AWS Identity and Access Management Roles Anywhere


You can obtain temporary security credentials in IAM for workloads such as servers, containers, and applications that run outside of AWS by using the AWS Identity and Access Management Roles Anywhere feature. Your workloads can use the same IAM policies and IAM roles that you use with AWS applications to access AWS resources. If you use IAM Roles Anywhere, you won’t have to worry about managing long-term credentials for workloads that are running on platforms other than AWS.

To use IAM Roles Anywhere, your workloads must use X.509 certificates issued by your certificate authority (CA). You register the CA with IAM Roles Anywhere as a trust anchor to establish trust between your public-key infrastructure (PKI) and IAM Roles Anywhere. You can also use AWS Private Certificate Authority (AWS Private CA) to create a CA and then use that to establish trust with IAM Roles Anywhere. AWS Private CA is a managed private CA service for managing your CA infrastructure and your private certificates. Check out “What is AWS Private CA?” for additional details.

IAM Roles Anywhere concepts

Learn the basic terms and concepts used in IAM Roles Anywhere.

Trust anchors

You establish trust between IAM Roles Anywhere and your certificate authority (CA) by creating a trust anchor. A trust anchor is a reference to either AWS Private CA or an external CA certificate. Your workloads that are not hosted on AWS authenticate with the trust anchor by exchanging their certificates that were issued by a trusted certification authority (CA) for temporary AWS credentials. For more information, see IAM Roles Anywhere trust model.


An IAM role is an IAM identity that you can create in your account that has specific permissions. A role is intended to be assumable by anyone who needs it. IAM Roles Anywhere requires a role to trust its service principal before it can assume a role and deliver temporary AWS credentials. If a role does not trust its service principal, IAM Roles Anywhere will not be able to assume the role. Visit the Role trusts information page for further details.


You will need to create a profile in order to specify which roles IAM Roles Anywhere will assume and what your workloads will be able to accomplish with the temporary credentials. You can limit the permissions that are available for a session that you create by defining permissions in a profile and using IAM managed policies.

Access to IAM Roles From Any Location

Management Console

You can use the browser-based console that can be found at to manage the resources associated with your IAM Roles Anywhere account.

Command Line Tools

You can perform IAM Roles Anywhere tasks and other AWS-related activities by using the AWS command line tools to issue commands at the command line of your local system. This can be faster and more convenient than using the console. The command line tools can be useful if you want to build scripts to perform AWS tasks.

AWS provides the AWS Command Line Interface (AWS CLI). Refer to the AWS Command Line Interface User Guide for information on how to install and make use of the AWS Command Line Interface.


The AWS software development kits (SDKs) consist of libraries and sample code for various programming languages and platforms including Java, Python, Ruby, .NET, iOS and Android, and others. The software development kits (SDKs) include features such as cryptographically signing requests, managing errors, and automatically retrying requests. Check out the Tools for Amazon Web Services page if you want more information about the AWS Software Development Kits (SDKs), including how to download and install them.