Posted On: Sep 20, 2023

Today, AWS Identity and Access Management (IAM) Roles Anywhere released credential helper version 1.1.0, which adds support for X.509 certificates and private keys stored in Public-Key Cryptography Standards (PKCS) #11 compatible security modules. The IAM Roles Anywhere credential helper is a tool that manages the process of signing the CreateSession API call with the private key associated with an X.509 end-entity certificate and calls the endpoint to obtain temporary AWS credentials. With this release, you can use the credential helper to delegate signing operations to keys stored within PKCS #11 compatible security modules without those keys ever leaving those stores, which can help improve your security posture.

IAM Roles Anywhere enables workloads that run outside of AWS, such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials and access AWS resources using the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources.

IAM Roles Anywhere is available in most commercial Regions. The IAM Roles Anywhere credential helper source code is now available on GitHub. For more information on credential helper v1.1.0, see the release note. To learn more about how to delegate signing operations to PKCS #11 modules such as YubiKeys, see our blog post.