IAM Roles Anywhere credential helper now supports TPM 2.0
AWS Identity and Access Management (IAM) Roles Anywhere today released version 1.4.0 of the credential helper, introducing built-in compatibility with Trusted Platform Module (TPM) 2.0. With this release, the credential helper can directly utilize X.509 certificates and associated private keys stored in TPMs on Windows or Linux systems. Keys remain within their secure hardware store, which can help improve your security posture.
IAM Roles Anywhere enables workloads that run outside of AWS, such as servers, containers, and applications, to use X.509 digital certificates to obtain temporary AWS credentials and access AWS resources using the same IAM roles and policies that you have configured for your AWS workloads to access AWS resources. IAM Roles Anywhere is compatible with certificates issued by any X.509-compliant PKI provider.
IAM Roles Anywhere credential helper is a tool that automates the process of signing CreateSession API with the private key associated with an X.509 end-entity certificate and calls the endpoint to obtain temporary AWS credentials. The credential helper includes PKCS #11 compatibility to leverage private keys from any hardware or software secure store your infrastructure trusts. With today’s release, developers have additional flexibility to directly leverage a TPM as the secure hardware store, thereby can help improving security posture while also reducing complexity.
The IAM Roles Anywhere credential helper source code is available on GitHub. For more information on credential helper v1.4.0, see the release note.