
Secure AWS Components with IAM Roles Anywhere

IAM Roles Anywhere is an AWS service that extends IAM role-based authentication to workloads running outside of AWS. Instead of long-term access keys, a workload presents an X.509 certificate issued by a certificate authority (CA) that you have registered with AWS as a trust anchor, and exchanges it for temporary credentials. Catalyst uses its own PKI (Public Key Infrastructure) to issue these certificates and places a unique SPIFFE ID for each App ID in the certificate's URI SAN, which is the value the IAM trust policy matches on.

Follow these steps to enable secure authentication for accessing your AWS infrastructure from Catalyst:

Create a Trust Anchor

  1. Navigate to the Roles Anywhere service in the AWS Management Console.


  2. Select the option to "Create a trust anchor".


  3. Provide a name, select External certificate bundle and paste in the contents of the Diagrid certificate bundle. This establishes the root of trust between Catalyst and your AWS infrastructure.


    note

    The Diagrid Certificate Authority (CA) bundle has a 10-year expiration. Diagrid also provides a secondary certificate to facilitate smooth certificate rotation.

    A trust anchor is only usable while the CA certificate it holds is valid, so record the bundle's expiry date and plan to update the trust anchor with the rotated certificate before that date. Roles Anywhere can send expiry notifications for a trust anchor's CA certificate; leave those enabled so the expiry does not go unnoticed.

Create IAM Role(s)

  1. Navigate to the main IAM dashboard in AWS to begin creating the IAM roles you would like Catalyst to assume when accessing AWS resources.


  2. Navigate to Roles and select Create a new role.

  3. Select Custom trust policy as the Trusted entity type and paste in the trust policy below. The [TRUST_ANCHOR_ARN], [CATALYST_ORG_ID] and [CATALYST_PROJECT_ID] placeholders are replaced in the next step with the ARN of the Trust Anchor created above and the IDs of your Catalyst organization and project.

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "rolesanywhere.amazonaws.com"
          },
          "Action": [
            "sts:AssumeRole",
            "sts:TagSession",
            "sts:SetSourceIdentity"
          ],
          "Condition": {
            "StringEquals": {
              "aws:SourceArn": "[TRUST_ANCHOR_ARN]"
            },
            "StringLike": {
              "aws:PrincipalTag/x509SAN/URI": "spiffe://[CATALYST_ORG_ID].aws-us-west.diagrid.io/ns/prj-[CATALYST_PROJECT_ID]/*"
            }
          }
        }
      ]
    }


  4. Replace the placeholders with your own values:

    • Trust Anchor ARN: return to the Trust Anchor resource in the Roles Anywhere console and copy the value shown as Trust anchor ARN.

    • Catalyst Org ID: select the copy icon in the org selector in the top-right corner of the Catalyst console, or run diagrid whoami in the Diagrid CLI.

    • Catalyst Project ID: copy the ID of your project from the Projects page in the Catalyst console.

  5. Assign the permissions needed by this role to interact with your AWS infrastructure services and finalize role creation.

    warning

    This trust policy allows every Catalyst App ID in the project to assume the role, as indicated by the trailing * in the SPIFFE ID above. For tighter security, replace the project-level wildcard in the trust policy's StringLike condition with the full SPIFFE ID of each App ID that should be allowed to assume the role; the Trust Anchor itself does not change. You can retrieve these IDs in the App ID Details view in the console, or by running diagrid appid get.


Create an IAM Profile

The IAM Profile links the IAM Role to the IAM Roles Anywhere service, enabling Catalyst to securely assume the role using temporary, auto-rotating credentials. It also allows you to configure session policies and durations, ensuring secure and flexible access to AWS resources.

  1. Return to the Roles Anywhere service and create a new Profile.
  2. Associate the IAM Role created in the previous step with the profile.
  3. Optionally, set Session Policies and specify a Session Duration. The duration cannot exceed the maximum session duration configured on the IAM role. Credentials are rotated automatically at half the session lifespan, so a shorter duration simply means more frequent rotation, with no interruption to connectivity.
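The three AWS resources above, provisioned from a script instead of the console, together with an offline check that the trust policy's SPIFFE condition admits only the intended App IDs. This is an added example, not Diagrid's or AWS's own tooling: the policy builder and the matcher use only the Python standard library and run offline; provision() calls boto3 (create_trust_anchor, create_role, create_profile), needs AWS credentials, and runs only when the file is executed directly. The trust anchor and profile names, the org and project values, the trust anchor ARN and the sample App ID SPIFFE ID (its "app-..." suffix in particular) are constructed placeholders; copy real App ID SPIFFE IDs from diagrid appid get.

```python
"""Provision IAM Roles Anywhere for Catalyst and sanity-check the trust policy.

Added example, not Diagrid's or AWS's own tooling. The policy builder and the
SPIFFE-ID matcher are pure stdlib and run offline; provision() needs boto3
plus AWS credentials and is only invoked when this file is run as a script.
"""
import json
import re

# Hostname suffix taken from the page's trust-policy template.
CATALYST_SPIFFE_HOST_SUFFIX = ".aws-us-west.diagrid.io"


def spiffe_patterns(org_id, project_id, app_spiffe_ids=None):
    """Return the StringLike values for aws:PrincipalTag/x509SAN/URI.

    With no app_spiffe_ids this is the project-wide wildcard from the page.
    Passing the exact SPIFFE IDs shown by `diagrid appid get` restricts the
    role to those App IDs only (IAM ORs multiple values of one condition key).
    """
    if app_spiffe_ids:
        return list(app_spiffe_ids)
    return [f"spiffe://{org_id}{CATALYST_SPIFFE_HOST_SUFFIX}/ns/prj-{project_id}/*"]


def build_trust_policy(trust_anchor_arn, spiffe_values):
    """The trust policy from the page with its placeholders filled in."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"Service": "rolesanywhere.amazonaws.com"},
                "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
                "Condition": {
                    # Only sessions minted through this specific trust anchor.
                    "StringEquals": {"aws:SourceArn": trust_anchor_arn},
                    # Only certificates whose URI SAN matches one of the patterns.
                    "StringLike": {"aws:PrincipalTag/x509SAN/URI": spiffe_values},
                },
            }
        ],
    }


def iam_string_like(pattern, value):
    """IAM StringLike semantics: '*' matches any run, '?' one char, case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.DOTALL) is not None


def would_allow(policy, source_arn, spiffe_id):
    """Offline evaluation of the policy's Condition block (both keys must pass)."""
    cond = policy["Statement"][0]["Condition"]
    if cond["StringEquals"]["aws:SourceArn"] != source_arn:
        return False
    patterns = cond["StringLike"]["aws:PrincipalTag/x509SAN/URI"]
    if isinstance(patterns, str):
        patterns = [patterns]
    return any(iam_string_like(p, spiffe_id) for p in patterns)


def provision(bundle_pem, org_id, project_id, role_name, app_spiffe_ids=None, session_seconds=3600):
    """Create trust anchor, role and profile; returns (anchor ARN, role ARN, profile ARN).

    Live AWS calls via boto3 (imported here so the offline helpers work without it).
    Attach the role's permission policies separately, as in step 5 of the page.
    """
    import boto3

    ra = boto3.client("rolesanywhere")
    iam = boto3.client("iam")
    anchor = ra.create_trust_anchor(
        name=f"catalyst-{project_id}",  # placeholder naming convention
        source={"sourceType": "CERTIFICATE_BUNDLE", "sourceData": {"x509CertificateData": bundle_pem}},
        enabled=True,
    )["trustAnchor"]
    policy = build_trust_policy(anchor["trustAnchorArn"], spiffe_patterns(org_id, project_id, app_spiffe_ids))
    role = iam.create_role(RoleName=role_name, AssumeRolePolicyDocument=json.dumps(policy))["Role"]
    profile = ra.create_profile(
        name=f"catalyst-{project_id}",
        roleArns=[role["Arn"]],
        durationSeconds=session_seconds,  # must not exceed the role's MaxSessionDuration
        enabled=True,
    )["profile"]
    return anchor["trustAnchorArn"], role["Arn"], profile["profileArn"]


if __name__ == "__main__":
    # Constructed sample values; real ones come from the AWS console and the diagrid CLI.
    ta = "arn:aws:rolesanywhere:us-west-2:123456789012:trust-anchor/11111111-2222-3333-4444-555555555555"
    project_wide = build_trust_policy(ta, spiffe_patterns("org-demo", "demo"))
    print(json.dumps(project_wide, indent=2))
    probe = "spiffe://org-demo.aws-us-west.diagrid.io/ns/prj-demo/app-sample"  # placeholder suffix
    print("project-wide policy admits sample app:", would_allow(project_wide, ta, probe))
```

Running the file prints the project-wide policy for review. To restrict the role to particular App IDs, pass their exact SPIFFE IDs as app_spiffe_ids; would_allow() then shows that the scoped policy rejects every other App ID in the same project, and the aws:SourceArn check shows that a certificate issued under a different trust anchor is rejected even when its SAN matches.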

Fill in the Component Authentication Fields in Catalyst

With the AWS resources configured, you can now complete the AWS: IAM Roles Anywhere authentication profile in Catalyst. Provide the necessary fields to establish secure connectivity for Catalyst App IDs to your AWS infrastructure.

Summary of AWS Concepts

Trust Anchor: associates Diagrid as an external certificate authority (CA) with your AWS account to establish a root of trust.
IAM Role: specifies the permissions that authenticated applications have on AWS resources.
Profile: links the Trust Anchor to workloads and defines which IAM Role is assumed for secure access.

By using Catalyst's integration with AWS IAM Roles Anywhere, you ensure robust, scalable, and secure connectivity between your applications and AWS infrastructure.