OpenSSLで作った自己署名証明書でIAM Roles Anywhereを使ってみた

OpenSSLで作った自己署名証明書でもIAM Roles Anywhereは使えます
2022.07.12

OpenSSLのプライベート認証局の出番では?

こんにちは、のんピ(@non____97)です。

皆さんはIAM Roles Anywhereを使いたいなと思ったことはありますか? 私はあります。

先人が既にアクセスキーを発行せずにAWS CLIを叩けることを検証しています。

せっかくなので、OpenSSLで作った自己署名証明書でもIAM Roles Anywhereを使えるのか検証してみます。

いきなりまとめ

プライベート認証局の作成

/etc/pki/tls/openssl.cnfの編集

それでは、プライベート認証局の作成をします。

Amazon Linux 2 (というかRedHat 7系のOS) には、プライベート認証局を簡単に作成するスクリプトである/etc/pki/tls/misc/CAが提供されています。

$ cat /etc/pki/tls/misc/CA
#!/bin/sh
#
# CA - wrapper around ca to make it easier to use ... basically ca requires
#      some setup stuff to be done before you can use it and this makes
#      things easier between now and when Eric is convinced to fix it :-)
#
# CA -newca ... will setup the right stuff
# CA -newreq ... will generate a certificate request
# CA -sign ... will sign the generated request and output
#
# At the end of that grab newreq.pem and newcert.pem (one has the key
# and the other the certificate) and cat them together and that is what
# you want/need ... I'll make even this a little cleaner later.
#
#
# 12-Jan-96 tjh    Added more things ... including CA -signcert which
#                  converts a certificate to a request and then signs it.
# 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
#                  environment variable so this can be driven from
#                  a script.
# 25-Jul-96 eay    Cleaned up filenames some more.
# 11-Jun-96 eay    Fixed a few filename missmatches.
# 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
# 18-Apr-96 tjh    Original hacking
#
# Tim Hudson
# tjh@cryptsoft.com
#

# default openssl.cnf file has setup as per the following
# demoCA ... where everything is stored
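# cp_pem INFILE OUTFILE BOUND
#   Copy the first PEM block whose BEGIN line contains BOUND (e.g. PRIVATE
#   or CERTIFICATE) from INFILE into OUTFILE, overwriting OUTFILE.  Lines
#   before the matching BEGIN line are skipped; copying stops after the
#   first END line that also contains BOUND.  If no BEGIN line matches,
#   OUTFILE is left untouched.  Exits 0 after a normal copy (the while
#   loop's status); the caller only looks at $?.
cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    # IFS= / -r keep the line byte-for-byte (no whitespace trimming, no
    # backslash processing); printf '%s' avoids echo's option and glob
    # pitfalls.  The file is redirected into the loop rather than exec'd
    # onto the script's stdin, so later interactive reads are unaffected.
    while IFS= read -r line; do
        if [ "$flag" -eq 1 ]; then
            # inside the wanted block: copy every line, stop after END
            printf '%s\n' "$line" >>"$outfile"
            case $line in
                -----END*"$bound"*) break ;;
            esac
        fi
        case $line in
            -----BEGIN*"$bound"*)
                # start of the wanted block: truncate OUTFILE first
                printf '%s\n' "$line" >"$outfile"
                flag=1
                ;;
        esac
    done <"$infile"
}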

# Print the one-line usage synopsis to stderr.
usage() {
    printf 'usage: %s -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n' "$0" >&2
}

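# ---------------------------------------------------------------------
# Main: option handling.  Each -option is processed in order; most set
# RET to the status of the openssl command they ran and the script exits
# with the last such status.  -pkcs12 and -verify exit immediately.
#
# Environment:
#   OPENSSL        openssl binary to use (default: openssl)
#   SSLEAY_CONFIG  extra arguments for req/ca, e.g. "-config FILE"
#   DAYS           validity arguments for -newcert/-newreq
#                  (default: -days 365)
#   CATOP          CA directory (default: /etc/pki/CA)
# ---------------------------------------------------------------------
if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi

if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi  # 1 year
CADAYS="-days 1095"     # 3 years
REQ="$OPENSSL req $SSLEAY_CONFIG"
CA="$OPENSSL ca $SSLEAY_CONFIG"
VERIFY="$OPENSSL verify"
X509="$OPENSSL x509"
# honour $OPENSSL here too; this one was hard-coded to "openssl"
PKCS12="$OPENSSL pkcs12"

# CA directory layout.  These relative names are appended to $CATOP
# (the key under $CATOP/private), which is why openssl reports paths
# such as $CATOP/private/./cakey.pem.
if [ -z "$CATOP" ] ; then CATOP=/etc/pki/CA ; fi
CAKEY=./cakey.pem
CAREQ=./careq.pem
CACERT=./cacert.pem

RET=0

# $REQ, $CA, $VERIFY, $X509, $PKCS12, $DAYS and $CADAYS are command
# strings and are intentionally left unquoted so they split into words.
while [ "$1" != "" ] ; do
case $1 in
-\?|-h|-help)
    usage
    exit 0
    ;;
-newcert)
    # create a self-signed certificate together with a fresh key
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
-newreq)
    # create a certificate request together with a fresh key
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
-newreq-nodes)
    # create a certificate request; -nodes leaves the key unencrypted and
    # it is written into the same file as the request, so newreq.pem then
    # holds an unprotected private key
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
-newca)
    # (re)create the directory hierarchy openssl ca expects.  mkdir -p and
    # touch are harmless on an existing CA, which is what the original
    # always-true 'NEW="1"' test amounted to.
    mkdir -p "$CATOP"
    mkdir -p "$CATOP/certs"
    mkdir -p "$CATOP/crl"
    mkdir -p "$CATOP/newcerts"
    mkdir -p "$CATOP/private"
    touch "$CATOP/index.txt"
    if [ ! -f "$CATOP/private/$CAKEY" ]; then
        echo "CA certificate filename (or enter to create)"
        read -r FILE

        # ask user for an existing CA file holding both key and cert
        if [ "$FILE" ]; then
            cp_pem "$FILE" "$CATOP/private/$CAKEY" PRIVATE
            cp_pem "$FILE" "$CATOP/$CACERT" CERTIFICATE
            RET=$?
            if [ ! -f "$CATOP/serial" ]; then
                $X509 -in "$CATOP/$CACERT" -noout -next_serial \
                      -out "$CATOP/serial"
            fi
        else
            echo "Making CA certificate ..."
            $REQ -new -keyout "$CATOP/private/$CAKEY" \
                           -out "$CATOP/$CAREQ"
            # self-sign the request with the v3_ca extensions of openssl.cnf
            $CA -create_serial -out "$CATOP/$CACERT" $CADAYS -batch \
                           -keyfile "$CATOP/private/$CAKEY" -selfsign \
                           -extensions v3_ca \
                           -infiles "$CATOP/$CAREQ"
            RET=$?
        fi
    fi
    ;;
-xsign)
    # sign newreq.pem without -out: the certificate goes to stdout only
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
-pkcs12)
    # bundle newcert.pem, the key in newreq.pem (as written by
    # -newreq-nodes) and the CA cert into newcert.p12; the optional
    # friendly name is taken from the next argument
    if [ -z "$2" ] ; then
        CNAME="My Certificate"
    else
        CNAME="$2"
    fi
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile "$CATOP/$CACERT" \
            -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit $RET
    ;;
-sign|-signreq)
    # sign newreq.pem using the policy_anything section of openssl.cnf
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-signCA)
    # like -sign but with v3_ca extensions, i.e. issue a subordinate CA
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
-signcert)
    # convert an existing self-signed cert (key in the same file) back
    # into a request, then sign that request with the CA
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
-verify)
    # verify newcert.pem, or every remaining argument, against the CA
    # cert; exit with the status of the last failing verification
    shift
    if [ -z "$1" ]; then
            $VERIFY -CAfile "$CATOP/$CACERT" newcert.pem
            RET=$?
    else
        for j
        do
            $VERIFY -CAfile "$CATOP/$CACERT" "$j"
            # save the status before testing it: [ ] itself resets $?,
            # so the original "RET=$?" inside the if always stored 0
            st=$?
            if [ "$st" -ne 0 ]; then
                    RET=$st
            fi
        done
    fi
    exit $RET
    ;;
*)
    # $1 is the offending argument (the original printed the unset $i)
    echo "Unknown arg $1" >&2
    usage
    exit 1
    ;;
esac
shift
done
exit $RET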

こちらのスクリプトで認証局の作成、CSRの生成、証明書の発行を行うことができます。

デフォルトではこちらのスクリプトはOpenSSLの設定ファイル/etc/pki/tls/openssl.cnfを参照しています。

IAM Roles Anywhereの信頼アンカーとして使用される証明書には以下のような要件があります。

Certificates used as trust anchors must satisfy the same requirements for signature algorithm, but with the following differences:

  • The key usage must include Digital Signature, Certificate Sign, and CRL Sign.
  • Basic constraints must include CA: true.

Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere

デフォルトの/etc/pki/tls/openssl.cnfでは、v3_caセクションのkeyUsageがコメントアウトされており、Digital Signatureが含まれていません。

$ cat /etc/pki/tls/openssl.cnf
.
.
(中略)
.
.
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
# keyUsage = cRLSign, keyCertSign

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

Digital Signatureが含まれていないプライベート認証局の証明書を信頼アンカーに登録しようとすると、Incorrect basic constraints for CA certificateというエラーになってしまいます。

Incorrect basic constraints for CA certificate

そのため、/etc/pki/tls/openssl.cnfのv3_caセクションのkeyUsageを編集してあげます。

# /etc/pki/tls/openssl.cnf の編集
$ sudo vi /etc/pki/tls/openssl.cnf

# 編集内容の確認
$ cat /etc/pki/tls/openssl.cnf
.
.
(中略)
.
.
[ v3_ca ]


# Extensions for a typical CA


# PKIX recommendation.

subjectKeyIdentifier=hash

authorityKeyIdentifier=keyid:always,issuer

# This is what PKIX recommends but some broken software chokes on critical
# extensions.
#basicConstraints = critical,CA:true
# So we do this instead.
basicConstraints = CA:true

# Key usage: this is typical for a CA certificate. However since it will
# prevent it being used as an test self-signed certificate it is best
# left out by default.
keyUsage = cRLSign, keyCertSign, digitalSignature

# Some might want this also
# nsCertType = sslCA, emailCA

# Include email address in subject alt name: another PKIX recommendation
# subjectAltName=email:copy
# Copy issuer details
# issuerAltName=issuer:copy

# DER hex encoding of an extension: beware experts only!
# obj=DER:02:03
# Where 'obj' is a standard or added object
# You can even override a supported extension:
# basicConstraints= critical, DER:30:03:01:01:FF

プライベート認証局の作成

それではプライベート認証局を作成します。

$ sudo /etc/pki/tls/misc/CA -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 2048 bit RSA private key
..............................................+++
......................................................+++
writing new private key to '/etc/pki/CA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-ca
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/./cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c9:51:f2:e3:01:51:84:c2
        Validity
            Not Before: Jul 12 02:28:00 2022 GMT
            Not After : Jul 11 02:28:00 2025 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-ca
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

            X509v3 Basic Constraints:
                CA:TRUE
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
Certificate is to be certified until Jul 11 02:28:00 2025 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated

Key UsageがDigital Signature, Certificate Sign, CRL Signと要件通りになっていますね。また、Basic ConstraintsもCA:TRUEになっています。

プライベート認証局の証明書ファイル/etc/pki/CA/cacert.pemから証明書部分を抽出しておきます。

$ openssl x509 -in /etc/pki/CA/cacert.pem
-----BEGIN CERTIFICATE-----
MIIDlDCCAnygAwIBAgIJAMlR8uMBUYTCMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDIy
.
.
(中略)
.
.
EzpiIMsvi6j+EOAH/7344zYfqooylepZfnR9BIc/+fVnnYLXesOTlK8GmHsBQzj9
aFuLhsxXAkqXuYrMFFHYXX9Ri+hOX0sSXNS4FuyqVqtSBEmmPMfidCkGZ7HRw7hI
2oS2w2Pjdto=
-----END CERTIFICATE-----

信頼アンカーの作成

次に信頼アンカーの作成です。

IAMのコンソールからロール-管理をクリックします。

IAM Roles Anywhereの管理

信頼アンカーを作成するをクリックします。

信頼アンカーを作成する

信頼アンカー名を入力します。認証機関(CA)ソースは外部証明書バンドルを選択し、テキストエリアに事前に確認したプライベート認証局の証明書をペーストし、信頼アンカーを作成するをクリックします。

信頼アンカーの作成

信頼アンカーの一覧に追加されたことを確認します。

信頼アンカーの作成確認

また、信頼アンカーのARNは後で使用するので控えておきます。

信頼アンカーのARN確認

IAMロールの作成

次にIAM Roles Anywhereで使用するIAMロールを作成します。

作成するIAMロールの信頼されたエンティティは以下のようにIAM Roles Anywhereが引き受けられるようにする必要があります。

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
                "sts:AssumeRole",
                "sts:SetSourceIdentity",
                "sts:TagSession"
            ]
        }
    ]
}

IAMポリシーはAmazonEC2ReadOnlyAccessにしてみました。

IAM Roles Anywhere用のIAMロールの作成

プロファイルの作成

作成したIAMロールとIAM Roles Anywhereを関連づけるためにプロファイルを作成します。

プロファイルを作成をクリックします。

プロファイルを作成

プロファイル名の入力と先ほど作成したIAMロールの選択をします。セッションポリシーは変更せずにプロファイルを作成をクリックします。

プロファイルの設定

プロファイルの一覧に追加されたことを確認します。

プロファイルの作成確認

プロファイルのARNも後で使用するので控えておきます。

プロファイルのARN確認

証明書の発行

CSRの生成

IAM Roles Anywhereのエンドエンティティ証明書の発行をします。

証明書発行のためにCSRを生成します。

$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
................+++
..+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

CSRが生成されました。

$ ls -l newreq.pem
-rw-r--r-- 1 root root 1025 Jul 12 02:55 newreq.pem

$ cat newreq.pem
-----BEGIN CERTIFICATE REQUEST-----
MIICvDCCAaQCAQAwdzELMAkGA1UEBhMCSlAxDjAMBgNVBAgMBVRva3lvMRUwEwYD
VQQHDAxEZWZhdWx0IENpdHkxHDAaBgNVBAoME0RlZmF1bHQgQ29tcGFueSBMdGQx
IzAhBgNVBAMMGmlhbS1yb2xlcy1hbnl3YXJlLWluc3RhbmNlMIIBIjANBgkqhkiG
.
.
(中略)
.
.
3HYGFwUKaAMuaP5zytSodJz1iGP9RSIsYLGteExwozdwXoXDXD9FPbeC1EWEHtSY
iVjhmgmFUkyT78AoTMTXR5dO0sD6NB8eg4Z+vnuWNrGf/8mvQoqib8fkUyA5DVt4
sHtz1uesOimEoP/eVX7vkRDlsLpn2XN+1HWQvoe+VVAL9/6rIcyPe9xVIKIebxKY
54efl9z3gwPk9bFJkWmSZeqEXOF31fj9sk84imHqcJg=
-----END CERTIFICATE REQUEST-----

また、秘密鍵も生成されています。BEGIN ENCRYPTED PRIVATE KEYなのでパスフレーズは設定されたままです。

$ ls -l newkey.pem
-rw-r--r-- 1 root root 1834 Jul 12 02:55 newkey.pem

$ cat newkey.pem
-----BEGIN ENCRYPTED PRIVATE KEY-----
.
.
(中略)
.
.
-----END ENCRYPTED PRIVATE KEY-----

証明書の発行

それでは証明書を発行します。

$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c9:51:f2:e3:01:51:84:c3
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-instance
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

Certificate is to be certified until Jul 12 03:01:40 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c9:51:f2:e3:01:51:84:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
                    dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
                    a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
                    2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
                    05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
                    9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
                    5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
                    68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
                    91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
                    39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
                    ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
                    1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
                    6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
                    b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
                    3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
                    79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
                    db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
                    a2:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
         03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
         dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
         86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
         5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
         64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
         3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
         48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
         8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
         75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
         c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
         07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
         c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
         e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
         48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(中略)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

証明書のファイルが作成されたことを確認します。

$ ls -l newcert.pem
-rw-r--r-- 1 root root 4553 Jul 12 03:01 newcert.pem

$ cat newcert.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c9:51:f2:e3:01:51:84:c3
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 03:01:40 2022 GMT
            Not After : Jul 12 03:01:40 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:bb:32:bc:de:5e:a8:58:f4:c2:e4:8e:e7:d4:72:
                    dc:5a:b7:f2:e6:62:44:83:76:d8:15:8a:12:da:ee:
                    a0:72:73:05:2b:4f:bd:89:e8:bf:a7:8d:e5:27:20:
                    2b:b2:33:72:45:01:b2:ca:15:38:4d:47:10:ab:84:
                    05:a0:b9:ef:b5:11:2b:6b:be:ac:28:2f:83:35:36:
                    9d:98:f7:9d:53:59:b5:b3:3c:3e:22:ec:b5:20:75:
                    5e:b9:46:c9:5d:66:95:e3:0b:1b:33:92:0b:81:ba:
                    68:d4:03:98:bc:b1:69:d1:d6:6a:21:93:37:84:51:
                    91:89:e7:12:e6:ea:74:05:8c:1c:f1:19:07:8c:75:
                    39:c5:09:e6:08:e4:21:72:ed:ac:5a:4c:0a:5d:a1:
                    ad:6e:b3:20:46:fd:c9:3f:c9:96:9d:0c:ec:ba:f3:
                    1c:99:dd:e8:d0:14:fe:71:5d:57:1e:6b:22:ce:37:
                    6d:6b:fc:9f:3a:b9:ae:c5:f3:da:6b:e1:41:6e:2f:
                    b5:bd:cb:0b:55:11:bb:03:1a:11:0c:bb:ef:c7:42:
                    3b:ce:fc:fe:6a:6c:2d:0c:15:56:dd:dd:ad:46:31:
                    79:8c:8f:b0:64:cc:40:d8:70:58:6a:be:a8:de:5c:
                    db:c3:b1:1b:aa:14:ec:97:df:16:76:6d:db:df:ec:
                    a2:61
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                97:C6:D2:8B:E0:D7:6A:B8:08:92:10:0E:5B:D7:93:48:BE:00:55:FF
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         8f:55:45:04:5f:32:bd:94:c1:b6:03:e2:95:ef:07:8e:77:c0:
         03:72:87:93:60:00:5c:b9:12:3a:cd:19:78:3b:4e:89:24:9e:
         dd:46:b4:b8:3a:2a:40:ca:fc:5a:59:6b:1b:f6:8d:eb:6e:5e:
         86:a0:0f:b9:2e:09:4e:00:24:7d:55:5e:58:88:43:b3:b5:b1:
         5c:e6:8d:ee:d2:d6:16:95:2f:75:34:ea:ac:fd:ec:82:88:12:
         64:82:ba:0a:b0:34:0b:92:76:db:02:72:e5:26:98:d1:4b:dd:
         3c:fb:bd:83:61:46:40:fb:27:ee:b0:ae:aa:6e:a7:07:b8:5e:
         48:81:1f:12:9e:4e:39:78:4d:f4:71:91:72:c8:c4:b5:1a:b0:
         8c:2d:51:d8:bc:92:0b:d6:2c:3f:27:2a:eb:e6:af:2f:f5:1a:
         75:12:5c:80:cf:98:57:d5:11:05:c2:62:63:c2:52:fb:72:3e:
         c9:9e:c8:ba:02:51:92:7d:9d:3c:16:80:48:c2:a4:05:77:23:
         07:b4:0c:a5:57:04:62:63:41:6e:88:ed:2c:6a:9c:32:16:eb:
         c0:4d:cb:82:e6:41:4c:4f:d9:76:7f:d0:2c:f6:14:4d:13:2d:
         e1:90:29:c8:8e:56:b2:8f:6e:56:c4:08:2a:ab:db:37:92:a8:
         48:57:f1:63
-----BEGIN CERTIFICATE-----
MIIDzzCCAregAwIBAgIJAMlR8uMBUYTDMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDMw
.
.
(中略)
.
.
CrA0C5J22wJy5SaY0UvdPPu9g2FGQPsn7rCuqm6nB7heSIEfEp5OOXhN9HGRcsjE
tRqwjC1R2LySC9YsPycq6+avL/UadRJcgM+YV9URBcJiY8JS+3I+yZ7IugJRkn2d
PBaASMKkBXcjB7QMpVcEYmNBbojtLGqcMhbrwE3LguZBTE/Zdn/QLPYUTRMt4ZAp
yI5Wso9uVsQIKqvbN5KoSFfxYw==
-----END CERTIFICATE-----

動作確認 (1回目)

クレデンシャルヘルパーツールのダウンロード

それでは、動作確認です。

まず、クレデンシャルヘルパーツールをダウンロードして、実行権限を与えます。

# クレデンシャルヘルパーツールをダウンロード
$ sudo curl https://s3.amazonaws.com/roles-anywhere-credential-helper/CredentialHelper/latest/linux_amd64/aws_signing_helper --output aws_signing_helper  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 12.6M  100 12.6M    0     0  86.5M      0 --:--:-- --:--:-- --:--:-- 86.6M

# クレデンシャルヘルパーツールの権限確認
$ ls -l aws_signing_helper
-rw-r--r-- 1 root root 13266672 Jul 12 03:04 aws_signing_helper

# クレデンシャルヘルパーツールに実行権限を追加
$ sudo chmod +x aws_signing_helper

# 権限の確認
$ ls -l aws_signing_helper
-rwxr-xr-x 1 root root 13266672 Jul 12 03:04 aws_signing_helper

動作確認 (1回目)

クレデンシャルヘルパーツールを実行してみます。

$ ./aws_signing_helper credential-process \
     --certificate ./newcert.pem \
     --private-key ./newkey.pem \
     --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
     --profile-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
     --role-arn arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role
2022/07/12 03:09:48 unable to parse private key

unable to parse private keyとエラーが出力されてしまいました。

試しに証明書の秘密鍵のパスフレーズを解除してからリトライします。

# 秘密鍵のパスフレーズを解除
$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key

# 秘密鍵のパスフレーズが解除されたことを確認
$ cat cert.key
-----BEGIN RSA PRIVATE KEY-----
.
.
(中略)
.
.
-----END RSA PRIVATE KEY-----

# リトライ
$ ./aws_signing_helper credential-process \
     --certificate ./newcert.pem \
     --private-key ./newkey.pem \
     --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
     --profile-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
     --role-arn arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role
2022/07/12 03:12:42 AccessDeniedException: Untrusted certificate. Insufficient certificate

秘密鍵のパースエラーは解消されましたが、Untrusted certificate. Insufficient certificateというエラーになってしまいました。(なお、リトライ時の--private-keyには、パスフレーズを解除したcert.keyを指定する想定です。)

よくよくドキュメントを確認すると、エンドエンティティ証明書も要件がありました。

End entity certificates must satisfy the following constraints to be used for authentication:

  • The certificates must be X.509v3.
  • Basic constraints must include CA: false.
  • The key usage must include Digital Signature.
  • The signing algorithm must include SHA256 or stronger. MD5 and SHA1 signing algorithms are rejected.

Trust model in AWS Identity and Access Management Roles Anywhere - IAM Roles Anywhere

発行された証明書と比較すると、Key Usage拡張自体が付与されておらず、Digital Signatureが含まれていません。

ということで、証明書の再発行をします。

証明書の再発行

古い証明書の無効化

Subjectが重複する証明書を発行しようとすると、以下のようなエラーが出力されてしまいます。

failed to update database
TXT_DB error number 2

そのため、証明書を再発行するにあたって、古い証明書を無効化しておきます。

# 証明書のデータベースファイルを確認
$ cat /etc/pki/CA/index.txt
V       250711022800Z           C951F2E3015184C2        unknown /C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
V       230712030140Z           C951F2E3015184C3        unknown /C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance

# 不要な証明書を無効化
$ sudo openssl ca -revoke /etc/pki/CA/newcerts/C951F2E3015184C3.pem
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Revoking Certificate C951F2E3015184C3.
Data Base Updated

# 不要な証明書が無効化されたことを確認
$ cat /etc/pki/CA/index.txt
V       250711022800Z           C951F2E3015184C2        unknown /C=JP/ST=Tokyo/O=Default Company Ltd/CN=iam-roles-anyware-ca
R       230712030140Z   220712043755Z   C951F2E3015184C3        unknown /C=JP/ST=Tokyo/L=Default City/O=Default Company Ltd/CN=iam-roles-anyware-instance

本来であれば証明書を無効化した後CRLを作成するところですが、伝える相手もいないのでCRLは作成しません。

/etc/pki/tls/openssl.cnfの編集

CSRの再生成前に/etc/pki/tls/openssl.cnfを編集します。

# /etc/pki/tls/openssl.cnf の編集
$ sudo vi /etc/pki/tls/openssl.cnf

# 編集内容の確認
$ cat /etc/pki/tls/openssl.cnf
.
.
(中略)
.
.
[ req ]
default_bits            = 2048
default_md              = sha256
default_keyfile         = privkey.pem
distinguished_name      = req_distinguished_name
attributes              = req_attributes
x509_extensions = v3_ca # The extentions to add to the self signed cert

# Passwords for private keys if not present they will be prompted for
# input_password = secret
# output_password = secret

# This sets a mask for permitted string types. There are several options.
# default: PrintableString, T61String, BMPString.
# pkix   : PrintableString, BMPString (PKIX recommendation before 2004)
# utf8only: only UTF8Strings (PKIX recommendation after 2004).
# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
# MASK:XXXX a literal mask value.
# WARNING: ancient versions of Netscape crash on BMPStrings or UTF8Strings.
string_mask = utf8only

req_extensions = v3_req # The extensions to add to a certificate request
.
.
(中略)
.
.
[ usr_cert ]

# These extensions are added when 'ca' signs a request.

# This goes against PKIX guidelines but some CAs do it and some software
# requires this to avoid interpreting an end user certificate as a CA.

basicConstraints=CA:FALSE

# Here are some examples of the usage of nsCertType. If it is omitted
# the certificate can be used for anything *except* object signing.

# This is OK for an SSL server.
# nsCertType                    = server

# For an object signing certificate this would be used.
# nsCertType = objsign

# For normal client use this is typical
# nsCertType = client, email

# and for everything including object signing:
# nsCertType = client, email, objsign

# This is typical in keyUsage for a client certificate.
keyUsage = nonRepudiation, digitalSignature, keyEncipherment

# This will be displayed in Netscape's comment listbox.
nsComment                       = "OpenSSL Generated Certificate"

# PKIX recommendations harmless if included in all certificates.
subjectKeyIdentifier=hash
authorityKeyIdentifier=keyid,issuer

# This stuff is for subjectAltName and issuerAltname.
# Import the email address.
# subjectAltName=email:copy
# An alternative to produce certificates that aren't
# deprecated according to PKIX.
# subjectAltName=email:move

# Copy subject details
# issuerAltName=issuer:copy

#nsCaRevocationUrl              = http://www.domain.dom/ca-crl.pem
#nsBaseUrl
#nsRevocationUrl
#nsRenewalUrl
#nsCaPolicyUrl
#nsSslServerName

# This is required for TSA certificates.
# extendedKeyUsage = critical,timeStamping

CSRの再生成

CSRの再生成をします。

$ sudo /etc/pki/tls/misc/CA -newreq
Generating a 2048 bit RSA private key
...........................................................................................+++
................................+++
writing new private key to 'newkey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [XX]:JP
State or Province Name (full name) []:Tokyo
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:iam-roles-anyware-instance
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
Request is in newreq.pem, private key is in newkey.pem

CSRと一緒に生成された秘密鍵のパスフレーズを解除しておきます。パスフレーズを解除した秘密鍵は平文で保存されるため、ファイルのパーミッションを絞るなど取り扱いには注意が必要です。

$ sudo openssl rsa -in newkey.pem -out cert.key
Enter pass phrase for newkey.pem:
writing RSA key

証明書の発行

証明書を再発行します。

$ sudo /etc/pki/tls/misc/CA -sign
Using configuration from /etc/pki/tls/openssl.cnf
Enter pass phrase for /etc/pki/CA/private/cakey.pem:
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number:
            c9:51:f2:e3:01:51:84:c5
        Validity
            Not Before: Jul 12 04:58:36 2022 GMT
            Not After : Jul 12 04:58:36 2023 GMT
        Subject:
            countryName               = JP
            stateOrProvinceName       = Tokyo
            localityName              = Default City
            organizationName          = Default Company Ltd
            commonName                = iam-roles-anyware-instance
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

Certificate is to be certified until Jul 12 04:58:36 2023 GMT (365 days)
Sign the certificate? [y/n]:y


1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            c9:51:f2:e3:01:51:84:c5
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=JP, ST=Tokyo, O=Default Company Ltd, CN=iam-roles-anyware-ca
        Validity
            Not Before: Jul 12 04:58:36 2022 GMT
            Not After : Jul 12 04:58:36 2023 GMT
        Subject: C=JP, ST=Tokyo, L=Default City, O=Default Company Ltd, CN=iam-roles-anyware-instance
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:c0:03:cf:d6:3a:20:f6:ad:74:72:d5:3a:fb:bc:
                    bd:d6:4b:98:f7:2e:11:6e:79:ff:91:83:52:8d:31:
                    e0:c7:0f:75:16:63:26:c9:8f:00:96:44:2b:23:e1:
                    81:eb:11:e2:38:b2:f6:36:56:63:2f:57:75:b3:91:
                    3a:5e:cc:2c:e1:68:f5:de:8a:9d:53:45:e9:8a:38:
                    ef:45:d5:39:b9:ea:79:6a:01:ce:0a:75:91:84:84:
                    3e:98:c6:10:14:9b:3d:1e:79:3d:ea:dc:cb:81:7e:
                    80:51:2d:bc:0b:32:ad:cc:b3:e6:0a:a8:06:83:1d:
                    4a:a6:18:1b:c9:c9:fb:57:cc:0e:bd:98:53:6b:c0:
                    84:7c:60:5d:5c:f9:46:91:88:40:c1:49:4a:fb:2e:
                    ba:9c:14:a4:66:c4:97:44:28:57:17:de:30:58:71:
                    a0:10:5d:18:7f:3d:28:9f:a7:36:c7:0c:8b:39:2e:
                    c2:71:e7:46:0d:21:f8:1b:83:38:d9:24:f5:0c:fe:
                    35:c5:17:8c:72:b7:a4:70:13:e6:7e:36:a5:f3:53:
                    17:5f:6e:64:06:26:8f:a8:8d:8d:47:9d:d4:52:79:
                    12:e9:67:05:d3:a8:91:11:29:28:bc:42:41:54:ca:
                    a1:4c:b5:8c:9d:47:f1:ba:a1:72:81:b6:4c:68:ca:
                    d0:ff
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            X509v3 Key Usage:
                Digital Signature, Non Repudiation, Key Encipherment
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F4:8B:BB:60:C2:33:AA:58:8B:81:E8:00:C2:EE:36:D2:C2:7D:34:1C
            X509v3 Authority Key Identifier:
                keyid:A1:9A:6C:85:B7:B8:DB:03:5E:2C:3F:67:CD:1D:A2:53:E1:C3:1F:D5

    Signature Algorithm: sha256WithRSAEncryption
         99:58:e3:f2:1c:2d:51:ee:4d:94:35:97:91:ba:70:c7:16:72:
         f6:d4:49:08:62:ca:7e:27:68:d8:f0:1a:07:58:e0:b8:f2:5a:
         d5:11:0c:85:e4:e9:dc:1d:55:f6:5f:7a:8a:9c:3c:26:ba:18:
         fa:83:84:c8:6a:fb:14:08:a2:bc:74:e1:e5:4c:a1:60:59:b3:
         da:73:81:9f:2b:a0:15:90:a8:f5:5c:58:9d:38:c1:49:a7:ef:
         ea:29:f3:22:a8:e6:9b:2c:f6:25:b3:8a:a5:d3:bb:ba:67:a3:
         f8:70:be:f6:22:90:4e:9e:7a:8b:17:04:b3:2f:b3:33:ca:b9:
         66:1b:75:84:60:62:70:a8:60:3b:d3:d9:90:dc:8f:6a:53:7d:
         e6:e5:0c:b8:59:11:68:dc:81:98:91:1e:7f:09:44:a9:7b:47:
         49:47:66:cf:6f:67:18:24:b5:39:93:09:f7:15:c0:92:89:a2:
         db:0d:7c:90:4f:ad:df:d3:48:cd:e4:aa:5d:6f:f2:96:2f:d7:
         50:15:54:2c:24:d7:c6:50:2c:28:c9:33:ff:b9:84:fa:37:8f:
         67:7c:7a:aa:2b:30:08:bd:4f:d6:ff:87:15:8d:33:d9:da:48:
         87:59:bd:d1:c5:6f:26:79:44:e5:3c:e5:53:a9:fc:f9:90:4d:
         45:e7:2c:14
-----BEGIN CERTIFICATE-----
MIID3jCCAsagAwIBAgIJAMlR8uMBUYTFMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV
BAYTAkpQMQ4wDAYDVQQIDAVUb2t5bzEcMBoGA1UECgwTRGVmYXVsdCBDb21wYW55
IEx0ZDEdMBsGA1UEAwwUaWFtLXJvbGVzLWFueXdhcmUtY2EwHhcNMjIwNzEyMDQ1
.
.
(中略)
.
.
FZCo9VxYnTjBSafv6inzIqjmmyz2JbOKpdO7umej+HC+9iKQTp56ixcEsy+zM8q5
Zht1hGBicKhgO9PZkNyPalN95uUMuFkRaNyBmJEefwlEqXtHSUdmz29nGCS1OZMJ
9xXAkomi2w18kE+t39NIzeSqXW/yli/XUBVULCTXxlAsKMkz/7mE+jePZ3x6qisw
CL1P1v+HFY0z2dpIh1m90cVvJnlE5TzlU6n8+ZBNRecsFA==
-----END CERTIFICATE-----
Signed certificate is in newcert.pem

Key UsageにDigital Signatureがある証明書が発行されました。

動作確認 (2回目)

2回目の動作確認です。

クレデンシャルヘルパーツールを実行してみます。

$ ./aws_signing_helper credential-process \
     --certificate ./newcert.pem \
     --private-key ./cert.key \
     --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e \
     --profile-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5 \
     --role-arn arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role
{"Version":1,"AccessKeyId":"ASIA6KUFAVPU6PW4NEHS","SecretAccessKey":"1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He","SessionToken":"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","Expiration":"2022-07-12T06:00:07Z"}

アクセスキー、シークレットアクセスキー、セッショントークンが出力されました。これらは有効期限付きの一時的な認証情報ですが、シークレットアクセスキーとセッショントークンはログなどに残さないように注意します。

出力された値を環境変数に入れて、AWS CLIを叩いてみます。

# 認証情報を環境変数に追加
$ export AWS_ACCESS_KEY_ID=ASIA6KUFAVPU6PW4NEHS
$ export AWS_SECRET_ACCESS_KEY=1+Ax0yFTo0+c/WUtBOd6sC4TTOV6QNiLUaNm59He
$ export AWS_SESSION_TOKEN=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

# EC2インスタンスの情報をAWS CLIで確認
$ aws ec2 describe-instances \
    --instance-ids i-0fd11c3a1398908bb \
    --region us-east-1
{
    "Reservations": [
        {
            "Instances": [
                {
                    "Monitoring": {
                        "State": "disabled"
                    },
                    "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                    "State": {
                        "Code": 16,
                        "Name": "running"
                    },
                    "EbsOptimized": true,
                    "LaunchTime": "2022-07-12T02:19:53.000Z",
                    "PublicIpAddress": "3.235.121.71",
                    "PrivateIpAddress": "172.31.14.187",
                    "ProductCodes": [],
                    "VpcId": "vpc-0e0796981cea634c1",
                    "CpuOptions": {
                        "CoreCount": 1,
                        "ThreadsPerCore": 2
                    },
                    "StateTransitionReason": "",
                    "InstanceId": "i-0fd11c3a1398908bb",
                    "EnaSupport": true,
                    "ImageId": "ami-0cff7528ff583bf9a",
                    "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                    "KeyName": "xxxxx",
                    "SecurityGroups": [
                        {
                            "GroupName": "default",
                            "GroupId": "sg-09833fa43dc030900"
                        }
                    ],
                    "ClientToken": "",
                    "SubnetId": "subnet-0355def964cb72d89",
                    "InstanceType": "t3.micro",
                    "CapacityReservationSpecification": {
                        "CapacityReservationPreference": "open"
                    },
                    "NetworkInterfaces": [
                        {
                            "Status": "in-use",
                            "MacAddress": "02:b9:5a:24:d9:17",
                            "SourceDestCheck": true,
                            "VpcId": "vpc-0e0796981cea634c1",
                            "Description": "",
                            "NetworkInterfaceId": "eni-0f74de6b95007f850",
                            "PrivateIpAddresses": [
                                {
                                    "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                                    "PrivateIpAddress": "172.31.14.187",
                                    "Primary": true,
                                    "Association": {
                                        "PublicIp": "3.235.121.71",
                                        "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                                        "IpOwnerId": "amazon"
                                    }
                                }
                            ],
                            "PrivateDnsName": "ip-172-31-14-187.ec2.internal",
                            "InterfaceType": "interface",
                            "Attachment": {
                                "Status": "attached",
                                "DeviceIndex": 0,
                                "DeleteOnTermination": true,
                                "AttachmentId": "eni-attach-055395aa5ba0c57bc",
                                "AttachTime": "2022-07-12T02:19:53.000Z"
                            },
                            "Groups": [
                                {
                                    "GroupName": "default",
                                    "GroupId": "sg-09833fa43dc030900"
                                }
                            ],
                            "Ipv6Addresses": [],
                            "OwnerId": "<AWSアカウントID>",
                            "PrivateIpAddress": "172.31.14.187",
                            "SubnetId": "subnet-0355def964cb72d89",
                            "Association": {
                                "PublicIp": "3.235.121.71",
                                "PublicDnsName": "ec2-3-235-121-71.compute-1.amazonaws.com",
                                "IpOwnerId": "amazon"
                            }
                        }
                    ],
                    "SourceDestCheck": true,
                    "Placement": {
                        "Tenancy": "default",
                        "GroupName": "",
                        "AvailabilityZone": "us-east-1b"
                    },
                    "Hypervisor": "xen",
                    "InstanceLifecycle": "spot",
                    "BlockDeviceMappings": [
                        {
                            "DeviceName": "/dev/xvda",
                            "Ebs": {
                                "Status": "attached",
                                "DeleteOnTermination": true,
                                "VolumeId": "vol-0b0d9d6737487a8cf",
                                "AttachTime": "2022-07-12T02:19:54.000Z"
                            }
                        }
                    ],
                    "Architecture": "x86_64",
                    "RootDeviceType": "ebs",
                    "IamInstanceProfile": {
                        "Id": "AIPA6KUFAVPU6UWS3OMTH",
                        "Arn": "arn:aws:iam::<AWSアカウントID>:instance-profile/AmazonSSMRoleForInstancesQuickSetup"
                    },
                    "RootDeviceName": "/dev/xvda",
                    "VirtualizationType": "hvm",
                    "Tags": [
                        {
                            "Value": "ca",
                            "Key": "Name"
                        }
                    ],
                    "SpotInstanceRequestId": "sir-abredmeg",
                    "HibernationOptions": {
                        "Configured": false
                    },
                    "MetadataOptions": {
                        "State": "applied",
                        "HttpEndpoint": "enabled",
                        "HttpTokens": "optional",
                        "HttpPutResponseHopLimit": 1
                    },
                    "AmiLaunchIndex": 0
                }
            ],
            "ReservationId": "r-0433f26b704769217",
            "Groups": [],
            "OwnerId": "<AWSアカウントID>"
        }
    ]
}

EC2インスタンスの情報をAWS CLIで確認できました。

クレデンシャルヘルパーツールのコマンドを~/.aws/configに登録してAWS CLIを叩けるかも確認します。

事前に認証情報の環境変数はクリアしておきます。

# 環境変数をクリア
$ unset AWS_ACCESS_KEY_ID
$ unset AWS_SECRET_ACCESS_KEY
$ unset AWS_SESSION_TOKEN

# 環境変数がクリアされたことを確認
$ echo $AWS_ACCESS_KEY_ID

$ echo $AWS_SECRET_ACCESS_KEY

$ echo $AWS_SESSION_TOKEN

クレデンシャルヘルパーツールのコマンドを~/.aws/configに登録します。credential_processに指定するコマンドは、実行時のカレントディレクトリに依存しないよう絶対パスで指定するのが無難です。

# ディレクトリの作成
$ mkdir ~/.aws

# ~/.aws/config の作成
$ vi ~/.aws/config

# ~/.aws/config の内容の確認
$ cat ~/.aws/config
[default]
credential_process = ./aws_signing_helper credential-process
  --certificate /usr/bin/newcert.pem
  --private-key /usr/bin/cert.key
  --trust-anchor-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e
  --profile-arn arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5
  --role-arn arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role

~/.aws/credentialsがない状態でAssume Roleできることを確認します。

# ~/.aws/credentials がないことを確認
$ ls -l ~/.aws
total 4
-rw-r--r-- 1 ssm-user ssm-user 431 Jul 12 05:44 config

# Assume Roleできることを確認
$ aws sts get-caller-identity
{
    "Account": "<AWSアカウントID>",
    "UserId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
    "Arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5"
}

作成したiam-roles-anyware-roleにAssume Roleできることを確認できました。

CloudTrailで確認すると、以下のようにCreateSessionイベントが記録されていました。userAgentがCredHelper/1.0.0 (go1.18.2; linux; amd64)であることから、クレデンシャルヘルパーツールからのアクセスであることが分かります。また、sourceIdentityに証明書のCN(CN=iam-roles-anyware-instance)が記録されるため、どの証明書で取得したセッションかを追跡できます。

{
  "eventVersion": "1.08",
  "userIdentity": {
      "type": "Unknown",
      "principalId": "",
      "arn": "",
      "accountId": "<AWSアカウントID>",
      "accessKeyId": "",
      "userName": ""
  },
  "eventTime": "2022-07-12T08:32:10Z",
  "eventSource": "rolesanywhere.amazonaws.com",
  "eventName": "CreateSession",
  "awsRegion": "us-east-1",
  "sourceIPAddress": "3.239.222.193",
  "userAgent": "CredHelper/1.0.0 (go1.18.2; linux; amd64)",
  "requestParameters": {
      "cert": "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",
      "durationSeconds": 3600,
      "profileArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:profile/cdc56346-c267-4d99-a833-dee00070f1b5",
      "roleArn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
      "trustAnchorArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:trust-anchor/5c50d4aa-8d0e-44d3-97d5-e26151d0bb2e"
  },
  "responseElements": {
      "credentialSet": [
          {
              "assumedRoleUser": {
                  "arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
                  "assumedRoleId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5"
              },
              "credentials": {
                  "accessKeyId": "ASIA6KUFAVPUSIOVTSM4",
                  "expiration": "2022-07-12T09:32:10Z",
                  "secretAccessKey": "HIDDEN_DUE_TO_SECURITY_REASONS",
                  "sessionToken": "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"
              },
              "packedPolicySize": 55,
              "roleArn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
              "sourceIdentity": "CN=iam-roles-anyware-instance"
          }
      ],
      "subjectArn": "arn:aws:rolesanywhere:us-east-1:<AWSアカウントID>:subject/6334a30e-14fd-4fc5-9262-6e67267c42dc",
      "x509Subject": "C=JP,ST=Tokyo,L=Default City,O=Default Company Ltd,CN=iam-roles-anyware-instance"
  },
  "requestID": "fae5107a-30ed-4216-af36-62baef51824c",
  "eventID": "7a0e47fd-07b8-47d8-9e21-c805a76e4d3e",
  "readOnly": false,
  "eventType": "AwsApiCall",
  "managementEvent": true,
  "recipientAccountId": "<AWSアカウントID>",
  "eventCategory": "Management",
  "tlsDetails": {
      "tlsVersion": "TLSv1.2",
      "cipherSuite": "ECDHE-RSA-AES128-GCM-SHA256",
      "clientProvidedHostHeader": "rolesanywhere.us-east-1.amazonaws.com"
  }
}

それでは、AWS CLIでEBSボリュームの情報を確認してみます。

$ aws ec2 describe-volumes \
    --filters Name=attachment.instance-id,Values=i-0fd11c3a1398908bb \
    --region us-east-1
{
    "Volumes": [
        {
            "AvailabilityZone": "us-east-1b",
            "Attachments": [
                {
                    "AttachTime": "2022-07-12T02:19:54.000Z",
                    "InstanceId": "i-0fd11c3a1398908bb",
                    "VolumeId": "vol-0b0d9d6737487a8cf",
                    "State": "attached",
                    "DeleteOnTermination": true,
                    "Device": "/dev/xvda"
                }
            ],
            "Encrypted": false,
            "VolumeType": "gp3",
            "VolumeId": "vol-0b0d9d6737487a8cf",
            "State": "in-use",
            "Iops": 3000,
            "SnapshotId": "snap-08f1069dfde2007ba",
            "CreateTime": "2022-07-12T02:19:54.234Z",
            "MultiAttachEnabled": false,
            "Size": 8
        }
    ]
}

確かに、AWS CLIでEBSボリュームの情報を確認できました。

CloudTrailで確認すると、以下のようにDescribeVolumesイベントが記録されていました。invokedByがrolesanywhere.amazonaws.comであることから、IAM Roles Anywhereのプロファイルを使った操作であることが分かります。

{
    "eventVersion": "1.08",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "AROA6KUFAVPUU5M2Q3OWY:00c951f2e3015184c5",
        "arn": "arn:aws:sts::<AWSアカウントID>:assumed-role/iam-roles-anyware-role/00c951f2e3015184c5",
        "accountId": "<AWSアカウントID>",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "AROA6KUFAVPUU5M2Q3OWY",
                "arn": "arn:aws:iam::<AWSアカウントID>:role/iam-roles-anyware-role",
                "accountId": "<AWSアカウントID>",
                "userName": "iam-roles-anyware-role"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "2022-07-12T08:32:10Z",
                "mfaAuthenticated": "false"
            },
            "sourceIdentity": "CN=iam-roles-anyware-instance"
        },
        "invokedBy": "rolesanywhere.amazonaws.com"
    },
    "eventTime": "2022-07-12T08:32:10Z",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeVolumes",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "rolesanywhere.amazonaws.com",
    "userAgent": "rolesanywhere.amazonaws.com",
    "requestParameters": {
        "volumeSet": {},
        "filterSet": {
            "items": [
                {
                    "name": "attachment.instance-id",
                    "valueSet": {
                        "items": [
                            {
                                "value": "i-0fd11c3a1398908bb"
                            }
                        ]
                    }
                }
            ]
        }
    },
    "responseElements": null,
    "requestID": "86bf8acb-d85c-4f9f-b412-971ff4e5f4db",
    "eventID": "6bb32c87-5f95-4a27-8565-6efc3b6b44f7",
    "readOnly": true,
    "eventType": "AwsApiCall",
    "managementEvent": true,
    "recipientAccountId": "<AWSアカウントID>",
    "eventCategory": "Management"
}

OpenSSLで作った自己署名証明書でもIAM Roles Anywhereは使える

OpenSSLで作った自己署名証明書でIAM Roles Anywhereを使ってみました。

証明書と秘密鍵さえあれば認証情報を入手できる、これぞIAM Roles Anywhereという感じで非常に面白かったです。

ちなみにIAM Roles Anywhereのプロファイルや信頼アンカーを削除すると、以下のようにエラーを出力するようになりました。

# プロファイルを削除した場合
$ aws sts get-caller-identity
Error when retrieving credentials from custom-process: 2022/07/12 08:45:43 ResourceNotFoundException: Profile not found.

# 信頼アンカーを削除した場合
$ aws sts get-caller-identity

Error when retrieving credentials from custom-process: 2022/07/12 08:47:15 AccessDeniedException: Specified Trust Anchor wasn't found.

上述のようなエラーが出力された場合は、IAM Roles Anywhereの設定が不足している可能性があります。

この記事が誰かの助けになれば幸いです。

以上、AWS事業本部 コンサルティング部の のんピ(@non____97)でした!