Description
Case:
Discover Consul servers in AWS via AWS IAM Roles Anywhere for Consul agents outside of AWS.
Example:
Currently, the AWS CLI is able to use AWS_CONFIG_FILE with the aws_signing_helper binary as a credential_process:

```ini
[profile roles-anywhere]
credential_process = C:/consul/bin/aws_signing_helper.exe credential-process --certificate "" --private-key "" --trust-anchor-arn "" --profile-arn "" --role-arn ""
```

```powershell
# works
$env:AWS_CONFIG_FILE='C:/consul/roles_anywhere_config'
$env:AWS_PROFILE='roles-anywhere'
aws ec2 describe-instances
```
Currently, Consul supports AWS_SHARED_CREDENTIALS_FILE (https://developer.hashicorp.com/consul/docs/deploy/server/cloud-auto-join#authentication-precedence), which doesn't support credential_process, but the AWS CLI does, for example:

```ini
[roles-anywhere]
credential_process = C:/consul/bin/aws_signing_helper.exe credential-process --certificate "" --private-key "" --trust-anchor-arn "" --profile-arn "" --role-arn ""
```

```powershell
$env:AWS_SHARED_CREDENTIALS_FILE='C:/consul/roles_anywhere_credentials'
$env:AWS_PROFILE='roles-anywhere'
aws ec2 describe-instances
```
Advantages:
Use temporary credentials from AWS IAM Roles Anywhere instead of static AWS IAM User credentials to call EC2 API.
Options:
Either one of the options can be implemented:
- Support for AWS_CONFIG_FILE and the credential_process parameter in go-discover (running external scripts, etc.)
- Mimic the functionality of https://github.com/aws/rolesanywhere-credential-helper in go-discover. Also, retry_join (https://developer.hashicorp.com/consul/docs/deploy/server/cloud-auto-join#aws-ec2-and-ecs) could be extended with:

```hcl
retry_join ["provider=aws certificate= private-key= trust-anchor-arn= profile-arn= role-arn="]
```

- Support for credential_process in AWS_SHARED_CREDENTIALS_FILE
Links:
https://docs.aws.amazon.com/sdkref/latest/guide/access-rolesanywhere.html
https://docs.aws.amazon.com/sdkref/latest/guide/feature-process-credentials.html
https://docs.aws.amazon.com/rolesanywhere/latest/userguide/credential-helper.html#credential-helper-credential-process
https://github.com/aws/rolesanywhere-credential-helper
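As an added illustration of the first option (this is example code written for this page, not code from Consul, go-discover or the AWS credential helper), the block below implements the credential_process contract in Go: run the configured command, read the JSON it prints to stdout (`Version` must be 1, `AccessKeyId` and `SecretAccessKey` are required, `SessionToken` and an RFC 3339 `Expiration` are optional), and reject unknown versions, missing keys and already-expired credentials before anything is handed to the EC2 API. The `Credentials` type, the function names, the sample JSON document and the whitespace-only command splitting are assumptions made here; the AWS CLI applies shell-style quoting to the command line, which a production implementation would need to match.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"os/exec"
	"strings"
	"time"
)

// credentialProcessOutput is the JSON document a credential_process program
// prints to stdout, as documented in the AWS SDK "process credentials" spec.
type credentialProcessOutput struct {
	Version         int    `json:"Version"`
	AccessKeyId     string `json:"AccessKeyId"`
	SecretAccessKey string `json:"SecretAccessKey"`
	SessionToken    string `json:"SessionToken,omitempty"`
	Expiration      string `json:"Expiration,omitempty"`
}

// Credentials is the (hypothetical) shape a discovery provider would hand to
// the AWS SDK after a successful credential_process run.
type Credentials struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	Expires         time.Time // zero when the credentials do not expire
}

// ParseCredentialProcessOutput validates and converts the JSON emitted by a
// credential_process program. Expired credentials are rejected up front so the
// caller never retries EC2 calls with material that is already dead.
func ParseCredentialProcessOutput(raw []byte, now time.Time) (Credentials, error) {
	var out credentialProcessOutput
	if err := json.Unmarshal(raw, &out); err != nil {
		return Credentials{}, fmt.Errorf("credential_process: invalid JSON: %w", err)
	}
	if out.Version != 1 {
		return Credentials{}, fmt.Errorf("credential_process: unsupported Version %d (want 1)", out.Version)
	}
	if out.AccessKeyId == "" || out.SecretAccessKey == "" {
		return Credentials{}, errors.New("credential_process: AccessKeyId and SecretAccessKey are required")
	}
	creds := Credentials{
		AccessKeyID:     out.AccessKeyId,
		SecretAccessKey: out.SecretAccessKey,
		SessionToken:    out.SessionToken,
	}
	if out.Expiration != "" {
		exp, err := time.Parse(time.RFC3339, out.Expiration)
		if err != nil {
			return Credentials{}, fmt.Errorf("credential_process: bad Expiration %q: %w", out.Expiration, err)
		}
		if !exp.After(now) {
			return Credentials{}, fmt.Errorf("credential_process: credentials expired at %s", exp.Format(time.RFC3339))
		}
		creds.Expires = exp
	}
	return creds, nil
}

// RunCredentialProcess executes the configured command with a timeout and
// parses its stdout. Splitting on whitespace is a simplification for this
// example; the AWS CLI uses shell-style quoting for the command line.
func RunCredentialProcess(ctx context.Context, commandLine string) (Credentials, error) {
	fields := strings.Fields(commandLine)
	if len(fields) == 0 {
		return Credentials{}, errors.New("credential_process: empty command")
	}
	ctx, cancel := context.WithTimeout(ctx, 30*time.Second)
	defer cancel()
	cmd := exec.CommandContext(ctx, fields[0], fields[1:]...)
	// Output captures stdout; on failure stderr is available in *exec.ExitError.
	stdout, err := cmd.Output()
	if err != nil {
		return Credentials{}, fmt.Errorf("credential_process: %w", err)
	}
	return ParseCredentialProcessOutput(stdout, time.Now())
}

// SampleOutput is a constructed credential_process document with placeholder
// values; it is not a real credential.
const SampleOutput = `{"Version":1,"AccessKeyId":"ASIAEXAMPLE","SecretAccessKey":"secretexample","SessionToken":"tokenexample","Expiration":"2030-01-01T00:00:00Z"}`

func main() {
	creds, err := ParseCredentialProcessOutput([]byte(SampleOutput), time.Now())
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("access key %s, session token present: %t, expires %s\n",
		creds.AccessKeyID, creds.SessionToken != "", creds.Expires.Format(time.RFC3339))
}
```

The `Expires` value is what a provider would use to decide when to re-run the process before the next EC2 describe-instances call; without it, Consul would either re-run the helper on every lookup or keep using a token that STS has already rejected.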