
Sam Coyle | December 13, 2024

Revolutionizing AWS Authentication in Catalyst with IAM Roles Anywhere

Learn how IAM Roles Anywhere and SPIFFE authentication eliminate static credentials, streamline role management, and enhance your security posture.

Introduction

In distributed applications, implementing secure service-to-service communication, stateful workflows, state management, and pub/sub messaging can prove to be a complex challenge. Diagrid Catalyst was created to simplify these complexities by providing developer APIs built on the open-source Dapr project.

Most of the APIs hosted by Catalyst require external infrastructure to function, such as a message broker for pub/sub, a key/value store for state management, or external services for bindings. Today, Catalyst supports connecting the APIs to over 30 infrastructure targets through Component resources which expose several authentication options for establishing connectivity to a target service.

As part of our first Diagrid Launch Week, we’re thrilled to announce support for IAM Roles Anywhere—a secure, dynamic authentication mechanism for all AWS component targets. This blog explores how it works, why it matters, and how to start using it today.

The Problem: Moving Beyond Static Credentials

Until now, onboarding AWS components in Catalyst required providing sensitive credentials like access keys and secrets. While securely stored and encrypted, static credentials introduce several issues:

  • Increased risk of human error and credential leakage
  • Compliance complexity with security best practices
  • Operational burdens of managing and rotating secrets

To tackle these challenges, we reimagined how Catalyst connects to AWS services. While solutions like IAM Roles for Service Accounts (IRSA) address authentication within AWS-managed Kubernetes, we wanted a more flexible solution that extends beyond AWS. Enter IAM Roles Anywhere.

What is IAM Roles Anywhere?

IAM Roles Anywhere extends AWS IAM role-based authentication to applications running outside AWS. Using trust relationships anchored in cryptographically signed certificates, it eliminates the need for static credentials. Instead, workloads can securely assume roles with short-lived, automatically rotated credentials.

Image credits to: https://medium.com/@rajdeep.617/aws-iam-roles-anywhere-bye-bye-iam-secrets-202a8b33ca55

For Catalyst, this aligns perfectly with our goal of modern, secure, and scalable authentication. By leveraging SPIFFE IDs provided by Dapr’s Sentry PKI, we’ve integrated IAM Roles Anywhere into Catalyst to deliver seamless AWS authentication.

How IAM Roles Anywhere Works

To configure IAM Roles Anywhere with Catalyst, you need to set up the following AWS IAM resources:

  1. Trust Anchor: Links an external certificate authority (CA) to an AWS account to establish trust.
  2. IAM Role: Defines permissions for authenticated applications.
  3. Profile: Connects the trust anchor to workloads, specifying roles that can be assumed.

Here’s a high-level workflow for Catalyst users:

  1. Define a Trust Anchor: Diagrid’s public CA at https://pem.trust.diagrid.io/ is registered as a trust anchor in your AWS account.
  2. Create a Trust Profile: Links the trust anchor to specific workloads.
  3. Establish Role Trust: SPIFFE IDs for Catalyst App IDs are linked to IAM roles through trust policies.
  4. Configure Authentication in Catalyst: Use the IAM Roles Anywhere profile in the Catalyst UI or CLI for AWS components.
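The trust relationship in step 3 is what keeps a trust anchor from becoming a blanket grant: the role's trust policy must be scoped to the trust anchor ARN and to the SPIFFE ID carried in the certificate's SAN URI, otherwise any workload certified by the same CA could assume the role. The following added example (not Diagrid's or Dapr's code) builds that trust policy and evaluates, offline, which presented identities it admits. The trust anchor ARN, account ID and SPIFFE ID are constructed placeholders, the Dapr-style `spiffe://<trust-domain>/ns/<namespace>/<app-id>` layout is an assumption, and the condition keys `aws:SourceArn` and `aws:PrincipalTag/x509SAN/URI` are the ones AWS documents for Roles Anywhere sessions.

```python
"""Added example (not Diagrid's or Dapr's code): builds the IAM role trust
policy from step 3 of the workflow and evaluates offline which certificate
identities it would admit. ARNs, account IDs and the SPIFFE ID are constructed
placeholders; the condition keys follow the AWS-documented Roles Anywhere
session-tag names (aws:SourceArn, aws:PrincipalTag/x509SAN/URI)."""
import fnmatch
import json
import re

# Constructed placeholders: substitute the ARN of the trust anchor you created
# for Diagrid's CA and the SPIFFE ID of your Catalyst App ID.
TRUST_ANCHOR_ARN = "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/EXAMPLE-TA-ID"
APP_SPIFFE_ID = "spiffe://example.trust.domain/ns/default/orders-api"  # assumed Dapr-style format

# SPIFFE ID shape per the SPIFFE standard: spiffe://<trust-domain>/<path>.
_TRUST_DOMAIN = re.compile(r"^[a-z0-9._-]+$")
_PATH_SEGMENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_valid_spiffe_id(uri: str) -> bool:
    """True when uri is a well-formed SPIFFE ID: spiffe scheme, trust domain,
    non-empty path with no '.' or '..' segments, and no query or fragment."""
    if not uri.startswith("spiffe://") or any(c in uri for c in "?#"):
        return False
    rest = uri[len("spiffe://"):]
    domain, sep, path = rest.partition("/")
    if not sep or not _TRUST_DOMAIN.match(domain) or not path:
        return False
    return all(_PATH_SEGMENT.match(s) and s not in (".", "..") for s in path.split("/"))


def build_role_trust_policy(trust_anchor_arn: str, spiffe_id: str) -> dict:
    """Trust policy that lets IAM Roles Anywhere assume the role only for
    certificates chained to the named trust anchor whose SAN URI is exactly
    the given SPIFFE ID. Scoping on both keys is what stops every workload
    certified by the same CA from assuming the role."""
    if not is_valid_spiffe_id(spiffe_id):
        raise ValueError(f"not a SPIFFE ID: {spiffe_id}")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": "rolesanywhere.amazonaws.com"},
            "Action": ["sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"],
            "Condition": {
                "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                "StringEquals": {"aws:PrincipalTag/x509SAN/URI": spiffe_id},
            },
        }],
    }


def _cond_matches(expected, actual: str, wildcard: bool) -> bool:
    """IAM condition values may be a string or a list; a list matches if any
    element does. ArnEquals behaves like ArnLike and accepts * and ? wildcards."""
    values = expected if isinstance(expected, list) else [expected]
    return any(fnmatch.fnmatchcase(actual, v) if wildcard else actual == v for v in values)


def would_admit(policy: dict, presented_anchor_arn: str, presented_spiffe_id: str) -> bool:
    """Offline approximation of the trust-policy check: an Allow statement for
    rolesanywhere.amazonaws.com admits the request only when every ArnEquals
    and StringEquals condition matches the presented trust anchor and SAN URI.
    Only these two operators are modelled; real IAM evaluation also applies
    Deny statements and further condition keys."""
    context = {
        "aws:SourceArn": presented_anchor_arn,
        "aws:PrincipalTag/x509SAN/URI": presented_spiffe_id,
    }
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Service") != "rolesanywhere.amazonaws.com":
            continue
        cond = stmt.get("Condition", {})
        ok = all(_cond_matches(v, context.get(k, ""), wildcard=True)
                 for k, v in cond.get("ArnEquals", {}).items())
        ok = ok and all(_cond_matches(v, context.get(k, ""), wildcard=False)
                        for k, v in cond.get("StringEquals", {}).items())
        if ok:
            return True
    return False


if __name__ == "__main__":
    policy = build_role_trust_policy(TRUST_ANCHOR_ARN, APP_SPIFFE_ID)
    print(json.dumps(policy, indent=2))
    print("same app:", would_admit(policy, TRUST_ANCHOR_ARN, APP_SPIFFE_ID))
    print("other app, same CA:",
          would_admit(policy, TRUST_ANCHOR_ARN, "spiffe://example.trust.domain/ns/default/other"))
```

The second `would_admit` call is the case worth testing in your own account: a different App ID whose certificate chains to the same Diagrid CA must be rejected, which only happens because the policy conditions on the SAN URI and not merely on the trust anchor.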

Catalyst’s Integration: A Unified Authentication Profile

Dapr powers Catalyst’s architecture, and IAM Roles Anywhere adds to its extensive authentication capabilities. Previously, AWS components such as DynamoDB, S3, and Kafka each relied on static credentials or on disparate role-assumption mechanisms.

By contributing the IAM Roles Anywhere authentication profile to upstream Dapr, we’ve unified AWS authentication for all AWS components. This profile offers:

  • Standardized authentication across components
  • Dynamic, short-lived credential sessions (rotated every 8 minutes)
  • Simplified migration paths for existing configurations
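Short-lived sessions only pay off if the consumer renews them before they lapse and refuses to use a session that has already expired. The following added example (not Dapr's or Catalyst's implementation) shows a refresh-ahead cache for the sessions such a profile issues, driven through one 8-minute rotation as stated in the post. The one-minute refresh margin, the injected clock and the fake session issuer are constructed for illustration; a real fetcher would call the Roles Anywhere credential helper or SDK instead.

```python
"""Added example (not Dapr's or Catalyst's implementation): a refresh-ahead
cache for short-lived Roles Anywhere sessions, stepped through the 8-minute
rotation described in the post. The refresh margin, the injected clock and the
fake issuer are constructed for illustration."""
import threading
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, List, Optional, Tuple

SESSION_LIFETIME = timedelta(minutes=8)   # rotation interval stated in the post
REFRESH_MARGIN = timedelta(minutes=1)     # assumed: renew once under a minute remains
START = datetime(2024, 12, 13, tzinfo=timezone.utc)  # constructed epoch for the simulation


@dataclass(frozen=True)
class Session:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime


class RotatingCredentials:
    """Hands out a session with at least REFRESH_MARGIN of life left, fetching a
    new one ahead of expiry. The lock makes the refresh single-flight so that
    concurrent callers do not each trigger their own AssumeRole."""

    def __init__(self, fetch: Callable[[], Session],
                 now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._fetch = fetch
        self._now = now
        self._lock = threading.Lock()
        self._current: Optional[Session] = None
        self.refresh_count = 0

    def _needs_refresh(self) -> bool:
        return self._current is None or self._current.expiration - self._now() <= REFRESH_MARGIN

    def get(self) -> Session:
        with self._lock:
            if self._needs_refresh():
                fresh = self._fetch()
                # Fail closed: never hand out a session that is already expired.
                if fresh.expiration <= self._now():
                    raise RuntimeError("issued session is already expired; check clock skew")
                self._current = fresh
                self.refresh_count += 1
            return self._current


class FakeClock:
    """Constructed deterministic clock so the rotation can be stepped by hand."""
    def __init__(self, start: datetime):
        self.t = start


def fake_issuer(clock: FakeClock) -> Callable[[], Session]:
    """Constructed stand-in for the Roles Anywhere credential exchange: every call
    yields a new 8-minute session with placeholder (non-secret) material."""
    counter = {"n": 0}

    def fetch() -> Session:
        counter["n"] += 1
        n = counter["n"]
        return Session(f"ASIAEXAMPLE{n:04d}", "constructed-secret",
                       f"constructed-token-{n}", clock.t + SESSION_LIFETIME)
    return fetch


def simulate_rotation() -> List[Tuple[int, int]]:
    """Drives the cache through one lifetime and records (minutes elapsed,
    refresh count): the session is reused until one minute remains, then a
    fresh one is fetched before the old one expires."""
    clock = FakeClock(START)
    creds = RotatingCredentials(fake_issuer(clock), now=lambda: clock.t)
    observed = []
    for minutes in (0, 4, 6, 7, 8):
        clock.t = START + timedelta(minutes=minutes)
        creds.get()
        observed.append((minutes, creds.refresh_count))
    return observed


def rejects_expired_session() -> bool:
    """Shows the fail-closed path: an issuer returning an already-expired session."""
    clock = FakeClock(START)

    def stale() -> Session:
        return Session("ASIAEXAMPLE0000", "constructed-secret", "stale",
                       clock.t - timedelta(seconds=1))
    try:
        RotatingCredentials(stale, now=lambda: clock.t).get()
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    print(simulate_rotation())          # [(0, 1), (4, 1), (6, 1), (7, 2), (8, 2)]
    print(rejects_expired_session())    # True
```

The second refresh happens at minute 7, not minute 8: renewing inside the margin means callers never observe a gap, while the fail-closed check guards against a skewed host clock silently handing out dead credentials.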

Additionally, we refactored the AWS code in Dapr’s Components Contrib, enhancing maintainability and adding robust test coverage.

Why IAM Roles Anywhere is a Game-Changer

This new authentication mechanism brings significant benefits:

  • Eliminates Static Credentials: Reduces the risk of leakage by removing the need for long-term credentials.
  • Enhanced Security: Short-lived credentials and trust-based authentication improve compliance and minimize vulnerabilities.
  • Simplifies Operations: Catalyst integrates with AWS authentication seamlessly, so developers can focus on building.
  • Supports Identity Standardization: SPIFFE IDs provide human-readable identities, ensuring consistency across cloud providers and enabling better tracing and auditing.
  • Empowers the Ecosystem: Our contributions to Dapr extend these benefits to the broader developer community.

Conclusion

The integration of IAM Roles Anywhere with SPIFFE-based authentication in Catalyst marks a major leap forward in secure and scalable AWS connectivity. By eliminating static credentials and leveraging PKI-based trust systems, we provide developers with an unmatched combination of simplicity, security, and flexibility. The Catalyst product team demonstrated this functionality in a recent webinar.

This is just the beginning—we’re exploring similar innovations for other cloud providers and welcome your feedback as we continue to enhance Catalyst.

Learn more about configuring IAM Roles Anywhere in Catalyst by visiting our documentation.