
IAM Roles Anywhere

Teleport Built and Supported

Secure and Simplify IAM Roles Anywhere RBAC and Audit with Teleport

Experience unparalleled security and ease in managing IAM Roles Anywhere with Teleport.
Protect your data like never before!

Yes, Teleport works with AWS Roles Anywhere. Teleport's Workload Identity feature can be used in conjunction with AWS Roles Anywhere to allow workloads to securely authenticate with AWS services without using long-lived credentials.[1]

Teleport Workload Identity issues flexible short-lived identities in X.509 certificates, which AWS Roles Anywhere can use for authentication to AWS services. This is particularly useful for machines that need to securely authenticate with AWS services without using long-lived credentials. To use Teleport with AWS Roles Anywhere, you need to follow these general steps:

  • Configure AWS Roles Anywhere
  • Configure Teleport RBAC
  • Issue Workload ID certificates
  • Configure the AWS CLI and SDKs to use Roles Anywhere for authentication

For example, to configure Teleport RBAC, you would create a role like this:

```yaml
kind: role
version: v6
metadata:
  name: my-workload-roles-anywhere
spec:
  allow:
    spiffe:
      - path: /svc/example-service
```

This configuration allows Teleport to issue X.509 certificates containing the specified SPIFFE ID, which can then be used with AWS Roles Anywhere.
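The AWS side of the same setup, as an added example that is not taken from this page or from Teleport's own documentation: an IAM role trust policy that lets Roles Anywhere assume the role only for a certificate validated through a specific trust anchor and carrying the SPIFFE ID issued by the role above, so a certificate for any other workload signed by the same CA is refused. The trust domain `example.teleport.sh`, `REGION`, `ACCOUNT_ID` and `TRUST_ANCHOR_ID` are placeholders you replace with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowOnlyExampleServiceViaRolesAnywhere",
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "ArnEquals": {
          "aws:SourceArn": "arn:aws:rolesanywhere:REGION:ACCOUNT_ID:trust-anchor/TRUST_ANCHOR_ID"
        },
        "StringEquals": {
          "aws:PrincipalTag/x509SAN/URI": "spiffe://example.teleport.sh/svc/example-service"
        }
      }
    }
  ]
}
```

The `aws:SourceArn` condition pins the role to the trust anchor that holds the Teleport Workload Identity CA, and the `x509SAN/URI` principal tag is populated by Roles Anywhere from the certificate's URI SAN, which is where Teleport places the SPIFFE ID.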

It's important to note that this implementation differs from using the Teleport Application Service to protect AWS APIs in a few ways:

  • Requests to AWS are not proxied through the Teleport Proxy Service, resulting in reduced latency but also less visibility in Teleport's audit log.
  • Workload ID works with any AWS client, including the command-line tool and SDKs.
  • This method can be used when a machine needs to authenticate with AWS, unlike the Teleport Application Service approach.

To use this feature, you need a Teleport cluster version 16.0.4 or above, and you'll need to configure both Teleport and AWS Roles Anywhere appropriately.[2]
