AWS IAM Authenticator

The AWS IAM Authenticator (IAM Authenticator) allows an AWS resource to use its AWS IAM role to authenticate with Conjur. This approach enables EC2 instances and Lambda functions to access credentials stored in Conjur.

To learn more, see IAM roles in the AWS Documentation.

Configure the IAM Authenticator

This section describes how to set up the IAM Authenticator.

Authentication flow

After you have configured the IAM Authenticator and have granted permissions, let's explore the authentication flow of an EC2 instance or a Lambda function:

  1. The instance or function starts, assuming the IAM role was provided.

  2. From the instance or function, generate a signed request to the STS service to get the identity of the requestor. This request is signed using the instance or function's access key. The signed request is valid for five minutes.

    The example below shows how a signed request is generated (using Ruby):

    require 'aws-sigv4'
    require 'aws-sdk'
    request =
      service: 'sts',
      region: 'us-east-1',
      http_method: 'GET',
      url: ''
  3. Using the signed request, the instance or function authenticates with a Conjur using the following:

    require 'conjur-api'
    Conjur.configuration.account = 'my-account'
    Conjur.configuration.appliance_url = ''
    Conjur.configuration.cert_file = '<cert>/<path>/conjur-yourorg.pem'
    conjur = Conjur::API.new_from_key 'host/aws/011915987442:assumed-role/MyApp', request.to_json
  4. When Conjur receives this authentication request, it performs the following:

    1. Validates the host, myspace/011915987442/MyApp, has permission to authenticate using the prod IAM Authenticator.

    2. Extracts the signed request from the POST body.

    3. Creates a request to the AWS STS service, using the provided signed request as its header.

    4. If the STS request is successful, the requesting instance or function's IAM role is returned. The role is validated against the requesting role. If the two roles match, an access token is returned.

      Below is an example of a successful STS response:

      <GetCallerIdentityResponse xmlns=\"\">

Troubleshooting AWS IAM authentication

Authentication may fail for any of the following reasons - in each case, a 401 Unauthorized response is returned:

  • Signed request is invalid (signed by an unknown AWS Access Key or on that is older than 5 minutes)

  • Role ARN from the signed request does not match the Conjur host ARN

  • Conjur host does not have permission to authenticate using the IAM Authenticator