Authenticate AWS resources

AWS resources can use their AWS IAM roles to authenticate to Conjur Cloud using Conjur Cloud's AWS IAM Authenticator.

To learn more about IAM roles, see the AWS documentation.

Supported AWS resources

All AWS resources that support IAM roles.

Supported integration

You can use the Conjur AWS IAM Client for Python to create an instantiated Python3 client, which uses the AWS IAM Authenticator (IAM Authenticator) to authenticate with Conjur Cloud. For more information, see Conjur AWS IAM Client for Python.

How it works

This section describes the authentication flow of an AWS resource to Conjur Cloud:

When the AWS workload starts, and assuming the IAM role was provided:

  1. The AWS workload sends an authentication request to Conjur Cloud, with the session credentials in the body.

  2. Conjur Cloud sends a GetCallerIdentity request to the STS on behalf of the workload, based on the provided session credentials.

  3. The STS sends the caller identity to Conjur Cloud.

  4. Conjur Cloud validates the caller identity against the workload ID in Conjur Cloud.

  5. Conjur Cloud sends a Conjur access token.

  6. The AWS workload uses the access token to retrieve secrets from Conjur Cloud.