Obtaining connection values for Amazon S3 (AWS PKI)

About this task

Use these instructions to obtain the connection values for the AWS PKI authentication type for Amazon S3. You can obtain the client certificate and private key by using either OpenSSL or AWS Private Certificate Authority (AWS Private CA).

Procedure

  1. To obtain the client certificate and the client private key by using OpenSSL, complete the following steps:
    Important: Ensure that OpenSSL is installed on your system.
    1. Open a terminal.
    2. Run the following commands to create a workspace for the certificate files.
      mkdir -p ~/rolesanywhere-ca
      cd ~/rolesanywhere-ca
    3. Create a file that is named openssl.cnf in the certificate workspace directory by using a text editor.
    4. Paste the following minimal OpenSSL configuration into the file and save it:
      [ req ]
      default_bits       = 2048
      distinguished_name = req_distinguished_name
      x509_extensions    = v3_ca
      prompt             = no
      
      [ req_distinguished_name ]
      C  = US
      ST = California
      L  = San Francisco
      O  = MyCompany
      OU = DevOps
      CN = MyRolesAnywhereCA
      
      [ v3_ca ]
      basicConstraints = critical, CA:TRUE
      keyUsage = critical, keyCertSign, cRLSign
      subjectKeyIdentifier = hash
      authorityKeyIdentifier = keyid:always,issuer
    5. Generate the CA private key.
      openssl genrsa -out ca.key 2048
    6. Generate the self-signed CA certificate.
      openssl req -x509 -new -nodes \
        -key ca.key \
        -sha256 \
        -days 3650 \
        -out ca.pem \
        -config openssl.cnf
      
      # The self-signed CA certificate is valid for 10 years

      The ca.pem file is the root CA certificate.

    7. Upload the content of the generated ca.pem file to the AWS Management Console when you create a trust anchor in step 3.
    8. Create an OpenSSL configuration file named leaf.cnf for the client (leaf) certificate.
    9. Paste the following minimal OpenSSL configuration content into the file and save it:
      [ req ]
      default_bits       = 2048
      distinguished_name = req_distinguished_name
      req_extensions     = v3_req
      prompt             = no
      
      [ req_distinguished_name ]
      C  = US
      ST = California
      L  = San Francisco
      O  = MyCompany
      OU = DevOps
      CN = MyAppLeafCert
      
      [ v3_req ]
      basicConstraints = critical, CA:FALSE
      keyUsage = critical, digitalSignature, keyEncipherment
      extendedKeyUsage = clientAuth
      subjectKeyIdentifier = hash
    10. Generate the client private key.
      openssl genrsa -out leaf.key 2048
    11. Generate the Certificate Signing Request (CSR).
      openssl req -new \
        -key leaf.key \
        -out leaf.csr \
        -config leaf.cnf
    12. Copy and save the leaf.key file securely. This is your Client private key value.
    13. Sign the client certificate by using the CA.
      openssl x509 -req \
        -in leaf.csr \
        -CA ca.pem \
        -CAkey ca.key \
        -CAcreateserial \
        -out leaf.pem \
        -days 365 \
        -sha256 \
        -extfile leaf.cnf \
        -extensions v3_req
    14. Copy and save the leaf.pem file securely. This is your Client certificate value.
    Tip: You can encrypt the files if necessary.
  2. To obtain the client certificate and the client private key by using AWS Private Certificate Authority, complete the following steps:
    1. Log in to your AWS Management Console.
    2. Go to AWS Private Certificate Authority.
    3. Click the Create a private CA button.
    4. Select the mode that you require from Mode options.
    5. In CA type options, select Root as the type.
    6. Enter the Subject distinguished name options values as required.
    7. In the Key algorithm options section, select the key algorithm and the algorithm strength as required.
    8. In Certificate revocation options, select the method that you require.
    9. Click the Create CA button.
      Note: For detailed information about creating a private certificate authority, see Create a private CA in AWS Private CA in the AWS documentation.
    10. Select the certificate authority that you created.
    11. Go to Actions > Install CA certificate.
    12. In Specify the root CA certificate parameters, specify your certificate parameters.
    13. Review the settings, and then click Confirm and Install.
      Note: For detailed information about installing a CA certificate, see Installing the CA certificate in the AWS documentation.
    14. Go to AWS Certificate Manager in your Amazon console.
    15. Click the Request a certificate button.
    16. In Certificate type, select Request a private certificate.
    17. In Certificate authority, select the private certificate authority that you created in step 2.9.
    18. Enter a name in the Domain names section.
    19. Select the Key algorithm that you require.
    20. Click the Request button.
    21. To export the certificate, select the certificate ID that you created.
    22. Click the Export button.
    23. Enter and confirm a passphrase. This is your Client key password value for the private key.
    24. Click the Generate PEM Encoding button.
    25. Download and save the exported certificate. This is your Client certificate value.
    26. Download and save the exported private key. This is your Private key value.
  3. To obtain the trust anchor ARN value, complete the following steps:
    1. Log in to your AWS Management Console.
    2. Go to IAM, and then select Roles from the sidebar.
    3. In the Roles Anywhere section, click Manage.
    4. Click the Create a trust anchor button.
    5. In the Trust anchor name field, enter a name for the trust anchor.
    6. In Certificate authority (CA) source, select the source according to how you created the certificate authority.
      If you have created the certificate authority by using AWS Private Certificate Authority:
      • Select AWS Private Certificate Authority as the Certificate authority (CA) source.
      • In the AWS Private Certificate Authority section, select the certificate authority that you created in step 2.9.
      If you have created the certificate authority by using OpenSSL:
      • Select External certificate bundle as the Certificate authority (CA) source.
      • In the External certificate bundle section, copy and paste the content of the ca.pem file that you generated in step 1.6.
    7. Configure the Notification settings as required.
    8. Click the Create a trust anchor button.
      Note: For more information about creating a trust anchor, see Establish trust in the AWS documentation.
    9. On the Trust anchors section, select the trust anchor that you created.
    10. Copy the ARN value (this is your Trust anchor ARN value), and save it somewhere safe.
  4. To obtain the role ARN value, complete the following steps:
    1. Log in to your AWS Management Console.
    2. Go to IAM, and then select Roles from the sidebar.
    3. Select Create a new role, and then click Next.

      The Select trusted entity page appears.

    4. Select Custom trust policy as the Trusted entity type.
    5. Paste the following JSON policy.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "rolesanywhere.amazonaws.com"
            },
            "Action": [
              "sts:AssumeRole",
              "sts:TagSession",
              "sts:SetSourceIdentity"
            ]
          }
        ]
      }
    6. Click the Next button.

      The Add permissions page appears.

    7. Select the appropriate permissions policies to attach to your new role.
    8. Click the Next button.

      The Name, review, and create page appears.

    9. In the Role name field, enter a name for the role.
    10. In the Description field, enter a description for the role.
    11. Click the Create role button.
    12. On the Roles page, select the role that you created.
    13. Copy the ARN value (this is your Role ARN value), and save it somewhere safe.
  5. To obtain the profile ARN value, complete the following steps:
    1. Log in to your AWS Management Console.
    2. Go to IAM, and then select Roles from the sidebar.
    3. In the Roles Anywhere section, click the Manage button.
    4. Click the Create a profile button.

      The Create a profile page appears.

    5. In the Profile name field, enter a name for your profile.
    6. Click the Add another role button, and then select the role ARN that you created in step 4.
    7. Optional: Add a JSON policy as an Inline policy based on your requirements.
      For example, to grant full S3 access with session tagging, copy and paste the following JSON policy.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": "s3:*",
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "sts:TagSession",
              "sts:SetSourceIdentity"
            ],
            "Resource": "*"
          }
        ]
      }
      For example, to restrict the session policy to a specific bucket, copy and paste the following JSON policy.
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "s3:ListBucket",
              "s3:GetObject"
            ],
            "Resource": [
              "arn:aws:s3:::your-bucket-name",
              "arn:aws:s3:::your-bucket-name/*"
            ]
          }
        ]
      }
    8. Set the Session duration as required.
    9. Click the Create a profile button.
    10. On the Profiles section, select the profile that you created.
    11. Copy the ARN value (this is your Profile ARN value), and save it somewhere safe.
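As an added check that is not part of the original procedure, the following script rebuilds the step 1 CA and client certificate in a temporary directory (it assumes openssl is on the PATH) and verifies, before ca.pem is uploaded as a trust anchor, that leaf.pem chains to ca.pem, carries the extensions the page's leaf.cnf requests (CA:FALSE, digitalSignature, clientAuth), and that leaf.key is the matching private key. The check_leaf function is this example's own helper, not an OpenSSL or AWS command.

```shell
# Added example, not part of the original procedure: rebuilds the step 1 CA and
# client certificate in a scratch directory, then checks leaf.pem against ca.pem and leaf.key.
cd "$(mktemp -d)" || exit 1
# CA and leaf configs from the procedure, subjects shortened to the CN.
cat > openssl.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[ dn ]
CN = MyRolesAnywhereCA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
EOF
cat > leaf.cnf <<'EOF'
[ req ]
distinguished_name = dn
req_extensions = v3_req
prompt = no
[ dn ]
CN = MyAppLeafCert
[ v3_req ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
EOF
# Same commands as steps 1.5, 1.6, 1.10, 1.11 and 1.13 of the procedure.
openssl genrsa -out ca.key 2048 2>/dev/null
openssl req -x509 -new -nodes -key ca.key -sha256 -days 3650 -out ca.pem -config openssl.cnf
openssl genrsa -out leaf.key 2048 2>/dev/null
openssl req -new -key leaf.key -out leaf.csr -config leaf.cnf
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -out leaf.pem \
  -days 365 -sha256 -extfile leaf.cnf -extensions v3_req 2>/dev/null
# check_leaf CERT KEY CA: returns 0 only if the chain, the extensions and the key all check out.
check_leaf() {
  openssl verify -CAfile "$3" "$1" >/dev/null 2>&1 || { echo "chain: FAIL"; return 1; }
  t=$(openssl x509 -in "$1" -noout -text)
  echo "$t" | grep -q 'CA:FALSE' || { echo "basicConstraints: FAIL"; return 1; }
  echo "$t" | grep -q 'Digital Signature' || { echo "keyUsage: FAIL"; return 1; }
  echo "$t" | grep -q 'TLS Web Client Authentication' || { echo "EKU: FAIL"; return 1; }
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ] \
    || { echo "key does not match certificate: FAIL"; return 1; }
  echo "all checks passed: $1"
}
check_leaf leaf.pem leaf.key ca.pem
```

Run the same check_leaf call against the leaf.pem, leaf.key and ca.pem from your own workspace before pasting the values into the connection settings; any FAIL line names the property that does not match the page's configuration.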