Integrating AWS Roles Anywhere with Let's Encrypt

AWS recently came out with a new feature called "Roles Anywhere". In order for it to work, you need to establish trust between your account and a Certificate Authority. AWS instructions are specific to AWS' ACM PCA, which costs $400/month, which is a little too steep just to avoid long-term credentials on the on-prem server.
Is it possible to integrate this feature with Let's Encrypt? AWS docs say "follow the instructions provided by the CA"... which is not very helpful. Can anybody here provide more helpful instructions? My understanding is that I need to create a certificate bundle that will include my public key as well. Then AWS will verify my request that includes the private key against this bundle. So, I tried to take the R3 bundle and then just append my public key... but it didn't work.
Maybe somebody smarter than me can come up with a tutorial on the topic. Once you know it, it should be quite straightforward...

1 Like

I believe that the CA bundle you need is this one:

cabundle.pem (3.7 KB)

which consists of the following:

  1. R3 (signed by ISRG Root X1)
  2. ISRG Root X1 (self-signed)

You should be able to use that CA bundle as-is and should not need to include anything else.

Warning!

Please read @rmbolger's response directly below to understand some of the risks of using this approach.

6 Likes

Please be careful testing this with Let's Encrypt (or any public CA). The doc you linked to demonstrates creating a policy that seems to allow any certificate issued by your trusted CA access to your account. The only way to prevent this appears to be to use an optional "Condition" section in the policy that can limit the certs by things like x509 fields in the cert, such as the CN.

It doesn't seem like AWS intended this feature to be used with certs from a public CA even though it could theoretically work.

11 Likes
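To make the warning above concrete, here is what a scoped-down Roles Anywhere trust policy looks like. This is an added example, not something posted in the thread or taken from AWS' documentation verbatim. Roles Anywhere maps fields of the presented end-entity certificate into session tags, so the CN can be pinned with the `aws:PrincipalTag/x509Subject/CN` condition key, and the trust anchor and profile that are allowed to mint sessions can be pinned with `aws:SourceArn`. The hostname `onprem-server.example.com`, the account ID, and the trust anchor and profile IDs are placeholders and would be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "rolesanywhere.amazonaws.com"
      },
      "Action": [
        "sts:AssumeRole",
        "sts:TagSession",
        "sts:SetSourceIdentity"
      ],
      "Condition": {
        "StringEquals": {
          "aws:PrincipalTag/x509Subject/CN": "onprem-server.example.com"
        },
        "ArnEquals": {
          "aws:SourceArn": [
            "arn:aws:rolesanywhere:us-east-1:111122223333:trust-anchor/00000000-0000-0000-0000-000000000000",
            "arn:aws:rolesanywhere:us-east-1:111122223333:profile/11111111-1111-1111-1111-111111111111"
          ]
        }
      }
    }
  ]
}
```

Without the `Condition` block, the trust anchor built from the R3 + ISRG Root X1 bundle would accept any certificate Let's Encrypt has ever issued to anyone, which is the risk described above. With a public CA the CN is only as strong as domain control of that name, so the `StringEquals` on the CN should be a name you alone can obtain certificates for, and the `aws:SourceArn` list prevents a trust anchor or profile created elsewhere in the account from being used to assume the role.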