AWS IAM Roles Anywhere Deep Dive

DEV Community: authentication·kt·3 days ago
#dev #certificate #roles #anywhere #trust #role

Introduction

"I want to drop a file from an on-prem server into S3."
"I want to read DynamoDB from a Kubernetes pod sitting in my datacenter."
"I want to pull a secret from AWS Secrets Manager from an app in someone else's cloud."

Do this the naive way and you end up here:

- Create an IAM user.
- Issue an access key (the AKIA... kind).
- Paste it into ~/.aws/credentials, environment variables, or some on-prem secrets manager.
- Use it forever.

This is where a large share of AWS credential compromises start today. Long-lived access keys leak and stay leaked, rotation gets forgotten, and there is no record of who copied them where or when.

AWS IAM Roles Anywhere is the mechanism that hands temporary IAM role credentials to workloads outside AWS without distributing any long-lived key. In place of an access key, the workload holds an X.509 certificate issued by a CA that you register with AWS as a trust anchor; it uses the certificate's private key to sign a request to Roles Anywhere, which answers with short-lived credentials for the role. The only secret that stays on the host is the private key, and it never travels to AWS. This article goes deep on Roles Anywhere.

1. Vocabulary you need first

Roles Anywhere sits on top of two things: IAM roles and PKI (the certificate world). If either is fuzzy you will get lost fast.…
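To make the contrast concrete, here is an added example (not code from the article or from AWS): it audits the two AWS profile files for the "paste an AKIA key and use it forever" pattern and emits the replacement profile that fetches credentials through Roles Anywhere on demand. It assumes the AWS-provided credential helper binary `aws_signing_helper` (from the rolesanywhere-credential-helper project) is on PATH and that a trust anchor and a Roles Anywhere profile already exist in the account; every ARN, path, profile name and the sample file contents are constructed placeholders.

```python
"""Audit AWS profile files for static keys and build the Roles Anywhere replacement.

Added example, not code from the original article. It assumes the AWS-provided
credential helper binary `aws_signing_helper` (rolesanywhere-credential-helper)
is on PATH and that a trust anchor and a Roles Anywhere profile already exist in
the account; every ARN, path and profile name below is a placeholder.
"""
import configparser
import re

# IAM access key ids: AKIA = long-lived IAM user key, ASIA = temporary STS key.
ACCESS_KEY_ID = re.compile(r"^(AKIA|ASIA)[0-9A-Z]{16}$")


def roles_anywhere_stanza(name, cert, key, trust_anchor_arn, profile_arn, role_arn,
                          region="us-east-1"):
    """Corrected ~/.aws/config profile: no static key on disk. The CLI/SDK runs the
    credential_process, which signs a Roles Anywhere CreateSession request with the
    certificate's private key and prints short-lived role credentials as JSON."""
    cmd = ("aws_signing_helper credential-process"
           f" --certificate {cert} --private-key {key}"
           f" --trust-anchor-arn {trust_anchor_arn}"
           f" --profile-arn {profile_arn} --role-arn {role_arn}")
    return f"[profile {name}]\nregion = {region}\ncredential_process = {cmd}\n"


# Constructed sample of ~/.aws/credentials: the naive pattern from the introduction.
# The AKIA pair is the placeholder pair used in AWS documentation, not a live key.
CREDENTIALS_FILE = """\
[onprem-uploader]
aws_access_key_id = AKIAIOSFODNN7EXAMPLE
aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY

[pasted-sts]
aws_access_key_id = ASIAEXAMPLEEXAMPLE00
aws_secret_access_key = placeholder
aws_session_token = placeholder
"""

# Constructed sample of ~/.aws/config: the same workload moved to Roles Anywhere.
CONFIG_FILE = roles_anywhere_stanza(
    "onprem-uploader-ra", "/etc/pki/app.crt", "/etc/pki/app.key",
    "arn:aws:rolesanywhere:us-east-1:123456789012:trust-anchor/00000000-0000-0000-0000-000000000000",
    "arn:aws:rolesanywhere:us-east-1:123456789012:profile/00000000-0000-0000-0000-000000000000",
    "arn:aws:iam::123456789012:role/OnPremUploader",
)


def load_profiles(credentials_text, config_text):
    """Merge both files into {profile: {option: value}}. ~/.aws/config prefixes
    section names with 'profile ', ~/.aws/credentials does not; normalise that."""
    profiles = {}
    for text in (credentials_text, config_text):
        cp = configparser.ConfigParser(interpolation=None)  # secrets may contain '%'
        cp.read_string(text)
        for section in cp.sections():
            name = section[len("profile "):] if section.startswith("profile ") else section
            profiles.setdefault(name, {}).update(dict(cp[section]))
    return profiles


def classify(profile):
    """Label one profile by how it obtains credentials."""
    key_id = profile.get("aws_access_key_id", "")
    if key_id:
        if not ACCESS_KEY_ID.match(key_id):
            return "malformed-key"
        # ASIA keys expire on their own; AKIA keys are the 'use it forever' case.
        return "temporary-key" if key_id.startswith("ASIA") else "long-lived-key"
    proc = profile.get("credential_process", "")
    if "aws_signing_helper credential-process" in proc:
        return "roles-anywhere"
    if proc:
        return "credential-process"
    if "role_arn" in profile and "source_profile" in profile:
        return "assume-role"
    if "sso_start_url" in profile or "sso_session" in profile:
        return "sso"
    return "unknown"


def audit(credentials_text, config_text):
    """{profile name: classification} across both files."""
    return {name: classify(p) for name, p in load_profiles(credentials_text, config_text).items()}


def long_lived_profiles(credentials_text, config_text):
    """Profiles that still carry an AKIA key: the ones to migrate or rotate first."""
    return sorted(n for n, c in audit(credentials_text, config_text).items()
                  if c == "long-lived-key")


if __name__ == "__main__":
    for name, kind in audit(CREDENTIALS_FILE, CONFIG_FILE).items():
        print(f"{name:22} {kind}")
    print("migrate first:", long_lived_profiles(CREDENTIALS_FILE, CONFIG_FILE))
```

Run against your real ~/.aws/credentials and ~/.aws/config (or a fleet's copies) to get a migration list. After the switch, the private key named in the profile is the only secret left on the box, so lock its file mode down and, where the helper release you deploy supports it, prefer a key held in a TPM or PKCS#11 token over a PEM file so it cannot simply be copied off the host.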
