Assume IAM role by non AWS machine and authenticate with Conjur

Hi, I am trying to create a code sample to achieve this concept for some of our developers that want to use conjur authn-iam authentication.
Basically we would like a non-aws machine possibly on-prem to assume a aws role and authenticate with conjur for retrieving secrets.
Here are the steps I am envisioning to go about it, please correct me

  • using okta to auth to aws account
  • select the role and generate aws keyset (access key, secret key , token)
  • pass those into conjur-iam-client (get conjur iam api key)
  • create conjur client (from conjur-iam-client as well)
  • retrieve secrets

can someone please suggest or point me at a sample that may exist out there

Vamsi Maddirala

Hi Vamsi,

Will this be using IAM Roles or IAM Users. I am not familiar with fetching IAM Roles from a non-aws machine.

If you are able to to retrieve the access key, secret key & token I could make some modifications to the conjur-iam-api-key github to support this flow.

I would be happy to work with you in creating this solution.


Hi Andrew,

Thanks for the reply, you are correct, I am able to retrieve the access key, secret key and the token by assuming an aws IAM role using my AD credentials as shown in the image below.


I tried to get conjur-iam-api-key (using your library) but unable to do so, because I believe I am not able to generate a

  • Signature key

  • Canonical request

  • Conjur-iam-api-key

As sts or is not accessible via my work station. Please let me know your availability and I will be glad to work with you on this.

Thanks for the offer to help.


Hi Andrew, please let me know if you had a chance to look into this. Thanks!

Hi Vamsi,

I have made modification to the code that can be found here:

Make sure to get the latest code and follow the procedure for installation.
Once you have done this please take a look at this section:

This goes over how to use authn-iam within lambda but it should apply to on-prem deployments also. As long as you can obtain the iam-role-name, access-key, secret-key and security-token. It should authenticate successfully.

Let me know if you have any other questions.


1 Like

Thanks Andrew! Let me give that a shot, this is great turnaround.


Hi Andrew, FYI, I am getting a 401 when i tried from an on-prem because the session_token (conjur_client) returned is empty, i got past getting the signature though.
Here is the error info:
requests.exceptions.HTTPError: 401 Client Error: Unauthorized for url: https://write.secrets.tsi.lan/authn/prod/host%2F029298672891%2FHydraDatamartTaskHost/authenticate
I am authenticating to aws to get access_key, secret_key, token using my windows account, I have an internal meet with cloud team to ensure assuming the role part works in the meantime.
The code works from within EC2 as expected. Thanks
-Vamsi Maddirala

Could you provide the code you are using on-prem. Are you passing in the access, secret and token from the assumed role?


Turns out the key set i am passing are for the account not for the host ec2 instance role. I am trying to figure out what’s called boto3 to generate instance keyset.

Tried the boto3 and it is working now, basically a couple of hoops to jump to get ec2 keyset generated.
Thanks Andrew!

Awesome, great to hear. Do you mind providing the code you are using with boto3? I am interested in how you implemented and might make a more formal post going over how to use IAM authn from on-prem.


No problem at all. Here are the steps to get this going somewhat unstructured still but its working.

  • run okta-aws (internal aws cli based tool to assume role of an account)

  • choose account option to generate a key set for the account

  • make the account# trusted entity under ec2 assume role policy (via aws console)

  • use boto (custom python code) to assume role of an EC2 instance and generate keyset

  • use the keyset to auth with conjur

1. Here is my sample using boto3.

import boto3
def get_instance_keyset(arn):
    sts_session = boto3.Session(profile_name='saml')
    sts_client = sts_session.client('sts')
        RoleArn="%s" %arn,

    return aws_access_key_id, aws_secret_access_key, aws_session_token

if __name__ == "__main__":

2. Here are a few tweaks I had to make to the conjur_iam_client.

def get_iam_role_name():
    r = requests.get(AWS_METADATA_URL)
    return '<Host>'
def create_conjur_iam_api_key(iam_role_name=None, access_key=None, secret_key=None, token=None):
    # if iam_role_name is None:
    # iam_role_name = get_iam_role_name()
    # if access_key is None and secret_key is None and token is None:
    #     access_key, secret_key, token = get_iam_role_metadata(iam_role_name)
    keyset = boto.get_instance_keyset(arn)
    access_key = keyset[0]
    secret_key = keyset[1]
    token = keyset[2]
    region = get_aws_region()
    iam_role_name = <Host>

    if access_key is None or secret_key is None:
        print('No access key is available.')

    # Create a date for headers and the credential string
    t = datetime.datetime.utcnow()
.... there is more in this def....

Calling client methods to print client list.
get_conjur_iam_session_token(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_client = create_conjur_iam_client(os.environ['CONJUR_APPLIANCE_URL'], os.environ['CONJUR_ACCOUNT'], os.environ['AUTHN_IAM_SERVICE_ID'], os.environ['CONJUR_AUTHN_LOGIN'], os.environ['CONJUR_CERT_FILE'])
conjur_list = conjur_client.list()

This topic was automatically closed 7 days after the last reply. New replies are no longer allowed.