AWS Roles Anywhere on Raspberry Pi — aws_signing_helper builds
We are publishing automated builds of Amazon’s aws_signing_helper for Raspberry Pi (both armhf and arm64). The helper is part of the IAM Roles Anywhere toolchain that lets on‑prem and edge devices obtain temporary AWS credentials using X.509 certificates instead of storing static credentials on disk.
Our repository: github.com/Enlapser/aws-signing-helper-rpi-builds
Why Roles Anywhere?
IAM Roles Anywhere allows devices outside AWS to assume IAM roles using a certificate‑based trust model. Compared to placing API keys on a machine, Roles Anywhere:
- Reduces secret sprawl: No long‑lived AWS keys on disk.
- Improves security posture: Short‑lived credentials are issued via CreateSession.
- Auditable and revocable: Trust is anchored to your CA; you can revoke certs or disable profiles.
- Principle of least privilege: Map devices to roles with scoped policies.
See the upstream project for details and usage examples: aws/rolesanywhere-credential-helper.
Our use cases
We run two internal stations on Raspberry Pi that benefit from Roles Anywhere:
- SD‑card provisioning station at the factory — writes firmware/configs and securely pulls environment‑specific materials.
- HDD picture archive delivery station — packages and delivers large timelapse archives while authenticating to our backend services.
In both setups, replacing machine‑stored AWS credentials with short‑lived, certificate‑backed sessions improves resilience and simplifies rotation.
The gap on Raspberry Pi
We couldn’t find maintained aws_signing_helper binaries for Raspberry Pi. Documentation and community guides generally recommend building from source. That’s fine for one‑offs, but we wanted a repeatable, discoverable solution that keeps up with new upstream releases.
What our repo does
- Tracks upstream releases of aws/rolesanywhere-credential-helper.
- Builds aws_signing_helper for armhf and arm64 Raspberry Pi targets.
- Publishes GitHub Releases with checksums for easy consumption.
- Keeps it simple: no forks or modifications to the helper, just reproducible builds.
Build flow and versioning
A scheduled job checks for new upstream releases daily. When a new tag appears, we build fresh armhf and arm64 binaries and publish them as GitHub Releases using the same version as the upstream tag/release, along with checksums.
We do not modify the helper — builds are from upstream source as‑is.
Testing
We test new builds sporadically when provisioning internal tools that use Roles Anywhere (our factory SD‑card provisioning station and HDD picture archive delivery station). There is no comprehensive test matrix. If you run into issues, please open an issue on the builds repository.
Quick start
- Download the latest release for your Pi architecture from our repo’s Releases page.
- Mark it executable and place it on your PATH.
- Follow AWS’s setup to create a trust anchor, profile, and role; then use the helper via credential-process or serve.
Refer to the upstream README for commands, including credential-process, update, and serve, and PKCS#11/TPM and PKCS#8 private‑key notes.
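The Quick start steps with the published checksum checked before the binary goes on PATH, as an added example that is not from the builds repository or from AWS. It assumes the release checksum file is in sha256sum format, and every file name, path and ARN is a caller-supplied placeholder; the credential-process flags are the ones documented in the upstream README.

```bash
#!/usr/bin/env bash
# Added example, not from the builds repo. Assumptions: the release checksum
# file is in sha256sum format ("<hex>  <filename>"); every file name, path
# and ARN passed to these functions is a placeholder chosen by the caller.

# Map a `uname -m` value to the build architectures named on this page.
pi_arch() {
  case "${1:-$(uname -m)}" in
    aarch64|arm64) echo arm64 ;;
    armv7l|armhf)  echo armhf ;;
    *) echo "unsupported architecture" >&2; return 1 ;;
  esac
}

# verify_and_install <binary> <checksum-file> <dest-dir>
# Installs <dest-dir>/aws_signing_helper only if the binary's SHA-256 matches
# the checksum-file entry for its file name; otherwise nothing is written.
verify_and_install() {
  local bin="$1" sums="$2" dest="$3" name expected actual
  name=$(basename "$bin")
  # Exact match on the file-name field ("*name" is sha256sum's binary mode).
  expected=$(awk -v n="$name" '$2 == n || $2 == ("*" n) { print tolower($1); exit }' "$sums")
  if [ -z "$expected" ]; then
    echo "no checksum entry for $name" >&2
    return 1
  fi
  actual=$(sha256sum "$bin" | awk '{ print $1 }')
  if [ "$actual" != "$expected" ]; then
    echo "checksum mismatch for $name, refusing to install" >&2
    return 1
  fi
  install -m 0755 "$bin" "$dest/aws_signing_helper"
}

# aws_profile_stanza <profile> <helper> <cert> <key> <trust-anchor-arn> <profile-arn> <role-arn>
# Prints an ~/.aws/config profile that obtains credentials via credential-process.
aws_profile_stanza() {
  printf '[profile %s]\n' "$1"
  printf 'credential_process = %s credential-process' "$2"
  printf ' --certificate %s --private-key %s' "$3" "$4"
  printf ' --trust-anchor-arn %s --profile-arn %s --role-arn %s\n' "$5" "$6" "$7"
}
```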
Credits
All credit for aws_signing_helper goes to AWS. We simply provide convenient Raspberry Pi builds and automated release plumbing.
• Upstream: aws/rolesanywhere-credential-helper
• RPi builds: Enlapser/aws-signing-helper-rpi-builds