Security Token Service (STS) creates temporary security credentials that are valid only for a short time (a few minutes to several hours).
Features
- STS API calls return a credential, which has 3 components:
  - Security Token
  - Access Key ID
  - Secret Access Key
- Applications can use these temporary security credentials to sign calls to AWS service API operations.
APIs
- AssumeRole
- AssumeRoleWithWebIdentity
- AssumeRoleWithSAML
- GetFederationToken
- GetSessionToken
AssumeRoleWithWebIdentity
- The “assume-role-with-web-identity” API returns temporary AWS credentials for users authenticated by a Web Identity Provider.
- Regular Web Applications: call the API directly.
- Mobile Applications: use Cognito (user pools and identity pools).
- It returns:
  - AssumedRoleUser
    - Arn
    - AssumedRoleId
  - Credentials
    - SessionToken
    - AccessKeyId
    - SecretAccessKey
    - Expiration
Session Tags
- When you assume a role in STS, you can pass a tag (a session tag) along with the request.
- The tag is then available in policies through the “aws:PrincipalTag” condition key, which is used to control access.
For example, the following policy statement allows S3 access only when the principal's session carries the specified tag, e.g. a role assumed via “sts:AssumeRole” with the session tag “Department=hr”:
{
  "Effect": "Allow",
  "Action": "s3:GetObject",
  "Resource": "arn:aws:s3:::hr-files/*",
  "Condition": {
    "StringEquals": {
      "aws:PrincipalTag/Department": "hr"
    }
  }
}
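The following is an added example, not part of the original notes and not AWS code: a small offline simulator that shows how a session tag passed at AssumeRole time becomes an aws:PrincipalTag condition key when the policy statement above is evaluated. The functions simulate_assume_role, evaluate_statement and is_expired are hypothetical helpers for illustration; no call to STS is made, the AssumeRole-style response (key ids, tokens, the role ARN 123456789012/HrReader) is constructed locally in the shape STS returns, and only the Action/Resource wildcard matching and the StringEquals operator on aws:PrincipalTag/<Key> are modelled. In real code the equivalent call is boto3's sts.assume_role(RoleArn=..., RoleSessionName=..., Tags=[{"Key": "Department", "Value": "hr"}]).

```python
from datetime import datetime, timedelta, timezone
from fnmatch import fnmatchcase
import secrets

# The policy statement from the notes, as a Python dict.
HR_FILES_STATEMENT = {
    "Effect": "Allow",
    "Action": "s3:GetObject",
    "Resource": "arn:aws:s3:::hr-files/*",
    "Condition": {
        "StringEquals": {
            "aws:PrincipalTag/Department": "hr"
        }
    },
}


def _assumed_role_arn(role_arn, session_name):
    """arn:partition:iam::account:role/Name -> arn:partition:sts::account:assumed-role/Name/session"""
    _, partition, _, _, account, resource = role_arn.split(":", 5)
    role_name = resource.split("/")[-1]
    return f"arn:{partition}:sts::{account}:assumed-role/{role_name}/{session_name}"


def simulate_assume_role(role_arn, session_name, tags=None, duration_seconds=3600):
    """Build a constructed AssumeRole-style response (hypothetical helper; no STS call).

    The shape mirrors what STS returns: Credentials with the three components
    (AccessKeyId, SecretAccessKey, SessionToken) plus an Expiration, and an
    AssumedRoleUser block. The session tags are kept with the session so the
    evaluator below can read them as aws:PrincipalTag/<Key>.
    """
    now = datetime.now(timezone.utc)
    return {
        "Credentials": {
            "AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # constructed, not a real key id
            "SecretAccessKey": secrets.token_urlsafe(30),          # constructed
            "SessionToken": secrets.token_urlsafe(60),             # constructed
            "Expiration": now + timedelta(seconds=duration_seconds),
        },
        "AssumedRoleUser": {
            "Arn": _assumed_role_arn(role_arn, session_name),
            "AssumedRoleId": f"AROAEXAMPLEID:{session_name}",  # constructed id
        },
        # Not part of the STS response body; models the principal tags attached to the session.
        "PrincipalTags": dict(tags or {}),
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def evaluate_statement(statement, action, resource, session):
    """Return True if this Allow statement matches the request made by the session.

    Action and Resource use IAM-style '*' / '?' wildcards (fnmatchcase keeps case).
    Only the StringEquals operator on aws:PrincipalTag/<Key> is modelled; a tag that
    is missing from the session makes the condition false, so the request is denied.
    """
    if statement.get("Effect") != "Allow":
        return False
    if not any(fnmatchcase(action, p) for p in _as_list(statement["Action"])):
        return False
    if not any(fnmatchcase(resource, p) for p in _as_list(statement["Resource"])):
        return False
    tags = session.get("PrincipalTags", {})
    for key, expected in statement.get("Condition", {}).get("StringEquals", {}).items():
        if not key.startswith("aws:PrincipalTag/"):
            raise NotImplementedError(f"condition key {key} is not modelled here")
        actual = tags.get(key[len("aws:PrincipalTag/"):])
        if actual is None or actual not in _as_list(expected):
            return False
    return True


def is_expired(session, now=None):
    """Temporary credentials stop working at Expiration; callers must re-assume the role."""
    now = now or datetime.now(timezone.utc)
    return now >= session["Credentials"]["Expiration"]


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/HrReader"  # constructed role ARN
    hr = simulate_assume_role(role, "alice", tags={"Department": "hr"})
    eng = simulate_assume_role(role, "bob", tags={"Department": "engineering"})
    obj = "arn:aws:s3:::hr-files/payroll.csv"
    print(evaluate_statement(HR_FILES_STATEMENT, "s3:GetObject", obj, hr))   # True
    print(evaluate_statement(HR_FILES_STATEMENT, "s3:GetObject", obj, eng))  # False
```

The evaluator deliberately treats an absent tag as a failed StringEquals check, which matches how IAM condition keys behave when the key is not present in the request context: the Allow simply does not apply, so the default deny stands.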
Benefits
- There is no need to pass or save credentials in an application or an instance.
Use Cases
- Identity Federation (SAML – Security Assertion Markup Language, Web Identity Federation)
- Roles for Cross Account Access
- Roles for EC2 instances
