This blog post is the 2nd in the AWS Certified Solutions Architect series. It is in line with my efforts to crack the AWS Certified Solutions Architect Professional Exam.
What is AWS STS?
AWS Security Token Service (STS) is a web service that provides temporary security credentials that enable you to access AWS resources. STS provides an alternative to long-term access keys by enabling you to request temporary, limited-privilege credentials for accessing AWS resources.
Temporary credentials provided by STS are valid for a specified duration, after which they expire. This provides an additional layer of security and helps to reduce the risk of credentials being compromised.
AWS STS API Explanation
Here are some examples of how AWS STS can be used:
AssumeRole: AssumeRole is an STS API that enables you to obtain temporary security credentials for accessing AWS resources. You can use AssumeRole to delegate permissions to users, applications, or services that are not otherwise authorized to access your AWS resources. For example, suppose you have an EC2 instance that needs to access S3 buckets in another account. You can use AssumeRole to obtain temporary security credentials with permissions to access the S3 buckets in the other account, and then use those credentials to access the S3 buckets.
GetFederationToken: GetFederationToken is an STS API that enables you to obtain temporary security credentials for federated users. Federated users are users who are not directly managed by AWS IAM but are authenticated by an external identity provider (IdP). For example, suppose you have a mobile application that authenticates users through a social media platform. You can use GetFederationToken to obtain temporary security credentials for the authenticated users, and then use those credentials to access AWS resources.
AssumeRoleWithSAML: AssumeRoleWithSAML is an STS API that enables you to obtain temporary security credentials for federated users authenticated by a SAML (Security Assertion Markup Language) identity provider. For example, suppose you have a web application that uses SAML to authenticate users through a corporate identity provider. You can use AssumeRoleWithSAML to obtain temporary security credentials for the authenticated users, and then use those credentials to access AWS resources.
AssumeRoleWithWebIdentity: AssumeRoleWithWebIdentity is an STS API that enables you to obtain temporary security credentials for web identity federation. Web identity federation enables users to authenticate with a web identity provider, such as Amazon, Google, or Facebook, and obtain temporary security credentials to access AWS resources. For example, suppose you have a web application that uses Amazon as the identity provider. You can use AssumeRoleWithWebIdentity to obtain temporary security credentials for the authenticated users, and then use those credentials to access AWS resources.
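As an added example (not code from the original post), here is the cross-account AssumeRole flow described above in Python with boto3: the role ARN, bucket name and external ID are constructed placeholders, and the inline session policy, ExternalId and short DurationSeconds are the settings that keep the temporary credentials least-privilege and short-lived.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed placeholders; replace with the real role ARN, bucket and external ID.
ROLE_ARN = "arn:aws:iam::111122223333:role/ExampleCrossAccountS3Reader"
BUCKET = "example-target-bucket"
EXTERNAL_ID = "example-external-id"


def session_policy(bucket):
    """Inline session policy scoping the session to read-only access on one bucket.
    Effective permissions are the intersection with the role's own policies."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}"},
        {"Effect": "Allow", "Action": "s3:GetObject",
         "Resource": f"arn:aws:s3:::{bucket}/*"},
    ]}


def assume_role_params(role_arn, session_name, bucket, external_id, duration=900):
    """Parameters for sts.assume_role(). ExternalId guards against the confused
    deputy problem; a short DurationSeconds limits how long a leaked session lives."""
    if not 900 <= duration <= 43200:
        raise ValueError("DurationSeconds must be between 900 and 43200")
    return {"RoleArn": role_arn,
            "RoleSessionName": session_name,  # recorded in CloudTrail for attribution
            "ExternalId": external_id,
            "DurationSeconds": duration,
            "Policy": json.dumps(session_policy(bucket))}


def temporary_credentials(sts_client, **params):
    """Call AssumeRole and return the credential triple plus its expiry."""
    c = sts_client.assume_role(**params)["Credentials"]
    return {"aws_access_key_id": c["AccessKeyId"],
            "aws_secret_access_key": c["SecretAccessKey"],
            "aws_session_token": c["SessionToken"],
            "expiration": c["Expiration"]}


def needs_refresh(creds, now=None, skew=timedelta(minutes=5)):
    """True when the session has expired or is about to; call AssumeRole again
    instead of reusing the old credentials."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - now <= skew


if __name__ == "__main__":
    import boto3  # only needed for the live call against AWS
    params = assume_role_params(ROLE_ARN, "ec2-s3-reader", BUCKET, EXTERNAL_ID)
    creds = temporary_credentials(boto3.client("sts"), **params)
    s3 = boto3.client("s3", **{k: v for k, v in creds.items() if k != "expiration"})
    print(s3.list_objects_v2(Bucket=BUCKET).get("KeyCount", 0))
```

On a real EC2 instance the instance profile supplies the caller's identity, so boto3.client("sts") needs no explicit keys; the role's trust policy in the other account must name that instance role as a principal and require the same ExternalId.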
Conclusion
AWS Security Token Service (STS) provides temporary security credentials that enable you to access AWS resources. With STS, you can delegate permissions to users, applications, or services that are not authorized to access your AWS resources, and reduce the risk of credentials being compromised. STS provides several APIs, including AssumeRole, GetFederationToken, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity, which can be used to obtain temporary security credentials for different use cases.
For more info please check the full documentation here: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html