AWS Security Token Service(STS)

AWS STS

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for IAM users or federated users.

Benefits

Use Cases

Let's see this in action.

Step 1

Go to AWS Console → Security, Identity, & Compliance → IAM → Users → Add user and create a user with programmatic access:
* User name: give it a meaningful name
* Access type: give this user Programmatic access only

Step 2

Step 3

Go to the role we have just created and click on the second tab, Trust relationships. The trust policy lists the user as the principal that is allowed to call sts:AssumeRole on this role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:user/myteststsuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

Step 4

Add an inline policy to the user we have created, so that the user side also permits the AssumeRole call:

Service: STS
Action: AssumeRole
Resource: ARN of the role we created earlier

Step 5

Testing

$ aws configure --profile ststestprofile
AWS Access Key ID [None]: XXXXXXXX
AWS Secret Access Key [None]: XXXXXX
Default region name [None]: us-west-2
Default output format [None]: json

Also, export this profile for the time being so the CLI uses the new user's keys:

$ export AWS_PROFILE=ststestprofile

As we have allowed the user to assume the role, let's generate the temporary credentials and session token by running the command below:

$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"
{
  "AssumedRoleUser": {
    "AssumedRoleId": "XXXXXXX:mytestsession",
    "Arn": "arn:aws:sts::XXXXXXX:assumed-role/sts-s3-read-only/mytestsession"
  },
  "Credentials": {
    "SecretAccessKey": "XXXXXXX",
    "SessionToken": "XXXXXXX",
    "Expiration": "2018-12-18T06:47:21Z",
    "AccessKeyId": "XXXXXXXXX"
  }
}

and then export the returned credentials. Environment variables take precedence over the AWS_PROFILE we set earlier, so from here on the CLI acts as the assumed role until the Expiration time (AWS_SESSION_TOKEN is the documented name for the token variable; the CLI also accepts the older AWS_SECURITY_TOKEN used below):

export AWS_ACCESS_KEY_ID="XXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXX"
export AWS_SECURITY_TOKEN="XXXXXXX"

Try to access the S3 bucket with the temporary credentials:

$ aws s3 ls
2018-12-13 20:53:05 mytestXXXXX

OR

$ aws s3 cp bucketest s3://mytestXXXXXX
upload failed: ./bucketest to s3://mytestXXXXXX/bucketest An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

Listing works but the upload is denied: the temporary credentials carry only the permissions of the assumed role (sts-s3-read-only), not those of the user that assumed it.
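As an added example (not part of the original post), the two pieces of this walkthrough that are easy to get wrong, checked in code: whether a trust policy like the one in Step 3 actually lets a given principal call sts:AssumeRole, and turning the Credentials block from Step 5 into export lines while refusing credentials whose Expiration has already passed. The account id, key values and timestamps are constructed placeholders.

```python
import json
from datetime import datetime, timezone

# Constructed sample: the Step 3 trust policy with a placeholder account id.
TRUST_POLICY = json.loads("""{"Version": "2012-10-17", "Statement": [{
  "Effect": "Allow",
  "Principal": {"AWS": "arn:aws:iam::111111111111:user/myteststsuser"},
  "Action": "sts:AssumeRole", "Condition": {}}]}""")

# Constructed sample shaped like the Credentials block of `aws sts assume-role`.
ASSUME_ROLE_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRET",
    "SessionToken": "EXAMPLESESSIONTOKEN",
    "Expiration": "2018-12-18T06:47:21Z",
}}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def trust_policy_allows(policy, principal_arn):
    """Allow if a statement grants sts:AssumeRole to principal_arn and no matching Deny exists (Deny wins)."""
    allowed = False
    for stmt in policy.get("Statement", []):
        actions = set(_as_list(stmt.get("Action", [])))
        principal = stmt.get("Principal", {})  # "*" or {"AWS": ...}; only AWS principals are checked
        arns = _as_list(principal if isinstance(principal, str) else principal.get("AWS", []))
        if not actions & {"sts:AssumeRole", "sts:*", "*"}:
            continue  # statement is about some other action
        if principal_arn not in arns and "*" not in arns:
            continue  # statement does not name this principal
        if stmt.get("Effect") == "Deny":
            return False
        allowed = allowed or stmt.get("Effect") == "Allow"
    return allowed

def _utc(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def export_lines(response, now_iso):
    """Render the Step 5 export lines; raise if the credentials are already past Expiration."""
    creds = response["Credentials"]
    if _utc(creds["Expiration"]) <= _utc(now_iso):
        raise ValueError("temporary credentials expired; run assume-role again")
    return [
        f'export AWS_ACCESS_KEY_ID="{creds["AccessKeyId"]}"',
        f'export AWS_SECRET_ACCESS_KEY="{creds["SecretAccessKey"]}"',
        f'export AWS_SESSION_TOKEN="{creds["SessionToken"]}"',  # documented name; CLI also reads AWS_SECURITY_TOKEN
    ]
```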


DevOps/Cloud | 2x AWS Certified | Terraform | Gitlab
