AWS Security Token Service (STS)

AWS STS

AWS Security Token Service (STS) is a web service that lets you request temporary, limited-privilege credentials for IAM users or federated users.

Benefits

  • No need to embed long-term access keys in application code: the temporary credentials expire on their own, so there is nothing permanent to leak or rotate.
  • The credentials are short-lived. The figures often quoted (default expiration 12 hours, minimum 15 minutes, maximum 36 hours) apply to GetSessionToken; for AssumeRole, which is what this post uses, the default is 1 hour, the minimum is 15 minutes, and the ceiling is the role's maximum session duration (1 to 12 hours).

Use Cases

  • Identity federation (enterprise identity federation [Active Directory/ADFS] or web identity federation [Google, Facebook])
  • Cross-account access (for organizations with multiple AWS accounts)
  • Applications on Amazon EC2 instances

Let's see this in action

Step 1

  • Create an IAM user
Go to AWS Console → Security, Identity, & Compliance → IAM → Users → Add user and create a user with programmatic access:
* User name: give it a meaningful name (the rest of this post uses myteststsuser)
* Access type: Programmatic access only, no console password
  • In the next step do not add the user to any group and do not attach any existing policy: this user should hold no permissions of its own
  • Keep everything else at the defaults, review and create the user. Save the access key ID and secret access key; the secret is shown only once.

Step 2

  • Create a role
  • Choose Another AWS account as the trusted entity and enter your own account ID (the user and the role live in the same account in this example)
  • Attach a policy (AmazonS3ReadOnlyAccess)
  • Review and create the role (the rest of this post uses the name sts-s3-read-only)

Step 3

  • Update the trust relationship

Go to the role we just created and click the second tab, Trust relationships. After the change it should look like this:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:user/myteststsuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}
  • As created, the Principal is arn:aws:iam::XXXXXX:root. Despite the name, that trusts the whole account: any IAM user or role in the account that has sts:AssumeRole permission on this role can assume it, not only the root user.
  • Replace it with the ARN of the user (myteststsuser) we just created, as shown above, so that only this one user is trusted.

Step 4

Add an inline policy to the user we created:

Service: STS
Action: AssumeRole
Resource: ARN of the role we created earlier
  • This grants the user permission to call sts:AssumeRole on that one role and nothing else. Both halves are required: the role's trust policy must name the user, and the user's own policy must allow the call.

Step 5

Testing

Configure a profile with the access key of myteststsuser:

$ aws configure --profile ststestprofile
AWS Access Key ID [None]: XXXXXXXX
AWS Secret Access Key [None]: XXXXXX
Default region name [None]: us-west-2
Default output format [None]: json

Also export this profile for the time being:

$ export AWS_PROFILE=ststestprofile

Since the user is allowed to assume the role, generate the temporary credentials and session token with the following command:

$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"
{
    "AssumedRoleUser": {
        "AssumedRoleId": "XXXXXXX:mytestsession",
        "Arn": "arn:aws:sts::XXXXXXX:assumed-role/sts-s3-read-only/mytestsession"
    },
    "Credentials": {
        "SecretAccessKey": "XXXXXXX",
        "SessionToken": "XXXXXXX",
        "Expiration": "2018-12-18T06:47:21Z",
        "AccessKeyId": "XXXXXXXXX"
    }
}

Then export the three values. Credentials in the environment take precedence over the profile named in AWS_PROFILE, so every command from here on runs as the assumed role until the Expiration time above:

export AWS_ACCESS_KEY_ID="XXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXX"
export AWS_SESSION_TOKEN="XXXXXXX"

(The CLI also still accepts the older variable name AWS_SECURITY_TOKEN for the session token, but AWS_SESSION_TOKEN is the documented one.)

Try to access S3. Listing works, because the role carries AmazonS3ReadOnlyAccess (run the same command before exporting the temporary credentials and it is denied, since myteststsuser has no S3 permissions of its own):

$ aws s3 ls
2018-12-13 20:53:05 mytestXXXXX

Writing, however, is denied, because nothing in the role allows s3:PutObject:

$ aws s3 cp bucketest s3://mytestXXXXXX
upload failed: ./bucketest to s3://mytestXXXXXX/bucketest An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
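The whole procedure (steps 1 to 5) as one script against the AWS CLI, added here as an example; it is not code from the original post. The account ID 123456789012, the bucket name mytestbucket and the inline policy name assume-sts-s3-read-only are assumptions to replace with your own; the user and role names are the ones used above. It writes the trust policy with the user ARN from the start, so the manual edit in step 3 is not needed, pulls the three credential values with --query instead of copying them by hand, and checks both the allowed read and the denied write.

```shell
#!/bin/sh
# Added example (not the post's own code): scripts steps 1-5 with the AWS CLI.
# Assumptions: account 123456789012, bucket mytestbucket, policy name
# assume-sts-s3-read-only. Override any of them via the environment.
set -eu

ACCOUNT_ID="${ACCOUNT_ID:-123456789012}"     # assumption: your own account ID
USER_NAME="${USER_NAME:-myteststsuser}"      # same names as in the post
ROLE_NAME="${ROLE_NAME:-sts-s3-read-only}"
BUCKET="${BUCKET:-mytestbucket}"             # assumption: a bucket in the account

# Trust policy for the role: trusts exactly one IAM user, not the account-wide
# ":root" principal the console writes by default.
trust_policy() {
  account="$1"; user="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::${account}:user/${user}" },
      "Action": "sts:AssumeRole"
    }
  ]
}
EOF
}

# Inline policy for the user: may assume this one role and nothing else.
assume_policy() {
  account="$1"; role="$2"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::${account}:role/${role}"
    }
  ]
}
EOF
}

# Steps 1-4. Run once with credentials that may manage IAM (e.g. AWS_PROFILE=admin).
setup() {
  aws iam create-user --user-name "$USER_NAME"
  # The secret is printed once; feed both values to `aws configure --profile ststestprofile`.
  aws iam create-access-key --user-name "$USER_NAME" \
      --query 'AccessKey.[AccessKeyId,SecretAccessKey]' --output text
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document "$(trust_policy "$ACCOUNT_ID" "$USER_NAME")"
  aws iam attach-role-policy --role-name "$ROLE_NAME" \
      --policy-arn arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess
  aws iam put-user-policy --user-name "$USER_NAME" \
      --policy-name assume-sts-s3-read-only \
      --policy-document "$(assume_policy "$ACCOUNT_ID" "$ROLE_NAME")"
}

# Step 5. Run as the user (AWS_PROFILE=ststestprofile). Environment credentials
# override the profile, so everything after the export runs as the role.
assume() {
  creds=$(aws sts assume-role \
      --role-arn "arn:aws:iam::${ACCOUNT_ID}:role/${ROLE_NAME}" \
      --role-session-name mytestsession --duration-seconds 900 \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  set -- $creds                                # tab-separated, no whitespace inside values
  AWS_ACCESS_KEY_ID="$1"; AWS_SECRET_ACCESS_KEY="$2"; AWS_SESSION_TOKEN="$3"
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN
  # Arn should now read arn:aws:sts::<account>:assumed-role/<role>/mytestsession
  aws sts get-caller-identity
  aws s3 ls                                    # allowed by AmazonS3ReadOnlyAccess
  echo probe > /tmp/probe
  if aws s3 cp /tmp/probe "s3://${BUCKET}/probe" 2>/dev/null; then
    echo "unexpected: PutObject succeeded" >&2; return 1
  fi
  echo "PutObject correctly denied"
}

case "${1:-}" in
  setup)  setup ;;
  assume) assume ;;
esac
```

Run `sh sts-demo.sh setup` with an administrative profile, then `AWS_PROFILE=ststestprofile sh sts-demo.sh assume` as the new user. The `--duration-seconds 900` asks for the shortest session AssumeRole allows; raise it up to the role's maximum session duration if you need longer.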

ABHISHEK KUMAR