AWS Security Token Service(STS)

ABHISHEK KUMAR
3 min readAug 9, 2019

--

AWS STS

AWS Security Token Service(STS) that enables you to request temporary, limited privilege credentials for IAM Users or Federated Users).

Benefits

  • No need to embed token in the code
  • The defaults expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.

Use Cases

  • Identity Federation(Enterprise Identity Federation[Active Directory/ADFS]/ Web Identity Federation (Google, Facebook))
  • Cross-account access(For Organization with multiple AWS accounts)
  • Applications on Amazon EC2 Instances

Let see this in action

Step1

  • Create an IAM user
Go to AWS Console → Security, Identity, & Compliance → IAM → Users → Add user
create a user with programmatic access
* User name: Please give some meaningful name
* Access type: Only give this user Programmatic access
  • In the next step don’t add this user to any group or attach any existing policy
  • Keep everything default, Review and Create user

Step2

  • Create Roles
  • Choose Another AWS account
  • Attach a Policy(AmazonS3ReadOnlyAccess)
  • Review and create the role

Step3:

  • Update/Modify Trust Relationships

Go to the Role we have just created and Click on Second Tab Trust relationships

{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:user/myteststsuser"
},
"Action": "sts:AssumeRole",
"Condition": {}
}
]
}
  • The current trust relation only allow root account to assume this role
  • Modify it with the arn of the user(myteststsuser) we have just created

Step4

Add an inline policy to the user we have created

Service: STS
Action: AssumeRole
Resource: ARN of the role we created earlier
  • This is making our user assume the role

Step5:

Testing

$ aws configure --profile ststestprofileAWS Access Key ID [None]: XXXXXXXXAWS Secret Access Key [None]: XXXXXXDefault region name [None]: us-west-2Default output format [None]: json

Also, export this profile for the time being

$ export AWS_PROFILE=ststestprofile

As we set the user to assume Role, let generate the temporary credentials and security token by running the below-mentioned command

$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"{"AssumedRoleUser": {"AssumedRoleId": "XXXXXXX:mytestsession","Arn": "arn:aws:sts::XXXXXXX:assumed-role/sts-s3-read-only/mytestsession"},"Credentials": {"SecretAccessKey": "XXXXXXX","SessionToken": "XXXXXXX","Expiration": "2018-12-18T06:47:21Z", "AccessKeyId": "XXXXXXXXX"}}

and then export it

export AWS_ACCESS_KEY_ID="XXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXX"
export AWS_SECURITY_TOKEN="XXXXXXX"

Try to access S3 bucket

$ aws s3 ls2018-12-13 20:53:05 mytestXXXXX

OR

$ aws s3 cp bucketest s3://mytestXXXXXXupload failed: ./bucketest to s3://mytestXXXXXX/bucketest An error occurred (AccessDenied) when calling the PutObject operation: Access Denied

--

--

ABHISHEK KUMAR
ABHISHEK KUMAR

Written by ABHISHEK KUMAR

DevOps/Cloud | 2x AWS Certified | 1x Terraform Certified | 1x CKAD Certified | Gitlab