AWS Security Token Service(STS)

AWS STS

AWS Security Token Service(STS) that enables you to request temporary, limited privilege credentials for IAM Users or Federated Users).

Benefits

• No need to embed token in the code
• The defaults expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.

Use Cases

• Identity Federation(Enterprise Identity Federation[Active Directory/ADFS]/ Web Identity Federation (Google, Facebook))
• Cross-account access(For Organization with multiple AWS accounts)
• Applications on Amazon EC2 Instances

Let see this in action

Step1

• Create an IAM user

Go to AWS Console → Security, Identity, & Compliance → IAM → Users → Add user

create a user with programmatic access

* User name: Please give some meaningful name
* Access type: Only give this user Programmatic access

• In the next step don’t add this user to any group or attach any existing policy
• Keep everything default, Review and Create user

Step2

• Create Roles
• Choose Another AWS account

• Attach a Policy(AmazonS3ReadOnlyAccess)

• Review and create the role

Step3:

• Update/Modify Trust Relationships

Go to the Role we have just created and Click on Second Tab Trust relationships

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::XXXXXX:user/myteststsuser"
      },
      "Action": "sts:AssumeRole",
      "Condition": {}
    }
  ]
}

• The current trust relation only allow root account to assume this role
• Modify it with the arn of the user(myteststsuser) we have just created

Step4

Add an inline policy to the user we have created

Service: STS
Action: AssumeRole
Resource: ARN of the role we created earlier

• This is making our user assume the role

Step5:

Testing

$ aws configure --profile ststestprofileAWS Access Key ID [None]: XXXXXXXXAWS Secret Access Key [None]: XXXXXXDefault region name [None]: us-west-2Default output format [None]: json

Also, export this profile for the time being

$ export AWS_PROFILE=ststestprofile

As we set the user to assume Role, let generate the temporary credentials and security token by running the below-mentioned command

$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"{"AssumedRoleUser": {"AssumedRoleId": "XXXXXXX:mytestsession","Arn": "arn:aws:sts::XXXXXXX:assumed-role/sts-s3-read-only/mytestsession"},"Credentials": {"SecretAccessKey": "XXXXXXX","SessionToken": "XXXXXXX","Expiration": "2018-12-18T06:47:21Z", "AccessKeyId": "XXXXXXXXX"}}

and then export it

export AWS_ACCESS_KEY_ID="XXXXXXX"
export AWS_SECRET_ACCESS_KEY="XXXXXXX"
export AWS_SECURITY_TOKEN="XXXXXXX"

Try to access S3 bucket

$ aws s3 ls2018-12-13 20:53:05 mytestXXXXX

OR

$ aws s3 cp bucketest s3://mytestXXXXXXupload failed: ./bucketest to s3://mytestXXXXXX/bucketest An error occurred (AccessDenied) when calling the PutObject operation: Access Denied