- https://docs.aws.amazon.com/iam/index.html
- AWS Security Token Service (AWS STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users)
- STS provides upon request:
§ Access Key ID and Secret Key
§ Session Token
§ Expiration or Duration
§ User / Application name
- Short-term – few minutes to several hours
- Once expired – can request new
- Main advantage – ability to provide access to AWS resources without defining an AWS identity
- GLOBAL service – single endpoint, https://sts.amazonaws.com
- Can selectively disable STS in specific regions
- Once issued, credentials work globally, in any region
- Exception: temporary credentials from GovCloud (US) and China (Beijing) can be used only in the region they were issued. Credentials from other regions can be used anywhere except these two private ones
- STS Tokens are generated via API / SDK / CLI, not Console
- Exception: EC2 – temporary credentials are automatically attached to an EC2 role, no need to request
- Multiple APIs exist, different token expiration defaults on each
§ AssumeRole – IAM user; typically used within account or for cross-account access.
§ AssumeRoleWithSAML – any user; used for federation access; must pass SAML authentication with known identity provider first (ex: from Google, Facebook, Amazon)
§ AssumeRoleWithWebIdentity – any user; used for web access; must pass a web identity token indicating authentication with known identity provider first
§ GetSessionToken – IAM user or root user; used for MFA logins
§ GetFederationToken - IAM user or root user
- Can pass in a policy along with the request to most of the APIs to further scope down the set of permissions. The passed policy can only contain a subset of the permissions allowed by the role. It cannot be used to add new permissions (it acts as a filter). Not supported by GetSessionToken.
- MFA is supported by AssumeRole and GetSessionToken
- Expiration – defaults are specific to each API. Ex: an AssumeRole token is valid for 1 hour by default, but this can be extended. The recommended approach is to cache the credentials and re-request close to expiry. Once issued, credentials cannot be revoked; AWS can however trim down the set of permissions associated with issued credentials
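The points above (session policy as a scope-down filter, MFA parameters on AssumeRole, a default 1-hour lifetime, and caching with re-request close to expiry) fit together in one small credential helper. The following is an added example, not code from the original notes or from AWS: the role ARN, bucket name, MFA device serial and 5-minute refresh margin are constructed values, and the `sts_assume_role` function assumes boto3 is installed where it is actually called.

```python
"""Added example: cached STS AssumeRole credentials with a scope-down session policy."""
import json
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, Optional

# Constructed session policy. It can only remove permissions relative to the
# role's own policy; anything not allowed by the role stays denied (filter, not grant).
SCOPE_DOWN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}


def sts_assume_role(role_arn: str, session_name: str,
                    mfa_serial: Optional[str] = None, mfa_code: Optional[str] = None,
                    duration_seconds: int = 3600) -> Dict:
    """Call STS AssumeRole (default 1h lifetime) with the scope-down policy and optional MFA.

    boto3 is imported here, not at module level, so the cache logic below can be
    exercised without network access or the SDK installed.
    """
    import boto3  # assumption: boto3 available at runtime
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "DurationSeconds": duration_seconds,
        "Policy": json.dumps(SCOPE_DOWN_POLICY),
    }
    if mfa_serial:
        # Both parameters are required when the role's trust policy demands MFA.
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = mfa_code
    response = boto3.client("sts").assume_role(**params)
    # Credentials holds AccessKeyId, SecretAccessKey, SessionToken and a tz-aware Expiration.
    return response["Credentials"]


def is_temporary_credential(creds: Dict) -> bool:
    """Sanity check: STS-issued keys start with 'ASIA' and always carry a session token,
    whereas long-term IAM user keys start with 'AKIA' and have no token."""
    return creds.get("AccessKeyId", "").startswith("ASIA") and bool(creds.get("SessionToken"))


class CredentialCache:
    """Hands out cached temporary credentials and re-requests them shortly before expiry."""

    def __init__(self, fetch: Callable[[], Dict],
                 refresh_margin: timedelta = timedelta(minutes=5),
                 now: Optional[Callable[[], datetime]] = None):
        self._fetch = fetch
        self._margin = refresh_margin
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._creds: Optional[Dict] = None
        self.fetch_count = 0  # how many STS round trips were actually made

    def needs_refresh(self) -> bool:
        if self._creds is None:
            return True
        # Refresh once we are inside the margin before Expiration, not after it.
        return self._now() >= self._creds["Expiration"] - self._margin

    def get(self) -> Dict:
        if self.needs_refresh():
            self._creds = self._fetch()
            self.fetch_count += 1
        return self._creds


if __name__ == "__main__":
    # Constructed values; a real run needs a role that trusts the caller and a live MFA code.
    cache = CredentialCache(lambda: sts_assume_role(
        "arn:aws:iam::123456789012:role/ExampleReadOnly", "example-session",
        mfa_serial="arn:aws:iam::123456789012:mfa/example-user", mfa_code="123456"))
    creds = cache.get()
    print("temporary:", is_temporary_credential(creds), "expires:", creds["Expiration"])
```

The cache never hands out credentials that are about to expire, and repeated `get()` calls within the lifetime cost no STS round trips; the `fetch` callable is injectable so the refresh logic can be tested with a fake clock and without AWS access.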
- SAML 2.0 – Security Assertion Markup Language – XML-based protocol that uses security tokens to pass information about an end user/application between an Identity Provider and a Service Provider. Enables access to AWS for users authenticated with on-premise ADS – removes the need to maintain on AWS user details already stored on-premises.