AWS Security Token Service (AWS STS) is a web service that lets you request temporary, limited-privilege credentials for AWS IAM users or for federated users that you have authenticated. STS is a key part of the AWS security services and an integral part of the Identity and Access Management (IAM) service.

The key purpose of AWS STS is to let a user or an application assume a role and obtain access to AWS services or resources.


The following diagram shows an example in which a user wants to access an S3 object in AWS and uses her web identity provider login to do so.

AWS STS Example

Steps:

  1. The user logs in with a web identity provider (such as Facebook, Google, Apple, etc.)
  2. The third party returns a token to the user
  3. The user sends that token to STS
  4. STS verifies the token and returns temporary credentials to the user
  5. The user can now access S3 (provided her credentials are authorized to access S3)


STS Assume Role requests return the following data:

  • AccessKeyId
  • SecretAccessKey
  • SessionToken
  • Expiration


STS supports the following Assume Role calls:

  • AssumeRole
    • Returns a set of temporary security credentials.
    • Typically used for cross-account access.
    • The root user cannot call AssumeRole.
  • AssumeRoleWithSAML
    • Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication process.
  • AssumeRoleWithWebIdentity
    • Returns a set of temporary security credentials for users who have been authenticated via a web identity provider.
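The web identity flow above (steps 3 to 5) and the four credential fields, as an added example that is not part of the original page: the token from the provider is exchanged for temporary credentials through AssumeRoleWithWebIdentity, the response is checked for all four fields, expiry is tracked, and all three credential parts are passed on to S3. The role ARN, token, session name and region are placeholders; boto3 is assumed for a real run, and StubSts is a constructed stand-in so the core logic runs offline.

```python
from datetime import datetime, timedelta, timezone
REQUIRED_FIELDS = ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration")

def exchange_web_identity_token(sts, role_arn, id_token, session_name, duration_seconds=3600):
    """Steps 3 and 4: send the provider's token to STS and get temporary credentials
    back. Rejects a response missing any of the four fields the page lists."""
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name,
        WebIdentityToken=id_token, DurationSeconds=duration_seconds)
    creds = resp["Credentials"]
    missing = [f for f in REQUIRED_FIELDS if f not in creds]
    if missing:
        raise ValueError(f"STS response missing fields: {missing}")
    return creds

def seconds_until_expiry(creds, now=None):
    """Seconds until Expiration; <= 0 means expired, so refresh before then."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()

def s3_client_kwargs(creds, region):
    """Step 5: boto3.client("s3") arguments carrying all three credential parts;
    omitting SessionToken is a common mistake that makes S3 reject the call."""
    return {"region_name": region,
            "aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}

class StubSts:
    """Constructed offline stand-in for the STS client (same response shape)."""
    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc)

    def assume_role_with_web_identity(self, **kw):
        return {"Credentials": {
            "AccessKeyId": "ASIAEXAMPLE", "SecretAccessKey": "secret-example",
            "SessionToken": "token-example",
            "Expiration": self.now + timedelta(seconds=kw["DurationSeconds"])}}

if __name__ == "__main__":
    import boto3  # assumption: boto3 installed; needed only for a real AWS run
    # Regional STS endpoint (see the page's key points); the region is an assumption.
    sts = boto3.client("sts", region_name="us-east-1",
                       endpoint_url="https://sts.us-east-1.amazonaws.com")
    creds = exchange_web_identity_token(
        sts, "arn:aws:iam::123456789012:role/PLACEHOLDER-WebIdentityRole",
        "<id-token-from-provider>", "alice-session")
    print(f"credentials expire in {seconds_until_expiry(creds):.0f}s")
    s3 = boto3.client("s3", **s3_client_kwargs(creds, "us-east-1"))
    print(s3.get_object(Bucket="PLACEHOLDER-bucket", Key="PLACEHOLDER-key")["ContentLength"])
```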



Key Points

  • By default, STS is available as a global service, with all STS requests served via a single endpoint – https://sts.amazonaws.com
  • You can, however, enable regional STS endpoints to reduce latency.
  • You cannot access STS through the AWS console.
  • You can use CloudTrail to view STS requests for audit and analysis purposes.



External Resources