AWS Security Token Service (AWS STS) is a web service that lets you request temporary, limited-privilege credentials for AWS IAM users or for federated users that you have already authenticated. STS is a key part of the AWS security services and an integrated part of the Identity and Access Management (IAM) service.
The key purpose of AWS STS is to allow a user or an application to assume a role and obtain access to AWS services or resources.
The following diagram shows an example in which a user wants to access an S3 object in AWS and uses her web identity provider login to do so.
Steps:
- The user logs in with one of the web identity providers (such as Facebook, Google, Apple, etc.)
- The third party returns a token to the user
- The user sends that token to STS
- STS verifies the token and returns temporary credentials to the user
- The user can now access S3 (provided the assumed role is authorized to access S3)
STS AssumeRole requests return the following data:
- AccessKeyID
- SecretAccessKey
- SessionToken
- Expiration
STS supports the following AssumeRole calls:
- AssumeRole
  - Returns a set of temporary security credentials.
  - Typically used for cross-account access.
  - You cannot use the root user to call AssumeRole.
- AssumeRoleWithSAML
  - Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication process.
- AssumeRoleWithWebIdentity
  - Returns a set of temporary security credentials for users who have been authenticated via a web identity provider.
Key Points
- By default, STS is available as a global service, with all STS requests served via a single endpoint: https://sts.amazonaws.com
- You can, however, enable regional STS endpoints to reduce latency.
- You cannot access STS through the AWS console.
- You can use CloudTrail to view STS requests for audit and analysis purposes.
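As an added example (not code from the original page or from AWS), the following Python shows how the four values an AssumeRole call returns are turned into usable credentials, how to check the Expiration before using them, and how a live call would target a regional endpoint with the shortest allowed session lifetime. The response dict, role ARN, account ID and session name are constructed placeholders; the helpers are pure Python and run offline, and only the two functions that import boto3 need network access and real credentials.

```python
from datetime import datetime, timezone

# Constructed sample of an AssumeRole response. Field names follow the AWS API;
# the values are fake placeholders, not real credentials.
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEPLACEHOLDER",
        "SecretAccessKey": "EXAMPLESECRETKEYPLACEHOLDER0000000000000",
        "SessionToken": "EXAMPLE-SESSION-TOKEN-PLACEHOLDER",
        "Expiration": datetime(2030, 1, 1, 12, 0, tzinfo=timezone.utc),
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:audit-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ReadOnlyAuditRole/audit-session",
    },
}

def session_kwargs(response):
    """Map the AccessKeyId/SecretAccessKey/SessionToken triple onto boto3.Session arguments."""
    creds = response["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Temporary keys are rejected without the session token.
        "aws_session_token": creds["SessionToken"],
    }

def seconds_remaining(response, now=None):
    """Seconds until Expiration; negative once the credentials are dead."""
    now = now or datetime.now(timezone.utc)
    return (response["Credentials"]["Expiration"] - now).total_seconds()

def is_usable(response, now=None, min_seconds=60):
    """Refuse credentials that would expire mid-operation."""
    return seconds_remaining(response, now) >= min_seconds

def assume_role_live(role_arn, session_name, region="us-east-1", duration=900):
    """Real sts:AssumeRole call via a regional endpoint, with the shortest
    allowed lifetime (900 s) so a leaked credential is short-lived."""
    import boto3  # imported here so the helpers above stay importable without it
    sts = boto3.client("sts", region_name=region,
                       endpoint_url=f"https://sts.{region}.amazonaws.com")
    return sts.assume_role(RoleArn=role_arn, RoleSessionName=session_name,
                           DurationSeconds=duration)

def s3_client_from(response, region="us-east-1"):
    """Build the S3 client the user in the diagram would use with her temporary credentials."""
    import boto3
    return boto3.Session(**session_kwargs(response), region_name=region).client("s3")
```

The RoleSessionName you pass is what appears in the AssumedRoleUser ARN and in the CloudTrail AssumeRole event, so choose a value that identifies the caller when you review STS activity.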
External Resources