Day 4 – AWS Security Token Service (STS)
Welcome to Day 4 of 100 Days of AWS. The topic for today is AWS Security Token Service (STS).
AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for IAM users or federated users.

Benefits
- No need to embed tokens in the code
- Limited lifetime (15 minutes to 1.5 days, i.e. 36 hours)
Use Cases
- Identity federation: enterprise identity federation (Active Directory/ADFS) or web identity federation (Google, Facebook, Amazon)
- Cross-account access (for organizations with multiple AWS accounts)
- Applications on Amazon EC2 instances
Let's see this in action.
Step 1
- Create an IAM user
Go to AWS Console → Search for IAM → IAM → Users → Add users

- User name: give it a meaningful name
- Access type: give this user Programmatic access only
- In the next step, don't add this user to any group or attach any existing policy
- Keep everything default, review, and create the user

Step 2
On the same IAM console, click on Roles
- Create role
- Choose Another AWS account

- Attach a policy (AmazonS3ReadOnlyAccess)

- Review it and click on Create role at the bottom of the screen

Step 3:
- Update/modify the trust relationship
Go to the role we have just created and click on the second tab, Trust relationships

- The current trust relationship only allows the account root to assume this role
- Modify it with the ARN of the user (arn:aws:iam::XXXX:user/mynewuser) we have just created
Step 4
Add an inline policy to the user we have created

- Service: STS
- Action: AssumeRole
- Resource: ARN of the role we created earlier (arn:aws:iam::XXXXXXX:role/sts-s3-read-only-role)
- This is what allows our user to assume the role
Step 5:
Testing
$ aws configure --profile ststestprofile
AWS Access Key ID [None]: XXXXXXXX
AWS Secret Access Key [None]: XXXXXX
Default region name [None]: us-west-2
Default output format [None]: json
NOTE: These are the credentials (access key ID and secret access key) generated when we created this user.
Also, export this profile for the time being:
$ export AWS_PROFILE=ststestprofile
As we have set the user up to assume the role, let's generate the temporary credentials and security token by running the command below:
$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"
{
    "Credentials": {
        "AccessKeyId": "XXXXXXXX",
        "SecretAccessKey": "XXXXXXXX",
        "SessionToken": "XXXXXXXX",
        "Expiration": "2022-04-08T06:54:56+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA47TQRQ43C6VCGJUH4:mytestsession",
        "Arn": "arn:aws:sts::XXXXXXXX:assumed-role/sts-s3-read-only-role/mytestsession"
    }
}
and then export them:
$ export AWS_ACCESS_KEY_ID="XXXXXXX"
$ export AWS_SECRET_ACCESS_KEY="XXXXXXX"
$ export AWS_SECURITY_TOKEN="XXXXXXX"
Try to access the S3 bucket:
$ aws s3 ls
2022-04-07 23:00:17 plakhera-test-sts-bucket
Now try to write to it (the role only grants read access, so this should fail):
$ aws s3 cp installing_terraform.sh s3://plakhera-test-sts-bucket
upload failed: ./installing_terraform.sh to s3://plakhera-test-sts-bucket/installing_terraform.sh An error occurred (AccessDenied) when calling the PutObject operation: Access Denied
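The policy documents behind Steps 3 and 4 and the credential handling of Step 5, as an added Python example that is not part of the original post. The account id 111122223333 and the ARNs are assumed stand-ins for the XXXX placeholders above, and the assume-role JSON it parses is a constructed sample shaped like the output shown.

```python
import json
from datetime import datetime, timezone

# Assumed stand-ins for the XXXX account id and names used in the post.
USER_ARN = "arn:aws:iam::111122223333:user/mynewuser"
ROLE_ARN = "arn:aws:iam::111122223333:role/sts-s3-read-only-role"

def trust_policy(user_arn: str) -> dict:
    # Step 3: the role trusts one IAM user instead of the account root that the
    # console puts there by default; without this the user's AssumeRole is denied.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": user_arn},
        "Action": "sts:AssumeRole"}]}

def assume_role_policy(role_arn: str) -> dict:
    # Step 4: the user's only permission is sts:AssumeRole on this one role;
    # S3 read access comes from the role's AmazonS3ReadOnlyAccess policy.
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Action": "sts:AssumeRole",
        "Resource": role_arn}]}

def sample_output(expiration: str) -> str:
    # Constructed stand-in for the JSON that `aws sts assume-role` prints in Step 5.
    return json.dumps({"Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEY",
        "SecretAccessKey": "exampleSecret",
        "SessionToken": "exampleSessionToken",
        "Expiration": expiration}})

def expired(output_json: str, now=None) -> bool:
    # Expiration is ISO-8601 with a UTC offset, e.g. "2022-04-08T06:54:56+00:00".
    expires = datetime.fromisoformat(json.loads(output_json)["Credentials"]["Expiration"])
    return expires <= (now or datetime.now(timezone.utc))

def credentials_to_env(output_json: str, now=None) -> dict:
    # Map the response onto the variables the CLI and SDKs read. AWS_SESSION_TOKEN is
    # the documented name; the post's AWS_SECURITY_TOKEN is an older alias still honoured.
    if expired(output_json, now):
        raise ValueError("temporary credentials have already expired; call assume-role again")
    creds = json.loads(output_json)["Credentials"]
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}
```

Printing `json.dumps(trust_policy(USER_ARN), indent=2)` gives the document to paste into the role's Trust relationships tab, and the dict from `credentials_to_env` is what the export lines above set by hand.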
Looking forward to you guys joining this journey, spending a minimum of an hour every day for the next 100 days on AWS work, and posting your progress.