AWS STS (Security Token Service)

What is AWS STS?

AWS STS is a web service that is used to request temporary, limited-privilege credentials. AWS STS is integrated with AWS IAM (Identity and Access Management) service. It is available as a global service as well as a regional service.

By default, AWS STS is available as a global service and all the STS requests are sent to the global endpoint at https://sts.amazonaws.com. Global requests map to the US East (N. Virginia) Region.

In addition to that, AWS provides us with the option to send the STS request to the AWS region of our choice. In fact, AWS recommends using Regional AWS STS endpoints over the global endpoint.

How Do AWS STS Keys Work?

If you enter STS in the AWS Management console search bar, nothing comes up. Because it is not available in the console, AWS STS is accessed programmatically only by the AWS SDK or AWS CLI.

The AWS IAM entity will make API calls to the STS global endpoint or regional endpoint (if enabled). Then the STS key will be generated dynamically.

Once STS receives the request, it will return a response with the following

Access KeyID and Secret keyID : The Access key and secret key will be used to access the AWS Services programmatically

Session Token : Key generated by STS Service to obtain a session with AWS Services

Expiration: Time duration for the session expiration

The above diagram illustrates the sample Architecture flow diagram for an AWS STS API Call with Web Identity Federation.

The Web Identity federation is the option we usually see on the login screen, such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP.

1. Client Authentication:

• We can see that the Web identity provider authenticates the user identity and returns with a JSON Web Token (JWT).

2. AWS STS API Request:

• Using the token, the user will assume that identity to request the STS API.

3. AWS STS API Response:

• AWS STS returns a dynamically generated token as a response to the API call request. The user will use that token to obtain a session.

4. Accessing AWS Services:

• Using the session token, the user will be able to access the AWS Services.

Every time the user logs in and accesses the AWS service, a unique session token will be generated dynamically by AWS STS.

AWS STS Actions

AWS STS actions are categorized into three categories. They are

1. Read
2. Tag
3. Write

Read Action

Tag Action

Write Action

Use Cases for AWS STS

Common scenarios for temporary credentials in AWS are listed below:

Identity federation using SAML 2.0 and Web identity such as Google, Facebook, etc

• Instead of creating IAM users, we create an IAM role. We integrate our SAML 2.0 or ADFS or Web identity into the AWS Identity provider. Then users available in ADFS or SAML 2.0 will assume the role to access the AWS service. Whenever they access the AWS Service, a unique session token will be created and mapped to that user.

Roles for cross-account access

• Assume we have an AWS Production Account and a Developer Account.

• By assuming the role with STS permission, users in the developer account will be able to access the production AWS account without creating an IAM user with the help of temporary access tokens. The same goes for AWS resources as well.

Roles for Amazon EC2

• We create an IAM role with AWS resource access and attach it to the EC2 server. The EC2 server can now access the AWS resource (policy-based) without creating the IAM users or credentials on the EC2 server.

• EC2 uses the STS service under the hood to achieve this.

Access AWS services with IAM role

• We can further delegate our IAM access by allowing the IAM users to follow role-based access. The IAM role will use STS to access the AWS services, instead of the IAM credentials.

For example,

• If an IAM user wants to access an S3 bucket, instead of attaching the S3 policy directly to the IAM user, we can create one IAM role with S3 Bucket permission.
• The policy will then be attached, stating that IAM users can assume the role to access S3.

AWS STS Example

In this example, we will provide the EC2 server with the access to an S3 bucket using IAM roles.

STEP 1: View the available S3 bucket. If there is no S3 bucket, create one.

STEP-2: Launch one EC2 server on a public subnet and the ensure that the server is in running state.

STEP 3: Follow the steps below to create an IAM role.

Select AWS Service and use case as EC2

Policy: AmazonS3FullAccess (AWS Managed Policy)

Name: ec2-role-for-s3

Create the role.

Note down the role name.

STEP-4: Attach this IAM role to the EC2 server.

Select the created role under the dropdown and click Update IAM role.

STEP-5: Login to the EC2 server. In the server CLI, enter the below command.

Login view:

This command will list the buckets available in the region of the launched EC2 instance.

What have we achieved here?

You may have noticed that we didn't pass or store any IAM credentials to the EC2 servers. By attaching the IAM role to the EC2 instance, the EC2 server will be able to access the S3 services using STS.  

In this example, we will provide an IAM user with the access to AWS Account services using STS Assume role

Step 1: Create an IAM user with no permissions.

In the above image, we can see that the IAM user will be able to log in to the server but is not able to view any services or resources. It is because we didn't attach any policy to the IAM user.

Step 2: Create an IAM Role with Administrator permissions and copy its ARN.