Security Token Service

-
AssumeRole
BrianWagner stsAssumeRole

Q. What is AWS STS?

  1. AWS Security Token Service(STS) is a web service that enables you to request temporary, limited-privilege credentials for following users

    1. AWS Identity and Access Management (IAM) users

    2. Federated users

Q. Is AWS STS global service?

  1. YES, default it is a global service with a single endpoint at https://sts.amazonaws.com, However , we can also choose to make STS API calls to endpoints in any other supported regions (refer) to reduce latency(server lag) by sending the request to servers in a region that geographically closer to us.

Q. What are the types of access can AWS Users have?

  1. Two types of access possible.

    1. Programmatic access - Enables an access Key ID and secret access key for the AWS API, CLI, SDK and other development tools

    2. AWS Management Console access - Enables a password that allows users to sign-in to the AWS Management console.

Q. What are the common scenarios to go for Temporary Credentials?

  1. Following are common scenarios for temporary credentials

    1. Identity Federation

      1. Enterprise Identity Federation - Used when you want to use organization existing authentication system to grant access to AWS resources

        1. Custom federation broker

        2. Federation using SAML 2.0

      2. Web Identity Federation - authenticate using well known third party identity providers

    2. Delegation

    3. Cross account access

    4. IAM Roles

Q. Which STS API Action used to get temporary credentials ( access key ID, secret access key, security token). To access resources in Another AWS account

  1. Use AssumeRole action

Note
 We can’t use AWS account root credentials to call AssumeRole action. You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it.

Things to remember about STS API actions

STS API Actions
1. AssumeRole used to get short-term temporary credentials. it is assoicated with role, if you have multiple AWS accounts and want to access resource from one acccount to other use this

2. GetFederationToken doesn't associated with role. it gives long-lived access token. used proxy-based apps

3. AssumeRoleWithWebIdentity used with thiry party providers to grant access

4. AssumeRoleWithSAML used with your organization authentication system to get AWS resource access

5. GetSessionToken used with MFA devices

Q: How do I assume an IAM role?

  1. You assume an IAM role by calling the AWS Security Token Service (STS) AssumeRole APIs (in other words,

    1. AssumeRole,

    2. AssumeRoleWithWebIdentity,

    3. AssumeRoleWithSAML).

These APIs return a set of temporary security credentials that applications can then use to sign requests to AWS service APIs.

Q: How many IAM roles can I create?

  1. You are limited to 1,000 IAM roles under your AWS account. If you need more roles, submit the IAM limit increase request form with your use case, and AWS will consider your request.

Q: How can I request temporary security credentials for federated users?

  1. The following are the STS API operations that you can use to acquire temporary credentials for use in your AWS environment and applications.

    1. GetFederationToken

    2. AssumeRole

    3. AssumeRoleWithSAML

    4. AssumeRoleWithWebIdentity

AssumeRole

Q. How does AssumeRole works?

  1. Cross-Account Delegation and Federation Through a Custom Identity Broker

This API action is useful for allowing existing IAM users to access AWS resources that they don’t already have access to, such as resources in another AWS account. It is also useful for existing IAM users as a means to temporarily gain privileged access.

AssumeRoleWithWebIdentity

Q. How does AssumeRoleWithWebIdentity works?

  1. Federation Through a Web-based Identity Provider

This API operation returns a set of temporary security credentials for federated users who are authenticated through a public identity provider.

Examples of public identity providers include Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider.

Note
 Instead of directly calling AssumeRoleWithWebIdentity, we recommend that you use Amazon Cognito and the Amazon Cognito credentials provider with the AWS SDKs for mobile development.

AssumeRoleWithSAML

Q. How does AssumeRoleWithSAML works?

  1. Federation Through an Enterprise Identity Provider Compatible with SAML 2.0

This API returns a set of temporary security credentials for federated users who are authenticated by your organization’s existing identity system. The users must also use SAML 2.0 (Security Assertion Markup Language) to pass authentication and authorization information to AWS.

GetFederationToken

Q. How does GetFederationToken works?

  1. Federation Through a Custom Identity Broker

This API returns a set of temporary security credentials for federated users.

This API differs from AssumeRole in that the default expiration period is substantially longer (12 hours instead of one hour).

Additionally, you can use the DurationSeconds parameter to specify a duration for the temporary security credentials to remain valid.

The resulting credentials are valid for the specified duration, between 900 seconds (15 minutes) to 129,600 seconds (36 hours).

GetSessionToken

Q. How does GetSessionToken works?

  1. Returns a set of temporary credentials for an AWS account or IAM user.

The credentials consist of an access key ID, a secret access key, and a security token.

Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances.

MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device.

Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication.

If you do not supply a correct MFA code, then the API returns an access denied error.

Comments

Post a Comment

Popular posts from this blog

IBM Datapower GatewayScript

-
Introduction IBM API Assembly Language Introduction GatewayScript is a new transformation technology for API, Web, and Mobile and is available in DataPower. GatewayScript is based on the JavaScript programming language. More precisely, it supports the ECMAScript 5.1 version of the specification. On the DataPower appliance, JavaScript runs in ‘strict’ mode only. The strict mode provides a more consistent and more disciplined behavior. For example, if a script attempts to write a property of a DataPower API object and that object is frozen, an immediate exception is thrown. The ‘strict’ mode behavior supports stronger error checking and handling and increases security. DataPower Playground (GatewayScript Fiddle) IBM DataPower Playground is an interactive website that lets you write GatewayScript code and execute it on a cloud-hosted DataPower Gateway for learning purposes. Available at : https://datapower-playground.mybluemix.net/ GatewayScript provides
Read more

Spring boot Kafka Integration

-
Image
Introduction Introduction K afka is an open source streaming platform which scales very well in a horizontal way without compromising speed and efficiency. The Kafka core is written in Scala , and Kafka Streams and KSQL are written in Java . Features Kafka is a service bus To connect heterogeneous applications, we need to implement a message publication mechanism to send and receive messages among them. A message router is known as message broker . Kafka is a message broker , a solution to deal with routing messages among clients in a quick way. Kafka architecture has two directives The first is to not block the producers (to deal with back pressure). The second is to isolate producers and consumers . The producers should not know who their consumers are, hence the kafka follows the dumb broker and smart clients model. Tip Back pressure is to make applications robust against data surges. when producer generates data higher rate tha
Read more

Spring boot SOAP Web Service Performance

-
Image
Consumng This tutorial walks you through the process of consuming a SOAP-based web service with Spring. It elucidates following items Making parallel calls with RxJava (or WebFlux ) Sending large SOAP message payloads using AXIOM( AXis Object Model) AxiomSoapMessageFactory .(which improves performance) Marshalling( is the process of transforming the memory representation of an object to a data format suitable for storage or transmission) Marshalling (XML Serialization) done with O/X Mappers, different types of mappers out there and choose appropriate one for your need. Castor XML mapping is an open source XML binding framework. It allows you to transform the data contained in a java object model into/from an XML document. By default, it does not require any further configuration, though a mapping file can be used to have more control over the behavior of Castor. The Spring integration classes reside in the org.springframework.oxm.castor pa
Read more