AWS Security Token Service (STS) is a web service that allows you to request temporary, limited-privilege credentials for AWS services. These credentials are typically used to authenticate users or services for a specific period of time, allowing them to access AWS resources securely without using long-term IAM credentials.
STS helps manage and secure access to AWS resources by issuing temporary security credentials that expire after a defined duration. It is especially useful for scenarios where you need to grant temporary access to AWS resources, such as federated users, third-party applications, or AWS services.
Key Features of AWS STS:
Temporary Security Credentials:
STS issues temporary security credentials (an Access Key ID, a Secret Access Key, and a Session Token) that are valid for a caller-specified duration. AssumeRole sessions last from 15 minutes up to the role's configured maximum session duration (between 1 and 12 hours); GetSessionToken and GetFederationToken allow up to 36 hours; and a role assumed with credentials that themselves came from an assumed role (role chaining) is capped at 1 hour.
These credentials grant access to AWS resources only for that window, which limits the damage from a leak: a stolen session credential stops working at expiry, whereas a stolen long-term access key works until someone rotates or deletes it.
Federated Access:
STS exchanges an authentication result from an external identity provider for temporary AWS credentials: a SAML 2.0 assertion from a SAML identity provider (for example AD FS in front of Active Directory), a web identity token from Login with Amazon, Facebook, Google, or Amazon Cognito, or a token from any OpenID Connect provider registered in IAM. The identity provider authenticates the user; STS only verifies the assertion or token against the provider registered in IAM and the role's trust policy.
This makes it easier to manage users who are outside your AWS account, like partners or contractors, without creating individual IAM users for them or handing out long-term keys.
Cross-Account Access:
You can grant temporary access to resources in another AWS account through a role that is assumed via STS. The role in the target account names the trusted account or principal in its trust policy; a principal in the trusted account then calls AssumeRole and receives credentials scoped to that role's permissions. When the trusted party is a third party (a vendor or SaaS integration), also require an ExternalId in the trust policy, so the role cannot be assumed on behalf of some other customer of that party (the confused-deputy problem).
IAM roles are the unit of cross-account delegation: a user or service in one account assumes a role in another via STS and acts under that role's permissions, rather than receiving credentials that belong to the other account.
Mobile and Web Application Integration:
STS can be used to give users of mobile or web applications temporary access to AWS resources, so no long-term AWS credentials ship inside the app, where anyone who unpacks the binary or inspects the page source could read them.
You authenticate users via SSO, social logins, or a federated identity provider, then exchange that identity for temporary credentials through STS (in practice often via Amazon Cognito identity pools, which call STS on the app's behalf).
Assumed Roles for AWS Services:
AWS services such as EC2, Lambda, or ECS assume IAM roles via STS on your behalf and hand the resulting temporary credentials to your code through a local channel (the instance metadata service on EC2, environment variables in Lambda, the task credential endpoint in ECS), rotating them automatically before they expire. The application needs no embedded keys, and an attacker who reads its code obtains nothing long-lived. The metadata endpoint itself becomes the target instead, so on EC2 require IMDSv2 and treat SSRF into 169.254.169.254 as a credential-theft vector.
AssumeRoleWithWebIdentity:
This API lets web and mobile applications exchange a token from a web identity provider (Login with Amazon, Facebook, Google, Amazon Cognito, or any OpenID Connect provider registered in IAM) for temporary credentials. The role's trust policy must pin the token's audience claim to your own application (the provider-specific aud condition key); otherwise a valid token that the same provider issued to some unrelated app could be used to assume your role. The sub claim can further scope access to an individual user.
It is the usual way to give an application's end users AWS access without creating IAM users for them.
AssumeRoleWithSAML:
You can integrate STS with SAML 2.0-compliant identity providers (such as Active Directory Federation Services): the user authenticates at the identity provider, receives a signed SAML assertion that lists the IAM roles they may take, and AssumeRoleWithSAML exchanges that assertion for temporary credentials for one of those roles.
Policy-Based Permissions:
Policies are not attached to the credentials themselves. A session's permissions come from the identity-based policies of the role that was assumed, and the caller may pass an optional session policy (inline JSON or managed policy ARNs) in the AssumeRole request. The session's effective permissions are the intersection of the role's policies and the session policy, so a session policy can only narrow what the role already allows, never add to it. Service control policies and resource-based policies still apply on top.
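The two decisions described above (who may assume a role, and what the resulting session may do) are where most STS misconfigurations live, so here is a small Python model of them. This is an added example, not AWS code and not a complete IAM evaluator: it handles Effect, Principal, Action, Resource and StringEquals/StringLike conditions only, and the account IDs, ARNs, external ID and Google client ID in it are constructed. It covers the cross-account trust check with an ExternalId, the web-identity trust check on the token audience, and the intersection of a role policy with a session policy.

```python
"""Simplified IAM policy evaluation behind STS role assumption (added example, not AWS code).

Models the two checks an AssumeRole* call goes through: the role's trust policy (who may
assume it, under which conditions) and the intersection of the role's identity policy with
an optional session policy. Only Effect, Principal, Action, Resource, StringEquals/StringLike
conditions and '*'/'?' wildcards are modelled. All IDs, ARNs and secrets are constructed.
"""
import fnmatch


def _as_list(value):
    # Most IAM fields accept a single string or a list of strings.
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcards behave like case-sensitive shell globs.
    return any(fnmatch.fnmatchcase(value, p) for p in _as_list(patterns))


def _conditions_hold(conditions, context):
    # Every operator/key pair must hold; a key missing from the request context never does.
    for operator, pairs in conditions.items():
        for key, wanted in pairs.items():
            actual = context.get(key)
            if actual is None:
                return False
            if operator == "StringEquals" and actual not in _as_list(wanted):
                return False
            if operator == "StringLike" and not _matches(wanted, actual):
                return False
            if operator not in ("StringEquals", "StringLike"):
                raise ValueError(f"condition operator {operator} is not modelled")
    return True


def evaluate(policy, action, resource="*", principal=None, context=None):
    """Return 'Allow' or 'Deny'. An explicit Deny wins; no matching statement is an implicit Deny."""
    decision = "Deny"
    for st in policy["Statement"]:
        if not _matches(st.get("Action", []), action) or not _matches(st.get("Resource", "*"), resource):
            continue
        if principal is not None:
            # Trust policies name principals by type ({"AWS": arn}, {"Federated": provider}) or as "*".
            p = st.get("Principal", {})
            allowed = ["*"] if p == "*" else [a for arns in p.values() for a in _as_list(arns)]
            if not _matches(allowed, principal):
                continue
        if not _conditions_hold(st.get("Condition", {}), context or {}):
            continue
        if st["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def can_assume(trust_policy, principal, action, context=None):
    """Trust-policy check: may this principal call the given sts:AssumeRole* action on the role?"""
    return evaluate(trust_policy, action, principal=principal, context=context) == "Allow"


def session_allows(role_policy, session_policy, action, resource):
    """A session's effective permission: the role policy AND the session policy must both allow
    the call, so a session policy can narrow what the role grants but never widen it."""
    return all(evaluate(p, action, resource) == "Allow" for p in (role_policy, session_policy))


# Constructed trust policy of a role in account 222222222222: a deploy role in account
# 111111111111 may assume it cross-account if it presents the agreed ExternalId, and users of
# one web app may assume it with a Google token whose audience is that app's client ID.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/deploy"},
     "Action": "sts:AssumeRole",
     "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id-4f2a"}}},
    {"Effect": "Allow", "Principal": {"Federated": "accounts.google.com"},
     "Action": "sts:AssumeRoleWithWebIdentity",
     "Condition": {"StringEquals": {"accounts.google.com:aud": "1234-example.apps.googleusercontent.com"}}},
]}

# Constructed identity policy attached to the role, and a session policy the caller passes in
# the AssumeRole request to restrict this one session to reads (ec2:* shows it cannot add rights).
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"], "Resource": "arn:aws:s3:::example-reports/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-reports"},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:ListBucket", "ec2:*"], "Resource": "*"},
]}


def demo():
    deploy, ext = "arn:aws:iam::111111111111:role/deploy", {"sts:ExternalId": "example-external-id-4f2a"}
    google, obj = "accounts.google.com", "arn:aws:s3:::example-reports/q1.csv"
    return {
        "deploy_with_external_id": can_assume(TRUST_POLICY, deploy, "sts:AssumeRole", ext),
        "deploy_without_external_id": can_assume(TRUST_POLICY, deploy, "sts:AssumeRole"),
        "google_token_our_app": can_assume(TRUST_POLICY, google, "sts:AssumeRoleWithWebIdentity",
                                           {"accounts.google.com:aud": "1234-example.apps.googleusercontent.com"}),
        "google_token_other_app": can_assume(TRUST_POLICY, google, "sts:AssumeRoleWithWebIdentity",
                                             {"accounts.google.com:aud": "9999-other.apps.googleusercontent.com"}),
        "session_get": session_allows(ROLE_POLICY, SESSION_POLICY, "s3:GetObject", obj),
        "session_put": session_allows(ROLE_POLICY, SESSION_POLICY, "s3:PutObject", obj),
        "session_ec2": session_allows(ROLE_POLICY, SESSION_POLICY, "ec2:DescribeInstances", "*"),
    }
```

Running demo() shows the three properties worth remembering: the deploy role is refused without the ExternalId, a Google token minted for another application is refused even though Google signed it, and the session policy strips s3:PutObject from the session while its ec2:* entry grants nothing because the role never had it. Real IAM has many more operators, the "...IfExists" and Null variants, policy variables, and the rule that an account root principal delegates to that account's own IAM policies; none of that is modelled here.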
How AWS STS Works:
User Authentication:
The user (or service) authenticates via an identity provider (for federated users) or assumes an IAM role directly.
STS Request:
A request is sent to STS (AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, or, for an IAM user's own credentials, GetSessionToken) specifying the role ARN (Amazon Resource Name) to assume and session parameters: a RoleSessionName that identifies this session in the resulting credentials' ARN and in CloudTrail, a DurationSeconds within the role's limit, and optionally an ExternalId and a session policy.
STS Issues Temporary Credentials:
STS checks the role's trust policy against the caller (for a caller in another account, the caller's own identity policies must also grant sts:AssumeRole) and, if authorized, issues temporary security credentials consisting of:
Access Key ID
Secret Access Key
Session Token
together with an Expiration timestamp. These credentials are then used by the user or application to interact with AWS resources until that time; all three values must be presented together, since an access key and secret without their session token are rejected.
Access AWS Resources:
The user or service uses the temporary credentials to interact with AWS services (like S3, EC2, etc.) as permitted by the associated IAM policy.
Credential Expiration:
After the credentials expire, the user or service can no longer access AWS resources with them and must request new credentials if needed; long-running clients should therefore cache the credentials and re-assume the role shortly before expiry rather than on failure. Expiry is the only automatic cutoff: there is no API to revoke one session. To cut off every session of a role issued before a given moment (for example after a credential leak), add an inline Deny to the role with a DateLessThan condition on aws:TokenIssueTime, which is what the console's "Revoke active sessions" action does.
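The flow above, end to end, as an added Python example (not AWS or boto3 code). assume_role() builds the request and unpacks the response in the same shape boto3's sts.assume_role() returns, so a real boto3.client("sts") can be passed in; the FakeSTS and FakeClock classes are constructed stand-ins so the example runs offline, and the role ARN, external ID and credential values are made up. The RefreshingCredentials wrapper shows the expiry handling a long-running job needs: reuse the session until a few minutes remain, then assume the role again.

```python
"""Temporary-credential lifecycle for an assumed role (added example, not AWS or boto3 code).

assume_role() sends the AssumeRole request through any client exposing boto3's
sts.assume_role(**kwargs) call and response shape and unpacks the Credentials block;
RefreshingCredentials caches the result and re-assumes the role shortly before expiry.
FakeSTS and FakeClock are constructed stand-ins so the example runs offline.
"""
import json
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # tz-aware, as boto3 returns it

    def seconds_remaining(self, now):
        return (self.expiration - now).total_seconds()


def assume_role(sts_client, role_arn, session_name, external_id=None, duration_seconds=3600,
                session_policy=None):
    """Build the request (RoleArn, RoleSessionName, DurationSeconds, optional ExternalId and
    inline session Policy) and return the issued credentials."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name, "DurationSeconds": duration_seconds}
    if external_id:
        params["ExternalId"] = external_id
    if session_policy is not None:
        params["Policy"] = json.dumps(session_policy)
    c = sts_client.assume_role(**params)["Credentials"]
    return TemporaryCredentials(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], c["Expiration"])


class RefreshingCredentials:
    """Hand out cached credentials until fewer than refresh_margin seconds remain, then re-assume."""

    def __init__(self, fetch, refresh_margin=300, clock=None):
        self._fetch, self._margin = fetch, refresh_margin
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds, self.refresh_count = None, 0

    def get(self):
        if self._creds is None or self._creds.seconds_remaining(self._clock()) < self._margin:
            self._creds = self._fetch()
            self.refresh_count += 1
        return self._creds

    def as_env(self):
        # All three values are needed: an access key and secret without the session token are rejected.
        c = self.get()
        return {"AWS_ACCESS_KEY_ID": c.access_key_id, "AWS_SECRET_ACCESS_KEY": c.secret_access_key,
                "AWS_SESSION_TOKEN": c.session_token}


class FakeClock:
    def __init__(self, start):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += timedelta(seconds=seconds)


class FakeSTS:
    """Constructed STS stand-in: records each request and issues credentials that expire
    DurationSeconds after the fake clock (a real response also carries AssumedRoleUser)."""

    def __init__(self, clock):
        self._clock, self.calls = clock, []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        n = len(self.calls)
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{n:03d}",  # temporary access keys carry the ASIA prefix
            "SecretAccessKey": f"constructed-secret-{n}",
            "SessionToken": f"constructed-session-token-{n}",
            "Expiration": self._clock() + timedelta(seconds=kwargs["DurationSeconds"]),
        }}


def demo():
    clock = FakeClock(datetime(2024, 1, 1, tzinfo=timezone.utc))
    sts = FakeSTS(clock)
    provider = RefreshingCredentials(
        lambda: assume_role(sts, "arn:aws:iam::123456789012:role/ReadOnlyAudit", "audit-job",
                            external_id="example-external-id-4f2a", duration_seconds=3600),
        refresh_margin=300, clock=clock)
    first = provider.get()
    clock.advance(3000)      # 50 min later: 600 s remain, above the margin, so the session is reused
    second = provider.get()
    clock.advance(400)       # 200 s remain: below the margin, so the role is assumed again
    third = provider.get()
    return {"first": first, "second": second, "third": third, "refreshes": provider.refresh_count,
            "requests": sts.calls, "env": provider.as_env()}
```

With real credentials, replace FakeSTS with boto3.client("sts") and omit the clock argument. Keep DurationSeconds within the role's maximum session duration (and at 3600 or less when the caller's own credentials already come from an assumed role), and keep the refresh margin shorter than the session, or the wrapper will call AssumeRole on every request.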