How do I provide temporary credentials in AWS STS?


What is AWS STS?

AWS STS stands for AWS Security Token Service. It is a service that issues temporary security credentials.

Temporary credentials are made up of three parts:

  • access key ID
  • secret access key
  • session token

Together, these three values can be used to access the resources of another account that has authorized the access.


Methods used in STS for temporary authentication

Web ID Federation

Web ID Federation is an authentication method used by mobile applications built on AWS resources to access AWS resources.

App users can sign in to the application using external identity providers (IdPs) such as Facebook, Google, etc.

Once you receive an authentication token, you can map that token to an IAM role with permissions to use the resources in your AWS account and convert it to AWS temporary security credentials.


Use case

For example, when you store images in S3 and want to allow temporary access to that resource.


STS configuration items

ID Federation

Identity Federation links user identities across multiple security domains, each with its own identity management system.

When identity federation is established between two domains, an end user authenticated in one domain can access resources in the other domain without logging in again.


Web ID Federation

Web ID Federation eliminates the need to write custom sign-in code or manage your own user IDs.

Instead, app users can sign in using an external identity provider such as Google.

Once you receive an authentication token, you can map that token to an IAM role with permissions to use the resources in your AWS account and convert it to temporary security credentials for AWS.

IdP

Using an IdP helps keep your AWS account secure by eliminating the need to embed and distribute long-term security credentials in your application.

To use an IdP, create an IAM identity provider entity and establish a trust relationship between your AWS account and the IdP.

IAM supports IdPs compatible with OpenID Connect or SAML 2.0 (Security Assertion Markup Language 2.0).

SAML federation can therefore be used to obtain temporary AWS security credentials and grant access to AWS resources.

With OpenID Connect, web identity federation is used instead.


Use case

As an application feature, access to S3 can be granted using the temporary credentials issued by STS.
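The web identity federation flow described above (IdP token mapped to an IAM role, exchanged for the three-part temporary credentials) and this S3 use case, as one added example written for this article rather than code from the original post. The account ID, role name, OIDC provider, audience, bucket name and the sample STS response are all placeholders or constructed values; the live STS and S3 calls need boto3 and network access, while the trust policy, response parsing and expiry check run offline.

```python
"""Web identity federation with AWS STS: exchange an IdP (OIDC) token for the
three-part temporary credentials (access key ID, secret access key, session
token) and use them to reach S3. Added example, not the article's own code.

Assumptions: ACCOUNT_ID, ROLE_ARN, OIDC_PROVIDER, OIDC_AUDIENCE and BUCKET are
placeholders; assume_role_with_web_identity() and list_images() need boto3 and
network access and are not exercised offline.
"""
from __future__ import annotations

import datetime as dt
from dataclasses import dataclass
from typing import Optional

# Placeholders, not real resources.
ACCOUNT_ID = "123456789012"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/ExampleMobileAppRole"
OIDC_PROVIDER = "accounts.google.com"  # IdP registered in IAM as an identity provider entity
OIDC_AUDIENCE = "example-client-id.apps.googleusercontent.com"
BUCKET = "example-image-bucket"


def trust_policy_for_web_identity(account_id: str, provider: str, audience: str) -> dict:
    """Role trust policy: only tokens from this OIDC provider, issued for this
    audience (the app's client id), may call sts:AssumeRoleWithWebIdentity.
    The aud condition stops tokens minted for another app from using the role."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{provider}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{provider}:aud": audience}},
        }],
    }


@dataclass(frozen=True)
class TemporaryCredentials:
    """The three parts STS returns, plus the time they stop working."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: dt.datetime

    def is_expired(self, now: Optional[dt.datetime] = None, skew_seconds: int = 60) -> bool:
        """Report expiry `skew_seconds` early so a request started just before
        the deadline is not rejected mid-flight."""
        now = now or dt.datetime.now(dt.timezone.utc)
        return now + dt.timedelta(seconds=skew_seconds) >= self.expiration


def credentials_from_sts_response(response: dict) -> TemporaryCredentials:
    """Extract the three credential parts from an AssumeRoleWithWebIdentity
    response. All three are required (an access key without its session token
    is rejected by AWS), so a partial set is an error, not a fallback."""
    creds = response.get("Credentials", {})
    missing = [k for k in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration") if k not in creds]
    if missing:
        raise ValueError(f"STS response missing {', '.join(missing)}")
    exp = creds["Expiration"]
    if isinstance(exp, str):  # boto3 hands back a datetime; raw JSON gives ISO-8601
        exp = dt.datetime.fromisoformat(exp.replace("Z", "+00:00"))
    return TemporaryCredentials(creds["AccessKeyId"], creds["SecretAccessKey"], creds["SessionToken"], exp)


def assume_role_with_web_identity(idp_token: str, role_arn: str = ROLE_ARN,
                                  duration_seconds: int = 3600) -> TemporaryCredentials:
    """Live token exchange. This STS call is unsigned, so the app ships with no
    long-term AWS keys at all. Needs boto3 and network access."""
    import boto3  # imported lazily so the offline functions work without it
    sts = boto3.client("sts")
    response = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName="mobile-app-user",
        WebIdentityToken=idp_token, DurationSeconds=duration_seconds)
    return credentials_from_sts_response(response)


def list_images(creds: TemporaryCredentials, bucket: str = BUCKET) -> list:
    """Use all three parts to call S3; refuse credentials that are (about to be)
    expired rather than sending a request that will fail."""
    import boto3
    if creds.is_expired():
        raise RuntimeError("temporary credentials expired; call STS again")
    s3 = boto3.client("s3", aws_access_key_id=creds.access_key_id,
                      aws_secret_access_key=creds.secret_access_key,
                      aws_session_token=creds.session_token)
    return [obj["Key"] for obj in s3.list_objects_v2(Bucket=bucket).get("Contents", [])]


# Constructed sample in the shape STS returns; every value is fake.
SAMPLE_STS_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEFAKEKEY01",
        "SecretAccessKey": "fakeSecretAccessKeyNotReal0000000000000000",
        "SessionToken": "IQoJb3JpZ2luX2VjEXAMPLEFAKESESSIONTOKEN",
        "Expiration": "2030-01-01T00:00:00Z",
    },
    "SubjectFromWebIdentityToken": "110248495921238986420",
    "AssumedRoleUser": {"AssumedRoleId": "AROAEXAMPLEFAKE:mobile-app-user",
                        "Arn": f"arn:aws:sts::{ACCOUNT_ID}:assumed-role/ExampleMobileAppRole/mobile-app-user"},
}

if __name__ == "__main__":
    creds = credentials_from_sts_response(SAMPLE_STS_RESPONSE)
    print("session token present:", bool(creds.session_token), "expired:", creds.is_expired())
    print(trust_policy_for_web_identity(ACCOUNT_ID, OIDC_PROVIDER, OIDC_AUDIENCE))
```

The trust policy is what turns the IdP token into permission to assume the role; the audience condition ties that permission to one app's client ID. On the client side, the important habits are to keep all three parts together (the session token is not optional), to re-request credentials before they expire instead of after a failed call, and to never let long-term IAM keys reach the mobile app at all.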
