Using the AWS Security Token Service to Retrieve Temporary Security Credentials For a User

Retrieving temporary security credentials through the AWS Security Token Service (STS) is not automatically the right design for every client. A mobile application is the usual illustration: if the app has not been set up to authenticate its users through an OpenID Connect (OIDC) provider that the target role trusts, the remaining option is to ship some longer-lived credential inside the app, which any user can extract. Even when the OIDC flow is in place, the credentials STS hands out cannot be revoked individually. They stay valid until they expire, and they are not bound to the device or network that requested them. The practical controls are short session durations and, when a session must be cut off early, a deny policy on the role that rejects any session whose token was issued before a chosen time (the aws:TokenIssueTime condition key), which is what the IAM console's revoke-sessions action attaches on your behalf.
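As an added example (not code from the page or from AWS), the following Python builds the deny policy just described and evaluates it locally against constructed session timestamps, so the cut-off semantics can be checked before the policy is attached to a real role. The session names and timestamps are made up for the example.

```python
"""Revoke-older-sessions policy for an IAM role: build it and evaluate it offline.

Added example, not code from the page or from AWS. The policy shape follows the
AWSRevokeOlderSessions inline policy the IAM console attaches; the session records
below are constructed sample data, not real CloudTrail output.
"""
from datetime import datetime, timezone
import json

STAMP_FMT = "%Y-%m-%dT%H:%M:%SZ"  # the ISO 8601 UTC form IAM date conditions use


def _parse_stamp(stamp):
    return datetime.strptime(stamp, STAMP_FMT).replace(tzinfo=timezone.utc)


def revoke_older_sessions_policy(cutoff_iso):
    """Deny everything to sessions whose token was issued before cutoff_iso.

    Attach the result to the role as an inline policy. Sessions issued at or after
    the cut-off are unaffected, so legitimate callers recover by refreshing.
    """
    _parse_stamp(cutoff_iso)  # fail fast on a malformed timestamp
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Deny",
                "Action": ["*"],
                "Resource": ["*"],
                "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}},
            }
        ],
    }


def session_denied(policy, token_issue_time_iso):
    """Local evaluation of the Deny statement(s) in `policy` for one session.

    Mirrors IAM's rule that an explicit Deny wins: the session is blocked if any
    Deny statement's aws:TokenIssueTime cut-off lies after the token's issue time.
    """
    issued = _parse_stamp(token_issue_time_iso)
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Deny":
            continue
        cutoff = stmt.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if cutoff is not None and issued < _parse_stamp(cutoff):
            return True
    return False


# Constructed sample sessions: one leaked before the incident was noticed, one
# issued exactly at the cut-off, and a healthy refresh issued afterwards.
SAMPLE_SESSIONS = {
    "leaked-laptop": "2024-03-01T08:15:00Z",
    "at-cutoff": "2024-03-01T09:00:00Z",
    "fresh-refresh": "2024-03-01T09:05:00Z",
}


def demo(cutoff_iso="2024-03-01T09:00:00Z"):
    """Return {session_name: denied?} for the sample sessions under the policy."""
    policy = revoke_older_sessions_policy(cutoff_iso)
    return {name: session_denied(policy, issued) for name, issued in SAMPLE_SESSIONS.items()}


if __name__ == "__main__":
    print(json.dumps(revoke_older_sessions_policy("2024-03-01T09:00:00Z"), indent=2))
    for name, denied in demo().items():
        print(f"{name}: {'DENIED' if denied else 'allowed'}")
```

Note that the session issued exactly at the cut-off is still allowed: DateLessThan is strict, so pick a cut-off a little after the last moment you believe the credentials were still safe.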

STS cannot create IAM users, groups, or roles; those are managed through IAM. What STS does is issue short-lived credentials for an existing role (AssumeRole), for a federated identity (AssumeRoleWithSAML, AssumeRoleWithWebIdentity), or for an existing IAM user (GetSessionToken, GetFederationToken). To call AssumeRole, the caller must already hold AWS credentials, must be granted sts:AssumeRole on the target role by its own identity policy, and must be named, directly or through its account, in the role's trust policy. Miss any of the three and the call fails with AccessDenied. For example, an employee whose IAM user lives in a development account cannot assume an administrative role in a production account until the production role's trust policy lists the development account (or that specific user) as a principal and the user's own policy allows sts:AssumeRole on that role ARN. The related need, giving someone access without first creating an AWS identity for them at all, is what the web identity flow described next addresses.

For callers that hold no AWS credentials at all, sts:AssumeRoleWithWebIdentity takes an OIDC token from a provider registered in IAM (or from Amazon Cognito) and returns temporary credentials for a role whose trust policy names that provider; the request itself is unsigned. The credentials are short-lived by design: DurationSeconds ranges from 900 seconds up to the role's configured MaxSessionDuration (at most 12 hours, default 1 hour), so the client must refresh before expiry, and the OIDC token it presents must itself still be valid at refresh time. STS calls carry no charge; what they cost is engineering work on the client. An application that also needs sign-up, sign-in, token refresh, and per-user role mapping is usually better served by Amazon Cognito identity pools, which drive this same STS flow on the app's behalf, than by hand-written token handling. IAM itself does not issue temporary credentials; it only defines the roles and trust relationships that STS enforces.

STS supports two federation paths, and which one applies depends on what the identity provider emits. An OIDC-compatible provider (Amazon Cognito, Login with Amazon, Google, Facebook, or a corporate provider registered in IAM as an OIDC identity provider) yields a token that goes to sts:AssumeRoleWithWebIdentity. A SAML 2.0 provider yields a signed assertion that goes to sts:AssumeRoleWithSAML instead. In both cases the role's trust policy should pin the provider and, for web identity, the expected audience through the provider-specific condition key (for example cognito-identity.amazonaws.com:aud for Cognito, or the :aud key of a provider registered in IAM), so that a token minted for another application at the same provider cannot be replayed to assume the role. If you are adopting one of these providers, the following points matter.
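The refresh and duration handling described in the previous two paragraphs, as an added example rather than code from the page or from AWS: a small credential provider around sts:AssumeRoleWithWebIdentity that clamps DurationSeconds to the role's maximum and refreshes shortly before expiry. The STS client is a constructed stand-in with the boto3 response shape so that the module runs offline; in production you would pass boto3.client("sts") in its place. The role ARN, OIDC token, access key IDs, and clock values are constructed for the example.

```python
"""Caching credential provider around sts:AssumeRoleWithWebIdentity.

Added example, not code from the page or from AWS. `sts_client` is any object with
an assume_role_with_web_identity(**kwargs) method returning the boto3 response
shape; FakeSTS below stands in so the module runs offline. The role ARN, OIDC
token, key IDs and clock values are constructed for the example.
"""
from datetime import datetime, timedelta, timezone

STS_MIN_DURATION = 900              # smallest DurationSeconds STS accepts
ROLE_MAX_DURATION_CAP = 12 * 3600   # largest MaxSessionDuration a role can be given


class FakeClock:
    """Controllable clock so refresh behaviour can be exercised deterministically."""
    def __init__(self, start):
        self._now = start

    def now(self):
        return self._now

    def advance(self, seconds):
        self._now += timedelta(seconds=seconds)


class FakeSTS:
    """Stand-in for boto3's STS client that rejects what the real service rejects."""
    def __init__(self, clock, role_max_session):
        self.clock = clock
        self.role_max_session = role_max_session
        self.calls = []                      # kwargs of every accepted request

    def assume_role_with_web_identity(self, **kwargs):
        if not kwargs.get("WebIdentityToken"):
            raise ValueError("InvalidIdentityToken: empty token")
        duration = kwargs.get("DurationSeconds", 3600)
        if not STS_MIN_DURATION <= duration <= self.role_max_session:
            raise ValueError("ValidationError: DurationSeconds outside the role's range")
        self.calls.append(kwargs)
        return {"Credentials": {
            "AccessKeyId": f"ASIAEXAMPLE{len(self.calls):04d}",  # constructed, not a real key
            "SecretAccessKey": "example-secret",
            "SessionToken": "example-session-token",
            "Expiration": self.clock.now() + timedelta(seconds=duration),
        }}


class WebIdentityCredentialProvider:
    """Holds one role session at a time and refreshes it shortly before it expires."""
    def __init__(self, sts_client, role_arn, session_name, token_source,
                 role_max_session=3600, requested_duration=3600,
                 refresh_margin=300, clock=None):
        self.sts = sts_client
        self.role_arn = role_arn
        self.session_name = session_name
        self.token_source = token_source     # callable returning a currently valid OIDC token
        self.role_max_session = role_max_session
        self.requested_duration = requested_duration
        self.refresh_margin = timedelta(seconds=refresh_margin)
        self.clock = clock or (lambda: datetime.now(timezone.utc))
        self._creds = None

    def effective_duration(self):
        """Clamp into [900, min(role max, 12 h)] so STS does not reject the request."""
        upper = min(self.role_max_session, ROLE_MAX_DURATION_CAP)
        return max(STS_MIN_DURATION, min(self.requested_duration, upper))

    def credentials(self):
        now = self.clock()
        if self._creds is None or now >= self._creds["Expiration"] - self.refresh_margin:
            resp = self.sts.assume_role_with_web_identity(
                RoleArn=self.role_arn,
                RoleSessionName=self.session_name,
                WebIdentityToken=self.token_source(),   # re-read: the OIDC token expires too
                DurationSeconds=self.effective_duration(),
            )
            self._creds = resp["Credentials"]
        return self._creds


def demo():
    """Role max 1 h, client asks for 2 h, three reads spread over 56 minutes."""
    clock = FakeClock(datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc))
    sts = FakeSTS(clock, role_max_session=3600)
    provider = WebIdentityCredentialProvider(
        sts, "arn:aws:iam::123456789012:role/MobileAppRole",   # constructed ARN
        "user-42", lambda: "eyJhbGciOi.example.token",         # constructed OIDC token
        role_max_session=3600, requested_duration=7200, clock=clock.now)
    first = provider.credentials()["AccessKeyId"]
    clock.advance(30 * 60)
    second = provider.credentials()["AccessKeyId"]   # 30 min left: served from cache
    clock.advance(26 * 60)
    third = provider.credentials()["AccessKeyId"]    # 4 min left, inside the margin: refreshed
    return {
        "duration_sent": sts.calls[0]["DurationSeconds"],
        "sts_calls": len(sts.calls),
        "reused_before_margin": first == second,
        "refreshed_inside_margin": third != first,
    }


if __name__ == "__main__":
    print(demo())
```

With a real boto3 client the same constructor call works unchanged; FakeSTS exists only to make the refresh behaviour observable without network access. The provider deliberately re-reads the OIDC token on every refresh, because the provider-issued token usually expires sooner than the AWS session it was exchanged for.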

STS does not keep its own catalogue of roles: every role it can issue credentials for is an ordinary IAM role, and the set of roles your organization needs is a design decision, not something to look up. Work out which workloads and which user populations need which permissions, create one role per distinct need with a least-privilege permissions policy, and write the trust policy so that it names only the principals that should be able to assume the role. Be particularly careful about who appears as a principal. A trust policy whose principal is a wildcard, or an account root with no condition attached, lets every identity in that account (or in any account, for the wildcard) that holds sts:AssumeRole permission take the role. Keep trust boundaries separate: a role meant for an Amazon Cognito identity pool should trust only that pool's federated principal with its audience condition, and a role meant for cross-account access from other accounts in your AWS Organization should trust only those accounts. Mixing both in one trust policy makes the role reachable from whichever of the two is easier to compromise.
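To make the trust-policy points above checkable, here is an added linter (example code, not part of the page or of any AWS tool) that flags wildcard principals, account-root principals without a condition, federated principals with no audience condition, and statements that mix AWS-account and federated principals. The account ID and identity pool ID in the sample policies are made up.

```python
"""Trust-policy linter for IAM roles.

Added example, not code from the page or from AWS. It flags the over-broad
principal patterns discussed above. The policies in demo() are constructed
samples with made-up account and identity-pool IDs.
"""
import re

WILDCARD_PRINCIPAL = "WILDCARD_PRINCIPAL"
ROOT_WITHOUT_CONDITION = "ACCOUNT_ROOT_WITHOUT_CONDITION"
FEDERATED_WITHOUT_AUDIENCE = "FEDERATED_WITHOUT_AUDIENCE"
MIXED_TRUST_BOUNDARIES = "MIXED_TRUST_BOUNDARIES"

# A bare account ID or the account's root ARN both mean "any identity in that account"
ACCOUNT_ROOT_RE = re.compile(r"^(\d{12}|arn:aws:iam::\d{12}:root)$")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _pins_audience(condition):
    """True if some condition key binds the token audience (...:aud) or app id (...:app_id)."""
    for keyed_values in condition.values():
        if isinstance(keyed_values, dict) and any(
                k.endswith(":aud") or k.endswith(":app_id") for k in keyed_values):
            return True
    return False


def lint_trust_policy(policy):
    """Return a list of {statement, code, detail} findings over the Allow statements."""
    findings = []
    for idx, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        condition = stmt.get("Condition", {})
        if principal == "*":                       # shorthand for {"AWS": "*"}
            principal = {"AWS": "*"}
        aws_principals = _as_list(principal.get("AWS", []))
        federated = _as_list(principal.get("Federated", []))

        if "*" in aws_principals:
            findings.append({"statement": idx, "code": WILDCARD_PRINCIPAL,
                             "detail": "any principal in any account may assume the role"})
        for p in aws_principals:
            if ACCOUNT_ROOT_RE.match(p) and not condition:
                findings.append({"statement": idx, "code": ROOT_WITHOUT_CONDITION,
                                 "detail": f"every identity in {p} with sts:AssumeRole may assume the role"})
        if federated and not _pins_audience(condition):
            findings.append({"statement": idx, "code": FEDERATED_WITHOUT_AUDIENCE,
                             "detail": "tokens minted for another app at the same provider are accepted"})
        if aws_principals and federated:
            findings.append({"statement": idx, "code": MIXED_TRUST_BOUNDARIES,
                             "detail": "one statement trusts both AWS accounts and a federated provider"})
    return findings


def demo():
    """Lint a weak and a hardened trust policy (both constructed samples)."""
    weak = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111122223333:root",
                       "Federated": "cognito-identity.amazonaws.com"},
         "Action": ["sts:AssumeRole", "sts:AssumeRoleWithWebIdentity"]},
    ]}
    hardened = {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow",
         "Principal": {"Federated": "cognito-identity.amazonaws.com"},
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
             "StringEquals": {"cognito-identity.amazonaws.com:aud":
                              "us-east-1:0f1e2d3c-1234-5678-9abc-def012345678"},
             "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"},
         }},
    ]}
    return {"weak": [f["code"] for f in lint_trust_policy(weak)],
            "hardened": [f["code"] for f in lint_trust_policy(hardened)]}


if __name__ == "__main__":
    for name, codes in demo().items():
        print(f"{name}: {codes or 'no findings'}")
```

The root-principal check treats any condition as sufficient, because the usual mitigations (an ExternalId for third parties, aws:MultiFactorAuthPresent for humans, or aws:PrincipalOrgID for accounts inside your Organization) all take the form of a condition; review what the condition actually says rather than stopping at its presence.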

Two more practical limits. First, STS API requests are throttled per AWS account and Region, so a design that calls AssumeRole on every request instead of caching the returned credentials until shortly before they expire will start receiving throttling errors under load; cache sessions and use the regional STS endpoint closest to the caller. Second, a session belongs to the principal that requested it: the credentials carry that principal's identity and role session name into CloudTrail, and handing them to another employee or service makes every action they take look like yours. Each user or workload should obtain its own session through the same flow rather than reusing someone else's.