STS Overview

  • Allows you to grant limited, temporary access to AWS resources (up to 1 hour)
  • Important APIs:
    • AssumeRole: assume roles within your own account or cross-account
      • Define an IAM Role to assume
      • Define which principals can access this Role (its trust policy)
      • Use AWS STS to retrieve credentials and impersonate the role
      • The credentials are valid for between 15 minutes and 1 hour
    • GetCallerIdentity: returns details about the IAM user or role used in the API call
    • DecodeAuthorizationMessage: decodes the encoded error message returned when an AWS API call is denied (see STS Decode)
  • Other APIs
    • AssumeRoleWithSAML: returns credentials for users logged in with SAML
    • AssumeRoleWithWebIdentity: returns credentials for users logged in via an OAuth/OIDC identity provider (Facebook, Google, ...)
    • GetSessionToken: returns session credentials for MFA-authenticated calls, from an IAM user or the AWS account root user
    • GetFederationToken: obtains temporary credentials for a federated user

STS with MFA

  • Use GetSessionToken from STS, passing the MFA device serial and the current token code; it returns
    • AccessKeyId
    • SecretAccessKey
    • SessionToken
    • Expiration
  • Use in combination with the IAM policy condition "aws:MultiFactorAuthPresent": true, so that only MFA-authenticated sessions are allowed to perform the action
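The two flows described in these notes, AssumeRole (define the role and its trusted principals, then retrieve 15 minute to 1 hour credentials) and GetSessionToken with MFA, as an added Python example that is not part of the original notes. FakeSts is a constructed stand-in for boto3.client("sts") that returns responses in the real API's shape so the block runs offline; for real use pass the boto3 client instead. ROLE_ARN, MFA_SERIAL and the account IDs are constructed values.

```python
"""Added example (not from the original notes): AssumeRole and GetSessionToken
with MFA. FakeSts mimics boto3's STS client response shape so this runs offline."""
import secrets
from datetime import datetime, timedelta, timezone

MIN_DURATION = 900    # 15 minutes, the shortest session STS issues
MAX_DURATION = 3600   # 1 hour, the window the notes give for AssumeRole credentials

ROLE_ARN = "arn:aws:iam::123456789012:role/AuditReadOnly"   # constructed
MFA_SERIAL = "arn:aws:iam::123456789012:mfa/alice"          # constructed


def build_trust_policy(trusted_principal_arn, require_mfa=True):
    """Trust policy for the role being assumed: it defines which principal may
    call sts:AssumeRole (a principal in another account gives cross-account
    access) and, with require_mfa, only when that caller authenticated with MFA."""
    statement = {"Effect": "Allow",
                 "Principal": {"AWS": trusted_principal_arn},
                 "Action": "sts:AssumeRole"}
    if require_mfa:
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}


def duration_is_valid(duration_seconds):
    return MIN_DURATION <= duration_seconds <= MAX_DURATION


def check_duration(duration_seconds):
    """Reject requests outside the 15 minute to 1 hour window before calling STS."""
    if not duration_is_valid(duration_seconds):
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}..{MAX_DURATION}, got {duration_seconds}")
    return duration_seconds


def assume_role(sts, role_arn, session_name, duration_seconds=MAX_DURATION,
                serial_number=None, token_code=None):
    """Retrieve temporary credentials for the role. SerialNumber and TokenCode
    are sent only when the role's trust policy requires MFA."""
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": check_duration(duration_seconds)}
    if serial_number and token_code:
        params.update(SerialNumber=serial_number, TokenCode=token_code)
    return sts.assume_role(**params)["Credentials"]


def get_session_token(sts, serial_number, token_code, duration_seconds=MAX_DURATION):
    """MFA-authenticated session credentials for the calling user (STS with MFA)."""
    response = sts.get_session_token(DurationSeconds=check_duration(duration_seconds),
                                     SerialNumber=serial_number, TokenCode=token_code)
    return response["Credentials"]


def credentials_to_env(creds):
    """Map the Credentials object onto the variables the AWS CLI and SDKs read.
    The session token is mandatory: the temporary key pair is rejected without it."""
    return {"AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
            "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
            "AWS_SESSION_TOKEN": creds["SessionToken"]}


def seconds_remaining(creds, now=None):
    """How long the temporary credentials stay valid; <= 0 means refresh them."""
    now = now or datetime.now(timezone.utc)
    return int((creds["Expiration"] - now).total_seconds())


class FakeSts:
    """Constructed offline stand-in for boto3's STS client (response shape only)."""

    def __init__(self, now=None):
        self.now = now or datetime.now(timezone.utc).replace(microsecond=0)
        self.calls = []   # (api_name, params) for each call, for inspection

    def _credentials(self, duration):
        return {"AccessKeyId": "ASIA" + secrets.token_hex(8).upper(),  # temporary key ids start with ASIA
                "SecretAccessKey": secrets.token_urlsafe(30),
                "SessionToken": secrets.token_urlsafe(60),
                "Expiration": self.now + timedelta(seconds=duration)}

    def assume_role(self, **params):
        self.calls.append(("AssumeRole", params))
        account = params["RoleArn"].split(":")[4]
        role_name = params["RoleArn"].rsplit("/", 1)[1]
        arn = f"arn:aws:sts::{account}:assumed-role/{role_name}/{params['RoleSessionName']}"
        return {"Credentials": self._credentials(params["DurationSeconds"]),
                "AssumedRoleUser": {"Arn": arn}}

    def get_session_token(self, **params):
        self.calls.append(("GetSessionToken", params))
        return {"Credentials": self._credentials(params["DurationSeconds"])}


if __name__ == "__main__":
    sts = FakeSts()   # real use: import boto3; sts = boto3.client("sts")
    creds = assume_role(sts, ROLE_ARN, "audit-session", 900, MFA_SERIAL, "123456")
    print(credentials_to_env(creds)["AWS_ACCESS_KEY_ID"], "expires in", seconds_remaining(creds, sts.now), "s")
```

The duration check runs client-side before the call so a misconfigured tool fails fast with a clear message instead of an opaque STS error; the trust policy builder shows where the "aws:MultiFactorAuthPresent" condition from the notes belongs when the requirement is placed on the role rather than on the caller's own policy.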