STS
Provides the ability to assume a role, issuing temporary credentials (15 min to 12 h) and supporting identity federation, using the AssumeRole API.
Ability to revoke active sessions and credentials for a role using the AWSRevokeOlderSessions policy.
The “zone of trust” includes accounts that you own; anything outside the “zone of trust” is a 3rd-party entity.
To provide access to a 3rd-party entity, define an External ID and define permissions using an IAM policy.
Session tags: limit who can assume the role based on specific tags (dependent).
STS APIs:
- AssumeRole - access a role within or cross account
- AssumeRoleWithSAML - for users logged in with SAML federation
- AssumeRoleWithWebIdentity - FB, Google; recommended to use Cognito instead
- GetSessionToken - for MFA
- GetFederationToken - temp credentials for a federated user
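Added example (not from the original notes, not AWS code): a simplified model of the two trust-policy patterns above, the sts:ExternalId condition for 3rd-party access and the AWSRevokeOlderSessions-style Deny on aws:TokenIssueTime. Account IDs and the External ID are placeholders, and the evaluator only models the two conditions shown, not full IAM evaluation.

```python
"""Simplified model (constructed for illustration, not AWS code) of two STS
trust-policy patterns: the sts:ExternalId condition for 3rd-party access and
the AWSRevokeOlderSessions-style Deny keyed on aws:TokenIssueTime."""
from datetime import datetime
from typing import Optional

THIRD_PARTY = "111111111111"                     # placeholder account id
EXTERNAL_ID = "example-external-id-placeholder"  # placeholder, agreed out of band
ISO = "%Y-%m-%dT%H:%M:%SZ"                       # timestamp format used in the policies


def trust_policy(third_party_account: str, external_id: str) -> dict:
    """Allow only the 3rd party's account, and only when it presents the External ID."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": f"arn:aws:iam::{third_party_account}:root"},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": external_id}}}]}


def revoke_policy(cutoff_iso: str) -> dict:
    """Inline Deny in the shape of AWSRevokeOlderSessions: sessions issued before cutoff lose access."""
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": cutoff_iso}}}]}


def can_assume(policy: dict, caller_account: str, external_id: Optional[str]) -> bool:
    """Does an AssumeRole request match an Allow statement of the trust policy?"""
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        if stmt["Principal"]["AWS"] != f"arn:aws:iam::{caller_account}:root":
            continue
        want = stmt.get("Condition", {}).get("StringEquals", {}).get("sts:ExternalId")
        if want is None or want == external_id:  # a request without ExternalId fails the condition
            return True
    return False


def session_revoked(policy: dict, token_issue_time_iso: str) -> bool:
    """True if a Deny-by-issue-time statement matches the session's token timestamp."""
    issued = datetime.strptime(token_issue_time_iso, ISO)
    for stmt in policy["Statement"]:
        if stmt["Effect"] == "Deny" and "DateLessThan" in stmt.get("Condition", {}):
            cutoff = datetime.strptime(stmt["Condition"]["DateLessThan"]["aws:TokenIssueTime"], ISO)
            if issued < cutoff:
                return True
    return False
```

Sessions created at or after the cutoff are unaffected, which is why revoking older sessions does not lock out the role itself.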