- Allows to assume roles across different accounts or same accounts
- Generates temporary credentials (
sts:AssumeRole*) - Temporary credentials are similar to access key. They expire and they don't belong to the identity
- Temporary credentials are requested by another identity (AWS or external - identity federation)
- STS allows us to enable identity federation
- Define an IAM role within an account or cross-account
- Define which principals can access the IAM role
- Use the AWS STS (Secure Token Service) to retrieve the IAM role we have access to (
AssumeRoleAPI) - Temporary credentials can be valid between 15 minutes to 1 hour
- Trust policy: specifies who can assume a role
- Roles can be assumed by many identities
- Everybody who assumes a role, gets the same set of permissions
- Temporary credentials can not be cancelled, they are valid until they expire
- Temporary credentials can last for longer time
- In case of a credential leak if we change the permissions for the policy, we will affect all legitimate users - not a good idea for revoking access
- Solution:
- Revoke all existing sessions, by applying an
AWSRevokeOlderSessionsinline policy to the role. This will apply to all existing sessions, sessions created afterwards will not be affected - We can not manually revoke credentials!
- Revoke all existing sessions, by applying an