AWS IAM roles and STS

As per the AWS IAM user guide,

When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials.

Question - By validation, does it mean that the session token helps AWS identify the life (duration) of temporary credentials during each API call and help AWS in managing the rotation of temporary credentials?

Validation of temporary security credentials seems to be a bit confusing (maybe the English vocabulary), as otherwise, when you make a call using permanent security credentials, is validation not necessary? Wouldn't AWS be able to use the same mechanism as permanent credentials for temporary credentials as well, because both have an access key (access key id and secret access key)? What is the specific use of the session token?

Upvotes: 0

Views: 528

Answers (2)

Michael - sqlbot

Reputation: 178956

Maybe it contains encrypted information.

Maybe it's just a really large random number used for lookup in a global database.

Maybe it's neither of these things.

The specific purpose of the security token is not documented and ultimately does not matter, because the token is opaque and is not considered sensitive information. Only the secret key is secret.

If you try to use temporary credentials without the token, the resulting error message will imply that the credentials don't exist at all, so there is reason to speculate that the token contains encrypted information mapping the temporary credentials to their associated principal, the session policy (if present), and validity timestamps, since doing so would allow STS credentials to be validated by a global, distributed system without need of a central backing store... But this is, and can only be, speculation.

There are no documented mechanisms for inspecting or decoding the token.

Upvotes: 2

Calvin Zhou

Reputation: 327

STS comes with a duration, and the default is 3600s. AWS validates the combination of key_id/access_key/duration for a temporary token for each API call.

STS is more secure as it's a temporary token only, as opposed to access_key_id and secret_access_key, which is a permanent combination. If you lose some admin key/secret, your AWS account will encounter serious damage. So keep your permanent key securely and use STS as much as possible.

Upvotes: 1
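An added example, not part of the question or of either answer above: a minimal AWS Signature Version 4 signer written with only the Python standard library, used to show what the session token does on the wire. With long-lived IAM keys a request is signed with just the access key id and secret; with temporary STS credentials the client also sends the token in the X-Amz-Security-Token header, and that header is listed in SignedHeaders, so the token is bound to the request by the signature even though the token itself is opaque and not secret. The access key ids, secrets, token and timestamp below are constructed placeholders; the signing steps follow AWS's published SigV4 procedure (single URI-encoding of the path, as S3 does).

```python
import datetime as dt
import hashlib
import hmac
from typing import Dict, Optional, Tuple
from urllib.parse import quote


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret_key: str, date_stamp: str, region: str, service: str) -> bytes:
    """Derive the per-day, per-region, per-service SigV4 signing key."""
    k_date = _hmac(("AWS4" + secret_key).encode("utf-8"), date_stamp)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(method: str, host: str, path: str, query: Dict[str, str], body: bytes,
                 access_key_id: str, secret_access_key: str, region: str, service: str,
                 when: dt.datetime, session_token: Optional[str] = None) -> Dict[str, str]:
    """Return the headers a client would send. A session token (temporary STS
    credentials) is added as x-amz-security-token and covered by the signature."""
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = when.strftime("%Y%m%d")

    headers = {"host": host, "x-amz-date": amz_date}
    if session_token is not None:
        headers["x-amz-security-token"] = session_token

    # Canonical request: lowercase header names, sorted; values trimmed.
    names = sorted(headers)
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in names)
    signed_headers = ";".join(names)
    canonical_query = "&".join(
        f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}" for k, v in sorted(query.items()))
    canonical_request = "\n".join([
        method.upper(), quote(path, safe="/-_.~") or "/", canonical_query,
        canonical_headers, signed_headers, _sha256_hex(body)])

    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        _sha256_hex(canonical_request.encode("utf-8"))])
    key = signing_key(secret_access_key, date_stamp, region, service)
    signature = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()

    out = dict(headers)
    out["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key_id}/{scope}, "
                            f"SignedHeaders={signed_headers}, Signature={signature}")
    return out


def signature_of(headers: Dict[str, str]) -> str:
    """Pull the hex signature back out of an Authorization header."""
    return headers["authorization"].rsplit("Signature=", 1)[1]


# Constructed placeholders. Long-lived IAM user keys start with AKIA; the access
# key id handed out with STS temporary credentials starts with ASIA.
PERMANENT = ("AKIAEXAMPLEPERMANENT", "permanentSecretKeyEXAMPLE", None)
TEMPORARY = ("ASIAEXAMPLETEMPORARY", "temporarySecretKeyEXAMPLE", "FwoGZXIvYXdzEXAMPLESESSIONTOKEN")
WHEN = dt.datetime(2024, 1, 15, 12, 0, 0)
CALL = dict(method="GET", host="sts.amazonaws.com", path="/",
            query={"Action": "GetCallerIdentity", "Version": "2011-06-15"},
            body=b"", region="us-east-1", service="sts", when=WHEN)


def demo_headers() -> Tuple[Dict[str, str], Dict[str, str]]:
    """Sign the same GetCallerIdentity call once per credential type."""
    perm = sign_request(access_key_id=PERMANENT[0], secret_access_key=PERMANENT[1],
                        session_token=PERMANENT[2], **CALL)
    temp = sign_request(access_key_id=TEMPORARY[0], secret_access_key=TEMPORARY[1],
                        session_token=TEMPORARY[2], **CALL)
    return perm, temp


if __name__ == "__main__":
    for label, hdrs in zip(("permanent", "temporary"), demo_headers()):
        print(f"--- {label} credentials ---")
        for k, v in hdrs.items():
            print(f"{k}: {v}")
```

Running the block prints both header sets; the temporary set carries the extra x-amz-security-token header and its SignedHeaders list names it. Because a different token with the same key pair yields a different signature, AWS can reject any request whose token does not match the signed one, which is the validation role the quoted guide refers to, without the token ever needing to be a secret.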
