Articles → AWS → Security Token Service (STS) In AWS

Security Token Service (STS) In AWS

In this article, we will discuss Security Token Service (STS) in AWS.

Purpose

The Security Token Service provides the temporary credentials to the user.

Scenario

Consider a scenario, where you want to provide full access to the S3 bucket to a user for 1 hour. For that, we can perform any of the 2 steps: -

Provide full access to the user manually
Use STS

How To Create Temporary Credentials Using STS?

To create the temporary credentials, we will work on the following steps: -

Create a user
Create a role
Change the trust relationship of the role
Generate temporary credentials using the Use-STSRole command in PowerShell
Execute the command to get the list of buckets

So, let us get started.

Create A User

First, create a user. Please do not provide any permission to the user.

Picture showing adding a user without any permission

Click to Enlarge

Create A Role

Create a new role and assign the AmazonS3FullAccess permission to the role.

Picture showing creating a role with AmazonS3FullAccess permission

Click to Enlarge

Change The Trust Relationship Of The Role

Once the role is created, edit the role, and go to the Trust relationships tab.

Picture showing the Edit trust relationship button for editing the trust relationship

Click to Enlarge

Click on the Edit trust relationship button. A popup window will appear. Change the value of the Principal node (see the figure below).

Picture showing changing the trusted relationship json

Click to Enlarge

Click on the Update Trust Policy button. The change is updated for the role.

Picture showing the trust relationship updated

Click to Enlarge

Generate Temporary Credentials Using The "Use-Stsrole" Command In Powershell

To Generate the temporary credentials, open PowerShell, and write the following command.

Set-AWSCredential -AccessKey <Access Key> -SecretKey <Secret Key>

You can use the AccessKey and SecretKey of the user created in the previous steps. Next, use this command.

$creds = (Use-STSRole -RoleArn "arn:aws:iam::462618770999:role/myrole" -RoleSessionName="TempS3Access").Credentials

Here, arn:aws:iam::462618770999:role/myrole is the arn of the role created in the previous steps. You can print the $creds variable and see the AccessKey and SecretKey.

Picture showing the value of $creds variable in powershell

Click to Enlarge

Execute The Command To Get The List Of Buckets

Now, use this command to list the S3 bucket.

Get-S3Bucket -Credential $creds

Picture showing the output of Get-S3Bucket -Credential $creds

Click to Enlarge

Posted By -	Karan Gupta

Posted On -	Monday, December 6, 2021

Query/Feedback

Your Email Id		**

Subject		*

Query/Feedback	Characters remaining 250	**