AWS STS


AWS STS (Security Token Service) is a web service that lets you request temporary credentials for AWS users. With it, we can give trusted users temporary security credentials that control access to our AWS resources.

How does it differ from the IAM user credentials?

Temporary credentials work much like the long-term credentials of an IAM user. The differences are:

  1. They are short-lived: valid from a few minutes to several hours.
  2. They are generated and handed out dynamically whenever they are requested.

How does it work on the application side?

Take the example of an application developed by an entity that owns AWS resources. The user/customer of this application needs to access these resources occasionally while using the app. Rather than giving the app permanent access to the AWS resources, it is more secure to use temporary credentials. This is where AWS STS comes into the picture.

We can set up our application to use the AWS SDK, which makes API calls to the AWS STS endpoints to obtain the credentials.

Please see the sample code below for how to use AWS STS. The inputs are an accessKey and a secretKey. The output is a set of temporary credentials consisting of an access key ID, a secret key and a security (session) token.

Sample code:

The response for this would be similar to below:

Note: An AWS IAM user must be set up first; its Access Key ID and Secret Access Key are what we use to fetch the temporary credentials.
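As an added example (not the post's own sample), the following Python shows what the SDK does for you when it asks STS for temporary credentials: it signs a GetSessionToken request with SigV4 using only the standard library and parses the credentials out of the XML response. It assumes the global endpoint sts.amazonaws.com, the us-east-1 signing region, and a 3600-second duration; in a real application the SDK's STS client is the normal choice.

```python
# Added example (not the post's own code): sign an STS GetSessionToken request
# with SigV4 using only the standard library, then parse the temporary credentials.
import hashlib, hmac, datetime, urllib.request, xml.etree.ElementTree as ET

STS_HOST, REGION, SERVICE = "sts.amazonaws.com", "us-east-1", "sts"  # assumed endpoint

def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def build_signed_request(access_key, secret_key, duration=3600, now=None):
    """Return (headers, body) for POST https://sts.amazonaws.com/ (Query API)."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    body = f"Action=GetSessionToken&Version=2011-06-15&DurationSeconds={duration}"
    ctype = "application/x-www-form-urlencoded; charset=utf-8"
    # Canonical request: method, path, query, sorted headers, signed headers, body hash
    canonical = "\n".join(["POST", "/", "",
        f"content-type:{ctype}", f"host:{STS_HOST}", f"x-amz-date:{amz_date}", "",
        "content-type;host;x-amz-date", hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date}/{REGION}/{SERVICE}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: the long-term secret never goes on the wire
    k = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (REGION, SERVICE, "aws4_request"):
        k = _hmac(k, part)
    sig = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    headers = {"Content-Type": ctype, "Host": STS_HOST, "X-Amz-Date": amz_date,
               "Authorization": f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders=content-type;host;x-amz-date, Signature={sig}"}
    return headers, body

def parse_credentials(xml_text):
    """Extract the temporary credentials from a GetSessionTokenResponse body."""
    root = ET.fromstring(xml_text)
    wanted = {"AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"}
    return {el.tag.split("}")[-1]: el.text for el in root.iter()
            if el.tag.split("}")[-1] in wanted}

def get_session_token(access_key, secret_key, duration=3600):
    """Call STS and return the temporary credentials (needs network and valid keys)."""
    headers, body = build_signed_request(access_key, secret_key, duration)
    req = urllib.request.Request(f"https://{STS_HOST}/", data=body.encode(),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_credentials(resp.read().decode())
```

The session token returned must be sent alongside the temporary access key and secret on every subsequent request, and everything in the dictionary expires at the returned Expiration time.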
