
AWS sts assume role in one command


AWS Security Token Service (STS) provides the assume-role operation, a cornerstone feature that lets a caller assume a different IAM role and obtain temporary security credentials. This is particularly useful for managing cross-account access or restricting permissions within the same account. Let's explore how to perform the assume-role operation in a single command and examine real-world scenarios and technical details.

Overview of AWS STS Assume Role

AWS STS facilitates the creation of temporary security credentials, allowing access to AWS resources. These credentials consist of an access key ID, a secret access key, and a session token. The assume-role action is critical when you need to switch roles within an account or across different AWS accounts, performing operations that your original IAM identity is not permitted to do with its standard permissions.

Benefits of Using assume-role

  • Security Enhancement: Temporary credentials minimize the risk of long-term key exposure.
  • Granular Access Control: Tailor permissions for specific tasks or operations.
  • Cross-account Access: Simplifies resource access distributed across multiple AWS accounts.

Command Line Utilization

To assume a role using AWS CLI in one command, it's essential to have the AWS CLI installed and configured correctly with your initial IAM user or a role that has the permission to assume the target role.

Syntax

The basic syntax for assuming a role using AWS CLI is:

```bash
aws sts assume-role --role-arn <role-arn> --role-session-name <session-name> --duration-seconds <duration-seconds>
```

Example Command

Assume a role with the ARN arn:aws:iam::123456789012:role/example-role for a session named example-session, with a session lasting 3600 seconds (1 hour):

```bash
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/example-role --role-session-name example-session --duration-seconds 3600
```

The response includes temporary security credentials you can use for authentication:

```json
{
    "Credentials": {
        "AccessKeyId": "ASIA...EXAMPLE",
        "SecretAccessKey": "wJalrX...EXAMPLE",
        "SessionToken": "FQoGZXIvYXdzEBEaD...EXAMPLE",
        "Expiration": "2021-11-14T23:00:00Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLE:example-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/example-role/example-session"
    }
}
```
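The response above still has to be turned into environment variables before subsequent `aws` commands run as the assumed role. The following shell script is an added example, not code from the original article: it wraps the assume-role call so that one `eval` loads the temporary credentials into the current shell. The `--query` expression asks the CLI for just the four credential fields as a tab-separated line; the role ARN and session name are the article's placeholder values, and the `creds_to_exports` helper is kept separate from the AWS call so it can be checked offline.

```shell
#!/bin/sh
# Added example (not from the original article): assume a role and load the
# resulting temporary credentials into the current shell in one command.

# Convert the tab-separated line produced by
#   aws sts assume-role ... \
#     --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
#     --output text
# into export statements. Fails loudly if the three credential fields are missing,
# so a broken call never leaves a half-configured shell behind.
creds_to_exports() {
  tab=$(printf '\t')
  old_ifs=$IFS
  IFS=$tab
  set -- $1
  IFS=$old_ifs
  if [ "$#" -lt 3 ]; then
    echo "assume-role output did not contain the three credential fields" >&2
    return 1
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$1"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$2"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$3"
  # Expiration is exported too, so scripts can check it before a long operation.
  printf "export AWS_CREDENTIAL_EXPIRATION='%s'\n" "${4:-unknown}"
}

# One-command usage (placeholder ARN and session name from the article):
#   eval "$(assume_role arn:aws:iam::123456789012:role/example-role example-session 3600)"
# Every aws command in this shell then runs as the assumed role until expiry.
assume_role() {
  role_arn=$1
  session_name=${2:-cli-session}
  duration=${3:-3600}
  out=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --duration-seconds "$duration" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || return 1
  creds_to_exports "$out"
}
```

Because the credentials only ever live in environment variables, closing the shell discards them; nothing is written to `~/.aws/credentials`.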

Implementation Details

Prerequisites

  • IAM Policies: Ensure your IAM user or role has the sts:AssumeRole permission.
  • Trust Relationship: The target role must trust the entity that attempts the assume-role. This is defined in the role's trust policy.

Managing Sessions

The lifetime of the temporary credentials is configurable between 15 minutes and 12 hours using the --duration-seconds option. Adjust it to balance access needs against your security requirements.

Cross-Account Role Assumption

In situations where you assume roles across multiple AWS accounts, you need:

  1. Source Account IAM Policy: Add the sts:AssumeRole permission.
  2. Target Account's Role Trust Policy: List the source account's IAM user or role as a trusted entity.

Real-world Use Cases

  • DevOps: Efficiently switch roles for deploying resources in production environments.
  • Security Auditing: Assume roles with tailored permissions for audits without disclosing long-lived credentials.
  • Dynamic Resource Management: Automate complex workflows needing access to multiple AWS accounts.

Summary Table

| Feature/Concept | Description |
| --- | --- |
| Temporary Credentials | Short-lived keys for improved security. |
| Role ARN | Unique identifier of the role you want to assume. |
| Session Name | Identifier for the session; important for logging and traceability. |
| Session Duration | Determines how long the temporary credentials are valid. |
| Cross-Account Access | Facilitates secure operations across different AWS accounts. |

Conclusion

AWS STS assume-role is a powerful feature enabling robust, secure, and flexible access management across AWS resources. Its one-command capability streamlines operations for developers and administrators while enforcing rigorous security measures through temporary credentials. By automating workloads and simplifying cross-account operations, AWS STS through its assume-role operation remains indispensable in any scalable, secure cloud architecture.
