You can use AWS Security Token Service (STS) to assume an IAM role. Once the role is assumed, your calls carry the permissions of that role. The credentials returned by AssumeRole are temporary, and you choose how long they stay valid (within the limits the role allows).
For the complete tutorial visit [ Link ]
What if your programs do not run on Amazon EC2 but you still want temporary credentials to access AWS? This is common when your software runs on Azure or on on-premises servers. In this situation you can use AWS Security Token Service (STS) to obtain temporary credentials. AWS STS is the underpinning technology behind nearly every authentication and authorization mechanism on AWS that hands out temporary credentials: SAML-based federation such as ADFS, OpenID Connect, EC2 instance roles, and the AWS CLI or SDK when they assume a role all call STS to obtain them (only an IAM user's long-term access keys bypass it). Therefore, a deep understanding of AWS STS is a crucial step towards mastering AWS security. Watch this video to learn how AWS Security Token Service works. In this video we use AWS Tools for PowerShell; nevertheless, the same API is available in the Command Line Interface (CLI), .NET, Java, Python and every other language AWS supports.
00:00 We first remove AmazonS3FullAccess from the EC2 instance role. This ensures that when we access S3 from PowerShell, the permissions are not coming from the EC2 instance role. We then create a new user called mytest-user with no permissions and create an access key and secret key for it. The important thing to note here is that mytest-user does not have any permissions of its own. We will later use this user to assume a role called my-test-role, which does have permissions.
03:00 We create a new role called my-test-role and attach the managed policy AmazonS3FullAccess to it. We then modify the trust policy of the role so that it trusts the user mytest-user (created a moment ago) to assume the role. This ensures that not every identity in the account can assume the role, only the named user. Although we configure an IAM user as the trusted principal, you can also define another role or an AWS service as the trusted principal. For instance, if you want another role X to assume my-test-role, you define the ARN of X as the trusted principal.
Note that the AWS account number 123456789123 used here will be different for you.
The flexibility of this trust relationship is enormous. A role can be configured to trust a principal in another account. This is useful when you want to promote a deployment from the pre-production account into production: the trust policy is configured so that a user or role in a shared-services or pre-production account is trusted to assume a role in the production account and perform the deployment. One caveat for the cross-account case: the trust policy on the target role is necessary but not sufficient, the caller's own identity policy in the source account must also allow sts:AssumeRole on that role's ARN. Within a single account, a trust policy that names the IAM user's ARN explicitly is enough on its own.
06:00 We then use the cmdlet Use-STSRole to assume the role my-test-role and get temporary credentials.
08:30 The temporary credentials returned by Use-STSRole can then be used to list S3 buckets. Note that, unlike the static credentials associated with an IAM user, the temporary credentials have an expiration time, and they are a triple rather than a pair: an access key ID, a secret access key and a session token, and the session token must be sent with every request or the key is rejected. Also observe how the credentials change every time you call the Use-STSRole cmdlet.
10:10 The minimum duration for which you can assume a role is 900 seconds (15 minutes); the default is one hour, and the upper bound is the role's configured maximum session duration (up to 12 hours). Bounds like these let a system that serves millions of users and trillions of API requests keep the number of live credentials manageable. If you try to use the credentials after they have expired, you get an error saying the security token is no longer valid. If you use .NET, Java or any other AWS-provided SDK, using expired credentials throws an exception, which you can catch and use as the trigger to assume the role again.
13:00 With this assume-role approach you can build a shared service that deploys solutions to multiple environments or AWS accounts, and none of those destinations needs to maintain static access keys, secret keys or even IAM users. All those destinations need is a role that trusts the shared service's IAM user or role.
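The whole procedure from the chapters above (strip the instance role, create the permissionless user, create the role and its trust policy, assume it, use the temporary triple, and recover from expiry) as one AWS Tools for PowerShell script. This is an added example written for this page, not the script from the video. It assumes the placeholder account ID 123456789123 from the page, an EC2 instance role called `my-ec2-role` (an assumed name), and a session name `deploy-demo` (also assumed); the trust policy JSON is reconstructed from the description of what the video configures.

```powershell
# Added example (not the video's own code). Requires AWS Tools for PowerShell
# (AWS.Tools.IdentityManagement, AWS.Tools.SecurityToken, AWS.Tools.S3) and an
# admin session to run the setup half. Account ID is the page's placeholder.
$AccountId = '123456789123'
$UserName  = 'mytest-user'
$RoleName  = 'my-test-role'
$S3Full    = 'arn:aws:iam::aws:policy/AmazonS3FullAccess'

# 00:00 - make sure S3 access cannot come from the instance role.
# 'my-ec2-role' is an assumed name; use your instance profile's role.
Unregister-IAMRolePolicy -RoleName 'my-ec2-role' -PolicyArn $S3Full

# Create the user with NO permissions, plus an access key stored as a profile.
New-IAMUser -UserName $UserName | Out-Null
$Key = New-IAMAccessKey -UserName $UserName
Set-AWSCredential -AccessKey $Key.AccessKeyId -SecretKey $Key.SecretAccessKey -StoreAs $UserName

# 03:00 - trust policy: only mytest-user may call sts:AssumeRole on this role.
# Reconstructed from the text; for cross-account use, put the other account's
# user/role ARN here and also grant sts:AssumeRole in that caller's own policy.
$TrustPolicy = @"
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "AWS": "arn:aws:iam::${AccountId}:user/${UserName}" },
    "Action": "sts:AssumeRole"
  }]
}
"@
$Role = New-IAMRole -RoleName $RoleName -AssumeRolePolicyDocument $TrustPolicy
Register-IAMRolePolicy -RoleName $RoleName -PolicyArn $S3Full

# 06:00 - assume the role *as mytest-user* (the stored profile), asking for the
# 900 s minimum so the expiry behaviour is easy to observe.
function Get-RoleCredentials {
    param([string]$RoleArn, [string]$ProfileName)
    (Use-STSRole -RoleArn $RoleArn -RoleSessionName 'deploy-demo' `
                 -DurationInSeconds 900 -ProfileName $ProfileName).Credentials
}
$Creds = Get-RoleCredentials -RoleArn $Role.Arn -ProfileName $UserName

# The result is a triple (AccessKeyId, SecretAccessKey, SessionToken) with an
# Expiration timestamp; each call returns a fresh, different triple.
"Temporary key $($Creds.AccessKeyId) expires at $($Creds.Expiration.ToUniversalTime())"

# Who am I now? STS reports the assumed-role session, not the IAM user.
(Get-STSCallerIdentity -Credential $Creds).Arn
# e.g. arn:aws:sts::123456789123:assumed-role/my-test-role/deploy-demo

# 08:30 - the role's permissions, not the user's, authorise this call.
Get-S3Bucket -Credential $Creds

# 10:10 - expired credentials fail with an ExpiredToken error. Wrap work in a
# retry that re-assumes the role once when that happens (SDK pattern from the text).
function Invoke-WithRole {
    param([string]$RoleArn, [string]$ProfileName, [scriptblock]$Work)
    $c = Get-RoleCredentials -RoleArn $RoleArn -ProfileName $ProfileName
    try {
        & $Work $c
    } catch {
        if ($_.Exception.ErrorCode -eq 'ExpiredToken') {
            $c = Get-RoleCredentials -RoleArn $RoleArn -ProfileName $ProfileName
            & $Work $c
        } else {
            throw
        }
    }
}
Invoke-WithRole -RoleArn $Role.Arn -ProfileName $UserName -Work {
    param($c)
    # -ErrorAction Stop turns the cmdlet error into a catchable exception.
    Get-S3Bucket -Credential $c -ErrorAction Stop
}
```

IAM is eventually consistent, so the first Use-STSRole a few seconds after creating the user, key or role may be denied; simply retry. The check in `Invoke-WithRole` relies on S3 returning the `ExpiredToken` error code for an expired session token; other services use the same code, but a defensive implementation would also match on `InvalidToken`.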