Introduction
To send a request to AWS, you must be authenticated. An IAM user can have long-term credentials such as a username and password or a set of access keys. When you assume an IAM role, you are given temporary security credentials instead.
In this article, we will go through 5 ways of authenticating with AWS, and then cover how to use the resulting credentials through the AWS CLI, either by configuring a named profile or by exporting environment variables.
5 ways of authenticating with AWS
Here are 5 different ways you can authenticate to AWS, each using a different AWS service and generating credentials or tokens as required.
1. AWS AssumeRole Temporary Access Mechanism
Assuming a role gives you a set of temporary security credentials that you can use to access AWS resources you might not normally have access to. The trust policy of the role being assumed must allow the calling principal to perform the sts:AssumeRole action.
- Run the CLI command:
  aws sts assume-role --role-arn <AWS_ROLE_TO_ASSUME> --role-session-name <SESSION_NAME> --duration-seconds <DURATION>
- The credentials will expire after <DURATION> seconds. The maximum duration is 129,600 seconds, which is 36 hours.
2. AWS AssumeRoleWithSAML Temporary Access Mechanism
This method returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
- Run the CLI command:
  aws sts assume-role-with-saml --role-arn <ROLE_ARN> --principal-arn <SAML_PROVIDER_ARN> --saml-assertion <SAML_ASSERTION>
- The credentials will expire after <DURATION> seconds. The maximum is 43,200 seconds, which is 12 hours.
3. AWS AssumeRoleWithWebIdentity Temporary Access Mechanism
This method returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
- Run the CLI command:
  aws sts assume-role-with-web-identity --duration-seconds <DURATION> --role-session-name <ROLE_SESSION> --provider-id "www.amazon.com" --policy-arns <POLICY_ARNS> --role-arn <ROLE_ARN> --web-identity-token <WEB_IDENTITY_TOKEN>
- The credentials will expire after <DURATION> seconds. The maximum is 43,200 seconds, which is 12 hours.
4. For an IAM user that created a Kubernetes cluster
If the user who created the cluster wishes to run kubectl commands, a kubeconfig can be generated with the following command. Regardless of their other IAM privileges, the IAM user that created the Kubernetes cluster is assigned system:masters (cluster admin) privileges in the cluster.
- Run the command below to generate credentials and add them to ~/.kube/config:
  aws eks update-kubeconfig --name test-cluster
- Run kubectl get svc to confirm the credentials were generated and are working as intended.
5. AWS GetFederationToken Temporary Access Mechanism
This method returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
- Run the CLI command:
  aws sts get-federation-token --name <TOKEN_NAME> --duration-seconds <DURATION> --policy <POLICY_STATEMENT>
- The credentials will expire after <DURATION> seconds. The maximum is 129,600 seconds, which is 36 hours.
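All four STS mechanisms above (assume-role, assume-role-with-saml, assume-role-with-web-identity and get-federation-token) print the same JSON shape, with a Credentials block holding AccessKeyId, SecretAccessKey, SessionToken and Expiration, and that block is what the configure and environment-variable steps later in this article consume. The following is an added example, not code from the original article: a small Python helper that checks a requested --duration-seconds against the maximums quoted above, parses the STS JSON output, reports how long the credentials have left, and renders them as either export lines or a named profile section for the AWS credentials file. The sample response embedded in it is constructed, with placeholder key values; the 900-second minimum is AWS's documented floor for these calls and is not stated in the article.

```python
"""Added example: turn STS temporary-credential JSON into the two forms the
AWS CLI consumes (exported environment variables or a named profile in the
credentials file), and sanity-check --duration-seconds against the limits
quoted in the sections above."""
import configparser
import io
import json
import os
from datetime import datetime, timezone

# Maximum --duration-seconds per mechanism, as quoted in the sections above.
MAX_DURATION = {
    "assume-role": 129_600,
    "assume-role-with-saml": 43_200,
    "assume-role-with-web-identity": 43_200,
    "get-federation-token": 129_600,
}
MIN_DURATION = 900  # AWS's documented floor for all four calls (assumption, not in the article)

# Constructed sample, shaped like `aws sts assume-role` output. Every value is a
# placeholder; none of these are real credentials.
SAMPLE_RESPONSE = """{
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "EXAMPLEsecretKEYvalue/NotAReal+Secret00000",
        "SessionToken": "EXAMPLEsessionTOKEN",
        "Expiration": "2024-01-01T12:00:00+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROAEXAMPLEID:my-session",
        "Arn": "arn:aws:sts::123456789012:assumed-role/ExampleRole/my-session"
    }
}"""


def check_duration(mechanism, seconds):
    """Return `seconds` if it is a valid --duration-seconds for `mechanism`, else raise."""
    limit = MAX_DURATION[mechanism]
    if not MIN_DURATION <= seconds <= limit:
        raise ValueError(f"{mechanism}: duration must be {MIN_DURATION}..{limit} s, got {seconds}")
    return seconds


def parse_credentials(response_text):
    """Extract the Credentials block from STS JSON output into a flat dict."""
    c = json.loads(response_text)["Credentials"]
    # CLI v2 prints ISO-8601 with an offset; some tools print a trailing 'Z' instead.
    expiration = datetime.fromisoformat(c["Expiration"].replace("Z", "+00:00"))
    return {
        "access_key_id": c["AccessKeyId"],
        "secret_access_key": c["SecretAccessKey"],
        "session_token": c["SessionToken"],
        "expiration": expiration,
    }


def seconds_remaining(creds, now_iso):
    """Seconds until expiry relative to `now_iso` (ISO-8601 with offset); negative once expired."""
    now = datetime.fromisoformat(now_iso.replace("Z", "+00:00"))
    return int((creds["expiration"] - now).total_seconds())


def as_env_exports(creds):
    """Shell lines that make the CLI use these credentials via environment variables."""
    return "\n".join([
        f"export AWS_ACCESS_KEY_ID={creds['access_key_id']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['secret_access_key']}",
        f"export AWS_SESSION_TOKEN={creds['session_token']}",
    ])


def _profile_config(profile, creds, path=None):
    """Load an existing credentials file (if any) and set/replace one profile section."""
    cfg = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    if path:
        cfg.read(path)
    cfg[profile] = {
        "aws_access_key_id": creds["access_key_id"],
        "aws_secret_access_key": creds["secret_access_key"],
        "aws_session_token": creds["session_token"],  # required for temporary credentials
    }
    return cfg


def render_profile(profile, creds):
    """The INI text of one profile section, as it would appear in ~/.aws/credentials."""
    buf = io.StringIO()
    _profile_config(profile, creds).write(buf)
    return buf.getvalue()


def write_profile(path, profile, creds):
    """Merge the profile into the credentials file at `path`, keeping other profiles."""
    cfg = _profile_config(profile, creds, path)
    # Owner-only permissions: the file holds live secrets.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        cfg.write(f)
    return cfg.sections()


if __name__ == "__main__":
    creds = parse_credentials(SAMPLE_RESPONSE)
    print(as_env_exports(creds))
    print(render_profile("assumed-role", creds))
    print("seconds left:", seconds_remaining(creds, datetime.now(timezone.utc).isoformat()))
```

In practice you would pipe the real CLI output into parse_credentials and then either eval the export lines in the current shell or call write_profile with the path of your credentials file and pass --profile to later commands; seconds_remaining is the check to run before a long job, since a session that expires mid-run fails with an ExpiredToken error rather than a clear message.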
How to configure and use these credentials
Using AWS CLI Configure
- On the terminal, run:
  aws configure --profile <new-profile-name>
- Provide the value for `
