Introduction
To send a request to AWS you must be authenticated. An IAM user can have long-term credentials such as a username and password or a set of access keys. When you assume an IAM role, you are given temporary security credentials.
In this article, we will go through 5 ways of authenticating with AWS, and then cover how to use the resulting credentials through the AWS CLI, either by configuring them as a profile or by exporting them as environment variables.
5 ways of authenticating with AWS
Here are 5 different ways you can authenticate to AWS using various services within and by generating credentials/tokens as required.
1. AWS Role Assume Role Temporary Access Mechanism
Assuming a role involves using a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. The role being assumed must have a trust policy that allows the calling principal to perform the sts:AssumeRole action.
- Run the CLI command: `aws sts assume-role --role-arn <AWS_ROLE_TO_ASSUME> --role-session-name <SESSION_NAME> --duration-seconds <DURATION>`
- The credentials will expire after `<DURATION>` seconds. The maximum duration is 129,600 seconds, which is 36 hours.
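As an added example (not code from the original article), the assume-role step combined with the exported-environment-variable approach mentioned in the introduction: a small POSIX shell helper that calls `aws sts assume-role` with a `--query` that flattens the returned credentials onto one tab-separated line, then turns that line into `export` statements and refuses anything that does not look like an STS temporary key. The function names, the role ARN, session name and the sample credential values are assumptions or constructed for the demonstration.

```shell
#!/bin/sh
# Added example: convert `aws sts assume-role` output into shell exports.
# Assumes the AWS CLI is installed and the caller is already allowed to
# assume the target role. Nothing here is taken from the original article.

# creds_to_exports: read one tab-separated line of the form
#   AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration
# (what `--output text` prints for the query in assume_role_env) from stdin
# and print the three AWS_* export statements plus the expiry as a comment.
creds_to_exports() {
  tab=$(printf '\t')
  IFS="$tab" read -r key secret token expiry || return 1
  # STS temporary access key IDs carry the ASIA prefix; an AKIA (long-term)
  # key or anything else means this is not an assume-role response.
  case "$key" in
    ASIA*) ;;
    *) echo "unexpected access key id prefix: $key" >&2; return 2 ;;
  esac
  if [ -z "$secret" ] || [ -z "$token" ]; then
    echo "incomplete credentials" >&2
    return 3
  fi
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
  printf "# credentials expire at %s\n" "$expiry"
}

# assume_role_env ROLE_ARN SESSION_NAME [DURATION_SECONDS]
# Calls STS and prints export lines. Typical use (hypothetical role ARN):
#   eval "$(assume_role_env arn:aws:iam::123456789012:role/Example audit 3600)"
assume_role_env() {
  role_arn=$1
  session=$2
  duration=${3:-3600}
  aws sts assume-role \
    --role-arn "$role_arn" \
    --role-session-name "$session" \
    --duration-seconds "$duration" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text | creds_to_exports
}
```

The session token is required alongside the key pair; exporting only `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` from a temporary credential set makes every subsequent request fail signature validation.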
2. AWS AssumeRoleWithSAML Temporary Access Mechanism
This method returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
- Run the CLI command: `aws sts assume-role-with-saml --role-arn <ROLE_ARN> --principal-arn <SAML_PROVIDER_ARN> --saml-assertion <SAML_ASSERTION>`
- The credentials will expire after `<DURATION>` seconds. The maximum is 43,200 seconds, which is 12 hours.
3. AWS AssumeRoleWithWebIdentity Temporary Access Mechanism
This method returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
- Run the CLI command: `aws sts assume-role-with-web-identity --duration-seconds <DURATION> --role-session-name <ROLE_SESSION> --provider-id "www.amazon.com" --policy-arns <POLICY_ARNS> --role-arn <ROLE_ARN> --web-identity-token <WEB_IDENTITY_TOKEN>`
- The credentials will expire after `<DURATION>` seconds. The maximum is 43,200 seconds, which is 12 hours.
4. For an IAM user that created a Kubernetes cluster
If the user who created the cluster wishes to run `kubectl` commands, a kubeconfig can be generated using the following command. Regardless of their IAM privileges, the IAM user that created the Kubernetes cluster is assigned `system:masters` (admin) privileges in the cluster.
- Run the command below to generate credentials and add them to `~/.kube/config`: `aws eks update-kubeconfig --name test-cluster`
- Run `kubectl get svc` to confirm the credentials were generated and are working as intended.
5. AWS GetFederationToken Temporary Access Mechanism
This method returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
- Run the CLI command: `aws sts get-federation-token --name <TOKEN_NAME> --duration-seconds <DURATION> --policy <POLICY_STATEMENT>`
- The credentials will expire after `<DURATION>` seconds. The maximum is 129,600 seconds, which is 36 hours.
How to configure and use these credentials
Using AWS CLI Configure
- On the terminal, run `aws configure --profile <new-profile-name>`
- Provide the value for `

Riyaz Walikar
Founder & Chief of R&D
Riyaz is the founder and Chief of R&D at Kloudle, where he hunts for cloud misconfigurations so developers don’t have to. With over 15 years of experience breaking into systems, he’s led offensive security at PwC and product security across APAC for Citrix. Riyaz created the Kubernetes security testing methodology at Appsecco, blending frameworks like MITRE ATT&CK, OWASP, and PTES. He’s passionate about teaching people how to hack—and how to stay secure.