To send a request to AWS you must be authenticated. An IAM user can have long-term credentials such as a username and password or a set of access keys. When you assume an IAM role, you are given temporary security credentials.
In this article, we will go through 5 ways of authenticating with AWS, and then cover how to use the resulting credentials through the AWS CLI, either by configuring a named profile or by exporting environment variables.
Here are 5 different ways you can authenticate to AWS, each using a different AWS service and generating credentials or tokens as required.
1. Assume role
Assuming a role means obtaining a set of temporary security credentials that let you access AWS resources you might not normally have access to. The role being assumed must have a trust policy that allows the calling principal to perform the sts:AssumeRole action.
Run the CLI command
aws sts assume-role --role-arn <AWS_ROLE_TO_ASSUME> --role-session-name <SESSION_NAME> --duration-seconds <DURATION>
The credentials will expire after <DURATION> seconds. The maximum duration is 129,600 seconds which is 36 hours; the value you request also cannot exceed the maximum session duration configured on the role itself.
2. Assume role with SAML
This method returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.
Run the CLI command
aws sts assume-role-with-saml --role-arn <ROLE_ARN> --principal-arn <SAML_PROVIDER_ARN> --saml-assertion <SAML_ASSERTION>
The credentials will expire after <DURATION> seconds. The maximum is 43,200 seconds which is 12 hours.
3. Assume role with web identity
This method returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.
Run the CLI command
aws sts assume-role-with-web-identity --duration-seconds <DURATION> --role-session-name <ROLE_SESSION> --provider-id "www.amazon.com" --policy-arns <POLICY_ARNS> --role-arn <ROLE_ARN> --web-identity-token <WEB_IDENTITY_TOKEN>
The credentials will expire after <DURATION> seconds. The maximum is 43,200 seconds which is 12 hours.
4. EKS cluster credentials
If the user who created the cluster wishes to run kubectl commands, a kubeconfig can be generated using the following command. Regardless of their other IAM privileges, the IAM identity that created the Kubernetes cluster is assigned system:masters (admin) privileges in the cluster.
Run the below command to generate credentials and add them to ~/.kube/config
aws eks update-kubeconfig --name test-cluster
Run kubectl get svc to confirm that the credentials were generated and are working as intended.
5. Get federation token
This method returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.
Run the CLI command
aws sts get-federation-token --name <TOKEN_NAME> --duration-seconds <DURATION> --policy <POLICY_STATEMENT>
The credentials will expire after <DURATION> seconds. The maximum is 129,600 seconds which is 36 hours.
Using the credentials with the AWS CLI: configuring a profile
Run the following command and enter the values when prompted:
aws configure --profile <new-profile-name>
You will be asked for the AWS Access Key ID, the AWS Secret Access Key and the Default region name.
If the credentials are temporary (as all of the STS methods above produce), open the ~/.aws/credentials file and add the following line in the correct profile section:
aws_session_token=<aws_session_token_value>
Using the credentials with the AWS CLI: environment variables
Pre-Requisites
The awscli command line tool must be installed.
On the terminal, export the following variables:
export AWS_ACCESS_KEY_ID=<aws_access_key>
export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
export AWS_SESSION_TOKEN=<aws_session_token>
export AWS_DEFAULT_REGION=<region>
Run the following command to verify the setup:
aws sts get-caller-identity
A successful response will contain the UserId and Account.
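Every STS command above prints the same Credentials block, and the last two sections hand-copy its three values into a profile or into export statements. As an added example (not from the original article), the following Python helper does that step from the JSON: it checks the Expiration, renders the four export lines, and renders a credentials-file profile section that includes the aws_session_token line. The sample response and its key and token values are constructed placeholders.

```python
import configparser
import io
import json
from datetime import datetime, timezone

# Constructed sample of the JSON printed by `aws sts assume-role` (the other STS
# commands on this page return the same Credentials block); values are placeholders.
SAMPLE_STS_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0001",
        "SecretAccessKey": "EXAMPLE-SECRET-ACCESS-KEY",
        "SessionToken": "EXAMPLE-SESSION-TOKEN",
        "Expiration": "2030-01-01T12:00:00+00:00",
    },
})

def parse_sts_credentials(response_json: str) -> dict:
    """Pull the temporary credential triple out of an STS response, refusing
    credentials whose Expiration has already passed."""
    creds = json.loads(response_json)["Credentials"]
    expiry = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiry <= datetime.now(timezone.utc):
        raise ValueError("STS credentials already expired; request a new session")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],
    }

def export_lines(creds: dict, region: str) -> list:
    """The four `export` statements of the environment-variable method."""
    return [
        f"export AWS_ACCESS_KEY_ID={creds['aws_access_key_id']}",
        f"export AWS_SECRET_ACCESS_KEY={creds['aws_secret_access_key']}",
        f"export AWS_SESSION_TOKEN={creds['aws_session_token']}",
        f"export AWS_DEFAULT_REGION={region}",
    ]

def render_profile(creds: dict, profile: str) -> str:
    """A ~/.aws/credentials profile section, including the aws_session_token
    line that `aws configure` does not prompt for."""
    cfg = configparser.ConfigParser()
    cfg[profile] = creds
    buf = io.StringIO()
    cfg.write(buf)
    return buf.getvalue()
```

Pipe the real command output into parse_sts_credentials and append the rendered section to ~/.aws/credentials (keep that file readable only by your user), or eval the export lines in the current shell.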