5 Different ways to authenticate with AWS

Riyaz Walikar

~ 4 min read

AWS supports multiple ways of authenticating users based on their context. This article shows various ways of authenticating to AWS using credentials, tokens, SSO and others.

Introduction

To send a request to AWS you must be authenticated. An IAM user can have long-term credentials such as a username and password or a set of access keys. When you assume an IAM role, you are given temporary security credentials.

In this article, we will go through 5 ways of authenticating with AWS, and then cover how to use the resulting credentials through the AWS CLI, either by configuring a profile or by exporting environment variables.

5 ways of authenticating with AWS

Here are 5 different ways you can authenticate to AWS, using various AWS services and by generating credentials or tokens as required.

1. AWS AssumeRole Temporary Access Mechanism

Assuming a role involves using a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. The role being assumed must have the sts:AssumeRole action applied to it via a trust policy.

  1. Run the CLI command

    aws sts assume-role --role-arn <AWS_ROLE_TO_ASSUME> --role-session-name <SESSION_NAME> --duration-seconds <DURATION>
  2. The credentials will expire after <DURATION> seconds. The maximum duration is 129,600 seconds which is 36 hours.

2. AWS AssumeRoleWithSAML Temporary Access Mechanism

This method returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.

  1. Run the CLI command

    aws sts assume-role-with-saml --role-arn <ROLE_ARN> --principal-arn <SAML_PROVIDER_ARN> --saml-assertion <SAML_ASSERTION>
  2. The credentials will expire after <DURATION> seconds. The maximum is 43200 seconds which is 12 hours.

3. AWS AssumeRoleWithWebIdentity Temporary Access Mechanism

This method returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible identity provider such as Google or Amazon Cognito federated identities.

  1. Run the CLI command

    aws sts assume-role-with-web-identity --duration-seconds <DURATION> --role-session-name <ROLE_SESSION> --provider-id "www.amazon.com" --policy-arns <POLICY_ARNS> --role-arn <ROLE_ARN> --web-identity-token <WEB_IDENTITY_TOKEN>
  2. The credentials will expire after <DURATION> seconds. The maximum is 43200 seconds which is 12 hours.

4. For an IAM user that created a Kubernetes cluster

If the user who created the cluster wants to run kubectl commands, a kubeconfig can be generated with the following command. Regardless of their other IAM privileges, the IAM user that created the Kubernetes cluster is assigned system:masters (admin) privileges in the cluster.

  1. Run the below command to generate credentials and add them to ~/.kube/config

    aws eks update-kubeconfig --name test-cluster
  2. Run kubectl get svc to confirm credentials were generated and are working as intended.

5. AWS GetFederationToken Temporary Access Mechanism

This method returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network.

  1. Run the CLI command

    aws sts get-federation-token --name <TOKEN_NAME> --duration-seconds <DURATION> --policy <POLICY_STATEMENT>
  2. The credentials will expire after <DURATION> seconds. The maximum is 129,600 seconds which is 36 hours.

How to configure and use these credentials

Using AWS CLI Configure

  1. On the terminal use aws configure --profile <new-profile-name>
  2. Provide the value for AWS Access Key ID
  3. Provide the value for AWS Secret Access Key
  4. Provide the value for Default region name
  5. Open the ~/.aws/credentials file and add the following line in the correct profile section

    aws_session_token=<aws_session_token_value>

Using Exported Environment Variables

Pre-Requisites

  • The awscli command line tool must be installed.
  1. On the terminal export the following variables

    export AWS_ACCESS_KEY_ID=<aws_access_key>
    export AWS_SECRET_ACCESS_KEY=<aws_secret_access_key>
    export AWS_SESSION_TOKEN=<aws_session_token>
    export AWS_DEFAULT_REGION=<region>
  2. Run the following command to verify setup

    aws sts get-caller-identity
  3. Successful command response will contain UserId and Account
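The two procedures above (writing a profile with its aws_session_token line, and exporting the three credential variables) both start from the JSON that the sts commands print. As an added example that is not part of the original article, the script below parses such a response, refuses it if the Expiration has already passed, writes it as a named profile without disturbing other profiles, and prints the export lines. The STS response is a constructed sample with placeholder values, and the profile name, file path and function names are assumptions.

```python
import configparser
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample of what `aws sts assume-role` prints; the values are placeholders, not real keys.
SAMPLE_STS_JSON = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "EXAMPLESECRETKEYEXAMPLESECRETKEY",
    "SessionToken": "EXAMPLESESSIONTOKEN",
    "Expiration": "2030-01-01T12:00:00+00:00"
  }
}"""


def parse_sts_credentials(raw_json: str) -> dict:
    """Pull the temporary credential set out of an STS response; reject it if already expired."""
    creds = json.loads(raw_json)["Credentials"]
    expires = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expires <= datetime.now(timezone.utc):
        # Reusing a profile past its --duration-seconds is what the CLI reports as ExpiredToken.
        raise ValueError(f"temporary credentials expired at {expires.isoformat()}")
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        "aws_session_token": creds["SessionToken"],  # the line step 5 adds by hand
    }


def write_profile(creds: dict, profile: str, path: Path) -> None:
    """Add or replace [profile] in an INI-style credentials file, keeping the other profiles."""
    config = configparser.ConfigParser(interpolation=None)  # tokens may contain '%'
    config.read(path)
    config[profile] = creds
    path.parent.mkdir(parents=True, exist_ok=True)
    with path.open("w") as fh:
        config.write(fh)
    path.chmod(0o600)  # keep the file readable only by its owner


def export_lines(creds: dict) -> list[str]:
    # The three export lines from the environment-variable section (region is not part of the STS response).
    return [f"export {key.upper()}={value}" for key, value in creds.items()]


if __name__ == "__main__":
    creds = parse_sts_credentials(SAMPLE_STS_JSON)
    # The demo writes to a scratch file; point this at ~/.aws/credentials for real use.
    write_profile(creds, "assumed-demo", Path(tempfile.mkdtemp()) / "credentials")
    print("\n".join(export_lines(creds)))
```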
