How do AWS Security Token Service (STS) keys work?

STSSecurity Token Service allows you to request temporary credentials for your AWS account without creating an IAM user. You do not need to inject any access key or environment variables in your application, as these credentials will be generated on-demand. Since they are temporary credentials, you don’t have to rotate them or remember to remove them when they no longer needed.

STS exposes APIs through its endpoint and AWS SDKs have the functions to create the programmatic access to STS. STS also supports AWS CloudTrail so you can log requests and information about the request. This log information is stored in an S3 bucket.

STS is enabling the SAML 2.0 federation. The client authentication flow is as follows:

1. A client request is first authenticated with an identity provider, the identity provider generates a sample token based on user identity and then returns it.
2. That token can then be used to assume a role with SAML, as shown in the flow diagram above via AssumeRoleWithSAML. The role must be defined with respect to the resource that the client wants access to in the account. The permissions will be granted to the client based on this role. The temporary credentials will then be returned by the STS to pretend to be the requested role, and a session will be maintained.
3. The temporary security credentials consist of an access key pair and a session token. This access key pair is the access key ID and secret key.
4. Finally, the client uses these STS credentials to access the desired service in your AWS account. The duration can last from fifteen minutes to a custom value for each role. In this case, the client retrieves an object from the bucket.

Federation can also be used to allow external users to access services in the AWS account using Amazon Cognito. Cognito allows users to authenticate with third-party identity providers (like Amazon, Facebook, or Google), which exchange the token from the identity provider for a Cognito token. The Cognito token is then used to get the temporary credentials from the STS to access the resources in the AWS account.

STS plays a vital role, as it supports AWS CloudTrail, which helps in the audit process. We can track the successful and failed requests, origin, and details about the request. Hence, STS becomes the first priority for most teams when it comes to authenticating users.