How to provide temporary access to your AWS account

When giving users access to an AWS account, we usually create an IAM user for them and hand over long-term credentials (an access key ID and a secret access key). This is not a best practice, and it carries real risk: long-term credentials leak easily and are rarely rotated, and either failure can lead to unauthorized access and account compromise. To reduce this risk, we should instead issue users temporary credentials only when they need access.

Required AWS resources

To provide users with temporary access, we need an IAM role in our AWS account. An IAM role is an AWS identity with IAM policies attached (an IAM policy is a JSON document that defines the permissions of an IAM identity or a resource). Unlike an IAM user, a role has no long-term credentials: a trusted entity assumes the role and receives temporary credentials whose permissions come from the policies attached to the role. Using this role, we can create a session for a user that lets them work in the AWS account for a limited time without any permanent credentials. Let’s start by creating the required IAM role.

The command below creates an IAM role. Replace <account-id> in the Principal ARN with your 12-digit AWS account ID. The AWS CLI must be configured with an access key ID and secret access key (for example with aws configure) before you execute the command; you can generate the keys by following our Answer on “How to generate AWS access keys.’’

Note: The IAM user whose credentials are being used must have permission to perform all of the actions below (iam:CreateRole and iam:PutRolePolicy).

aws iam create-role \
--role-name IdentityProviderRole \
--assume-role-policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::<account-id>:root"
},
"Action": "sts:AssumeRole"
}
]
}'

In this command, the --assume-role-policy-document argument is the role’s trust policy: it specifies which principals are allowed to assume the role, not which services. Trusting arn:aws:iam::<account-id>:root means that any IAM user or role in this account can assume the role, provided its own identity-based policy allows sts:AssumeRole on it. For least privilege, replace the root principal with the ARN of the specific IAM user or role that the application will run as. Copy the Arn value from the command’s output and save it somewhere safe; we’ll need it later.

Now that the role has been created, let’s attach the required permissions to it with the put-role-policy command, which adds an inline policy to the role. Execute the command given below to create the policy.

aws iam put-role-policy \
--role-name IdentityProviderRole \
--policy-name IdentityProviderPolicy \
--policy-document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"*"
],
"Resource": "*"
}
]
}'

The --policy-document argument specifies the permissions the role will have. For now, we’ve allowed every action on every resource, which is equivalent to the AdministratorAccess managed policy: anyone who can assume the role has full control of the account for the duration of the session. In practice, restrict this policy to the specific use case. For example, if someone needs credentials only to work with EC2, replace the "*" action with the specific ec2: actions they need, limit Resource where the service supports it, and consider a Condition such as aws:RequestedRegion. Permissions can also be narrowed per session, because sts:AssumeRole accepts an inline session policy that can only reduce, never extend, what the role’s own policy allows.

Generate temporary credentials

Now that we’ve created the IAM role, we’re all set to provide temporary credentials to users. To do that, we’ll use AWS STS (Security Token Service), which issues temporary, limited-privilege credentials for IAM identities and federated users so that no long-term credentials have to be created or managed, together with the AWS sign-in federation endpoint (https://signin.aws.amazon.com/federation), which exchanges those credentials for a console sign-in URL. Note that this is the console federation endpoint used by custom identity brokers, not the AWS Single Sign-On service (now IAM Identity Center), which centrally manages access across the accounts of an AWS Organization. The application below uses these two services and our IAM role to provide the required temporary access. Here’s the workflow of our application:

  • User Authentication

    • Users provide their company login credentials (username and password) via a login form.

    • The server checks the provided credentials against a predefined set of users (a stand-in for the company’s real identity provider).

  • Assume the AWS IAM Role

    • Upon successful authentication, the server uses the AWS SDK to assume an AWS IAM role associated with the user.

    • This involves calling the AWS Security Token Service (STS) AssumeRole API to obtain temporary credentials: an access key ID, a secret access key and a session token (the federation endpoint calls these the session ID, session key and session token). If we only wanted to give users CLI access, these credentials would be enough. However, we want users to reach the AWS Management Console, so we’ll use these credentials to generate a login URL.

  • Get Sign-in Token

    • The temporary credentials received from AWS STS are formatted into a JSON string with the keys sessionId, sessionKey and sessionToken; that string is URL-encoded and sent in a GET request to the AWS federation endpoint with Action=getSigninToken (and, optionally, a SessionDuration). The endpoint returns a sign-in token, which is valid for 15 minutes.

  • Construct Final Login URL

    • The received sign-in token is used to construct the final URL that users open to log in to the AWS Management Console. This URL targets the same federation endpoint with Action=login and includes the SigninToken, the Issuer (the URL of your own sign-in page) and the Destination (the console page to land on). Because the URL carries the bearer token, it must be delivered to the user over an authenticated, encrypted channel and must not be written to logs.
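The four steps above, written out as an added Node.js example; this is not the page’s application code and not AWS’s own code. It assumes Node 18 or later (for the global fetch), the @aws-sdk/client-sts package for the real STS call, a ROLE_ARN environment variable holding the role ARN saved earlier, an example issuer URL (https://intranet.example.com) and an EC2 read-only session policy, none of which appear on the page. The session policy shows how the all-permissive role from the previous section can be narrowed per user at AssumeRole time, since a session policy can only reduce, never extend, the role’s permissions. The STS and federation calls are injected as functions so the URL-building steps can be exercised without touching AWS.

```javascript
// Added example (not the page's application code): STS AssumeRole with a
// per-user session policy, then the federation endpoint exchange that turns
// the credentials into a console sign-in URL. Assumed, not from the page:
// Node 18+, @aws-sdk/client-sts, ROLE_ARN, the issuer URL and the policy.

const FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation";

// Session policy passed to AssumeRole. It can only narrow the role: the
// effective permissions are the intersection of the role's own policy
// ("*" on this page) and this document, so one broad role can serve
// several users with different, smaller sets of permissions.
const EC2_READ_ONLY_SESSION_POLICY = {
  Version: "2012-10-17",
  Statement: [
    {
      Effect: "Allow",
      Action: ["ec2:Describe*"],
      Resource: "*",
      Condition: { StringEquals: { "aws:RequestedRegion": "us-east-1" } },
    },
  ],
};

// Build the AssumeRole request. DurationSeconds is bounded by STS (900 s
// minimum, 43200 s maximum) and additionally by the role's
// MaxSessionDuration setting (3600 s unless raised with update-role).
function buildAssumeRoleInput(roleArn, username, durationSeconds, sessionPolicy) {
  if (!Number.isInteger(durationSeconds) || durationSeconds < 900 || durationSeconds > 43200) {
    throw new RangeError("DurationSeconds must be an integer between 900 and 43200");
  }
  // RoleSessionName shows up in CloudTrail, so tie it to the authenticated
  // user; STS allows only [\w+=,.@-] and at most 64 characters.
  const sessionName = `console-${username}`.replace(/[^\w+=,.@-]/g, "_").slice(0, 64);
  return {
    RoleArn: roleArn,
    RoleSessionName: sessionName,
    DurationSeconds: durationSeconds,
    Policy: JSON.stringify(sessionPolicy),
  };
}

// The federation endpoint expects the STS credentials under its own key
// names: sessionId = AccessKeyId, sessionKey = SecretAccessKey,
// sessionToken = SessionToken.
function toSessionJson(credentials) {
  return JSON.stringify({
    sessionId: credentials.AccessKeyId,
    sessionKey: credentials.SecretAccessKey,
    sessionToken: credentials.SessionToken,
  });
}

// Step 3 of the workflow: the getSigninToken request URL.
function buildGetSigninTokenUrl(credentials, sessionDurationSeconds) {
  const params = new URLSearchParams({
    Action: "getSigninToken",
    SessionDuration: String(sessionDurationSeconds),
    Session: toSessionJson(credentials),
  });
  return `${FEDERATION_ENDPOINT}?${params.toString()}`;
}

// Step 4 of the workflow: the URL handed to the user. The sign-in token is
// a bearer credential, so treat the whole URL like a password (never log it).
function buildLoginUrl(signinToken, issuer, destination) {
  const params = new URLSearchParams({
    Action: "login",
    Issuer: issuer,
    Destination: destination,
    SigninToken: signinToken,
  });
  return `${FEDERATION_ENDPOINT}?${params.toString()}`;
}

// Whole flow. `assumeRole` and `fetchImpl` are injected so the logic can be
// exercised without AWS; the real implementations are wired up in main().
async function createConsoleLoginUrl({
  roleArn, username, assumeRole, fetchImpl = globalThis.fetch,
  durationSeconds = 3600, sessionPolicy = EC2_READ_ONLY_SESSION_POLICY,
  issuer = "https://intranet.example.com", destination = "https://console.aws.amazon.com/",
}) {
  const { Credentials } = await assumeRole(
    buildAssumeRoleInput(roleArn, username, durationSeconds, sessionPolicy),
  );
  const response = await fetchImpl(buildGetSigninTokenUrl(Credentials, durationSeconds));
  if (!response.ok) {
    throw new Error(`federation endpoint returned HTTP ${response.status}`);
  }
  const { SigninToken } = await response.json();
  return buildLoginUrl(SigninToken, issuer, destination);
}

async function main() {
  // Only a real run needs the AWS SDK; it picks up the CLI credentials
  // configured earlier on this page from the environment.
  const { STSClient, AssumeRoleCommand } = await import("@aws-sdk/client-sts");
  const sts = new STSClient({});
  const url = await createConsoleLoginUrl({
    roleArn: process.env.ROLE_ARN,
    username: "bob",
    assumeRole: (input) => sts.send(new AssumeRoleCommand(input)),
  });
  console.log(url);
}

if (typeof require !== "undefined" && require.main === module) {
  if (!process.env.ROLE_ARN) {
    console.error("Set ROLE_ARN to the IAM role ARN saved earlier to run against AWS.");
  } else {
    main().catch((err) => { console.error(err); process.exit(1); });
  }
}
```

Run it with ROLE_ARN set and AWS CLI credentials in the environment; without ROLE_ARN it only prints a hint. The session length defaults to 3600 seconds here, which is also the role’s default MaxSessionDuration; raising it to the page’s 43200 requires update-role --max-session-duration on the role as well.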

Provide the IAM role ARN we saved earlier to the application and run it.

<!-- result.ejs -->

<!DOCTYPE html>
<html lang="en">
<head>
  <meta charset="UTF-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <title>AWS Sign-In Result</title>
  <!-- Add any additional stylesheets or head content as needed -->
</head>
<body>
  <h1>AWS Sign-In Result</h1>
  
  <!-- Display the final URL; the EJS output tag HTML-escapes the value, so it is safe inside the attribute -->
  <p>Sign-in URL:</p>
  <input type="text" id="finalUrl" value="<%= finalUrl %>" readonly>
  <button onclick="copyToClipboard()">Copy URL</button>
  
  <!-- Display session validity information -->
  <p>Session is valid for <%= sessionDuration %> seconds.</p>
  
  <script>
    // Copy the URL to the clipboard, using the asynchronous Clipboard API
    // where available and falling back to the legacy execCommand path.
    function copyToClipboard() {
      var copyText = document.getElementById("finalUrl");
      copyText.select();
      if (navigator.clipboard && navigator.clipboard.writeText) {
        navigator.clipboard.writeText(copyText.value).then(function () {
          alert("URL copied to clipboard!");
        });
      } else {
        document.execCommand("copy");
        alert("URL copied to clipboard!");
      }
    }
  </script>
  
</body>
</html>

After the application starts, use the following credentials to log in:

  • Username: bob

  • Password: bobpassword

These are dummy company credentials that identify the user to the application before it grants AWS console access; in a real deployment, this step would authenticate users against the company’s identity provider.

Once you are logged in, the app calls STS to assume the IAM role we created earlier, which starts a temporary session. After it receives the session credentials, it exchanges them at the AWS federation endpoint for a sign-in token and builds the console sign-in URL for the user.

Copy the sign-in URL generated by the application and open it in a new private window, so that an existing console session in your browser does not interfere. You should be able to log in to the AWS console and perform any operation, because the IAM role used to create this session has an all-permissive policy attached to it. The console session is valid for 43200 seconds (12 hours), the maximum SessionDuration the federation endpoint accepts; for genuinely temporary access, choose a shorter value. The sign-in URL itself must be used within 15 minutes of being generated, and because anyone holding it can log in, it should be treated as a credential and shared only over a secure channel. After the session expires, the user can’t use the account until a new URL is issued.

Conclusion

We’ve learned how, by creating an IAM role and attaching appropriate policies, we can let users assume the role and obtain temporary credentials. This approach allows users to perform the necessary actions within a specified time frame without exposing long-term credentials. Exchanging those credentials at the AWS federation endpoint extends the same model to the AWS Management Console, so console access is also controlled and temporary, thereby safeguarding the AWS account. Remember to replace the all-permissive policy used in this example with one scoped to the user’s actual task.

Copyright ©2025 Educative, Inc. All rights reserved