My personal blog

STS credential for non AWS users

2020.07.02

Use Case

We have resources in an AWS account that are only accessible with AWS credentials. We therefore need a way to grant credentials and access to an external entity that does not have an AWS account.

A common practice is to authenticate and retrieve temporary credentials from an IAM Role. We define IAM Policies, attach them to the designated IAM Role, and let the entity call sts assume-role on it to obtain dynamic, temporary STS credentials (reference).

To do that in AWS environment is effortless, but not that straightforward for external non-AWS entities.

Solution and Summary

  • We can set up AWS API Gateway + AWS Lambda to receive HTTP requests from whitelisted entities.
  • The Lambda function can retrieve temporary credentials once its instance_profile is added to the Trusted Entities in the Trust Relationship config of the target IAM Role.
  • As a result the entity receives temporary credentials, which by default are only valid for 3600 seconds.

The solution above is already implemented by this terraform module:

Currently terraform-aws-lambda-sts only supports whitelisting by public IP, with externalID as an additional authentication parameter.

Sample Request and Response for testing

Request:

curl -X POST \
  https://<INVOKE URL of API Gateway> \
  -H 'Content-Type: application/json' \
  -d '{
  "assumed_role_arn": "arn:aws:iam::1234567890:role/SampleRole",
  "token_duration": 1800,
  "external_id": "12312312391231893knjsdkakbsdnaksdjbak1231213"
}'

Response:

{
  "Version": 1,
  "AccessKeyId": "ASIA22OD7FLXHZ5ZFRXI",
  "SecretAccessKey": "A7XSXJzgyoUb9u8R/kWB+kg3b1duGE/kBd58S2ft",
  "SessionToken": "FwoGZXIvYXdzEHEaDFSm4muCfVBnkIEJ3yK3AZxaNCsP8Fs3r3a66SumCZXH2/jd3jrw7FuPdBPxto25WSlKFs14+T+Vim/hxPxeJFTtvDvyrP7OMJCUySLiiSsiVXmWneov/hoxQMm9xYzRxECwdpe3+LMV7y3CZ8om4HsbXvOnPJUwxV//r49fvaiu+3tMu09DQkKyMOn+OJLVmKTK0NpL5ytSAsD7MmqhdPDX9rKJoylumsRtyFFJBqxfuTXXjeyJDiIM3ngEo5E8FE0LvPuZPiirqLTvBTIta/EymgxiGTnJptCPD8ro7X1BaMntWVBb+dZtazXuyYzFY1MyMeY7Ix9XS8wC",
  "Expiration": "2019-12-08T16:18:03Z"
}
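The flow summarised above (IP whitelist, externalID, STS AssumeRole, credential response in the shape shown) as an added example Lambda handler; this is not the terraform-aws-lambda-sts module's own code. It assumes an API Gateway proxy integration, an ALLOWED_SOURCE_CIDRS environment variable, and boto3 in the Lambda runtime; the FakeSts client and make_event helper are constructed stand-ins so it can run offline.

```python
import ipaddress
import json
import os
from datetime import datetime, timedelta, timezone

# Constructed configuration; a deployment would read these from Lambda environment variables.
ALLOWED_SOURCE_CIDRS = os.environ.get("ALLOWED_SOURCE_CIDRS", "203.0.113.0/24")
MAX_TOKEN_DURATION = 3600  # default STS session length mentioned above

def parse_request(event, allowed_cidrs=ALLOWED_SOURCE_CIDRS):
    """Whitelist the caller's public IP and validate the JSON body sent by the curl request above."""
    source_ip = ipaddress.ip_address(event["requestContext"]["identity"]["sourceIp"])
    if not any(source_ip in ipaddress.ip_network(c.strip()) for c in allowed_cidrs.split(",")):
        raise PermissionError(f"source IP {source_ip} is not whitelisted")
    body = json.loads(event.get("body") or "{}")
    duration = int(body.get("token_duration", MAX_TOKEN_DURATION))
    if not 900 <= duration <= MAX_TOKEN_DURATION:  # STS accepts 900s up to the role's max (3600s by default)
        raise ValueError("token_duration must be between 900 and 3600 seconds")
    return {"RoleArn": body["assumed_role_arn"], "ExternalId": body["external_id"],
            "DurationSeconds": duration, "RoleSessionName": f"sts-gateway-{source_ip}".replace(":", "-")}

def credentials_response(sts_client, params):
    """Call STS AssumeRole; the ExternalId is enforced by the role's trust policy, not by this code."""
    creds = sts_client.assume_role(**params)["Credentials"]
    # Same shape as the response shown above; "Version": 1 is the AWS CLI credential_process contract.
    return {"Version": 1, "AccessKeyId": creds["AccessKeyId"], "SecretAccessKey": creds["SecretAccessKey"],
            "SessionToken": creds["SessionToken"],
            "Expiration": creds["Expiration"].astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")}

def handler(event, context=None, sts_client=None):
    """Lambda entry point behind an API Gateway proxy integration (assumed)."""
    if sts_client is None:
        import boto3  # present in the Lambda runtime; imported lazily so a fake client can be injected
        sts_client = boto3.client("sts")
    try:
        return {"statusCode": 200, "body": json.dumps(credentials_response(sts_client, parse_request(event)))}
    except PermissionError as exc:
        return {"statusCode": 403, "body": json.dumps({"error": str(exc)})}
    except (KeyError, ValueError) as exc:  # missing fields, bad duration, malformed JSON
        return {"statusCode": 400, "body": json.dumps({"error": f"bad request: {exc}"})}

class FakeSts:
    """Constructed stand-in for boto3's STS client so the example runs offline."""
    def assume_role(self, **params):
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLEKEY", "SecretAccessKey": "constructed-secret",
                                "SessionToken": "constructed-token",
                                "Expiration": datetime.now(timezone.utc) + timedelta(seconds=params["DurationSeconds"])}}

def make_event(source_ip, **body):
    """Build an API Gateway proxy event like the one the curl request above produces (constructed)."""
    return {"requestContext": {"identity": {"sourceIp": source_ip}}, "body": json.dumps(body)}
```

Pass `sts_client=FakeSts()` to `handler` to exercise the whitelist and validation paths without AWS access; with no client argument it uses the real STS client of the Lambda execution role.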

The request above can easily be simulated with this tool:

It provides more robust usage and detailed information for audit purposes, and gives an external process the capability to retrieve credentials.

You can find the detailed setup and further information by following the README.

Feel free to contribute and raise any issue by following the guidelines in each repository.
