A Principal (person or application) use an entity (user or role) to send requests to AWS API. Now, when you use AWS console to interact with the AWS ecosystem, I understand these requests are signed automatically so that AWS can identify who sent them (whereas you need to sign HTTP API calls manually).
Is each request made to the AWS API signed? irrespective of if the request is made from Console/CLI/SDK/HTTP API. I understand few STS and S3 actions are exceptions but my question is to find out if signing the requests is dependant on the source of request i.e. Console/CLI/SDK/HTTP API? Or if this applies to all either automatically or manually?
On the IAM user guide documentation, it is mentioned that -
When you use the AWS Command Line Interface (AWS CLI) or one of the AWS SDKs to make requests to AWS, these tools automatically sign the requests for you with the access key that you specify when you configure the tools
So, when requests are made through AWS console, how are these requests signed ? as console users does not have access keys?
- When assuming a role, a user sends an STS:Assumerole request with the role specified in the request. Does the temporary credential returned apply to the user who assumed the role or does the temporary credential apply to the role? Basically, what I am trying to understand is if STS:Assumerole is to authenticate the role or the user who assumed the role?
