AWS IAM roles and STS

0
votes

As per AWS IAM user guide,

When you make a call using temporary security credentials, the call must include a session token, which is returned along with those temporary credentials. AWS uses the session token to validate the temporary security credentials.

Question - By validation, does it mean that the session token helps AWS identify the life (duration) of temporary credentials during each API call and help AWS in managing the rotation of temporary credentials?

Validation of temporary security credentials seems to be a bit confusing (may be the English vocabulary) as otherwise when you make a call using permanent security credentials, is validation not necessary - wouldn't AWS be able to use the same mechanism as permanent credentials for temporary credentials as well because both have access key (access key id and secret access key) - What is the specific use of session token?

2
amazon-web-servicesamazon-iam

2 Answers

1
votes

STS comes with duration and default is 3600s AWS validates the combination of key_id/access_key/duration for a temporary token for each API call

STS is more secure as it's a temporary token only, as opposed to access_key_id and secret_access_key which is a permanent combination, if you lose some admin key/secret, your AWS account will encounter serious damage So key your permanent key securely and use STS as much as possible

1
votes

Maybe it contains encrypted information.

Maybe it's just a really large random number used for lookup in a global database.

Maybe it's neither of these things.

The specific purposes of the security token is not documented and ultimately does not matter, because the token is opaque and is not considered sensitive information. Only the secret key is secret.

If you try to use temporary cresentials without the token, the resulting error message will imply that the credentials don't exist at all, so there is reason to speculate that the token contains encrypted information mapping the temporary credentials to their associated principle, the session policy if present, and validity timestamps, since doing so would allow STS credentials to be validated by a global, distributed system without need of a central backing store... but this is, and can only be, speculation.

There are no documented mechanisms for inspecting or decoding the token.