
We have a hybrid environment where some applications run in our own datacenter and other services run on AWS.

Now we have an application which needs to write files to S3. In our current solution we have created an IAM user (with access keys) who has an inline policy to write/list/delete objects on a certain bucket.

This works, but it probably isn't that secure because the security credentials are permanent. One of the main advantages of using AWS roles is that the credentials are rotated at a specific time interval and stored as metadata.

I know you can assign a role to an EC2 instance, so the instance can securely connect to (for example) an S3 bucket and do whatever it is allowed to do. But how do we have to handle this for applications which are NOT running on AWS but need a connection to an AWS service?

DenCowboy

1 Answer


You want to use the AWS Security Token Service. This is specifically designed for the use case you describe.

More details here:

Temporary Security Credentials

And here:

AWS Security Token Service

Alex Moore
  • I don't see how this really answers the question asked (without creating an infinite regression) because **you can't call STS without already being in possession of a set of credentials.** EC2 instance roles work because the EC2 infrastructure calls STS on behalf of the instance, so the instance doesn't require static credentials in order to initiate the process. Outside EC2, this isn't possible. – Michael - sqlbot Oct 22 '18 at 09:51
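The pattern the answer points at, and the objection in the comment, can both be made concrete. The following is an added example in Python, not code from the question author, the answerer, or AWS: the on-premises application keeps one static IAM access key, but that key's only permission is `sts:AssumeRole` on a single role; the S3 permissions live on the role, and the application exchanges the static key for short-lived role credentials that it refreshes before they expire. The account ID, ARNs, bucket name, the `AssumeRoleCredentials` class and the `FakeSts` stand-in (which replaces the real `boto3` `sts.assume_role` call so the example runs offline) are all constructed for this example. As the comment says, this does not remove the bootstrap secret; it shrinks what that secret can do on its own and makes the credentials the application actually uses for S3 expire.

```python
"""Added example (not from the page): a static bootstrap key that can only
assume one role, plus a provider that refreshes the role's temporary
credentials. ARNs, bucket and the FakeSts responses are constructed."""
import time
from datetime import datetime, timezone

ROLE_ARN = "arn:aws:iam::123456789012:role/OnPremS3Writer"            # assumed
BOOTSTRAP_USER_ARN = "arn:aws:iam::123456789012:user/onprem-bootstrap"  # assumed

# What the question describes today: S3 permissions directly on the static user.
CURRENT_INLINE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:PutObject", "s3:ListBucket", "s3:DeleteObject"],
        "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"],
    }],
}
# Proposed split: the static key may only assume one role ...
BOOTSTRAP_USER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}],
}
# ... and the role trusts only that user; the S3 policy above moves onto the role.
ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": BOOTSTRAP_USER_ARN},
                   "Action": "sts:AssumeRole"}],
}


def allowed_actions(policy):
    """Flatten the Action field(s) of every Allow statement in an IAM policy."""
    acts = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") == "Allow":
            a = stmt.get("Action", [])
            acts.extend([a] if isinstance(a, str) else a)
    return acts


def static_key_can_touch_s3(policy):
    """True if a principal holding this policy can call S3 directly (no STS hop)."""
    return any(a == "*" or a.lower().startswith("s3:") for a in allowed_actions(policy))


class AssumeRoleCredentials:
    """Caches STS credentials and re-assumes the role before they expire."""

    def __init__(self, assume_role_fn, role_arn, session_name,
                 duration_seconds=3600, refresh_margin=300, clock=time.time):
        self._assume, self._role_arn, self._session = assume_role_fn, role_arn, session_name
        self._duration, self._margin, self._clock = duration_seconds, refresh_margin, clock
        self._creds = None

    def _needs_refresh(self):
        if self._creds is None:
            return True
        # Refresh a little early so an in-flight request never uses expired keys.
        return self._clock() >= self._creds["Expiration"].timestamp() - self._margin

    def get(self):
        if self._needs_refresh():
            self._creds = self._assume(self._role_arn, self._session, self._duration)
        return {k: self._creds[k] for k in ("AccessKeyId", "SecretAccessKey", "SessionToken")}


def boto3_assume_role(role_arn, session_name, duration):
    """Real STS call; needs boto3 and the bootstrap key in the environment. Not run here."""
    import boto3
    return boto3.client("sts").assume_role(
        RoleArn=role_arn, RoleSessionName=session_name, DurationSeconds=duration)["Credentials"]


class FakeSts:
    """Constructed stand-in for STS so the example runs offline."""

    def __init__(self, clock):
        self.clock, self.calls = clock, 0

    def assume_role(self, role_arn, session_name, duration):
        self.calls += 1
        return {"AccessKeyId": f"ASIAFAKE{self.calls:04d}",
                "SecretAccessKey": "fake-secret", "SessionToken": f"fake-token-{self.calls}",
                "Expiration": datetime.fromtimestamp(self.clock() + duration, tz=timezone.utc)}


def demo():
    """Drive the provider with a fake clock: (key at t0, key at +30min, key at +60min, STS calls)."""
    now = [1_700_000_000.0]
    sts = FakeSts(lambda: now[0])
    provider = AssumeRoleCredentials(sts.assume_role, ROLE_ARN, "onprem-app",
                                     duration_seconds=3600, refresh_margin=300,
                                     clock=lambda: now[0])
    first = provider.get()["AccessKeyId"]
    now[0] += 1800   # 30 min later: still well inside the hour, no new STS call
    same = provider.get()["AccessKeyId"]
    now[0] += 1800   # 60 min after issue: past (expiry - margin), role re-assumed
    rotated = provider.get()["AccessKeyId"]
    return first, same, rotated, sts.calls


if __name__ == "__main__":
    print(demo())
```

To use it against real AWS, pass `boto3_assume_role` as `assume_role_fn` and hand the keys from `get()` to whatever S3 client the application uses; `static_key_can_touch_s3` is the check to run over the bootstrap user's attached and inline policies, which should come back false.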