I want to be able to assign a time-based api token to a non-admin AWS user that results in giving that user temporary admin privileges to all AWS services.

Why do I want this? Because when I develop on AWS on my personal account I like to be able to have admin access to every service, but I don't want to have a pair of cleartext undying admin credentials sitting in my .aws/credentials file. So I want to be able to assume an IAM role that will elevate a user to admin and use STS to assign a time-based API token.

At work we use federation via a SAML server so users are given time-based access no matter what role they have: dev, admin, etc, but I don't want to have to set all of that up just to have a time-based API token. I have read the AWS docs and discussed this in #aws and so far the response I have is to make an IAM trust policy that hard-codes a time end:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:CurrentTime": "2017-10-30T00:00:00Z"}}
        }
    ]
}

But I don't want to manually hardcode and update this policy every time and would rather use STS to assign a time-based API token. Any insight would be much appreciated.

  • I don't have time to write an answer, but this should give you the information you need: https://blog.stitchdata.com/role-playing-with-aws-c9eaebcc6c98 – kdgregory Oct 11 '17 at 16:01
  • However, there's a bigger question: _why_ don't you want to have plaintext credentials in `.aws/credentials`? I'm assuming that you take reasonable security precautions (eg, encrypted disk, strong password to access your personal computer), and are not in the habit of storing your credentials in random places. To make temporary credentials more secure than permanent credentials you would need to authenticate in order to receive those credentials. Regular rotation of credentials may be sufficient. You do have 2FA enabled on your login, right? – kdgregory Oct 11 '17 at 16:10
  • I have everything you said except 2FA. I want temporary credentials because they're better than permanent ones. We use temp creds at work with *everything* you mentioned and this is a good solution. I want some way to reproduce that for my personal projects. That is all. – Digital Impermanence Oct 11 '17 at 16:14
  • Have you found a good alternative? – Cristiano Coelho Aug 16 '22 at 00:59

2 Answers

Have you tried GetSessionToken? Refer to this:

Sample Request:

https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&SerialNumber=YourMFADeviceSerialNumber
&TokenCode=123456
&AUTHPARAMS
Kush Vyas
STS and IAM Roles:

1) Create your role in the AWS console.

2) Use the AWS CLI to issue yourself new credentials using this role. You can create a batch script with the command to simplify executing it.

Example:

aws sts assume-role --role-arn arn:aws:iam::123456789012:role/xaccounts3access --role-session-name s3-access-example

The output of the command contains an access key, secret key, and session token that you can use to authenticate to AWS.

Temporary credentials

John Hanley
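The two answers together describe the whole procedure the question asks for: a role with a trust policy that names the non-admin user (and, as the comments suggest, requires MFA), an STS call with a bounded DurationSeconds, and credentials that expire on their own. The script below is an added example and is not code from either answer or from AWS; the account id 123456789012, the role name AdminRole, the user dev-user and the MFA device ARN are placeholders. It emits the trust policy for step 1, wraps `aws sts assume-role` (and, for the first answer, `aws sts get-session-token`) for step 2 so the returned keys can be `eval`'d into the current shell, and prints the `~/.aws/config` profile that lets the CLI perform the same role assumption and MFA prompt automatically, which removes the need for any long-lived admin key in `.aws/credentials`.

```shell
#!/bin/sh
# Added example: a non-admin IAM user obtains short-lived admin credentials
# by assuming a role. All ARNs below are constructed placeholders.
set -eu

ROLE_ARN="arn:aws:iam::123456789012:role/AdminRole"
USER_ARN="arn:aws:iam::123456789012:user/dev-user"
MFA_SERIAL="arn:aws:iam::123456789012:mfa/dev-user"

# Step 1: trust policy to attach to the role. Only dev-user may assume it,
# and only when the call carries a valid MFA token. The role itself gets
# AdministratorAccess (or whatever the elevated permission set is); the user
# keeps only sts:AssumeRole on this role ARN in their own policy.
admin_role_trust_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:user/dev-user"},
    "Action": "sts:AssumeRole",
    "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
  }]
}
EOF
}

# Turn one tab-separated line (AccessKeyId, SecretAccessKey, SessionToken,
# Expiration), as produced by the --query/--output text flags below, into
# export statements. Nothing is written to disk; the keys die with the shell.
creds_to_exports() {
  printf '%s\n' "$1" | {
    IFS="$(printf '\t')" read -r key secret token expiry
    printf 'export AWS_ACCESS_KEY_ID=%s\n' "$key"
    printf 'export AWS_SECRET_ACCESS_KEY=%s\n' "$secret"
    printf 'export AWS_SESSION_TOKEN=%s\n' "$token"
    printf '# credentials expire at %s\n' "$expiry"
  }
}

# Step 2 (second answer): assume the admin role with a 1h lifetime.
# Usage: eval "$(assume_admin_role 123456)"   where 123456 is the MFA code.
assume_admin_role() {
  line=$(aws sts assume-role \
    --role-arn "$ROLE_ARN" \
    --role-session-name "dev-user-admin" \
    --serial-number "$MFA_SERIAL" \
    --token-code "$1" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)
  creds_to_exports "$line"
}

# First answer's alternative: GetSessionToken. This does NOT elevate the
# user; it returns temporary keys with the user's own permissions, but
# because they are MFA-backed they satisfy aws:MultiFactorAuthPresent
# conditions in policies. Usage: eval "$(session_token_exports 123456)"
session_token_exports() {
  line=$(aws sts get-session-token \
    --serial-number "$MFA_SERIAL" \
    --token-code "$1" \
    --duration-seconds 3600 \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
    --output text)
  creds_to_exports "$line"
}

# Hands-off variant: with this profile in ~/.aws/config the CLI assumes the
# role on every call of `aws --profile admin ...`, prompts for the MFA code,
# and caches the temporary credentials until they expire. The source profile
# "dev-user" holds the non-admin user's keys; no admin key is stored anywhere.
admin_profile_config() {
  cat <<EOF
[profile admin]
role_arn = $ROLE_ARN
source_profile = dev-user
mfa_serial = $MFA_SERIAL
duration_seconds = 3600
role_session_name = dev-user-admin
EOF
}
```

The `assume_admin_role` and `session_token_exports` functions call the real AWS CLI and therefore need a configured `dev-user` profile and an enrolled MFA device; the other functions run offline. The profile approach is usually the better fit for day-to-day work, since the CLI re-assumes the role transparently and the user never handles the temporary keys by hand.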