
I have a use case where I need arbitrary clients to receive AWS credentials (key and secret) that I generate and pass to them. The credentials should expire after a few minutes. The clients need to post to an S3 bucket.

The clients will not be a part of any AWS account and cannot use any multi factor auth. This seems to prevent me from using IAM roles.

It seems that the Security Token Service is what Amazon provides for similar use cases, but I can't massage it to get what I need out of it. I either need a role ARN, or to pass the session token on to the clients to use in their requests. The clients can have no concept of a session token, only an AWS key/secret.

In short, I want to be able to generate a temporary AWS key/secret pair that needs no multifactor auth or session token.

Is this possible? Thanks!

Alex Totheroh
  • Do you really need temporary IAM credentials, or is it acceptable to have a pre-signed URL you can share that lets someone POST the new file to S3? If the pre-signed URL approach is acceptable, there are lots of answers in SO already. – dmulter Jun 15 '18 at 21:02
  • *"The clients can have no concept of a session token- only AWS key/secret."* Then the clients are not correctly implemented. Support for session tokens is a pretty fundamental component of request signing. Are you sure about this part? – Michael - sqlbot Jun 16 '18 at 00:18

1 Answer


This is exactly the use case for Uploading Objects Using Pre-Signed URLs - Amazon Simple Storage Service.

Basically:

  • Your application determines whether the user is authorized to upload/download a file
  • It generates a Pre-signed URL that includes an expiration time
  • The clients use the URL to upload/download to S3
  • After the expiry time, the URL no longer works
John Rotenstein
  • Similarly, given a signed policy document, clients can POST into a bucket: https://docs.aws.amazon.com/AmazonS3/latest/dev/UsingHTTPPOST.html – twotwotwo Jun 15 '18 at 22:54
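The four steps in the answer, worked through as an added example (this is not code from the original post or from AWS). It mints a pre-signed PUT URL with the SigV4 query-string signing scheme using only the Python standard library, shows that the client needs nothing but the URL, and includes `verify_presigned`, a simplified stand-in for the check S3 performs on receipt, so the expiry and tamper behaviour can be exercised offline. The access key, secret, bucket name and object key are constructed placeholders; the signed POST policy mentioned in the comment is a separate mechanism and is not shown here.

```python
"""Pre-signed S3 PUT URL (SigV4 query-string auth), stdlib only, plus a model of
the server-side check. Added illustration, not the original post's code."""
import hashlib
import hmac
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
from urllib.parse import parse_qsl, quote, unquote, urlsplit

# Constructed placeholder credentials and bucket (never commit real ones).
ACCESS_KEY = "AKIAEXAMPLEEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
REGION = "us-east-1"
BUCKET = "example-upload-bucket"
MAX_EXPIRES = 7 * 24 * 3600  # S3 rejects SigV4 X-Amz-Expires above seven days


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, date: str, region: str) -> bytes:
    """AWS4 key derivation: secret -> date -> region -> service -> terminator."""
    k = _hmac(("AWS4" + secret).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, "s3")
    return _hmac(k, "aws4_request")


def _canonical_query(query: dict) -> str:
    # Sorted by name; everything except A-Z a-z 0-9 - _ . ~ is percent-encoded.
    return "&".join(f"{quote(k, safe='')}={quote(v, safe='')}" for k, v in sorted(query.items()))


def _signature(method: str, host: str, key: str, query: dict, secret: str, date: str, region: str) -> str:
    """SigV4 signature over the canonical request of a query-string-authenticated call."""
    canonical_request = "\n".join([
        method,
        "/" + quote(key, safe="/"),   # object key, segment-encoded, slashes kept
        _canonical_query(query),      # must NOT include X-Amz-Signature itself
        f"host:{host}\n",             # canonical headers block ends with a blank line
        "host",                       # signed headers
        "UNSIGNED-PAYLOAD",           # pre-signed S3 URLs do not commit to the body
    ])
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256",
        query["X-Amz-Date"],
        f"{date}/{region}/s3/aws4_request",
        hashlib.sha256(canonical_request.encode()).hexdigest(),
    ])
    return hmac.new(_signing_key(secret, date, region), string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_put(bucket: str, key: str, access_key: str, secret_key: str, region: str,
                expires_seconds: int, now: Optional[datetime] = None) -> str:
    """Your application, after authorizing the user: mint a URL that lets the holder PUT
    exactly this key, with this method, until X-Amz-Date + X-Amz-Expires."""
    if not 1 <= expires_seconds <= MAX_EXPIRES:
        raise ValueError("X-Amz-Expires must be between 1 and 604800 seconds")
    now = now or datetime.now(timezone.utc)
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    host = f"{bucket}.s3.{region}.amazonaws.com"
    query = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{date}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires_seconds),
        "X-Amz-SignedHeaders": "host",
    }
    sig = _signature("PUT", host, key, query, secret_key, date, region)
    return f"https://{host}/{quote(key, safe='/')}?{_canonical_query(query)}&X-Amz-Signature={sig}"


def client_put_request(url: str, body: bytes) -> urllib.request.Request:
    """The client: the URL is the whole credential. No key, secret or session token is sent."""
    return urllib.request.Request(url, data=body, method="PUT")


def verify_presigned(url: str, secret_key: str, now: Optional[datetime] = None,
                     method: str = "PUT") -> Tuple[bool, str]:
    """Simplified model of S3's check (real S3 also applies bucket and IAM policy).
    Key, method and expiry are all under the signature, so the holder can neither
    extend the deadline nor retarget the upload."""
    parts = urlsplit(url)
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    presented = query.pop("X-Amz-Signature", "")
    try:
        signed_at = datetime.strptime(query["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
        ttl = int(query["X-Amz-Expires"])
        _, date, region, service, terminator = query["X-Amz-Credential"].split("/")
    except (KeyError, ValueError):
        return False, "malformed"
    if service != "s3" or terminator != "aws4_request" or not query["X-Amz-Date"].startswith(date):
        return False, "malformed"
    now = now or datetime.now(timezone.utc)
    if now > signed_at + timedelta(seconds=ttl):
        return False, "expired"
    expected = _signature(method, parts.hostname, unquote(parts.path[1:]), query, secret_key, date, region)
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"
    return True, "ok"


if __name__ == "__main__":
    print(presign_put(BUCKET, "uploads/report 2018.pdf", ACCESS_KEY, SECRET_KEY, REGION, 300))
```

Keep the expiry as short as the upload realistically needs (the question's "few minutes" maps directly to `X-Amz-Expires`), sign with an IAM principal whose policy allows only `s3:PutObject` on the prefix you hand out, and remember that the URL is a bearer credential: anyone who obtains it before expiry can perform that one PUT, so hand it over on TLS and do not log it.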