In response to STS requests such as 'AssumeRole' etc., the STS service returns temporary security credentials that consist of <access-key, secret-key, session/security token>. While the 'access-key' is used to identify a user, the secret-key is used to ensure (validate) that the user is really the one to whom the temporary credentials were issued (assuming that the credentials were not stolen). What then is the use of the third part, the 'session/security token'?

Prasad B
  • 27
  • 6
  • 1
    You kinda answered your own question. The session/security token identifies the session created by the user. – jellycsc Feb 26 '21 at 16:33
  • But the session can be accessed/indexed by the access-key. Access-Key -> Credentials/Session_Info. The access-key is specified in the http headers with the key 'X-Amz-Credential'. – Prasad B Feb 26 '21 at 17:16
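The question turns on where each of the three parts is actually used on the wire. The following is an added example (not code from the question, the commenters, or AWS's SDKs) that performs Signature Version 4 signing as the public spec describes it: the access key ID is placed in the `Credential` scope of the `Authorization` header, the secret key only ever feeds the HMAC key-derivation chain and is never transmitted, and the session token is sent in the `x-amz-security-token` header and is itself covered by the signature. The credential values, host and timestamp are constructed placeholders with the shape STS returns, not real credentials.

```python
"""Where each part of an STS temporary credential goes in a SigV4-signed request."""
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample values with the shape of an STS AssumeRole result; not real credentials.
TEMP_CREDS = {
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "EXAMPLESECRETKEY/NotARealSecret",
    "SessionToken": "FwoGZXIvYXdzEXAMPLESESSIONTOKEN==",
}

# Fixed clock so the example is deterministic (constructed, matches nothing real).
FIXED_TIME = datetime(2021, 2, 26, 16, 33, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def derive_signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation. The secret key is only an HMAC input; it never leaves the client."""
    k_date = _hmac(("AWS4" + secret_key).encode(), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def sign_request(creds: dict, method: str, host: str, path: str, query: str,
                 body: str, region: str, service: str, when: datetime) -> dict:
    """Return the headers of a SigV4-signed request made with temporary credentials.

    - AccessKeyId identifies the key pair in the Authorization Credential scope.
    - SecretAccessKey is used only to derive the signing key (never sent).
    - SessionToken is sent in x-amz-security-token and is included in the signed headers,
      so it cannot be swapped out without invalidating the signature.
    """
    amz_date = when.strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    headers = {"host": host, "x-amz-date": amz_date}
    if creds.get("SessionToken"):
        headers["x-amz-security-token"] = creds["SessionToken"]

    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k].strip()}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode()).hexdigest()
    canonical_request = "\n".join(
        [method, path, query, canonical_headers, signed_headers, payload_hash])

    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(
        ["AWS4-HMAC-SHA256", amz_date, scope,
         hashlib.sha256(canonical_request.encode()).hexdigest()])

    signing_key = derive_signing_key(creds["SecretAccessKey"], date, region, service)
    signature = hmac.new(signing_key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={creds['AccessKeyId']}/{scope}, "
        f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def example_request(creds: dict = TEMP_CREDS) -> dict:
    """Sign a constructed sts:GetCallerIdentity call at the fixed time."""
    return sign_request(creds, "GET", "sts.amazonaws.com", "/",
                        "Action=GetCallerIdentity&Version=2011-06-15", "",
                        "us-east-1", "sts", FIXED_TIME)


if __name__ == "__main__":
    for name, value in example_request().items():
        print(f"{name}: {value}")
```

Reading the output: the secret key appears in no header, the access key ID appears only inside `Credential=...`, and the session token travels in the clear under `x-amz-security-token`. Possession of the secret key is what the signature proves; the token is extra, signed-over material that the service receives verbatim, which is why it needs to be treated as sensitive even though it does not by itself prove anything without the matching secret.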

2 Answers

0

I am not an AWS employee, nor do I have internal knowledge of IAM authorization, so this is speculation.

With that out of the way, I speculate that the session token is an optimization. It appears to be a Base64-encoded value, and I would expect that it contains at the least a signed timestamp that indicates when the credential expires. This allows the front-end servers for AWS to quickly reject expired tokens without needing to look at a database.

It's an optimization that's needed because the number of session identifiers can be expected to be several orders of magnitude larger than the "long-lived" credentials assigned to users.

Parsifal
  • 3,928
  • 5
  • 9
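An added illustration of the design this answer speculates about, written for this page and not derived from AWS's actual (undocumented) token format: a self-describing token whose payload carries the key ID and an expiry, authenticated with an HMAC under a server-side key. A front end holding that key can reject an expired or forged token with no database lookup, which is the optimization the answer describes. The signing key, key ID and times are constructed placeholders.

```python
"""Hypothetical stateless session token: signed expiry checked without a database."""
import base64
import hashlib
import hmac
import json

# Constructed server-side key for the example; a real service would keep this in an HSM/KMS.
TOKEN_SIGNING_KEY = b"constructed-server-side-signing-key"
TAG_LEN = hashlib.sha256().digest_size  # 32-byte fixed-length tag appended to the payload


def mint_token(access_key_id: str, expires_at: int, key: bytes = TOKEN_SIGNING_KEY) -> str:
    """Issue token = base64url(payload || HMAC-SHA256(key, payload))."""
    payload = json.dumps({"akid": access_key_id, "exp": expires_at},
                         separators=(",", ":")).encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + tag).decode()


def check_token(token: str, now: int, key: bytes = TOKEN_SIGNING_KEY) -> tuple:
    """Front-end check: (True, access_key_id) or (False, reason). No storage consulted."""
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        payload, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
        claims = json.loads(payload)
        expires_at = int(claims["exp"])
        akid = claims["akid"]
    except (ValueError, KeyError, TypeError):
        return False, "malformed"
    # Verify the tag before trusting any claim, with a constant-time comparison.
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return False, "bad signature"
    if now >= expires_at:
        return False, "expired"
    return True, akid


if __name__ == "__main__":
    tok = mint_token("ASIAEXAMPLEACCESSKEY", expires_at=1_000_000)
    print(check_token(tok, now=999_000))    # accepted while unexpired
    print(check_token(tok, now=1_000_000))  # rejected once the expiry passes
```

Note the ordering in `check_token`: the HMAC is verified before the expiry or any other claim is acted on, so an attacker who edits the expiry in a captured token only gets a "bad signature" result. This is exactly the property that lets a front end drop bad tokens cheaply; the full authorization decision (policies, revocation) would still happen further back.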
0

The session token most likely contains a list of claims, one of which may be "Is User MFA Authenticated". But I don't see the use of the Public/Private access key.

Iftikhar Ali
  • 369
  • 3
  • 12