
I want to create temporary credentials that last about 30 days, and will only have access to a specific directory in a specific S3 bucket (I have figured out what the policy to do this would look like). Note that the specific directory is determined by the username (so it's somewhat dynamic).

I have seen some potential options but they all have pitfalls:

- Amazon Cognito: For my use case, this will become too complex, as it will need some work on the client side.

- GetFederatedToken: This seemed like the best option, but only allows a max expiration time of 36 hours (3 days); for my use case, I would need something that lasts longer.

AssumeRole and GetSessionToken also have the same issue as GetFederatedToken.

If there is some way that I could give the temporary credentials the permission to renew themselves via an API request (but not change the policy attached to them), that would be perfect for my use case. Any thoughts on how I could achieve my desired result?

I don't want to use IAM's, as some of the users may be outside of my organization, and this number could grow really large.

Kikanye
    You can't, at least not with credentials from STS. You could perhaps provide a script that can be used to validate the current credentials and make an API call to some backend (simple API Gateway + Lambda function?) to refresh the temporary credentials. Obviously the backend should authenticate the user and validate the time remaining in the 30-day window. – jarmod Feb 16 '22 at 17:20
  • I'd tried this, but for my use case it solves the problem for some users, but not all. Some of my users manage their own infrastructure which makes something like this rather difficult to do. Thanks for the suggestion though. – Kikanye Feb 16 '22 at 18:16
  • Have not tried this but did you test with an IAM role that allows the role to [assume itself](https://stackoverflow.com/questions/64398235/how-to-assume-aws-role-from-the-same-aws-role-in-cloudformation-template)? And maybe add a [date condition](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_examples_aws-dates.html) on the S3 policy statements to restrict them to the 30 days. – jarmod Feb 16 '22 at 18:23
  • This is an interesting idea, I will try this and see. – Kikanye Feb 16 '22 at 18:33
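
As an added example (not part of the question or of the comments above), here is a sketch of the refresh backend jarmod describes in the first comment: a service (API Gateway + Lambda, or anything else) that authenticates the user, checks how much of the user's 30-day window is left, and then calls STS AssumeRole with a session policy pinned to that user's own prefix. The role ARN, bucket name, the `FakeSts` stand-in for boto3's STS client and the way a caller is authenticated are all assumptions made for this example. Two facts worth keeping in mind when wiring this up for real: STS rejects `DurationSeconds` below 900, and if the refresh endpoint itself runs under a role session (as with a role that assumes itself), role chaining caps the new session at one hour regardless of the role's MaxSessionDuration.

```python
# Added example, not code from the question or the comments. ROLE_ARN, BUCKET,
# FakeSts and the caller's authentication are placeholders/assumptions.
import json
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# STS refuses DurationSeconds under 900; a session obtained by a role session
# that itself calls AssumeRole (role chaining) is capped at 3600.
MIN_SESSION_SECONDS = 900
MAX_SESSION_SECONDS = 3600
WINDOW_DAYS = 30

BUCKET = "example-bucket"                                   # placeholder
ROLE_ARN = "arn:aws:iam::123456789012:role/UserUploadRole"  # placeholder

# Conservative whitelist: valid as an STS RoleSessionName and unambiguous as an
# S3 key prefix (no '/', '*', '?' or '.').
USERNAME_RE = re.compile(r"^[A-Za-z0-9_@=,+-]{2,64}$")


def build_session_policy(bucket: str, username: str) -> dict:
    """Session policy pinning a session to s3://<bucket>/<username>/*.

    A session policy can only narrow what the role's own policy grants, so a
    caller cannot use the refresh endpoint to widen their access.
    """
    if not USERNAME_RE.match(username):
        raise ValueError(f"unsafe username: {username!r}")
    return {"Version": "2012-10-17", "Statement": [
        {"Sid": "ListOwnPrefixOnly", "Effect": "Allow",
         "Action": "s3:ListBucket",
         "Resource": f"arn:aws:s3:::{bucket}",
         "Condition": {"StringLike": {"s3:prefix": [f"{username}/*"]}}},
        {"Sid": "ObjectsInOwnPrefixOnly", "Effect": "Allow",
         "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
         "Resource": f"arn:aws:s3:::{bucket}/{username}/*"},
    ]}


def remaining_duration(now: datetime, window_end: datetime) -> Optional[int]:
    """Seconds to grant on this refresh, or None once the window has closed.

    Clamped to the STS limits, so a refresh near the end of the window gets a
    shorter session instead of credentials that outlive the 30 days.
    """
    left = int((window_end - now).total_seconds())
    if left < MIN_SESSION_SECONDS:
        return None
    return min(left, MAX_SESSION_SECONDS)


def refresh_credentials(sts, username: str, window_start: datetime,
                        now: Optional[datetime] = None) -> Optional[dict]:
    """Issue fresh credentials for an already-authenticated user.

    `sts` is boto3.client("sts") in production; window_start is when this
    user's 30-day entitlement began, taken from your own user store.
    """
    now = now or datetime.now(timezone.utc)
    seconds = remaining_duration(now, window_start + timedelta(days=WINDOW_DAYS))
    if seconds is None:
        return None  # window over: refuse, do not mint anything
    resp = sts.assume_role(
        RoleArn=ROLE_ARN,
        RoleSessionName=username,
        Policy=json.dumps(build_session_policy(BUCKET, username)),
        DurationSeconds=seconds,
    )
    return resp["Credentials"]


class FakeSts:
    """Offline stand-in for boto3's STS client; records what it was asked."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {"AccessKeyId": "ASIAEXAMPLE",          # constructed
                                "SecretAccessKey": "constructed",
                                "SessionToken": "constructed",
                                "Expiration": kwargs["DurationSeconds"]}}


def run_demo() -> dict:
    """Three refreshes at different points in one user's window."""
    sts = FakeSts()
    start = datetime(2022, 2, 16, tzinfo=timezone.utc)
    refresh_credentials(sts, "alice", start, start + timedelta(days=10))
    refresh_credentials(sts, "alice", start,
                        start + timedelta(days=30) - timedelta(minutes=20))
    after = refresh_credentials(sts, "alice", start, start + timedelta(days=31))
    return {
        "day10_seconds": sts.calls[0]["DurationSeconds"],     # 3600 (capped)
        "last20m_seconds": sts.calls[1]["DurationSeconds"],   # 1200 (clamped)
        "after_window": after,                                # None (refused)
        "issued": len(sts.calls),
        "policy_resource": json.loads(sts.calls[0]["Policy"])["Statement"][1]["Resource"],
    }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

The client side then loops: call the endpoint, use the returned keys until shortly before `Expiration`, call again. The backend, not the credentials, is what carries the 30-day lifetime, and the clamping in `remaining_duration` is what stops the final refresh from issuing a session that reaches past the window; a `DateLessThan` condition on the role's S3 statements, as suggested in the comments, is a reasonable backstop for the same boundary.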

0 Answers