AWS STS GetFederationToken + resource based policy

0

Hello,

I am trying to understand the inner workings of AWS STS GetFederationToken in combination with a resource-based policy as described in https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html. Must the IAM permission policy attached to the user which calls "GetFederationToken" contain the same IAM actions as specified in the resource policy (the S3 actions in the example) or not? The documentation is not clear to me.

Thank you very much for any help.

1 answer
0
Accepted answer

Hello,

Thank you for posting your question on the AWS Repost, my name is Rochak and it will be a pleasure assisting you with this today.

I understand you would like to know if the IAM permission policy attached to the user which calls "GetFederationToken" must contain the same IAM actions as specified in the resource policy. Please, let me know if my understanding is incorrect.

Please note that yes, the IAM policy attached to the user making the GetFederationToken API call must contain the necessary IAM actions to perform the operation, but it does not necessarily need to contain the same IAM actions as specified in the resource policy.

The GetFederationToken API call is used to obtain temporary security credentials for a federated user, which can be used to access AWS resources for a limited period. When making the GetFederationToken call, the user must have the sts:GetFederationToken permission included in their IAM policy.

On the other hand, the resource-based policy is used to control access to specific resources (e.g., S3 buckets) like you mentioned for the federated user. The IAM permissions policy and resource-based policy are separate entities, and they serve different purposes. While the IAM policy grants permission to make the GetFederationToken API call, the resource-based policy controls access to the specific resource(s) that the federated user is authorized to access.[1]

So, the main point here is the IAM policy attached to the user making the GetFederationToken call must include the sts:GetFederationToken permission, but it does not need to contain the same IAM actions as specified in the resource policy. [2]

I hope this helps. If you need further info, let me know in the comments; otherwise I'd appreciate it if you would mark my answer as "accepted".

Kind regards, Rochak from AWS

References:

[1] Identity-based policies and resource-based policies https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_identity-vs-resource.html

[2] Policy Types https://aws.amazon.com/blogs/security/iam-policy-types-how-and-when-to-use-them/

AWS
answered a year ago
  • Hello Rochak,

    Thank you very much for your reply. You understood my question correctly and you provided a clear answer to my question. It is now clear to me what has to be defined. Thanks for that. Only the documentation does not seem clear to me, as the picture in the upper section suggests that the resulting permissions are an intersection of the user's permission policy and the bucket policy, as is the case when dealing with session policies.

    Also the section "The following resource-based policy is attached to the bucket. This bucket policy allows a federated user named Carol to access the bucket. When the example policy described earlier is attached to the token-app IAM user, the federated user named Carol has permission to perform the s3:GetObject, s3:PutObject, and s3:DeleteObject actions on the bucket named productionapp." led me to the conclusion that it is an intersection.

    Best regards, Thomas
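The following Python script is an added example, not code from the thread or from AWS. It builds the parameters for a GetFederationToken call for the federated user "Carol" from the documentation example (validating the name, duration and inline-policy size limits STS enforces), derives Carol's federated-user ARN, and then applies a deliberately simplified permission model to three constructed policies: the token-app user's identity policy, the session policy passed in the call, and the productionapp bucket policy. The model (session permissions = identity policy ∩ session policy, plus whatever a resource-based policy grants directly to the federated-user ARN) is an assumption made for illustration; it ignores Deny statements, Condition elements and the Resource element, so it is not the authoritative IAM evaluation logic. The account ID is a placeholder and the call itself is not made, so the script runs offline.

```python
"""Added example: GetFederationToken request building plus a simplified
permission model for a federated user. Assumptions are marked inline."""
import json
import re

# Input limits enforced by sts:GetFederationToken.
NAME_RE = re.compile(r"^[\w+=,.@-]{2,32}$")
MIN_DURATION, MAX_DURATION = 900, 129_600   # 15 minutes .. 36 hours
MAX_POLICY_CHARS = 2048                      # plaintext length of the inline policy

ACCOUNT_ID = "123456789012"                  # placeholder account, not a real one
BUCKET_ARN = "arn:aws:s3:::productionapp"    # bucket name from the thread


def federated_user_arn(account_id, name):
    """ARN STS assigns to a federated user created by GetFederationToken."""
    return f"arn:aws:sts::{account_id}:federated-user/{name}"


def build_request(name, session_policy, duration=43_200):
    """Keyword arguments for boto3's sts.get_federation_token(); raises
    ValueError for inputs STS would reject. The call is not made here."""
    if not NAME_RE.match(name):
        raise ValueError(f"invalid federated user name: {name!r}")
    if not MIN_DURATION <= duration <= MAX_DURATION:
        raise ValueError(f"DurationSeconds {duration} outside {MIN_DURATION}..{MAX_DURATION}")
    policy_doc = json.dumps(session_policy, separators=(",", ":"))
    if len(policy_doc) > MAX_POLICY_CHARS:
        raise ValueError("session policy exceeds the plaintext size limit")
    return {"Name": name, "Policy": policy_doc, "DurationSeconds": duration}


def request_is_valid(name, session_policy=None, duration=43_200):
    try:
        build_request(name, session_policy or {}, duration)
        return True
    except ValueError:
        return False


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy, principal_arn=None):
    """Actions named in Allow statements. With principal_arn set, the policy is
    treated as resource-based and only statements whose Principal lists that
    ARN (or "*") count. Deny, Condition and Resource are ignored (simplification)."""
    actions = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if principal_arn is not None:
            principal = stmt.get("Principal", {})
            granted_to = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
            if principal_arn not in granted_to and "*" not in granted_to:
                continue
        actions.update(_as_list(stmt.get("Action", [])))
    return actions


def effective_actions(identity_policy, session_policy, resource_policy, principal_arn):
    """Assumed model: identity ∩ session, plus direct resource-policy grants
    to the federated-user ARN."""
    session_perms = allowed_actions(identity_policy) & allowed_actions(session_policy)
    return session_perms | allowed_actions(resource_policy, principal_arn)


# Constructed sample policies (shapes follow the documentation example).
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "sts:GetFederationToken", "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
     "Resource": [BUCKET_ARN, f"{BUCKET_ARN}/*"]},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": f"{BUCKET_ARN}/*"},
]}
BUCKET_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Principal": {"AWS": federated_user_arn(ACCOUNT_ID, "Carol")},
     "Action": "s3:DeleteObject", "Resource": f"{BUCKET_ARN}/*"},
]}


def carol_effective_actions():
    """s3:ListBucket drops out (not in the session policy); s3:DeleteObject
    comes back in through the bucket policy naming Carol's ARN."""
    arn = federated_user_arn(ACCOUNT_ID, "Carol")
    return sorted(effective_actions(IDENTITY_POLICY, SESSION_POLICY, BUCKET_POLICY, arn))


if __name__ == "__main__":
    print(build_request("Carol", SESSION_POLICY))
    print(carol_effective_actions())
```

Run the script as-is to see the request parameters and the resulting action set; to issue the real call, pass the returned dictionary to `boto3.client("sts").get_federation_token(**params)` with credentials for the token-app user.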
