
Is it accurate to say STS is an authorization-only service?

0

I've recently been doing a deep dive into AWS IAM and AWS STS. I haven't seen it said explicitly before, but is it accurate to say that STS is only for authorization? Because it seems that the only entities that can perform the action (AssumeRole*) are already authenticated via a third party. Whether it's a third-party IdP and you perform AssumeRoleWithSAML/AssumeRoleWithWebIdentity, or if you're an IAM user and you were authenticated via IAM Identity Center, or if you're an IAM role and already have existing security credentials.

At no point does it seem that you actually authenticate to STS, but you rather come with already validated security credentials.

Is my classification of STS as an authorization-only service accurate? Or did I misunderstand something? And if so, what's the role of Identity Center? I am a bit confused about this one, though I haven't yet exhausted all the resources out there.

1 Answer
-1

Your understanding of AWS Security Token Service (STS) is partially correct, but it's not entirely accurate to describe STS as an authorization-only service. STS plays a crucial role in both authentication and authorization processes within the AWS ecosystem.

STS is primarily responsible for issuing temporary security credentials, which are used for both authentication and authorization. When you use STS operations like AssumeRole, AssumeRoleWithSAML, or AssumeRoleWithWebIdentity, you're essentially requesting temporary security credentials that can be used to access AWS resources.

You're correct that in many cases, the entity making the STS call is already authenticated by another system. For example:

  1. With AssumeRoleWithSAML or AssumeRoleWithWebIdentity, the user is authenticated by a third-party identity provider.
  2. For IAM users using AssumeRole, they're authenticated via their long-term AWS credentials.
  3. For IAM roles, they're using existing temporary credentials to assume another role.

However, STS is still involved in the authentication process because it validates the incoming identity and issues new temporary credentials. These credentials are then used for both authentication and authorization when accessing AWS services.

Regarding AWS IAM Identity Center (formerly AWS Single Sign-On), it works in conjunction with STS to provide a streamlined authentication and authorization experience. IAM Identity Center manages user identities and their access to AWS accounts and applications. When a user signs in through IAM Identity Center, it uses STS behind the scenes to obtain temporary credentials for the user, which are then used to access AWS resources.

In summary, while STS doesn't perform the initial authentication in many scenarios, it's not accurate to call it an authorization-only service. It plays a crucial role in both authentication and authorization by issuing and validating temporary security credentials used to access AWS resources.
Sources
Identity-enhanced IAM role sessions - AWS IAM Identity Center
Compare AWS STS credentials - AWS Identity and Access Management
Actions - AWS Security Token Service

answered 9 months ago
EXPERT
reviewed 9 months ago
  • Can you give an example of when STS actually authenticates a user? If necessary, provide a step-by-step example of a user authenticating, and then authorizing and performing actions in AWS, and in this example explain when an authentication is performed, when there's authorization, and which service is responsible for each.
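A worked illustration of the point the answer makes about the AssumeRole call arriving with already-validated credentials, added here as an example and not taken from the answer, the question or AWS's own code. A caller never "logs in" to STS; it signs the AssumeRole request with credentials it already holds using Signature Version 4, and STS authenticates the request by recomputing that signature. The code below implements the public SigV4 algorithm so the request can be built and checked offline. The access key id and secret key are the placeholder values from the AWS documentation; the role ARN, session token and the `verify_sigv4` function (a stand-in for the server-side check STS performs) are constructed for the example. The trust-policy and IAM-policy evaluation that follows a successful signature check (the authorization step) is not modeled.

```python
"""Constructed example: how an sts:AssumeRole request is authenticated.

Not AWS code. Implements SigV4 request signing (client side) and a stand-in
for the signature check STS performs (server side). Authorization against
the role's trust policy is a separate step and is not modeled here.
"""
import hashlib
import hmac
import urllib.parse

ALGO = "AWS4-HMAC-SHA256"

# Placeholder credentials from the AWS documentation; never real keys.
DEMO_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
DEMO_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
DEMO_ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleAuditRole"  # constructed


def _sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def assume_role_body(role_arn: str, session_name: str) -> bytes:
    """Form-encoded body of an sts:AssumeRole request (Query API)."""
    return urllib.parse.urlencode({
        "Action": "AssumeRole",
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "Version": "2011-06-15",
    }).encode()


def signing_key(secret_key: str, date: str, region: str, service: str) -> bytes:
    """SigV4 key derivation; the secret key itself is never sent to STS."""
    k = _hmac(("AWS4" + secret_key).encode(), date)
    k = _hmac(k, region)
    k = _hmac(k, service)
    return _hmac(k, "aws4_request")


def _string_to_sign(headers: dict, signed: list, body: bytes, amz_date: str, scope: str) -> str:
    """Canonical request (POST / with no query string) hashed into the string to sign."""
    canon_headers = "".join(f"{h}:{headers[h].strip()}\n" for h in signed)
    creq = "\n".join(["POST", "/", "", canon_headers, ";".join(signed), _sha256_hex(body)])
    return f"{ALGO}\n{amz_date}\n{scope}\n{_sha256_hex(creq.encode())}"


def sign_sts_request(access_key, secret_key, body, amz_date, session_token=None, region="us-east-1"):
    """Client side: headers for a signed POST to the regional STS endpoint.

    session_token is present when the caller already runs on temporary
    credentials (e.g. role chaining); it travels in X-Amz-Security-Token
    and is covered by the signature like every other signed header."""
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": f"sts.{region}.amazonaws.com",
        "x-amz-date": amz_date,
    }
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = sorted(headers)
    date = amz_date[:8]
    scope = f"{date}/{region}/sts/aws4_request"
    sts = _string_to_sign(headers, signed, body, amz_date, scope)
    sig = hmac.new(signing_key(secret_key, date, region, "sts"), sts.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"{ALGO} Credential={access_key}/{scope}, SignedHeaders={';'.join(signed)}, Signature={sig}"
    )
    return headers


def verify_sigv4(headers: dict, body: bytes, keystore: dict) -> bool:
    """Stand-in for the authentication step STS performs on every request:
    look up the secret behind the presented access key id, recompute the
    signature over the received request, compare in constant time.
    Success only establishes who is calling; whether that principal may
    assume the role is decided afterwards against the role's trust policy.
    Clock-skew and replay checks are omitted in this model."""
    try:
        algo, rest = headers["authorization"].split(" ", 1)
        fields = dict(p.strip().split("=", 1) for p in rest.split(","))
        access_key, date, region, service, _ = fields["Credential"].split("/")
        signed = fields["SignedHeaders"].split(";")
        if algo != ALGO or service != "sts" or date != headers["x-amz-date"][:8]:
            return False
        secret = keystore[access_key]  # KeyError for an unknown key id
        scope = f"{date}/{region}/{service}/aws4_request"
        expected_sts = _string_to_sign(headers, signed, body, headers["x-amz-date"], scope)
    except (KeyError, ValueError):
        return False
    expected = hmac.new(signing_key(secret, date, region, service), expected_sts.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, fields["Signature"])


if __name__ == "__main__":
    body = assume_role_body(DEMO_ROLE_ARN, "audit-session")
    hdrs = sign_sts_request(DEMO_ACCESS_KEY, DEMO_SECRET_KEY, body, "20240101T000000Z")
    print(hdrs["authorization"])
    print("authenticated:", verify_sigv4(hdrs, body, {DEMO_ACCESS_KEY: DEMO_SECRET_KEY}))
```

The split is visible in the two functions: `sign_sts_request` is what the caller (an IAM user with long-term keys, or a role already holding temporary keys plus a session token) does to prove possession of its credentials, and `verify_sigv4` is the identity check STS performs before it even looks at the role's trust policy. Any change to the body, to a signed header such as `x-amz-security-token`, or an unknown access key id fails that check. For federated callers (AssumeRoleWithSAML, AssumeRoleWithWebIdentity) the request is unsigned and STS instead validates the SAML assertion or OIDC token presented in the body, which is the case the question describes as authentication by a third party.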
