STS Federation

This page demonstrates AWS Federation. Using IAM credentials, an STS token is created and used.

Step 1: Supply Credentials Long-term IAM user credentials are needed. This IAM user must have a policy attached to it that a) allows it to create an STS token and b) has at least the same permissions as granted in step 2. Please note; credentials are tested using ec2:DescribeRegions() so in this lab, these credentials also need that permission.

Step 2: Create Custom STS Token A temporary STS token is created. Supply: a) User name, b) policy and c) duration this token will be valid.

Step 3: Use the token Use the token to access AWS services (like DynamoDB) or redirect the AWS Console.

0% Complete (success)

IAM User Access Key

IAM User Secret Key

0% Complete (success)

Step 2: Enter STS Customization


User name

Duration

Policy

0% Complete (success)

The STS Token

The STS token consists of the following components

STS Access Key ?
STS Secret Key ?
STS Session Token (packed policy) ?
STS Expiration ?
STS ARN ?
0% Complete (success) 
 
???

Visit the URL on the left. Then, copy the result down here

Why is this so complicated?

Thanks to CORS; cross-origin resource sharing. Without it, a web page could contain Javascript that would crawl your LAN and send the results to the bad guys. Normally, Javascript can only access the URL it was downloaded from. Luckily, many AWS services allow access because they are CORS friendly. The IAM URL's are not so we cannot retrieve the token ourselves. Please do some copy-and-pasting.
0% Complete (success) 
 
???

Visit the URL on the left

This should allow access to the AWS Console, using the STS Credentials and custom policy defined in the previous steps.