Steps to implement the STS code:
1. Create an IAM user (IAM).
2. Give this IAM user a few permissions (p1, p2).
3. Create a role that the IAM user can assume (R1).
4. Create a policy that allows the IAM user to assume R1, referenced by its role ARN (p3).
5. Call the AssumeRole API to finally assume the role R1 (Java).
    aws iam create-user --user-name Tyler
    {
        "User": {
            "Path": "/",
            "UserName": "Tyler",
            "UserId": "AIDAWSIFEYCAWKUI6026W",
            "Arn": "451519234177:user/Tyler",
            "CreateDate": "2021-03-28T08:13:12+00:00"
        }
    }

    aws iam create-access-key --user-name Tyler
    {
        "AccessKey": {
            "UserName": "Tyler",
            "AccessKeyId": "AKIAWSIFEYCASZBVUIUYD",
            "Status": "Active",
            "SecretAccessKey": "3pFfJieG/n7u76+FrCPnX5nQRW2H4cxm3Td3e10s",
            "CreateDate": "2021-03-28T-08:13:34+00:00"
        }
    }

    aws configure
Create a policy that allows listing Lambda functions, and test it with the AWS CLI.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "lambda:ListFunctions"
                ],
                "Resource": "*"
            }
        ]
    }

    aws lambda list-functions --region us-west-1
Edit the policy so that it also allows assuming the 'AssumeThisRole' role (the resource is the role ARN, so the user can assume only this one role).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "lambda:ListFunctions"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "sts:AssumeRole"
                ],
                "Resource": "arn:aws:iam::451519234177:role/AssumeThisRole"
            }
        ]
    }
Create the IAM role named AssumeThisRole.
Create a policy that allows listing roles and attach it to AssumeThisRole (this is all the assumed role will be able to do).

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:ListRoles"
                ],
                "Resource": "*"
            }
        ]
    }
Edit the trust relationship to define who is allowed to assume this role (AssumeThisRole). Both sides must agree: the user's policy must allow sts:AssumeRole on the role, and the role's trust policy must name the user as a principal.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "AWS": "arn:aws:iam::451519234177:user/Tyler"
                },
                "Action": "sts:AssumeRole"
            }
        ]
    }
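The five steps above done end-to-end with the AWS CLI instead of the console, as an added example (this script is not part of the original post). It keeps the account id, user name and role name from the post, uses inline policies (put-user-policy / put-role-policy) rather than the console's managed policies, and assumes two CLI profiles that are not in the post: "admin" with rights to create IAM entities, and "tyler" holding the access key created with create-access-key. The policy-generating functions also carry a small sanity check for the two mistakes that make IAM reject a document: the misspelled key "Satement" and an IAM ARN without the "iam" service field.

```shell
#!/bin/sh
# Added example, not from the original post. Provisions the user policy, the
# role with its trust policy and permission policy, then calls AssumeRole as
# the user and uses the temporary credentials. Profiles "admin" and "tyler"
# are assumptions; account id and names come from the post.
set -eu

ACCOUNT_ID="451519234177"
USER_NAME="Tyler"
ROLE_NAME="AssumeThisRole"
ADMIN_PROFILE="${ADMIN_PROFILE:-admin}"   # assumed: profile that may create IAM entities
USER_PROFILE="${USER_PROFILE:-tyler}"     # assumed: profile holding Tyler's access key

# Identity policy for the user: list Lambda functions and assume exactly one role.
user_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "lambda:ListFunctions", "Resource": "*" },
    { "Effect": "Allow", "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::$1:role/$2" }
  ]
}
EOF
}

# Trust policy for the role: only the named user may call AssumeRole on it.
trust_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::$1:user/$2" },
      "Action": "sts:AssumeRole" }
  ]
}
EOF
}

# Permission policy for the role: the assumed session may only list roles.
role_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "iam:ListRoles", "Resource": "*" }
  ]
}
EOF
}

# Offline sanity check before calling AWS: the key must be spelled "Statement"
# and every ARN must carry the "iam" service field ("arn:aws::" is malformed).
policy_looks_valid() {
  printf '%s' "$1" | grep -q '"Statement"' || return 1
  printf '%s' "$1" | grep -q '"Satement"' && return 1
  printf '%s' "$1" | grep -q 'arn:aws::' && return 1
  return 0
}

provision() {
  user_policy "$ACCOUNT_ID" "$ROLE_NAME" > /tmp/user-policy.json
  trust_policy "$ACCOUNT_ID" "$USER_NAME" > /tmp/trust-policy.json
  role_policy > /tmp/role-policy.json
  for f in /tmp/user-policy.json /tmp/trust-policy.json /tmp/role-policy.json; do
    policy_looks_valid "$(cat "$f")" || { echo "malformed policy: $f" >&2; exit 1; }
  done

  # Steps 2 to 4: attach the user policy, create the role, attach the role policy.
  aws iam put-user-policy --user-name "$USER_NAME" --policy-name ListLambdaAndAssume \
      --policy-document file:///tmp/user-policy.json --profile "$ADMIN_PROFILE"
  aws iam create-role --role-name "$ROLE_NAME" \
      --assume-role-policy-document file:///tmp/trust-policy.json --profile "$ADMIN_PROFILE"
  aws iam put-role-policy --role-name "$ROLE_NAME" --policy-name ListRolesOnly \
      --policy-document file:///tmp/role-policy.json --profile "$ADMIN_PROFILE"
  sleep 10   # IAM is eventually consistent; a fresh role can be rejected for a few seconds

  # Step 5 with the CLI: AssumeRole as Tyler, then export the temporary credentials.
  creds=$(aws sts assume-role --role-arn "arn:aws:iam::$ACCOUNT_ID:role/$ROLE_NAME" \
      --role-session-name Session_1 --duration-seconds 3600 --profile "$USER_PROFILE" \
      --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text)
  AWS_ACCESS_KEY_ID=$(printf '%s' "$creds" | cut -f1)
  AWS_SECRET_ACCESS_KEY=$(printf '%s' "$creds" | cut -f2)
  AWS_SESSION_TOKEN=$(printf '%s' "$creds" | cut -f3)
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN

  aws sts get-caller-identity                           # shows the assumed-role ARN
  aws iam list-roles --query 'Roles[].Arn' --output text  # allowed by ListRolesOnly
}

# Only touch AWS when explicitly asked: ./sts-demo.sh provision
if [ "${1:-}" = "provision" ]; then provision; fi
```

Usage: run with the single argument `provision`; without it the script only defines the functions, which is what lets the policy generators be checked offline. The exported session credentials replace the "tyler" profile for the rest of the shell, so any call outside iam:ListRoles (for example the delete-role attempt in the post's Java code) is denied, which is the behaviour the post expects.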
Using the Java SDK to test STS.
Add the dependencies to pom.xml (the versions come from the aws-java-sdk-bom if one is declared in dependencyManagement; otherwise add a version to each).

    <!-- To assume the role -->
    <dependency>
        <groupId>com.amazonaws</groupId>
        <artifactId>aws-java-sdk-sts</artifactId>
    </dependency>
    <!-- To list roles -->
    <dependency>
        <groupId>com.amazonaws</groupId>
        <artifactId>aws-java-sdk-iam</artifactId>
    </dependency>
Write Java code to call the assumeRole API.

    package com.tyler.config.test.aws.sts;

    import com.amazonaws.auth.AWSStaticCredentialsProvider;
    import com.amazonaws.auth.BasicSessionCredentials;
    import com.amazonaws.services.identitymanagement.AmazonIdentityManagement;
    import com.amazonaws.services.identitymanagement.AmazonIdentityManagementClientBuilder;
    import com.amazonaws.services.identitymanagement.model.DeleteRoleRequest;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
    import com.amazonaws.services.securitytoken.AWSSecurityTokenServiceClientBuilder;
    import com.amazonaws.services.securitytoken.model.AssumeRoleRequest;
    import com.amazonaws.services.securitytoken.model.AssumeRoleResult;
    import com.amazonaws.services.securitytoken.model.Credentials;

    public class StsTest {
        public static void main(String[] args) {
            // The ARN of the role we want to assume (the "iam" service field is required).
            String roleARN = "arn:aws:iam::451519234177:role/AssumeThisRole";
            String roleSessionName = "Session_1"; // Any name; it identifies the session in CloudTrail.

            // Built on the default credential chain, i.e. Tyler's keys from `aws configure`.
            AWSSecurityTokenService stsClient = AWSSecurityTokenServiceClientBuilder.standard().build();

            /*
             * withRoleArn: the role ARN we want to assume.
             * withRoleSessionName: the session name chosen above.
             * withDurationSeconds: how long the temporary credentials stay valid.
             */
            AssumeRoleRequest roleRequest = new AssumeRoleRequest()
                    .withRoleArn(roleARN)
                    .withRoleSessionName(roleSessionName)
                    .withDurationSeconds(3600);
            AssumeRoleResult assumeResult = stsClient.assumeRole(roleRequest); // Call the AssumeRole API
            Credentials temporaryCredentials = assumeResult.getCredentials();

            System.out.println("ACCESS_KEY_ID ===> " + temporaryCredentials.getAccessKeyId());
            System.out.println("SECRET_ACCESS_KEY ===> " + temporaryCredentials.getSecretAccessKey());
            System.out.println("SESSION_TOKEN ===> " + temporaryCredentials.getSessionToken());

            // Build an IAM client from the temporary credentials (key id, secret and session token).
            BasicSessionCredentials credentials = new BasicSessionCredentials(
                    temporaryCredentials.getAccessKeyId(),
                    temporaryCredentials.getSecretAccessKey(),
                    temporaryCredentials.getSessionToken());
            AWSStaticCredentialsProvider credentialsProvider = new AWSStaticCredentialsProvider(credentials);
            AmazonIdentityManagement client = AmazonIdentityManagementClientBuilder.standard()
                    .withCredentials(credentialsProvider)
                    .build();

            System.out.println();
            System.out.println("************************LIST-ROLES************************");
            client.listRoles().getRoles().forEach(r -> System.out.println(r.getArn()));

            // Try to delete a role: this throws an AccessDenied exception, because the
            // role's policy only grants the ListRoles permission.
            client.deleteRole(new DeleteRoleRequest().withRoleName("amplify-amplifygraphqldema-dev-183938-authRole"));
        }
    }