STS - AssumeRoleWithWebIdentity

Question 1

What is AssumeRole with Web Identity?

Answer 1

Assume-role-with-web-identity is an API provided by STS (Security Token Service) that allows users authenticated with a web identity provider to access AWS resources. It allows sign-up and sign-in

Question 2

What is STS?

Answer 2

STS stands for the Security Token Service. It is an API provided by AWS as part of the Security Token Service.

Question 3

What is the purpose of AssumeRole with Web Identity API call?

Answer 3

The AssumeRole with Web Identity API call allows users authenticated with a web identity provider to access AWS resources after successful authentication.

Question 4

What are Temporary Credentials in the context of STS?

Answer 4

If successful, STS will return temporary credentials enabling access to AWS resources for the authenticated user.

Question 5

What is an Assumed Role User?

Answer 5

Within the Assumed Role User, the ARN (Amazon Resource Name) and Assumed Role ID are used to programmatically reference the temporary credentials, not an IAM role or user.

Question 6

What is the recommended approach for mobile applications in terms of using AssumeRole with Web Identity API?

Answer 6

For regular web applications, the assume-role-with-web-identity API can be used. However, for mobile applications, AWS recommends using Amazon Cognito.

Question 7

What is the full workflow of STS for AssumeRole with Web Identity?

Answer 7

1. User/web application authenticates with the Web Identity Provider.
2. The Web Identity Provider sends back a JWT token.
3. The web application uses the assume-role-with-web-identity API including the JWT.
4. STS returns the AWS credentials (Access Key and Secret Access Key).
5. The application can use the temporary credentials to access AWS resources.