Post a reply

Before posting, please read how to report bug or request support effectively.

Bug reports without an attached log file are usually useless.

Options
Add an Attachment

If you do not want to add an Attachment to your Post, please leave the Fields blank.

(maximum 10 MB; please compress large files; only common media, archive, text and programming file formats are allowed)

Options

Topic review

fritz.grobbelaar

S3 Role switching would improve security for cross-account applications

Currently, the API keys needs to be of the AWS account in question.

For users of multiple accounts, this opens up another set of keys that can become lost/stolen/misplaced.

Security would be improved if one had the option to switch users and request temporary credentials from AWS:

My python snippet:
def GetS3Session():
import os
s3Client = boto3.client('sts')
tempCredentials = s3Client.assume_role(RoleArn="arn:aws:iam::00000000000:role/Prod-Integration",RoleSessionName="default")
aws_secret_access_key = tempCredentials["Credentials"]["SecretAccessKey"]
aws_access_key_id = tempCredentials["Credentials"]["AccessKeyId"]
token = tempCredentials["Credentials"]["SessionToken"]
s3 = boto3.resource('s3',aws_access_key_id=aws_access_key_id,aws_secret_access_key=aws_secret_access_key,aws_session_token=token)
return s3