S3 Role switching would improve security for cross-account applications
Currently, the API keys need to be from the AWS account in question.
For users of multiple accounts, this opens up another set of keys that can become lost/stolen/misplaced.
Security would be improved if one had the option to switch users and request temporary credentials from AWS:
My python snippet:
import boto3

def GetS3Session():
    # Ask STS for short-lived credentials for the cross-account role.
    # The long-lived keys used here only need sts:AssumeRole on that role.
    stsClient = boto3.client('sts')
    tempCredentials = stsClient.assume_role(
        RoleArn="arn:aws:iam::00000000000:role/Prod-Integration",  # placeholder account ID
        RoleSessionName="default")
    creds = tempCredentials["Credentials"]
    # Build the S3 resource from the temporary key pair plus its session token.
    s3 = boto3.resource('s3',
        aws_access_key_id=creds["AccessKeyId"],
        aws_secret_access_key=creds["SecretAccessKey"],
        aws_session_token=creds["SessionToken"])
    return s3
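The credentials that AssumeRole returns are temporary (one hour by default, and never longer than the role's maximum session duration), so a resource built once from them stops working at the Expiration time. The example below is added here and is not the poster's code: it wraps any AssumeRole-shaped callable in a small cache that calls STS only when the credentials are missing or within a refresh margin of expiring, passes through optional parameters such as ExternalId (the standard mitigation for the cross-account confused-deputy problem), and maps the result onto the keyword names boto3.client()/boto3.resource() accept. The FakeSts class, the 123456789012 account ID, the role and session names and the "example-external-id" value are all constructed for the offline run and are not real AWS data; in production you would pass boto3.client('sts').assume_role as the callable instead.

```python
"""Cache and refresh STS AssumeRole credentials before they expire (added example)."""
import datetime as dt
from typing import Any, Callable, Dict, List, Optional

# STS AssumeRole returns a "Credentials" dict with AccessKeyId, SecretAccessKey,
# SessionToken and Expiration (boto3 parses Expiration to a tz-aware datetime).
AssumeRoleFn = Callable[..., Dict[str, Any]]


class RoleCredentialCache:
    """Hands out temporary credentials for one role, calling STS only when the
    cached set is missing or about to expire."""

    def __init__(self, assume_role: AssumeRoleFn, role_arn: str, session_name: str,
                 refresh_margin: dt.timedelta = dt.timedelta(minutes=5),
                 now: Callable[[], dt.datetime] = lambda: dt.datetime.now(dt.timezone.utc),
                 **assume_role_kwargs: Any) -> None:
        self._assume_role = assume_role
        self._role_arn = role_arn
        self._session_name = session_name
        self._margin = refresh_margin
        self._now = now                      # injectable clock, so expiry is testable
        self._extra = assume_role_kwargs     # e.g. ExternalId=..., DurationSeconds=...
        self._creds: Optional[Dict[str, Any]] = None
        self.sts_calls = 0

    def _stale(self) -> bool:
        if self._creds is None:
            return True
        # Refresh a little before Expiration so an in-flight request never
        # starts with credentials that are seconds from being rejected.
        return self._now() >= self._creds["Expiration"] - self._margin

    def credentials(self) -> Dict[str, Any]:
        if self._stale():
            resp = self._assume_role(RoleArn=self._role_arn,
                                     RoleSessionName=self._session_name,
                                     **self._extra)
            self._creds = resp["Credentials"]
            self.sts_calls += 1
        return self._creds

    def boto3_kwargs(self) -> Dict[str, str]:
        """Keyword arguments accepted by boto3.client() / boto3.resource()."""
        c = self.credentials()
        return {"aws_access_key_id": c["AccessKeyId"],
                "aws_secret_access_key": c["SecretAccessKey"],
                "aws_session_token": c["SessionToken"]}


class FakeSts:
    """Constructed stand-in for boto3's STS client so the example runs offline.
    It returns the AssumeRole response shape with a one-hour lifetime."""

    def __init__(self, clock: Callable[[], dt.datetime],
                 lifetime: dt.timedelta = dt.timedelta(hours=1)) -> None:
        self._clock = clock
        self._lifetime = lifetime
        self.calls: List[Dict[str, Any]] = []

    def assume_role(self, **kwargs: Any) -> Dict[str, Any]:
        self.calls.append(kwargs)
        n = len(self.calls)
        return {"Credentials": {
            "AccessKeyId": f"ASIAFAKE{n:08d}",        # fake, not a real key
            "SecretAccessKey": f"fake-secret-{n}",
            "SessionToken": f"fake-token-{n}",
            "Expiration": self._clock() + self._lifetime}}


def demo():
    """Walk the cache through first use, reuse, and refresh near expiry."""
    clock = {"t": dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)}  # constructed clock
    now = lambda: clock["t"]
    sts = FakeSts(now)
    cache = RoleCredentialCache(
        sts.assume_role,
        "arn:aws:iam::123456789012:role/Prod-Integration",  # hypothetical role ARN
        "s3-app", now=now,
        ExternalId="example-external-id")                   # hypothetical value
    first = cache.boto3_kwargs()
    again = cache.boto3_kwargs()             # still fresh: served from cache
    clock["t"] += dt.timedelta(minutes=56)   # inside the 5-minute refresh margin
    refreshed = cache.boto3_kwargs()         # triggers a second AssumeRole
    return first, again, refreshed, cache.sts_calls, sts.calls


if __name__ == "__main__":
    first, again, refreshed, calls, _ = demo()
    print(f"STS calls: {calls}, first key {first['aws_access_key_id']}, "
          f"refreshed key {refreshed['aws_access_key_id']}")
```

Pass `boto3.client('sts').assume_role` as the callable and feed `cache.boto3_kwargs()` to `boto3.resource('s3', **...)` each time you need a client; the long-lived access keys on the calling side then only need permission for sts:AssumeRole on the target role, and nothing in the S3 account ever has to hold a permanent key pair.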