S3 Role switching would improve security for cross-account applications

fritz.grobbelaar (1 post, South Africa)

Currently, the API keys need to be from the AWS account in question.

For users of multiple accounts, this opens up another set of keys that can become lost/stolen/misplaced.

Security would be improved if one had the option to switch users and request temporary credentials from AWS:

My python snippet:

    import boto3

    def GetS3Session():
        # Ask STS for temporary credentials for the role in the target account
        sts = boto3.client('sts')
        tempCredentials = sts.assume_role(
            RoleArn="arn:aws:iam::00000000000:role/Prod-Integration",
            RoleSessionName="default")
        creds = tempCredentials["Credentials"]
        # Build the S3 resource from the temporary key, secret and session token
        s3 = boto3.resource('s3',
                            aws_access_key_id=creds["AccessKeyId"],
                            aws_secret_access_key=creds["SecretAccessKey"],
                            aws_session_token=creds["SessionToken"])
        return s3

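The flow requested above, worked through as an added example that is not the poster's code: one identity assumes the cross-account role with an ExternalId and a short session duration, and re-assumes it before the temporary credentials lapse, so no long-lived keys for the second account exist. The role ARN, ExternalId and session name are placeholders; the STS client is injected so the constructed FakeSts can exercise the logic offline.

```python
from datetime import datetime, timedelta, timezone

ROLE_ARN = "arn:aws:iam::000000000000:role/Prod-Integration"  # placeholder account id
EXTERNAL_ID = "replace-with-shared-external-id"                 # placeholder value
REFRESH_MARGIN = timedelta(minutes=5)


class AssumedRole:
    """Temporary credentials for one cross-account role, re-assumed before they lapse."""
    def __init__(self, sts_client, role_arn=ROLE_ARN, external_id=EXTERNAL_ID,
                 session_name="s3-integration", duration=900):
        self.sts = sts_client            # injected so the logic runs offline with a fake
        self.role_arn = role_arn
        self.external_id = external_id
        self.session_name = session_name
        self.duration = duration         # 900 s is the STS minimum; keep sessions short
        self._creds = None

    def _assume(self):
        resp = self.sts.assume_role(
            RoleArn=self.role_arn, RoleSessionName=self.session_name,
            ExternalId=self.external_id,  # the role's trust policy should require this
            DurationSeconds=self.duration)
        self._creds = resp["Credentials"]

    def needs_refresh(self, now=None):
        now = now or datetime.now(timezone.utc)
        return self._creds is None or self._creds["Expiration"] - now <= REFRESH_MARGIN

    def credentials(self, now=None):
        """boto3 keyword arguments holding currently valid temporary credentials."""
        if self.needs_refresh(now):
            self._assume()
        c = self._creds
        return {"aws_access_key_id": c["AccessKeyId"],
                "aws_secret_access_key": c["SecretAccessKey"],
                "aws_session_token": c["SessionToken"]}

    def s3_resource(self):
        import boto3  # imported lazily so everything above runs without the SDK installed
        return boto3.resource("s3", **self.credentials())


class FakeSts:
    """Constructed stand-in for an STS client; issues a new token on every call."""
    def __init__(self):
        self.calls = 0

    def assume_role(self, **kw):
        self.calls += 1
        expires = datetime.now(timezone.utc) + timedelta(seconds=kw["DurationSeconds"])
        return {"Credentials": {"AccessKeyId": f"ASIAFAKE{self.calls}",
                                "SecretAccessKey": "fake-secret",
                                "SessionToken": f"fake-token-{self.calls}",
                                "Expiration": expires}}
```

With a real client, pass `boto3.client("sts")` instead of `FakeSts()` and call `s3_resource()`; the source identity only needs `sts:AssumeRole` on that one role ARN.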