Web Identity Federation with Google Identity Provider - AWS Certified Security - Specialty Exam

STS Response to AssumeRoleWithWebIdentity - AWS Certified Security - Specialty Exam

Question

A development team is creating a mobile app that needs access to AWS resources such as S3 buckets and RDS instances.

The team plans to configure a web identity federation with Google identity provider to manage user identities outside of AWS. IAM roles have been created for the web identity federation.

After users authenticate with Google, the AWS Security Token Service (STS) returns temporary AWS credentials to the app. Which information exists in the STS response to AssumeRoleWithWebIdentity?

Answers

Explanations


A. B. C. D.

Answer : A.

Option A is CORRECT because the temporary security credentials returned by STS include SessionToken, SecretAccessKey, and AccessKeyId.

Applications can use these credentials to sign calls to AWS service API operations.

Option B is incorrect because the policy ARN only appears in the AssumeRoleWithWebIdentity request to STS.

Option C is incorrect because the WebIdentityToken is provided by the identity provider.

The token exists in the AssumeRoleWithWebIdentity request.

Option D is incorrect because there is no SAMLAssertion information, and the web identity federation does not use SAML.

Reference:

https://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html

When users authenticate with Google, the mobile app sends an OpenID Connect (OIDC) authentication request to the Google Identity Provider (IdP). Google responds with an ID token and an access token.

The mobile app uses the ID token and the access token to call the AWS Security Token Service (STS) AssumeRoleWithWebIdentity API. The API request must include the Amazon Resource Name (ARN) of the IAM role that the app wants to assume, the Google Identity Provider's client ID, and the ID token and access token that the app obtained from Google.

The STS service validates the tokens and, if the validation is successful, returns temporary security credentials. These credentials include an AccessKeyId, SecretAccessKey, and a SessionToken.

The AccessKeyId and SecretAccessKey are used to sign requests to AWS services. The SessionToken is a temporary token that indicates the user's authenticated session, and it is used to authorize the user's access to AWS resources.

The STS response does not contain the policy ARN that is used by the web identity IAM role. Instead, the IAM role has a trust policy that specifies the allowed identity providers and the conditions under which the role can be assumed.

The STS response also does not contain the WebIdentityToken, which is used to access AWS resources. The WebIdentityToken is sent to AWS as part of the STS AssumeRoleWithWebIdentity API request, but it is not returned in the response.

Finally, the STS response does not contain the SAMLAssertion returned by the Google identity provider. SAML (Security Assertion Markup Language) is not used in this scenario. Instead, the authentication is based on OIDC (OpenID Connect).
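To make the two points above concrete (which fields come back from STS, and that the role's trust policy rather than the response is what restricts who can assume it), here is an added Python example that is not part of the original page or of any AWS SDK. It checks a constructed trust policy for the Google federated principal, the AssumeRoleWithWebIdentity action and the `accounts.google.com:aud` client-ID condition, and maps a constructed STS response to the environment variables the AWS SDKs read; the client ID, key IDs and tokens are placeholders, and Expiration is a field STS returns alongside the three the explanation names.

```python
from datetime import datetime, timedelta, timezone

# Constructed trust policy for the Google web-identity role; "CLIENT_ID_PLACEHOLDER"
# stands in for the app's Google OAuth client ID.
GOOGLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "accounts.google.com"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {"accounts.google.com:aud": "CLIENT_ID_PLACEHOLDER"}},
    }],
}

def check_google_trust_policy(policy, client_id):
    """Return findings; an empty list means the role is pinned to Google and to this app."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if stmt.get("Principal", {}).get("Federated") != "accounts.google.com":
            findings.append("federated principal is not accounts.google.com")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            findings.append("statement does not allow sts:AssumeRoleWithWebIdentity")
        aud = stmt.get("Condition", {}).get("StringEquals", {}).get("accounts.google.com:aud")
        if aud != client_id:
            # Without the audience condition, any app that can obtain a Google ID
            # token could assume this role, not only the one the team built.
            findings.append("accounts.google.com:aud condition missing or wrong")
    return findings
# Constructed STS response: the three credential fields named above, plus Expiration.
SAMPLE_STS_RESPONSE = {"Credentials": {
    "AccessKeyId": "ASIAEXAMPLEKEYID",
    "SecretAccessKey": "example-secret-access-key",
    "SessionToken": "example-session-token",
    "Expiration": datetime.now(timezone.utc) + timedelta(hours=1),
}}
def env_from_sts_response(response, now=None):
    """Map temporary credentials to the variables the AWS SDKs read; refuse expired ones."""
    creds = response["Credentials"]
    if creds["Expiration"] <= (now or datetime.now(timezone.utc)):
        raise ValueError("temporary credentials have expired; call STS again")
    return {
        "AWS_ACCESS_KEY_ID": creds["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": creds["SecretAccessKey"],
        "AWS_SESSION_TOKEN": creds["SessionToken"],  # required for temporary credentials
    }
```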