A developer is building an application that needs access to an S3 bucket.
An IAM role is created with the required permissions to access the S3 bucket.
Which API call should the Developer use in the application so that the code can access to the S3 bucket?
Click on the arrows to vote for the correct answer
A. B. C. D.Answer - D.
This is given in the AWS Documentation.
A role specifies a set of permissions that you can use to access AWS resources.
In that sense, it is similar to an IAM user.
An application assumes a role to receive permissions to carry out required tasks and interact with AWS resources.
The role can be in your own account or any other AWS account.
For more information about roles, their benefits, and how to create and configure them, see IAM Roles, and Creating IAM Roles.
To learn about the different methods that you can use to assume a role, see Using IAM Roles.
Important.
The permissions of your IAM user and any roles that you assume are not cumulative.
Only one set of permissions is active at a time.
When you assume a role, you temporarily give up your previous user or role permissions and work with the permissions assigned to the role.
When you exit the role, your user permissions are automatically restored.
To assume a role, an application calls the AWS STS AssumeRole API operation and passes the ARN of the role to use.
When you call AssumeRole, you can optionally pass a JSON policy.
This allows you to restrict permissions for that for the role's temporary credentials.
This is useful when you need to give the temporary credentials to someone else.
They can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role.
You cannot use the passed policy to grant permissions that are in excess of those allowed by the permissions policy of the role that is being assumed.
To learn more about how AWS determines the effective permissions of a role, see Policy Evaluation Logic.
Option A is incorrect because IAM does not have this API.
Option B is incorrect because STS:GetSessionToken is used if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances.
MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code associated with their MFA device.
Option C is incorrect because IAM does not have this API.
For more information on switching roles, please refer to the below Link-
https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-api.htmlThe correct answer is D. STS:AssumeRole.
Explanation: When a developer creates an IAM role with permissions to access an S3 bucket, they can use the AWS Security Token Service (STS) AssumeRole API to obtain temporary security credentials that can be used to access the S3 bucket.
The AssumeRole API allows an IAM user or an AWS service to assume a role temporarily to perform specific actions on AWS resources. When an IAM user or an AWS service assumes a role, AWS returns temporary security credentials that can be used to access resources that are allowed by the role.
Using the temporary security credentials obtained through AssumeRole, the developer can then access the S3 bucket using the S3 API.
A. IAM: AccessRole is not a valid API call.
B. STS: GetSessionToken returns temporary credentials for an IAM user. It is not used to assume a role.
C. IAM:GetRoleAccess is not a valid API call.
D. STS:AssumeRole is the correct API call to use when assuming an IAM role to obtain temporary security credentials.