The presenter has done a really good job in explaining the concepts considering the video was uploaded 4 years back. Thank you!
@udaitech5891 3 years ago
This is the best explanation I have ever seen on KZbin. It explains how it works and also how it does not work. That is the best part.
@MrDpwilson333 2 years ago
BEST description out there. Interactive, troubleshooting, details etc! Great job. The only thing more I could ask for is doing this with SSO accounts.
@erezhazan100 3 years ago
One of the best explanations ever, finally I understand! Thanks!
@abduljabbarazam943 4 years ago
Now I know how the STS Service is used. Thank you.
@sandro_j 3 years ago
Great explanation and demo - really helpful. You are a great teacher.
@gagangupta1255 4 years ago
Simply awesome. You explained it all in a very easy way. God bless, thanks for uploading!
@cloudopian 4 years ago
Glad it was helpful!
@edydon 1 year ago
Great video. Keep up the great work!
@cloudopian 1 year ago
Thanks!
@dreamEternal 3 years ago
This is really good man, thank you.
@AkhileshPandey-bv5ni 3 years ago
Thank you for such a good explanation!
@smacdonald2012 4 years ago
Thank you, excellent explanation. I was looking for the syntax to trust a user!
@praneeth0820 4 years ago
Very well explained, thanks for uploading!!
@sombiri9147 2 years ago
Great explanation
@johnzabroski5396 4 years ago
@cloudopian Nice tutorial, but shouldn't you update the Role description from "Allows EC2 instances to call AWS services on your behalf."? Minor detail, but I believe your latent point is that the first part of the wizard doesn't really matter - you can pick EC2 and then later adjust the JSON to fit exactly what you want, and that is probably way faster once you know what you're doing
@SalvationInUnity 3 years ago
Awesome explanation, thank you!
@vinuslingmedia 2 years ago
Very well explained video. Thanks for this. :)
@madixit75 3 years ago
Excellent explanation. The only use case I can think of is cross-account access.
@cloudopian 3 years ago
There are multiple use cases, such as:
- cross-account authentication
- DevOps pipelines
- apps that need to access services where you want to dynamically change the permissions depending on the users/apps/features (e.g. a SaaS application that needs to limit AWS services based on the SaaS plan/tier the user belongs to)
- apps that need to change permissions based on various parameters (like weather, role, time of day, whether the production environment is locked for deployments)
Note that although I have used a fixed role with fixed role permissions, you can dynamically change the permission set. For example, you can dynamically create a JSON IAM policy and pass it to the STS assume-role call so that only those dynamically generated permissions get deployed.
@jaydeepkum 4 years ago
Superb demo and explanation. Of all places, this made the most sense to me. Thanks pal!
@punith.dg.619 4 years ago
Nice explanation. Thanks for uploading.
@hirolalwani6139 3 years ago
Excellent demo!!
@olehhrabovskyi5991 2 years ago
Nice, thank you.
@thirumaleswarareddy6464 3 years ago
Very well explained. Can you make something similar on a federated user assuming a role? Thank you
@jai3537 3 years ago
Hey, did you find your answer?
@Unknown-jk5wr 3 years ago
How do I disable permissions for the temporary security credentials of an assumed role before the expiry time?
@cloudopian 3 years ago
Basically you provide a date & time and specify that any credentials issued before that date and time should not be granted access. Here is an example: docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
@pengli7213 3 years ago
In my case, why does it show "fatal error: An error occurred (403) when calling the HeadObject operation: Forbidden"? Am I missing any permission in the policy? I have "s3:PutObject","s3:ListBucket","s3:GetObject","s3:DeleteObject".
@venkateshpolisetty8072 11 months ago
Hey. Nice explanation. I have a question. I am the admin user in the AWS account. I don't have any access key and secret key. I want to access S3 using temporary credentials. Is it possible?
@cloudopian 9 months ago
Yes, it's possible. From the command line you can generate temporary access and secret keys with just S3 access and then use those keys.
@pokoma2313 2 years ago
Hi, I was wondering if the credentials can be recreated? Because if they can, what's the use of these temporary credentials if the user can just keep recreating them?
@cloudopian 2 years ago
They can be recreated. Let's say you had a bug and mistakenly wrote them to a log file. Now your credentials are exposed. However, if the credentials are time limited, then even if you expose them, by the time a hacker tries to use them, the credentials have already expired. That's why you use temporary credentials.
@udayKumar-vv8mk 4 years ago
Good to go with these videos. Very helpful.
@goutamsarkar4441 3 years ago
Nicely explained!!
@rameshgupta5864 4 years ago
Very informative.
@ojarrellpro 4 years ago
Awesome tutorial sir!
@ramaswami1988 3 years ago
Nice information. What if the temp access key is leaked? How can we troubleshoot?
@cloudopian 3 years ago
You can create a CloudTrail trail and monitor for activity. To revoke access you can use the following technique: docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_revoke-sessions.html
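The revoke-sessions technique referenced in the two replies above (deny everything to sessions whose token was issued before a cutoff), as an added Python example that is not from the video or its author: it builds the inline Deny policy in the shape the linked AWS doc describes and evaluates constructed session issue times against it. The cutoff, session names and timestamps are constructed sample values.

```python
from datetime import datetime, timezone


def revoke_sessions_policy(cutoff: datetime) -> dict:
    """Inline Deny policy to attach to the role: every session whose token was
    issued before `cutoff` is denied all actions, even if it has not yet expired."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {"Version": "2012-10-17", "Statement": [{
        "Effect": "Deny", "Action": "*", "Resource": "*",
        "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}}}]}


def session_is_revoked(policy: dict, issued_at: datetime) -> bool:
    """Evaluate a session's issue time against the policy's DateLessThan condition.
    Simplified model: only aws:TokenIssueTime on Deny statements is considered."""
    for statement in policy["Statement"]:
        if statement.get("Effect") != "Deny":
            continue
        stamp = statement.get("Condition", {}).get("DateLessThan", {}).get("aws:TokenIssueTime")
        if stamp is None:
            continue
        cutoff = datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if issued_at < cutoff:  # DateLessThan is true -> the Deny applies
            return True
    return False


# Constructed scenario: a leak is noticed at 10:00 UTC, so every session issued
# before that moment is cut off; legitimate callers simply re-assume the role.
LEAK_NOTICED = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)
REVOKE_POLICY = revoke_sessions_policy(LEAK_NOTICED)

# Constructed sample sessions keyed by role session name.
SESSIONS = {
    "leaked-session": datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc),  # unexpired but pre-cutoff
    "fresh-session": datetime(2024, 1, 15, 10, 5, tzinfo=timezone.utc),   # re-assumed after the fix
}


def classify(sessions: dict) -> dict:
    """Map each session name to 'revoked' or 'active' under REVOKE_POLICY."""
    return {name: "revoked" if session_is_revoked(REVOKE_POLICY, issued) else "active"
            for name, issued in sessions.items()}


if __name__ == "__main__":
    print(classify(SESSIONS))
```

A session issued exactly at the cutoff is not matched by DateLessThan, so pick the cutoff at or just after the moment the leak is noticed rather than before it.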
@JUNO2206 3 years ago
Awesome ..!!
@pradeep_kumar_ind 3 years ago
This is a very informative video. Thanks. I would like to know if the STS credentials can be created through AWS Console?
@cloudopian 3 years ago
No, you can't. You need to use either the AWS CLI, PowerShell or one of the SDKs like .NET, Java or Python, to name a few.
@chaosinorderrr 3 years ago
How does AWS know that the Use-STSRole command is being run by the right user?
@cloudopian 3 years ago
This is a good question. You need to grant permission to run this command, i.e. the one who is executing Use-STSRole needs AssumeRole permission on that role. docs.aws.amazon.com/service-authorization/latest/reference/list_awssecuritytokenservice.html
@chaosinorderrr 3 years ago
@@cloudopian If I understand correctly, two things need to happen:
1. The user running the Use-STSRole command needs a policy attached that has AssumeRole permission.
2. The same user also needs a trust relationship on the role it's trying to assume.
Please correct me if I'm wrong.
@cloudopian 3 years ago
@@chaosinorderrr You are correct. Note that it's not only an IAM user that can assume a role, another IAM role or an AWS service can also assume a role provided they have permission to assume a role and have a trust relationship.
@sanjevsplay4396 3 years ago
Superb!!!!!
@ashab8469 3 years ago
Very good explanation 👏. I have some doubts; I'm very new to AWS. Actually, at work I usually log in to AWS using Okta Verify. Now I'm planning to automate access to CloudWatch logs, but I don't have access key and secret key credentials, so how can I get access to CloudWatch?
@cloudopian 3 years ago
I am not sure about the exact use case for you. Here are a few tips. Instead of using an access key and secret key, a role can assume another role. So instead of trusting a user you can trust a role. The role you trust can be the role Okta assumes as part of the Okta & AWS integration. When you log in with Okta, behind the scenes you are assuming a role. How do you plan to access CloudWatch in the first place? Is it a program (instead of a human user) that needs CloudWatch access? If that's the case, where is that program running? If it is running in an AWS compute environment (like EC2, Lambda, containers), these environments can assume a role with CloudWatch permissions, so any program running inside those environments will automatically get the permissions those environments assume. For example, in the first part of this video, I got Amazon S3 access because the role assigned to my dev machine had S3 access. Similarly, you can grant CloudWatch access to that role.
@ashab8469 3 years ago
@@cloudopian Thank you so much for reading and replying with such a nice explanation 😊. I really appreciate your kind response.
1. Actually we have 3 AWS accounts: devtest, stage, prod. For one account (devtest) we have access key and secret key details, with which I was able to automate a test case to fetch CloudWatch logs (with the help of the boto3 lib). In the same way I want to automate access to the CloudWatch logs of the stage AWS account, but for this account I don't have any access key and secret key details.
2. Usually when we manually access the 3 different AWS accounts we do it with Okta Verify. I was able to see, under account settings, that the account name is displayed as assumed-role, but shown outside as federated login.
3. I tried the same process you showed in this video, but I'm facing the error 'user has no permission'.
4. Even if my test case runs on the dev machine, its aws configure details have other access key and secret key set.
5. I have seen your other videos as well. Apart from a temporary key or an access key and secret key, is there any other possibility to access AWS?
@cloudopian 3 years ago
@@ashab8469 Two questions for you. 1. In which account does the automation program/application that wants to read the CloudWatch logs run? 2. In what AWS compute service (e.g. containers, Lambda, EC2 instance) does the program that wants to read CloudWatch run?
@cloudopian 3 years ago
Let's say you run your automation in stage and want to access the prod account's CloudWatch. First create an IAM role X in the stage account. Then create an IAM role Y in the prod account. Configure Y's trust policy to trust X. Attach a custom policy that allows CloudWatch read access to Y. Here is a reference for CloudWatch IAM: docs.aws.amazon.com/service-authorization/latest/reference/list_amazoncloudwatch.html. Then configure X to trust the compute service on which you are running your application (e.g. Lambda, EC2, etc.). Then attach X to the compute service. E.g. if you are running your application on EC2, X has to trust EC2 and then you attach X to the EC2 instance profile. When your application runs, it can then assume Y using the sts:AssumeRole permission (no access key or secret key is needed) and then, using those assumed credentials, you can read the CloudWatch logs.
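The two-sided check discussed in the Use-STSRole exchange above (trust policy on the target role plus sts:AssumeRole permission on the caller) and the X-trusts-EC2, Y-trusts-X chain in the reply just above, as an added Python example that is not from the video or its author. It builds both policy documents and runs a deliberately simplified model of the check; the account ids and role ARNs are constructed placeholders.

```python
import json

# Constructed placeholder ARNs: role X in the stage account, role Y in the prod account.
ROLE_X = "arn:aws:iam::111111111111:role/X"
ROLE_Y = "arn:aws:iam::222222222222:role/Y"


def trust_policy(trusted: str) -> dict:
    """Trust policy for the role being assumed. A service name such as
    ec2.amazonaws.com becomes a Service principal, anything else an AWS (ARN) principal."""
    key = "Service" if trusted.endswith(".amazonaws.com") else "AWS"
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {key: trusted}, "Action": "sts:AssumeRole"}]}


def assume_role_policy(target_arn: str) -> dict:
    """Identity policy for the caller: the sts:AssumeRole permission on the target role."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": target_arn}]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def _allows_assume(statement: dict) -> bool:
    return statement.get("Effect") == "Allow" and "sts:AssumeRole" in _as_list(statement.get("Action"))


def can_assume(caller_arn: str, caller_policy: dict, role_arn: str, role_trust: dict) -> bool:
    """Simplified model of the cross-account check from the thread: the target role's
    trust policy must name the caller AND the caller's identity policy must grant
    sts:AssumeRole on the target role. Exact ARNs only for principals, exact ARN or "*"
    for resources; Deny statements and Conditions are out of scope."""
    trusted = any(_allows_assume(s) and caller_arn in _as_list(s.get("Principal", {}).get("AWS"))
                  for s in role_trust["Statement"])
    permitted = any(_allows_assume(s) and any(r in ("*", role_arn) for r in _as_list(s.get("Resource")))
                    for s in caller_policy["Statement"])
    return trusted and permitted


if __name__ == "__main__":
    print(json.dumps(trust_policy("ec2.amazonaws.com"), indent=2))  # trust policy on X
    print(json.dumps(trust_policy(ROLE_X), indent=2))               # trust policy on Y
    print(json.dumps(assume_role_policy(ROLE_Y), indent=2))         # identity policy on X
    print(can_assume(ROLE_X, assume_role_policy(ROLE_Y), ROLE_Y, trust_policy(ROLE_X)))
```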
@ashab8469 3 years ago
@@cloudopian Thank you very much 🙂. This helps me a lot. I will try this 😀
@PavanSingisetty 4 years ago
Wouldn't the test user require sts:AssumeRole access?
@cloudopian 4 years ago
Good point. If your test user is in account A and you are assuming a role in account B, your test user in account A needs sts:AssumeRole permission in account A.
@karthikkarthik100 4 years ago
Super sir
@rahulpathak868 3 years ago
How can I pass the STS assume-role credentials in Lambda while calling an API endpoint?
@cloudopian 3 years ago
You need to use the SDK to do that. The same function I used in PowerShell is available in all the AWS SDKs (e.g. .NET, Java, Node, etc.).
@udayKumar-vv8mk 4 years ago
How can I reach you? I have some issues.
@soheilpro2015 4 years ago
Oh my God!!!! Thanks so much. I spent 2 days going through the AWS documentation with not much luck!! One question: how can you find the temporary key info when you have added the role in your profile?
@cloudopian 4 years ago
Thanks Mehdi, can you clarify what you mean by "added the role in your profile"? Do you mean the "temporary" access key and secret key you get from the role attached to the EC2 instance? If that's the case, usually you don't need to get the temporary access key and secret key generated for the EC2 instance role. That's because any program invoking the AWS API through the AWS SDK from inside that EC2 instance will have automatic access to that access key and secret key. However, if you really want to get that access key and secret key you can obtain it through the EC2 metadata endpoint at 169.254.169.254/latest/meta-data. You need to navigate to the following URL: 169.254.169.254/latest/meta-data/iam/security-credentials/. There you will find the access key and secret key. Having said that, be careful when you try to use those keys outside the EC2 instance. AWS monitors usage of the access key and secret key given to an EC2 instance role outside the given EC2 instance IP, will generate a warning to the owner and sometimes can block the API call. If you plan to use an access key and secret key, make sure you generate the key yourself.
@soheilpro2015 4 years ago
@@cloudopian Thanks for the response. So there is a command that you can use to add the AWS role to your profile. Here is the command: "Set-AWSCredential -StoreAs my_role_profile -SourceProfile my_source_profile -RoleArn arn:aws:iam::123456789012:role/role-i-want-to-assume". This way the generation of the temporary keys will be automatic. I was wondering if there is a way to check the key validity time and other parameters using the PowerShell commands. By the way, I am not using an EC2 instance. I am using my own laptop to connect to the environment. Thanks again.
@cloudopian 4 years ago
@@soheilpro2015 Wow, this is awesome. Up until now I haven't tried adding a role to my profile with Set-AWSCredential with RoleArn. Thanks, this is a good learning for me. Having said that, I assume you still use some static access key and secret key because you still need sts:AssumeRole permission to assume the role, am I correct?
@soheilpro2015 4 years ago
@@cloudopian Yes, I have my access key and secret key stored encrypted on my local computer.
@RuwanthaKodikara 1 month ago
Nice..
@thisisjaiswal 5 months ago
In the 2024 Lok Sabha election we got to see 'Exit Poll AlTakiya'
@anmolmittal3893 3 years ago
Uh, actually everything worked fine until I tried using creds.accesskey and creds.secretkey in aws configure; it started showing "The AWS Access Key Id you provided does not exist in our records." Please let me know if anyone finds a way around it.
@cloudopian 3 years ago
What exactly did you do? Are you sure your credentials are not expired?
@anmolmittal3893 3 years ago
Yes, because when I am using $creds with -Credential it's working fine, but when I configure my AWS to use $creds.AccessKey and $creds.secretkey it shows the error "not present in our records". I couldn't find the reason; it's so strange.