STS Creds in One Line of Code

Leaked or stolen AWS access keys are listed as one of the top three incident types for AWS security. Why not disable the use of permanent access keys in an AWS environment from the start? If an environment doesn’t have long life access keys, this security vulnerability is avoided. For this topic, we dive into short lived access keys for AWS using a SAML provider. At the end of the article you will be able to use a single line of AWS Powershell to generate a short lived access key.

AWS most common security incidents Source: SummitRoute Security Roadmap

This post assumes you have set up a SAML identity provider (IdP) and IAM Roles with this SAML provider in its trust policy. For more information on SAML, please see the AWS documentation for enabling federation with ADFS AND Saml.

AWS Saml configuration example

Picture source: AWS SAML with Federated users

The AWS function that we are driving into today is Use-STSRoleWithSAML. AWS Powershell Documentation. The get-help -examples of this function don’t go into what exactly someone needs to get this function working. In fact it’s empty.

AWS Powershell use-stsrolewithsaml Let’s figure out how to use it with the goal to make authenticating and creating a temporary key as easy as possible for an end user. .

Use-STSRoleWithSAML AWS PowerShell This function has seven core parameters available. I will use three to create a temporary access key. With the function at the end of this post, these parameters will be generated by default.

SAMLAssertion PrincipalArn RoleArn Saml assertion is in layman’s terms the response from your saml provider. The amazon definition is: “The base-64 encoded SAML authentication response provided by the IdP.”

PrincipalArn in layman’s terms is the Provider ARN in AWS IAM under “Identity Providers”.

aws saml principalarn RoleArn in layman’s terms is the Role ARN for the role that trusts the Identity Provider specified above

aws powershell rolearn iam

The good news: The code in this post generates these parameters. You will only need to find your SSO url for the Amazon console.


The url for SSO The sso url for sts saml tokens contains three parts:

The Fully Qualified Domain Name (Fqdn) :: $adfshost in the function The guts of the url :: /adfs/ls/IdpInitiatedSignon.aspx?LoginToRP= And the relying party suffix :: most often urn:amazon:webservices SSO URL Examples Example 1: https://$ADFSHost/adfs/ls/IdpInitiatedSignon.aspx?LoginToRP=$RelyingParty

Example 2: https://$adfshost/idp/profile/SAML2/Unsolicited/SSO?providerId=$RelyingParty

Example 3: For other examples, google “inurl: urn:amazon:webservice”

aws saml urn example output

For this post you will use Get-awsTempCred.ps1 in the Aws_powertools repo.

Davidprowe github aws powershell saml credentials Source:

If you use Microsoft ADFS and set up AWS to work with ADFS using the AWS instructions, the only line in this code will need to change is:

[string]$ADFSHost=‘” and enter your saml provider fqdn in the parameter.

get-stssamlcred aws powershell adfs saml

Load the functions into memory and try “Get-STSSAMLCred” out. Here are the ways I use them with my production environment. Please note, this method does not create access keys for the root account.

Setting the PowerShell host terminal window with a temporary access key: Get-stssamlcred -sethost Choose the role Verify access aws powershell cli access key

aws powershell access key

Getting temporary access keys and tokens for profiles or third party applications like cloudmapper. Get-stssamlcred Choose Role Get temporary credentials

aws powershell access key temporary

Test Saml logins with a different user account: By default I have the script pull the domain and user running the PowerShell instance. To specify another user, use the -ChangeUser parameter

Get-STSSAMLCred -ChangeUser Enter username Password Choose role aws powershell access key user access That’s it! One line of code to generate temporary access keys for AWS programmatic access!