This assumes you have already configured the aws command line tool. If not, check out my article on Getting Started with the AWS CLI.
The AWS Security Token Service (STS) can be used to request a short term, temporary Access Key, Secret Key and Session Token for a user.
For example, let say you have already Set your Profile Config using the AWS CLI. In this scenario, your users hidden .aws/credentials file should contain something like this. Of course, in reality the Access Key and Secret Key wouldn't be a string of ones and A. Just using this to make this example clear.
~]$ cat /home/john.doe/.aws/credentials
[default]
aws_secret_access_key = 111111111AAAAAAAAAAA111111111AAAAAAAAAAAA
aws_access_key_id = 111111111AAAAAAAAAAA
The aws sts get-session-token command can be used to get the temporary Access Key, Secret Key and Session Token. The Access Key and Secret Key will be different from the users permanent Access Key and Secret Key. Notice that the temporary Access Key, Secret Key and Session Token is only available for a short time, 12 hours by default.
~]$ aws sts get-session-token
{
"Credentials": {
"SecretAccessKey": "222222222BBBBBBBBBBB222222222BBBBBBBBBBB",
"SessionToken": "FwoGZXIvYXdzEKT//////////wEaDDW6Bq4Y59mN8vLBJiKCAe4C4xZd3kdPBzu/DLj9xxo1f9IWDbSEKsssuopXvDK1in/bLxydTpVG8Aycy3gPGm1eJhwZOfBrYOP20FvzPTJr10ZdrknrVAqBFaNyO3yDFN/mfJ9/sxpY065AZk88TQVOfKfuvDShO7+Rlo7wem+F7x8EWXYoLdnFu+IAFWaJ1YgoxryCrQYyKCaZl3Lbz3bd7B+EdnMb4k/h/wmol30O7Et5yj7wSxRb4oHYaxDo9VE=",
"Expiration": "2024-01-12T14:04:54Z",
"AccessKeyId": "222222222BBBBBBBBBBB"
}
}
A great use case will be for an application that needs an Access Key, Secret Key and Session Token. Instead of configuring the application with your users long term, permanent Access Key and Secret Key, you can instead request a short-term, temporary ccess Key, Secret Key and Session Token.
For example, perhaps you are using Python and boto3 to List Amazon Web Services (AWS) Secrets from AWS Secrets Manager. Often, this means loading a certain users AWS_PROFILE, which uses the users long-term, permanent Access Key and Secret Key.
#!/usr/bin/python3
import boto3
import os
os.environ['AWS_PROFILE'] = 'johndoe'
client = boto3.client('secretsmanager')
secrets_dict = client.list_secrets(
Filters = [
{ 'Key': 'name', 'Values': ['my-secret'] }
]
)
print(f"secrets_dict = {secrets_dict}")
And here is an example building off this, with no error handling, just to highlight the most relevant code. boto3 sts is used to get a short-term, temporary Access Key, Secret Key and Session Token and then the Access Key, Secret Key and Session Token are used in the request to return the ARN of my-secret. This still uses the default profile in your users hidden .aws/credentials file to request the temporary Access Key, Secret Key and Session Token, so your users hidden .aws/credentials file is still needed here.
#!/usr/bin/python3
import boto3
import sys
client = boto3.client('sts')
response = client.get_session_token()
print(f"response['Credentials']['AccessKeyId'] = {response['Credentials']['AccessKeyId']}")
print(f"response['Credentials']['SecretAccessKey'] = {response['Credentials']['SecretAccessKey']}")
print(f"response['Credentials']['SessionToken'] = {response['Credentials']['SessionToken']}")
client = boto3.client(
'secretsmanager',
aws_access_key_id=response['Credentials']['AccessKeyId'],
aws_secret_access_key=response['Credentials']['SecretAccessKey'],
aws_session_token=response['Credentials']['SessionToken']
)
my_secret = client.list_secrets(
Filters = [
{ 'Key': 'tag-key', 'Values': ['Name'] },
{ 'Key': 'tag-value', 'Values': ['my_secret '] }
]
)
for item in my_secret ['SecretList']:
print(f"ARN = {item['ARN']}")
Did you find this article helpful?
If so, consider buying me a coffee over at 