
AWS offers the AWS Security Token Service (STS), a web service designed to facilitate the request of temporary, restricted-privilege credentials for users.

Aembit’s Credential Provider for AWS STS broadly supports AWS services that use the SigV4 and SigV4a authentication protocols: SigV4 for requests to regional services and SigV4a for requests to global/multi-region services. See How Aembit uses AWS SigV4 and SigV4a for information about SigV4/4a and how Aembit handles SigV4/4a requests.

To configure an AWS Security Token Service Federation Credential Provider, follow these steps:

  1. Log into your Aembit tenant.

  2. In the left nav menu, go to Credential Providers.

    Aembit directs you to the Credential Providers page displaying a list of existing Credential Providers. In this example, there are no existing Credential Providers.

    [Screenshot: Credential Providers - Main Page Empty]

  3. Click New.

    This opens the Credential Providers dialog window.

    [Screenshot: Credential Providers - Dialog Window Empty]

  4. In the Credential Providers dialog window, enter the following information:

    • Name - Name of the Credential Provider.

    • Description - An optional text description of the Credential Provider.

    • Credential Type - A dropdown menu that enables you to configure the Credential Provider type. Select AWS Security Token Service Federation.

    • OIDC Issuer URL - The OpenID Connect (OIDC) Issuer URL, auto-generated by Aembit, is the dedicated endpoint that AWS uses for OIDC authentication of Aembit-issued tokens.

    • AWS IAM Role Arn - Enter your AWS IAM Role in ARN format. Aembit associates this ARN with the AWS STS credentials request.

    • Aembit IdP Token Audience - This read-only field specifies the aud (Audience) claim value that Aembit sets in the JWT Access Token when requesting credentials from AWS STS.

    • Lifetime (seconds) - Specify the duration for which AWS STS credentials remain valid, ranging from 900 seconds (15 minutes) to a maximum of 129,600 seconds (36 hours).

    [Screenshot: Credential Providers - Dialog Window Completed]

  5. Click Save when finished. Aembit directs you back to the Credential Providers page, where you’ll see your newly created Credential Provider.

    [Screenshot: Credential Providers - Main Page With New Credential Provider]

AWS Identity Provider configuration


To use the AWS STS Credential Provider, you must configure the AWS Identity Provider and assign it with an IAM role:

  1. Within the AWS Console, go to IAM > Identity providers and select Add provider.

  2. On the Configure provider screen, complete the steps and fill out the values specified:

    • Provider type - Select OpenID Connect.

    • Provider URL - Paste in the OIDC Issuer URL from the Credential Provider fields.

    • Click Get thumbprint to configure the AWS Identity Provider trust relationship.

    • Audience - Paste in the Aembit IdP Token Audience from the Credential Provider fields.

    • Click Add provider.

  3. Within the AWS Console, go to IAM > Identity providers and select the Identity Provider you just created.

  4. Click Assign role and choose Use an existing role.
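The role you assign needs a trust policy that lets only tokens from this identity provider, carrying the expected audience, assume it. The following is an added example, not taken from the Aembit documentation, of what that trust policy looks like; it assumes the request is an sts:AssumeRoleWithWebIdentity call (the STS action an IAM OIDC identity provider authorizes), and ACCOUNT_ID, OIDC_ISSUER_HOST (the OIDC Issuer URL with its https:// scheme removed) and AEMBIT_IDP_TOKEN_AUDIENCE are placeholders for your own values:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::ACCOUNT_ID:oidc-provider/OIDC_ISSUER_HOST"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "OIDC_ISSUER_HOST:aud": "AEMBIT_IDP_TOKEN_AUDIENCE"
        }
      }
    }
  ]
}
```

Without the aud condition, any token minted by the issuer is accepted regardless of its audience, so check that the value in the condition matches the read-only Aembit IdP Token Audience field exactly.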