Configure an AWS STS Federation Credential Provider

AWS offers the AWS Security Token Service (STS), a web service designed to facilitate the request of temporary, restricted-privilege credentials for users.

Aembit’s Credential ProviderCredential Provider: Credential Providers obtain the specific access credentials—such as API keys, OAuth tokens, or temporary cloud credentials—that Client Workloads need to authenticate to Server Workloads.Learn more for AWS STS broadly supports AWS services that use the SigV4 and SigV4a authentication protocol depending if requests are for regional services or global/multi-region services respectively. See How Aembit uses AWS SigV4 and SigV4a for information about SigV4/4a and how Aembit handles SigV4/4a requests.

Pre-signed URLs

Aembit doesn’t support AWS pre-signed URLs. For more information, see Known limitations.

Multiple providers

You can configure multiple AWS STS Credential Providers within a single Access PolicyAccess Policy: Access Policies define, enforce, and audit access between Client and Server Workloads by cryptographically verifying workload identity and contextual factors rather than relying on static secrets.Learn more to access different AWS resources with different IAM roles. See Using multiple AWS STS Credential Providers for details.

Prerequisites

Before configuring an AWS Security Token Service Federation Credential Provider in Aembit, ensure you have the following:

• (Multiple Credential Providers only) Aembit Edge ComponentAembit Edge: Aembit Edge represents components deployed within your operational environments that enforce Access Policies by intercepting traffic, verifying identities, and injecting credentials just-in-time.Learn more minimum versions:
  • Agent Proxy 1.27.3865
  • Agent Controller 1.27.2906
• An active Aembit TenantAembit Tenant: Aembit Tenants serve as isolated, dedicated environments within Aembit that provide complete separation of administrative domains and security configurations.Learn more with appropriate permissions to create and manage Credential Providers.
• An AWS account with permissions to create IAM roles and Identity Providers.
• A Server Workload configured with HTTP Application Protocol and AWS Signature v4 authentication method. See AWS Cloud Server Workload for configuration details.

Credential Provider configuration

To configure an AWS Security Token Service Federation Credential Provider, follow these steps:

1. Log into your Aembit Tenant, and go to Credential Providers.

   Aembit directs you to the Credential Providers page displaying a list of existing Credential Providers. In this example, there are no existing Credential Providers.

   

2. Click + New.

   This opens the Credential Providers dialog window.

   

3. In the Credential Providers dialog window, enter the following information:

   • Name - Name of the Credential Provider.

   • Description - An optional text description of the Credential Provider.

   • Credential Type - A dropdown menu that enables you to configure the Credential Provider type. Select AWS Security Token Service Federation.

   • OIDC Issuer URL - OpenID Connect (OIDC) Issuer URL, auto-generated by Aembit, is a dedicated endpoint for OIDC authentication within AWS.

   • AWS IAM Role Arn - Enter your AWS IAM Role in ARN format, Aembit associates this ARN with the AWS STS credentials request.

   • Aembit IdP Token Audience - This read-only field specifies the aud (Audience) claim value which Aembit uses in the JWT Access Token when requesting credentials from AWS STS.

   • Lifetime (seconds) - Specify the duration for which AWS STS credentials remain valid, ranging from 900 seconds (15 minutes) to a maximum of 129,600 seconds (36 hours).

   

4. Click Save when finished. Aembit directs you back to the Credential Providers page, where you’ll see your newly created Credential Provider.

   

AWS Identity Provider configuration

To use the AWS STS Credential Provider, you must configure the AWS Identity Provider and assign it with an IAM role:

1. Within the AWS Console, go to IAM > Identity providers and select Add provider.

2. On the Configure provider screen, complete the steps and fill out the values specified:

   • Provider type - Select OpenID Connect.

   • Provider URL - Paste in the OIDC Issuer URL from the Credential Provider fields.

   • Click Get thumbprint to configure the AWS Identity Provider trust relationship.

   • Audience - Paste in the Aembit IdP Token Audience from the Credential Provider fields.

   • Click Add provider.

3. Within the AWS Console, go to IAM > Identity providers and select the Identity Provider you just created.

4. Click Assign role and choose Use an existing role.

Configure multiple AWS STS Credential Providers

To configure multiple AWS STS Credential Providers within a single Access Policy, follow these steps. Each Credential Provider must have a unique Access Key ID that your application uses as a selector.

Access Key ID format

Access Key ID selector values must use uppercase characters only. For example, use AKIADUMMYFORROLEA instead of akiadummyforrolea.

How it works

For conceptual information about how Aembit routes requests to the appropriate Credential Provider, see Using multiple AWS STS Credential Providers.

1. Create your first AWS STS Credential Provider by following the Credential Provider configuration procedure.

2. Note the Access Key ID selector value for this Credential Provider. Your application uses this placeholder in requests intended for this Credential Provider.

3. Repeat the Credential Provider configuration steps to create additional AWS STS Credential Providers, each with:

   • A unique Name identifying its purpose (for example, STS-S3-Access, STS-DynamoDB-Access)
   • A different AWS IAM Role ARN for each Credential Provider
   • A unique Access Key ID selector for each Credential Provider

4. For each new AWS STS Credential Provider, configure the corresponding AWS Identity Provider by following the AWS Identity Provider configuration procedure.

5. Go to Access Policies and either create a new Access Policy or edit an existing one.

6. In the Credential Providers column, hover over the + icon and select Existing.

7. Add each AWS STS Credential Provider you created to the Access Policy.

8. Click Save or Save & Activate to save your Access Policy.

Application configuration

Configure your application to use the appropriate Access Key ID selector for each AWS service request. Agent Proxy extracts the Access Key ID from the AWS SigV4 Authorization header and routes the request to the matching Credential Provider.

AWS CLI example

To use the AWS CLI with multiple Credential Providers, set these environment variables:

# Set to any non-empty value (required by AWS CLI, replaced by Aembit)
export AWS_SECRET_ACCESS_KEY=placeholder

# Set to the Access Key ID selector for the desired Credential Provider
export AWS_ACCESS_KEY_ID=AKIADUMMYFORROLEA

# Make AWS requests
aws s3 ls

Change AWS_ACCESS_KEY_ID to switch between Credential Providers. For example:

• AKIADUMMYFORROLEA → Uses Credential Provider configured for S3 access
• AKIADUMMYFORROLEB → Uses Credential Provider configured for DynamoDB access

Verify your configuration

To confirm your multiple AWS STS Credential Provider configuration works correctly:

1. Set the environment variables for one of your Credential Providers.

2. Run an AWS CLI command (for example, aws s3 ls).

3. Check the access authorization events in your Aembit Tenant to confirm:

   • Aembit selected the correct Credential Provider
   • The credentialProvider.name field matches your expected Credential Provider

4. Change AWS_ACCESS_KEY_ID to a different selector and repeat to verify the second Credential Provider.

Related topics

• Using multiple AWS STS Credential Providers - Learn how Aembit routes requests to multiple AWS STS Credential Providers
• How Aembit uses AWS SigV4 and SigV4a - Learn about AWS request signing
• Credential Providers overview - Overview of all available Credential Provider types