- To understand how the AWS STS `AssumeRole` API works by implementing a small web application.
- To use the AWS SDK with AWS S3 to upload files.
- To practice uploading files from a frontend to a backend using JavaScript and Node.js.
- `ROLE_ARN_TO_ASSUME`: AWS IAM role ARN to assume (typically has the permission that the user does not have but needs)
- `AWS_ACCESS_KEY_ID`: AWS IAM credential id
- `AWS_SECRET_ACCESS_KEY`: AWS IAM credential secret
- The client requests the API server (backend) to upload files.
- At the backend, the request is processed with the multer library (middleware) and the file is stored in the `upload/` directory.
- Temporary credentials are requested from STS. The ARN of the role that we want to assume needs to be set in the `ROLE_ARN_TO_ASSUME` environment variable.
- The role needs to have `S3:GetObject`, `S3:PutObject`, and `S3:ListObject` permission.
- The IAM user that we are using to request the temporary credentials needs to have `STS:AssumeRole` permission for the IAM role.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::<ACCOUNT_ID>:role/<ROLE_ARN_TO_ASSUME>"
    }
  ]
}
```
- The IAM role needs to have trusted entities (a trust relationship) that include the IAM user.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": [
          "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_1>",
          "arn:aws:iam::<ACCOUNT_ID>:user/<IAM_USER_2>"
          // ... more
        ]
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```
- The role needs to have
- Use the temporary credentials to upload files to an S3 bucket.
- We successfully used the permission of the IAM role (`S3:PutObject`) without directly obtaining its credentials.