STS AssumeRoleWithWebIdentity

  • assume-role-with-web-identity is an API provided by STS (Security Token Service).
  • It returns temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider such as Amazon, Facebook or Google.
  • For mobile applications, Cognito is recommended.
  • Regular web applications can call the STS assume-role-with-web-identity API directly.

An example workflow:

  1. A user authenticates with Google, Facebook, or Amazon.
  2. Google, Facebook, or Amazon returns a JWT (the identity token).
  3. Once she has successfully authenticated, the application makes the assume-role-with-web-identity API call with that token, and STS (Security Token Service) returns temporary credentials.
  4. The user now has temporary access to AWS resources.

Two parts of the assume-role-with-web-identity response are important to know:

```xml
<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    ...
    <AssumedRoleUser>
      <Arn>arn:aws:sts:92349234923:assumed-role/FederatedWebIdentityRole/app1</Arn>
      <AssumedRoleId>AR0ACLKWSDQDDEXAMPLE.app1</AssumedRoleId>
    </AssumedRoleUser>
    <Credentials>
      <SessionToken>AQoDYXdzEE0a7ANXXXXXXXXXXXOasdfasdflk+EXAMPLE</SessionToken>
      <SecretAccessKey>wJalrXUTAFEMHDASLKFSJDLKJFLDKFD/bDFDJDFjDJDJDFEXAMPLEKEY</SecretAccessKey>
      <Expiration>2019-02-05T23:00:23Z</Expiration>
      <AccessKeyId>ASgeIAIOSFODNN7EN8EXAMPLE</AccessKeyId>
    </Credentials>
    ...
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>
```

  • The ARN in the AssumedRoleUser element identifies the assumed-role session and can be used to refer to the temporary credentials programmatically.
  • The Credentials section of the response contains the set of temporary credentials (access key ID, secret access key, session token) and their expiration time.
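As an added example (not part of the original notes), the following Python parses an AssumeRoleWithWebIdentity XML response into the two parts called out above, splits the assumed-role ARN into its role and session names, and checks whether the temporary credentials are close enough to their Expiration that they should be replaced. The sample response is constructed from the placeholder values quoted above; the element names and namespace are those of the real STS query API.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET
NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}  # STS response namespace

# Constructed sample response, reusing the placeholder values quoted above.
SAMPLE_RESPONSE = """<AssumeRoleWithWebIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleWithWebIdentityResult>
    <AssumedRoleUser>
      <Arn>arn:aws:sts:92349234923:assumed-role/FederatedWebIdentityRole/app1</Arn>
      <AssumedRoleId>AR0ACLKWSDQDDEXAMPLE.app1</AssumedRoleId>
    </AssumedRoleUser>
    <Credentials>
      <SessionToken>AQoDYXdzEE0a7ANXXXXXXXXXXXOasdfasdflk+EXAMPLE</SessionToken>
      <SecretAccessKey>wJalrXUTAFEMHDASLKFSJDLKJFLDKFD/bDFDJDFjDJDJDFEXAMPLEKEY</SecretAccessKey>
      <Expiration>2019-02-05T23:00:23Z</Expiration>
      <AccessKeyId>ASgeIAIOSFODNN7EN8EXAMPLE</AccessKeyId>
    </Credentials>
  </AssumeRoleWithWebIdentityResult>
</AssumeRoleWithWebIdentityResponse>"""

def _text(root, path):
    """Text of one mandatory element under the Result node; fail loudly if absent."""
    node = root.find("sts:AssumeRoleWithWebIdentityResult/" + path, NS)
    if node is None or not node.text:
        raise ValueError(f"response lacks {path}")
    return node.text.strip()

def parse_response(xml_text):
    """Pull the AssumedRoleUser and Credentials parts out of the XML response."""
    root = ET.fromstring(xml_text)
    expires = datetime.strptime(_text(root, "sts:Credentials/sts:Expiration"),
                                "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {
        "arn": _text(root, "sts:AssumedRoleUser/sts:Arn"),
        "assumed_role_id": _text(root, "sts:AssumedRoleUser/sts:AssumedRoleId"),
        "access_key_id": _text(root, "sts:Credentials/sts:AccessKeyId"),
        "secret_access_key": _text(root, "sts:Credentials/sts:SecretAccessKey"),
        "session_token": _text(root, "sts:Credentials/sts:SessionToken"),
        "expiration": expires,
    }

def role_and_session(arn):
    """Split an assumed-role ARN into (role name, session name); the session name is what CloudTrail records."""
    kind, role, session = arn.rsplit(":", 1)[1].split("/", 2)  # assumed-role/<role>/<session>
    if kind != "assumed-role":
        raise ValueError(f"not an assumed-role ARN: {arn}")
    return role, session

def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """Credentials stop working at Expiration; treat them as stale within `margin` of it."""
    return now >= creds["expiration"] - margin
```

When `needs_refresh` returns true the application should re-run the workflow above (fresh provider token, fresh assume-role-with-web-identity call) rather than keep using the old access key.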