DynamoDB - Web Identity Federation


Web identity federation simplifies authentication and authorization for large groups of users. Instead of creating a separate account for each user, you require users to sign in to an identity provider, which returns a token that is exchanged for temporary credentials. Credential management uses the AWS Security Token Service (STS), and applications use these temporary credentials to interact with services.

Web identity federation supports identity providers such as Amazon, Google, and Facebook.

Function. With web identity federation, the application first calls the identity provider to authenticate the user and the application, and the provider returns a token. The application then calls AWS STS and passes in that token. STS validates the token, authorizes the application, and grants it temporary access credentials that allow it to assume the IAM role and access the resources permitted by the role's policy.

Implementing Web Identity Federation

You must complete the following three steps before using it −

  • Sign up as a developer with a supported third-party identity provider.

  • Register your application with the provider to get an application ID.

  • Create one or more IAM roles and attach a policy to each. You must use a separate role for every provider in the application.

Assume that a user signs in through web identity federation to use one of your IAM roles. Your application must then follow a three-step process −

  • Authentication
  • Get credentials
  • Access to resources

In the first step, your application uses its own interface to call the provider, which authenticates the user and returns a token that the application then manages.

In the second step, token management, your application sends an AssumeRoleWithWebIdentity request to AWS STS. The request contains the token from the first step, the application ID obtained from the provider, and the IAM role ARN. STS returns credentials that expire after a set period.

In the last step, your application receives the STS response containing what it needs to access DynamoDB resources: the temporary credentials, their expiration time, the assumed role ARN, and the assumed role ID.
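The second and third steps of that process, as an added Python example that is not part of the original page: it issues the AssumeRoleWithWebIdentity call through boto3's STS client and then builds a DynamoDB client from the returned temporary credentials. The role ARN, provider ID and session name are constructed placeholders, and the `sts` parameter accepts any object with a boto3-style `assume_role_with_web_identity` method so the exchange can be exercised offline.

```python
from datetime import datetime, timezone

try:
    import boto3  # only needed for the real AWS calls
except ImportError:  # keep the helpers importable without boto3
    boto3 = None

# Constructed placeholders: use your own role ARN and provider application ID.
ROLE_ARN = "arn:aws:iam::123456789012:role/ExampleWebIdentityRole"
PROVIDER_ID = "www.amazon.com"  # Login with Amazon; omit for OIDC providers


def get_temporary_credentials(sts, web_identity_token, role_arn=ROLE_ARN,
                              provider_id=PROVIDER_ID, session_name="app-user",
                              duration_seconds=3600):
    """Step 2: exchange the provider's token for STS temporary credentials.
    `sts` is any object with a boto3-style assume_role_with_web_identity."""
    params = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,
        "WebIdentityToken": web_identity_token,
        "DurationSeconds": duration_seconds,
    }
    if provider_id:  # OAuth 2.0 providers (Amazon, Facebook) need it; OIDC does not
        params["ProviderId"] = provider_id
    response = sts.assume_role_with_web_identity(**params)
    creds = response["Credentials"]
    if creds["Expiration"] <= datetime.now(timezone.utc):
        raise RuntimeError("STS returned already-expired credentials")
    return {
        "access_key": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
        "assumed_role_arn": response["AssumedRoleUser"]["Arn"],
        "assumed_role_id": response["AssumedRoleUser"]["AssumedRoleId"],
    }


def seconds_until_expiry(creds, now=None):
    """Remaining lifetime; repeat step 2 to refresh before this reaches 0."""
    now = now or datetime.now(timezone.utc)
    return max(0, int((creds["expiration"] - now).total_seconds()))


def dynamodb_client(creds, region="us-east-1"):
    """Step 3: DynamoDB client whose access is bounded by the role's policy."""
    return boto3.client("dynamodb", region_name=region,
                        aws_access_key_id=creds["access_key"],
                        aws_secret_access_key=creds["secret_key"],
                        aws_session_token=creds["session_token"])
```

Because the session token expires, the application should track `seconds_until_expiry` and repeat the STS exchange rather than caching the credentials indefinitely.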