Study Guide: Making Authenticated Calls to AWS Services
Make authenticated calls to AWS services
Making Authenticated Calls to AWS Services
Authentication is the process of verifying who is making a request to AWS, while authorization determines what that entity is allowed to do. For the AWS Certified Developer Associate (DVA-C02) exam, understanding how to programmatically interact with AWS using secure, authenticated methods is a core requirement.
Learning Objectives
After studying this guide, you should be able to:
- Differentiate between permanent IAM user credentials and temporary STS credentials.
- Configure the AWS CLI and SDK for programmatic access.
- Explain the process of assuming an IAM role using AWS STS.
- Implement the Principle of Least Privilege (POLP) when defining permissions.
- Understand how bearer tokens and identity federation provide access to applications.
Key Terms & Glossary
- Principal: An entity (user, role, or application) that can make a request for an action or resource on AWS.
- IAM User: A persistent identity with long-term credentials (Access Key ID and Secret Access Key).
- IAM Role: An identity that does not have long-term credentials and is instead "assumed" by trusted entities.
- STS (Security Token Service): A web service that enables you to request temporary, limited-privilege credentials for users.
- SDK (Software Development Kit): Language-specific libraries (e.g., Boto3 for Python) used to call AWS APIs.
- POLP (Principle of Least Privilege): The security practice of granting only the minimum permissions necessary to perform a task.
The "Big Idea"
In the AWS ecosystem, nothing happens without an authenticated API call. Whether you use the Management Console, the CLI, or an SDK, every request is signed. Security in development is about moving away from static "secret keys" stored in code and moving toward temporary, rotating credentials provided by IAM Roles and STS. This "safe by design" approach minimizes the blast radius if a credential is leaked.
Formula / Concept Box
| Authentication Method | Use Case | Credential Type |
|---|---|---|
| IAM User Access Keys | Local development, legacy CLI access | Permanent / Long-term |
| IAM Roles / STS | EC2 instances, Lambda functions, Cross-account | Temporary (Expires) |
| Cognito Identity Pools | Mobile/Web apps (External users) | Temporary (Exchanged) |
| Bearer Tokens | Microservices, API Gateway authorization | Token-based (JWT) |
Hierarchical Outline
- IAM Identities
- Root User: Full unrestricted access; only for initial setup and specific account tasks.
- IAM Users: Best for human operators or specific legacy programmatic needs.
- IAM Groups: Collections of users to manage permissions at scale.
- Programmatic Access
- AWS CLI: Command-line tools for manual or scripted service interaction.
- AWS SDKs: Programmatic libraries that handle request signing, retries, and error handling.
- Temporary Credentials via STS
- AssumeRole API: Returns Access Key ID, Secret Access Key, and a Session Token.
- Regional Endpoints: Use regional STS endpoints to reduce latency and increase session validity.
- Federated Access
- SAML 2.0 / OIDC: Authenticating via external providers (e.g., Okta, Google).
- Amazon Cognito: Managing user pools and identity pools for application-level access.
Visual Anchors
The STS Role Assumption Flow
Credential Hierarchy Diagram
\begin{tikzpicture}[node distance=2cm, every node/.style={rectangle, draw, rounded corners, minimum width=3cm, minimum height=1cm, align=center}] \node (root) {Root User \ (Unrestricted)}; \node (iam) [below of=root] {IAM Principal}; \node (user) [below left of=iam, xshift=-1cm] {IAM User \ (Long-term Keys)}; \node (role) [below right of=iam, xshift=1cm] {IAM Role \ (Temporary Keys)};
\draw[->, thick] (root) -- (iam);
\draw[->] (iam) -- (user);
\draw[->] (iam) -- (role);
\node[draw=none, fill=none, text width=4cm, font=\small] at (-4, -3) {\textbf{Warning:} Avoid using Root for daily tasks.};\end{tikzpicture}
Definition-Example Pairs
- Trust Policy: A JSON document that defines which principals are allowed to assume a role.
- Example: An EC2 instance role has a trust policy allowing
ec2.amazonaws.comto assume it.
- Example: An EC2 instance role has a trust policy allowing
- Permissions Policy: A JSON document defining what actions are allowed on which resources.
- Example: A policy allowing
s3:GetObjecton the bucketmy-media-filesonly.
- Example: A policy allowing
- Instance Profile: A container for an IAM role that you can use to pass role information to an EC2 instance.
- Example: Attaching a "WebserverRole" to an EC2 instance so the application code can automatically fetch credentials.
Worked Examples
Example 1: Assuming a Role via CLI
To gain temporary access to a production account from a development environment, you use the assume-role command.
# Requesting temporary credentials
aws sts assume-role \\
--role-arn "arn:aws:iam::123456789012:role/ProdAdminRole" \\
--role-session-name "DevSession1"Output Analysis:
The response contains the Credentials object. To use them, you must export these as environment variables:
AWS_ACCESS_KEY_IDAWS_SECRET_ACCESS_KEYAWS_SESSION_TOKEN(Crucial: Roles always require this token).
Example 2: Using the SDK (Python/Boto3)
SDKs automatically look for credentials in environment variables, ~/.aws/credentials, or Instance Metadata.
import boto3
# The SDK automatically handles authentication if
# environment variables or roles are configured.
s3 = boto3.client('s3')
# This call is signed automatically by the SDK
response = s3.list_buckets()
print(response['Buckets'])Checkpoint Questions
- What are the three components returned by the AWS STS
AssumeRoleAPI call? - Why is it a security best practice to use IAM Roles for applications running on EC2 instead of IAM User Access Keys?
- Which AWS service is used to provide federated identities for mobile and web applications?
- True or False: A Session Token is required when using long-term IAM User Access Keys.
- What is the difference between a Trust Policy and a Permissions Policy?
▶Click to see Answers
- Access Key ID, Secret Access Key, and Session Token.
- Roles provide temporary, automatically rotating credentials, eliminating the risk of hard-coded, long-term secrets being leaked.
- Amazon Cognito.
- False. Session tokens are specific to temporary credentials (STS).
- A Trust Policy defines who can assume the role; a Permissions Policy defines what the principal can do once they have assumed the role.
[!IMPORTANT] Always follow the Principle of Least Privilege. If a Lambda function only needs to read from one S3 bucket, do not give it
s3:*or access to all buckets.