Add tag to sts session through IoT credential provider


We use a device X.509 certificate and call the IoT credential provider to get an STS token, then access our services and AWS resources. Now we want to use STS session tags to do attribute-based access control, but I could not find any doc or API to do so.

There seems to be no way to pass tags through the cURL command mentioned in https://docs.aws.amazon.com/iot/latest/developerguide/authorizing-direct-aws.html.

1 Answer

There is an alternative to all this...

  1. After obtaining the STS token from the IoT credential provider, you can add custom logic in your application to attach session tags.
  2. Use the TagSession API (part of AWS Security Token Service) to add tags to the session.
  3. Consider adding a server-side component (e.g., Lambda function or an API Gateway) that receives the STS token. Here you can extract relevant information (such as user identity or context) and add session tags.
  4. The server-side logic can then call the TagSession API to attach the desired tags.
  5. Instead of relying solely on the IoT credential provider, create a custom token generation process.
EXPERT
answered 3 months ago
  • Thanks Giovanni for your answer. I think we can only add STS session tags when assuming a role and cannot modify them afterwards; otherwise it would be a security risk to allow adding/modifying session tags. Of course, we can use the existing STS token to assume another role, add tags and get a new STS token, but that is not what we want; we need session tags added to the STS token directly by the IoT credential provider. Does anyone know if there is a way?
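As an added example (not code from the question, the answer or the comment above), here is the role-chaining workaround the comment mentions: the temporary credentials returned by the IoT credential provider are used to call sts:AssumeRole on a second role, with the session tags passed in that request. It is standard-library Python only, so it signs the STS request itself with SigV4 instead of using an SDK. The role ARN, tag names, credential values, session name and region are assumptions, and the credential provider response is a constructed sample in the documented shape (a "credentials" object with accessKeyId, secretAccessKey, sessionToken and expiration).

```python
"""Role-chain from IoT credential provider credentials to a second role,
attaching session tags. Standard library only; signs the STS call with SigV4."""
import datetime as dt
import hashlib
import hmac
import json
import urllib.parse
import urllib.request

# Constructed sample of the credential provider's JSON body (fake values).
SAMPLE_CRED_PROVIDER_BODY = json.dumps({
    "credentials": {
        "accessKeyId": "ASIAEXAMPLEKEY000001",
        "secretAccessKey": "examplesecretkeyexamplesecretkeyexample00",
        "sessionToken": "FwoGZXIvYXdzEXAMPLETOKENFwoGZXIvYXdzEXAMPLETOKEN",
        "expiration": "2024-01-01T01:00:00Z",
    }
})


def parse_credential_provider_response(body):
    """Extract the temporary credentials returned by the IoT credential provider."""
    creds = json.loads(body)["credentials"]
    return {
        "access_key": creds["accessKeyId"],
        "secret_key": creds["secretAccessKey"],
        "session_token": creds["sessionToken"],
        "expiration": creds["expiration"],
    }


def build_assume_role_body(role_arn, session_name, tags, transitive_keys=()):
    """Build the AWS Query form body for sts:AssumeRole with session tags.
    Tags are sent as Tags.member.N.Key/Value; TransitiveTagKeys.member.N marks
    tags that must persist through further role chaining."""
    params = [
        ("Action", "AssumeRole"),
        ("Version", "2011-06-15"),
        ("RoleArn", role_arn),
        ("RoleSessionName", session_name),
    ]
    for i, (key, value) in enumerate(sorted(tags.items()), start=1):
        params.append((f"Tags.member.{i}.Key", key))
        params.append((f"Tags.member.{i}.Value", value))
    for i, key in enumerate(transitive_keys, start=1):
        params.append((f"TransitiveTagKeys.member.{i}", key))
    # quote (not quote_plus) gives RFC 3986 percent-encoding, which STS expects.
    return urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def _hmac(key, msg):
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def sigv4_headers(host, path, body, creds, region, now):
    """Sign a POST to STS with SigV4 using the temporary (session) credentials."""
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    date_stamp = now.strftime("%Y%m%d")
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": creds["session_token"],  # required for temporary creds
    }
    signed_headers = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    payload_hash = hashlib.sha256(body.encode("utf-8")).hexdigest()
    canonical_request = "\n".join(
        ["POST", path, "", canonical_headers, signed_headers, payload_hash])
    scope = f"{date_stamp}/{region}/sts/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode("utf-8")).hexdigest()])
    k_date = _hmac(("AWS4" + creds["secret_key"]).encode("utf-8"), date_stamp)
    k_signing = _hmac(_hmac(_hmac(k_date, region), "sts"), "aws4_request")
    signature = hmac.new(k_signing, string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={creds['access_key']}/{scope}, "
                                f"SignedHeaders={signed_headers}, Signature={signature}")
    return headers


def assume_role_with_tags(creds, role_arn, session_name, tags, transitive_keys=(),
                          region="us-east-1"):
    """Live call: role-chain to role_arn with session tags. Returns the raw
    AssumeRoleResponse XML, which carries the new tagged credentials."""
    host = f"sts.{region}.amazonaws.com"
    body = build_assume_role_body(role_arn, session_name, tags, transitive_keys)
    headers = sigv4_headers(host, "/", body, creds, region, dt.datetime.now(dt.timezone.utc))
    req = urllib.request.Request(f"https://{host}/", data=body.encode("utf-8"),
                                 headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def demo_signed_request(now=dt.datetime(2024, 1, 1, tzinfo=dt.timezone.utc)):
    """Offline demo: parse the sample response and build the signed request."""
    creds = parse_credential_provider_response(SAMPLE_CRED_PROVIDER_BODY)
    body = build_assume_role_body(
        "arn:aws:iam::123456789012:role/DeviceDataRole",  # hypothetical target role
        "thing-001",
        {"device_id": "thing-001", "site": "plant-a"},      # hypothetical ABAC tags
        transitive_keys=("device_id",),
    )
    return body, sigv4_headers("sts.us-east-1.amazonaws.com", "/", body, creds, "us-east-1", now)
```

The credential provider call itself is not shown: it is the mutual-TLS GET with the device certificate to https://<credentials-endpoint>/role-aliases/<alias>/credentials from the linked documentation, and its JSON body is what parse_credential_provider_response consumes. For the chained AssumeRole to succeed, the target role's trust policy must allow the role behind the role alias to call both sts:AssumeRole and sts:TagSession, and a role-chained session is capped at one hour regardless of the role's maximum session duration. The trade-off the comment points out still stands: the tags come from whatever the device-side code puts in the request, not from the thing's identity as asserted by the credential provider, so the trust policy should restrict which principals may tag and the downstream policies should only trust tag keys that principal is allowed to set.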
