| « PreviousNext » | |
   | Did this page help you? Yes | No | Tell us about it... |
Permissions in Temporary Security Credentials for Federated Users
When an IAM user calls the GetFederationToken API action to create temporary security credentials for a federated user, the IAM user can optionally pass in a policy to grant the federated user a specific set of permissions. If the temporary security credentials do not include a policy, the federated user has no permissions except any permissions specified in resource policies.
If the temporary security credentials do include a policy, the permissions applied to the federated user are based on the following:
The policy associated with the temporary security credentials
Any resource policies that explicitly give access to the federated user
Any policies associated with the IAM user who created the temporary security credentials
The following diagram illustrates how permissions work for federated users.
 |
The IAM user who creates the temporary security credentials for the federated user is represented by the first oval, on the left. The federated user is the second oval, on the right. The IAM user's permissions are represented by the entire area within the oval, including the area of intersection (areas 1 and 2). |
 |
The IAM user can delegate permissions to the federated user only to the extent that he has permissions. In this diagram, the IAM user delegates only a portion of his permissions to the federated user. The delegated permissions are indicated by the intersection of the ovals (area 2). |
 |
In this diagram, there is a resource policy that explicitly grants permissions to the federated user, indicated by the third oval (area 3). As a result, the federated user's permissions include the permissions granted by the IAM user (area 2), as well as the permissions granted in the resource policy (area 3). |
These permissions are evaluated together at the time of authorization, and the evaluation logic never results in a conflict. There is always a true/false result that either allows or denies the requested access. For more information about how permissions are evaluated, see Evaluation Logic in Using AWS Identity and Access Management.
Example of using policies to control how temporary security credentials are created and how permissions are delegated
Suppose that an IAM user named Issuer wants to grant read-only permissions to federated users for the AWS account's Amazon S3 buckets. The AWS account administrator (the admin) could scope the Amazon S3 permissions of Issuer with the following IAM user policy.
{
"Statement": [{
"Effect": "Allow",
"Action": ["s3:GetObject", "sts:GetFederationToken"]
"Resource": "arn:aws:s3:::mybucket/federated-user/*"
}]
}
When Issuer wants to delegate permissions to a federated user, Issuer can call GetFederationToken with the name of the federated user, the duration the token is valid, and a policy granting access to Amazon S3, minimally. Any temporary security credentials Issuer creates will enable a federated user to read from the Amazon S3 bucket as long as the temporary security credentials are valid.
Issuer can restrict the permissions he delegates. For example, if Issuer wants to restrict the permissions he delegates based on the name of the user, so that a user named Jill is able to read her own files but not the files of any other federated user, then Issuer could do this by passing in a policy when he calls GetFederationToken. The policy that Issuer passes in might look like the following example.
{
"Statement": [{
"Effect": "Allow",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/federated-user/Jill/*"
}]
}
In this way, Issuer can delegate an arbitrary number of permissions, leveraging the hierarchical structure of Amazon S3 object names.
Note
If conditions exist in either policy, the conditions must be satisfied by the request for authorization to succeed. So, for example, if Issuer can make Amazon S3 requests only subject to an aws:SourceIp condition, that condition also applies to calls made with temporary security credentials issued by Issuer.
Additionally, because AWS checks permissions at authorization time rather than when the temporary security credentials are created, permissions are impacted by the policies in effect when a request is made, regardless of the policies in effect when the temporary security credentials were created. So in this example, Issuer might create temporary security credentials with the following general wildcard permissions.
{
"Statement": [{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
}]
}
As a result, even though Issuer doesn't have these general permissions, Issuer can successfully call GetFederationToken and receive temporary security credentials with this policy. Jill will then have whatever permissions Issuer has when her temporary security credentials are authenticated by AWS, but no more. In this case, if Jill were to attempt to delete an Amazon S3 bucket, the request would fail because Issuer does not have permission to delete a bucket.
If after issuing the temporary security credentials to Jill, the AWS account owner wanted to revoke Jill's permissions, but no one else's, the account owner could use a deny policy like the one in the following example. To effect this policy, the AWS account owner would attach this policy to Issuer (the IAM user who created the temporary security credentials). For the purposes of this policy, it doesn't matter that IAM doesn't know who Jill is; the policy works because it denies the permission of Issuer to enable the Amazon S3 GetObject action for Jill.
{
"Statement": [{
"Effect": "Deny",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::mybucket/federated/Jill/*"
}]
}
Note
You should also be aware that delegation works across accounts, from an account to an IAM user under the account, and from an IAM user to a set of temporary security credentials. For more information on delegating permissions across accounts, see Enabling Cross-Account Access in Using AWS Identity and Access Management.
Related Topics
Overview of Policies in Using AWS Identity and Access Management
Disable Permissions Granted Through Temporary Security Credentials
