Appx. AWS STS issuance
This article walks through an example of issuing temporary security credentials with the AWS STS-compatible AssumeRoleWithWebIdentity action and using them to access KakaoCloud Object Storage through its S3-compatible API.
Info
For the list of S3 API features supported by KakaoCloud, refer to the S3 document.
API preparations
Refer to API Preparation for the setup required before calling the API.
STS token
Use AssumeRoleWithWebIdentity to issue an access key ID, secret access key, and session token for the S3-compatible API. An OpenStack token (the X-Auth-Token value) is exchanged for temporary credentials that carry the permissions of the token's user. The credentials are valid only until the returned Expiration time, and every request made with them must send the session token in the X-Amz-Security-Token header.
Request
Issue STS Token
curl -X POST 'https://objectstorage.kr-central-2.kakaocloud.com/' \
--header 'Accept: */*' \
--header 'Content-Type: application/json' \
--data-raw '{
"Action" : "AssumeRoleWithWebIdentity",
"DurationSeconds": 1800,
"ProviderId" : "iam.kakaocloud.com",
"WebIdentityToken" : "{x-auth-token}"
}'
| Method | Request URL |
|---|---|
| POST | https://objectstorage.kr-central-2.kakaocloud.com/ |
| Field | Format | Description |
|---|---|---|
| Action* | String | Type of action to perform. Only AssumeRoleWithWebIdentity is supported |
| DurationSeconds | Integer | Lifetime of the temporary credentials, in seconds |
| ProviderId | String | The entity that provides the web identity. Currently only iam.kakaocloud.com is supported |
| WebIdentityToken | String | Token issued by OpenStack (the X-Auth-Token value) |
Response
Response example
<AssumeRoleWithWebIdentityResponse>
  <AssumeRoleWithWebIdentityResult>
    <SubjectFromWebIdentityToken>{user_id}</SubjectFromWebIdentityToken>
    <Credentials>
      <SessionToken>{session_token}</SessionToken>
      <SecretAccessKey>{session_secret_key}</SecretAccessKey>
      <Expiration>{expiration}</Expiration>
      <AccessKeyId>{session_access_key}</AccessKeyId>
    </Credentials>
    <Provider>iam.kakaocloud.com</Provider>
  </AssumeRoleWithWebIdentityResult>
  <ResponseMetadata>
    <RequestId>{request_id}</RequestId>
  </ResponseMetadata>
</AssumeRoleWithWebIdentityResponse>
| Field | Type | Description |
|---|---|---|
| user_id | String | ID of the user whose permissions the temporary credentials carry |
| session_token | String | Session token for the temporary credentials (sent as X-Amz-Security-Token) |
| session_secret_key | String | Secret access key for the temporary credentials (used to compute the SigV4 signature) |
| session_access_key | String | Access key ID for the temporary credentials (used in the Credential scope) |
| expiration | Timestamp | Expiration time of the temporary credentials |
| Response code | Response | Description |
|---|---|---|
| 200 | OK | Success |
| 400 | BadRequest | Request information error |
| 403 | Forbidden | No permission |
Example - get bucket list
Query bucket list
curl --location 'https://objectstorage.kr-central-2.kakaocloud.com/' \
--header 'X-Amz-Security-Token: {Issued STS Session Token}' \
--header 'X-Amz-Content-Sha256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855' \
--header 'X-Amz-Date: 20230719T074808Z' \
--header 'Authorization: AWS4-HMAC-SHA256 Credential=2d554f581e81aa56a120fc29bd806405/20230719/kr-central-2/s3/aws4_request, SignedHeaders=host;x-amz-content-sha256;x-amz-date;x-amz-security-token, Signature=3f0f3cd5a25406947c936e8d51cdd13f3d5b4fafa1078da4e1b7b3df0d1e662a'
The header values above are illustrative: the Signature is an AWS Signature Version 4 HMAC computed over the request with the temporary secret access key, so it must be recomputed for every request, the Credential scope must use the issued access key ID with the request date, region kr-central-2 and service s3, X-Amz-Date must be the current UTC time, and x-amz-security-token must be included in SignedHeaders so the session token is covered by the signature. X-Amz-Content-Sha256 is the SHA-256 of the request body; the value shown is the hash of an empty body, which is correct for a bucket-list GET.
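The following is an added example, not KakaoCloud's own code: it performs the two steps above end to end in Python using only the standard library, exchanging an OpenStack X-Auth-Token for temporary credentials via the JSON body shown, parsing the XML response, and then signing a bucket-list GET with AWS Signature Version 4 so that the Authorization, X-Amz-Date and X-Amz-Security-Token headers are generated rather than pasted. The endpoint, region `kr-central-2`, service `s3` and response element names are taken from this page; the function names, the `OS_AUTH_TOKEN` environment variable and the namespace handling for the XML are this example's own assumptions.

```python
import hashlib
import hmac
import json
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

ENDPOINT = "https://objectstorage.kr-central-2.kakaocloud.com/"
REGION = "kr-central-2"   # credential scope region, as in the page's Authorization header
SERVICE = "s3"
PROVIDER_ID = "iam.kakaocloud.com"
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()   # hash of an empty body (e3b0c442...b855)


def _strip_namespaces(root):
    # Assumption: a real response may carry an xmlns; drop it so the lookups work either way.
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root


def parse_sts_response(xml_text):
    """Pull the temporary credentials out of an AssumeRoleWithWebIdentityResponse body."""
    root = _strip_namespaces(ET.fromstring(xml_text))
    creds = root.find("./AssumeRoleWithWebIdentityResult/Credentials")
    if creds is None:
        raise ValueError("STS response has no Credentials element")
    return {key: creds.findtext(tag) for key, tag in (
        ("access_key", "AccessKeyId"), ("secret_key", "SecretAccessKey"),
        ("session_token", "SessionToken"), ("expiration", "Expiration"))}


def issue_sts_credentials(x_auth_token, duration_seconds=1800, endpoint=ENDPOINT):
    """Exchange an OpenStack X-Auth-Token for temporary S3 credentials (network call)."""
    body = json.dumps({"Action": "AssumeRoleWithWebIdentity",
                       "DurationSeconds": duration_seconds,
                       "ProviderId": PROVIDER_ID,
                       "WebIdentityToken": x_auth_token}).encode()
    req = urllib.request.Request(endpoint, data=body, method="POST",
                                 headers={"Accept": "*/*", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_sts_response(resp.read().decode())


def _hmac(key, msg):
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def signing_key(secret_key, date_stamp, region=REGION, service=SERVICE):
    """SigV4 key derivation: kSecret -> kDate -> kRegion -> kService -> kSigning."""
    k = _hmac(("AWS4" + secret_key).encode(), date_stamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def canonical_request(method, url, headers, payload_hash):
    """Build the SigV4 canonical request; returns (canonical_request, signed_headers)."""
    parts = urllib.parse.urlsplit(url)
    query = "&".join(sorted(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in urllib.parse.parse_qsl(parts.query, keep_blank_values=True)))
    lower = {k.lower(): " ".join(str(v).split()) for k, v in headers.items()}
    signed = ";".join(sorted(lower))
    canon_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower))
    canon = "\n".join([method, urllib.parse.quote(parts.path or "/"), query,
                       canon_headers, signed, payload_hash])
    return canon, signed


def sigv4_headers(method, url, access_key, secret_key, session_token,
                  payload=b"", amz_date=None, region=REGION, service=SERVICE):
    """Sign one request with temporary credentials; the session token is a signed header."""
    amz_date = amz_date or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date_stamp = amz_date[:8]
    payload_hash = hashlib.sha256(payload).hexdigest()
    headers = {"host": urllib.parse.urlsplit(url).netloc,
               "x-amz-content-sha256": payload_hash,
               "x-amz-date": amz_date,
               "x-amz-security-token": session_token}
    canon, signed = canonical_request(method, url, headers, payload_hash)
    scope = f"{date_stamp}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canon.encode()).hexdigest()])
    signature = hmac.new(signing_key(secret_key, date_stamp, region, service),
                         string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["Authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers


def list_buckets(creds, endpoint=ENDPOINT):
    """GET / with SigV4 headers and return the bucket names (network call)."""
    headers = sigv4_headers("GET", endpoint, creds["access_key"],
                            creds["secret_key"], creds["session_token"])
    req = urllib.request.Request(endpoint, headers=headers, method="GET")
    with urllib.request.urlopen(req, timeout=10) as resp:
        root = _strip_namespaces(ET.fromstring(resp.read()))
    return [b.findtext("Name") for b in root.iter("Bucket")]


if __name__ == "__main__":
    import os
    creds = issue_sts_credentials(os.environ["OS_AUTH_TOKEN"])  # assumed env var holding the X-Auth-Token
    print("credentials expire at", creds["expiration"])
    print("buckets:", list_buckets(creds))
```

Because the session token sits inside SignedHeaders, a captured Authorization header cannot be replayed with a different token, and because the date is part of the credential scope and X-Amz-Date, the same request signed on a different day produces a different signature; keep the client clock in sync or the service will reject the request.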