1
00:00:00,470 --> 00:00:02,060
‫So there is a service we've been using

2
00:00:02,060 --> 00:00:04,170
‫behind the scenes without really knowing it.

3
00:00:04,170 --> 00:00:06,130
‫And it's at the center of AWS.

4
00:00:06,130 --> 00:00:09,740
‫It's called AWS STS for security token service.

5
00:00:09,740 --> 00:00:10,573
‫This enables you

6
00:00:10,573 --> 00:00:14,130
‫to create temporary, limited privileges credentials

7
00:00:14,130 --> 00:00:16,590
‫to access your AWS resources.

8
00:00:16,590 --> 00:00:18,310
‫That means that you get short-term credentials,

9
00:00:18,310 --> 00:00:21,130
‫just like your access key and your secret access key,

10
00:00:21,130 --> 00:00:24,050
‫but you can configure your expiration period.

11
00:00:24,050 --> 00:00:26,390
‫So the user, for example, has access to a role

12
00:00:26,390 --> 00:00:28,030
‫and then wants to leverage that role.

13
00:00:28,030 --> 00:00:29,150
‫So what it's going to do is that it's going

14
00:00:29,150 --> 00:00:31,930
‫to assume the role using an STS API call.

15
00:00:31,930 --> 00:00:33,453
‫It will talk to the STS service,

16
00:00:33,453 --> 00:00:37,260
‫and the result of this API call will be STS sending us back

17
00:00:37,260 --> 00:00:39,840
‫some temporary security credentials,

18
00:00:39,840 --> 00:00:44,770
‫and they look just like an access key, security key

19
00:00:44,770 --> 00:00:47,280
‫as well as a session key,

20
00:00:47,280 --> 00:00:49,610
‫which is going to be limited in time.

21
00:00:49,610 --> 00:00:51,920
‫And using these three credentials,

22
00:00:51,920 --> 00:00:54,332
‫we're going to access our AWS resources

23
00:00:54,332 --> 00:00:57,510
‫and using the (mumbles) role we just assumed.

24
00:00:57,510 --> 00:00:59,770
‫So the idea is that the use cases can be multiple.

25
00:00:59,770 --> 00:01:02,100
‫Number one they would be identity federation.

26
00:01:02,100 --> 00:01:04,870
‫For example, to manage their identities in external systems

27
00:01:04,870 --> 00:01:08,790
‫and provide them with STS tokens to access AWS resources

28
00:01:08,790 --> 00:01:12,050
‫or for IAM roles, access for cross or same account access,

29
00:01:12,050 --> 00:01:14,220
‫which is the exact example I showed you

30
00:01:14,220 --> 00:01:15,620
‫on the right hand side.

31
00:01:15,620 --> 00:01:18,040
‫Or finally, when we used it behind the scenes

32
00:01:18,040 --> 00:01:20,400
‫in the course is that when we provide an IAM role

33
00:01:20,400 --> 00:01:21,960
‫to our EC2 instances.

34
00:01:21,960 --> 00:01:23,323
‫Behind the scene there's a script

35
00:01:23,323 --> 00:01:26,580
‫that actually refreshes the EC2 credentials,

36
00:01:26,580 --> 00:01:30,330
‫using the security token service in the backhand.

37
00:01:30,330 --> 00:01:31,163
‫So that's it.

38
00:01:31,163 --> 00:01:33,470
‫Anytime from an example perspective that you see,

39
00:01:33,470 --> 00:01:36,760
‫you need to create temporary, limited privileges credentials

40
00:01:36,760 --> 00:01:37,810
‫to AWS (mumbles) STS.

41
00:01:39,830 --> 00:01:40,663
‫That's it.

42
00:01:40,663 --> 00:01:42,240
‫I will see you in the next lecture.