Using Web Identity Federation
We have already seen what Web Identity Federation is in Chapter 5, Advanced Topics. To recap, WIF is a mechanism that lets end users access an AWS resource using accounts from providers such as Amazon, Facebook, and Google. Here, we use the Security Token Service (STS) from Amazon to generate temporary user credentials, and with those credentials we access the AWS resource (for example, a table in DynamoDB). The following steps will help you implement WIF for your application:
1. Register your application with identity providers such as Amazon, Google, and Facebook. These identity providers have provided elaborate descriptions of how to register your app. You can follow those steps to validate the identity of the user.
2. Once you have got the identity token from the provider, you can call the AssumeRoleWithWebIdentity API, which is a part of AWS STS, to get the temporary credentials. To call AssumeRoleWithWebIdentity, you don't need any credentials. Once you call this API with the required details, you get temporary credentials, that is, an access key and a secret key. You can read more about this API at http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html.
3. Using these credentials, you can call AWS APIs (for example, an API to put data into a DynamoDB table, or an API to read something from the DynamoDB table). These credentials are valid only for a given time. This time can be from 15 minutes to 1 hour. Depending on your need, you can set the validity duration.
4. Once the credentials time out, you need to pass the identity token to STS again and get new temporary credentials.
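The four steps above, modelled end to end as an added example (this is not code from the book or from the AWS SDK). The STS side is a constructed stand-in so the code runs offline: `FakeSTS`, `parse_identity_token`, the `provider|audience|subject` token format, the role ARN with the placeholder account ID `123456789012`, and all key material are assumptions. A real client would call `assume_role_with_web_identity` on an STS client with the same role ARN, token and `DurationSeconds`, and STS would return an access key, secret key and session token. The stand-in also enforces what a real role's trust policy should enforce: the token's audience (the app ID you registered in step 1) must match, or the call is denied.

```python
"""Web Identity Federation flow (constructed example, runs offline).

Step 1: the provider issues an identity token for the registered app.
Step 2: exchange it via AssumeRoleWithWebIdentity for temporary credentials.
Step 3: use the credentials until they expire (15 min to 1 h).
Step 4: present the same identity token again to get fresh credentials.
"""
import time
from dataclasses import dataclass

# Validity window as stated in the text: 15 minutes to 1 hour.
MIN_DURATION_SECONDS = 15 * 60
MAX_DURATION_SECONDS = 60 * 60


@dataclass
class TemporaryCredentials:
    """What AssumeRoleWithWebIdentity hands back (step 2)."""
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # epoch seconds

    def expires_within(self, now, margin=60):
        # Treat credentials as stale shortly before expiry so an in-flight
        # DynamoDB call does not fail mid-request.
        return now + margin >= self.expiration


def parse_identity_token(token):
    """Constructed token format 'provider|audience|subject'.

    Real providers return a signed token (an OIDC JWT for Google, an access
    token for Login with Amazon) that STS verifies with the provider; the
    pipe-separated form is a stand-in so this example needs no network.
    """
    provider, audience, subject = token.split("|", 2)
    return provider, audience, subject


class FakeSTS:
    """Stand-in for AWS STS (constructed, not the AWS SDK).

    trust_policy maps role ARN -> (provider, set of allowed app/client IDs),
    mirroring the Condition on the provider's ':aud' key that a real role's
    trust policy should carry. Without that condition any user of the
    provider, not just users of your app, could assume the role.
    """
    def __init__(self, trust_policy):
        self.trust_policy = trust_policy
        self.calls = 0  # how many exchanges happened (one per refresh)

    def assume_role_with_web_identity(self, role_arn, web_identity_token,
                                      duration_seconds, now):
        if not MIN_DURATION_SECONDS <= duration_seconds <= MAX_DURATION_SECONDS:
            raise ValueError("DurationSeconds must be between 900 and 3600")
        provider, audience, subject = parse_identity_token(web_identity_token)
        trusted = self.trust_policy.get(role_arn)
        if trusted is None or trusted[0] != provider or audience not in trusted[1]:
            raise PermissionError("AccessDenied: token not trusted by %s" % role_arn)
        self.calls += 1
        # Constructed key material; real values come from STS.
        return TemporaryCredentials(
            access_key_id="ASIAEXAMPLE%04d" % self.calls,
            secret_access_key="secret-for-%s-%d" % (subject, self.calls),
            session_token="session-token-%d" % self.calls,
            expiration=now + duration_seconds,
        )


class WebIdentitySession:
    """Client side of steps 2 to 4: exchange the token once, cache the
    credentials for every AWS call, re-exchange the same token on expiry."""
    def __init__(self, sts, role_arn, identity_token,
                 duration_seconds=MIN_DURATION_SECONDS):
        self.sts = sts
        self.role_arn = role_arn
        self.identity_token = identity_token
        self.duration_seconds = duration_seconds
        self._creds = None

    def get_credentials(self, now=None):
        """Return valid credentials, refreshing them when they have timed out."""
        now = time.time() if now is None else now
        if self._creds is None or self._creds.expires_within(now):
            self._creds = self.sts.assume_role_with_web_identity(
                self.role_arn, self.identity_token, self.duration_seconds, now)
        return self._creds


if __name__ == "__main__":
    role = "arn:aws:iam::123456789012:role/WifAppRole"  # placeholder account ID
    sts = FakeSTS({role: ("www.amazon.com", {"amzn1.application-oa2-client.example"})})
    token = "www.amazon.com|amzn1.application-oa2-client.example|user-42"  # constructed
    session = WebIdentitySession(sts, role, token, duration_seconds=900)
    print(session.get_credentials(now=0.0).access_key_id)    # first exchange
    print(session.get_credentials(now=900.0).access_key_id)  # expired: second exchange
```

The cache plus the 60-second margin is the practical shape of step 4: every DynamoDB call goes through `get_credentials`, and the identity token is only re-sent to STS when the previous credentials are about to lapse, rather than on every request.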
This is explained in the following diagram: