Question

If there is a user that sends a request to STS requesting for credentials:

AWS.config.credentials = new AWS.WebIdentityCredentials({

  RoleArn: 'arn:aws:iam::{id}:role/{role}',

  WebIdentityToken: idToken,

  RoleSessionName: VALUE

});

Next, if the user sends a request to a private API Gateway endpoint, and if it uses RoleSessionName, it gives me the details as to who the person is that makes the request. Now, can we avoid other users to assume this identity by using the same RoleSessionName?

Is there a best way to authenticate users using STS and IAM roles? If yes what it is?

Answer 1

RoleSessionName being an identifier for a defined session, shouldn't be used as a mechanism to differentiate callers in any case.

The assumed role is the "effective" principal in this case. If you want the API to behave differently based on the user, then please use unique role for each user.

Answer 2

RoleSessionName is the way to tell each user apart. One cannot create a separate role for each user because each account can only have 1000 roles at most. I think this API call is not meant to be used on client side for authentication purpose. It's only meant to give a role to an already authenticated user on server side.