DynamoDB - Web Identity Federation


Web Identity Federation allows you to simplify authentication and authorization for large user groups. You can skip the creation of individual accounts, and require users to login to an identity provider to get temporary credentials or tokens. It uses AWS Security Token Service (STS) to manage credentials. Applications use these tokens to interact with services.

Web Identity Federation also supports other identity providers such as – Amazon, Google, and Facebook.

Function − In use, Web Identity Federation first calls an identity provider for user and app authentication, and the provider returns a token. This results in the app calling AWS STS and passing the token for input. STS authorizes the app and grants it temporary access credentials, which allow the app to use an IAM role and access resources based on policy.

Implementing Web Identity Federation

You must perform the following three steps prior to use −

  • Use a supported third party identity provider to register as a developer.

  • Register your application with the provider to obtain an app ID.

  • Create a single or multiple IAM roles, including policy attachment. You must use a role per provider per app.

Assume one of your IAM roles to use Web Identity Federation. Your app must then perform a three-step process −

  • Authentication
  • Credential acquisition
  • Resource Access

In the first step, your app uses its own interface to call the provider and then manages the token process.

Then step two manages tokens and requires your app to send an AssumeRoleWithWebIdentity request to AWS STS. The request holds the first token, the provider app ID, and the ARN of the IAM role. The STS the provides credentials set to expire after a certain period.

In the final step, your app receives a response from STS containing access information for DynamoDB resources. It consists of access credentials, expiration time, role, and role ID.