AWS IAM: AssumeRole vs GetSessionToken

Question

I'm trying to generate a temporary credentials access key and secret key. I've used AssumeRole. The description says it generates an access key and secret key. But GetSessionTokenResult can also generate an access key and secret key. Then what's the use of assumeRole?

AWSSecurityTokenService awsSecurityTokenService = 
    AWSSecurityTokenServiceClientBuilder 
    .standard().withCredentials(new ProfileCredentialsProvider())
    .withRegion(region).build();
AssumeRoleRequest assumeRoleRequest = new AssumeRoleRequest()
    .withRoleArn(
                 "arn:aws:iam::account-id:role/p-27c229ade194_ec2")
    .withRoleSessionName("RedshiftSession");
AssumeRoleResult assumeRoleResult = awsSecurityTokenService
    .assumeRole(assumeRoleRequest);
GetSessionTokenRequest getSessionTokenRequest = new GetSessionTokenRequest();
getSessionTokenRequest.setDurationSeconds(1200);
GetSessionTokenResult getSessionTokenResult = awsSecurityTokenService
    .getSessionToken(getSessionTokenRequest);
Credentials sessionCredentials = getSessionTokenResult.getCredentials();

final String adminAccessKeyId = sessionCredentials.getAccessKeyId();
final String adminAccessSecretKey = sessionCredentials
    .getSecretAccessKey();

Earlier using assumeRole it showed error => aws:iam::user/admin is not sts:assumeRole on resource role aws:iam::role/role_id. By adding aws:iam::user/admin in trusted relationship of role_id it worked.

If I will comment out AccessRole and its other called class. I can generate an access key and secret key. What's the purpose of using AssumeRole?

Answer 1

There are several methods to obtain temporary credentials, depending upon your requirements:

• GetSessionToken gives you a set of temporary credentials based on your own IAM User. This is commonly used to activate Multi-Factor Authentication (MFA), or to create some scoped-down credentials for a situation where you want to limit access (eg giving access to an application that uploads/downloads data to S3, without giving any non-S3 access). The new credentials have, at most, the same permissions as you have (and never any more).
• AssumeRole is used to obtain credentials that have a totally different set of permissions. For example, you might not have permission to access S3, but you might have permission to assume an "S3 access" role. The credentials returned then allow you to temporarily access S3. Another example is providing access to administrator permissions — rather than always using an account with Admin permissions, it is safer to temporarily assume an Admin role, do the admin activity, then return to using normal credentials. Less is likely to go wrong than always using Admin-level access.

Also, AssumeRole can be used to gain cross-account access. For example, a user in Account A could assume a role in Account B, which grants access to resources in Account B. This is not possible via GetSessionToken.

I always find this article useful to explain the differences: Understanding the API Options for Securely Delegating Access to Your AWS Account | AWS Security Blog