
I am new to AWS and trying to understand the concepts. What is the difference between an IAM Role and STS, and when should an application use which service? Can anyone please explain?

BadriGadde

  • STS is just a method of getting IAM credentials. You can't use STS without IAM. STS is most useful in orgs with multiple AWS accounts. – jordanm Aug 04 '20 at 18:41

1 Answer

To put it in simple terms, an IAM role is a document: a definition of who (your app, an AWS service, etc.) can use what (a list of API calls) under which conditions (a list of service-specific conditions, optional). Roles are managed by the IAM service.

STS is the AWS service used for getting temporary credentials. If you want to assume a role, you request these credentials via the STS service. If your app has permission to assume the role, the IAM service will grant you the permissions (list of API calls) that this role allows, and the STS service will return your credentials.

Now, "when to use which" is not an entirely correct question, given the explanation above. But I understand where you got the idea, and a better question would be, in my opinion: "When to use the STS service to assume a role, and when not to".

The answer to that would be, as a rule of thumb: if your app is running on AWS (EC2, Elastic Beanstalk, Lambda, etc.), use roles directly, i.e. attach the role to the instance. If your app uses the AWS SDK for whatever language, it will pick the role up seamlessly.

The exception to this would be if you want to perform some actions in a completely different account. Then you need to use the STS service directly to assume a role in that other account.

If your payload is running outside of AWS, use STS.

Oleksii Donoha

  • Thanks for the clarification. So the final takeaway is: we use an IAM role when we want communication between AWS resources within the account; we use the STS service if we want communication between resources/users outside AWS, or communication between AWS resources/users in different accounts, which requires AssumeRole. Is my understanding correct? – BadriGadde Aug 05 '20 at 18:39
  • @BadriGadde all in all you need to understand that you **always** call STS to assume a role. It's just that when you run the app on EC2, the AWS SDK will do it for you under the hood. If you run outside of AWS or cross-account, you need to do that explicitly. – Oleksii Donoha Aug 07 '20 at 16:52
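The two paths the answer and its comments describe, as an added example that is not part of the question, the answer or any AWS SDK code: the explicit STS `AssumeRole` call an app makes to hop into a different account, next to the "let the SDK find the attached role" path used on EC2 or Lambda. The account id, role name, `ExternalId` and the `FakeSts` stand-in are constructed so the assume-role flow can be exercised offline; `cross_account_session` is the real-usage variant and assumes boto3 is installed and network access to STS is available.

```python
# Added example (not from the question or answer): explicit STS AssumeRole for
# cross-account access, beside the implicit instance-role path the SDK handles.
# Account id, role name, ExternalId and FakeSts are constructed placeholders.
from __future__ import annotations

from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed: a role in a *different* account whose trust policy allows this app.
TARGET_ROLE_ARN = "arn:aws:iam::222222222222:role/CrossAccountReadOnly"


def assume_role(sts_client, role_arn: str, session_name: str,
                external_id: Optional[str] = None,
                duration_seconds: int = 3600) -> dict:
    """Call STS AssumeRole and shape the reply for boto3.Session / the CLI.

    sts_client is anything with an assume_role(**kwargs) method: a real
    boto3 STS client in production, the offline FakeSts below in tests.
    """
    params = {
        "RoleArn": role_arn,
        # Appears in the target account's CloudTrail; name it after the caller.
        "RoleSessionName": session_name,
        # Keep sessions short; the role's max session duration caps this anyway.
        "DurationSeconds": duration_seconds,
    }
    if external_id:
        # Required when the target role's trust policy demands an ExternalId.
        params["ExternalId"] = external_id
    creds = sts_client.assume_role(**params)["Credentials"]
    return {
        "aws_access_key_id": creds["AccessKeyId"],
        "aws_secret_access_key": creds["SecretAccessKey"],
        # Temporary credentials always carry a session token; never drop it.
        "aws_session_token": creds["SessionToken"],
        "expiration": creds["Expiration"],
    }


def needs_refresh(creds: dict, now: Optional[datetime] = None,
                  margin: timedelta = timedelta(minutes=5)) -> bool:
    """True when the temporary credentials expire within `margin`."""
    now = now or datetime.now(timezone.utc)
    return creds["expiration"] - now <= margin


def cross_account_session(role_arn: str = TARGET_ROLE_ARN,
                          session_name: str = "app-cross-account"):
    """Real usage (needs boto3 and network; not exercised offline).

    boto3.client("sts") with no explicit keys uses whatever the SDK finds on
    its own: on EC2 or Lambda that is the attached role, fetched under the
    hood. Only the hop into the other account is an explicit STS call.
    """
    import boto3  # assumption: boto3 is installed where this runs

    creds = assume_role(boto3.client("sts"), role_arn, session_name)
    return boto3.Session(
        aws_access_key_id=creds["aws_access_key_id"],
        aws_secret_access_key=creds["aws_secret_access_key"],
        aws_session_token=creds["aws_session_token"],
    )


class FakeSts:
    """Constructed offline stand-in for a boto3 STS client (no network)."""

    def __init__(self, now: Optional[datetime] = None):
        self.now = now or datetime.now(timezone.utc)
        self.calls: list = []  # records every AssumeRole request it receives

    def assume_role(self, **params):
        self.calls.append(params)
        parts = params["RoleArn"].split(":")
        if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("role/"):
            raise ValueError("malformed RoleArn")
        account, role_name = parts[4], parts[5].split("/", 1)[1]
        session = params["RoleSessionName"]
        return {
            "Credentials": {
                "AccessKeyId": "ASIAEXAMPLEKEY",            # constructed
                "SecretAccessKey": "example-secret",        # constructed
                "SessionToken": "example-session-token",    # constructed
                "Expiration": self.now + timedelta(seconds=params["DurationSeconds"]),
            },
            "AssumedRoleUser": {
                "AssumedRoleId": "AROAEXAMPLE:" + session,
                "Arn": f"arn:aws:sts::{account}:assumed-role/{role_name}/{session}",
            },
        }


if __name__ == "__main__":
    creds = assume_role(FakeSts(), TARGET_ROLE_ARN, "demo-session", duration_seconds=900)
    print("key:", creds["aws_access_key_id"], "refresh now?", needs_refresh(creds))
```

The shape matters more than the stand-in: the same `assume_role` function works against a real `boto3.client("sts")`, and `needs_refresh` is the check a long-running process outside AWS needs, because the credentials STS hands back are temporary and must be re-requested before `Expiration`.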