If this directory was based on AD, could Identity Broker have used AssumeRoleWithSAML against STS?
I’m trying to figure out what are the use cases of using GetFederationToken instead of AssumeRoleWithSAML
In my understanding it’s because you don’t have a token from the ID Provider yet, AssumeRoleWithSAML needs you to pass a token coming from AD. Maybe someone can confirm/deny this. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
GetFederationToken and AssumeRole. Both return a set of temporary security credentials, but they differ in how permissions associated with the temporary security credentials are derived. Both are called by the Application.
GetFederationToken requires an IAM user or root. The resulting permissions inherit the permissions of the caller, scoped down by the optional permissions attached in the request
AssumeRole sessions derive their permissions from the role policies that you’ve pre-defined, (once again scoped down by the optional permissions attached in the request). An IAM user or another role with permissions to call AssumeRole can assume a role
So, it means that I can choose between both and I juste need to make sure that either a role or a user has been created first?
Yes they both work (functionality) exactly the same – for GetFederationToken – you need a user, for AssumeRole – you need to create a role (to be assumed) and either a user or a role can assume it.