Certified Security - Specialty

Why cannot we use AssumeRoleWithSAML?

Hello

If this directory was based on AD, could Identity Broker have used AssumeRoleWithSAML against STS?

I’m trying to figure out what the use cases are for using GetFederationToken instead of AssumeRoleWithSAML.

Thank you!

2 Answers

In my understanding it’s because you don’t have a token from the ID Provider yet; AssumeRoleWithSAML needs you to pass a token coming from AD. Maybe someone can confirm/deny this. https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html

GetFederationToken and AssumeRole both return a set of temporary security credentials, but they differ in how the permissions associated with the temporary security credentials are derived. Both are called by the Application.

GetFederationToken requires an IAM user or root. The resulting permissions inherit the permissions of the caller, scoped down by the optional permissions attached in the request.

AssumeRole sessions derive their permissions from the role policies that you’ve pre-defined (once again scoped down by the optional permissions attached in the request). An IAM user or another role with permissions to call AssumeRole can assume a role.

Guillaume

So, it means that I can choose between both and I just need to make sure that either a role or a user has been created first?

Sam T

Yes, they both work (functionally) exactly the same: for GetFederationToken you need a user; for AssumeRole you need to create a role (to be assumed), and either a user or a role can assume it.
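The permission model described in the answer above (base permissions from the IAM user for GetFederationToken or from the role for AssumeRole, optionally scoped down by a session policy in the request), as an added example that is not part of the thread. It is a simplified evaluator over Allow-only policies with constructed sample policies and hypothetical bucket names; real IAM evaluation also applies Deny statements, SCPs and resource policies.

```python
# Added example (not from the thread): a small model of how the effective
# permissions of STS temporary credentials are derived, as the answer above
# describes. The base set is the calling IAM user's policy (GetFederationToken)
# or the role's policy (AssumeRole); an optional session policy in the request
# can only scope that base set DOWN, never widen it.
# Simplified: Allow statements only, no Deny/SCP/resource-policy evaluation.
from fnmatch import fnmatchcase


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy, action, resource):
    """True if an Allow statement in this simplified policy covers the request.
    IAM-style wildcards ("*", "?") are honoured via fnmatch."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if (any(fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
                and any(fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))):
            return True
    return False


def session_allows(base_policy, session_policy, action, resource):
    """Effective permission = base policy AND session policy (intersection).
    session_policy=None models an AssumeRole call without a Policy parameter,
    in which case the session gets the role's full permissions."""
    if not policy_allows(base_policy, action, resource):
        return False  # a session policy can never add what the base lacks
    if session_policy is None:
        return True
    return policy_allows(session_policy, action, resource)


# Constructed sample policies (hypothetical bucket names).
ROLE_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "arn:aws:s3:::app-bucket/*"}]}
SESSION_POLICY = {"Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": ["arn:aws:s3:::app-bucket/*", "arn:aws:s3:::other-bucket/*"]}]}
OBJ = "arn:aws:s3:::app-bucket/report.csv"

if __name__ == "__main__":
    print(session_allows(ROLE_POLICY, SESSION_POLICY, "s3:GetObject", OBJ))  # True
    print(session_allows(ROLE_POLICY, SESSION_POLICY, "s3:PutObject", OBJ))  # False: scoped down
    print(session_allows(ROLE_POLICY, SESSION_POLICY, "s3:GetObject",
                         "arn:aws:s3:::other-bucket/x"))  # False: session policy cannot add
    print(session_allows(ROLE_POLICY, None, "s3:PutObject", OBJ))  # True: no scope-down
```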