Temporary credentials
Unlike long-term credentials, temporary security credentials in AWS are designed to be short-lived. They are dynamically generated and automatically expire after a certain period, ranging from a few minutes to several hours. This way, temporary credentials provide an added layer of security because they are not permanently stored with the user (human or non-human) and are automatically revoked when they expire. This means that even if they were to be accidentally exposed, they could not be used beyond their configured lifetime.
Temporary credentials are used in several scenarios, including identity federation, cross-account access, and roles assigned to EC2 instances, Lambda functions, or other resources.
In identity federation, temporary credentials are used to grant external identities (such as users in your corporate directory) permissions to access resources without having to create an IAM user for each identity. In cross-account access, temporary credentials allow users from one AWS account to access resources in another account.
When running an application on an EC2 instance, you can provide temporary security credentials to your instance by attaching an IAM role to it. These temporary credentials are available to all applications running on the instance, eliminating the need to store long-term credentials such as access keys locally on that instance. The same applies to Lambda functions, where using an IAM role also eliminates the need to store access keys in environment variables, or worse, within the code of the function. This approach is the most secure way to manage non-human identities in an AWS environment.
IAM Roles Anywhere further extends the versatility of temporary credentials by enabling applications running outside of AWS, such as on-premises servers, to securely assume IAM roles. However, enabling IAM Roles Anywhere outside AWS involves a more complex setup as it requires a trust anchor between your public-key infrastructure (PKI) and AWS to establish trust.