Signing Requests

Get ready to learn how to sign requests to an AWS service using security keys!

IAM user keys

To explain how temporary grants work, you first need to understand the role of the security keys you entered when configuring command-line access in Chapter 2.

Each IAM user has two keys:

  • an access key
  • a secret key

When the SDK makes a request to an AWS service, for example s3.putObject(), it sends the access key in the request headers. This allows the service to map the request to an AWS account. The SDK also sends a cryptographic signature based on the request body and the secret key using Amazon’s Signature Version 4 Signing Process (SIGV4 algorithm). The receiving service uses the access key to locate the corresponding secret key in the IAM database, and also creates a SIGV4 signature for the request. If the two signatures match, AWS knows that the request was authorised by the user.

The interesting part of this is that some services accept templated signatures, so you can create a grant upfront without knowing all the request parameters. This allows you to effectively produce temporary grants for users to perform limited operations with your AWS resources. For example, you could sign a request matching an S3 upload to a specific file key, in a specific bucket, up to a specific size, and only valid for a specific period of time. You can then safely send this signature to a client, without the risk of exposing the real secret key. ...
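The two paragraphs above describe the same mechanism from both ends: the client derives a signature from the request and the secret key, and the service looks up the secret by access key and recomputes it. The following is an added worked example (it is not the book's code and not the AWS SDK) that implements that derivation with only the Python standard library, adds a toy "receiving service" that does the lookup-and-recompute check, and then builds the "templated" form from the second paragraph as a query-string-authenticated (presigned) request with an expiry the service enforces. The credentials `AKIDEXAMPLE` / `wJalr…EXAMPLEKEY` and the `ListUsers` request are the placeholders AWS uses in its own SigV4 documentation; `KEY_DB`, the bucket host `example-bucket.s3.amazonaws.com` and the object key `/uploads/report.pdf` are constructed here. A size limit on an upload comes from an S3 POST policy rather than a presigned URL, and is not shown.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# AWS's documented placeholder credentials (not real). KEY_DB stands in for the
# IAM lookup the text describes: access key -> secret key.
ACCESS_KEY = "AKIDEXAMPLE"
SECRET_KEY = "wJalrXUtnFEMI/K7MDENG+bPxRfiCYEXAMPLEKEY"
KEY_DB = {ACCESS_KEY: SECRET_KEY}
EMPTY_PAYLOAD_HASH = hashlib.sha256(b"").hexdigest()

# The ListUsers request from AWS's SigV4 documentation, used as sample input.
DOC_DATE = "20150830T123600Z"
DOC_QUERY = {"Action": "ListUsers", "Version": "2010-05-08"}
DOC_HEADERS = {"Host": "iam.amazonaws.com", "X-Amz-Date": DOC_DATE,
               "Content-Type": "application/x-www-form-urlencoded; charset=utf-8"}


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()


def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """kSecret -> kDate -> kRegion -> kService -> kSigning. Only this derived,
    scoped key ever signs anything; the raw secret never leaves the signer."""
    k_date = _hmac(("AWS4" + secret).encode("utf-8"), date)
    k_region = _hmac(k_date, region)
    k_service = _hmac(k_region, service)
    return _hmac(k_service, "aws4_request")


def canonical_request(method, path, query, headers, payload_hash):
    """Canonicalise exactly as the service will: sorted, URI-encoded query;
    lower-cased, sorted headers with collapsed whitespace; hash of the body."""
    canon_query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                           for k, v in sorted(query.items()))
    lowered = {k.lower(): " ".join(v.split()) for k, v in headers.items()}
    signed_headers = ";".join(sorted(lowered))
    canon_headers = "".join(f"{k}:{lowered[k]}\n" for k in sorted(lowered))
    return "\n".join([method, path, canon_query, canon_headers, signed_headers, payload_hash])


def sign(secret, method, path, query, headers, payload_hash, amz_date, region, service):
    """Hex SigV4 signature: HMAC(kSigning, string-to-sign)."""
    date = amz_date[:8]
    scope = f"{date}/{region}/{service}/aws4_request"
    creq_hash = hashlib.sha256(
        canonical_request(method, path, query, headers, payload_hash).encode("utf-8")).hexdigest()
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope, creq_hash])
    return hmac.new(signing_key(secret, date, region, service),
                    string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()


def service_verify(access_key, presented_sig, method, path, query, headers,
                   payload_hash, amz_date, region, service) -> bool:
    """Toy receiving service: find the secret by access key, recompute the
    signature over the request it actually received, compare in constant time."""
    secret = KEY_DB.get(access_key)
    if secret is None:
        return False
    expected = sign(secret, method, path, query, headers, payload_hash, amz_date, region, service)
    return hmac.compare_digest(expected, presented_sig)


def presign(method, host, path, amz_date, expires_s, region="us-east-1", service="s3",
            access_key=ACCESS_KEY, secret=SECRET_KEY) -> dict:
    """The 'templated signature' of the text as a query-string-authenticated
    request: method, host, object key, scope and lifetime are fixed by the
    signer; the body is left unsigned (UNSIGNED-PAYLOAD) so the holder may
    upload any content to exactly this key until the grant expires."""
    scope = f"{amz_date[:8]}/{region}/{service}/aws4_request"
    query = {"X-Amz-Algorithm": "AWS4-HMAC-SHA256",
             "X-Amz-Credential": f"{access_key}/{scope}",
             "X-Amz-Date": amz_date, "X-Amz-Expires": str(expires_s),
             "X-Amz-SignedHeaders": "host"}
    query["X-Amz-Signature"] = sign(secret, method, path, query, {"host": host},
                                    "UNSIGNED-PAYLOAD", amz_date, region, service)
    return query


def parse_amz_date(s: str) -> datetime:
    return datetime.strptime(s, "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)


def service_verify_presigned(method, host, path, query, now: datetime) -> bool:
    """Service side of a presigned URL: refuse expired grants first, then
    recompute over everything in the query except the signature itself."""
    access_key, _, scope = query["X-Amz-Credential"].partition("/")
    _, region, service, _ = scope.split("/")
    issued = parse_amz_date(query["X-Amz-Date"])
    if now > issued + timedelta(seconds=int(query["X-Amz-Expires"])):
        return False
    unsigned = {k: v for k, v in query.items() if k != "X-Amz-Signature"}
    return service_verify(access_key, query["X-Amz-Signature"], method, path, unsigned,
                          {"host": host}, "UNSIGNED-PAYLOAD", query["X-Amz-Date"], region, service)


if __name__ == "__main__":
    sig = sign(SECRET_KEY, "GET", "/", DOC_QUERY, DOC_HEADERS, EMPTY_PAYLOAD_HASH,
               DOC_DATE, "us-east-1", "iam")
    print(f"Authorization: AWS4-HMAC-SHA256 Credential={ACCESS_KEY}/20150830/us-east-1/iam/"
          f"aws4_request, SignedHeaders=content-type;host;x-amz-date, Signature={sig}")
    host, key = "example-bucket.s3.amazonaws.com", "/uploads/report.pdf"
    grant = presign("PUT", host, key, DOC_DATE, 300)
    print("grant valid one minute later:",
          service_verify_presigned("PUT", host, key, grant, parse_amz_date("20150830T123700Z")))
```

Run it directly to see the Authorization header the documented request would carry and a presigned PUT being accepted inside its 300-second window. The points worth noticing are that the service never needs the client's signature to be "decrypted", only recomputed from its own copy of the secret; that changing any signed element (an action parameter, the region in the scope, the object key or method of a presigned request) invalidates the signature; and that the holder of a presigned URL gets exactly the operation the signer fixed, for exactly the lifetime in `X-Amz-Expires`, without ever seeing `SECRET_KEY`.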