AWS STS Session Token

STSSessionToken uses the GetSessionToken API to retrieve a temporary session token.

Output Keys and Values

Key Description
access_key_id The access key ID that identifies the temporary security credentials.
secret_access_key The secret access key that can be used to sign requests.
session_token The token that users must pass to the service API to use the temporary credentials.
expiration The date on which the current credentials expire.

Authentication

You can choose from three authentication mechanisms:

  • static credentials referenced via spec.auth.secretRef
  • an IRSA (IAM Roles for Service Accounts) service account referenced via spec.auth.jwt
  • credentials from the SDK default credential chain of the controller's environment (used when no auth strategy is configured)

Request Parameters

The following request parameters can be provided under spec.requestParameters:

  • sessionDuration -> the TTL, in seconds, of the generated session token
  • serialNumber -> the serial number (or ARN) of the MFA device assigned to the user
  • tokenCode -> the one-time code generated by the MFA device referenced above

Example Manifest

apiVersion: generators.external-secrets.io/v1alpha1
kind: STSSessionToken
metadata:
  name: sts-gen
spec:

  # specify aws region (mandatory)
  region: eu-west-1

  # assume role with the given authentication credentials
  role: "my-role"

  # choose one authentication strategy
  # if no auth strategy is defined the controller falls back to
  # credentials from its own environment (SDK default credential chain).
  auth:

    # option 1: static credentials
    # point to a secret that contains static credentials
    # like AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
    secretRef:
      accessKeyIDSecretRef:
        name: "my-aws-creds"
        key: "key-id"
      secretAccessKeySecretRef:
        name: "my-aws-creds"
        key: "access-secret"

    # option 2: IAM Roles for Service Accounts
    # point to a service account that should be used
    # that is configured for IAM Roles for Service Accounts (IRSA)
    jwt:
      serviceAccountRef:
        name: "oci-token-sync"

  # optional request parameters for further fine-tuning the Token generation.
  requestParameters:
    serialNumber: arn:aws:iam::123456789012:mfa/user
    sessionDuration: 900
    tokenCode: "123456"

Example ExternalSecret that references the STS Session Token generator:

apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: "sts-secret"
spec:
  refreshInterval: "1h"
  target:
    name: sts-secret
  dataFrom:
  - sourceRef:
      generatorRef:
        apiVersion: generators.external-secrets.io/v1alpha1
        kind: STSSessionToken
        name: "sts-gen"
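Two things are easy to get wrong when wiring the generator above into an ExternalSecret: the request parameters must satisfy the limits the GetSessionToken API enforces, and the ExternalSecret's refreshInterval must not exceed the sessionDuration, otherwise the Kubernetes Secret holds already-expired credentials for part of every refresh cycle (with the manifests above, a 1h refresh against a 900-second session leaves a 45-minute gap). The following added example, which is not External Secrets Operator code, checks both and maps a GetSessionToken response onto the output keys listed at the top of this page. The numeric limits are taken from the AWS STS GetSessionToken API reference; the STS response is a constructed stand-in, not real credentials.

```python
"""Sanity checks for an STSSessionToken manifest and the ExternalSecret that uses it.

Added example, not External Secrets Operator code. Limits are the ones documented
in the AWS STS GetSessionToken API reference; SAMPLE_RESPONSE is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# GetSessionToken limits (AWS API reference): 900 s minimum; IAM users may request
# up to 129,600 s (36 h), the account root user at most 3,600 s (1 h).
MIN_DURATION_SECONDS = 900
MAX_DURATION_IAM_USER = 129_600
MAX_DURATION_ROOT = 3_600

_GO_DURATION_UNIT = re.compile(r"(\d+(?:\.\d+)?)(ms|h|m|s)")
_UNIT_SECONDS = {"ms": 0.001, "s": 1, "m": 60, "h": 3600}


def parse_go_duration(value: str) -> timedelta:
    """Parse a Go-style duration such as "1h", "30m" or "1h30m" (the refreshInterval format)."""
    pos = 0
    total = 0.0
    for match in _GO_DURATION_UNIT.finditer(value):
        if match.start() != pos:
            raise ValueError(f"invalid duration: {value!r}")
        total += float(match.group(1)) * _UNIT_SECONDS[match.group(2)]
        pos = match.end()
    if pos == 0 or pos != len(value):
        raise ValueError(f"invalid duration: {value!r}")
    return timedelta(seconds=total)


def validate_request_parameters(params: dict, root_user: bool = False) -> list:
    """Return the problems found in spec.requestParameters (empty list when acceptable)."""
    errors = []
    duration = params.get("sessionDuration")
    if duration is not None:
        limit = MAX_DURATION_ROOT if root_user else MAX_DURATION_IAM_USER
        if not isinstance(duration, int) or not MIN_DURATION_SECONDS <= duration <= limit:
            errors.append(
                f"sessionDuration must be an integer between {MIN_DURATION_SECONDS} and {limit} seconds"
            )
    serial = params.get("serialNumber")
    token = params.get("tokenCode")
    # STS rejects an MFA request that carries only one of the two fields.
    if (serial is None) != (token is None):
        errors.append("serialNumber and tokenCode must be supplied together for an MFA-backed request")
    if serial is not None and not re.fullmatch(r"[\w+=/:,.@-]{9,256}", str(serial)):
        errors.append("serialNumber must be a hardware device serial or a virtual MFA device ARN")
    if token is not None and not re.fullmatch(r"\d{6}", str(token)):
        errors.append("tokenCode must be the six-digit code shown by the MFA device")
    return errors


def expired_window(refresh_interval: str, session_duration: int) -> timedelta:
    """How long, per refresh cycle, the Secret holds credentials that have already expired.

    The token lives for session_duration seconds, but the ExternalSecret only rewrites the
    Secret every refresh_interval; the difference is the window in which consumers read
    dead credentials. Zero means the refresh keeps up with the token lifetime.
    """
    gap = parse_go_duration(refresh_interval) - timedelta(seconds=session_duration)
    return max(gap, timedelta(0))


def to_output_keys(response: dict) -> dict:
    """Map a GetSessionToken response onto the generator's documented output keys."""
    creds = response["Credentials"]
    return {
        "access_key_id": creds["AccessKeyId"],
        "secret_access_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expiration": creds["Expiration"].isoformat(),
    }


# Values taken from the two example manifests on this page.
REQUEST_PARAMETERS = {
    "serialNumber": "arn:aws:iam::123456789012:mfa/user",
    "sessionDuration": 900,
    "tokenCode": "123456",
}
REFRESH_INTERVAL = "1h"

# Constructed stand-in for the shape of a get_session_token() response (not real credentials).
SAMPLE_RESPONSE = {
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "constructed-secret-access-key",
        "SessionToken": "constructed-session-token",
        "Expiration": datetime(2024, 1, 1, 12, 15, tzinfo=timezone.utc),
    }
}

if __name__ == "__main__":
    print("request parameter problems:", validate_request_parameters(REQUEST_PARAMETERS) or "none")
    print("expired-credential window per refresh:",
          expired_window(REFRESH_INTERVAL, REQUEST_PARAMETERS["sessionDuration"]))
    print("secret keys:", to_output_keys(SAMPLE_RESPONSE))
```

Run it as-is to see the 45-minute gap the page's example manifests produce; in practice either lower refreshInterval below sessionDuration or raise sessionDuration so that the generated token outlives the refresh cycle.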