Comparing AWS IAM and Identity Federation
AWS Identity and Access Management (IAM) is a web service that provides authentication and authorization for AWS resources to your users. It provides a way to define policies and attach the policy to users that provides authentication and authorization.
When creating an IAM user under an AWS account, requires “Username”, “Password”, “Optional Policy info”, “Optional Group name” & “Optional Multi-factor authentication flag”. Authentication URL for IAM users varies from the root user and can be in the following format
Identity federation allows to sign in using a well-known identity provider (IdP) —such as Login with Amazon, Facebook, Google, or any other OpenID Connect (OIDC)-compatible IdP, receive an authentication token, and then exchange that token for temporary security credentials in AWS that map to an IAM role with permissions to use the resources in AWS account
Federation happens through AWS Security Token Service (AWS STS) and can be integrate in two different methods
- STS:GetFederationToken – Authentication using this method requires an IAM user or root. Policies are inherited from the IAM user (caller) used for providing access to federated user + additional permissions specified for the federated user as part of the STS:GetFederationToken API.
- STS:AssumeRole – Authentication using this method derives permissions from the “Role name” mentioned instead of “IAM user”. Additional policies can be specified for the federated user as part of the STS:AssumeRole API.
Note: Federated users are usually authenticated at the “Identity Provider” end. URL to authenticate can be defined as per our need if we have the control over Identify Provider used for authentication.
The table below compares IAM and Identity Federation.
|Users are created upfront and policies are pre-defined||Users are created on the fly and do not physically exist in AWS|
|Need to share credentials with user when they want to access AWS portal||Need not share credentials. Authenticated URL with Sign in token will be provided to the user to access AWS portal without any credentials or keys|
|Cannot control the session duration for IAM user without implementing any workaround.||Session duration can be controlled by specifying the time in “minutes” while authentication with AWS Security Token Service (STS). This provides federated access to services.
Sign-in token expires automatically after the “minutes” specified and user is logged out of AWS site after that time
|Policies to IAM users are pre-defined and are attached when creating IAM user. Policies can be modified anytime as required from AWS portal.||Policies can be specified at the time of authentication. So the policy can vary each time user accesses the AWS portal|
||Can be authenticated by any of the following options
|AWS login Usernames, Passwords, API Access Key and secret keys are created upfront||AWS login usernames are dynamic and can be unique for each session. Same username may or may not be used for authentication again. It can vary as per the implementation.|
|No of IAM users that can be created on AWS account are restricted to 5000 users max||There is no limit on the number of federated users accessing an account|