This tutorial will guide you through building a secure, serverless API to programmatically issue temporary AWS credentials using AWS STS (Security Token Service) and expose them via API Gateway. This approach avoids the need for long-lived credentials while providing secure, revocable tokens for clients.

1. Overview of the Solution

We will:

Use an IAM role to provide AWS permissions.
Set up an AWS Lambda function to call sts:AssumeRole and generate temporary credentials.
Expose the Lambda function using Amazon API Gateway as a RESTful API endpoint.
Secure the API Gateway using an API key or IAM authentication.

2. Prerequisites

AWS account with the required permissions.
AWS CLI configured.
Basic knowledge of AWS IAM, Lambda, and API Gateway.
Python runtime for Lambda.

3. Step-by-Step Implementation

Step 1: Create an IAM Role for AssumeRole

Go to the AWS IAM console.
Create a Role:

Select “Another AWS Account” as the trusted entity.
Use your AWS Account ID (or the account that will assume the role).

Attach a policy (e.g., AmazonS3ReadOnlyAccess) for permissions.
Save the Role ARN (e.g., arn:aws:iam::123456789012:role/TemporaryAccessRole).

Step 2: Create a Lambda Function

Go to the AWS Lambda console and click Create Function, then Choose Author from Scratch:

Function Name: generate-temp-credentials
Runtime: Python 3.9+.

Step 2.1 Python Code

Add the following Python code to generate temporary credentials using sts:AssumeRole:

   def lambda_handler(event, context):  
       # STS client  
       sts_client = boto3.client("sts")  

       # Role to assume (set in environment variable)  
       role_arn = os.environ['ROLE_ARN']  
       session_name = "TemporarySession"  

       try:  
           # Call AssumeRole to get temporary credentials  
           response = sts_client.assume_role(  
               RoleArn=role_arn,  
               RoleSessionName=session_name,  
               DurationSeconds=3600  # Valid for 1 hour  
           )  

           # Extract credentials  
           credentials = response["Credentials"]  

           # Return credentials securely  
           return {  
               "statusCode": 200,  
               "body": json.dumps({  
                   "AccessKeyId": credentials["AccessKeyId"],  
                   "SecretAccessKey": credentials["SecretAccessKey"],  
                   "SessionToken": credentials["SessionToken"],  
                   "Expiration": credentials["Expiration"].isoformat()  
               })  
           }  
       except Exception as e:  
           return {  
               "statusCode": 500,  
               "body": json.dumps({"error": str(e)})  
           }

Step 2.2 Environment Variables

In the Environment Variables section, add:

Key: ROLE_ARN
Value: The IAM role ARN you created earlier.

Step 2.3 Add Lambda Execution Role

Attach a role to the Lambda function with the sts:AssumeRole permission:

    {  
       "Version": "2012-10-17",  
       "Statement": [  
         {  
           "Effect": "Allow",  
           "Action": "sts:AssumeRole",  
           "Resource": "arn:aws:iam::123456789012:role/TemporaryAccessRole"  
         }  
       ]  
     }

Step 2.4 Deployment

Save and deploy the Lambda function.

Step 3: Set Up API Gateway

Go to the API Gateway console and create a new REST API.
Add a Resource and Method:
- Resource: /get-temp-credentials
- Method: POST.
Integrate with the Lambda function:
- Choose Lambda Function as the integration type.
- Link it to the generate-temp-credentials Lambda function.
Deploy the API:
- Go to Actions > Deploy API.
- Choose a stage (e.g., prod).
Note the API endpoint URL.

Step 4: Secure the API

You can secure the API endpoint in multiple ways:

Option 1: API Keys

Enable API Keys on the API Gateway method.
Generate an API key under the API Gateway console.
Pass the API key in the request header:

x-api-key: YOUR_API_KEY

Option 2: IAM Authorization

Enable IAM Authentication on the API method.
Use an IAM user or role to call the API securely.

Example: Secure Call with IAM:

aws apigateway test-invoke-method
  --rest-api-id YOUR_API_ID
  --resource-id YOUR_RESOURCE_ID
  --http-method POST
  --profile YOUR_IAM_PROFILE

Step 5: Test the Endpoint

Using tools like curl or Postman, call the API Gateway endpoint:

curl -X POST \
  -H "x-api-key: YOUR_API_KEY" \
  https://YOUR_API_ID.execute-api.us-west-2.amazonaws.com/prod/get-temp-credentials

Example Response:

{
    "AccessKeyId": "ASIAXXXXXXXXXXXXX",
    "SecretAccessKey": "wJalrXUtnFEXAMPLEKEY",
    "SessionToken": "IQoJb3JpZ2…",
    "Expiration": "2024-06-17T12:34:56Z"
}

4. Client Usage of Temporary Credentials

The client can use the returned credentials to create a session in AWS SDKs (e.g., Boto3):

import boto3

Temporary credentials from API response

temp_credentials = {
    "aws_access_key_id": "ASIAXXXXXXXXXXXXX",
    "aws_secret_access_key": "wJalrXUtnFEXAMPLEKEY",
    "aws_session_token": "IQoJb3JpZ2…"
}

Initialize session

session = boto3.Session(
    aws_access_key_id=temp_credentials["aws_access_key_id"],
    aws_secret_access_key=temp_credentials["aws_secret_access_key"],
    aws_session_token=temp_credentials["aws_session_token"]
)

Use session

s3 = session.client("s3")
print(s3.list_buckets())

5. Conclusion

By using AWS STS AssumeRole with a secure API Gateway and Lambda function, you can create a mechanism to issue temporary credentials for clients. This approach avoids static, long-lived credentials and provides secure, revocable tokens that expire automatically. It is a scalable, serverless solution for API-based access to AWS resources.