CA PAM - use STS:assumeRole API instead of STS:getFederationToken API

Last activity 07-23-2019 01:25 PM
Raj Gandhi, 07-23-2019 01:25 PM

Currently PAM uses the STS:GetFederationToken API to provision AWS Console access for the user. However, once the user is logged in to the AWS Console, the user cannot assume another AWS role. This is a limitation of the STS:GetFederationToken API.

Based on the documentation provided by AWS, they recommend using STS:AssumeRole to log the user in to the AWS account; from there the user can assume additional roles as required.

Can PAM support this feature?

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison (see the "API Restrictions" comparison)
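To make the requested change concrete, below is an added example (not CA PAM code and not from AWS) of how a console-access broker issues a session with sts:AssumeRole and then converts it into a console sign-in URL through the AWS federation endpoint (the documented getSigninToken / login two-step). The STS client is injected so the flow can be exercised offline with a constructed stub; in production you would pass `boto3.client("sts")`. The role ARN, session name, issuer URL and the stub's credential values are all constructed placeholders.

```python
"""Console-access broker built on sts:AssumeRole (added example, not CA PAM code).

Only the standard library is used. The STS client is injected: pass
boto3.client("sts") in a real deployment, or the stub below to run offline.
"""
import json
from urllib.parse import urlencode

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"


def assume_role_for_console(sts, role_arn, session_name, session_policy=None,
                            duration_seconds=3600):
    """Call sts:AssumeRole and return the temporary credentials.

    Per the AWS comparison table linked in the idea, credentials minted by
    GetFederationToken cannot call AssumeRole, so the console user is stuck
    in one set of permissions. AssumeRole credentials may chain into further
    roles, which is the capability the idea asks for.
    """
    kwargs = {
        "RoleArn": role_arn,
        "RoleSessionName": session_name,       # appears in CloudTrail as the actor
        "DurationSeconds": duration_seconds,
    }
    if session_policy is not None:
        # An inline session policy can only narrow the role's permissions,
        # so the broker can scope each session without editing the role.
        kwargs["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    return sts.assume_role(**kwargs)["Credentials"]


def signin_token_url(creds, session_duration=3600):
    """Step 1 of the federation flow: URL that exchanges temporary
    credentials for a SigninToken (the broker fetches this server-side)."""
    session = {
        "sessionId": creds["AccessKeyId"],
        "sessionKey": creds["SecretAccessKey"],
        "sessionToken": creds["SessionToken"],
    }
    query = urlencode({
        "Action": "getSigninToken",
        "SessionDuration": session_duration,
        "Session": json.dumps(session, separators=(",", ":")),
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


def console_login_url(signin_token, destination="https://console.aws.amazon.com/",
                      issuer="https://pam.example.invalid"):
    """Step 2: the URL the user's browser is redirected to. Issuer is where
    the console sends the user when the session expires (assumed value)."""
    query = urlencode({
        "Action": "login",
        "Issuer": issuer,
        "Destination": destination,
        "SigninToken": signin_token,
    })
    return f"{FEDERATION_ENDPOINT}?{query}"


class StubSts:
    """Constructed stand-in for boto3's STS client, for offline demonstration."""

    def __init__(self):
        self.calls = []

    def assume_role(self, **kwargs):
        self.calls.append(kwargs)
        return {"Credentials": {          # constructed placeholder values
            "AccessKeyId": "ASIAEXAMPLEKEY",
            "SecretAccessKey": "exampleSecret",
            "SessionToken": "exampleSessionToken",
            "Expiration": "2019-07-23T18:25:00Z",
        }}


if __name__ == "__main__":
    sts = StubSts()
    creds = assume_role_for_console(
        sts, "arn:aws:iam::123456789012:role/ConsoleUser", "alice",  # constructed ARN
        session_policy={"Version": "2012-10-17", "Statement": []},
        duration_seconds=900)
    print(signin_token_url(creds, 900))
    # In production: HTTP GET the URL above, read "SigninToken" from the JSON
    # body, then redirect the user to console_login_url(token).
    print(console_login_url("<SigninToken from step 1>"))
```

Note that the broker, not the browser, performs step 1: the temporary secret key and session token never leave the server, and only the short-lived SigninToken is handed to the user.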