Configure AWS STS Token

The AWS Security Token Service (STS) token provides temporary credentials for secure access to AWS resources. By default, STS token is enabled in the DataServer. For more details, see Flow for STS Token.

Note

  • The STS_DURATION_SECONDS property specifies the duration for which the AWS Security Token Service (STS) token is valid. The default value is 3600 seconds (1 hour).
  • This property is critical in scenarios where access revocation must reflect in Spark sessions. Since an active session uses the temporary credentials issued by the STS token, any changes to permissions (such as revoking access) may not reflect until the token expires, or the session is restarted with new credentials.

  • Scenario Explanation:

    • Access Revoke Behavior: When a user is logged into an active Spark session, access continues to function based on the permissions available when the session started. If permissions are revoked in Privacera during this session, the access will remain valid until:

      • The current STS token expires (default 1 hour). Since the STS token with policy enabled access is already cached, new policies will only be synced after the current STS token expires.
      • A new Spark session is started, which fetches the latest credentials reflecting the updated permissions.

    • Access Grant Behavior: When a user is logged into an active Spark session, access is granted based on the permissions available when the session started. If permissions are granted in Privacera during this session, the access will reflect immediately because the new permissions are actively granted and checked in real time.

  • To minimize the delay in reflecting access changes, you can configure the STS_DURATION_SECONDS property to a lower value, such as 300 seconds (5 minutes). This will ensure that the STS token expires sooner, and the session fetches updated credentials more frequently. However, this may increase the frequency of credential refreshes, which can impact performance.

  1. To configure the AWS STS token and its expiry time, include the following properties in the vars.dataserver.aws.yml file:

    YAML
    1
2
3
4
5
6
7
8
    DATASERVER_AWS_PROFILE_PROPERTIES:
- PROFILE_NAME: "aws_account1"
  PROFILE_PROPERTIES:
    # Set true to enable STS token
    - STS_TOKEN_SIGNING_ENABLE: "true"

    # Set the STS token expiry time in seconds.
    - STS_DURATION_SECONDS: "3600"

  2. Once the properties are configured, refer to the Privacera Manager Quickstart.

  1. In PrivaceraCloud, navigate to Settings -> Applications.
  2. On the Connected Applications screen, select S3.
  3. On the screen, click the edit icon, click on Access Management -> ADVANCED tab.
  4. Add the following property with the appropriate value for <your_profile_name>:
    Properties
    1
2
    dataserver.aws.<your_profile_name>.signer.ststoken.enable=true
dataserver.aws.<your_profile_name>.sts.duration.seconds=3600
  5. Click the Test Connection button to verify the connection.
  6. Once the connection is successful, click Save.

Comments