gitea-mirror/hacktricks-cloud
1
0
Fork 0
mirror of https://github.com/HackTricks-wiki/hacktricks-cloud.git synced 2025-12-05 20:40:18 -08:00
Code Issues Packages Projects Releases Wiki Activity

stsgetfederatedtoken

Browse Source
This commit is contained in:
JaimePolop
2025-09-29 17:14:00 +02:00
parent 19024e5a7c
commit e153dc47b0
2 changed files with 12 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
src/pentesting-cloud/aws-security/aws-post-exploitation/aws-sts-post-exploitation.md
View File

@@ -100,6 +100,18 @@ client.meta.events.register( 'before-call.secretsmanager.GetSecretValue', lambda
response = client.get_secret_value(SecretId="flag_secret") print(response['SecretString'])
```
### **`sts:GetFederationToken`**
With this permission it's possible to create a federated identity for the user executing it, limited to the permissions that this user has.
```bash
aws sts get-federation-token --name <username>
```
The token returned by sts:GetFederationToken belongs to the federated identity of the calling user, but with restricted permissions. Even if the user has administrator rights, certain actions such as listing IAM users or attaching policies cannot be performed through the federated token.
Additionally, this method is somewhat more stealthy, since the federated user does not appear in the AWS console (IAM portal), it can only be observed through CloudTrail logs or monitoring tools.
{{#include ../../../banners/hacktricks-training.md}}

23
src/pentesting-cloud/aws-security/aws-privilege-escalation/aws-sts-privesc.md
View File

@@ -37,29 +37,6 @@ aws sts assume-role --role-arn $ROLE_ARN --role-session-name sessionname
> Note that in this case the permission `sts:AssumeRole` needs to be **indicated in the role to abuse** and not in a policy belonging to the attacker.\
> With one exception, in order to **assume a role from a different account** the attacker account **also needs** to have the **`sts:AssumeRole`** over the role.
### **`sts:GetFederationToken`**
With this permission it's possible to generate credentials to impersonate any user:
```bash
aws sts get-federation-token --name <username>
```
This is how this permission can be given securely without giving access to impersonate other users:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "sts:GetFederationToken",
"Resource": "arn:aws:sts::947247140022:federated-user/${aws:username}"
}
]
}
```
### `sts:AssumeRoleWithSAML`