{"id":18654422,"url":"https://github.com/steelcityamir/sts-proxy","last_synced_at":"2026-05-01T19:31:24.600Z","repository":{"id":218149955,"uuid":"745666243","full_name":"steelcityamir/sts-proxy","owner":"steelcityamir","description":"STS Authentication Proxy for AWS","archived":false,"fork":false,"pushed_at":"2024-04-22T15:46:11.000Z","size":127,"stargazers_count":1,"open_issues_count":0,"forks_count":0,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-05-17T23:38:40.664Z","etag":null,"topics":["access-control","authentication","authorization","aws","aws-sts","cloud-security","iam","java","proxy","security","sts","token-generator","token-service"],"latest_commit_sha":null,"homepage":"","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/steelcityamir.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null}},"created_at":"2024-01-19T20:38:37.000Z","updated_at":"2025-01-25T17:17:34.000Z","dependencies_parsed_at":"2024-01-20T04:26:06.477Z","dependency_job_id":"cbcae1a2-5dfe-4ec4-a28b-fb75f913e07f","html_url":"https://github.com/steelcityamir/sts-proxy","commit_stats":null,"previous_names":["codebyamir/aws-auth-gw","codebyamir/aws-sts-proxy","steelcityamir/sts-proxy"],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/steelcityamir/sts-proxy","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steelcityamir%2Fsts-proxy","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steelcityamir%2Fsts-proxy/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steelcityamir%2Fsts-proxy/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steelcityamir%2Fsts-proxy/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/steelcityamir","download_url":"https://codeload.github.com/steelcityamir/sts-proxy/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/steelcityamir%2Fsts-proxy/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":32510588,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-30T13:12:12.517Z","status":"online","status_checked_at":"2026-05-01T02:00:05.856Z","response_time":64,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["access-control","authentication","authorization","aws","aws-sts","cloud-security","iam","java","proxy","security","sts","token-generator","token-service"],"created_at":"2024-11-07T07:15:19.797Z","updated_at":"2026-05-01T19:31:24.579Z","avatar_url":"https://github.com/steelcityamir.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cdiv align=\"center\"\u003e\n\u003cimg height=\"60\" src=\"https://github.com/steelcityamir/sts-proxy/assets/54147931/938fd461-02bc-487e-bb03-e1b4c2ed4bb1\"\u003e\n\u003ch1 align=\"center\"\u003eSTSproxy\u003c/h1\u003e\n\u003c/div\u003e\n\nSTSproxy is an AWS STS (Security Token Service) Authentication Proxy, providing a simple and secure way for you to provision temporary, limited-privilege AWS credentials for third-parties who need access to your AWS resource(s).\n\n\u003cbr /\u003e\n \n## 🌟 Use Case\nIdeal for scenarios where a third-party vendor without an AWS account needs access to your AWS resources, ensuring secure and controlled access.\n![Flow Diagram](https://github.com/steelcityamir/sts-proxy/assets/54147931/a37cf74d-a9bd-4907-8e63-e5a9fbd86b20)\n\n\n\n## 📋 What You Need to Get Started\n- AWS account\n- An IAM user with `sts:AssumeRole` permissions.\n- An IAM role with the necessary permissions for the resources you want to grant access to (e.g. read-only access to an S3 bucket).\n\n\u003cbr /\u003e\n\n\u003c!---\n##  🐳 Running with Docker \n#### Create .env file\n```\nROLE_ARN=\u003cIAM role arn\u003e # arn:aws:iam::123456789012:role/S3Access\nAWS_ACCESS_KEY_ID=\u003caccess key id of user who has sts:AssumeRole permission\u003e\nAWS_SECRET_ACCESS_KEY=\u003csecret access key of user who has sts:AssumeRole permission\u003e\n```\n\n\u003e [!NOTE]\n\u003e The `AWS_` prefixed variables are not needed if running on an EC2 instance with the required IAM role.\n\n#### Run the Docker container\n```bash\ndocker run -d -p 8080:8080 --env-file .env --name sts-proxy codebyamir/sts-proxy\n```\n\n\n#### Test the API\nUse Swagger UI to test the API at http://localhost:8080/swagger-ui/index.html.\n\n \u003cbr /\u003e\n---\u003e\n\n## 🛠️ Building the App from Source\n\n#### Pre-requisites\n- Java JDK 21\n  \n#### Clone the repository\n```bash\ngit clone https://github.com/steelcityamir/sts-proxy.git\ncd sts-proxy\n```\n\n#### Set environment variables\n```bash\nexport ROLE_ARN=\u003cIAM role arn\u003e # arn:aws:iam::123456789012:role/S3Access\nexport AWS_ACCESS_KEY_ID=\u003caccess key id of user who has sts:AssumeRole permission\u003e\nexport AWS_SECRET_ACCESS_KEY=\u003csecret access key of user who has sts:AssumeRole permission\u003e\n```\n\n\u003e [!NOTE]\n\u003e The `AWS_` prefixed variables are not needed if running on an EC2 instance with the required IAM role.\n\n\n#### Run the application\n```bash\n./gradlew bootRun\n```\n\n#### Test the API\nUse Swagger UI to test the API at http://localhost:8080/swagger-ui/index.html.\n\n\u003cbr /\u003e\n\n## 🚀 API usage\n\n### POST /auth\n\n#### Request body\n\n```json\n{\n  \"username\": \"vendor\", \n  \"password\": \"password\"\n}\n```\n\n### Responses\n\n``200 OK``\n```json\n{\n  \"accessKeyId\": \"ASIA...\",\n  \"secretAccessKey\": \"+kd...\",\n  \"sessionToken\": \"IQo...\",\n  \"expiresOn\": \"2024-01-20T02:28:37Z\"\n}\n```\n\n``400 Bad Request``\n- The request body was invalid or malformed.\n\n``401 Unauthorized``\n- The credentials were incorrect.\n\n``503 Service Unavailable``\n- Authentication was successful but the AWS client encountered an error.\n\n\u003cbr /\u003e\n\n## ⚙️ Configuration\n\nThe `application.properties` file contains several configuration options to tailor the behavior of the application. \n\nThese can be overridden using environment variables.\n\n### AWS Role ARN\nThis is the Amazon Resource Name (ARN) of the role that the application will assume when interacting with AWS Security Token Service (STS).\n\n- Environment variable: `ROLE_ARN`\n- Application property: `aws.role.arn=${ROLE_ARN}`\n\n\u003e [!NOTE]\n\u003e Example ARN would be `arn:aws:iam::123456789012:role/S3Access`\n\n### Session Lifetime\n\nSpecifies the duration, in seconds, for which the credentials should remain valid.  The default and minimum value is 900 seconds (15 minutes).   The maximum value is 43200 seconds (12 hours).\n\n- Environment variable: `ROLE_SESSION_DURATION_SECONDS`\n- Configuration property: `aws.role.session.duration.seconds=${ROLE_SESSION_DURATION_SECONDS:900}`\n\n\u003e [!TIP]\n\u003e The session duration should be long enough to perform the necessary tasks but short enough to maintain security.\n\n### Proxy Username\nThis is the username for proxy authentication. Default value is `vendor`.\n\n- Environment variable: `VENDOR_USERNAME`\n- Application property: `vendor.username=${VENDOR_USERNAME:vendor}`\n\n\n### Proxy Password\n\nThe bcrypt hash of the password used for proxy authentication. The default value hash corresponds to the password `password`.\n\n- Environment variable: `VENDOR_PASSWORD`\n- Application property: `vendor.password=${VENDOR_PASSWORD:{bcrypt}$2a$10$dXJ3SW6G7P50lGmMkkmwe.20cQQubK3.HZWzG3YB1tlRy.fqvM/BG}`\n\n\n\u003e [!TIP]\n\u003e It is highly recommended to change the default password. Use a bcrypt generator to create a new hash using 10 rounds.\n\n\u003cbr /\u003e\n\n## 🔒 Security Considerations for Production\n\n### Use a TLS/SSL Certificate\nAlways use HTTPS with TLS/SSL certificates to secure data in transit. This protects sensitive data, such as authentication credentials and session tokens, from being intercepted.\n\n### Secure Application Properties\nAvoid storing sensitive information directly in `application.properties`.\n\n### Role and Access Management\nApply the principle of least privilege for the AWS IAM roles. Ensure that the IAM role assumed by your application has only the necessary permissions and nothing more.\n\n### Use Strong Complex Password for API Access\nEnforce the following guidelines for the password:\n- Minimum Length: Password should be at least 12 characters long.\n- Complexity Requirements: Include a mix of uppercase and lowercase letters, numbers, and symbols.\n- No Predictable Patterns: Avoid sequential characters (e.g., 1234, abcd) and repeated characters (e.g., aaaa, 1111).\n\n### IP Whitelisting\nRestrict access to authorized IP addresses for an additional layer of security.\n\n\u003cbr /\u003e\n\n## 📄 License\nThis project is licensed under the MIT License - see the LICENSE file for details.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteelcityamir%2Fsts-proxy","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fsteelcityamir%2Fsts-proxy","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fsteelcityamir%2Fsts-proxy/lists"}