Until now, your AWS credentials would have to be stored on the device. If your credentials are embedded in a mobile application there is no straightforward way to rotate them without updating every installed copy of the application. Alternatively, each installed copy of the application could require entry of an individual set of AWS credentials. This option would add some friction to the installation process.
The SDK now includes support for using temporary security credentials provided by the AWS Security Token Service. The SDK provides two sample applications that demonstrate how to connect to a token vending machine which serves as an interface to the AWS Security Token Service. See the Credential Management in Mobile Applications article for more details.
Applications that make use of the token vending machine can obtain AWS credentials on an as-needed basis. You can use the token vending machines that we supply, or you can implement your own.
Our token vending machines are distributed as WAR files that can be run with AWS Elastic Beanstalk, preferably using the credentials of an IAM (Identity and Access Management) user. We have provided two versions of each token vending machine, Anonymous and Identity.
Anonymous Token Vending Machine
The Anonymous token vending machine is designed to support registration at the device level. It supports two principal functions - registerdevice and gettoken. Here is the basic request and response flow:
Identity Token Vending Machine
The Identity token vending machine is designed to support registration and login at the user level. It supports three principal functions: registeruser, login, and gettoken. Here's the basic request and response flow:
If you have used one of our SDKs to build a mobile application, I'd enjoy hearing about it. Please feel free to post a comment or to send me some email (firstname.lastname@example.org).