amazon web services - Is it secure to store on client's device AWS Temporary Credentials (STS)?
I wanted to ask if it is secure to store AWS temporary credentials (access key id, secret access key, session token) on a mobile device that calls an API? Many sources describe it as a necessary part of the authorization process. According to the AWS resources and images mentioned below:
I'm speaking of credentials that can be obtained by AssumeRoleWithWebIdentity or GetCredentialsForIdentity.
Isn't it more secure to use JWT tokens instead, to prevent hacking of the credentials and obtaining access to the resources secured by them?
The credentials from STS are no different (at a high level) from JWT tokens. Both are temporary, and if a 'hacker' were to obtain either type of credential, the result would be the same. The key benefit of using temporary credentials in general is that if/when they are compromised, they are valid for only a short amount of time (usually an hour).
Storing temporary credentials on a device is a separate topic, but JWT tokens are not different from STS session credentials.
I don't have links, but I'm sure there are public discussions and docs on storing session credentials in apps on devices.
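As an added illustration of the answer's point about short-lived credentials (not code from the original post): a small in-memory holder for the credential triple that tracks how long a stolen copy would stay valid and keeps the secrets out of log output. The response body is a constructed sample, and the class name, its methods and the 5-minute refresh margin are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of an AssumeRoleWithWebIdentity response.
# All values are made-up placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "Credentials": {
        "AccessKeyId": "ASIAEXAMPLEKEYID0000",
        "SecretAccessKey": "constructed-secret-value",
        "SessionToken": "constructed-session-token",
        "Expiration": "2024-01-01T13:00:00Z",
    }
})


class SessionCredentials:
    """Hypothetical holder: keeps temporary credentials in memory only."""

    def __init__(self, response_json, refresh_margin=timedelta(minutes=5)):
        creds = json.loads(response_json)["Credentials"]
        self._access_key_id = creds["AccessKeyId"]
        self._secret_access_key = creds["SecretAccessKey"]
        self._session_token = creds["SessionToken"]
        # Older Python versions reject a trailing "Z" in fromisoformat().
        expiry = creds["Expiration"].replace("Z", "+00:00")
        self.expiration = datetime.fromisoformat(expiry)
        self.refresh_margin = refresh_margin  # assumed value, tune per app

    def exposure_window(self, now):
        """How long a stolen copy would remain usable, measured from `now`."""
        return max(self.expiration - now, timedelta(0))

    def needs_refresh(self, now):
        """True once the remaining lifetime is within the refresh margin."""
        return self.exposure_window(now) <= self.refresh_margin

    def get(self, now):
        """Return (key id, secret key, session token), or raise if expired."""
        if now >= self.expiration:
            raise PermissionError("temporary credentials expired; re-authenticate")
        return self._access_key_id, self._secret_access_key, self._session_token

    def __repr__(self):
        # Keep the secret key and session token out of logs and crash reports.
        return (f"SessionCredentials(key=...{self._access_key_id[-4:]}, "
                f"expires={self.expiration.isoformat()})")
```

The service rejects expired credentials on its own; the local check only stops the app from holding or sending a stale set.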