How is Hologram server different from STS?

[grantr]

Hologram server and STS seem equivalent at first glance: http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html

What does Hologram server provide that STS doesn't? Why not use STS as the backend for Hologram agent?

[walterking]

Essentially hologram is a proxy to sts - the server uses sts api on the back. The main problem we were trying to solve is distributing aws keys - if the agent connects directly to sts, the agent then needs aws keys.

It also centralizes auth, so we can gate it with ldap, vpn etc. we intend to also restrict user access to roles - you could do this in iam but we also don't want to manage user specific accounts in iam

On Wednesday, April 1, 2015, Grant Rodgers notifications@github.com wrote:

Hologram server and STS seem equivalent at first glance: http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html

What does Hologram server provide that STS doesn't? Why not use STS as the backend for Hologram agent?

— Reply to this email directly or view it on GitHub https://github.com/AdRoll/hologram/issues/39.

[grantr]

Thanks for the info @walterking! The local metadata service would definitely make using AWS apis much easier.

if the agent connects directly to sts, the agent then needs aws keys.

STS supports auth methods that don't require AWS keys in advance. Check out http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html#saml-temp-creds. If your LDAP or VPN identity provider supports SAML, you can send a SAML assertion to STS in an unsigned request and get aws keys back.

[copumpkin]

@grantr ultimately even with SAML, you need some other server/entity making sure you're who you say you are and certifying that. The hologram server is conceptually just that, even if the mechanism is slightly different. The hologram agent is just emulating the EC2 instance credential mechanism on a user machine.