AWS S3 Read-Only Access via Identity Federation

The cloud session would last only an hour, and the clock had already started. You needed read-only access to Amazon S3 for a federated identity, and there was no margin for error.

Identity federation with AWS lets you grant temporary credentials to users from an external identity provider without creating IAM users. For S3, this is often paired with strict read-only roles to limit risk while still enabling data access.

To build a secure, compliant setup, integrate your IdP with AWS Security Token Service (STS) through SAML 2.0 or OpenID Connect (OIDC). Once the IdP has authenticated the user, a call to AssumeRoleWithSAML or AssumeRoleWithWebIdentity returns temporary security credentials (access key ID, secret access key and session token) bound to an IAM role. Scope that role's permissions policy to the exact buckets and prefixes your use case requires: no "*" resources and no wildcarded actions such as s3:* or s3:Get*. Grant s3:GetObject on the object ARN (the bucket ARN plus a /prefix/* suffix is the one wildcard you need) and, only if listing is needed, s3:ListBucket on the bucket ARN itself. Grant no write or delete actions at all; anything not allowed is denied by default, although an explicit Deny on s3:Put* and s3:Delete* is a cheap guard against a later edit widening the role.

Example IAM policy for a read-only S3 role:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AllowListBucket",
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::my-bucket"]
    },
    {
      "Sid": "AllowGetObjects",
      "Effect": "Allow",
      "Action": ["s3:GetObject"],
      "Resource": ["arn:aws:s3:::my-bucket/*"]
    }
  ]
}
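As an added example (not code from the original post or from hoop.dev), here is a small linter that checks a policy document against the rules just stated: read actions only, no wildcard actions, no "*" or wildcard-bucket resources, and bucket-level versus object-level ARNs paired with the right actions. The first policy is the one above as a Python dict; the second is a constructed "read-only" policy of the kind that turns up in real accounts, included for contrast. Everything is inline, so the script runs offline with no AWS calls.

```python
"""Added example: lint an IAM permissions policy for the read-only S3 shape
described in the text.  Pure Python, no AWS calls; sample policies inline."""

S3_ARN_PREFIX = "arn:aws:s3:::"
READ_ONLY_ACTION_PREFIXES = ("s3:Get", "s3:List")


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _split_s3_arn(arn):
    """Return (bucket, key_pattern) for an S3 ARN; key_pattern is None for a bucket ARN."""
    if not arn.startswith(S3_ARN_PREFIX):
        return None, None
    bucket, sep, key = arn[len(S3_ARN_PREFIX):].partition("/")
    return bucket, (key if sep else None)


def lint_readonly_policy(policy):
    """Return a list of findings; an empty list means the policy has the read-only shape."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        sid = stmt.get("Sid", "<no Sid>")
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: NotAction/NotResource grants by exclusion; list what is allowed explicitly")
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))

        for action in actions:
            if "*" in action or "?" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif not action.startswith(READ_ONLY_ACTION_PREFIXES):
                findings.append(f"{sid}: {action!r} is not a read action")

        for resource in resources:
            bucket, key = _split_s3_arn(resource)
            if not bucket:
                findings.append(f"{sid}: resource {resource!r} is not a specific S3 ARN")
                continue
            if "*" in bucket or "?" in bucket:
                findings.append(f"{sid}: resource {resource!r} wildcards the bucket name")
                continue
            # Object actions match only object ARNs and ListBucket only the bucket ARN;
            # the mismatched pairing is a silent no-op that people then "fix" with a wildcard.
            if key is None and any(a.startswith("s3:GetObject") for a in actions):
                findings.append(f"{sid}: s3:GetObject* on bucket ARN {resource} never matches; use {resource}/<prefix>*")
            if key is not None and "s3:ListBucket" in actions:
                findings.append(f"{sid}: s3:ListBucket on object ARN {resource} never matches; use the bucket ARN")
    return findings


# The policy from the text, as a Python dict.
PAGE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowListBucket", "Effect": "Allow", "Action": ["s3:ListBucket"],
         "Resource": ["arn:aws:s3:::my-bucket"]},
        {"Sid": "AllowGetObjects", "Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": ["arn:aws:s3:::my-bucket/*"]},
    ],
}

# Constructed for contrast: looks read-only at a glance, is not.
SLOPPY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadEverything", "Effect": "Allow",
         "Action": ["s3:Get*", "s3:ListBucket", "s3:PutObjectAcl"], "Resource": "*"},
        {"Sid": "ObjectsOnBucketArn", "Effect": "Allow", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::my-bucket"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("page policy", PAGE_POLICY), ("sloppy policy", SLOPPY_POLICY)):
        findings = lint_readonly_policy(policy)
        print(f"{name}: {'OK' if not findings else 'FAIL'}")
        for finding in findings:
            print("  -", finding)
```

Run it as a pre-commit or CI check on the role's policy files; the page policy passes cleanly, the sloppy one produces four findings (a wildcard action, a non-read action, a "*" resource and a GetObject granted on a bucket ARN).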

Attach this policy to an IAM role whose trust policy names the IdP as the Federated principal. For SAML, create the SAML provider in IAM from the IdP's metadata, allow sts:AssumeRoleWithSAML for that provider ARN in the trust policy, and configure the IdP's AWS integration to emit the role ARN and provider ARN pair for each user, so the IdP rather than the user decides which role is offered. For OIDC, register the provider in IAM with its issuer URL and client ID, then allow sts:AssumeRoleWithWebIdentity for the provider ARN and condition on the token's aud and sub claims so only tokens issued to your client for your users qualify.

Keep sessions short. The role's maximum session duration caps them; the credentials last one hour unless the IdP's SessionDuration attribute (SAML) or the DurationSeconds parameter (OIDC) asks for more, up to that cap. Add trust-policy conditions for tighter control: aws:SourceIp to pin the network the assume-role call may come from, the audience check (SAML:aud for SAML, <provider>:aud for OIDC) so assertions minted for other integrations are rejected, and aws:RequestTag/<key> to require session tags the IdP passes (the trust policy must then also allow sts:TagSession). MFA for federated users is enforced at the IdP rather than by the trust policy, so require it in the IdP's access rules and, with OIDC, condition on an MFA claim if the provider includes one in the token.

Test by initiating a federated login from your IdP, assuming the role, and verifying S3 access through the AWS CLI. Check both directions: the listing below should succeed, and an upload or delete with the same profile should be refused with AccessDenied, because a test that only exercises the happy path will not catch an over-broad policy:

aws s3 ls s3://my-bucket --profile federated-readonly

Identity federation with AWS S3 read-only roles reduces administrative overhead, eliminates static long-term keys, and enforces least-privilege principles. Done right, it gives external or temporary users the access they need—nothing more.

See a working example live in minutes at hoop.dev and streamline your identity federation workflows without compromise.
