Use AWS STS to Get Temporary Credentials for KVS WebRTC
In modern web apps, hardcoding long-term AWS credentials is risky, especially for real-time services like Kinesis Video Streams (KVS) WebRTC. The safe way is to use temporary credentials generated by AWS Security Token Service (STS). This guide explains how it works and how to securely connect to AWS KVS.
What is AWS STS?
AWS STS issues temporary security credentials so your app can access AWS resources without storing long-term keys.
| Feature | Description |
|---|---|
| Duration | Short-lived, from a few minutes up to a few hours |
| Based on | An existing identity (IAM user, IAM role, SAML, OIDC, etc.) |
| Use Case | Temporary access for mobile/web apps, third-party access, or high-security scenarios |
Tip: Using temporary credentials reduces the impact of a leaked key and helps your app adhere to the principle of least privilege.
How Authentication Works
Here’s the typical flow for getting temporary credentials for KVS:
- User Login: The user opens your web app and logs in.
- JWT Token: After login, the web app receives a JWT from the Cognito User Pool.
- Identity Exchange: The app sends the JWT to the Cognito Identity Pool, which internally calls STS AssumeRoleWithWebIdentity.
- Temporary Credentials: STS returns three values: AccessKeyId, SecretAccessKey, and SessionToken.
- KVS Access: The web app uses these credentials to call Kinesis Video Streams WebRTC APIs.
Sequence: Get Credentials and Connect
Here’s the step-by-step sequence of communication:
| Step | Who | Action | Recipient | Note |
|---|---|---|---|---|
| 1 | User | Start LIVE request | Web backend | Initiates streaming |
| 2 | Web | Request Credential | AWS Cognito | Starts auth and token exchange |
| 3 | AWS Cognito | Request temp credentials | AWS STS | STS generates short-lived credentials |
| 4 | Web | Return STS credentials | User frontend | Frontend receives temporary keys |
| 5 | User | Connect WebRTC using STS | AWS KVS | Secure connection established |
| 6 | Connection | Connected | .. | Temporary, secure streaming active |
Handling Expired Credentials
- STS credentials are short-lived (default: 1 hour).
- Once they expire, any further KVS WebRTC API call fails and the web app cannot continue streaming.
Make sure your app refreshes credentials automatically before they expire, not only after a call has already failed.
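As an added example (not code from the original article), here is the refresh logic for the step above in browser-style JavaScript: a small cache that hands out the current temporary credentials and re-runs the Identity Pool exchange a few minutes before the Expiration returned by STS. The `fetchCredentials` function and `makeFakeIdentityPoolExchange` are assumed stand-ins; in a real app the exchange would be performed by the AWS SDK's Cognito Identity credential provider, and the values below are constructed, not real keys.

```javascript
// Refresh this many milliseconds before the STS Expiration timestamp, so a
// long WebRTC session never makes a call with credentials that just expired.
const REFRESH_MARGIN_MS = 5 * 60 * 1000;

class StsCredentialCache {
  // fetchCredentials: assumed async function doing the Cognito Identity Pool
  // exchange, resolving to { AccessKeyId, SecretAccessKey, SessionToken, Expiration }.
  // now: injectable clock (defaults to Date.now) so expiry can be tested offline.
  constructor(fetchCredentials, now = () => Date.now()) {
    this.fetchCredentials = fetchCredentials;
    this.now = now;
    this.cached = null;   // last credentials returned by STS
    this.inflight = null; // pending exchange, shared by concurrent callers
  }

  // True when nothing is cached or the cached set is inside the refresh margin.
  needsRefresh() {
    if (!this.cached) return true;
    return this.cached.Expiration.getTime() - this.now() <= REFRESH_MARGIN_MS;
  }

  // Returns credentials for the next KVS WebRTC call, refreshing when needed.
  // Concurrent callers during a refresh all wait on the same single exchange.
  async get() {
    if (!this.needsRefresh()) return this.cached;
    if (!this.inflight) {
      this.inflight = this.fetchCredentials()
        .then((creds) => {
          // STS returns Expiration as a timestamp; normalise to a Date.
          if (!(creds.Expiration instanceof Date)) creds.Expiration = new Date(creds.Expiration);
          this.cached = creds;
          return creds;
        })
        .finally(() => { this.inflight = null; });
    }
    return this.inflight;
  }
}

// Constructed stand-in for the Identity Pool exchange (hypothetical helper):
// returns obviously fake values with the 1-hour lifetime STS uses by default.
function makeFakeIdentityPoolExchange(now) {
  let calls = 0;
  const fetcher = async () => {
    calls += 1;
    return {
      AccessKeyId: `ASIAEXAMPLE${calls}`,
      SecretAccessKey: 'constructed-example-secret',
      SessionToken: `constructed-session-token-${calls}`,
      Expiration: new Date(now() + 60 * 60 * 1000),
    };
  };
  fetcher.callCount = () => calls;
  return fetcher;
}
```

Wire `cache.get()` in front of every signaling-channel or ICE-server call so the fresh SessionToken is always used; the `needsRefresh()` check is what keeps a multi-hour stream alive.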
Quick Checklist
- ✅ Get JWT token after user login
- ✅ Exchange JWT with Cognito Identity Pool → STS generates temporary credentials
- ✅ Use credentials to connect WebRTC → Secure, temporary connection to KVS
- ✅ Monitor expiration → Refresh credentials before they expire
Why This Matters
Using Cognito + STS is the secure, recommended approach:
- No long-term keys in the app
- Access follows least privilege principle
- Seamless, secure real-time streaming
It works for Vue, React, or any web client that needs temporary access to AWS KVS WebRTC.
Conclusion
By leveraging AWS STS with Cognito, your web app can securely access Kinesis Video Streams without hardcoding credentials. Following this flow:
- User logs in → JWT obtained
- JWT exchanged → Temporary credentials generated
- Connect using temporary credentials → Secure streaming