Security Token Service (STS)

  • STS is a web service that enables you to request temporary, limited-privilege credentials for IAM users or for users that you authenticate (federated users).

  • By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours.

    • But you can request a duration as short as 15 minutes or as long as 36 hours using the DurationSeconds parameter.

AssumeRole

  • Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to.

  • Typically, you use AssumeRole within your account or for cross-account access.

AssumeRoleWithSAML

  • Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response.

  • This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration.

AssumeRoleWithWebIdentity

  • Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider.

    • Example providers include Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

  • For mobile applications, AWS recommends that you use Amazon Cognito.

GetSessionToken

  • Returns a set of temporary credentials for an AWS account or IAM user. It is typically used by users who want to use MFA to protect programmatic calls to specific AWS API operations.

  • MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device.

  • Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication.
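The MFA flow described above, as an added example that is not part of the original notes: it builds a GetSessionToken request (checking the DurationSeconds range and the MFA code before any network call), then turns the returned credentials into a boto3 session. It assumes boto3 is installed and the IAM user's long-term keys are configured; the MFA device ARN is a constructed placeholder.

```python
"""Added example: MFA-protected GetSessionToken with STS (not from the original notes)."""

MIN_DURATION = 15 * 60            # 15 minutes, the shortest duration allowed
MAX_DURATION = 36 * 60 * 60       # 36 hours, the longest for an IAM user's session token
DEFAULT_DURATION = 12 * 60 * 60   # 12 hours, the default the notes state


def duration_is_valid(duration_seconds: int) -> bool:
    """True when the requested DurationSeconds lies within the STS limits."""
    return MIN_DURATION <= duration_seconds <= MAX_DURATION


def build_session_token_request(serial_number: str, token_code: str,
                                duration_seconds: int = DEFAULT_DURATION) -> dict:
    """Return the keyword arguments for sts.get_session_token().

    Validates the duration and the shape of the MFA code locally so that a
    bad request never reaches STS (each rejected call still shows up in CloudTrail).
    """
    if not duration_is_valid(duration_seconds):
        raise ValueError(
            f"DurationSeconds must be between {MIN_DURATION} and {MAX_DURATION}")
    if not (token_code.isdigit() and len(token_code) == 6):
        raise ValueError("MFA TokenCode must be a six-digit string")
    return {"DurationSeconds": duration_seconds,
            "SerialNumber": serial_number,   # ARN of the user's virtual or hardware MFA device
            "TokenCode": token_code}


def credentials_from_response(response: dict) -> dict:
    """Map the STS Credentials block to the keyword names boto3.Session() expects.

    All three values are required: a temporary access key without its
    session token is rejected by every AWS service.
    """
    creds = response["Credentials"]
    return {"aws_access_key_id": creds["AccessKeyId"],
            "aws_secret_access_key": creds["SecretAccessKey"],
            "aws_session_token": creds["SessionToken"]}


if __name__ == "__main__":
    import boto3  # imported here so the helpers above stay usable offline
    sts = boto3.client("sts")  # signed with the user's long-term keys
    request = build_session_token_request(
        "arn:aws:iam::123456789012:mfa/example-user",  # placeholder device ARN
        input("MFA code: "))
    response = sts.get_session_token(**request)
    # Calls made through this session satisfy aws:MultiFactorAuthPresent conditions.
    session = boto3.Session(**credentials_from_response(response))
    print(session.client("sts").get_caller_identity()["Arn"])
```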
