# Security Token Service (STS)

* STS is a web service that enables you to **request temporary, limited-privilege credentials for IAM users** or for users that you authenticate (federated users).
* **By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours**.
  * But you can **request a duration as short as 15 minutes or as long as 36 hours** using the DurationSeconds parameter.

## AssumeRole <a href="#api_assumerole" id="api_assumerole"></a>

* Returns a **set of temporary security credentials that you can use to access AWS resources that you might not normally have access to**.
* Typically, you use `AssumeRole` within **your account or for cross-account access**.

## AssumeRoleWithSAML <a href="#api_assumerolewithsaml" id="api_assumerolewithsaml"></a>

* Returns a **set of temporary security credentials for users who have been authenticated via a SAML authentication response**.
* This operation **provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials** or configuration.

## AssumeRoleWithWebIdentity <a href="#api_assumerolewithwebidentity" id="api_assumerolewithwebidentity"></a>

* Returns a **set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider**.
  * Example providers include **Cognito**, Login with **Amazon**, **Facebook**, **Google**, or **any OpenID Connect-compatible identity provider**.
* For mobile applications, **AWS recommends that you use Amazon Cognito**.

## GetSessionToken <a href="#api_getsessiontoken" id="api_getsessiontoken"></a>

* Returns a set of temporary credentials for an AWS account or IAM user. It is intended for users who want to **use MFA to protect programmatic calls to specific AWS API operations**.
* MFA-enabled IAM users would need to **call `GetSessionToken` and submit an MFA code** that is associated with their MFA device.
* Using the **temporary security credentials that are returned from the call**, IAM users can then make programmatic calls to API operations that require MFA authentication.
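
As an added example (not part of the original notes), the Python sketch below triages CloudTrail-style records of the four STS operations described above and flags cross-account `AssumeRole` calls from accounts outside an allowlist. The sample events, account IDs, role names and the `TRUSTED_ACCOUNTS` allowlist are constructed assumptions.

```python
import json

# Constructed CloudTrail-style records; account IDs, names and ARNs are made up.
SAMPLE_EVENTS = json.loads("""[
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",
  "userIdentity":{"accountId":"111111111111","arn":"arn:aws:iam::111111111111:user/alice"},
  "requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/app-deploy"}},
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRole",
  "userIdentity":{"accountId":"999999999999","arn":"arn:aws:iam::999999999999:user/vendor"},
  "requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/audit"}},
 {"eventSource":"sts.amazonaws.com","eventName":"AssumeRoleWithWebIdentity",
  "userIdentity":{"type":"WebIdentityUser"},
  "requestParameters":{"roleArn":"arn:aws:iam::111111111111:role/mobile-app"}},
 {"eventSource":"sts.amazonaws.com","eventName":"GetSessionToken",
  "userIdentity":{"accountId":"111111111111","arn":"arn:aws:iam::111111111111:user/bob"},
  "requestParameters":{"durationSeconds":3600}},
 {"eventSource":"s3.amazonaws.com","eventName":"GetObject","userIdentity":{}}
]""")

TRUSTED_ACCOUNTS = {"111111111111", "222222222222"}  # assumed allowlist
FEDERATED = {"AssumeRoleWithSAML", "AssumeRoleWithWebIdentity"}

def role_account(role_arn):
    """Account ID from arn:aws:iam::<account-id>:role/<name>, else None."""
    parts = (role_arn or "").split(":")
    return parts[4] if len(parts) >= 6 and parts[2] == "iam" and parts[4] else None

def classify(event):
    """Label one STS event; return None for anything that is not an STS call."""
    if event.get("eventSource") != "sts.amazonaws.com":
        return None
    name = event.get("eventName")
    caller = (event.get("userIdentity") or {}).get("accountId")
    target = role_account((event.get("requestParameters") or {}).get("roleArn"))
    if name == "GetSessionToken":
        kind = "session-token"
    elif name in FEDERATED:
        kind = "federated"
    elif name == "AssumeRole":
        kind = "cross-account" if caller and target and caller != target else "same-account"
    else:
        return None
    # Only cross-account calls are checked against the allowlist.
    review = kind == "cross-account" and caller not in TRUSTED_ACCOUNTS
    return {"api": name, "kind": kind, "role_account": target, "needs_review": review}

def triage(events):
    return [r for r in map(classify, events) if r is not None]

if __name__ == "__main__":
    for row in triage(SAMPLE_EVENTS):
        print(row)
```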

