Security Token Service (STS)

  • Issues temporary, limited-privilege credentials for AWS resources. A session lasts from 15 minutes up to a configured maximum: the default is 1 hour, AssumeRole can go up to the role's maximum session duration (at most 12 hours), and GetSessionToken up to 36 hours for an IAM user.

API Details

  • AssumeRole: assume a role in your own account or in another account. The caller already holds AWS credentials (IAM user, role, or federated identity) and the role's trust policy must allow that principal.

  • AssumeRoleWithSAML: returns credentials for a user authenticated by a SAML 2.0 identity provider. It is called without AWS credentials; the signed SAML assertion is the proof of identity.

  • AssumeRoleWithWebIdentity: returns credentials for a user authenticated by a web identity provider (Login with Amazon, Facebook, Google, or any OIDC-compatible IdP), also called without AWS credentials. For mobile and web apps AWS recommends Amazon Cognito, which calls this API on the app's behalf.

  • GetSessionToken: returns temporary credentials for an IAM user or the root user, typically to obtain an MFA-authenticated session. A root session is capped at 1 hour, and the returned credentials cannot call IAM APIs unless the request included MFA.

  • GetFederationToken: returns temporary credentials for a federated user. It must be called with long-term IAM user credentials, and the effective permissions are the intersection of the caller's permissions and the session policy passed in the request.

  • GetCallerIdentity: returns the account ID, user ID, and ARN behind the credentials used for the call. It needs no permissions and cannot be denied by policy, so it is the first call to make with an unknown key.

  • DecodeAuthorizationMessage: decodes the encoded authorization failure message that some APIs return on AccessDenied, showing which policy statement denied the call. The caller needs sts:DecodeAuthorizationMessage.

STS and AssumeRole

  1. Same account

  • Define an IAM role within your account.

  • In the role's trust policy, define which principal (user, role, or service) may assume it; the caller also needs sts:AssumeRole on the role's ARN in its own identity policy.

  • Call the AssumeRole API to retrieve temporary credentials for the role you are allowed to assume.

  • Temporary credentials are valid from 15 minutes up to the role's maximum session duration (default 1 hour, configurable up to 12 hours). A session obtained by role chaining (calling AssumeRole with another role's temporary credentials) is capped at 1 hour.

  2. Cross account

  • Define an IAM role in the target account.

  • Grant permission on both sides: the role's trust policy in the target account must allow the source account (or a specific principal in it), and the calling identity in the source account must be allowed sts:AssumeRole on that role's ARN. For a cross-account call both grants are needed.

  • Call AssumeRole with the role's ARN and use the returned credentials against the target account.

STS with MFA

  • Call GetSessionToken with the MFA device's serial number (or ARN) and the current one-time code; the returned session is marked as MFA-authenticated.

  • Attach an IAM policy whose sensitive statements carry an MFA condition, so only such sessions pass.

    • In an Allow statement use "Bool": {"aws:MultiFactorAuthPresent": "true"}. The key is absent entirely for long-term credentials, so a Deny that should catch non-MFA callers must use "BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}.

  • GetSessionToken returns

    • AccessKeyId

    • SecretAccessKey

    • SessionToken

    • Expiration
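The two procedures above combined, as an added example that is not part of the original notes: a user gets an MFA session with GetSessionToken, then uses it to assume a role in another account whose trust policy carries the aws:MultiFactorAuthPresent condition. The policy documents are the real JSON shapes; the STS client is a constructed in-memory stand-in (FakeSTS) so the flow runs offline, with boto3_factory showing the equivalent real boto3 calls. Account IDs, the role name, the MFA device ARN and the one-time code are made-up placeholders.

```python
"""Cross-account AssumeRole gated by MFA: GetSessionToken -> AssumeRole.

Added example, not from the original notes. Standard library only; FakeSTS
stands in for boto3's STS client. Account IDs, role, MFA ARN and OTP are
placeholders (assumptions), not real identifiers.
"""
from datetime import datetime, timedelta, timezone

SOURCE_ACCOUNT = "111111111111"   # assumption: account holding the IAM user
TARGET_ACCOUNT = "222222222222"   # assumption: account that owns the role
ROLE_ARN = f"arn:aws:iam::{TARGET_ACCOUNT}:role/CrossAccountAudit"   # assumption
MFA_SERIAL = f"arn:aws:iam::{SOURCE_ACCOUNT}:mfa/alice"              # assumption
VALID_CODE = "123456"             # assumption: the code the fake device accepts


def trust_policy(source_account: str, require_mfa: bool = True) -> dict:
    """Trust policy on the role in the TARGET account. Principal is the whole
    source account; the Bool condition rejects sessions without MFA."""
    stmt = {"Effect": "Allow",
            "Principal": {"AWS": f"arn:aws:iam::{source_account}:root"},
            "Action": "sts:AssumeRole"}
    if require_mfa:
        stmt["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [stmt]}


def caller_policy(role_arn: str) -> dict:
    """Identity policy on the user in the SOURCE account: sts:AssumeRole on
    exactly this role ARN, no wildcard."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                           "Resource": role_arn}]}


def cross_account_session(client_factory, mfa_serial, token_code, role_arn,
                          session_name, duration=3600):
    """Step 1: GetSessionToken with the MFA device, using long-term keys.
    Step 2: AssumeRole with that MFA session so the trust condition holds.
    client_factory(None) -> client on long-term keys; client_factory(creds)
    -> client on temporary credentials."""
    session = client_factory(None).get_session_token(
        SerialNumber=mfa_serial, TokenCode=token_code,
        DurationSeconds=duration)["Credentials"]
    return client_factory(session).assume_role(
        RoleArn=role_arn, RoleSessionName=session_name,
        DurationSeconds=duration)["Credentials"]


def boto3_factory(creds):
    """Real AWS: same calls via boto3 (import deferred; not needed offline)."""
    import boto3
    if creds is None:
        return boto3.client("sts")
    return boto3.client("sts", aws_access_key_id=creds["AccessKeyId"],
                        aws_secret_access_key=creds["SecretAccessKey"],
                        aws_session_token=creds["SessionToken"])


class FakeSTS:
    """Constructed stand-in for the STS client. Models only the two checks this
    page is about: the OTP on GetSessionToken, and the MFA condition in the
    role's trust policy on AssumeRole. Duration limits match the real API."""

    def __init__(self, trust, mfa_present=False):
        self.trust, self.mfa_present = trust, mfa_present

    @staticmethod
    def _creds(tag, seconds):
        exp = datetime.now(timezone.utc) + timedelta(seconds=seconds)
        return {"AccessKeyId": "ASIA" + tag, "SecretAccessKey": "fake-secret",
                "SessionToken": tag, "Expiration": exp}

    def get_session_token(self, SerialNumber, TokenCode, DurationSeconds=43200):
        if not 900 <= DurationSeconds <= 129600:
            raise ValueError("GetSessionToken DurationSeconds must be 900..129600")
        if TokenCode != VALID_CODE:
            raise PermissionError("AccessDenied: MultiFactorAuthentication failed")
        return {"Credentials": self._creds("MFA-SESSION", DurationSeconds)}

    def assume_role(self, RoleArn, RoleSessionName, DurationSeconds=3600):
        if not 900 <= DurationSeconds <= 43200:
            raise ValueError("AssumeRole DurationSeconds must be 900..43200")
        cond = self.trust["Statement"][0].get("Condition", {})
        needs_mfa = cond.get("Bool", {}).get("aws:MultiFactorAuthPresent") == "true"
        if needs_mfa and not self.mfa_present:
            raise PermissionError(f"AccessDenied: sts:AssumeRole on {RoleArn}")
        return {"Credentials": self._creds("ROLE-" + RoleSessionName, DurationSeconds)}


def fake_factory(creds):
    """Offline mirror of boto3_factory: credentials minted by get_session_token
    carry the MFA flag into the next client, as a real MFA session would."""
    mfa = creds is not None and creds["SessionToken"] == "MFA-SESSION"
    return FakeSTS(trust_policy(SOURCE_ACCOUNT), mfa_present=mfa)


if __name__ == "__main__":
    creds = cross_account_session(fake_factory, MFA_SERIAL, VALID_CODE,
                                  ROLE_ARN, "alice-audit")
    print("assumed role, key", creds["AccessKeyId"], "expires", creds["Expiration"])
    try:  # skipping GetSessionToken: the trust policy's MFA condition denies
        fake_factory(None).assume_role(RoleArn=ROLE_ARN, RoleSessionName="no-mfa")
    except PermissionError as e:
        print("denied without MFA:", e)
```

Swap fake_factory for boto3_factory to run it against AWS; the caller_policy document goes on the user in the source account and trust_policy on the role in the target account, and the Deny-side caveat about BoolIfExists still applies to any additional deny statements you add.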
