Using Temporary Security Credentials
AWS STS (API Version 2011-06-15)

Creating Temporary Security Credentials

This topic describes using the AWS Security Token Service (STS) API to create temporary security credentials. For information about using one of the supported SDKs to create temporary security credentials, see Ways to Access the AWS Security Token Service.

The method you use to create the temporary security credentials depends on how you use them.

  • To create temporary security credentials for their own use, IAM users call the AWS STS GetSessionToken API action. Users do not need explicit permission to use GetSessionToken; it is available to all IAM users.

  • To enable your users to create temporary security credentials for federated users, you must grant those users permission to access GetFederationToken.

  • To delegate access to AWS resources within your organization's AWS account, you can create roles and specify the trusted entities. Entities that assume the role must have permission to call the AssumeRole action. Only IAM users or supported AWS services can assume a role. If you use AWS account credentials to call AssumeRole, access is denied.
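As an added illustration that is not part of this guide or the AWS SDKs, the following Python builds and signs (Signature Version 4) a Query API request for any of the three actions above, GetSessionToken, GetFederationToken or AssumeRole, using only the standard library; the global STS endpoint, the us-east-1 signing region and the placeholder credentials are assumptions. It also shows what changes once the caller itself holds temporary credentials: the session token has to be sent and signed as x-amz-security-token.

```python
import datetime
import hashlib
import hmac
from urllib.parse import quote

STS_HOST = "sts.amazonaws.com"  # assumed: global STS endpoint, signed as us-east-1
ALGO = "AWS4-HMAC-SHA256"


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def sign_sts_request(action, params, access_key, secret_key,
                     session_token=None, amz_date=None, region="us-east-1"):
    """Return (headers, body) for a SigV4-signed POST to the STS Query API.

    When the caller holds temporary credentials, its session token must be
    sent and signed as x-amz-security-token, or STS rejects the request.
    """
    if amz_date is None:
        amz_date = datetime.datetime.now(datetime.timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    date = amz_date[:8]
    # Query API body: Action, Version and the action's own parameters, sorted by name.
    fields = dict(params, Action=action, Version="2011-06-15")
    body = "&".join(f"{quote(k, safe='')}={quote(v, safe='')}"
                    for k, v in sorted(fields.items()))
    headers = {"content-type": "application/x-www-form-urlencoded; charset=utf-8",
               "host": STS_HOST, "x-amz-date": amz_date}
    if session_token:
        headers["x-amz-security-token"] = session_token
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical = "\n".join(["POST", "/", "", canonical_headers, signed,
                           hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{date}/{region}/sts/aws4_request"
    string_to_sign = "\n".join([ALGO, amz_date, scope,
                                hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key: date -> region -> service -> "aws4_request".
    key = _hmac(("AWS4" + secret_key).encode(), date)
    for part in (region, "sts", "aws4_request"):
        key = _hmac(key, part)
    signature = hmac.new(key, string_to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"{ALGO} Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers, body
```

Pass `amz_date` explicitly to reproduce a signature; otherwise the current UTC time is used, and the request must reach STS within its clock-skew window.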

For more general information about controlling user permissions, see Managing IAM Policies. The AWS STS API is described in detail in the AWS Security Token Service API Reference.

Important

Once you issue temporary security credentials, you cannot revoke them. In the rare cases when you need to disable temporary security credentials before they expire, you can instead restrict what they are allowed to do by modifying the permissions of the IAM user who created them or by modifying the permissions of the role. For this reason, we do not recommend using your root account credentials to create temporary security credentials for federated users. For more information, see Disable Permissions Granted Through Temporary Security Credentials.

Note

You can give your IAM users the ability to create temporary security credentials, but users cannot use these credentials to access IAM or AWS STS.