|« PreviousNext »|
|Did this page help you? Yes | No | Tell us about it...|
This topic describes using the AWS Security Token Service (STS) API to create temporary security credentials. For information about using one of the supported SDKs to create temporary security credentials, see Ways to Access the AWS Security Token Service.
The method you use to create the temporary security credentials depends on how you use them.
To create temporary security credentials for their own use, IAM users call the
AWS STS GetSessionToken API action. Users do not need explicit permission to
GetSessionToken; it is available to all IAM users.
To enable your users to create temporary security credentials for federated users, you must grant those users permission to access GetFederationToken.
To delegate access to AWS resources within your organization's AWS account,
you can create roles and specify the trusted entities. Entities that assume the
role must have permission to call the
AssumeRole action. Only IAM
users or supported AWS services can assume a role. If you use AWS account
credentials to call
AssumeRole, access is denied.
You should be aware that once you issue temporary security credentials, you cannot revoke them. However, in the rare cases when you need to disable temporary security credentials before they expire, you can control temporary security credential permissions by modifying the permissions of the IAM user who created them or by modifying the permissions of a role. For this reason, we do not recommend using your root account credentials to create temporary security credentials for federated users. For more information, see Disable Permissions Granted Through Temporary Security Credentials.
You can give your IAM users the ability to create temporary security credentials, but users cannot use these credentials to access IAM or AWS STS.