Using Temporary Security Credentials
AWS STS (API Version 2011-06-15)

Granting an IAM Group Permission to Create Temporary Security Credentials

By default, IAM users do not have permission to create temporary security credentials for federated users and roles. However, IAM users can call GetSessionToken by default. To grant an IAM group permission to create temporary security credentials for federated users or roles, you should attach a policy to the IAM group that the IAM users belong to that grants one or both of the following privileges:

  • For federated users, access to AWS STS GetFederationToken.

  • For IAM roles, access to AWS STS AssumeRole.

Example: A policy that grants permission to create temporary security credentials for a federated user

The following example shows a policy that grants permission to access GetFederationToken.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:GetFederationToken",
    "Resource": "*"
  }]
}

Important

When you give an IAM user permission to create temporary security credentials for federated users, you should be aware that this enables the IAM user to delegate his or her own permissions. For more information about delegating permissions across IAM users and AWS accounts, see Enabling Cross-Account Access. For more information about controlling permissions in temporary security credentials, see Controlling Permissions for Temporary Security Credentials.

Example: Granting a user limited permission to create temporary security credentials for federated users

When you let an IAM user call GetFederationToken to create temporary security credentials for federated users, it is a best practice to restrict as much as practical the permissions that the IAM user is allowed to delegate. For example, the following policy shows how to let an IAM user create temporary security credentials only for federated users whose names start with Manager.

{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": "sts:GetFederationToken",
    "Resource": ["arn:aws:sts::123456789012:federated-user/Manager*"]
  }]
}

Example: A policy granting permission to assume a role

The following example shows a policy that grants permission to call AssumeRole for the UpdateAPP role in AWS account 123123123123.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "sts:AssumeRole",
      "Resource": "arn:aws:iam::123123123123:role/UpdateAPP"
    }
  ]
}
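To make the effect of the Resource restrictions concrete, the following Python script (an added illustration, not code from the AWS documentation or the STS service) feeds the three policies above, plus one constructed variant that adds an explicit Deny, through a deliberately simplified IAM policy evaluator. The evaluator models only Effect, Action and Resource with the "*" and "?" wildcards, matches action names case-insensitively and resource ARNs exactly, and applies the explicit-deny-wins rule; conditions, principals and NotAction are not modelled, so it is a teaching aid rather than a substitute for the IAM policy simulator. The federated user names and the extra Deny statement are constructed sample input.

```python
import json
import re

# The two GetFederationToken policies and the AssumeRole policy from the page.
FEDERATION_ANY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "sts:GetFederationToken",
                "Resource": "*"}]}
""")

FEDERATION_MANAGERS = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "sts:GetFederationToken",
                "Resource": ["arn:aws:sts::123456789012:federated-user/Manager*"]}]}
""")

ASSUME_UPDATEAPP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow",
                "Action": "sts:AssumeRole",
                "Resource": "arn:aws:iam::123123123123:role/UpdateAPP"}]}
""")

# Constructed variant (not from the page): allow Manager* but carve out a
# ManagerTemp* prefix with an explicit Deny, which always wins over Allow.
FEDERATION_MANAGERS_NO_TEMP = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow",
    "Action": "sts:GetFederationToken",
    "Resource": "arn:aws:sts::123456789012:federated-user/Manager*"},
   {"Effect": "Deny",
    "Action": "sts:GetFederationToken",
    "Resource": "arn:aws:sts::123456789012:federated-user/ManagerTemp*"}]}
""")


def _as_list(value):
    """IAM lets Action and Resource be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, ignore_case=False):
    """Match an IAM-style pattern: '*' is any run of characters, '?' exactly one.

    Everything else is literal, so the pattern is regex-escaped first and only
    the escaped wildcards are turned back into regex operators.
    """
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    flags = re.IGNORECASE if ignore_case else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified IAM evaluation for one policy.

    Rule order: an explicit Deny that matches wins immediately; otherwise any
    matching Allow grants access; if nothing matches, the request is implicitly
    denied. Only Effect/Action/Resource are consulted (no Condition/Principal).
    """
    allowed = False
    for stmt in policy["Statement"]:
        action_hit = any(_wildcard_match(p, action, ignore_case=True)
                         for p in _as_list(stmt["Action"]))
        resource_hit = any(_wildcard_match(p, resource)
                           for p in _as_list(stmt["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def federated_user_arn(name):
    """Build the federated-user ARN for the account used on the page."""
    return "arn:aws:sts::123456789012:federated-user/" + name


def check_examples():
    """Exercise each policy against a few requests; returns {description: decision}."""
    return {
        "any policy, federate Bob":
            is_allowed(FEDERATION_ANY, "sts:GetFederationToken", federated_user_arn("Bob")),
        "managers policy, federate ManagerAlice":
            is_allowed(FEDERATION_MANAGERS, "sts:GetFederationToken", federated_user_arn("ManagerAlice")),
        "managers policy, federate Bob":
            is_allowed(FEDERATION_MANAGERS, "sts:GetFederationToken", federated_user_arn("Bob")),
        "managers policy, AssumeRole is not granted":
            is_allowed(FEDERATION_MANAGERS, "sts:AssumeRole", federated_user_arn("ManagerAlice")),
        "no-temp policy, ManagerTemp1 hits the Deny":
            is_allowed(FEDERATION_MANAGERS_NO_TEMP, "sts:GetFederationToken", federated_user_arn("ManagerTemp1")),
        "role policy, assume UpdateAPP":
            is_allowed(ASSUME_UPDATEAPP, "sts:AssumeRole", "arn:aws:iam::123123123123:role/UpdateAPP"),
        "role policy, assume a different role":
            is_allowed(ASSUME_UPDATEAPP, "sts:AssumeRole", "arn:aws:iam::123123123123:role/Admin"),
    }


if __name__ == "__main__":
    for description, decision in check_examples().items():
        print(f"{'ALLOW' if decision else 'DENY ':5} {description}")
```

Running the script shows why the second policy on the page is preferable to the first: with "Resource": "*" the IAM user can mint federated credentials under any name, whereas the Manager* pattern limits delegation to that prefix, and a constructed explicit Deny narrows it further regardless of the Allow.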