Using Temporary Security Credentials
AWS STS (API Version 2011-06-15)

Controlling Permissions for Temporary Security Credentials

AWS determines which principal's permissions apply to temporary security credentials at the time the credentials are created: the credentials are bound either to the role that was assumed (AssumeRole or AssumeRoleWithWebIdentity) or to the IAM user that made the request (GetFederationToken or GetSessionToken). The credentials are not bound to a fixed, static set of permissions at creation time. Instead, the effective permissions are evaluated each time a request is made with the credentials, based on the current permissions of the IAM user or role that the credentials are bound to.

After temporary security credentials have been issued, they are valid through the expiration period and cannot be revoked. However, because the permissions for the temporary credentials are checked for each request, you can change the effective permissions for the temporary security credentials by editing (or deleting) the policy or policies that describe the permissions for the role or user. In effect, you can change the access rights for those credentials even after the credentials have been issued.
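As an added example (not from this guide), the following Python shows one practical way to use the per-request evaluation described above to cut off sessions that are already in flight: an inline Deny policy keyed on the `aws:TokenIssueTime` condition key, which AWS populates only for temporary credentials. The role name and policy name are placeholders, and `session_denied` is a local model of that one condition, not the IAM evaluation engine.

```python
"""Deny-by-issue-time policy for temporary credentials (added example)."""
import json
from datetime import datetime, timezone

# Assumed names: the role and inline policy names are placeholders.
ROLE_NAME = "ExampleAppRole"
POLICY_NAME = "DenyOlderSessions"


def build_session_cutoff_policy(cutoff: datetime) -> dict:
    """Return an IAM policy that denies every action for credentials issued
    before `cutoff`. aws:TokenIssueTime is only present for temporary
    credentials, so long-term access keys do not match this statement."""
    stamp = cutoff.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def session_denied(policy: dict, issued_at: datetime) -> bool:
    """Local model of the single condition this policy uses: True when a
    session issued at `issued_at` would match the Deny statement. This is
    how the cutoff behaves on each request; it is not the IAM engine."""
    for stmt in policy["Statement"]:
        cond = stmt.get("Condition", {}).get("DateLessThan", {})
        limit = cond.get("aws:TokenIssueTime")
        if stmt["Effect"] == "Deny" and limit:
            limit_dt = datetime.strptime(limit, "%Y-%m-%dT%H:%M:%SZ")
            limit_dt = limit_dt.replace(tzinfo=timezone.utc)
            if issued_at.astimezone(timezone.utc) < limit_dt:
                return True
    return False


def attach_cutoff_policy(iam_client, role_name: str, cutoff: datetime) -> dict:
    """Attach the policy as an inline role policy. `iam_client` is any object
    exposing boto3's IAM put_role_policy(RoleName=, PolicyName=, PolicyDocument=)
    signature; pass a real boto3 client to apply it, a stub to dry-run."""
    policy = build_session_cutoff_policy(cutoff)
    iam_client.put_role_policy(RoleName=role_name, PolicyName=POLICY_NAME,
                               PolicyDocument=json.dumps(policy))
    return policy
```

Sessions issued after the cutoff (a fresh AssumeRole, for instance) are unaffected, so the role stays usable while the older credentials lose access on their next request.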

This section describes what you need to know about granting permissions in temporary security credentials, and how to update or disable permissions after temporary security credentials have been issued.