As described in Creating Temporary Security Credentials, when you create temporary security credentials, the AWS Security Token Service (STS) returns temporary security credentials that consist of a token, an access key ID, and a secret access key. To give a user access to your resources, you distribute the temporary security credentials to the user you are granting temporary access to. You can distribute these credentials manually or programmatically. When the user makes calls to your resources, the user passes the token and access key ID, and signs the request with the secret access key. (The token works only with the access keys that it was generated with.)
How the user passes in the token depends on the API and version of the AWS product the user is making calls to. The following table describes the AWS products that currently support temporary security credentials, and provides links to information about how to make a call with temporary security credentials using each product API. If service-specific information is not available, general information about using temporary security credentials is provided in the following section, Using Temporary Security Credentials to Authenticate an AWS Request.
Note
The AWS services listed in the following table also support using temporary security credentials to access AWS through the AWS Management Console.
The way you format a request for an AWS service varies depending on the service. For most services, you will need to do the following:
Replace your usual AWSAccessKeyId parameter with the user access key ID provided by IAM.
Include the IAM session token.
Sign the request with the user SecretKeyId provided by IAM.
If you send requests using expired credentials, AWS denies the request.
The following example uses temporary security credentials to authenticate a ListUsers request to IAM. The request uses Signature Version 4 and includes authorization information in the headers.
Sample for services that use Signature Version 4 and add authorization information in the header
POST http://iam.amazonaws.com/ HTTP/1.1
Authorization: AWS4-HMAC-SHA256 Credential=Access Key ID provided by AWS Security Token Service/20110909/us-east-1/iam/aws4_request, SignedHeaders=host, Signature=Signature calculated using the SecretKeyId provided by AWS Security Token Service
host: iam.amazonaws.com
Content-type: application/x-www-form-urlencoded; charset=utf-8
X-Amz-Date: 20110909T233600Z
X-Amz-Security-Token: Security Token Value

Action=ListUsers&Version=2010-05-08
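As an added illustration that is not part of the AWS documentation, the following Python derives the Signature Version 4 signature for the ListUsers request above, carrying the STS session token in the signed X-Amz-Security-Token header. The access key ID, secret access key and session token are constructed placeholders, not real STS output.

```python
import hashlib
import hmac

# Constructed placeholder credentials for illustration only (not real STS output).
ACCESS_KEY_ID = "ASIAEXAMPLEACCESSKEY"
SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
SESSION_TOKEN = "EXAMPLE-SESSION-TOKEN-FROM-STS"

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode("utf-8"), hashlib.sha256).digest()

def signing_key(secret: str, date: str, region: str, service: str) -> bytes:
    """Derive the SigV4 signing key; the secret access key itself never goes on the wire."""
    key = ("AWS4" + secret).encode("utf-8")
    for part in (date, region, service, "aws4_request"):
        key = _hmac(key, part)
    return key

def sign_request(access_key, secret, token, amz_date, region, service, host, body):
    """Build the headers for a SigV4 POST that carries an STS session token."""
    date = amz_date[:8]
    # The token travels in X-Amz-Security-Token, which is one of the signed headers,
    # so the signature binds the token to the access key it was issued with.
    headers = {
        "content-type": "application/x-www-form-urlencoded; charset=utf-8",
        "host": host,
        "x-amz-date": amz_date,
        "x-amz-security-token": token,
    }
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical_request = "\n".join([
        "POST", "/", "",  # method, canonical URI, empty query string (params are in the body)
        canonical_headers, signed,
        hashlib.sha256(body.encode("utf-8")).hexdigest(),
    ])
    scope = f"{date}/{region}/{service}/aws4_request"
    string_to_sign = "\n".join([
        "AWS4-HMAC-SHA256", amz_date, scope,
        hashlib.sha256(canonical_request.encode("utf-8")).hexdigest(),
    ])
    signature = hmac.new(signing_key(secret, date, region, service),
                         string_to_sign.encode("utf-8"), hashlib.sha256).hexdigest()
    headers["authorization"] = (f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
                                f"SignedHeaders={signed}, Signature={signature}")
    return headers

def list_users_headers(token: str = SESSION_TOKEN) -> dict:
    return sign_request(ACCESS_KEY_ID, SECRET_ACCESS_KEY, token, "20110909T233600Z",
                        "us-east-1", "iam", "iam.amazonaws.com", "Action=ListUsers&Version=2010-05-08")
```

Because the token is part of the signed headers, the same request presented with a different token produces a different signature and is rejected, which is the property the note in parentheses above describes.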
The following example shows an Amazon SimpleDB request that uses Signature Version 2 and includes authorization information in the query string.
Sample for services that use Signature Version 2 and add authorization information in the query string
https://sdb.amazonaws.com/
?Action=GetAttributes
&AWSAccessKeyId=Access Key ID provided by AWS Security Token Service
&DomainName=MyDomain
&ItemName=MyItem
&SignatureVersion=2
&SignatureMethod=HmacSHA256
&Timestamp=2010-01-25T15%3A03%3A07-07%3A00
&Version=2009-04-15
&Signature=Signature calculated using the SecretKeyId provided by AWS Security Token Service
&SecurityToken=Security Token Value
Note
AWS provides support for temporary security credentials and session tokens in the AWS SDKs so that you can implement temporary security credentials or session tokens with a specific programming language. Each SDK has its own instructions for implementing this feature. For a current list of AWS SDKs that support this feature, see Ways to Access the AWS Security Token Service.