Using the AWS Security Token Service (AWS STS), you can provide trusted users with temporary, limited access to your AWS resources.
Temporary access is useful in scenarios that involve identity federation, web identity federation, delegation, cross-account access, and IAM roles:
If you manage user identities outside of AWS, identity federation allows you to give your external user identities permissions to use resources in your AWS account. For example, you can authenticate users in your corporate network, and then provide those users direct access to the AWS Management Console without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like SAML 2.0 (Security Assertion Markup Language 2.0), or you can manage your own solution for federating user identities.
Web Identity Federation
You can let users of your mobile app or web application sign in using a well-known identity provider—such as Login with Amazon, Facebook, Google, and many others—and you can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access.
When you use web identity federation for your mobile or web application, you don't need to create custom sign-in code or manage your own user identities. Using web identity federation helps you keep your AWS account secure, because you don't have to distribute long-term security credentials, such as IAM user access keys, with your application.
AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OICD)-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use this service with the AWS Mobile SDK for iOS and the AWS Mobile SDK for Android and Fire OS to create unique identities for users and authenticate them for secure access to your AWS resources. Amazon Cognito supports the same identity providers as AWS STS, and also supports unauthenticated (guest) access and lets you migrate user data when a user signs in. Amazon Cognito also provides APIs for synchronizing user data so that it is preserved as users move between devices. For more information, see the following:
Many organizations maintain more than one AWS account. Using cross-account access, you can define user identities in one account, and use those identities to access AWS resources in other accounts that belong to your organization. This is known as the delegation approach to temporary access. For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts in the Using IAM guide.
Roles for Amazon EC2
If you run applications on Amazon EC2 instances and those applications needs access to AWS resources, you can provide temporary security credentials to your instances when you launch them. These temporary security credentials are available to all applications that run on the instance, so you don't need to store any long-term credentials on the instance. This is known as roles for Amazon EC2.
You can use temporary security credentials to access most AWS services. For a list of the services that accept temporary security credentials, see AWS Services that Support AWS Security Token Service (AWS STS).
To request temporary security credentials using AWS STS, you call one of the API actions in the following list. The list describes typical scenarios for using each API.
You can call the APIs using one of the AWS SDKs, which are available in a variety of programming languages, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference.
The AWS STS API actions return temporary security credentials that consist of an access key (that is, an access key ID and a secret access key), and a session token. Users (or an application that the user is running) can use these credentials to access your resources. The credentials are associated with an IAM access control policy that limits what the user can do when using the credentials. For more information, see Requesting AWS Resources Using Temporary Security Credentials.
Although temporary security credentials are short-lived, users who have temporary access can make lasting changes to your AWS resources. For example, if a user with temporary access launches an Amazon EC2 instance, the instance can continue to run and incur charges against your AWS account even after the user's temporary security credentials expire.
For information about functional differences among these APIs, see Comparing Features of AWS STS APIs.
This API is useful for allowing existing IAM users to access AWS resources that they don't already have access to, such as resources in another AWS account. It is also useful for existing IAM users as a means to gain privileged access—for example, to provide multi-factor authentication (MFA). For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts and Configuring MFA-Protected API Access in the Using IAM guide.
The API returns a set of temporary security credentials for federated users who are authenticated using a public identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider. This API is useful for creating mobile applications or client-based web applications that require access to AWS, in which users do not have their own AWS or IAM identities. For more information, see Creating a Role to Allow AWS Access for the Mobile App.
Instead of directly calling
AssumeRoleWithWebIdentity, we recommend
that you use Amazon Cognito and the Amazon Cognito credentials provider with the AWS SDKs for mobile
development. For more information, see the following:
This API returns a set of temporary security credentials for federated users who are authenticated in your organization and who pass authentication and authorization information to AWS using SAML 2.0 (Security Assertion Markup Language). This API is useful in organizations that have integrated their identity systems (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions to provide information about user identity and permissions. For more information, see Creating Temporary Security Credentials for SAML Federation.
This API returns a set of temporary security credentials for federated users. This API
AssumeRole in that the default expiration period is
substantially longer (up to 36 hours instead of up to 1 hour). The longer expiration
period can help reduce the number of calls to AWS because you do not need to get new
credentials as often. For more information, see Creating Temporary Security Credentials to Enable Access for
This API returns a set of temporary security credentials to an existing IAM user. It is useful for providing enhanced security, for example, for making AWS requests when MFA is enabled for the IAM user. For more information, see Creating Temporary Security Credentials to Enable Access for IAM Users.
The following table lists features of the actions (APIs) in AWS STS that return temporary security credentials.
For general information about these APIs and their intended purposes, see Ways to Get Temporary Security Credentials.
|AWS STS API||Who can call||Credential lifetime (min/max/default)||MFA support||Passed policy support||Restrictions on resulting temporary credentials|
|AssumeRole||IAM user or user with existing temporary security credentials||15m/1hr/1hr||Yes||Yes||
|AssumeRoleWithSAML||Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider.||15m/1hr/1hr||No||Yes|
|AssumeRoleWithWebIdentity||Any user; caller must pass a web identity token that indicates authentication from a known identity provider.||15m/1hr/1hr||No||Yes||
|GetFederationToken||IAM user or root account||
IAM user: 15m/36hr/12hr
Root account: 15m/1hr/1hr
Cannot call IAM APIs directly.
SSO to console is allowed.
Cannot call AWS STS APIs.
|GetSessionToken||IAM user or root account||
IAM user: 15m/36hr/12hr
Root account: 15m/1hr/1hr
Cannot call IAM APIs unless MFA information is included with the request.
Cannot call AWS STS APIs except
Single sign-on (SSO) to console not allowed, but any user with a password (root or IAM user) can sign into the console.
MFA support. Some AWS STS APIs allow you to pass information about a multi-factor authentication (MFA) device. This lets you make sure that the temporary security credentials that result from the API call can be used only by users who have authenticated with an MFA device. For more information, see Configuring MFA-Protected API Access in the Using IAM guide.
Passed policy support. Some AWS STS APIs allow you to pass an IAM policy that is used in conjunction with other policies (if any) to determine what the user is allowed to do with the temporary credentials that result from the API call. For more information, see the following topics:
Single sign-on (SSO) to the console. To support SSO,
AWS lets you call a federation endpoint
https://signin.aws.amazon.com/federation), passing temporary security
credentials. The endpoint returns a token that can be used to construct a URL that signs a
user directly into the console, without requiring a password. For more information, see
Giving Federated Users Direct Access to the AWS Management Console and How to enable cross-account access to the AWS Management Console in the AWS
AWS Security Token Service is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your AWS STS temporary security credentials. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.
Using AWS Security Token Service to get temporary security credentials has the following advantages:
You do not have to distribute long-term AWS security credentials with an application.
You can provide access to your AWS resources to users without having to define an AWS identity for them.
The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.