|Did this page help you? Yes | No | Tell us about it...|
The AWS Security Token Service, or AWS STS for short, lets you grant a trusted user temporary, limited access to your Amazon Web Services (AWS) resources. Here are some are examples of when temporary access is useful:
Federation. You can grant temporary access to people in a corporate network without having to define individual IAM identities for each corporate user. You can also let federated users log into the AWS Management Console without having to be defined as IAM users, which we refer to as single sign-on (SSO). AWS STS supports open standards like the SAML 2.0 (Security Assertion Markup Language 2.0), or you can manage your own solution for federating user identities.
Federation for mobile apps. You can grant access to a user who logs in to a mobile application using Login with Amazon, Facebook, or Google. Users don't have to have IAM identities. (We refer to this as web identity federation.)
Cross-account access. This lets IAM users in one account access resources in another account. (We refer to this as cross-account API access.)
Security management for applications running on Amazon EC2 instances that need access to AWS resources. (We refer to this as delegating API access by using roles.)
Security management to scope down permissions at run time. This is useful for IAM users who are using multi-factor authentication (MFA).
You can use temporary security credentials to access most AWS services. For a list of the services that accept temporary security credentials, see AWS Services that Support AWS Security Token Service (AWS STS).
To request temporary security credentials using the AWS STS, you write code to call the API actions listed in the following table. You can make these calls using one of the AWS SDKs, which are available in a variety of programming languages, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your service requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference.
AWS Security Token Service API Actions
Returns a set of temporary security credentials. You call this API by using the credentials of an existing IAM user. This API is useful for granting AWS access to users who do not have an IAM identity (that is, to federated users). It is also useful for allowing existing IAM users to access AWS resources that they don't already have access to, such as resources in another account. For more information, see Creating Temporary Security Credentials for Delegating API Access.
Returns a set of temporary security credentials for federated users who are authenticated using a public identity provider like Login with Amazon, Facebook, or Google. This API is useful for creating mobile applications or client-based web applications that require access to AWS but where users do not have their own AWS or IAM identity. For more information, see Creating a Role to Allow AWS Access for the Mobile App.
Returns a set of temporary security credentials for federated users who are authenticated in your organization and who pass authentication and authorization information to AWS using SAML (Security Assertion Markup Language). This API is useful in organizations that have integrated their identity systems (such as Windows Active Directory) with software that can produce SAML assertions to provide information about user identity and permissions. For more information, see Creating Temporary Security Credentials for SAML Federation.
Returns a set of temporary security credentials for federated users. This API differs
Returns a set of temporary security credentials to an existing IAM user. This API is useful for providing enhanced security, such as to make AWS requests when MFA is enabled for the IAM user. For more information, see Creating Temporary Security Credentials to Enable Access for IAM Users.
The AWS STS API actions return temporary security credentials that consist of an access key ID, a secret access key, and a session token. Users (or an application that the user is running) can then use these temporary security credentials to access your resources. The temporary security credentials are associated with an IAM access control policy that limits what the user can do when using these credentials. For more information, see Using Temporary Security Credentials.
Although temporary security credentials are short-lived, users who have temporary access can make lasting changes to your AWS resources. For example, if a user with temporary access launches an Amazon EC2 instance, the instance can continue to run and incur charges against your AWS account even after the user's temporary security credentials expire.
AWS Security Token Service is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your AWS STS temporary security credentials. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.
Using AWS Security Token Service to get temporary security credentials is useful for the following reasons:
You do not have to distribute long-term AWS security credentials with an application.
You can provide access to your AWS resources to users without having to define an AWS identity for them.
The temporary security credentials have a limited lifetime, meaning that you do not have to rotate them or explicitly revoke them when they're no longer needed. After temporary security credentials have expired, they cannot be reused. You can specify how long the credentials are good for, up to a maximum limit.