AWS Security Token Service
Using Temporary Security Credentials (API Version 2011-06-15)

What Is AWS Security Token Service?

Using the AWS Security Token Service (AWS STS), you can provide trusted users with temporary, limited access to your AWS resources.

When to Use Temporary Credentials

Temporary access is useful in scenarios that involve identity federation, web identity federation, delegation, cross-account access, and IAM roles:

Identity Federation

If you manage user identities outside of AWS, identity federation allows you to give your external user identities permissions to use resources in your AWS account. For example, you can authenticate users in your corporate network, and then provide those users direct access to the AWS Management Console without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like SAML 2.0 (Security Assertion Markup Language 2.0), or you can manage your own solution for federating user identities.

Web Identity Federation

You can let users of your mobile app or web application sign in using a well-known identity provider—such as Login with Amazon, Facebook, Google, and many others—and you can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access.

When you use web identity federation for your mobile or web application, you don't need to create custom sign-in code or manage your own user identities. Using web identity federation helps you keep your AWS account secure, because you don't have to distribute long-term security credentials, such as IAM user access keys, with your application.

AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.

Note

For mobile applications, we recommend that you use Amazon Cognito. You can use this service with the AWS Mobile SDK for iOS and the AWS Mobile SDK for Android and Fire OS to create unique identities for users and authenticate them for secure access to your AWS resources. Amazon Cognito supports the same identity providers as AWS STS, and also supports unauthenticated (guest) access and lets you migrate user data when a user signs in. Amazon Cognito also provides APIs for synchronizing user data so that it is preserved as users move between devices. For more information, see the following:

Cross-Account Access

Many organizations maintain more than one AWS account. Using cross-account access, you can define user identities in one account, and use those identities to access AWS resources in other accounts that belong to your organization. This is known as the delegation approach to temporary access. For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts in the Using IAM guide.

Roles for Amazon EC2

If you run applications on Amazon EC2 instances and those applications need access to AWS resources, you can provide temporary security credentials to your instances when you launch them. These temporary security credentials are available to all applications that run on the instance, so you don't need to store any long-term credentials on the instance. This is known as roles for Amazon EC2.

You can use temporary security credentials to access most AWS services. For a list of the services that accept temporary security credentials, see AWS Services that Support AWS Security Token Service (AWS STS).

Ways to Get Temporary Security Credentials

To request temporary security credentials using AWS STS, you call one of the API actions in the following list. The list describes typical scenarios for using each API.

You can call the APIs using one of the AWS SDKs, which are available in a variety of programming languages, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference.

The AWS STS API actions return temporary security credentials that consist of an access key (that is, an access key ID and a secret access key), and a session token. Users (or an application that the user is running) can use these credentials to access your resources. The credentials are associated with an IAM access control policy that limits what the user can do when using the credentials. For more information, see Requesting AWS Resources Using Temporary Security Credentials.

Important

Although temporary security credentials are short-lived, users who have temporary access can make lasting changes to your AWS resources. For example, if a user with temporary access launches an Amazon EC2 instance, the instance can continue to run and incur charges against your AWS account even after the user's temporary security credentials expire.

For information about functional differences among these APIs, see Comparing Features of AWS STS APIs.

AWS Security Token Service API Actions

AssumeRole

This API is useful for allowing existing IAM users to access AWS resources that they don't already have access to, such as resources in another AWS account. It is also useful for existing IAM users as a means to gain privileged access—for example, to provide multi-factor authentication (MFA). For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts and Configuring MFA-Protected API Access in the Using IAM guide.

AssumeRoleWithWebIdentity

The API returns a set of temporary security credentials for federated users who are authenticated using a public identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider. This API is useful for creating mobile applications or client-based web applications that require access to AWS, in which users do not have their own AWS or IAM identities. For more information, see Creating a Role to Allow AWS Access for the Mobile App.

Note

Instead of directly calling AssumeRoleWithWebIdentity, we recommend that you use Amazon Cognito and the Amazon Cognito credentials provider with the AWS SDKs for mobile development. For more information, see the following:

AssumeRoleWithSAML

This API returns a set of temporary security credentials for federated users who are authenticated in your organization and who pass authentication and authorization information to AWS using SAML 2.0 (Security Assertion Markup Language). This API is useful in organizations that have integrated their identity systems (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions to provide information about user identity and permissions. For more information, see Creating Temporary Security Credentials for SAML Federation.

GetFederationToken

This API returns a set of temporary security credentials for federated users. This API differs from AssumeRole in that the default expiration period is substantially longer (up to 36 hours instead of up to 1 hour). The longer expiration period can help reduce the number of calls to AWS because you do not need to get new credentials as often. For more information, see Creating Temporary Security Credentials to Enable Access for Federated Users.

GetSessionToken

This API returns a set of temporary security credentials to an existing IAM user. It is useful for providing enhanced security, for example, for making AWS requests when MFA is enabled for the IAM user. For more information, see Creating Temporary Security Credentials to Enable Access for IAM Users.

Comparing Features of AWS STS APIs

The following table lists features of the actions (APIs) in AWS STS that return temporary security credentials.

For general information about these APIs and their intended purposes, see Ways to Get Temporary Security Credentials.

| AWS STS API | Who can call | Credential lifetime (min/max/default) | MFA support | Passed policy support | Restrictions on resulting temporary credentials |
| --- | --- | --- | --- | --- | --- |
| AssumeRole | IAM user or user with existing temporary security credentials | 15m/1hr/1hr | Yes | Yes | Cannot call GetFederationToken or GetSessionToken. |
| AssumeRoleWithSAML | Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider. | 15m/1hr/1hr | No | Yes | Cannot call GetFederationToken or GetSessionToken. |
| AssumeRoleWithWebIdentity | Any user; caller must pass a web identity token that indicates authentication from a known identity provider. | 15m/1hr/1hr | No | Yes | Cannot call GetFederationToken or GetSessionToken. |
| GetFederationToken | IAM user or root account | IAM user: 15m/36hr/12hr; Root account: 15m/1hr/1hr | No | Yes | Cannot call IAM APIs directly. SSO to console is allowed. Cannot call AWS STS APIs. |
| GetSessionToken | IAM user or root account | IAM user: 15m/36hr/12hr; Root account: 15m/1hr/1hr | Yes | No | Cannot call IAM APIs unless MFA information is included with the request. Cannot call AWS STS APIs except AssumeRole. Single sign-on (SSO) to console not allowed, but any user with a password (root or IAM user) can sign into the console. |
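
As an added example (not part of the original guide or of any AWS SDK), the Python below encodes the comparison table above and checks a planned sequence of STS calls against it: who may call each API, the lifetime bounds, MFA and passed-policy support, and which STS actions the issued credentials can call next. The caller labels, `TABLE` and `check_chain` are hypothetical names, and the limits are the ones this page states.

```python
MIN_S, HOUR = 15 * 60, 3600
ALL = {"AssumeRole", "AssumeRoleWithSAML", "AssumeRoleWithWebIdentity",
       "GetFederationToken", "GetSessionToken"}
ROLE_BLOCKS = {"GetFederationToken", "GetSessionToken"}
LONG = {"iam_user": 36 * HOUR, "root": HOUR}  # IAM user 36hr max, root 1hr max

# One row per API as the table gives it: (max lifetime per caller kind,
# MFA support, passed-policy support, STS actions the issued credentials
# cannot call). Caller labels are hypothetical names for this example.
TABLE = {
    "AssumeRole": ({"iam_user": HOUR, "temporary": HOUR}, True, True, ROLE_BLOCKS),
    "AssumeRoleWithSAML": ({"any": HOUR}, False, True, ROLE_BLOCKS),
    "AssumeRoleWithWebIdentity": ({"any": HOUR}, False, True, ROLE_BLOCKS),
    "GetFederationToken": (LONG, False, True, ALL),
    "GetSessionToken": (LONG, True, False, ALL - {"AssumeRole"}),
}


def check_chain(caller, steps):
    """Return the table violations in a planned sequence of STS calls.

    caller: "iam_user", "root" or "external" (no AWS identity).
    steps:  dicts with "api" and "seconds", plus optional "mfa"/"policy" flags.
    """
    problems, blocked = [], set()
    for n, step in enumerate(steps, 1):
        api, secs = step["api"], step["seconds"]
        limits, mfa_ok, policy_ok, blocks = TABLE[api]
        max_s = limits.get(caller, limits.get("any"))
        if api in blocked:
            problems.append(f"step {n}: credentials from step {n - 1} cannot call {api}")
        elif max_s is None:
            problems.append(f"step {n}: {caller} cannot call {api}")
        elif not MIN_S <= secs <= max_s:
            problems.append(f"step {n}: {secs}s is outside {MIN_S}-{max_s}s for {api}")
        if step.get("mfa") and not mfa_ok:
            problems.append(f"step {n}: {api} does not support MFA")
        if step.get("policy") and not policy_ok:
            problems.append(f"step {n}: {api} does not accept a passed policy")
        caller, blocked = "temporary", blocks  # later calls use the issued credentials
    return problems


# Constructed plans: MFA session then role (valid); role then federation token (not).
ok_plan = [{"api": "GetSessionToken", "seconds": 12 * HOUR, "mfa": True},
           {"api": "AssumeRole", "seconds": HOUR, "policy": True}]
bad_plan = [{"api": "AssumeRole", "seconds": HOUR},
            {"api": "GetFederationToken", "seconds": 12 * HOUR}]
if __name__ == "__main__":
    print(check_chain("iam_user", ok_plan))
    print(check_chain("iam_user", bad_plan))
```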


Pricing of AWS STS

AWS Security Token Service is a feature of your AWS account offered at no additional charge. You will be charged only for use of other AWS services by your AWS STS temporary security credentials. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.

Advantages of Temporary Security Credentials

Using AWS Security Token Service to get temporary security credentials has the following advantages:

  • You do not have to distribute long-term AWS security credentials with an application.

  • You can provide access to your AWS resources to users without having to define an AWS identity for them.

  • The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.