The AWS Security Token Service (AWS STS) enables you to provide trusted users with temporary credentials that provide controlled access to your AWS resources.
By default, AWS STS is a global service that has a single endpoint at
https://sts.amazonaws.com. There is also, by default, one regional endpoint
https://sts.us-east-1.amazonaws.com. You can choose to enable AWS STS
in additional regions for your account, and then make AWS STS API calls to endpoints in those
added regions. This can reduce latency by making the requests from servers in a region that is
geographically closer to you. No matter which region your credentials come from, they work
globally. For more information, see Activating AWS STS in a New Region.
Using AWS Security Token Service to get temporary security credentials has the following advantages:
You do not have to distribute long-term AWS security credentials with an application.
You can provide access to your AWS resources to users without having to define an AWS identity for them.
The temporary security credentials have a limited lifetime, so you do not have to rotate them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.
Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles:
You can manage your user identities in an external system outside of AWS and grant users who sign in using those systems access to perform AWS tasks and access your AWS resources. IAM supports two types of identity federation. In both cases, the identities are stored outside of AWS. The distinction is where the external system resides—in your datacenter or an external third party on the web.
Enterprise identity federation. You can authenticate users in your organization's network, and then provide those users access to AWS without creating new AWS identities for them and requiring them to sign in with a separate user name and password. This is known as the single sign-on (SSO) approach to temporary access. AWS STS supports open standards like Security Assertion Markup Language (SAML) 2.0, which enables you to use Microsoft AD FS leverage your Microsoft Active Directory, or you can manage your own solution for federating user identities.
Web identity federation. You can let users sign in using a well-known third party identity provider—such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC) 2.0 compatible provider—and you can exchange the credentials from that provider for temporary permissions to use resources in your AWS account. This is known as the web identity federation approach to temporary access.
When you use web identity federation for your mobile or web application, you don't need to create custom sign-in code or manage your own user identities. Using web identity federation helps you keep your AWS account secure, because you don't have to distribute long-term security credentials, such as IAM user access keys, with your application.
AWS STS web identity federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OICD)-compatible identity provider.
For mobile applications, we recommend that you use Amazon Cognito. You can use this service with the AWS Mobile SDK for iOS and the AWS Mobile SDK for Android and Fire OS to create unique identities for users and authenticate them for secure access to your AWS resources. Amazon Cognito supports the same identity providers as AWS STS, and also supports unauthenticated (guest) access and lets you migrate user data when a user signs in. Amazon Cognito also provides APIs for synchronizing user data so that it is preserved as users move between devices. For more information, see the following:
Many organizations maintain more than one AWS account. Using cross-account access, you can define user identities in one account, and use those identities to access AWS resources in other accounts that belong to your organization. This is known as the delegation approach to temporary access. For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts in the Using IAM guide.
Roles for Amazon EC2
If you run applications on Amazon EC2 instances and those applications need access to AWS resources, you can provide temporary security credentials to your instances when you launch them. These temporary security credentials are available to all applications that run on the instance, so you don't need to store any long-term credentials on the instance. This is known as roles for Amazon EC2.
You can use temporary security credentials to access most AWS services. For a list of the services that accept temporary security credentials, see AWS Services that Support AWS Security Token Service (AWS STS).
To request temporary security credentials using AWS STS, you can use the AWS STS API actions.
You can call the APIs using one of the AWS SDKs, which are available in a variety of programming languages, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference.
The AWS STS API actions return temporary security credentials that consist of an access key (that is, an access key ID and a secret access key), and a session token. Users (or an application that the user is running) can use these credentials to access your resources. The credentials are associated with an IAM access control policy that limits what the user can do when using the credentials. For more information, see Requesting AWS Resources Using Temporary Security Credentials.
Although temporary security credentials are short-lived, users who have temporary access can make lasting changes to your AWS resources. For example, if a user with temporary access launches an Amazon EC2 instance, the instance can continue to run and incur charges against your AWS account even after the user's temporary security credentials expire.
The following are the APIs that enable you acquire temporary credentials for use in your AWS environment and applications.
This API is useful for allowing existing IAM users to access AWS resources that they don't already have access to, such as resources in another AWS account. It is also useful for existing IAM users as a means to gain privileged access—for example, to provide multi-factor authentication (MFA). For more information, see Cross-Account Access: Sharing Resources Between AWS Accounts and Configuring MFA-Protected API Access in the Using IAM guide.
The API returns a set of temporary security credentials for federated users who are authenticated using a public identity provider such as Login with Amazon, Facebook, Google, or any OpenID Connect (OIDC)-compatible identity provider. This API is useful for creating mobile applications or client-based web applications that require access to AWS, in which users do not have their own AWS or IAM identities. For more information, see Creating a Role to Allow AWS Access for the Mobile App.
Instead of directly calling
AssumeRoleWithWebIdentity, we recommend
that you use Amazon Cognito and the Amazon Cognito credentials provider with the AWS SDKs for mobile
development. For more information, see the following:
This API returns a set of temporary security credentials for federated users who are authenticated in your organization and who pass authentication and authorization information to AWS using SAML 2.0 (Security Assertion Markup Language). This API is useful in organizations that have integrated their identity systems (such as Windows Active Directory or OpenLDAP) with software that can produce SAML assertions to provide information about user identity and permissions. For more information, see About AWS STS SAML 2.0-based Federation.
This API returns a set of temporary security credentials for federated users. This API
AssumeRole in that the default expiration period is
substantially longer (up to 36 hours instead of up to 1 hour). The longer expiration
period can help reduce the number of calls to AWS because you do not need to get new
credentials as often. For more information, see AWS APIs to Create Temporary Security Credentials .
This API returns a set of temporary security credentials to an existing IAM user. It is useful for providing enhanced security, for example, for making AWS requests when MFA is enabled for the IAM user. For more information, see Creating Temporary Security Credentials to Enable Access for IAM Users.
The following table compares features of the actions (APIs) in AWS STS that return temporary security credentials.
|AWS STS API||Who can call||Credential lifetime (min/max/default)||MFA support*||Passed policy support*||Restrictions on resulting temporary credentials|
|AssumeRole||IAM user or user with existing temporary security credentials||15m/1hr/1hr||Yes||Yes||
|AssumeRoleWithSAML||Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider.||15m/1hr/1hr||No||Yes|
|AssumeRoleWithWebIdentity||Any user; caller must pass a web identity token that indicates authentication from a known identity provider.||15m/1hr/1hr||No||Yes||
|GetFederationToken||IAM user or root account||
IAM user: 15m/36hr/12hr
Root account: 15m/1hr/1hr
Cannot call IAM APIs directly.
SSO to console is allowed.*
Cannot call AWS STS APIs.
|GetSessionToken||IAM user or root account||
IAM user: 15m/36hr/12hr
Root account: 15m/1hr/1hr
Cannot call IAM APIs unless MFA information is included with the request.
Cannot call AWS STS APIs except
Single sign-on (SSO) to console not allowed, but any user with a password (root or IAM user) can sign into the console.*
MFA support. Some AWS STS APIs allow you to pass information about a multi-factor authentication (MFA) device. This lets you make sure that the temporary security credentials that result from the API call can be used only by users who have authenticated with an MFA device. For more information, see Configuring MFA-Protected API Access in the Using IAM guide.
Passed policy support. Some AWS STS APIs allow you to pass an IAM policy that is used in conjunction with other policies (if any) to determine what the user is allowed to do with the temporary credentials that result from the API call. For more information, see the following topics:
Single sign-on (SSO) to the console. To support
SSO, AWS lets you call a federation endpoint
https://signin.aws.amazon.com/federation), passing temporary security
credentials. The endpoint returns a token that can be used to construct a URL that signs
a user directly into the console, without requiring a password. For more information,
see Giving Federated Users Direct Access to the AWS Management Console and How to enable cross-account access to the AWS Management Console in the
AWS Security Blog.
AWS Security Token Service is an included feature of your AWS account offered at no additional charge. You are charged only for the use of other AWS services that are accessed by your AWS STS temporary security credentials. For information about the pricing of other AWS services, see the Amazon Web Services pricing page.