|Did this page help you? Yes | No | Tell us about it...|
IAM enables you to grant any user temporary access to your Amazon Web Services (AWS) resources. Temporary access is useful when:
You need identity federation between AWS and your non-AWS users in your own identity and authorization system.
You want single sign-on between your identity and authorization system and the AWS Management Console.
You need enhanced security for mobile environments and for users accessing your AWS resources through a web browser.
You have IAM users who need temporary security credentials.
To grant users temporary access to your resources, you call the AWS Security Token Service (STS) APIs. The AWS STS APIs return temporary security credentials consisting of a security token, an Access Key ID, and a Secret Access Key. You issue the temporary security credentials to the users who need temporary access to your resources. These users can be existing IAM users, or they can be non-AWS users (federated identities). The users might even be systems or applications that need to access your AWS resources. The extent to which a user who has these temporary security credentials can access your AWS resources depends on permissions you set using AWS access policies.
Temporary security credentials provide enhanced security because they have short life spans and cannot be reused after they expire. The Access Key ID and Secret Access Key generated with the token cannot be used without the token, and a user who has these temporary security credentials can access your resources only until the credentials expire. By default, temporary security credentials are valid for 12 hours, but you can specify a different maximum duration. You can create as many sets of temporary security credentials as you need; there is no limit.
This guide describes some common scenarios for granting temporary access, explains how to use the AWS STS API to generate temporary security credentials, describes how permissions work, and provides links to information about how to use temporary security credentials with other AWS products. This guide also links to sample applications you can view to learn more about generating temporary security credentials.
Although temporary security credentials are short-lived, you should be aware that users who have temporary access can make lasting changes to your AWS resources. For example, if a user with temporary access launches an Amazon EC2 instance, that instance could continue to run and incur charges against your AWS account even after the user's temporary security credentials expire.
Not all AWS products support using temporary security credentials. For a list of the products that accept temporary security credentials, see Using Temporary Security Credentials to Access AWS.