Compare AWS STS credentials
The following table compares features of the API operations in AWS STS that return temporary security credentials. To learn about the different methods you can use to request temporary security credentials by assuming a role, see Methods to assume a role. To learn about the different AWS STS API operations that allow you to pass session tags, see Pass session tags in AWS STS.
Note
You can send AWS STS API calls either to a global endpoint or to one of the Regional endpoints. If you choose an endpoint closer to you, you can reduce latency and improve the performance of your API calls. You also can choose to direct your calls to an alternative Regional endpoint if you can no longer communicate with the original endpoint. If you are using one of the various AWS SDKs, then use that SDK method to specify a Region before you make the API call. If you manually construct HTTP API requests, then you must direct the request to the correct endpoint yourself. For more information, see the AWS STS section of Regions and Endpoints and Manage AWS STS in an AWS Region.
AWS STS API | Who can call | Credential lifetime (min | max | default) | MFA support¹ | Session policy support² | Restrictions on resulting temporary credentials |
---|---|---|---|---|---|
AssumeRole | IAM user or IAM role with existing temporary security credentials | 15 m | Maximum session duration setting³ | 1 hr | Yes | Yes |
Cannot call |
AssumeRoleWithSAML | Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider | 15 m | Maximum session duration setting³ | 1 hr | No | Yes |
Cannot call |
AssumeRoleWithWebIdentity | Any user; caller must pass an OIDC compliant JWT token that indicates authentication from a known identity provider | 15 m | Maximum session duration setting³ | 1 hr | No | Yes |
Cannot call |
GetFederationToken | IAM user or AWS account root user |
IAM user: 15 m | 36 hr | 12 hr Root user: 15 m | 1 hr | 1 hr |
No | Yes |
Cannot call IAM operations using the AWS CLI or AWS API. This limitation does not apply to console sessions. Cannot call AWS STS operations except
SSO to console is allowed.⁵ |
GetSessionToken | IAM user or AWS account root user |
IAM user: 15 m | 36 hr | 12 hr Root user: 15 m | 1 hr | 1 hr |
Yes | No |
Cannot call IAM API operations unless MFA information is included with the request. Cannot call AWS STS API operations except SSO to console is not allowed.⁶ |
¹ MFA support. You can include information about a multi-factor authentication (MFA) device when you call the AssumeRole and GetSessionToken API operations. This ensures that the temporary security credentials that result from the API call can be used only by users who are authenticated with an MFA device. For more information, see Secure API access with MFA.
² Session policy support. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session policies.
³ Maximum session duration setting. Use the
DurationSeconds
parameter to specify the duration of your role session
from 900 seconds (15 minutes) up to the maximum session duration setting for the role.
To learn how to view the maximum value for your role, see Update the maximum session duration
for a role.
⁴ GetCallerIdentity. No permissions are
required to perform this operation. If an administrator adds a policy to your IAM user
or role that explicitly denies access to the sts:GetCallerIdentity
action,
you can still perform this operation. Permissions are not required because the same
information is returned when an IAM user or role is denied access. To view an example
response, see I am not authorized to
perform: iam:DeleteVirtualMFADevice.
⁵ Single sign-on (SSO) to the console. To
support SSO, AWS lets you call a federation endpoint (https://signin.aws.amazon.com/federation
) and
pass temporary security credentials. The endpoint returns a token that you can use to
construct a URL that signs a user directly into the console without requiring a
password. For more information, see Enabling SAML 2.0 federated users to
access the AWS Management Console and How to Enable Cross-Account Access to the AWS Management Console
⁶ After you retrieve your temporary credentials, you can't access the AWS Management Console by passing the credentials to the federation single sign-on endpoint. For more information, see Enable custom identity broker access to the AWS console.