Compare AWS STS credentials - AWS Identity and Access Management

Compare AWS STS credentials

The following table compares features of the API operations in AWS STS that return temporary security credentials. To learn about the different methods you can use to request temporary security credentials by assuming a role, see Methods to assume a role. To learn about the different AWS STS API operations that allow you to pass session tags, see Pass session tags in AWS STS.

Note

You can send AWS STS API calls either to a global endpoint or to one of the Regional endpoints. If you choose an endpoint closer to you, you can reduce latency and improve the performance of your API calls. You also can choose to direct your calls to an alternative Regional endpoint if you can no longer communicate with the original endpoint. If you are using one of the various AWS SDKs, then use that SDK method to specify a Region before you make the API call. If you manually construct HTTP API requests, then you must direct the request to the correct endpoint yourself. For more information, see the AWS STS section of Regions and Endpoints and Manage AWS STS in an AWS Region.

AWS STS API: AssumeRole
  Who can call: IAM user or IAM role with existing temporary security credentials
  Credential lifetime (min | max | default): 15 m | Maximum session duration setting³ | 1 hr
  MFA support¹: Yes
  Session policy support²: Yes
  Restrictions on resulting temporary credentials: Cannot call GetFederationToken or GetSessionToken.

AWS STS API: AssumeRoleWithSAML
  Who can call: Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider
  Credential lifetime (min | max | default): 15 m | Maximum session duration setting³ | 1 hr
  MFA support¹: No
  Session policy support²: Yes
  Restrictions on resulting temporary credentials: Cannot call GetFederationToken or GetSessionToken.

AWS STS API: AssumeRoleWithWebIdentity
  Who can call: Any user; caller must pass an OIDC-compliant JWT token that indicates authentication from a known identity provider
  Credential lifetime (min | max | default): 15 m | Maximum session duration setting³ | 1 hr
  MFA support¹: No
  Session policy support²: Yes
  Restrictions on resulting temporary credentials: Cannot call GetFederationToken or GetSessionToken.

AWS STS API: GetFederationToken
  Who can call: IAM user or AWS account root user
  Credential lifetime (min | max | default):
    IAM user: 15 m | 36 hr | 12 hr
    Root user: 15 m | 1 hr | 1 hr
  MFA support¹: No
  Session policy support²: Yes
  Restrictions on resulting temporary credentials:
    Cannot call IAM operations using the AWS CLI or AWS API. This limitation does not apply to console sessions.
    Cannot call AWS STS operations except GetCallerIdentity.⁴
    SSO to console is allowed.⁵

AWS STS API: GetSessionToken
  Who can call: IAM user or AWS account root user
  Credential lifetime (min | max | default):
    IAM user: 15 m | 36 hr | 12 hr
    Root user: 15 m | 1 hr | 1 hr
  MFA support¹: Yes
  Session policy support²: No
  Restrictions on resulting temporary credentials:
    Cannot call IAM API operations unless MFA information is included with the request.
    Cannot call AWS STS API operations except AssumeRole or GetCallerIdentity.
    SSO to console is not allowed.⁶

¹ MFA support. You can include information about a multi-factor authentication (MFA) device when you call the AssumeRole and GetSessionToken API operations. This ensures that the temporary security credentials that result from the API call can be used only by users who are authenticated with an MFA device. For more information, see Secure API access with MFA.

² Session policy support. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session policies.

³ Maximum session duration setting. Use the DurationSeconds parameter to specify the duration of your role session from 900 seconds (15 minutes) up to the maximum session duration setting for the role. To learn how to view the maximum value for your role, see Update the maximum session duration for a role.
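The three footnotes above describe limits that a caller should enforce before the request leaves the client. The following example, added here and not taken from the AWS documentation or SDKs, builds the Query API parameters for one AssumeRole call (the parameter names Action, Version, RoleArn, RoleSessionName, DurationSeconds, Policy, SerialNumber and TokenCode are the documented STS ones) and models the session-policy intersection rule for Allow statements with action wildcards only; the role ARN, MFA serial and policy documents are constructed sample values.

```python
import fnmatch
import json

STS_MIN_SECONDS = 900  # 15 minutes, the floor for DurationSeconds on AssumeRole


def assume_role_params(role_arn, session_name, role_max_seconds,
                       duration_seconds=3600, session_policy=None,
                       mfa_serial=None, mfa_code=None):
    """Build the STS Query API parameters for one AssumeRole call.

    Enforces the limits described in the footnotes: DurationSeconds must lie
    between 900 s and the role's maximum session duration setting, and an
    MFA SerialNumber is only ever sent together with its TokenCode.
    """
    if not STS_MIN_SECONDS <= duration_seconds <= role_max_seconds:
        raise ValueError(f"DurationSeconds {duration_seconds} outside "
                         f"[{STS_MIN_SECONDS}, {role_max_seconds}]")
    if (mfa_serial is None) != (mfa_code is None):
        raise ValueError("SerialNumber and TokenCode must be supplied together")
    params = {"Action": "AssumeRole", "Version": "2011-06-15",
              "RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": str(duration_seconds)}
    if session_policy is not None:
        # The session policy is passed as a compact JSON document.
        params["Policy"] = json.dumps(session_policy, separators=(",", ":"))
    if mfa_serial is not None:
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = mfa_code
    return params


def effective_actions(identity_allowed, session_policy, candidate_actions):
    """Simplified model of the intersection rule: an action is usable in the
    session only if BOTH the role's identity-based policy and the session
    policy allow it. Deny statements, Resource and Condition are not modelled."""
    session_allowed = [a for stmt in session_policy["Statement"]
                       if stmt["Effect"] == "Allow"
                       for a in ([stmt["Action"]] if isinstance(stmt["Action"], str)
                                 else stmt["Action"])]

    def permitted(action, patterns):
        # IAM action matching is case-insensitive and supports '*' wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

    return sorted(a for a in candidate_actions
                  if permitted(a, identity_allowed) and permitted(a, session_allowed))
```

Because the result is the intersection, a session policy that lists ec2:* adds nothing when the role's own policy never allowed EC2 actions.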

⁴ GetCallerIdentity. No permissions are required to perform this operation. If an administrator adds a policy to your IAM user or role that explicitly denies access to the sts:GetCallerIdentity action, you can still perform this operation. Permissions are not required because the same information is returned when an IAM user or role is denied access. To view an example response, see I am not authorized to perform: iam:DeleteVirtualMFADevice.

⁵ Single sign-on (SSO) to the console. To support SSO, AWS lets you call a federation endpoint (https://signin.aws.amazon.com/federation) and pass temporary security credentials. The endpoint returns a token that you can use to construct a URL that signs a user directly into the console without requiring a password. For more information, see Enabling SAML 2.0 federated users to access the AWS Management Console and How to Enable Cross-Account Access to the AWS Management Console in the AWS Security Blog.
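The two URLs involved in that federation flow are shown in the following example, added here and not taken from the AWS documentation: the first URL asks the endpoint for a sign-in token by passing the temporary credentials, the second is the login URL the user is sent to. The Action, Session, SessionDuration, Issuer, Destination and SigninToken parameter names are the documented federation endpoint ones; the credential values are constructed and the HTTP request itself is left to the caller.

```python
import json
from urllib.parse import parse_qs, urlencode, urlsplit

FEDERATION_ENDPOINT = "https://signin.aws.amazon.com/federation"

# Constructed sample of the Credentials structure returned by AssumeRole,
# AssumeRoleWithSAML, AssumeRoleWithWebIdentity or GetFederationToken.
# Credentials from GetSessionToken are not accepted by the endpoint (footnote 6).
SAMPLE_CREDS = {
    "AccessKeyId": "ASIASAMPLEACCESSKEY",
    "SecretAccessKey": "sampleSecretAccessKeyValue",
    "SessionToken": "sampleSessionTokenValue",
}


def signin_token_request_url(creds, session_duration=None):
    """Step 1: URL for the getSigninToken request.

    The secret key and session token travel in the Session query parameter,
    so this URL must only be sent over TLS to FEDERATION_ENDPOINT and must
    never be written to logs. SessionDuration (seconds) is optional.
    """
    session = {"sessionId": creds["AccessKeyId"],
               "sessionKey": creds["SecretAccessKey"],
               "sessionToken": creds["SessionToken"]}
    params = {"Action": "getSigninToken", "Session": json.dumps(session)}
    if session_duration is not None:
        params["SessionDuration"] = str(session_duration)
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def console_login_url(signin_token, destination, issuer):
    """Step 2: the login URL the user is redirected to. Destination is the
    console page to open; Issuer is where the user lands when the console
    session expires. The SigninToken is the value returned by step 1."""
    params = {"Action": "login", "Issuer": issuer,
              "Destination": destination, "SigninToken": signin_token}
    return f"{FEDERATION_ENDPOINT}?{urlencode(params)}"


def federation_params(url):
    """Decode a federation URL back into its query parameters (for tests
    and for inspecting the non-secret fields)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
```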

⁶ After you retrieve your temporary credentials, you can't access the AWS Management Console by passing the credentials to the federation single sign-on endpoint. For more information, see Enable custom identity broker access to the AWS console.