AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Security Token Service

AWS Security Token Service (service prefix: sts) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Security Token Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If a resource type is optional (not marked as required), you can specify one of the optional types without the others.

For details about the columns in the following table, see The Actions Table.

Actions table. Columns: Action, Description, Access Level, Resource Types (* = required), Condition Keys. The Dependent Actions column is empty for every STS action and is omitted below; where an action lists no resource type, the policy statement must use "*" in its Resource element.

AssumeRole
  Description: Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to
  Access level: Write
  Resource types: role*

AssumeRoleWithSAML
  Description: Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response
  Access level: Write
  Resource types: role*
  Condition keys: saml:namequalifier, saml:sub, saml:sub_type, saml:aud, saml:iss, saml:doc, saml:cn, saml:commonName, saml:eduorghomepageuri, saml:eduorgidentityauthnpolicyuri, saml:eduorglegalname, saml:eduorgsuperioruri, saml:eduorgwhitepagesuri, saml:edupersonaffiliation, saml:edupersonassurance, saml:edupersonentitlement, saml:edupersonnickname, saml:edupersonorgdn, saml:edupersonorgunitdn, saml:edupersonprimaryaffiliation, saml:edupersonprimaryorgunitdn, saml:edupersonprincipalname, saml:edupersonscopedaffiliation, saml:edupersontargetedid, saml:givenName, saml:mail, saml:name, saml:organizationStatus, saml:primaryGroupSID, saml:surname, saml:uid, saml:x500UniqueIdentifier

AssumeRoleWithWebIdentity
  Description: Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider
  Access level: Write
  Resource types: role*
  Condition keys: cognito-identity.amazonaws.com:amr, cognito-identity.amazonaws.com:aud, cognito-identity.amazonaws.com:sub, www.amazon.com:app_id, www.amazon.com:user_id, graph.facebook.com:app_id, graph.facebook.com:id, accounts.google.com:aud, accounts.google.com:oaud, accounts.google.com:sub

DecodeAuthorizationMessage
  Description: Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request
  Access level: Write
  Resource types: none (use "*")

GetAccessKeyInfo
  Description: Returns details about the access key ID passed as a parameter to the request
  Access level: Read
  Resource types: none (use "*")

GetCallerIdentity
  Description: Returns details about the IAM identity whose credentials are used to call the API
  Access level: Read
  Resource types: none (use "*")

GetFederationToken
  Description: Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user
  Access level: Read
  Resource types: user (optional)

GetSessionToken
  Description: Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user
  Access level: Read
  Resource types: none (use "*")

Resources Defined by AWS Security Token Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types ARN Condition Keys
role arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}
user arn:${Partition}:iam::${Account}:user/${UserNameWithPath}

Condition Keys for AWS Security Token Service

AWS Security Token Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
accounts.google.com:aud Filters actions based on the Google application ID String
accounts.google.com:oaud Filters actions based on the Google audience String
accounts.google.com:sub Filters actions based on the subject of the claim (the Google user ID) String
aws:FederatedProvider Filters actions based on the IdP that was used to authenticate the user String
cognito-identity.amazonaws.com:amr Filters actions based on the login information for Amazon Cognito String
cognito-identity.amazonaws.com:aud Filters actions based on the Amazon Cognito identity pool ID String
cognito-identity.amazonaws.com:sub Filters actions based on the subject of the claim (the Amazon Cognito user ID) String
graph.facebook.com:app_id Filters actions based on the Facebook application ID String
graph.facebook.com:id Filters actions based on the Facebook user ID String
saml:aud Filters actions based on the endpoint URL to which SAML assertions are presented String
saml:cn Filters actions based on the cn (common name) attribute String
saml:commonName Filters actions based on the commonName attribute String
saml:doc Filters actions based on the principal that was used to assume the role String
saml:eduorghomepageuri Filters actions based on the eduOrg attribute String
saml:eduorgidentityauthnpolicyuri Filters actions based on the eduOrg attribute String
saml:eduorglegalname Filters actions based on the eduOrg attribute String
saml:eduorgsuperioruri Filters actions based on the eduOrg attribute String
saml:eduorgwhitepagesuri Filters actions based on the eduOrg attribute String
saml:edupersonaffiliation Filters actions based on the eduPerson attribute String
saml:edupersonassurance Filters actions based on the eduPerson attribute String
saml:edupersonentitlement Filters actions based on the eduPerson attribute String
saml:edupersonnickname Filters actions based on the eduPerson attribute String
saml:edupersonorgdn Filters actions based on the eduPerson attribute String
saml:edupersonorgunitdn Filters actions based on the eduPerson attribute String
saml:edupersonprimaryaffiliation Filters actions based on the eduPerson attribute String
saml:edupersonprimaryorgunitdn Filters actions based on the eduPerson attribute String
saml:edupersonprincipalname Filters actions based on the eduPerson attribute String
saml:edupersonscopedaffiliation Filters actions based on the eduPerson attribute String
saml:edupersontargetedid Filters actions based on the eduPerson attribute String
saml:givenName Filters actions based on the givenName attribute String
saml:iss Filters actions based on the issuer, which is represented by a URN String
saml:mail Filters actions based on the mail attribute String
saml:name Filters actions based on the name attribute String
saml:namequalifier Filters actions based on the hash value of the issuer, account ID, and friendly name String
saml:organizationStatus Filters actions based on the organizationStatus attribute String
saml:primaryGroupSID Filters actions based on the primaryGroupSID attribute String
saml:sub Filters actions based on the subject of the claim (the SAML user ID) String
saml:sub_type Filters actions based on the NameID format of the subject: persistent, transient, or the full Format URI String
saml:surname Filters actions based on the surname attribute String
saml:uid Filters actions based on the uid attribute String
saml:x500UniqueIdentifier Filters actions based on the x500UniqueIdentifier attribute String
sts:ExternalId Filters actions based on the external ID, the unique identifier that a role's trust policy can require when the role is assumed from another account String
www.amazon.com:app_id Filters actions based on the Login with Amazon application ID String
www.amazon.com:user_id Filters actions based on the Login with Amazon user ID String
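The following added example is not part of this reference and is not AWS code. It ties together three items above: the resource-level permission rule for sts:AssumeRole in the actions table (the role resource type), the cognito-identity.amazonaws.com:aud and cognito-identity.amazonaws.com:amr keys listed for AssumeRoleWithWebIdentity, and the sts:ExternalId key from the condition-key table. It is a small Python evaluator for the slice of the policy language that trust policies use, run against constructed policies and request contexts. Every account ID, identity pool ID, role name and external ID in it is a made-up placeholder, and it deliberately omits explicit Deny, SCPs, permission boundaries and session policies.

```python
"""Constructed example (not AWS code): a tiny evaluator for the slice of the IAM
policy language used by STS trust policies, showing how condition keys gate
AssumeRole* calls. Explicit Deny, SCPs, boundaries and session policies omitted."""
import fnmatch

# All account IDs, pool IDs, role names and the external ID below are placeholders.
PARTNER_ACCOUNT = "999988887777"
EXTERNAL_ID = "a8f3c2d9-9f1b-4c3e-b2e0-1f6d7c5a9e01"
POOL_ID = "us-east-1:11111111-2222-3333-4444-555555555555"
ROLE_ARN = "arn:aws:iam::123456789012:role/PartnerAuditRole"

# Trust policy: a third-party account may assume the role only when it presents
# the agreed external ID (the sts:ExternalId condition key).
CROSS_ACCOUNT_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}}}]}

# Trust policy in the shape Amazon Cognito uses for an identity pool's
# authenticated role: aud pins the pool, the multi-valued amr requires a login.
COGNITO_TRUST = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "cognito-identity.amazonaws.com"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
        "StringEquals": {"cognito-identity.amazonaws.com:aud": POOL_ID},
        "ForAnyValue:StringLike": {"cognito-identity.amazonaws.com:amr": "authenticated"}}}]}

# Caller-side identity policy: sts:AssumeRole supports resource-level
# permissions, so Resource names one role ARN instead of "*".
PARTNER_IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": ROLE_ARN}]}

def _as_list(v): return v if isinstance(v, list) else [v]

def _condition_holds(operator, policy_values, context_value):
    if context_value is None:
        return False  # key absent from the request: a positive operator fails
    set_op, _, base = operator.rpartition(":")  # e.g. "ForAnyValue:StringLike"
    patterns = _as_list(policy_values)
    def one(value):
        if base == "StringEquals":
            return value in patterns
        if base == "StringLike":
            return any(fnmatch.fnmatchcase(value, p) for p in patterns)
        raise ValueError(f"unsupported operator {operator}")
    values = _as_list(context_value)
    if set_op == "ForAnyValue":
        return any(one(v) for v in values)
    return len(values) == 1 and one(values[0])  # single-valued key expected

def _principal_matches(principal, caller):
    for kind, values in principal.items():
        for v in _as_list(values):
            # An account "root" principal covers every principal in that account.
            if v == caller or (kind == "AWS" and v.endswith(":root")
                               and caller.startswith(v[:-len("root")])):
                return True
    return False

def evaluate_trust(trust_policy, caller, action, context):
    """Return "Allow" if some statement allows the request, else the implicit "Deny"."""
    for st in trust_policy["Statement"]:
        if (st["Effect"] == "Allow" and action in _as_list(st["Action"])
                and _principal_matches(st["Principal"], caller)
                and all(_condition_holds(op, pv, context.get(key))
                        for op, pairs in st.get("Condition", {}).items()
                        for key, pv in pairs.items())):
            return "Allow"
    return "Deny"

def evaluate_identity(policy, action, resource_arn):
    """Caller-side check: does the identity policy allow the action on this ARN?"""
    for st in policy["Statement"]:
        if (st["Effect"] == "Allow" and action in _as_list(st["Action"])
                and any(fnmatch.fnmatchcase(resource_arn, r) for r in _as_list(st["Resource"]))):
            return "Allow"
    return "Deny"

def demo():
    partner = f"arn:aws:iam::{PARTNER_ACCOUNT}:user/deploy"
    cognito, web = "cognito-identity.amazonaws.com", "sts:AssumeRoleWithWebIdentity"
    ctx = lambda amr: {f"{cognito}:aud": POOL_ID, f"{cognito}:amr": amr}
    return {
        "external_id_ok": evaluate_trust(CROSS_ACCOUNT_TRUST, partner, "sts:AssumeRole", {"sts:ExternalId": EXTERNAL_ID}),
        # Confused deputy: a request relayed through the partner without the external ID.
        "external_id_missing": evaluate_trust(CROSS_ACCOUNT_TRUST, partner, "sts:AssumeRole", {}),
        # Correct external ID from the wrong account: the Principal element still denies.
        "wrong_account": evaluate_trust(CROSS_ACCOUNT_TRUST, "arn:aws:iam::111122223333:user/deploy", "sts:AssumeRole", {"sts:ExternalId": EXTERNAL_ID}),
        "cognito_ok": evaluate_trust(COGNITO_TRUST, cognito, web, ctx(["authenticated", "graph.facebook.com"])),
        "cognito_guest": evaluate_trust(COGNITO_TRUST, cognito, web, ctx(["unauthenticated"])),
        "identity_role_ok": evaluate_identity(PARTNER_IDENTITY_POLICY, "sts:AssumeRole", ROLE_ARN),
        "identity_other_role": evaluate_identity(PARTNER_IDENTITY_POLICY, "sts:AssumeRole", "arn:aws:iam::123456789012:role/Admin"),
    }

if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:20} {decision}")
```

The confused-deputy case is external_id_missing: the partner account is a trusted principal, but a request it relays on behalf of some other customer does not carry the agreed external ID and is refused. A real AssumeRole succeeds only when both sides allow it, the trust policy evaluated by evaluate_trust and the caller's own identity policy checked by evaluate_identity, which can name the exact role ARN because the action supports the role resource type. The amr case shows why the set operator matters: amr is multi-valued, so a plain StringLike on it would never match and the role could not be assumed at all.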