AWS Identity and Access Management
User Guide

Actions, Resources, and Condition Keys for AWS Security Token Service

AWS Security Token Service (service prefix: sts) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

Actions Defined by AWS Security Token Service

You can specify the following actions in the Action element of an IAM policy statement. By using policies, you define the permissions for anyone performing an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions. For details about the columns in the following table, see The Actions Table.

Actions table (columns: Action, Description, Access Level, Resource Types (*required), Condition Keys, Dependent Actions)

AssumeRole
  Description: Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to
  Access Level: Write
  Resource Types: role*

AssumeRoleWithSAML
  Description: Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response
  Access Level: Write
  Resource Types: role*
  Condition Keys: saml:namequalifier, saml:sub, saml:sub_type, saml:aud, saml:iss, saml:doc, saml:cn, saml:commonName, saml:eduorghomepageuri, saml:eduorgidentityauthnpolicyuri, saml:eduorglegalname, saml:eduorgsuperioruri, saml:eduorgwhitepagesuri, saml:edupersonaffiliation, saml:edupersonassurance, saml:edupersonentitlement, saml:edupersonnickname, saml:edupersonorgdn, saml:edupersonorgunitdn, saml:edupersonprimaryaffiliation, saml:edupersonprimaryorgunitdn, saml:edupersonprincipalname, saml:edupersonscopedaffiliation, saml:edupersontargetedid, saml:givenName, saml:mail, saml:name, saml:organizationStatus, saml:primaryGroupSID, saml:surname, saml:uid, saml:x500UniqueIdentifier

AssumeRoleWithWebIdentity
  Description: Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider
  Access Level: Write
  Resource Types: role*
  Condition Keys: <web-identity-provider>:aud, <web-identity-provider>:oaud, <web-identity-provider>:sub

DecodeAuthorizationMessage
  Description: Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request
  Access Level: Write

GetCallerIdentity
  Description: Returns details about the IAM identity whose credentials are used to call the API
  Access Level: Read

GetFederationToken
  Description: Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user
  Access Level: Read
  Resource Types: user

Resources Defined by STS

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see The Resource Types Table.

Resource Types   ARN                                                         Condition Keys
iam              arn:${Partition}:iam::${Account}:${RelativeId}
role             arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}
sts              arn:${Partition}:sts::${Account}:${RelativeId}
user             arn:${Partition}:iam::${Account}:user/${UserNameWithPath}

Condition Keys for AWS Security Token Service

AWS Security Token Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see The Condition Keys Table.

To view the global condition keys that are available to all services, see Available Global Condition Keys in the IAM Policy Reference.

Condition Keys Description Type
<web-identity-provider>:aud String
<web-identity-provider>:oaud String
<web-identity-provider>:sub String
aws:FederatedProvider String
saml:aud String
saml:cn String
saml:commonName String
saml:doc String
saml:eduorghomepageuri String
saml:eduorgidentityauthnpolicyuri String
saml:eduorglegalname String
saml:eduorgsuperioruri String
saml:eduorgwhitepagesuri String
saml:edupersonaffiliation String
saml:edupersonassurance String
saml:edupersonentitlement String
saml:edupersonnickname String
saml:edupersonorgdn String
saml:edupersonorgunitdn String
saml:edupersonprimaryaffiliation String
saml:edupersonprimaryorgunitdn String
saml:edupersonprincipalname String
saml:edupersonscopedaffiliation String
saml:edupersontargetedid String
saml:givenName String
saml:iss String
saml:mail String
saml:name String
saml:namequalifier String
saml:organizationStatus String
saml:primaryGroupSID String
saml:sub String
saml:sub_type String
saml:surname String
saml:uid String
saml:x500UniqueIdentifier String
sts:ExternalId String
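The following is an added example, not part of this reference: a role trust policy built from the actions and condition keys listed above (sts:AssumeRole gated on sts:ExternalId, sts:AssumeRoleWithSAML gated on saml:aud), together with a small evaluator that shows how a missing or mismatched condition key turns an otherwise matching Allow statement into a denial. The account IDs, the SAML provider name and the external ID are placeholders, and the evaluator implements only the Allow / StringEquals subset the policy uses.

```python
"""Constructed example: a role trust policy built from the STS actions and
condition keys in this reference, plus a tiny evaluator for the Allow /
StringEquals subset it uses. Account IDs, provider name and external ID are
placeholders, not real values."""

# Trust policy: who may call sts:AssumeRole* on this role, and under what conditions.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Cross-account AssumeRole gated on sts:ExternalId (confused-deputy defence)
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
            "Action": "sts:AssumeRole",
            "Condition": {"StringEquals": {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}},
        },
        {   # SAML federation pinned to the AWS sign-in audience via saml:aud
            "Effect": "Allow",
            "Principal": {"Federated": "arn:aws:iam::222222222222:saml-provider/ExampleIdP"},
            "Action": "sts:AssumeRoleWithSAML",
            "Condition": {"StringEquals": {"saml:aud": "https://signin.aws.amazon.com/saml"}},
        },
    ],
}


def _conditions_hold(stmt, context):
    """StringEquals: every listed key must be present in the request context with
    exactly that value. As in IAM, a key that is absent fails the condition."""
    wanted = stmt.get("Condition", {}).get("StringEquals", {})
    return all(context.get(key) == value for key, value in wanted.items())


def is_allowed(policy, action, principal, context):
    """Default deny: succeed only if some Allow statement names this action and
    this principal and all of its conditions hold for the request context."""
    return any(
        stmt["Effect"] == "Allow"
        and stmt["Action"] == action
        and principal in stmt["Principal"].values()
        and _conditions_hold(stmt, context)
        for stmt in policy["Statement"]
    )


if __name__ == "__main__":
    partner = "arn:aws:iam::111111111111:root"
    idp = "arn:aws:iam::222222222222:saml-provider/ExampleIdP"
    print(is_allowed(TRUST_POLICY, "sts:AssumeRole", partner, {}))  # False: no ExternalId
    print(is_allowed(TRUST_POLICY, "sts:AssumeRole", partner, {"sts:ExternalId": "EXAMPLE-EXTERNAL-ID"}))  # True
    print(is_allowed(TRUST_POLICY, "sts:AssumeRoleWithSAML", idp, {"saml:aud": "https://other.example/saml"}))  # False
```

The same default-deny logic applies to the other keys in the table: a condition on saml:iss or <web-identity-provider>:aud fails in the same way when the assertion or token does not carry the expected value.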