Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider, such as Login with Amazon, Facebook, or Google. AssumeRoleWithWebIdentity is an API call that does not require the use of AWS security credentials. Therefore, you can distribute an application (for example, on mobile devices) that requests temporary security credentials without including long-term AWS credentials in the application or by deploying server-based proxy services that use long-term AWS credentials. For more information, see Creating a Mobile Application with Third-Party Sign-In in AWS Security Token Service . The temporary security credentials consist of an access key ID, a secret access key, and a security token. Applications can use these temporary security credentials to sign calls to AWS service APIs. The credentials are valid for the duration that you specified when calling AssumeRoleWithWebIdentity , which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary security credentials are valid for 1 hour. The temporary security credentials that are returned from the AssumeRoleWithWebIdentity response have the permissions that are associated with the access policy of the role being assumed and any policies that are associated with the AWS resource being accessed. You can further restrict the permissions of the temporary security credentials by passing a policy in the request. The resulting permissions are an intersection of both policies. The role's access policy and the policy that you passed are evaluated when calls to AWS service APIs are made using the temporary security credentials. Before your application can call AssumeRoleWithWebIdentity , you must have an identity token from an identity provider and create a role that the application can assume. Typically, to get an identity token, you need to register your application with the identity provider and get a unique application ID from that provider. Also, when you create the role that the application assumes, you must specify the registered identity provider as a principal (establish trust with the identity provider). For more information, see Creating Temporary Security Credentials for Mobile Apps Using Third-Party Identity Providers.