Actions, resources, and condition keys for AWS Security Token Service - Service Authorization Reference

Actions, resources, and condition keys for AWS Security Token Service

AWS Security Token Service (service prefix: sts) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.

References:

Actions defined by AWS Security Token Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in AWS. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

The Resource types column indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. Required resources are indicated in the table with an asterisk (*). If you specify a resource-level permission ARN in a statement using this action, then it must be of this type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one but not the other.

For details about the columns in the following table, see Actions table.

Actions Description Access level Resource types (*required) Condition keys Dependent actions
AssumeRole Grants permission to obtain a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to Write

role*

aws:TagKeys

aws:PrincipalTag/${TagKey}

aws:RequestTag/${TagKey}

sts:TransitiveTagKeys

sts:ExternalId

sts:RoleSessionName

iam:ResourceTag/${TagKey}

sts:SourceIdentity

aws:SourceIdentity

AssumeRoleWithSAML Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response Write

role*

saml:namequalifier

saml:sub

saml:sub_type

saml:aud

saml:iss

saml:doc

saml:cn

saml:commonName

saml:eduorghomepageuri

saml:eduorgidentityauthnpolicyuri

saml:eduorglegalname

saml:eduorgsuperioruri

saml:eduorgwhitepagesuri

saml:edupersonaffiliation

saml:edupersonassurance

saml:edupersonentitlement

saml:edupersonnickname

saml:edupersonorgdn

saml:edupersonorgunitdn

saml:edupersonprimaryaffiliation

saml:edupersonprimaryorgunitdn

saml:edupersonprincipalname

saml:edupersonscopedaffiliation

saml:edupersontargetedid

saml:givenName

saml:mail

saml:name

saml:organizationStatus

saml:primaryGroupSID

saml:surname

saml:uid

saml:x500UniqueIdentifier

aws:TagKeys

aws:PrincipalTag/${TagKey}

aws:RequestTag/${TagKey}

sts:TransitiveTagKeys

sts:SourceIdentity

sts:RoleSessionName

AssumeRoleWithWebIdentity Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider Write

role*

cognito-identity.amazonaws.com:amr

cognito-identity.amazonaws.com:aud

cognito-identity.amazonaws.com:sub

www.amazon.com:app_id

www.amazon.com:user_id

graph.facebook.com:app_id

graph.facebook.com:id

accounts.google.com:aud

accounts.google.com:oaud

accounts.google.com:sub

aws:TagKeys

aws:PrincipalTag/${TagKey}

aws:RequestTag/${TagKey}

sts:TransitiveTagKeys

sts:SourceIdentity

sts:RoleSessionName

DecodeAuthorizationMessage Grants permission to decode additional information about the authorization status of a request from an encoded message returned in response to an AWS request Write
GetAccessKeyInfo Grants permission to obtain details about the access key id passed as a parameter to the request Read
GetCallerIdentity Grants permission to obtain details about the IAM identity whose credentials are used to call the API Read
GetFederationToken Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user Read

user

aws:TagKeys

aws:PrincipalTag/${TagKey}

aws:RequestTag/${TagKey}

GetServiceBearerToken [permission only] Grants permission to obtain a STS bearer token for an AWS root user, IAM role, or an IAM user Read

sts:AWSServiceName

GetSessionToken Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an AWS account or IAM user Read
SetSourceIdentity [permission only] Grants permission to set a source identity on a STS session Write

role

user

sts:SourceIdentity

aws:SourceIdentity

TagSession [permission only] Grants permission to add tags to a STS session Tagging

role

user

aws:TagKeys

aws:PrincipalTag/${TagKey}

aws:RequestTag/${TagKey}

sts:TransitiveTagKeys

Resource types defined by AWS Security Token Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.

Resource types ARN Condition keys
role arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}

aws:ResourceTag/${TagKey}

user arn:${Partition}:iam::${Account}:user/${UserNameWithPath}

Condition keys for AWS Security Token Service

AWS Security Token Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.

To view the global condition keys that are available to all services, see Available global condition keys.

Condition keys Description Type
accounts.google.com:aud Filters access by the Google application ID String
accounts.google.com:oaud Filters access by the Google audience String
accounts.google.com:sub Filters access by the subject of the claim (the Google user ID) String
aws:FederatedProvider Filters access by the IdP that was used to authenticate the user String
aws:PrincipalTag/${TagKey} Filters access by the tag associated with the principal that is making the request String
aws:RequestTag/${TagKey} Filters access by the tags that are passed in the request String
aws:ResourceTag/${TagKey} Filters access by the tags associated with the resource String
aws:SourceIdentity Filters access by the source identity that is set on the caller String
aws:TagKeys Filters access by the tag keys that are passed in the request String
cognito-identity.amazonaws.com:amr Filters access by the login information for Amazon Cognito String
cognito-identity.amazonaws.com:aud Filters access by the Amazon Cognito identity pool ID String
cognito-identity.amazonaws.com:sub Filters access by the subject of the claim (the Amazon Cognito user ID) String
graph.facebook.com:app_id Filters access by the Facebook application ID String
graph.facebook.com:id Filters access by the Facebook user ID String
iam:ResourceTag/${TagKey} Filters access by the tags that are attached to the role that is being assumed String
saml:aud Filters access by the endpoint URL to which SAML assertions are presented String
saml:cn Filters access by the eduOrg attribute ArrayOfString
saml:commonName Filters access by the commonName attribute String
saml:doc Filters access by on the principal that was used to assume the role String
saml:eduorghomepageuri Filters access by the eduOrg attribute ArrayOfString
saml:eduorgidentityauthnpolicyuri Filters access by the eduOrg attribute ArrayOfString
saml:eduorglegalname Filters access by the eduOrg attribute ArrayOfString
saml:eduorgsuperioruri Filters access by the eduOrg attribute ArrayOfString
saml:eduorgwhitepagesuri Filters access by the eduOrg attribute ArrayOfString
saml:edupersonaffiliation Filters access by the eduPerson attribute ArrayOfString
saml:edupersonassurance Filters access by the eduPerson attribute ArrayOfString
saml:edupersonentitlement Filters access by the eduPerson attribute ArrayOfString
saml:edupersonnickname Filters access by the eduPerson attribute ArrayOfString
saml:edupersonorgdn Filters access by the eduPerson attribute String
saml:edupersonorgunitdn Filters access by the eduPerson attribute ArrayOfString
saml:edupersonprimaryaffiliation Filters access by the eduPerson attribute String
saml:edupersonprimaryorgunitdn Filters access by the eduPerson attribute String
saml:edupersonprincipalname Filters access by the eduPerson attribute String
saml:edupersonscopedaffiliation Filters access by the eduPerson attribute ArrayOfString
saml:edupersontargetedid Filters access by the eduPerson attribute ArrayOfString
saml:givenName Filters access by the givenName attribute String
saml:iss Filters access by on the issuer, which is represented by a URN String
saml:mail Filters access by the mail attribute String
saml:name Filters access by the name attribute String
saml:namequalifier Filters access by the hash value of the issuer, account ID, and friendly name String
saml:organizationStatus Filters access by the organizationStatus attribute String
saml:primaryGroupSID Filters access by the primaryGroupSID attribute String
saml:sub Filters access by the subject of the claim (the SAML user ID) String
saml:sub_type Filters access by the value persistent, transient, or the full Format URI String
saml:surname Filters access by the surname attribute String
saml:uid Filters access by the uid attribute String
saml:x500UniqueIdentifier Filters access by the uid attribute String
sts:AWSServiceName Filters access by the service that is obtaining a bearer token String
sts:ExternalId Filters access by the unique identifier required when you assume a role in another account String
sts:RoleSessionName Filters access by the role session name required when you assume a role String
sts:SourceIdentity Filters access by the source identity that is passed in the request String
sts:TransitiveTagKeys Filters access by the transitive tag keys that are passed in the request String
www.amazon.com:app_id Filters access by the Login with Amazon application ID String
www.amazon.com:user_id Filters access by the Login with Amazon user ID String