Try it now and let us know what you think. Switch to the new look >>
You can return to the original look by selecting English in the language selector above.
Requesting Temporary Security Credentials
To request temporary security credentials, you can use AWS Security Token Service (AWS STS) operations in the AWS API. These include operations to create and provide trusted users with temporary security credentials that can control access to your AWS resources. For more information about AWS STS, see Temporary Security Credentials. To learn about the different methods that you can use to request temporary security credentials by assuming a role, see Using IAM Roles.
To call the API operations, you can use one of the AWS SDKs. The SDKs are available for a variety of programming languages and environments, including Java, .NET, Python, Ruby, Android, and iOS. The SDKs take care of tasks such as cryptographically signing your requests, retrying requests if necessary, and handling error responses. You can also use the AWS STS Query API, which is described in the AWS Security Token Service API Reference. Finally, two command line tools support the AWS STS commands: the AWS Command Line Interface, and the AWS Tools for Windows PowerShell.
The AWS STS API operations create a new session with temporary security credentials that consist of an access key and a session token. The access key consists of an access key ID and a secret key. Users (or an application that the user runs) can use these credentials to access your resources. You can create a role session and pass session policies programmatically using AWS STS API operations. The resulting session's permissions are the intersection of the role's identity-based policies and the session policies. For more information about session policies, see Session Policies.
Note
The size of the security token that AWS STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size. The typical token size is less than 4096 bytes, but that can vary.
Using AWS STS with AWS Regions
You can send AWS STS API calls either to a global endpoint or to one of the Regional endpoints. If you choose an endpoint closer to you, you can reduce latency and improve the performance of your API calls. You also can choose to direct your calls to an alternative regional endpoint if you can no longer communicate with the original endpoint. If you are using one of the various AWS SDKs, then use that SDK's method to select a Region before you make the API call. If you are manually constructing HTTP API requests, then you must direct the request to the correct endpoint yourself. For more information, see the AWS STS section of Regions and Endpoints and Managing AWS STS in an AWS Region.
The following are the API operations that you can use to acquire temporary credentials for use in your AWS environment and applications.
AssumeRole—Cross-Account Delegation and Federation Through a Custom Identity Broker
The AssumeRole API operation is useful for allowing existing IAM users to
access AWS resources that they don't already have access to, such as resources in
another
AWS account. It is also useful as a means to temporarily gain privileged access—for
example, to provide multi-factor authentication (MFA). You must call this API using
existing
IAM user credentials. For more information, see Creating a Role to Delegate Permissions to an IAM
User and Configuring MFA-Protected API Access.
This call must be made using valid AWS security credentials. When you make this call, you pass the following information:
-
The Amazon Resource Name (ARN) of the role that the app should assume.
-
The duration, which specifies the duration of the temporary security credentials. Use the
DurationSecondsparameter to specify the duration of the role session from 900 seconds (15 minutes) up to the maximum session duration setting for the role. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role. If you do not pass this parameter, the temporary credentials expire in one hour. TheDurationSecondsparameter from this API is separate from theSessionDurationHTTP parameter that you use to specify the duration of a console session. Use theSessionDurationHTTP parameter in the request to the federation endpoint for a console sign-in token. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker). -
A role session name, which is a string value that you can use to identify the session. This value can be captured and logged by CloudTrail to help you distinguish between your role users during an audit.
-
(Optional) Inline or managed session policies. These policies limit the permissions from the role's identity-based policy that are assigned to the role session. The resulting session's permissions are the intersection of the role's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session Policies.
-
If configured to use multi-factor authentication (MFA), then you include the identifier for an MFA device and the one-time code provided by that device.
-
An optional ExternalId value that can be used when delegating access to your account to a third party. This value helps ensure that only the specified third party can access the role. For more information, see How to Use an External ID When Granting Access to Your AWS Resources to a Third Party.
The following example shows a sample request and response using AssumeRole.
In this example, the request includes the name for the session named Bob. The
Policy parameter includes a JSON document that specifies that the resulting
credentials have permissions to access only Amazon S3.
Example Request
https://sts.amazonaws.com/ ?Version=2011-06-15 &Action=AssumeRole &RoleSessionName=Bob &RoleArn=arn:aws::iam::123456789012:role/demo &Policy=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%20%22Stmt1%22%2C%22Effect%22%3A%20%22Allow%22%2C%22Action%22%3A%20%22s3%3A*%22%2C%22Resource%22%3A%20%22*%22%7D%5D%7D &DurationSeconds=1800 &ExternalId=123ABC &AUTHPARAMS
Note
The policy value shown in the preceding example is the URL-encoded version of the following policy:
{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"*"}]}
The AUTHPARAMS parameter in the example is a placeholder for your
signature. A signature is the authentication information that you
must include with AWS HTTP API requests. We recommend using the AWS SDKs to create API requests, and one benefit of
doing so is that the SDKs handle request signing for you. If you must create and sign
API
requests manually, see Signing AWS Requests
By Using Signature Version 4 in the Amazon Web Services General Reference to learn
how to sign a request.
In addition to the temporary security credentials, the response includes the Amazon Resource Name (ARN) for the federated user and the expiration time of the credentials.
Example Response
<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <AssumeRoleResult> <Credentials> <SessionToken> AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU 9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA== </SessionToken> <SecretAccessKey> wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY </SecretAccessKey> <Expiration>2011-07-15T23:28:33.359Z</Expiration> <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId> </Credentials> <AssumedRoleUser> <Arn>arn:aws:sts::123456789012:assumed-role/demo/Bob</Arn> <AssumedRoleId>ARO123EXAMPLE123:Bob</AssumedRoleId> </AssumedRoleUser> <PackedPolicySize>6</PackedPolicySize> </AssumeRoleResult> <ResponseMetadata> <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId> </ResponseMetadata> </AssumeRoleResponse>
Note
AssumeRole stores the policy in a packed format. AssumeRole
returns the size as a percentage of the maximum size allowed so you can adjust the
calling
parameters. For more information about the size constraints on the policy, go to AssumeRole in the
AWS Security Token Service API Reference.
AssumeRoleWithWebIdentity—Federation Through a Web-Based Identity Provider
The AssumeRoleWithWebIdentity API operation returns a set of temporary
security credentials for federated users who are authenticated through a public identity
provider. Examples of public identity providers include Login with Amazon, Facebook,
Google,
or any OpenID Connect (OIDC)-compatible identity provider. This operation is useful
for
creating mobile applications or client-based web applications that require access
to AWS.
Using this operation means that your users do not need their own AWS or IAM identities.
For more information, see About Web Identity Federation.
Note
Instead of directly calling AssumeRoleWithWebIdentity, we recommend that
you use Amazon Cognito and the Amazon Cognito credentials provider with the AWS SDKs
for mobile development.
For more information, see the following:
-
Amazon Cognito Identity in the AWS Mobile SDK for Android Developer Guide
-
Amazon Cognito Identity in the AWS Mobile SDK for iOS Developer Guide
If you are not using Amazon Cognito, you call the AssumeRoleWithWebIdentity action of
AWS STS. This is an unsigned call, meaning that the app does not need to have access
to any
AWS security credentials to make the call. When you make this call, you pass the following
information:
-
The Amazon Resource Name (ARN) of the role that the app should assume. If your app supports multiple ways for users to sign in, you must define multiple roles, one per identity provider. The call to
AssumeRoleWithWebIdentityshould include the ARN of the role that is specific to the provider through which the user signed in. -
The token that the app gets from the IdP after the app authenticates the user.
-
The duration, which specifies the duration of the temporary security credentials. Use the
DurationSecondsparameter to specify the duration of the role session from 900 seconds (15 minutes) up to the maximum session duration setting for the role. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role. If you do not pass this parameter, the temporary credentials expire in one hour. TheDurationSecondsparameter from this API is separate from theSessionDurationHTTP parameter that you use to specify the duration of a console session. Use theSessionDurationHTTP parameter in the request to the federation endpoint for a console sign-in token. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker). -
A role session name, which is a string value that you can use to identify the session. This value can be captured and logged by CloudTrail to help you distinguish between your role users during an audit.
-
(Optional) Inline or managed session policies. These policies limit the permissions from the role's identity-based policy that are assigned to the role session. The resulting session's permissions are the intersection of the role's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session Policies.
Note
A call to
AssumeRoleWithWebIdentityis not signed (encrypted). Therefore, you should only include optional session policies if the request is transmitted through a trusted intermediary. In this case, someone could alter the policy to remove the restrictions.
When you call AssumeRoleWithWebIdentity, AWS verifies the authenticity of
the token. For example, depending on the provider, AWS might make a call to the provider
and
include the token that the app has passed. Assuming that the identity provider validates
the
token, AWS returns the following information to you:
-
A set of temporary security credentials. These consist of an access key ID, a secret access key, and a session token.
-
The role ID and the ARN of the assumed role.
-
A
SubjectFromWebIdentityTokenvalue that contains the unique user ID.
When you have the temporary security credentials, you can use them to make AWS API calls. This is the same process as making an AWS API call with long-term security credentials. The difference is that you must include the session token, which lets AWS verify that the temporary security credentials are valid.
Your app should cache the credentials. As noted, by default the credentials expire
after
an hour. If you are not using the AmazonSTSCredentialsProvider operation in the AWS SDK, it's up to you and your
app to call AssumeRoleWithWebIdentity again. Call this operation to get a new set
of temporary security credentials before the old ones expire.
AssumeRoleWithSAML—Federation Through an Enterprise Identity Provider Compatible with SAML 2.0
The AssumeRoleWithSAML API operation returns a set of temporary security
credentials for federated users who are authenticated by your organization's existing
identity
system. The users must also use SAML 2.0 (Security Assertion Markup Language) to pass authentication and
authorization information to AWS. This API operation is useful in organizations that
have
integrated their identity systems (such as Windows Active Directory or OpenLDAP) with
software
that can produce SAML assertions. Such an integration provides information about user
identity
and permissions (such as Active Directory Federation Services or Shibboleth). For
more
information, see About SAML 2.0-based Federation.
This is an unsigned call, which means that the app does not need to have access to any AWS security credentials in order to make the call. When you make this call, you pass the following information:
-
The Amazon Resource Name (ARN) of the role that the app should assume.
-
The ARN of the SAML provider created in IAM that describes the identity provider.
-
The SAML assertion, encoded in base64, that was provided by the SAML identity provider in its authentication response to the sign-in request from your app.
-
The duration, which specifies the duration of the temporary security credentials. Use the
DurationSecondsparameter to specify the duration of the role session from 900 seconds (15 minutes) up to the maximum session duration setting for the role. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role. If you do not pass this parameter, the temporary credentials expire in one hour. TheDurationSecondsparameter from this API is separate from theSessionDurationHTTP parameter that you use to specify the duration of a console session. Use theSessionDurationHTTP parameter in the request to the federation endpoint for a console sign-in token. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker). -
(Optional) Inline or managed session policies. These policies limit the permissions from the role's identity-based policy that are assigned to the role session. The resulting session's permissions are the intersection of the role's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session Policies.
When you call AssumeRoleWithSAML, AWS verifies the authenticity of the SAML
assertion. Assuming that the identity provider validates the assertion, AWS returns
the
following information to you:
-
A set of temporary security credentials. These consist of an access key ID, a secret access key, and a session token.
-
The role ID and the ARN of the assumed role.
-
An
Audiencevalue that contains the value of theRecipientattribute of theSubjectConfirmationDataelement of the SAML assertion. -
An
Issuervalue that contains the value of theIssuerelement of the SAML assertion. -
A
NameQualifierelement that contains a hash value built from theIssuervalue, the AWS account ID, and the friendly name of the SAML provider. When combined with theSubjectelement, they can uniquely identify the federated user. -
A
Subjectelement that contains the value of theNameIDelement in theSubjectelement of the SAML assertion. -
A
SubjectTypeelement that indicates the format of theSubjectelement. The value can bepersistent,transient, or the fullFormatURI from theSubjectandNameIDelements used in your SAML assertion. For information about theNameIDelement'sFormatattribute, see Configuring SAML Assertions for the Authentication Response.
When you have the temporary security credentials, you can use them to make AWS API calls. This is the same process as making an AWS API call with long-term security credentials. The difference is that you must include the session token, which lets AWS verify that the temporary security credentials are valid.
Your app should cache the credentials. By default the credentials expire after an
hour. If
you are not using the AmazonSTSCredentialsProvider action in the AWS SDK, it's up to you and your app
to call AssumeRoleWithSAML again. Call this operation to get a new set of
temporary security credentials before the old ones expire.
GetFederationToken—Federation Through a Custom Identity Broker
The GetFederationToken API operation returns a set of temporary security
credentials for federated users. This API differs from AssumeRole in that the
default expiration period is substantially longer (12 hours instead of one hour).
Additionally, you can use the DurationSeconds parameter to specify a duration for
the temporary security credentials to remain valid. The resulting credentials are
valid for
the specified duration, between 900 seconds (15 minutes) to 129,600 seconds (36 hours).The
longer expiration period can help reduce the number of calls to AWS because you do
not need
to get new credentials as often. For more information, see Requesting Temporary Security Credentials.
When you make a request to get temporary security credentials for a federated user,
you
use the credentials of a specific user identity (an IAM user) to make the request.
The
permissions for the temporary security credentials are determined by the session policies
that
you pass when you call GetFederationToken. The resulting session permissions are
the intersection of the IAM user policies and the session policies that you pass.
Session
policies cannot be used to grant more permissions than those allowed by the identity-based
policy of the IAM user that is requesting federation. For more information about role
session permissions, see Session Policies.
The GetFederationToken call returns temporary security credentials that
consist of the security token, access key, secret key, and expiration. You can use
GetFederationToken if you want to manage permissions inside your organization
(for example, using the proxy application to assign permissions). To view a sample
application
that uses GetFederationToken, go to Identity Federation Sample Application for an Active
Directory Use Case in the AWS Sample Code &
Libraries.
The following example shows a sample request and response that uses
GetFederationToken. In this example, the request includes the name for a
federated user named Jean. The PolicyArns parameter includes the ARN of a managed
policy that allows access to only Amazon S3. In addition to the temporary security
credentials, the
response includes the Amazon Resource Name (ARN) for the federated user and the expiration
time of the credentials.
Example Request
https://sts.amazonaws.com/ ?Version=2011-06-15 &Action=GetFederationToken &Name=Jean &PolicyArns.member.1.arn==arn%3Aaws%3Aiam%3A%3A123456789012%3Apolicy%2FRole1policy &DurationSeconds=1800 &AUTHPARAMS
Note
The policy ARN shown in the preceding example includes the following URL-encoded ARN:
arn:aws:iam::123456789012:policy/Role1policy
Also, note that the &AUTHPARAMS parameter in the example is meant as a
placeholder for the authentication information—that is, the
signature—that you must include with AWS HTTP API requests.
We recommend using the AWS SDKs to create API
requests, and one benefit of doing so is that the SDKs handle request signing for
you. If
you must create and sign API requests manually, go to Signing AWS Requests By Using Signature Version
4 in the Amazon Web Services General Reference to learn how to sign a
request.
Example Response
<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <GetFederationTokenResult> <Credentials> <SessionToken> AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU 9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCEXAMPLE== </SessionToken> <SecretAccessKey> wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY </SecretAccessKey> <Expiration>2019-04-15T23:28:33.359Z</Expiration> <AccessKeyId>AKIAIOSFODNN7EXAMPLE;</AccessKeyId> </Credentials> <FederatedUser> <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn> <FederatedUserId>123456789012:Jean</FederatedUserId> </FederatedUser> <PackedPolicySize>2</PackedPolicySize> </GetFederationTokenResult> <ResponseMetadata> <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId> </ResponseMetadata> </GetFederationTokenResponse>
Note
GetFederationToken stores session policies in a packed format. The
operation returns the size as a percentage of the maximum size allowed so that you
can
adjust the calling parameters. For more information about size constraints on the
policy, go
to GetFederationToken in the
AWS Security Token Service API Reference.
If you prefer to grant permissions at the resource level (for example, you attach
a
resource-based policy to an Amazon S3 bucket), you can omit the Policy parameter.
However, if you do not include a policy for the federated user, the temporary security
credentials will not grant any permissions. In this case, you must use resource policies to grant the federated user access to your AWS
resources.
For example, assume your AWS account number is 111122223333, and you have an
Amazon S3 bucket that you want to allow Susan to access. Susan's temporary security
credentials
don't include a policy for the bucket. In that case, you would need to ensure that
the bucket
has a policy with an ARN that matches Susan's ARN, such as
arn:aws:sts::111122223333:federated-user/Susan.
GetSessionToken—Temporary Credentials for Users in Untrusted Environments
The GetSessionToken API operation returns a set of temporary security
credentials to an existing IAM user. This is useful for providing enhanced security,
such as
allowing AWS requests only when MFA is enabled for the IAM user. Because the credentials
are temporary, they provide enhanced security when you have an IAM user who accesses
your
resources through a less secure environment. Examples of less secure environments
include a
mobile device or web browser. For more information, see Requesting Temporary Security Credentials or
GetSessionToken in the AWS Security Token Service API Reference.
By default, temporary security credentials for an IAM user are valid for a maximum
of 12
hours. But you can request a duration as short as 15 minutes or as long as 36 hours
using the
DurationSeconds parameter. For security reasons, a token for an AWS account root user is
restricted to a duration of one hour.
GetSessionToken returns temporary security credentials consisting of a
security token, an access key ID, and a secret access key. The following example shows
a
sample request and response using GetSessionToken. The response also includes the
expiration time of the temporary security credentials.
Example Request
https://sts.amazonaws.com/ ?Version=2011-06-15 &Action=GetSessionToken &DurationSeconds=1800 &AUTHPARAMS
Note
The AUTHPARAMS parameter in the example is a placeholder for your
signature. A signature is the authentication information that you
must include with AWS HTTP API requests. We recommend using the AWS SDKs to create API requests, and one benefit of
doing so is that the SDKs handle request signing for you. If you must create and sign
API
requests manually, go to Signing AWS Requests
By Using Signature Version 4 in the Amazon Web Services General Reference to learn
how to sign a request.
Example Response
<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <GetSessionTokenResult> <Credentials> <SessionToken> AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/L To6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3z rkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtp Z3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE </SessionToken> <SecretAccessKey> wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY </SecretAccessKey> <Expiration>2011-07-11T19:55:29.611Z</Expiration> <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId> </Credentials> </GetSessionTokenResult> <ResponseMetadata> <RequestId>58c5dbae-abef-11e0-8cfe-09039844ac7d</RequestId> </ResponseMetadata> </GetSessionTokenResponse>
Optionally, the GetSessionToken request can include SerialNumber
and TokenCode values for AWS multi-factor authentication (MFA) verification. If
the provided values are valid, AWS STS provides temporary security credentials that
include
the state of MFA authentication. The temporary security credentials can then be used
to access
the MFA-protected API operations or AWS websites for as long as the MFA authentication
is
valid.
The following example shows a GetSessionToken request that includes an MFA
verification code and device serial number.
https://sts.amazonaws.com/ ?Version=2011-06-15 &Action=GetSessionToken &DurationSeconds=7200 &SerialNumber=YourMFADeviceSerialNumber &TokenCode=123456 &AUTHPARAMS
Note
The call to AWS STS can be to the global endpoint or to any of the regional endpoints that you activate your AWS account. For more information, see the AWS STS section of Regions and Endpoints.
The AUTHPARAMS parameter in the example is a placeholder for your
signature. A signature is the authentication information that you
must include with AWS HTTP API requests. We recommend using the AWS SDKs to create API requests, and one benefit of
doing so is that the SDKs handle request signing for you. If you must create and sign
API
requests manually, see Signing AWS Requests
By Using Signature Version 4 in the Amazon Web Services General Reference to learn
how to sign a request.
Comparing the AWS STS API Operations
The following table compares features of the API operations in AWS STS that return temporary security credentials. To learn about the different methods you can use to request temporary security credentials by assuming a role, see Using IAM Roles.
Comparing your API options
| AWS STS API | Who can call | Credential lifetime (min | max | default) | MFA support¹ | Session policy support² | Restrictions on resulting temporary credentials |
|---|---|---|---|---|---|
| AssumeRole | IAM user or IAM role with existing temporary security credentials | 15 m | Maximum session duration setting³ | 1 hr | Yes | Yes |
Cannot call |
| AssumeRoleWithSAML | Any user; caller must pass a SAML authentication response that indicates authentication from a known identity provider | 15 m | Maximum session duration setting³ | 1 hr | No | Yes |
Cannot call |
| AssumeRoleWithWebIdentity | Any user; caller must pass a web identity token that indicates authentication from a known identity provider | 15 m | Maximum session duration setting³ | 1 hr | No | Yes |
Cannot call |
| GetFederationToken | IAM user or AWS account root user |
IAM user: 15 m | 36 hr | 12 hr Root user: 15 m | 1 hr | 1 hr |
No | Yes |
Cannot call IAM API operations directly.⁴ Cannot call AWS STS API operations except SSO to console is allowed.⁵ |
| GetSessionToken | IAM user or AWS account root user |
IAM user: 15 m | 36 hr | 12 hr Root user: 15 m | 1 hr | 1 hr |
Yes | No |
Cannot call IAM API operations unless MFA information is included with the request. Cannot call AWS STS API operations except SSO to console is not allowed.⁶ |
¹ MFA support. You can include information about a multi-factor authentication (MFA) device when you call the AssumeRole and GetSessionToken API operations. This ensures that the temporary security credentials that result from the API call can be used only by users who are authenticated with an MFA device. For more information, see Configuring MFA-Protected API Access.
² Session policy support. Session policies are policies that you pass as a parameter when you programmatically create a temporary session for a role or federated user. This policy limits the permissions from the role or user's identity-based policy that are assigned to the session. The resulting session's permissions are the intersection of the entity's identity-based policies and the session policies. Session policies cannot be used to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information about role session permissions, see Session Policies.
³ Maximum session duration setting. Use the
DurationSeconds parameter to specify the duration of your role session from 900
seconds (15 minutes) up to the maximum session duration setting for the role. To learn
how to
view the maximum value for your role, see View the Maximum Session Duration Setting
for a Role.
⁴ GetCallerIdentity. No permissions are required
to perform this operation. If an administrator adds a policy to your IAM user or role
that
explicitly denies access to the sts:GetCallerIdentity action, you can still
perform this operation. Permissions are not required because the same information
is returned
when an IAM user or role is denied access. To view an example response, see I Am Not Authorized to
Perform: iam:DeleteVirtualMFADevice.
⁵ Single sign-on (SSO) to the console. To support
SSO, AWS lets you call a federation endpoint (https://signin.aws.amazon.com/federation) and pass
temporary security credentials. The endpoint returns a token that you can use to construct
a
URL that signs a user directly into the console without requiring a password. For
more
information, see Enabling SAML 2.0 Federated Users to
Access the AWS Management Console and How to Enable Cross-Account Access to the AWS Management Console in the AWS
Security Blog.
⁶ After you retrieve your temporary credentials, you can't access the AWS Management Console by passing the credentials to the federation single sign-on endpoint. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management Console (Custom Federation Broker).
