Security Token Service

  • An AWS service that issues temporary, limited-privilege security credentials.

  • These credentials are issued by STS API calls; the most common is sts:AssumeRole (AssumeRoleWithSAML and AssumeRoleWithWebIdentity serve federated identities).


🔄 Assuming a Role

  • When an identity (IAM user, application, or external entity) calls sts:AssumeRole, AWS returns:

    • Temporary credentials (Access Key ID, Secret Access Key, Session Token) and an Expiration timestamp.

  • These credentials:

    • Are short-lived: they expire after the requested DurationSeconds, which cannot exceed the role's maximum session duration.

    • Belong to the role session, not to the caller's own identity; every API call made with them is authorized as the role.


Access Control

  • The access granted by these credentials is bounded by the role's permissions policy (and any permissions boundary on the role).

  • It can be narrowed further by passing a session policy (the Policy or PolicyArns parameter of AssumeRole). The effective permissions are the intersection of the role's policy and the session policy: a session policy can remove permissions but never grant ones the role does not already have.

  • This makes least privilege achievable even when assuming a powerful role: request only the permissions the task at hand needs.
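As an added worked example (not code from the original notes), the following Python models the two points above: building the sts:AssumeRole call with an inline session policy, and computing the session's effective permissions as the intersection of the role's permissions policy and the session policy. The policy documents, role ARN and session name are constructed for illustration; the evaluator handles Effect/Action/Resource only and ignores Condition, NotAction, NotResource, permissions boundaries and resource-based policies.

```python
# Added example: AssumeRole request parameters and effective session permissions.
# The policies, ARNs and names below are constructed for illustration.
import fnmatch
import json
import re

# RoleSessionName: 2-64 characters from [A-Za-z0-9+=,.@_-]
ROLE_SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$", re.ASCII)


def assume_role_request(role_arn, session_name, session_policy=None,
                        duration_seconds=3600):
    """Return the keyword arguments you would pass to boto3's sts.assume_role().

    DurationSeconds must be 900..43200 and may not exceed the role's
    MaxSessionDuration (default 3600); STS rejects the call otherwise.
    No network call is made here.
    """
    if not ROLE_SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [A-Za-z0-9+=,.@_-]")
    if not 900 <= duration_seconds <= 43200:
        raise ValueError("DurationSeconds must be between 900 (15 min) and 43200 (12 h)")
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if session_policy is not None:
        params["Policy"] = json.dumps(session_policy)  # STS wants a JSON string
    return params


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive=False):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' one.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate_policy(policy, action, resource):
    """Evaluate one policy document: 'Deny', 'Allow' or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy.get("Statement")):
        if not _matches(_as_list(stmt.get("Action")), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit deny always wins
        if stmt.get("Effect") == "Allow":
            decision = "Allow"
    return decision


def effective_decision(role_policy, action, resource, session_policy=None):
    """Intersect the role's permissions policy with an optional session policy.

    A request must be allowed by both documents; an explicit Deny in either
    wins. A session policy therefore cannot grant beyond the role's policy.
    """
    decisions = [evaluate_policy(role_policy, action, resource)]
    if session_policy is not None:
        decisions.append(evaluate_policy(session_policy, action, resource))
    if "Deny" in decisions:
        return "Deny"
    if all(d == "Allow" for d in decisions):
        return "Allow"
    return "ImplicitDeny"


# Constructed sample policies. The role is broad on one bucket; the session
# policy keeps only read access to one prefix and tries to add EC2 access
# that the role never granted.
ROLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-bucket", "arn:aws:s3:::example-bucket/*"]},
    {"Effect": "Deny", "Action": "s3:DeleteBucket",
     "Resource": "arn:aws:s3:::example-bucket"},
]}
SESSION_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:GetObject",
     "Resource": "arn:aws:s3:::example-bucket/reports/*"},
    {"Effect": "Allow", "Action": "ec2:DescribeInstances", "Resource": "*"},
]}

if __name__ == "__main__":
    print(json.dumps(assume_role_request(
        "arn:aws:iam::123456789012:role/ReportReader", "quarterly-audit",
        SESSION_POLICY), indent=2))
    obj = "arn:aws:s3:::example-bucket/reports/q1.csv"
    for action, res in [("s3:GetObject", obj), ("s3:PutObject", obj),
                        ("s3:DeleteBucket", "arn:aws:s3:::example-bucket"),
                        ("ec2:DescribeInstances", "*")]:
        print(f"{action:24} {effective_decision(ROLE_POLICY, action, res, SESSION_POLICY)}")
```

Running the script shows the four outcomes that matter in practice: the scoped read is allowed, the write the role would have permitted is implicitly denied by the session policy, the explicit Deny in the role's policy survives regardless of the session policy, and the EC2 permission the session policy tried to add stays denied because the role never had it.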


☁️ Where Temporary Credentials Can Be Used

  • Can be used to access AWS resources just like long-term credentials; the session token is sent alongside the access key pair on every request.

  • Especially useful for:

    • Cross-account access

    • Federated users

    • Applications needing short-term access


🧠 Quick Summary

  Feature          Description
  ---------------  --------------------------------------------------------------------------
  Service          AWS STS (Security Token Service)
  Main operation   sts:AssumeRole
  Output           Temporary credentials (access key ID, secret access key, session token, expiration)
  Lifetime         15 minutes up to the role's maximum session duration (default 1 hour, configurable to 12 hours; capped at 1 hour when role chaining)
  Belongs to       The role session, not the calling identity
  Access control   Bounded by the role's permissions policy; can be narrowed further with a session policy
  Use cases        Temporary access, cross-account roles, identity federation

Revoking Temporary Credentials
