AWS Security Token Service (STS)

AWS Security Token Service (STS) is the engine behind temporary credentials in AWS. Every time you assume a role, federate an external identity, or request session tokens, STS is doing the work. Understanding STS is essential for building secure architectures.

What is AWS STS?

STS is a global web service that provides temporary, limited-privilege security credentials. These credentials consist of three parts:

Component	Description
Access Key ID	Identifies the temporary credential
Secret Access Key	Used to sign requests
Session Token	Must be included with every request using temporary credentials

Temporary credentials work almost identically to permanent access keys, except:

They expire automatically after a configurable period.
They cannot be revoked individually — you revoke them by changing the role's permissions or the session policy.
They are not stored with the user — STS generates them on demand.

Why Use Temporary Credentials?

Temporary credentials are a cornerstone of AWS security best practices:

Reduced blast radius — if stolen, they expire quickly.
No secret management burden — no keys to store, rotate, or track.
Automatic rotation — new credentials are issued each time a role is assumed.
Auditability — CloudTrail records every STS call, showing who assumed which role and when.

Core STS API Actions

STS provides several API actions, each serving a different use case:

1. AssumeRole

The most commonly used STS action. It returns temporary credentials for an IAM role.

aws sts assume-role \
  --role-arn arn:aws:iam::123456789012:role/MyRole \
  --role-session-name my-session \
  --duration-seconds 3600

Use cases:

Cross-account access
Granting temporary elevated permissions
Applications assuming roles programmatically

Duration: 15 minutes to 12 hours (default: 1 hour).

2. AssumeRoleWithSAML

Returns temporary credentials for users authenticated via a SAML 2.0 identity provider (e.g., Active Directory Federation Services, Okta, OneLogin).

Use case: Enterprise single sign-on (SSO) — employees authenticate with their corporate credentials and receive AWS access without needing IAM users.

Duration: 15 minutes to 12 hours.

3. AssumeRoleWithWebIdentity

Returns temporary credentials for users authenticated by a web identity provider (e.g., Login with Amazon, Facebook, Google, or any OpenID Connect provider).

Use case: Mobile or web applications where end users authenticate with a social identity provider to access AWS resources (like uploading to S3).

Note: AWS recommends using Amazon Cognito instead of calling this API directly, as Cognito provides a higher-level abstraction.

Duration: 15 minutes to 12 hours.

4. GetSessionToken

Returns temporary credentials for an IAM user. This is typically used to enable MFA-protected API access.

aws sts get-session-token \
  --serial-number arn:aws:iam::123456789012:mfa/my-user \
  --token-code 123456 \
  --duration-seconds 3600

AWS Security Token Service (STS)

AWS Security Token Service (STS)

What is AWS STS?

Why Use Temporary Credentials?

Core STS API Actions

1. AssumeRole

2. AssumeRoleWithSAML

3. AssumeRoleWithWebIdentity

4. GetSessionToken

More in Cloud