AWS Security Token Service(STS)

AWS Security Token Service(STS) that enables you to request temporary, limited privilege credentials for IAM Users or Federated Users).


  • No need to embed token in the code
  • The defaults expiration for these temporary credentials is 12 hours; the minimum is 15 minutes, and the maximum is 36 hours.

Use Cases

  • Identity Federation(Enterprise Identity Federation[Active Directory/ADFS]/ Web Identity Federation (Google, Facebook))
  • Cross-account access(For Organization with multiple AWS accounts)
  • Applications on Amazon EC2 Instances

Let see this in action


  • Create an IAM user
Go to AWS Console → Security, Identity, & Compliance → IAM → Users → Add user
* User name: Please give some meaningful name
* Access type: Only give this user Programmatic access
  • In the next step don’t add this user to any group or attach any existing policy
  • Keep everything default, Review and Create user


  • Create Roles
  • Choose Another AWS account
  • Attach a Policy(AmazonS3ReadOnlyAccess)
  • Review and create the role


  • Update/Modify Trust Relationships

Go to the Role we have just created and Click on Second Tab Trust relationships

"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::XXXXXX:user/myteststsuser"
"Action": "sts:AssumeRole",
"Condition": {}
  • The current trust relation only allow root account to assume this role
  • Modify it with the arn of the user(myteststsuser) we have just created


Add an inline policy to the user we have created

Service: STS
Action: AssumeRole
Resource: ARN of the role we created earlier
  • This is making our user assume the role



$ aws configure --profile ststestprofileAWS Access Key ID [None]: XXXXXXXXAWS Secret Access Key [None]: XXXXXXDefault region name [None]: us-west-2Default output format [None]: json

Also, export this profile for the time being

$ export AWS_PROFILE=ststestprofile

As we set the user to assume Role, let generate the temporary credentials and security token by running the below-mentioned command

$ aws sts assume-role --role-arn arn:aws:iam::XXXXXX:role/sts-s3-read-only --role-session-name "mytestsession"{"AssumedRoleUser": {"AssumedRoleId": "XXXXXXX:mytestsession","Arn": "arn:aws:sts::XXXXXXX:assumed-role/sts-s3-read-only/mytestsession"},"Credentials": {"SecretAccessKey": "XXXXXXX","SessionToken": "XXXXXXX","Expiration": "2018-12-18T06:47:21Z", "AccessKeyId": "XXXXXXXXX"}}

and then export it


Try to access S3 bucket

$ aws s3 ls2018-12-13 20:53:05 mytestXXXXX


$ aws s3 cp bucketest s3://mytestXXXXXXupload failed: ./bucketest to s3://mytestXXXXXX/bucketest An error occurred (AccessDenied) when calling the PutObject operation: Access Denied



DevOps/Cloud | 2x AWS Certified | Terraform | Gitlab

Love podcasts or audiobooks? Learn on the go with our new app.

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store