AWS Security Token Service

A web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management users or for users that you authenticate (federated users).

Endpoints
https://sts.amazonaws.com maps to the US East region. Other regional endpoints are available and are activated by default.

Recording API requests
STS supports AWS CloudTrail to record all AWS calls for your AWS account and delivers log files to an Amazon S3 bucket.

Actions

AssumeRole
Returns a set of temporary security credentials (access key ID, secret access key, security token) that you can use to access AWS resources that you might not normally have access to.
AssumeRole is used for cross-account access or federation.

You cannot call AssumeRole using the AWS root account credentials; access is denied.

For cross-account access, you can create one set of long-term credentials in one account and then use temporary security credentials to access all the other accounts by assuming roles in those accounts.
For federation, you can grant single sign-on access to the AWS Management Console. If you have an identity and authentication system in your corporate network, you grant those user identities access to AWS with temporary security credentials for that role. You construct a sign-in URL that users can use to access the console.
Credentials are valid for the duration that you specified when calling AssumeRole, from 900 seconds to 3600 seconds. The default is 3600 seconds.
To assume a role, the AWS account must be trusted by the role. The trust relationship is defined in the role's trust policy when the role is created.
You can use MFA when you call AssumeRole. This is useful for cross-account scenarios.
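As an added example (not part of the original notes), the following pure Python builds the two pieces the AssumeRole section describes: the trust policy on the role side, which allows a trusted account to assume it only when MFA was used, and the validated request parameters on the caller side (the keyword arguments boto3's sts.assume_role() takes), plus a mapping of the returned credentials onto the environment variables the SDKs read. The account IDs, role name and session name are made-up placeholders.

```python
import re

# Constructed placeholder account IDs; replace with your own.
TRUSTING_ACCOUNT = "123456789012"   # account that owns the role
TRUSTED_ACCOUNT = "111122223333"    # account whose users may assume it

ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")

def trust_policy(trusted_account_id, require_mfa=True):
    """Trust policy attached to the role: only principals in the trusted
    account may call sts:AssumeRole, and only with MFA if require_mfa."""
    statement = {
        "Effect": "Allow",
        # ":root" here names the whole account, not its root user (which cannot call AssumeRole).
        "Principal": {"AWS": f"arn:aws:iam::{trusted_account_id}:root"},
        "Action": "sts:AssumeRole",
    }
    if require_mfa:
        # An AssumeRole call made without SerialNumber/TokenCode fails this condition.
        statement["Condition"] = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
    return {"Version": "2012-10-17", "Statement": [statement]}

def assume_role_params(role_arn, session_name, duration_seconds=3600,
                       mfa_serial=None, mfa_code=None):
    """Keyword arguments for sts.assume_role(), validated up front against
    the limits in the notes (900..3600 seconds, default 3600)."""
    if not ROLE_ARN_RE.match(role_arn):
        raise ValueError(f"not a role ARN: {role_arn}")
    if not SESSION_NAME_RE.match(session_name):
        raise ValueError("RoleSessionName must be 2-64 chars of [A-Za-z0-9_+=,.@-]")
    if not 900 <= duration_seconds <= 3600:
        raise ValueError("DurationSeconds must be between 900 and 3600")
    params = {"RoleArn": role_arn, "RoleSessionName": session_name,
              "DurationSeconds": duration_seconds}
    if mfa_serial:
        if not re.fullmatch(r"\d{6}", mfa_code or ""):
            raise ValueError("TokenCode must be the 6-digit code from the MFA device")
        params["SerialNumber"] = mfa_serial
        params["TokenCode"] = mfa_code
    return params

def credentials_to_env(response):
    """Map the Credentials block of an AssumeRole response onto the env vars the SDKs/CLI read."""
    c = response["Credentials"]
    return {
        "AWS_ACCESS_KEY_ID": c["AccessKeyId"],
        "AWS_SECRET_ACCESS_KEY": c["SecretAccessKey"],
        "AWS_SESSION_TOKEN": c["SessionToken"],
    }
```

The returned credentials expire at the response's Expiration time, so anything exported this way must be refreshed by calling AssumeRole again.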

AssumeRoleWithSAML
Returns a set of temporary security credentials for users authenticated via a SAML authentication response.

AssumeRoleWithWebIdentity
Returns a set of temporary security credentials for users authenticated in a mobile or web application with a web identity provider (Amazon Cognito, Facebook, Google, OpenID Connect, etc.).
Calling this does not require the use of AWS security credentials, which is good for mobile devices.
