Temporary security credentials in IAM - Amazon Identity and Access Management
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Temporary security credentials in IAM

You can use the Amazon Security Token Service (Amazon STS) to create and provide trusted users with temporary security credentials that can control access to your Amazon resources. Temporary security credentials work almost identically to long-term access key credentials, with the following differences:

  • Temporary security credentials are short-term, as the name implies. They can be configured to last for anywhere from a few minutes to several hours. After the credentials expire, Amazon no longer recognizes them or allows any kind of access from API requests made with them.

  • Temporary security credentials are not stored with the user but are generated dynamically and provided to the user when requested. When (or even before) the temporary security credentials expire, the user can request new credentials, as long as the user requesting them still has permissions to do so.

As a result, temporary credentials have the following advantages over long-term credentials:

  • You do not have to distribute or embed long-term Amazon security credentials with an application.

  • You can provide access to your Amazon resources to users without having to define an Amazon identity for them. Temporary credentials are the basis for roles and identity federation.

  • The temporary security credentials have a limited lifetime, so you do not have to update them or explicitly revoke them when they're no longer needed. After temporary security credentials expire, they cannot be reused. You can specify how long the credentials are valid, up to a maximum limit.

Amazon STS and Amazon regions

Temporary security credentials are generated by Amazon STS. By default, Amazon STS is a global service with a single endpoint at https://sts.amazonaws.com.cn. However, you can also choose to make Amazon STS API calls to endpoints in any other supported Region. This can reduce latency (server lag) by sending the requests to servers in a Region that is geographically closer to you. No matter which Region your credentials come from, they work globally. For more information, see Managing Amazon STS in an Amazon Web Services Region.

Common scenarios for temporary credentials

Temporary credentials are useful in scenarios that involve identity federation, delegation, cross-account access, and IAM roles.

Identity federation

You can manage your user identities in an external system outside of Amazon and grant users who sign in from those systems access to perform Amazon tasks and access your Amazon resources. IAM supports two types of identity federation. In both cases, the identities are stored outside of Amazon. The distinction is where the external system resides—in your data center or an external third party on the web. For more information about external identity providers, see Identity providers and federation.

  • SAML federation – You can authenticate users in your organization's network, and then provide those users access to Amazon without creating new Amazon identities for them and requiring them to sign in with different sign-in credentials. This is known as the single sign-on approach to temporary access. Amazon STS supports open standards like Security Assertion Markup Language (SAML) 2.0, with which you can use Microsoft AD FS to leverage your Microsoft Active Directory. You can also use SAML 2.0 to manage your own solution for federating user identities. For more information, see SAML 2.0 federation.

    • Custom federation broker – You can use your organization's authentication system to grant access to Amazon resources. For an example scenario, see Enabling custom identity broker access to the Amazon console.

    • Federation using SAML 2.0 – You can use your organization's authentication system and SAML to grant access to Amazon resources. For more information and an example scenario, see SAML 2.0 federation.

  • OpenID Connect (OIDC) federation – You can let users sign in using a well-known third-party identity provider such as Login with Amazon, Facebook, Google, or any OIDC 2.0 compatible provider for your mobile or web application, you don't need to create custom sign-in code or manage your own user identities. Using OIDC federation helps you keep your Amazon Web Services account secure, because you don't have to distribute long-term security credentials, such as IAM user access keys, with your application. For more information, see OIDC federation.

    Amazon STS OIDC federation supports Login with Amazon, Facebook, Google, and any OpenID Connect (OIDC)-compatible identity provider.

    Note

    For mobile applications, we recommend that you use Amazon Cognito. You can use this service with Amazon SDKs for mobile development to create unique identities for users and authenticate them for secure access to your Amazon resources. Amazon Cognito supports the same identity providers as Amazon STS, and also supports unauthenticated (guest) access and lets you migrate user data when a user signs in. Amazon Cognito also provides API operations for synchronizing user data so that it is preserved as users move between devices. For more information, see Authentication with Amplify in the Amplify Documentation.

Roles for cross-account access

Many organizations maintain more than one Amazon Web Services account. Using roles and cross-account access, you can define user identities in one account, and use those identities to access Amazon resources in other accounts that belong to your organization. This is known as the delegation approach to temporary access. For more information about creating cross-account roles, see Creating a role to delegate permissions to an IAM user. To learn whether principals in accounts outside of your zone of trust (trusted organization or account) have access to assume your roles, see What is IAM Access Analyzer?.

Roles for Amazon EC2

If you run applications on Amazon EC2 instances and those applications need access to Amazon resources, you can provide temporary security credentials to your instances when you launch them. These temporary security credentials are available to all applications that run on the instance, so you don't need to store any long-term credentials on the instance. For more information, see Using an IAM role to grant permissions to applications running on Amazon EC2 instances.

Other Amazon services

You can use temporary security credentials to access most Amazon services. For a list of the services that accept temporary security credentials, see Amazon services that work with IAM.