Calling the IAM API using HTTP query requests
You can access the IAM and Amazon STS services programmatically using the Query API.
Query API requests are HTTPS requests that must contain an Action parameter to indicate the
action to be performed. IAM and Amazon STS support GET and POST requests for all actions. That
is, the API does not require you to use GET for some actions and POST for others. However, GET
requests are subject to the size limit of a URL; although this limit is browser dependent,
a typical limit is 2048 bytes. Therefore, for Query API requests that require larger sizes, you
must use a POST request.
The response is an XML document. For details about the response, see the individual action pages in the IAM API Reference or the Amazon Security Token Service API Reference.
Tip
Instead of making direct calls to the IAM or Amazon STS API operations, you can use one of the Amazon
SDKs. The Amazon SDKs consist of libraries and sample code for various programming languages and
platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient way to create
programmatic access to IAM and Amazon. For example, the SDKs take care of tasks such as
cryptographically signing requests (see below), managing errors, and retrying requests
automatically. For information about the Amazon SDKs, including how to download and install them,
see the Tools for Amazon Web Services page.
For details about the API actions and errors, see the IAM API Reference or the Amazon Security Token Service API Reference.
Endpoints
IAM and Amazon STS each have a single global endpoint:
- (Amazon STS) https://sts.amazonaws.com.cn
Note
Amazon STS also supports sending requests to regional endpoints in addition to the global endpoint. Before you can use Amazon STS in a Region, you must first activate STS in that Region for your Amazon Web Services account. For more information about activating additional Regions for Amazon STS, see Managing Amazon STS in an Amazon Web Services Region.
For more information about Amazon endpoints and Regions for all services, see Service endpoints and quotas in the Amazon Web Services General Reference.
HTTPS required
Because the Query API returns sensitive information such as security credentials, you must use HTTPS with all API requests.
Signing IAM API requests
Requests must be signed using an access key ID and a secret access key. We strongly recommend that you do not use your Amazon Web Services account root user credentials for everyday work with IAM. You can use the credentials for an IAM user or you can use Amazon STS to generate temporary security credentials.
To sign your API requests, we recommend using Amazon Signature Version 4. For information about using Signature Version 4, go to Signature Version 4 Signing Process in the Amazon General Reference.
If you need to use Signature Version 2, information about using Signature Version 2 is available in the Amazon General Reference.
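The following is an added example, not code from this page or from an Amazon SDK: it builds a Signature Version 4 signed Query API request, rejects non-HTTPS endpoints, and switches from GET to POST when the URL would exceed the 2048-byte limit mentioned above. The credentials are constructed placeholders, and the signing Region `cn-north-1` and the STS API version `2011-06-15` are assumptions that do not appear on this page.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import quote, urlsplit

URL_LIMIT = 2048  # typical GET URL size limit quoted on this page

# Constructed placeholder credentials; the signing Region is an assumption.
DEMO = dict(access_key="AKIDEXAMPLE", secret_key="constructed-secret-key",
            region="cn-north-1", service="sts")


def sign_query_request(endpoint, params, access_key, secret_key,
                       region, service, now=None):
    """Return (method, url, headers, body) for a SigV4-signed Query API call."""
    parts = urlsplit(endpoint)
    if parts.scheme != "https":
        raise ValueError("Query API requests must use HTTPS")
    now = now or datetime.now(timezone.utc)
    amz_date, day = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    # Parameters sorted by name and RFC 3986 percent-encoded.
    query = "&".join(f"{quote(k, safe='-_.~')}={quote(v, safe='-_.~')}"
                     for k, v in sorted(params.items()))
    url = f"https://{parts.netloc}/"
    headers = {"host": parts.netloc, "x-amz-date": amz_date}
    if len(url) + 1 + len(query) <= URL_LIMIT:
        method, canonical_query, body = "GET", query, ""
        url += "?" + query
    else:  # too long for a URL: send the parameters in the POST body
        method, canonical_query, body = "POST", "", query
        headers["content-type"] = "application/x-www-form-urlencoded; charset=utf-8"
    signed = ";".join(sorted(headers))
    canonical_headers = "".join(f"{k}:{headers[k]}\n" for k in sorted(headers))
    canonical = "\n".join([method, "/", canonical_query, canonical_headers,
                           signed, hashlib.sha256(body.encode()).hexdigest()])
    scope = f"{day}/{region}/{service}/aws4_request"
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    # Derive the signing key; the secret key itself never leaves the client.
    key = ("AWS4" + secret_key).encode()
    for part in (day, region, service, "aws4_request"):
        key = hmac.new(key, part.encode(), hashlib.sha256).digest()
    signature = hmac.new(key, to_sign.encode(), hashlib.sha256).hexdigest()
    headers["authorization"] = (
        f"AWS4-HMAC-SHA256 Credential={access_key}/{scope}, "
        f"SignedHeaders={signed}, Signature={signature}")
    return method, url, headers, body
```

The returned tuple can be passed to any HTTP client; only the access key ID and the derived signature appear in the request, never the secret access key.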
For more information, see the following:
- Amazon Security Credentials. Provides general information about the types of credentials used for accessing Amazon.
- Security best practices in IAM. Presents a list of suggestions for using the IAM service to help secure your Amazon resources.
- Temporary security credentials in IAM. Describes how to create and use temporary security credentials.