Service bearer tokens
Some Amazon services require that you have permission to get an Amazon STS service bearer token before you can access their resources programmatically. These services support a protocol that requires you to use a bearer token instead of using a traditional Amazon Signature Version 4 for API requests. When you perform Amazon CLI or Amazon API operations that require bearer tokens, the Amazon service requests a bearer token on your behalf. The service provides you with the token, which you can then use to perform subsequent operations in that service.
Amazon STS service bearer tokens include information from your original principal authentication that might affect your permissions. This information can include principal tags, session tags, and session policies. The token's access key ID begins with the ABIA prefix. This helps you to identify operations that were performed using service bearer tokens in your CloudTrail logs.
Important
The bearer token can be used only for calls to the service that generates it and in the Region where it was generated. You can't use the bearer token to perform operations in other services or Regions.
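Because every operation performed with a service bearer token is logged with an access key ID that starts with ABIA, a responder can pull those events out of a CloudTrail log file and see, per token, which principal obtained it, which service and Region it was used in, and how many calls failed. The following Python script is an added example, not code from the Amazon documentation: the CloudTrail records it parses are constructed sample data (the account ID, ARNs, key IDs, event names and timestamps are made up), and it assumes the standard CloudTrail record field names (`userIdentity.accessKeyId`, `eventSource`, `awsRegion`, `errorCode`).

```python
"""Summarize CloudTrail events performed with STS service bearer tokens (ABIA... key IDs)."""
import json

BEARER_TOKEN_PREFIX = "ABIA"

# Constructed sample CloudTrail log file (not real log data). Field names follow
# the CloudTrail record format; account ID, ARNs, key IDs and timestamps are made up.
SAMPLE_LOG = json.dumps({"Records": [
    {"eventTime": "2024-01-10T12:00:01Z", "eventSource": "codeartifact.amazonaws.com",
     "eventName": "GetAuthorizationToken", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot",
                      "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-10T12:00:05Z", "eventSource": "codeartifact.amazonaws.com",
     "eventName": "GetRepositoryEndpoint", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot",
                      "accessKeyId": "ABIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-10T12:00:09Z", "eventSource": "codeartifact.amazonaws.com",
     "eventName": "ReadFromRepository", "awsRegion": "us-east-1",
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot",
                      "accessKeyId": "ABIAEXAMPLEKEY000001"}},
    {"eventTime": "2024-01-10T12:00:12Z", "eventSource": "codeartifact.amazonaws.com",
     "eventName": "PublishPackageVersion", "awsRegion": "us-east-1",
     "errorCode": "AccessDeniedException",  # constructed failure, to exercise the error count
     "userIdentity": {"type": "IAMUser", "arn": "arn:aws:iam::111122223333:user/build-bot",
                      "accessKeyId": "ABIAEXAMPLEKEY000001"}},
]})


def summarize_bearer_token_usage(log_text):
    """Group events whose access key ID starts with ABIA by key ID.

    Returns {key_id: {"principal", "services", "regions", "event_names",
                      "events", "errors", "first_seen", "last_seen"}}.
    Events made with ordinary AKIA/ASIA keys are skipped.
    """
    summary = {}
    for rec in json.loads(log_text)["Records"]:
        ident = rec.get("userIdentity", {})
        key_id = ident.get("accessKeyId", "")
        if not key_id.startswith(BEARER_TOKEN_PREFIX):
            continue
        entry = summary.setdefault(key_id, {
            "principal": ident.get("arn"), "services": set(), "regions": set(),
            "event_names": set(), "events": 0, "errors": 0,
            "first_seen": rec["eventTime"], "last_seen": rec["eventTime"]})
        entry["services"].add(rec["eventSource"])
        entry["regions"].add(rec["awsRegion"])
        entry["event_names"].add(rec["eventName"])
        entry["events"] += 1
        if "errorCode" in rec:
            entry["errors"] += 1
        # ISO 8601 timestamps in the same format compare correctly as strings.
        entry["first_seen"] = min(entry["first_seen"], rec["eventTime"])
        entry["last_seen"] = max(entry["last_seen"], rec["eventTime"])
    # Sorted lists are easier to print and to compare than sets.
    for entry in summary.values():
        for field in ("services", "regions", "event_names"):
            entry[field] = sorted(entry[field])
    return summary


if __name__ == "__main__":
    for key_id, info in summarize_bearer_token_usage(SAMPLE_LOG).items():
        print(key_id, json.dumps(info, indent=2))
```

Because a bearer token is only valid for the service and Region that issued it, the `services` and `regions` lists for a single ABIA key should each contain exactly one entry; a failed call shows up in `errors` with its `errorCode` preserved in the underlying record.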
An example of a service that supports bearer tokens is Amazon CodeArtifact. Before you can interact with Amazon CodeArtifact using a package manager such as NPM, Maven, or PIP, you must call the aws codeartifact get-authorization-token operation. This operation returns a bearer token that you can use to perform Amazon CodeArtifact operations. Alternatively, you can use the aws codeartifact login command that completes the same operation and then configures your client automatically.
If you perform an action in an Amazon service that generates a bearer token for you, you must have the following permissions in your IAM policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowServiceBearerToken",
            "Effect": "Allow",
            "Action": "sts:GetServiceBearerToken",
            "Resource": "*"
        }
    ]
}
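When auditing which identities can obtain service bearer tokens, the permission is often not granted by a statement as explicit as the one above but by a wildcard such as "sts:*" or "*". The following Python check is an added example, not code from the Amazon documentation: it evaluates a policy document's Action and Effect elements for one action, treating an explicit Deny as overriding any Allow, and it deliberately ignores Condition, NotAction, and Resource (an assumption that is adequate for sts:GetServiceBearerToken, whose Resource is always "*", but not a general IAM policy evaluator). The two policies other than the minimal one are constructed for illustration.

```python
"""Check whether an IAM policy document grants a given action, and report which statements do."""
import re

TARGET_ACTION = "sts:GetServiceBearerToken"

# The minimal policy from the documentation.
MINIMAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllowServiceBearerToken", "Effect": "Allow",
         "Action": "sts:GetServiceBearerToken", "Resource": "*"}
    ],
}

# Constructed: grants the permission only as a side effect of a service-wide wildcard.
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllSts", "Effect": "Allow", "Action": ["sts:*"], "Resource": "*"}
    ],
}

# Constructed: the wildcard Allow is cancelled by an explicit Deny.
DENIED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "AllSts", "Effect": "Allow", "Action": "sts:*", "Resource": "*"},
        {"Sid": "NoBearerTokens", "Effect": "Deny",
         "Action": "sts:GetServiceBearerToken", "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM allows a single string or a list for Statement and Action; normalize to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action patterns support '*' (any run) and '?' (one character), case-insensitively."""
    regex = "".join(".*" if ch == "*" else "." if ch == "?" else re.escape(ch) for ch in pattern)
    return re.fullmatch(regex, action, flags=re.IGNORECASE) is not None


def granting_statements(policy, action=TARGET_ACTION):
    """Return [(Sid, Effect, matching pattern)] for every statement whose Action covers `action`.

    Assumption: Condition, NotAction and Resource are not evaluated (see lead-in).
    """
    matches = []
    for stmt in _as_list(policy.get("Statement")):
        for pattern in _as_list(stmt.get("Action")):
            if _action_matches(pattern, action):
                matches.append((stmt.get("Sid", "<no Sid>"), stmt["Effect"], pattern))
                break
    return matches


def allows_action(policy, action=TARGET_ACTION):
    """True if some statement allows `action` and no statement explicitly denies it."""
    effects = [effect for _, effect, _ in granting_statements(policy, action)]
    return "Allow" in effects and "Deny" not in effects


def granted_only_by_wildcard(policy, action=TARGET_ACTION):
    """True if the action is allowed but every allowing statement uses a '*' or '?' pattern."""
    allows = [pat for _, effect, pat in granting_statements(policy, action) if effect == "Allow"]
    return allows_action(policy, action) and all("*" in p or "?" in p for p in allows)


if __name__ == "__main__":
    for name, pol in (("minimal", MINIMAL_POLICY), ("overbroad", OVERBROAD_POLICY), ("denied", DENIED_POLICY)):
        print(name, allows_action(pol), granted_only_by_wildcard(pol), granting_statements(pol))
```

`granted_only_by_wildcard` is the finding worth surfacing in a review: an identity that can request bearer tokens only because it holds "sts:*" usually has far more STS permissions than the CodeArtifact workflow needs, and the minimal statement from the documentation is the least-privilege replacement.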
For a service bearer token example, see Using identity-based policies for Amazon CodeArtifact in the Amazon CodeArtifact user guide.