Actions, resources, and condition keys for Amazon Security Token Service
Amazon Security Token Service (service prefix: sts) provides the following service-specific resources, actions, and condition context keys for use in IAM permission policies.
References:
- Learn how to configure this service.
- View a list of the API operations available for this service.
- Learn how to secure this service and its resources by using IAM permission policies.
Actions defined by Amazon Security Token Service
You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.
The Resource types column of the Actions table indicates whether each action supports resource-level permissions. If there is no value for this column, you must specify all resources ("*") to which the policy applies in the Resource element of your policy statement. If the column includes a resource type, then you can specify an ARN of that type in a statement with that action. If the action has one or more required resources, the caller must have permission to use the action with those resources. Required resources are indicated in the table with an asterisk (*). If you limit resource access with the Resource element in an IAM policy, you must include an ARN or pattern for each required resource type. Some actions support multiple resource types. If the resource type is optional (not indicated as required), then you can choose to use one of the optional resource types.
The Condition keys column of the Actions table includes keys that you can specify in a policy statement's Condition element. For more information on the condition keys that are associated with resources for the service, see the Condition keys column of the Resource types table.
Note
Resource condition keys are listed in the Resource types table. You can find a link to the resource type that applies to an action in the Resource types (*required) column of the Actions table. The resource type in the Resource types table includes the Condition keys column, which are the resource condition keys that apply to an action in the Actions table.
For details about the columns in the following table, see Actions table.
Actions | Description | Access level | Resource types (*required) | Condition keys | Dependent actions |
---|---|---|---|---|---|
AssumeRole | Grants permission to obtain a set of temporary security credentials that you can use to access Amazon resources that you might not normally have access to | Write | | cognito-identity.amazonaws.com:amr, cognito-identity.amazonaws.com:aud | |
AssumeRoleWithSAML | Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response | Write | | saml:eduorgidentityauthnpolicyuri, saml:edupersonprimaryaffiliation, saml:edupersonprimaryorgunitdn | |
AssumeRoleWithWebIdentity | Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider | Write | | cognito-identity.amazonaws.com:amr, cognito-identity.amazonaws.com:aud | |
AssumeRoot | Grants permission to obtain a set of temporary security credentials that you can use to perform privileged tasks in member accounts in your organization | Write | | | |
DecodeAuthorizationMessage | Grants permission to decode additional information about the authorization status of a request from an encoded message returned in response to an Amazon request | Write | | | |
GetAccessKeyInfo | Grants permission to obtain details about the access key ID passed as a parameter to the request | Read | | | |
GetCallerIdentity | Grants permission to obtain details about the IAM identity whose credentials are used to call the API | Read | | | |
GetFederationToken | Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user | Read | | | |
GetServiceBearerToken [permission only] | Grants permission to obtain an STS bearer token for an Amazon root user, IAM role, or an IAM user | Read | | | |
GetSessionToken | Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an Amazon Web Services account or IAM user | Read | | | |
SetContext [permission only] | Grants permission to set context keys on an STS session | Write | | | |
SetSourceIdentity [permission only] | Grants permission to set a source identity on an STS session | Write | | | |
TagSession [permission only] | Grants permission to add tags to an STS session | Tagging | | | |
Resource types defined by Amazon Security Token Service
The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements. Each action in the Actions table identifies the resource types that can be specified with that action. A resource type can also define which condition keys you can include in a policy. These keys are displayed in the last column of the table. For details about the columns in the following table, see Resource types table.
Resource types | ARN | Condition keys |
---|---|---|
role | arn:${Partition}:iam::${Account}:role/${RoleNameWithPath} | |
user | arn:${Partition}:iam::${Account}:user/${UserNameWithPath} | |
root-user | arn:${Partition}:iam::${Account}:root | |
self-session | arn:${Partition}:sts::${Account}:self | |
Condition keys for Amazon Security Token Service
Amazon Security Token Service defines the following condition keys that can be used in the Condition element of an IAM policy. You can use these keys to further refine the conditions under which the policy statement applies. For details about the columns in the following table, see Condition keys table.
To view the global condition keys that are available to all services, see Available global condition keys.
Condition keys | Description | Type |
---|---|---|
accounts.google.com:aud | Filters access by the Google application ID | String |
accounts.google.com:oaud | Filters access by the Google audience | String |
accounts.google.com:sub | Filters access by the subject of the claim (the Google user ID) | String |
aws:RequestTag/${TagKey} | Filters access by the tags that are passed in the request | String |
aws:ResourceTag/${TagKey} | Filters access by the tags associated with the resource | String |
aws:TagKeys | Filters access by the tag keys that are passed in the request | ArrayOfString |
cognito-identity.amazonaws.com:amr | Filters access by the login information for Amazon Cognito | String |
cognito-identity.amazonaws.com:aud | Filters access by the Amazon Cognito identity pool ID | String |
cognito-identity.amazonaws.com:sub | Filters access by the subject of the claim (the Amazon Cognito user ID) | String |
graph.facebook.com:app_id | Filters access by the Facebook application ID | String |
graph.facebook.com:id | Filters access by the Facebook user ID | String |
iam:ResourceTag/${TagKey} | Filters access by the tags that are attached to the role that is being assumed | String |
saml:aud | Filters access by the endpoint URL to which SAML assertions are presented | String |
saml:cn | Filters access by the eduOrg attribute | ArrayOfString |
saml:commonName | Filters access by the commonName attribute | String |
saml:doc | Filters access by the principal that was used to assume the role | String |
saml:eduorghomepageuri | Filters access by the eduOrg attribute | ArrayOfString |
saml:eduorgidentityauthnpolicyuri | Filters access by the eduOrg attribute | ArrayOfString |
saml:eduorglegalname | Filters access by the eduOrg attribute | ArrayOfString |
saml:eduorgsuperioruri | Filters access by the eduOrg attribute | ArrayOfString |
saml:eduorgwhitepagesuri | Filters access by the eduOrg attribute | ArrayOfString |
saml:edupersonaffiliation | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersonassurance | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersonentitlement | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersonnickname | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersonorgdn | Filters access by the eduPerson attribute | String |
saml:edupersonorgunitdn | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersonprimaryaffiliation | Filters access by the eduPerson attribute | String |
saml:edupersonprimaryorgunitdn | Filters access by the eduPerson attribute | String |
saml:edupersonprincipalname | Filters access by the eduPerson attribute | String |
saml:edupersonscopedaffiliation | Filters access by the eduPerson attribute | ArrayOfString |
saml:edupersontargetedid | Filters access by the eduPerson attribute | ArrayOfString |
saml:givenName | Filters access by the givenName attribute | String |
saml:iss | Filters access by the issuer, which is represented by a URN | String |
saml:mail | Filters access by the mail attribute | String |
saml:name | Filters access by the name attribute | String |
saml:namequalifier | Filters access by the hash value of the issuer, account ID, and friendly name | String |
saml:organizationStatus | Filters access by the organizationStatus attribute | String |
saml:primaryGroupSID | Filters access by the primaryGroupSID attribute | String |
saml:sub | Filters access by the subject of the claim (the SAML user ID) | String |
saml:sub_type | Filters access by the value persistent, transient, or the full Format URI | String |
saml:surname | Filters access by the surname attribute | String |
saml:uid | Filters access by the uid attribute | String |
saml:x500UniqueIdentifier | Filters access by the uid attribute | String |
sts:AWSServiceName | Filters access by the service that is obtaining a bearer token | String |
sts:DurationSeconds | Filters access by the duration in seconds when getting a bearer token | String |
sts:ExternalId | Filters access by the unique identifier required when you assume a role in another account | String |
sts:RequestContext/${ContextKey} | Filters access by the session context key-value pairs embedded in the signed context assertion retrieved from a trusted context provider | String |
sts:RequestContextProviders | Filters access by the context provider ARNs | ArrayOfARN |
sts:RoleSessionName | Filters access by the role session name required when you assume a role | String |
sts:SourceIdentity | Filters access by the source identity that is passed in the request | String |
sts:TaskPolicyArn | Filters access by TaskPolicyARN | String |
sts:TransitiveTagKeys | Filters access by the transitive tag keys that are passed in the request | ArrayOfString |
www.amazon.com:app_id | Filters access by the Login with Amazon application ID | String |
www.amazon.com:user_id | Filters access by the Login with Amazon user ID | String |
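As an added illustration, not part of the reference page itself, the following role trust policy combines the role ARN form from the Resource types table with the sts:ExternalId, sts:RoleSessionName, aws:RequestTag/${TagKey} and aws:TagKeys condition keys listed above. The account ID 111122223333, the aws partition, the external ID string and the Team tag value are placeholders to be replaced with your own values.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "AssumeOnlyWithExpectedExternalIdAndSessionName",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:AssumeRole",
      "Condition": {
        "StringEquals": { "sts:ExternalId": "REPLACE-WITH-EXTERNAL-ID" },
        "StringLike": { "sts:RoleSessionName": "ci-*" }
      }
    },
    {
      "Sid": "TagSessionOnlyWithTeamTag",
      "Effect": "Allow",
      "Principal": { "AWS": "arn:aws:iam::111122223333:root" },
      "Action": "sts:TagSession",
      "Condition": {
        "StringEquals": { "aws:RequestTag/Team": "platform" },
        "ForAllValues:StringEquals": { "aws:TagKeys": ["Team"] }
      }
    }
  ]
}
```

The first statement rejects any AssumeRole call from the trusted account that omits the expected external ID or uses a session name outside the ci-* pattern, which keeps session names predictable in CloudTrail. The second statement, because sts:TagSession is a permission-only action evaluated alongside AssumeRole, allows session tags only when the request carries exactly the Team tag with the expected value.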