Actions, resources, and condition keys for Amazon Security Token Service
Amazon Security Token Service (service prefix: sts) provides the following
service-specific operations, resources, actions, and condition keys for use in IAM permission
policies.
References:
-
Learn how to configure this service.
-
View a list of the API operations available for this service.
-
Learn how to secure this service and its resources by using IAM permission policies.
-
View the programmatic service authorization reference
for this service.
Topics
API operations defined by Amazon Security Token Service
The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.
| Operation | IAM action | Condition key | Possible value(s) | Access level |
|---|---|---|---|---|
|
AssumeRole |
Write |
|||
Write |
||||
Write |
||||
Tagging, Write |
||||
|
AssumeRoot |
Write |
|||
|
DecodeAuthorizationMessage |
Write |
|||
|
GetAccessKeyInfo |
Read |
|||
|
GetCallerIdentity |
Read |
|||
|
GetDelegatedAccessToken |
Write |
|||
|
GetFederationToken |
Read |
|||
Tagging, Write |
||||
|
GetSessionToken |
Read |
|||
|
GetWebIdentityToken |
Write |
|||
Tagging, Write |
Actions defined by Amazon Security Token Service
You can specify the following actions in the Action element of an IAM
policy statement. Use policies to grant permissions to perform an operation in Amazon. When
you use an action in a policy, you usually allow or deny access to the API operation or CLI
command with the same name. However, in some cases, a single action controls access to more
than one operation. Alternatively, some operations require several different actions.
Permission-only actions for Amazon Security Token Service
The following actions are defined by Amazon Security Token Service but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.
| Actions | Description | Resource types (*required) | Condition keys | Access level |
|---|---|---|---|---|
Grants permission to obtain a STS bearer token for an Amazon root user, IAM role, or an IAM user |
Read |
|||
Grants permission to set context keys on a STS session |
Write |
|||
Grants permission to set a source identity on a STS session |
Write |
|||
Grants permission to add tags to the JSON Web Token (JWT) generated by the GetWebIdentityToken API |
Tagging, Write |
|||
Grants permission to add tags to a STS session |
Tagging, Write |
Resource types defined by Amazon Security Token Service
The following resource types are defined by this service and can be used in the
Resource element of IAM permission policy statements.
| Resource types | ARN | Condition keys |
|---|---|---|
arn:${Partition}:iam::aws:contextProvider/${ContextProviderName} |
||
arn:${Partition}:sts::${Account}:federated-user/${FederatedUserName} |
||
arn:${Partition}:iam::${Account}:role/${RoleNameWithPath} |
||
arn:${Partition}:iam::${Account}:root |
||
arn:${Partition}:sts::${Account}:self |
Condition keys for Amazon Security Token Service
Amazon Security Token Service defines the following condition keys that can be used in the
Condition element of an IAM policy.
| Condition keys | Description | Type |
|---|---|---|
Filters access by the Google application ID |
String |
|
Filters access by the Google Cloud or Google Workspace organization number |
Numeric |
|
Filters access by the Google audience |
String |
|
Filters access by the subject of the claim (the Google user ID) |
String |
|
Filters access by the git branch that triggered the Buildkite build |
String |
|
Filters access by the Buildkite cluster ID |
String |
|
Filters access by the Buildkite cluster name |
String |
|
Filters access by the Buildkite organization ID |
String |
|
Filters access by the Buildkite organization slug |
String |
|
Filters access by the Buildkite pipeline ID |
String |
|
Filters access by the Buildkite pipeline slug |
String |
|
Filters access by the git branch that triggered the Buildkite build |
String |
|
Filters access by the Buildkite cluster ID |
String |
|
Filters access by the Buildkite cluster name |
String |
|
Filters access by the Buildkite organization ID |
String |
|
Filters access by the Buildkite organization slug |
String |
|
Filters access by the Buildkite pipeline ID |
String |
|
Filters access by the Buildkite pipeline slug |
String |
|
Filters access by the git branch that triggered the Buildkite build |
String |
|
Filters access by the Buildkite cluster ID |
String |
|
Filters access by the Buildkite cluster name |
String |
|
Filters access by the Buildkite organization ID |
String |
|
Filters access by the Buildkite organization slug |
String |
|
Filters access by the Buildkite pipeline ID |
String |
|
Filters access by the Buildkite pipeline slug |
String |
|
Filters access by the tags that are passed in the request |
String |
|
Filters access by the tags associated with the resource |
String |
|
Filters access by the tag keys that are passed in the request |
ArrayOfString |
|
Filters access by the login information for Amazon Cognito |
String |
|
Filters access by the Amazon Cognito identity pool ID |
String |
|
Filters access by the subject of the claim (the Amazon Cognito user ID) |
String |
|
Filters access by the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the enterprise that contains the repository from where the workflow is running |
String |
|
Filters access by the name of the environment used by the job |
String |
|
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow |
String |
|
Filters access by the git ref (branch or tag) that triggered the workflow run |
String |
|
Filters access by the repository from where the workflow is running |
String |
|
Filters access by the ID of the repository from where the workflow is running |
String |
|
github.com/enterprises/${EnterpriseName}:repository_owner_id |
Filters access by the ID of the repository owner from where the workflow is running |
String |
Filters access by the name of the workflow |
String |
|
Filters access by the GitLab namespace (group) ID of the project running the CI/CD job |
String |
|
Filters access by the source that triggered the GitLab pipeline |
String |
|
Filters access by the GitLab project ID running the CI/CD job |
String |
|
Filters access by whether the GitLab git ref that triggered the job is protected |
String |
|
Filters access by the GitLab runner environment for the CI/CD job |
String |
|
Filters access by the GitLab user access level within the project |
String |
|
Filters access by the GitLab user email executing the CI/CD job |
String |
|
Filters access by the GitLab user ID executing the CI/CD job |
String |
|
Filters access by the GitLab username executing the CI/CD job |
String |
|
Filters access by the Facebook application ID |
String |
|
Filters access by the Facebook user ID |
String |
|
Filters access by the tags that are attached to the role that is being assumed |
String |
|
idcs-${OciUniqueIdentifier}.identity.oraclecloud.com:rpst_id |
Filters access by the OCI resource principal session token ID |
String |
Filters access by the CircleCI project ID |
String |
|
Filters access by the endpoint URL to which SAML assertions are presented |
String |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the commonName attribute |
String |
|
Filters access by on the principal that was used to assume the role |
String |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the eduOrg attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
String |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
String |
|
Filters access by the eduPerson attribute |
String |
|
Filters access by the eduPerson attribute |
String |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the eduPerson attribute |
ArrayOfString |
|
Filters access by the givenName attribute |
String |
|
Filters access by on the issuer, which is represented by a URN |
String |
|
Filters access by the mail attribute |
String |
|
Filters access by the name attribute |
String |
|
Filters access by the hash value of the issuer, account ID, and friendly name |
String |
|
Filters access by the organizationStatus attribute |
String |
|
Filters access by the primaryGroupSID attribute |
String |
|
Filters access by the subject of the claim (the SAML user ID) |
String |
|
Filters access by the value persistent, transient, or the full Format URI |
String |
|
Filters access by the surname attribute |
String |
|
Filters access by the uid attribute |
String |
|
Filters access by the uid attribute |
String |
|
Filters access by the service that is obtaining a bearer token |
String |
|
Filters access by the duration in seconds when getting a bearer token or a JSON Web Token (JWT) from the GetWebIdentityToken API |
Numeric |
|
Filters access by the unique identifier required when you assume a role in another account |
String |
|
Filters access by the audience that is passed in the request |
ArrayOfString |
|
Filters access by the session context key-value pairs embedded in the signed context assertion retrieved from a trusted context provider |
String |
|
Filters access by the context provider ARNs |
ArrayOfARN |
|
Filters access based on whether the identity provider authorized the role via the roles claim in the OIDC token |
Bool |
|
Filters access by the role session name required when you assume a role |
String |
|
Filters access by the signing algorithm that is passed in the request |
String |
|
Filters access by the source identity that is passed in the request |
String |
|
Filters access by TaskPolicyARN |
ARN |
|
Filters access by the transitive tag keys that are passed in the request |
ArrayOfString |
|
Filters access by the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the enterprise that contains the repository from where the workflow is running |
String |
|
Filters access by the name of the environment used by the job |
String |
|
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow |
String |
|
Filters access by the git ref (branch or tag) that triggered the workflow run |
String |
|
Filters access by the repository from where the workflow is running |
String |
|
Filters access by the ID of the repository from where the workflow is running |
String |
|
Filters access by the ID of the repository owner from where the workflow is running |
String |
|
Filters access by the name of the workflow |
String |
|
Filters access by the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the personal account that initiated the workflow run |
String |
|
token.actions.githubusercontent.com/${SubPath}:enterprise_id |
Filters access by the ID of the enterprise that contains the repository from where the workflow is running |
String |
Filters access by the name of the environment used by the job |
String |
|
token.actions.githubusercontent.com/${SubPath}:job_workflow_ref |
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow |
String |
Filters access by the git ref (branch or tag) that triggered the workflow run |
String |
|
Filters access by the repository from where the workflow is running |
String |
|
token.actions.githubusercontent.com/${SubPath}:repository_id |
Filters access by the ID of the repository from where the workflow is running |
String |
token.actions.githubusercontent.com/${SubPath}:repository_owner_id |
Filters access by the ID of the repository owner from where the workflow is running |
String |
Filters access by the name of the workflow |
String |
|
Filters access by the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the personal account that initiated the workflow run |
String |
|
Filters access by the ID of the enterprise that contains the repository from where the workflow is running |
String |
|
Filters access by the name of the environment used by the job |
String |
|
Filters access by the reference path to the reusable workflow for jobs using a reusable workflow |
String |
|
Filters access by the git ref (branch or tag) that triggered the workflow run |
String |
|
Filters access by the repository from where the workflow is running |
String |
|
Filters access by the ID of the repository from where the workflow is running |
String |
|
Filters access by the ID of the repository owner from where the workflow is running |
String |
|
Filters access by the name of the workflow |
String |
|
Filters access by the Login with Amazon application ID |
String |
|
Filters access by the Login with Amazon user ID |
String |