Using Amazon Security Token Service
The Amazon Security Token Service (Amazon STS) helps you request temporary, limited-privilege credentials for IAM users.
Important
For Amazon services to work properly on a Snowball Edge, you must allow the ports for the services. For details, see Ports Required to Use Amazon Services on an Amazon Snowball Edge Device.
Using the Amazon CLI and API Operations on Snowball Edge
When using the Amazon CLI or API operations to issue IAM, Amazon STS, Amazon S3, and Amazon EC2 commands on a Snowball Edge device, you must specify the region as "snow". You can do this using aws configure or within the command itself, as in the following examples.
aws configure --profile snowballEdge
Amazon Access Key ID [None]: defgh
Amazon Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json
Or
aws iam list-users --profile snowballEdge --endpoint http://192.0.2.0:6078 --region snow
Note
The access key ID and secret access key that are used locally on Amazon Snowball Edge can't be interchanged with the keys in the Amazon Web Services Cloud.
Supported Amazon STS Amazon CLI Commands on a Snowball Edge
Only the assume-role command is supported locally.
The following parameters are supported for assume-role:
role-arn
role-session-name
duration-seconds
Example Command
To assume a role, use the following command.
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session --endpoint http://snow-device-IP-address:7078
For more information about using the assume-role command, see How do I assume an IAM role using the Amazon CLI?
For more information about using Amazon STS, see Using Temporary Security Credentials in the IAM User Guide.
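The following wrapper is an added example, not code from this guide: it refuses any assume-role option other than the three supported locally, pins the region to snow, and loads the returned temporary credentials into the environment. The function names, the SNOW_STS_ENDPOINT variable, the reuse of the snowballEdge profile, and the assumption that the device returns the same Credentials fields as the cloud API are all assumptions of this example.

```shell
# Added example (not from the original guide). SNOW_STS_ENDPOINT is a
# hypothetical variable; replace the placeholder host with the device address.
SNOW_STS_ENDPOINT="${SNOW_STS_ENDPOINT:-http://snow-device-IP-address:7078}"

# Fail if any option other than the three locally supported ones is passed.
check_supported_params() {
  for _arg in "$@"; do
    case "$_arg" in
      --role-arn|--role-session-name|--duration-seconds) ;;
      --*) echo "not supported on Snowball Edge: $_arg" >&2; return 1 ;;
    esac
  done
}

# Parse "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" (the shape produced
# by --output text with the --query below) and export the standard variables.
load_credentials() {
  _tab=$(printf '\t')
  IFS="$_tab" read -r _k _s _t <<EOF
$1
EOF
  if [ -z "$_k" ] || [ -z "$_s" ] || [ -z "$_t" ]; then
    echo "incomplete credential set returned" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$_k" AWS_SECRET_ACCESS_KEY="$_s" AWS_SESSION_TOKEN="$_t"
  unset _k _s _t _tab
}

# Usage: snow_assume_role --role-arn ARN --role-session-name NAME
#        [--duration-seconds N]
snow_assume_role() {
  check_supported_params "$@" || return 1
  _out=$(aws sts assume-role "$@" \
    --profile snowballEdge --region snow --endpoint "$SNOW_STS_ENDPOINT" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text) || return 1
  load_credentials "$_out"
}
```

The exported credentials are valid only against the device endpoints; as noted above, they can't be interchanged with keys in the Amazon Web Services Cloud.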
Supported Amazon STS API Operations
Only the AssumeRole API is supported locally.
The following parameters are supported for AssumeRole:
RoleArn
RoleSessionName
DurationSeconds
Example
To assume a role, use the following.
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=session-example
&RoleArn=arn:aws:iam::123456789012:role/demo
&DurationSeconds=3600