Using Amazon Security Token Service on a Snowball Edge - Amazon Snowball Edge Developer Guide

Using Amazon Security Token Service on a Snowball Edge

The Amazon Security Token Service (Amazon STS) helps you request temporary, limited-privilege credentials for IAM users.

Important

For Amazon services to work properly on a Snowball Edge, you must allow the ports for the services. For details, see Port requirements for Amazon services on a Snowball Edge.

Using the Amazon CLI and API operations on a Snowball Edge

When using the Amazon CLI or API operations to issue IAM, Amazon STS, Amazon S3, and Amazon EC2 commands on a Snowball Edge device, you must specify the region as snow. You can do this with aws configure or within the command itself, as in the following examples.

aws configure --profile snowballEdge
Amazon Access Key ID [None]: defgh
Amazon Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json

Or

aws iam list-users --endpoint http://192.0.2.0:6078 --region snow --profile snowballEdge

Note

The access key ID and secret access key that are used locally on Amazon Snowball Edge can't be interchanged with the keys in the Amazon Web Services Cloud.

Supported Amazon STS Amazon CLI commands on a Snowball Edge

Only the assume-role command is supported locally.

The following parameters are supported for assume-role:

  • role-arn

  • role-session-name

  • duration-seconds

Example command to assume a role on a Snowball Edge

To assume a role, use the following command.

aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session --endpoint http://snow-device-IP-address:7078

For more information about using the assume-role command, see How do I assume an IAM role using the Amazon CLI?

For more information about using Amazon STS, see Using Temporary Security Credentials in the IAM User Guide.
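
As an added example that is not part of the original guide: a shell function that calls assume-role with only the three supported parameters, the snow region and the device endpoint, then loads the returned temporary credentials into the current shell's environment instead of writing them to disk. The function name and the SNOW_* variables are assumptions, snowballEdge is the profile configured earlier, and the device is assumed to return the standard Credentials structure.

```shell
#!/bin/sh
# Added example (not from the Snowball Edge guide). snow_assume_role,
# SNOW_STS_ENDPOINT, SNOW_PROFILE and SNOW_CREDS_EXPIRE are assumed names.
# Source this file, then: snow_assume_role <role-arn> <session-name> [seconds]

snow_assume_role() {
    role_arn=$1 session_name=$2 duration=${3:-3600}
    profile=${SNOW_PROFILE:-snowballEdge}
    [ -n "$SNOW_STS_ENDPOINT" ] ||
        { echo "set SNOW_STS_ENDPOINT to the device STS endpoint" >&2; return 2; }

    # Fail early on malformed input instead of sending it to the device.
    case $role_arn in
        *[!A-Za-z0-9+=,.@_/:-]*) echo "unexpected character in role ARN" >&2; return 2 ;;
        arn:aws:iam::[0-9]*:role/?*) ;;
        *) echo "not an IAM role ARN" >&2; return 2 ;;
    esac
    case $session_name in
        ''|*[!A-Za-z0-9+=,.@_-]*) echo "bad session name" >&2; return 2 ;;
    esac
    case $duration in
        ''|*[!0-9]*) echo "duration must be whole seconds" >&2; return 2 ;;
    esac

    # Only the three supported parameters are passed. --query with
    # --output text returns the four fields on one tab-separated line.
    out=$(aws sts assume-role \
        --role-arn "$role_arn" \
        --role-session-name "$session_name" \
        --duration-seconds "$duration" \
        --endpoint "$SNOW_STS_ENDPOINT" --region snow --profile "$profile" \
        --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
        --output text) || { echo "assume-role failed" >&2; return 1; }

    tab=$(printf '\t')
    IFS=$tab read -r key secret token expiry <<EOF
$out
EOF
    [ -n "$key" ] && [ -n "$secret" ] && [ -n "$token" ] ||
        { echo "incomplete credentials in response" >&2; return 1; }

    # Temporary credentials live only in this shell's environment.
    export AWS_ACCESS_KEY_ID="$key" AWS_SECRET_ACCESS_KEY="$secret"
    export AWS_SESSION_TOKEN="$token" AWS_DEFAULT_REGION=snow
    SNOW_CREDS_EXPIRE=$expiry
    unset out key secret token expiry
}
```

Later commands in the same shell still need the device endpoint passed with --endpoint; SNOW_CREDS_EXPIRE holds the expiry time so a script can tell when to assume the role again.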

Supported Amazon STS API operations on a Snowball Edge

Only the AssumeRole API is supported locally.

The following parameters are supported for AssumeRole:

  • RoleArn

  • RoleSessionName

  • DurationSeconds

Example of assuming a role

https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=session-example
&RoleArn=arn:aws:iam::123456789012:role/demo
&DurationSeconds=3600