View a markdown version of this page

Actions, resources, and condition keys for Amazon Security Token Service - Service Authorization Reference
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Actions, resources, and condition keys for Amazon Security Token Service

Amazon Security Token Service (service prefix: sts) provides the following service-specific operations, resources, actions, and condition keys for use in IAM permission policies.

References:

API operations defined by Amazon Security Token Service

The following table maps API operations to the IAM actions they authorize. Only condition keys that have static values for the given API and action are listed; for the full set of condition keys supported by each action, see the Actions table.

Operation IAM action Condition key Possible value(s) Access level

AssumeRole

sts:AssumeRole

Write

sts:SetContext

Write

sts:SetSourceIdentity

Write

sts:TagSession

Tagging, Write

AssumeRoot

sts:AssumeRoot

Write

DecodeAuthorizationMessage

sts:DecodeAuthorizationMessage

Write

GetAccessKeyInfo

sts:GetAccessKeyInfo

Read

GetCallerIdentity

sts:GetCallerIdentity

Read

GetDelegatedAccessToken

sts:GetDelegatedAccessToken

Write

GetFederationToken

sts:GetFederationToken

Read

sts:TagSession

Tagging, Write

GetSessionToken

sts:GetSessionToken

Read

GetWebIdentityToken

sts:GetWebIdentityToken

Write

sts:TagGetWebIdentityToken

Tagging, Write

Actions defined by Amazon Security Token Service

You can specify the following actions in the Action element of an IAM policy statement. Use policies to grant permissions to perform an operation in Amazon. When you use an action in a policy, you usually allow or deny access to the API operation or CLI command with the same name. However, in some cases, a single action controls access to more than one operation. Alternatively, some operations require several different actions.

Actions Description Resource types (*required) Condition keys Access level

AssumeRole

Grants permission to obtain a set of temporary security credentials that you can use to access Amazon resources that you might not normally have access to

role*

accounts.google.com:aud

accounts.google.com:sub

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

cognito-identity.amazonaws.com:amr

cognito-identity.amazonaws.com:aud

cognito-identity.amazonaws.com:sub

graph.facebook.com:app_id

graph.facebook.com:id

iam:ResourceTag/${TagKey}

saml:namequalifier

saml:sub

saml:sub_type

sts:ExternalId

sts:RoleSessionName

sts:SourceIdentity

sts:TransitiveTagKeys

www.amazon.com:app_id

www.amazon.com:user_id

Write

AssumeRoleWithSAML

Grants permission to obtain a set of temporary security credentials for users who have been authenticated via a SAML authentication response

role*

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

saml:aud

saml:cn

saml:commonName

saml:doc

saml:eduorghomepageuri

saml:eduorgidentityauthnpolicyuri

saml:eduorglegalname

saml:eduorgsuperioruri

saml:eduorgwhitepagesuri

saml:edupersonaffiliation

saml:edupersonassurance

saml:edupersonentitlement

saml:edupersonnickname

saml:edupersonorgdn

saml:edupersonorgunitdn

saml:edupersonprimaryaffiliation

saml:edupersonprimaryorgunitdn

saml:edupersonprincipalname

saml:edupersonscopedaffiliation

saml:edupersontargetedid

saml:givenName

saml:iss

saml:mail

saml:name

saml:namequalifier

saml:organizationStatus

saml:primaryGroupSID

saml:sub

saml:sub_type

saml:surname

saml:uid

saml:x500UniqueIdentifier

sts:RoleSessionName

sts:SourceIdentity

sts:TransitiveTagKeys

Write

AssumeRoleWithWebIdentity

Grants permission to obtain a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider

role*

accounts.google.com:aud

accounts.google.com:google/organization_number

accounts.google.com:oaud

accounts.google.com:sub

agent.${Domain}.buildkite.dev:build_branch

agent.${Domain}.buildkite.dev:cluster_id

agent.${Domain}.buildkite.dev:cluster_name

agent.${Domain}.buildkite.dev:organization_id

agent.${Domain}.buildkite.dev:organization_slug

agent.${Domain}.buildkite.dev:pipeline_id

agent.${Domain}.buildkite.dev:pipeline_slug

agent.${Domain}.buildkite.site:build_branch

agent.${Domain}.buildkite.site:cluster_id

agent.${Domain}.buildkite.site:cluster_name

agent.${Domain}.buildkite.site:organization_id

agent.${Domain}.buildkite.site:organization_slug

agent.${Domain}.buildkite.site:pipeline_id

agent.${Domain}.buildkite.site:pipeline_slug

agent.buildkite.com:build_branch

agent.buildkite.com:cluster_id

agent.buildkite.com:cluster_name

agent.buildkite.com:organization_id

agent.buildkite.com:organization_slug

agent.buildkite.com:pipeline_id

agent.buildkite.com:pipeline_slug

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

cognito-identity.amazonaws.com:amr

cognito-identity.amazonaws.com:aud

cognito-identity.amazonaws.com:sub

github.com/enterprises/${EnterpriseName}:actor

github.com/enterprises/${EnterpriseName}:actor_id

github.com/enterprises/${EnterpriseName}:enterprise_id

github.com/enterprises/${EnterpriseName}:environment

github.com/enterprises/${EnterpriseName}:job_workflow_ref

github.com/enterprises/${EnterpriseName}:ref

github.com/enterprises/${EnterpriseName}:repository

github.com/enterprises/${EnterpriseName}:repository_id

github.com/enterprises/${EnterpriseName}:repository_owner_id

github.com/enterprises/${EnterpriseName}:workflow

gitlab.com:namespace_id

gitlab.com:pipeline_source

gitlab.com:project_id

gitlab.com:ref_protected

gitlab.com:runner_environment

gitlab.com:user_access_level

gitlab.com:user_email

gitlab.com:user_id

gitlab.com:user_login

graph.facebook.com:app_id

graph.facebook.com:id

iam:ResourceTag/${TagKey}

idcs-${OciUniqueIdentifier}.identity.oraclecloud.com:rpst_id

oidc.circleci.com/org/${OrgId}:oidc.circleci.com/project-id

sts:RoleAuthorizedByIdp

sts:RoleSessionName

sts:SourceIdentity

sts:TransitiveTagKeys

token.actions.${Domain}.ghe.com:actor

token.actions.${Domain}.ghe.com:actor_id

token.actions.${Domain}.ghe.com:enterprise_id

token.actions.${Domain}.ghe.com:environment

token.actions.${Domain}.ghe.com:job_workflow_ref

token.actions.${Domain}.ghe.com:ref

token.actions.${Domain}.ghe.com:repository

token.actions.${Domain}.ghe.com:repository_id

token.actions.${Domain}.ghe.com:repository_owner_id

token.actions.${Domain}.ghe.com:workflow

token.actions.githubusercontent.com/${SubPath}:actor

token.actions.githubusercontent.com/${SubPath}:actor_id

token.actions.githubusercontent.com/${SubPath}:enterprise_id

token.actions.githubusercontent.com/${SubPath}:environment

token.actions.githubusercontent.com/${SubPath}:job_workflow_ref

token.actions.githubusercontent.com/${SubPath}:ref

token.actions.githubusercontent.com/${SubPath}:repository

token.actions.githubusercontent.com/${SubPath}:repository_id

token.actions.githubusercontent.com/${SubPath}:repository_owner_id

token.actions.githubusercontent.com/${SubPath}:workflow

token.actions.githubusercontent.com:actor

token.actions.githubusercontent.com:actor_id

token.actions.githubusercontent.com:enterprise_id

token.actions.githubusercontent.com:environment

token.actions.githubusercontent.com:job_workflow_ref

token.actions.githubusercontent.com:ref

token.actions.githubusercontent.com:repository

token.actions.githubusercontent.com:repository_id

token.actions.githubusercontent.com:repository_owner_id

token.actions.githubusercontent.com:workflow

www.amazon.com:app_id

www.amazon.com:user_id

Write

AssumeRoot

Grants permission to obtain a set of temporary security credentials that you can use to perform privileged tasks in member accounts in your organization

root-user*

sts:TaskPolicyArn

Write

DecodeAuthorizationMessage

Grants permission to decode additional information about the authorization status of a request from an encoded message returned in response to an Amazon request

Write

GetAccessKeyInfo

Grants permission to obtain details about the access key id passed as a parameter to the request

Read

GetCallerIdentity

Grants permission to obtain details about the IAM identity whose credentials are used to call the API

Read

GetDelegatedAccessToken

Returns temporary security credentials for accessing an Amazon Web Services account after temporary delegation request approval. This API requires the tradeInToken provided upon request delegation approval and is intended to be used only by Amazon or Amazon Partners

Write

GetFederationToken

Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user

federated-user

aws:RequestTag/${TagKey}

aws:TagKeys

Read

GetSessionToken

Grants permission to obtain a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for an Amazon Web Services account or IAM user

Read

GetWebIdentityToken

Grants permission to obtain a short-lived, publicly verifiable JSON Web Token (JWT) that represents the calling IAM principal's identity

aws:RequestTag/${TagKey}

aws:TagKeys

sts:DurationSeconds

sts:IdentityTokenAudience

sts:SigningAlgorithm

Write

Permission-only actions for Amazon Security Token Service

The following actions are defined by Amazon Security Token Service but are not directly invocable through any API operation. They can only be used in IAM policy statements to grant or deny permissions.

Actions Description Resource types (*required) Condition keys Access level

GetServiceBearerToken

Grants permission to obtain a STS bearer token for an Amazon root user, IAM role, or an IAM user

sts:AWSServiceName

sts:DurationSeconds

Read

SetContext

Grants permission to set context keys on a STS session

role

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

sts:RequestContext/${ContextKey}

sts:RequestContextProviders

Write

self-session

sts:RequestContext/${ContextKey}

sts:RequestContextProviders

SetSourceIdentity

Grants permission to set a source identity on a STS session

role

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

sts:SourceIdentity

Write

TagGetWebIdentityToken

Grants permission to add tags to the JSON Web Token (JWT) generated by the GetWebIdentityToken API

aws:RequestTag/${TagKey}

aws:TagKeys

Tagging, Write

TagSession

Grants permission to add tags to a STS session

role

aws:RequestTag/${TagKey}

aws:ResourceTag/${TagKey}

aws:TagKeys

iam:ResourceTag/${TagKey}

saml:aud

sts:TransitiveTagKeys

Tagging, Write

Resource types defined by Amazon Security Token Service

The following resource types are defined by this service and can be used in the Resource element of IAM permission policy statements.

Resource types ARN Condition keys

context-provider

arn:${Partition}:iam::aws:contextProvider/${ContextProviderName}

federated-user

arn:${Partition}:sts::${Account}:federated-user/${FederatedUserName}

role

arn:${Partition}:iam::${Account}:role/${RoleNameWithPath}

aws:ResourceTag/${TagKey}

iam:ResourceTag/${TagKey}

root-user

arn:${Partition}:iam::${Account}:root

self-session

arn:${Partition}:sts::${Account}:self

Condition keys for Amazon Security Token Service

Amazon Security Token Service defines the following condition keys that can be used in the Condition element of an IAM policy.

Condition keys Description Type

accounts.google.com:aud

Filters access by the Google application ID

String

accounts.google.com:google/organization_number

Filters access by the Google Cloud or Google Workspace organization number

Numeric

accounts.google.com:oaud

Filters access by the Google audience

String

accounts.google.com:sub

Filters access by the subject of the claim (the Google user ID)

String

agent.${Domain}.buildkite.dev:build_branch

Filters access by the git branch that triggered the Buildkite build

String

agent.${Domain}.buildkite.dev:cluster_id

Filters access by the Buildkite cluster ID

String

agent.${Domain}.buildkite.dev:cluster_name

Filters access by the Buildkite cluster name

String

agent.${Domain}.buildkite.dev:organization_id

Filters access by the Buildkite organization ID

String

agent.${Domain}.buildkite.dev:organization_slug

Filters access by the Buildkite organization slug

String

agent.${Domain}.buildkite.dev:pipeline_id

Filters access by the Buildkite pipeline ID

String

agent.${Domain}.buildkite.dev:pipeline_slug

Filters access by the Buildkite pipeline slug

String

agent.${Domain}.buildkite.site:build_branch

Filters access by the git branch that triggered the Buildkite build

String

agent.${Domain}.buildkite.site:cluster_id

Filters access by the Buildkite cluster ID

String

agent.${Domain}.buildkite.site:cluster_name

Filters access by the Buildkite cluster name

String

agent.${Domain}.buildkite.site:organization_id

Filters access by the Buildkite organization ID

String

agent.${Domain}.buildkite.site:organization_slug

Filters access by the Buildkite organization slug

String

agent.${Domain}.buildkite.site:pipeline_id

Filters access by the Buildkite pipeline ID

String

agent.${Domain}.buildkite.site:pipeline_slug

Filters access by the Buildkite pipeline slug

String

agent.buildkite.com:build_branch

Filters access by the git branch that triggered the Buildkite build

String

agent.buildkite.com:cluster_id

Filters access by the Buildkite cluster ID

String

agent.buildkite.com:cluster_name

Filters access by the Buildkite cluster name

String

agent.buildkite.com:organization_id

Filters access by the Buildkite organization ID

String

agent.buildkite.com:organization_slug

Filters access by the Buildkite organization slug

String

agent.buildkite.com:pipeline_id

Filters access by the Buildkite pipeline ID

String

agent.buildkite.com:pipeline_slug

Filters access by the Buildkite pipeline slug

String

aws:RequestTag/${TagKey}

Filters access by the tags that are passed in the request

String

aws:ResourceTag/${TagKey}

Filters access by the tags associated with the resource

String

aws:TagKeys

Filters access by the tag keys that are passed in the request

ArrayOfString

cognito-identity.amazonaws.com:amr

Filters access by the login information for Amazon Cognito

String

cognito-identity.amazonaws.com:aud

Filters access by the Amazon Cognito identity pool ID

String

cognito-identity.amazonaws.com:sub

Filters access by the subject of the claim (the Amazon Cognito user ID)

String

github.com/enterprises/${EnterpriseName}:actor

Filters access by the personal account that initiated the workflow run

String

github.com/enterprises/${EnterpriseName}:actor_id

Filters access by the ID of the personal account that initiated the workflow run

String

github.com/enterprises/${EnterpriseName}:enterprise_id

Filters access by the ID of the enterprise that contains the repository from where the workflow is running

String

github.com/enterprises/${EnterpriseName}:environment

Filters access by the name of the environment used by the job

String

github.com/enterprises/${EnterpriseName}:job_workflow_ref

Filters access by the reference path to the reusable workflow for jobs using a reusable workflow

String

github.com/enterprises/${EnterpriseName}:ref

Filters access by the git ref (branch or tag) that triggered the workflow run

String

github.com/enterprises/${EnterpriseName}:repository

Filters access by the repository from where the workflow is running

String

github.com/enterprises/${EnterpriseName}:repository_id

Filters access by the ID of the repository from where the workflow is running

String

github.com/enterprises/${EnterpriseName}:repository_owner_id

Filters access by the ID of the repository owner from where the workflow is running

String

github.com/enterprises/${EnterpriseName}:workflow

Filters access by the name of the workflow

String

gitlab.com:namespace_id

Filters access by the GitLab namespace (group) ID of the project running the CI/CD job

String

gitlab.com:pipeline_source

Filters access by the source that triggered the GitLab pipeline

String

gitlab.com:project_id

Filters access by the GitLab project ID running the CI/CD job

String

gitlab.com:ref_protected

Filters access by whether the GitLab git ref that triggered the job is protected

String

gitlab.com:runner_environment

Filters access by the GitLab runner environment for the CI/CD job

String

gitlab.com:user_access_level

Filters access by the GitLab user access level within the project

String

gitlab.com:user_email

Filters access by the GitLab user email executing the CI/CD job

String

gitlab.com:user_id

Filters access by the GitLab user ID executing the CI/CD job

String

gitlab.com:user_login

Filters access by the GitLab username executing the CI/CD job

String

graph.facebook.com:app_id

Filters access by the Facebook application ID

String

graph.facebook.com:id

Filters access by the Facebook user ID

String

iam:ResourceTag/${TagKey}

Filters access by the tags that are attached to the role that is being assumed

String

idcs-${OciUniqueIdentifier}.identity.oraclecloud.com:rpst_id

Filters access by the OCI resource principal session token ID

String

oidc.circleci.com/org/${OrgId}:oidc.circleci.com/project-id

Filters access by the CircleCI project ID

String

saml:aud

Filters access by the endpoint URL to which SAML assertions are presented

String

saml:cn

Filters access by the eduOrg attribute

ArrayOfString

saml:commonName

Filters access by the commonName attribute

String

saml:doc

Filters access by on the principal that was used to assume the role

String

saml:eduorghomepageuri

Filters access by the eduOrg attribute

ArrayOfString

saml:eduorgidentityauthnpolicyuri

Filters access by the eduOrg attribute

ArrayOfString

saml:eduorglegalname

Filters access by the eduOrg attribute

ArrayOfString

saml:eduorgsuperioruri

Filters access by the eduOrg attribute

ArrayOfString

saml:eduorgwhitepagesuri

Filters access by the eduOrg attribute

ArrayOfString

saml:edupersonaffiliation

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersonassurance

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersonentitlement

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersonnickname

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersonorgdn

Filters access by the eduPerson attribute

String

saml:edupersonorgunitdn

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersonprimaryaffiliation

Filters access by the eduPerson attribute

String

saml:edupersonprimaryorgunitdn

Filters access by the eduPerson attribute

String

saml:edupersonprincipalname

Filters access by the eduPerson attribute

String

saml:edupersonscopedaffiliation

Filters access by the eduPerson attribute

ArrayOfString

saml:edupersontargetedid

Filters access by the eduPerson attribute

ArrayOfString

saml:givenName

Filters access by the givenName attribute

String

saml:iss

Filters access by on the issuer, which is represented by a URN

String

saml:mail

Filters access by the mail attribute

String

saml:name

Filters access by the name attribute

String

saml:namequalifier

Filters access by the hash value of the issuer, account ID, and friendly name

String

saml:organizationStatus

Filters access by the organizationStatus attribute

String

saml:primaryGroupSID

Filters access by the primaryGroupSID attribute

String

saml:sub

Filters access by the subject of the claim (the SAML user ID)

String

saml:sub_type

Filters access by the value persistent, transient, or the full Format URI

String

saml:surname

Filters access by the surname attribute

String

saml:uid

Filters access by the uid attribute

String

saml:x500UniqueIdentifier

Filters access by the uid attribute

String

sts:AWSServiceName

Filters access by the service that is obtaining a bearer token

String

sts:DurationSeconds

Filters access by the duration in seconds when getting a bearer token or a JSON Web Token (JWT) from the GetWebIdentityToken API

Numeric

sts:ExternalId

Filters access by the unique identifier required when you assume a role in another account

String

sts:IdentityTokenAudience

Filters access by the audience that is passed in the request

ArrayOfString

sts:RequestContext/${ContextKey}

Filters access by the session context key-value pairs embedded in the signed context assertion retrieved from a trusted context provider

String

sts:RequestContextProviders

Filters access by the context provider ARNs

ArrayOfARN

sts:RoleAuthorizedByIdp

Filters access based on whether the identity provider authorized the role via the roles claim in the OIDC token

Bool

sts:RoleSessionName

Filters access by the role session name required when you assume a role

String

sts:SigningAlgorithm

Filters access by the signing algorithm that is passed in the request

String

sts:SourceIdentity

Filters access by the source identity that is passed in the request

String

sts:TaskPolicyArn

Filters access by TaskPolicyARN

ARN

sts:TransitiveTagKeys

Filters access by the transitive tag keys that are passed in the request

ArrayOfString

token.actions.${Domain}.ghe.com:actor

Filters access by the personal account that initiated the workflow run

String

token.actions.${Domain}.ghe.com:actor_id

Filters access by the ID of the personal account that initiated the workflow run

String

token.actions.${Domain}.ghe.com:enterprise_id

Filters access by the ID of the enterprise that contains the repository from where the workflow is running

String

token.actions.${Domain}.ghe.com:environment

Filters access by the name of the environment used by the job

String

token.actions.${Domain}.ghe.com:job_workflow_ref

Filters access by the reference path to the reusable workflow for jobs using a reusable workflow

String

token.actions.${Domain}.ghe.com:ref

Filters access by the git ref (branch or tag) that triggered the workflow run

String

token.actions.${Domain}.ghe.com:repository

Filters access by the repository from where the workflow is running

String

token.actions.${Domain}.ghe.com:repository_id

Filters access by the ID of the repository from where the workflow is running

String

token.actions.${Domain}.ghe.com:repository_owner_id

Filters access by the ID of the repository owner from where the workflow is running

String

token.actions.${Domain}.ghe.com:workflow

Filters access by the name of the workflow

String

token.actions.githubusercontent.com/${SubPath}:actor

Filters access by the personal account that initiated the workflow run

String

token.actions.githubusercontent.com/${SubPath}:actor_id

Filters access by the ID of the personal account that initiated the workflow run

String

token.actions.githubusercontent.com/${SubPath}:enterprise_id

Filters access by the ID of the enterprise that contains the repository from where the workflow is running

String

token.actions.githubusercontent.com/${SubPath}:environment

Filters access by the name of the environment used by the job

String

token.actions.githubusercontent.com/${SubPath}:job_workflow_ref

Filters access by the reference path to the reusable workflow for jobs using a reusable workflow

String

token.actions.githubusercontent.com/${SubPath}:ref

Filters access by the git ref (branch or tag) that triggered the workflow run

String

token.actions.githubusercontent.com/${SubPath}:repository

Filters access by the repository from where the workflow is running

String

token.actions.githubusercontent.com/${SubPath}:repository_id

Filters access by the ID of the repository from where the workflow is running

String

token.actions.githubusercontent.com/${SubPath}:repository_owner_id

Filters access by the ID of the repository owner from where the workflow is running

String

token.actions.githubusercontent.com/${SubPath}:workflow

Filters access by the name of the workflow

String

token.actions.githubusercontent.com:actor

Filters access by the personal account that initiated the workflow run

String

token.actions.githubusercontent.com:actor_id

Filters access by the ID of the personal account that initiated the workflow run

String

token.actions.githubusercontent.com:enterprise_id

Filters access by the ID of the enterprise that contains the repository from where the workflow is running

String

token.actions.githubusercontent.com:environment

Filters access by the name of the environment used by the job

String

token.actions.githubusercontent.com:job_workflow_ref

Filters access by the reference path to the reusable workflow for jobs using a reusable workflow

String

token.actions.githubusercontent.com:ref

Filters access by the git ref (branch or tag) that triggered the workflow run

String

token.actions.githubusercontent.com:repository

Filters access by the repository from where the workflow is running

String

token.actions.githubusercontent.com:repository_id

Filters access by the ID of the repository from where the workflow is running

String

token.actions.githubusercontent.com:repository_owner_id

Filters access by the ID of the repository owner from where the workflow is running

String

token.actions.githubusercontent.com:workflow

Filters access by the name of the workflow

String

www.amazon.com:app_id

Filters access by the Login with Amazon application ID

String

www.amazon.com:user_id

Filters access by the Login with Amazon user ID

String