Security Token Service(STS)

AWS Security Token Service(STS) is a web service that enables you to request temporary, limited privilege credentials for IAM Users or Federated Users.STS is the service that is a building block of many identity processes within AWS. If you have used the IAM role, then you already use the service provided by STS without necessarily being aware of it.


How STS Works

We start with the user who wants to assume a role, and that’s why STS is involved.

Temporary credentials include

Use Case:

At this stage, temporary credentials are generated and will be returned to the identity who assumes the role. Once the credentials expire, another sts:AssumeRole* call is needed to get access to new credentials.

NOTE: Temporary credentials can’t be canceled. You can’t manually invalidate credentials.

If you want to check these temporary credentials, log in to the EC2 instance, which assumes the IAM role s3_full_access_role, and access its metadata service( via curl command. Check this doc for more info

$ curl

$ curl
"Code" : "Success",
"LastUpdated" : "2022–08–16T22:57:12Z",
"Type" : "AWS-HMAC",
"SecretAccessKey" : "mdsTXXXXXXXXXX",
"Token" : "IQoJbXXXXXXXX"
"Expiration" : "2022–11–19T05:32:30Z"

Now let deep dive in and see the practical demonstration and assume the IAM role on the command line

aws iam create-user --user-name prashant
"Version": "2012-10-17",
"Statement": [
"Effect": "Allow",
"Action": [
"Resource": "*"
aws iam create-policy --policy-name assume-role-policy --policy-document file://assume-role-policy.json

Note down the ARN (Amazon Resource Name) of the IAM policy

aws iam attach-user-policy --user-name prashant --policy-arn "arn:aws:iam::1234567890:policy/assume-role-policy"
aws iam list-attached-user-policies --user-name prashant
"Version": "2012-10-17",
"Statement": {
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::1234567890:user/prashant"
"Action": "sts:AssumeRole"

NOTE: This trust policy allows users “arn:aws:iam::1234567890:user/prashant” to assume this role if they allow the sts:AssumeRole action in their permissions policy.

#Create an IAM Role
aws iam create-role --role-name assume-trust-role --assume-role-policy-document file://assume-role-trust-policy.json
#Attach S3 read only access policy to the role
aws iam attach-role-policy --role-name assume-trust-role --policy-arn "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
#List the attached role
aws iam list-attached-role-policies --role-name assume-trust-role
aws iam create-access-key --user-name prashant
aws configure
AWS Access Key ID [****************PFEC]: XXXXXXXX
AWS Secret Access Key [****************tHBh]: pYUgRXXXXXXXX
Default region name [us-east-1]:
Default output format [json]:
aws sts get-caller-identity
"Account": "1234567890",
"Arn": "arn:aws:iam::488842980206:user/prashant"
aws s3 ls

An error occurred (AccessDenied) when calling the ListBuckets operation: Access Denied
aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/assume-trust-role" --role-session-name my-demo-role
export AWS_ACCESS_KEY_ID=RoleAccessKeyID
export AWS_SECRET_ACCESS_KEY=RoleSecretKey
export AWS_SESSION_TOKEN=RoleSessionToken
OUT=$(aws sts assume-role --role-arn arn:aws:iam::123456789012:role/assume-trust-role --role-session-name my-demo-role);\
export AWS_ACCESS_KEY_ID=$(echo $OUT | jq -r '.Credentials''.AccessKeyId');\
export AWS_SECRET_ACCESS_KEY=$(echo $OUT | jq -r '.Credentials''.SecretAccessKey');\
export AWS_SESSION_TOKEN=$(echo $OUT | jq -r '.Credentials''.SessionToken');
aws s3 ls



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Prashant Lakhera

AWS Community Builder, Ex-Redhat, Author, Blogger, YouTuber, RHCA, RHCDS, RHCE, Docker Certified,4XAWS, CCNA, MCP, Certified Jenkins, Terraform Certified, 1XGCP