Questions tagged [aws-sts]

The AWS Security Token Service (STS) is a web service that lets you grant a trusted user temporary, limited-privilege credentials to access your Amazon Web Services (AWS) resources.


146 questions
121 votes, 4 answers

Quick way to get AWS Account number from the AWS CLI tools?

Looking for a quick way to pull my account number, I had originally thought of using aws iam get-account-authorization-details --max-items 1 but there are several issues with doing it this way. Is there a way to do this that might not cross account…
ehime
10 votes, 5 answers

AWS sts assume role in one command

To assume an AWS role in the CLI, I do the following command: aws sts assume-role --role-arn arn:aws:iam::123456789123:role/myAwesomeRole --role-session-name test --region eu-central-1 This gives to me an output that follows the schema: { …
Arcones
8 votes, 1 answer

aws sts get-session-token fails with profile

I'm trying to get a session token in order to set environment variables in order to use a tool which uploads to S3 but doesn't directly support AWS profiles. aws sts get-session-token --profile myprofile Enter MFA code for…
Steve Bennett
8 votes, 1 answer

AWS: Amazon Cognito vs STS and SAML

In the official AWS documentation about Cognito, in the outline of a use case it is stated that: 1. In the first step your app user signs in through a user pool and receives user pool tokens after a successful authentication. 2. Next, your app…
pkaramol
8 votes, 1 answer

aws-sdk upload with STS credentials - 403 error

I've been trying to set up Amazon's STS (Security Token Service) to create temporary credentials for client side uploads to S3. I can get the code working fine with an access key generated from the IAM user, but when I swap out the access key/secret…
eetee
4 votes, 1 answer

How secret is the session token in AWS temporary security credentials?

I want to generate pre-signed S3 URLs using temporary security credentials (my program is running on an EC2 host that has an IAM role attached with the policies I want). I saw on the docs for how to create a signed request that I am supposed to…
CDOct
4 votes, 2 answers

Amazon Bucket Policy for only mobile app access

I have a bucket in Amazon S3 and I set data inside read only for everyone. However, this is not what I want. I would like that data to be accessible only from my mobile application and restrict it to download by url. Is that possible? if so how to…
birdcage
3 votes, 1 answer

How to generate AWS credential report for all accounts in an organization

I am looking to generate an AWS credential report for all the accounts under an organization. Is there any way to generate the consolidated report of accounts? I know we can generate a credential report per account (one) under an organization as per…
3 votes, 2 answers

AWS Amplify - CognitoIdentityCredentials is not authorized to perform: sts:AssumeRole on resource

I have an Amplify App using Nuxt. When a user logs in via cognito the app tries to use STS to transfer to another role to get a QuickSight Dashboard Embed Url following this AWS blog post. So I have a role with this policy: { "Version":…
av0000
3 votes, 1 answer

What's the use case for RoleSessionName when assuming a role in AWS and how it affects the performance

I have a scenario in which I want to have access to resources of one account from some other account in AWS (cross-account access). And I want to implement this access in code (NodeJs) implemented as lambda function and also as long-running code on…
Mehran
3 votes, 1 answer

InvalidClientTokenId when calling get-caller-identity on an AWS EC2 instance with instance profile

We're having an issue where we're on a CentOS EC2 instance that is using a role through an attached instance profile. When we're on the console after SSHing in, we run the python awscli command line tool to get our identity: $ aws sts…
Dave
3 votes, 1 answer

How to use assume_role_with_web_identity auth for aws-fog S3 storage in Ruby on Rails?

I have kubernetes setup with STS and it works fine with sdk for sqs, sns etc. I need to use STS auth with fog-aws gem to download/list files and I can do it with ruby aws-sdk-s3 but I use carrierwave gem so I am trying to figure it out using…
pramodtech
3 votes, 1 answer

SignatureDoesNotMatch when overriding STS API endpoint in Terraform

I am running Terraform in AWS region us-west-2 (Oregon) in a private VPC. Because of this I am using VPC endpoints to expose the STS API and am overriding this endpoint in Terraform as follows: provider "aws" { endpoints { sts =…
3 votes, 1 answer

What's the functionality of AWS_SESSION_TOKEN returned from STS API?

aws sts assume-role returns three fields as the issued Temporary Security Credentials. AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN The first two are with the same format of a user's Access Key, but the 3rd field, AWS_SESSION_TOKEN,…
chen
3 votes, 0 answers

AWSSecurityTokenServiceException: Access denied. User is not authorized to perform sts:AssumeRole

I'm new to aws. I want to generate temporary credentials for aws call. And for that I use example from Making Requests Using IAM User Temporary Credentials - AWS SDK for Java Where I pass String clientRegion = ""; String roleARN =…
Nikolas