AWS STS (Security Token Service) Command Examples
1. Get temporary security credentials to access specific AWS resources
Code:
aws sts assume-role --role-arn aws_role_arn --role-session-name session_name
Motivation:
The assume-role command obtains temporary security credentials (an access key ID, a secret access key and a session token) for an IAM role. It is the standard way to delegate access to specific AWS resources to a user, application or another account without handing out long-lived credentials: the caller receives credentials that carry only the role's permissions and that expire after a set period (one hour by default, bounded by the role's maximum session duration). The caller must be allowed to assume the role both by its own IAM policy and by the role's trust policy; otherwise the call is denied.
Arguments:
--role-arn
: The Amazon Resource Name (ARN) of the IAM role to be assumed.
--role-session-name
: Required. A name for the session, 2 to 64 characters from the set [\w+=,.@-]. It becomes part of the assumed-role ARN and is recorded in CloudTrail, so choose a value that identifies who or what assumed the role.
--duration-seconds
: Optional. Lifetime of the returned credentials, from 900 seconds up to the role's maximum session duration (default 3600).
Example Output:
{
    "Credentials": {
        "AccessKeyId": "ASIA5P3CBY...",
        "SecretAccessKey": "cDqIBj83...",
        "SessionToken": "FwoGZXIv...",
        "Expiration": "2022-03-01T19:11:50Z"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "AROA4B271E...",
        "Arn": "arn:aws:sts::123456789012:assumed-role/MyRole/myusername"
    }
}
2. Get the IAM user or role whose credentials are being used to call the operation
Code:
aws sts get-caller-identity
Motivation:
The get-caller-identity command returns the user ID, account ID and ARN of the IAM user or role whose credentials are making the call. It is the quickest way to confirm which credentials the CLI has actually picked up (from a profile, environment variables or an instance role), and it is especially useful in multi-account and cross-account work, where the ARN shows whether you are acting as your own user or as an assumed role (arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION). No IAM permissions are required to call it, and an explicit deny on sts:GetCallerIdentity does not block it, so it always works as a sanity check but says nothing about what the identity is otherwise allowed to do.
Arguments:
None
Example Output:
{
    "UserId": "AIDACKCEVSQ6C2EXAMPLE",
    "Account": "123456789012",
    "Arn": "arn:aws:iam::123456789012:user/user-name"
}
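In practice the two commands are used together: assume the role, export the returned credentials, then call get-caller-identity to prove the shell is now acting as the role. The script below is an added example written for this page, not code from the original page or from AWS. The role ARN, the session-name scheme and the credential values in the embedded sample response are hypothetical and constructed; only the command-line options are real AWS CLI options.

```shell
#!/bin/sh
# Added example, not code from the original page: assume an IAM role with the AWS
# CLI, load the temporary credentials into the current shell, and confirm the
# identity change with get-caller-identity. Role ARN, session-name scheme and
# sample credential values are hypothetical.

# Turn an assume-role JSON response (stdin) into export statements for the three
# variables the AWS CLI and SDKs read. Splitting on '"' is safe because the values
# are base64-style strings that never contain a double quote; needs only POSIX awk.
credentials_to_exports() {
  awk -F'"' '
    /"AccessKeyId"/     { print "export AWS_ACCESS_KEY_ID=\"" $4 "\"" }
    /"SecretAccessKey"/ { print "export AWS_SECRET_ACCESS_KEY=\"" $4 "\"" }
    /"SessionToken"/    { print "export AWS_SESSION_TOKEN=\"" $4 "\"" }
  '
}

# Call assume-role. --role-session-name is required; choose a value that identifies
# the human or job, since it is recorded in CloudTrail and in the assumed-role ARN.
# $1 = role ARN, $2 = session name, $3 = lifetime in seconds (default 3600).
assume_role() {
  aws sts assume-role \
    --role-arn "$1" \
    --role-session-name "$2" \
    --duration-seconds "${3:-3600}" \
    --output json
}

# Constructed sample response in the shape the CLI prints, so the parsing step can
# be exercised without AWS access (these are not real credentials).
SAMPLE_RESPONSE='{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
    "SessionToken": "FwoGZXIvYXdzEXAMPLE+token/with=padding==",
    "Expiration": "2022-03-01T19:11:50Z"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "AROAEXAMPLE:ops-example",
    "Arn": "arn:aws:sts::123456789012:assumed-role/MyRole/ops-example"
  }
}'
printf '%s\n' "$SAMPLE_RESPONSE" | credentials_to_exports

# Live path, run only when a role ARN is supplied, e.g.
#   ROLE_ARN=arn:aws:iam::123456789012:role/MyRole sh assume_role.sh   (hypothetical ARN)
if [ -n "${ROLE_ARN:-}" ]; then
  SESSION_NAME="ops-$(id -un)-$(date -u +%Y%m%dT%H%M%SZ)"
  EXPORTS=$(assume_role "$ROLE_ARN" "$SESSION_NAME" | credentials_to_exports)
  [ -n "$EXPORTS" ] || { echo "assume-role returned no credentials" >&2; exit 1; }
  eval "$EXPORTS"
  # With all three variables exported, the CLI uses them ahead of any profile, so
  # the Arn printed here should end in :assumed-role/<RoleName>/$SESSION_NAME.
  aws sts get-caller-identity
fi
```

The awk step is there so the script runs on the sample without extra tools; with a real CLI you can instead ask for the three values directly with --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' --output text. To drop back to your original identity, unset AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY and AWS_SESSION_TOKEN; the credentials also stop working on their own at the Expiration time in the response.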
These are the first two examples of how to use the aws sts
command. Stay tuned for the remaining six in the next sections.