LinuxCommandLibrary

aws-sts

Obtain temporary AWS credentials

TLDR

Get temporary security credentials to access specific AWS resources

$ aws sts assume-role --role-arn [aws_role_arn] --role-session-name [session_name]

Get details about the IAM user or role whose credentials are used to call the operation

$ aws sts get-caller-identity

SYNOPSIS

aws-sts [options]

PARAMETERS

--profile
    Optional: Specifies the AWS CLI profile to use. If not specified, the default profile is used. This profile contains configuration such as the region and long-term credentials required to authenticate with STS.

--role-arn
    Required: The ARN (Amazon Resource Name) of the IAM role to assume. This is the role that defines the permissions the temporary credentials will have.

--session-name
    Optional: A custom session name for the assumed role session. This helps in identifying the session in AWS CloudTrail logs.

--duration-seconds
    Optional: The duration, in seconds, that the session should last. Values can range from 900 seconds (15 minutes) to the maximum session duration set for the role (up to 43200 seconds, or 12 hours).

--region
    Optional: The AWS region to use. If not specified, the region is determined from the AWS CLI configuration or environment variables.

--output
    Optional: Specifies the output format (e.g., json, text, table). This determines how the credentials are displayed.

--help
    Optional: Displays help information about the command and its options.

DESCRIPTION

The `aws-sts` command is a command-line interface (CLI) tool designed to simplify obtaining temporary AWS credentials using AWS Security Token Service (STS). It leverages STS to assume roles and retrieve access keys, secret keys, and session tokens. This enables users to access AWS resources with specific permissions for a limited duration, promoting security best practices by avoiding the use of long-term IAM user credentials directly. The tool streamlines the process of interacting with STS, handling the complexities of authentication and credential management. It often integrates with configuration files and environment variables to automate the credential retrieval and application process. It allows users to easily retrieve valid temporary credentials to use with the AWS CLI or other AWS SDK tools.

CAVEATS

The `aws-sts` command relies on having properly configured AWS CLI credentials with sufficient permissions to call the STS AssumeRole API. Ensure the IAM user or role you are using has the `sts:AssumeRole` permission for the specified role ARN. The duration specified must be within the allowed limits of the role's maximum session duration.

ERROR HANDLING

The `aws-sts` command will usually exit with a non-zero code if errors occur. Ensure you have enough permissions configured in the IAM Role. Some errors are written to stderr; check that output in case of any problems.

OUTPUT

The command will usually output the values of the temporary credentials (access key, secret key, and session token) to stdout in a format configured via options, or by default in a format suitable for setting environment variables.
These credentials can then be used to authenticate subsequent AWS CLI commands or SDK calls.
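
The sketch below is an added example, not part of the original page or of the AWS CLI. It checks the duration range, calls the real `aws sts assume-role` (which names the session with `--role-session-name`), and prints export lines only for well-formed temporary credentials. The function names and the session name in the usage comment are hypothetical.

```shell
# Added example; function names are hypothetical, not from the AWS CLI.

# --duration-seconds must be an integer in 900..43200 (range stated above).
valid_duration() {
  case "$1" in
    ''|*[!0-9]*|??????*) return 1 ;;   # empty, non-numeric, or too many digits
  esac
  [ "$1" -ge 900 ] && [ "$1" -le 43200 ]
}

# Convert "AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken" into export lines.
# The body is a subshell, so the secrets never become variables of the caller.
creds_to_exports() (
  tab=$(printf '\t')
  IFS=$tab read -r key secret token <<EOF
$1
EOF
  case "$key" in
    ASIA*) ;;   # STS-issued temporary key ids start with ASIA (AKIA = long-term)
    *) echo "not a temporary access key id" >&2; exit 1 ;;
  esac
  # Reject empty fields, extra fields, and characters that are unsafe to quote.
  case "$key" in *[!A-Z0-9]*) exit 1 ;; esac
  for v in "$secret" "$token"; do
    case "$v" in ''|*[!A-Za-z0-9/+=]*) exit 1 ;; esac
  done
  printf "export AWS_ACCESS_KEY_ID='%s'\n" "$key"
  printf "export AWS_SECRET_ACCESS_KEY='%s'\n" "$secret"
  printf "export AWS_SESSION_TOKEN='%s'\n" "$token"
)

# Assume a role and print export lines. The session name ($2) is what appears
# in CloudTrail, so choose one that identifies the person or job.
assume_role_env() {
  valid_duration "${3:-3600}" || { echo "duration out of range" >&2; return 2; }
  creds_to_exports "$(aws sts assume-role --role-arn "$1" \
    --role-session-name "$2" --duration-seconds "${3:-3600}" \
    --query 'Credentials.[AccessKeyId,SecretAccessKey,SessionToken]' \
    --output text)"
}

# Usage: eval "$(assume_role_env [aws_role_arn] audit-session 900)"
```

Running `aws sts get-caller-identity` after the `eval` confirms that subsequent calls are made as the assumed role rather than with the long-term profile.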

SEE ALSO

aws(1), aws configure(1), sts(1)
