aws-sts
Obtain temporary AWS credentials
TLDR
Get temporary security credentials to access specific AWS resources
Identify the IAM user or role whose credentials are used to call the operation
SYNOPSIS
aws sts subcommand [global-options]
PARAMETERS
--debug
Turn on debug logging for troubleshooting.
--endpoint-url URL
Override default STS endpoint URL.
--no-verify-ssl
Disable SSL certificate verification (insecure).
--region REGION
AWS region, e.g., us-east-1 (STS supports global endpoints).
--profile PROFILE
Use specific named profile from AWS config.
--output text|table|json
Output format; json is the default and the easiest to parse.
--query JMESPath
JMESPath query to filter JSON output.
--cli-input-json FILE
Read input from JSON file instead of stdin.
--no-paginate
Disable automatic pagination (rare for STS).
--help
Show help for command or subcommand.
DESCRIPTION
The aws sts command is a core component of the AWS Command Line Interface (CLI), providing access to AWS Security Token Service (STS). STS enables temporary security credentials for IAM users, roles, and federated identities, supporting secure, short-lived access to AWS resources without sharing long-term keys.
Key use cases include verifying identity via get-caller-identity, assuming roles for cross-account access or privilege escalation with assume-role, securing sessions with MFA using get-session-token, and federated access through SAML or OIDC with commands like assume-role-with-saml or assume-role-with-web-identity. It's vital for automation, CI/CD pipelines, EC2 instance roles, and compliance with least-privilege principles.
Commands output structured JSON by default, which is ideal for scripting with the --query and --output options. The command requires the AWS CLI (v2 recommended for performance) and credentials configured via environment variables, ~/.aws/credentials, or an IAM role. STS calls are free but subject to API limits and regional endpoints.
CAVEATS
Temporary credentials expire (15 min to 36 h); renew them as needed. Regional endpoints are required for some regions. MFA or role trust policies must be configured before the corresponding calls succeed. High-volume calls may hit throttling limits.
COMMON SUBCOMMANDS
get-caller-identity: Get caller ARN/UserId/Account.
assume-role: Assume IAM role for temp creds.
get-session-token: Get MFA-secured token.
assume-role-with-saml: SAML-based federation.
EXAMPLE USAGE
aws sts get-caller-identity --output table
aws sts assume-role --role-arn arn:aws:iam::123:role/MyRole --role-session-name mysession
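As an added example (not part of this page or the AWS CLI itself), a small shell helper that runs the assume-role call above with --query and --output text, then loads the short-lived credentials into the current shell. It assumes the aws CLI is on PATH and the caller is trusted by the role; ROLE_ARN and SESSION_NAME are placeholders and the function names are ours.

```sh
# Added example, not from the page: assume a role with aws sts and load the
# short-lived credentials into the current shell. Assumes the aws CLI is on
# PATH; ROLE_ARN and SESSION_NAME are placeholders supplied by the caller.

# Parse one --output text line of the form
#   AccessKeyId<TAB>SecretAccessKey<TAB>SessionToken<TAB>Expiration
# and export the variables the CLI and SDKs read. Returns 1 on malformed
# input so a failed assume-role never leaves the previous keys in place.
sts_export_creds() {
  old_ifs=$IFS
  IFS=$(printf '\t')     # credentials contain no tabs or glob characters
  set -- $1
  IFS=$old_ifs
  if [ "$#" -ne 4 ] || [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ]; then
    echo "sts_export_creds: unexpected assume-role output" >&2
    return 1
  fi
  export AWS_ACCESS_KEY_ID="$1" AWS_SECRET_ACCESS_KEY="$2" AWS_SESSION_TOKEN="$3"
  export AWS_CREDENTIAL_EXPIRATION="$4"   # ISO-8601; check it before long jobs
}

# Assume ROLE_ARN for DURATION seconds (default 3600). The session name is
# recorded in CloudTrail, so name the pipeline or operator. The duration is
# capped by the role's MaxSessionDuration, and by 1 hour when the calling
# credentials themselves come from an assumed role (role chaining).
sts_assume_role() {
  role_arn=$1 session_name=$2 duration=${3:-3600}
  out=$(aws sts assume-role \
      --role-arn "$role_arn" \
      --role-session-name "$session_name" \
      --duration-seconds "$duration" \
      --query '[Credentials.AccessKeyId,Credentials.SecretAccessKey,Credentials.SessionToken,Credentials.Expiration]' \
      --output text) || return 1
  sts_export_creds "$out"
}

# Confirm the switch: the Arn now names the assumed-role session, not the caller.
sts_whoami() {
  aws sts get-caller-identity --query Arn --output text
}

# Usage (placeholders): sts_assume_role "$ROLE_ARN" "$SESSION_NAME" && sts_whoami
```

Source the file rather than executing it, so the exported variables land in your interactive shell or CI step.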
HISTORY
Part of AWS CLI v1 (2013 initial release), with STS support from early versions for identity federation. AWS CLI v2 (2020) improved speed, added features like auto-prompt. STS evolved with additions like Web Identity Federation (2011 service launch).