STS issues temporary security credentials (access key + secret key + session token) that expire after a set time. Temporary credentials are safer than long-term access keys because they become invalid on their own: a leaked set has a bounded lifetime and needs no manual revocation.
| Operation | Used By | Duration |
|---|---|---|
| AssumeRole | Services, cross-account access, federated users | 15 min to 12 hours |
| AssumeRoleWithWebIdentity | Apps using Cognito, Google, Facebook login | 1 hour |
| AssumeRoleWithSAML | Enterprise SSO (Active Directory) | 1 hour |
| GetSessionToken | IAM users adding MFA to temporary credentials | 15 min to 36 hours |
Account A (the trusting account) creates a role whose trust policy allows Account B to assume it:

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::ACCOUNT_B_ID:root"},
    "Action": "sts:AssumeRole"
  }]
}
```

A user in Account B then assumes the role and uses the returned credentials:

```bash
# Account B user assumes the role:
aws sts assume-role \
  --role-arn "arn:aws:iam::ACCOUNT_A_ID:role/CrossAccountRole" \
  --role-session-name "MySession"
# Returns temporary credentials:
# AccessKeyId, SecretAccessKey, SessionToken (expires in 1 hour)
# Use them:
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=...
export AWS_SESSION_TOKEN=...
```
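Because the credentials above expire, long-running code has to notice the expiry and re-assume the role instead of failing mid-job. The following is an added example (not from the original page or from AWS) that parses an `assume-role` response, checks the AssumeRole duration bounds from the table, and refreshes shortly before expiry; it assumes a caller-supplied `assume_role(duration)` callable that performs the real STS call, so it runs offline with a stub.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Callable, Dict

# DurationSeconds bounds for AssumeRole, from the table above: 15 min to 12 hours.
MIN_DURATION, MAX_DURATION = 15 * 60, 12 * 60 * 60


def validate_duration(seconds: int) -> int:
    """Reject a DurationSeconds outside the AssumeRole range before calling STS."""
    if not MIN_DURATION <= seconds <= MAX_DURATION:
        raise ValueError(f"DurationSeconds must be {MIN_DURATION}-{MAX_DURATION}, got {seconds}")
    return seconds


def parse_time(iso: str) -> datetime:
    """STS reports Expiration as ISO 8601 UTC with a trailing Z (e.g. 2030-01-01T01:00:00Z)."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00"))


@dataclass
class TemporaryCredentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: datetime  # timezone-aware, as STS reports it

    @classmethod
    def from_response(cls, resp: Dict) -> "TemporaryCredentials":
        """Build from the JSON document `aws sts assume-role` prints."""
        c = resp["Credentials"]
        return cls(c["AccessKeyId"], c["SecretAccessKey"], c["SessionToken"], parse_time(c["Expiration"]))

    def usable(self, now: datetime, margin: int = 300) -> bool:
        """False once the credentials are within `margin` seconds of expiring."""
        return self.expiration - now > timedelta(seconds=margin)

    def as_env(self) -> Dict[str, str]:
        """The three variables the shell snippet above exports."""
        return {"AWS_ACCESS_KEY_ID": self.access_key_id,
                "AWS_SECRET_ACCESS_KEY": self.secret_access_key,
                "AWS_SESSION_TOKEN": self.session_token}


class RoleSession:
    """Hands out credentials and re-assumes the role shortly before they expire."""
    def __init__(self, assume_role: Callable[[int], Dict], duration: int = 3600):
        # assume_role(duration) is assumed to call STS (e.g. boto3 sts.assume_role) and return its dict.
        self._assume_role, self._duration = assume_role, validate_duration(duration)
        self._creds, self.refresh_count = None, 0  # refresh_count: times the role was (re)assumed

    def credentials(self, now: datetime) -> TemporaryCredentials:
        if self._creds is None or not self._creds.usable(now):
            self._creds = TemporaryCredentials.from_response(self._assume_role(self._duration))
            self.refresh_count += 1
        return self._creds
```

Pass the 5-minute margin check a clock from the same source you use for request signing; a skewed local clock is the usual reason a "still valid" token is rejected.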