What is STS
STS (Security Token Service) is a temporary access permission management service provided by {{channelName}}. IAM offers two types of identities: IAM users and IAM roles. IAM roles have no permanent identity credentials; they can only obtain temporary identity credentials, with a customizable validity period and customizable access permissions, through STS. These temporary credentials are called security tokens (STS Tokens).
Basic Concepts
IAM User
An IAM user is one type of entity identity in IAM. It has a fixed identity ID and fixed credentials, and usually corresponds to a specific person or application. For more information, please refer to User Management.
IAM Role
An IAM role is a virtual user to which a set of permission policies can be granted. Unlike IAM users, an IAM role has no fixed login password or access key; it must be assumed by a trusted entity user (an IAM user). Once the role is assumed successfully, the entity user obtains the temporary identity credential of the IAM role, that is, the security token (STS Token). The security token can then be used to access authorized resources under the identity of the IAM role.
Permission Policies
Permission policies are collections of permissions written in a simple language specification, which precisely describes the set of authorized resources, the authorized operations, and the conditions under which the authorization applies. A set of permission policies can be bound to an IAM role. An IAM role with no bound permission policies can exist, but it cannot access any resources.
Assuming Roles
Assuming a role is the method by which an entity user obtains the security token of a role identity. An entity user obtains the role's security token by calling the STS API AssumeRole - Obtain temporary identity credentials by assuming a role, and then uses the security token to access cloud service APIs.
Feature Function
Obtaining an STS Token by Assuming a Role as an IAM User
An authorized IAM user can use its own access key to call AssumeRole - Obtain temporary identity credentials of the assumed role to obtain the STS Token of an IAM role, and then use that STS Token to access {{channelName}} cloud resources. This is commonly used in cross-account access and temporary authorization scenarios.
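The following is an added illustrative model of the role-assumption flow described in the two sections above; it is not the service's real AssumeRole API and its role, user and action names are constructed. It shows the properties the page relies on: a role has bound policies but no long-term key, only a trusted entity user can assume it, the resulting token expires on its own, and a customized (session) policy can only narrow, never widen, the role's permissions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional
import secrets

@dataclass
class Role:
    name: str
    trusted_users: set   # entity users allowed to assume this role
    policies: set        # actions granted by the role's bound permission policies

@dataclass
class StsToken:          # the role's temporary identity credential
    role: str
    actions: set
    expires_at: datetime
    secret: str = field(default_factory=lambda: secrets.token_hex(16))

def assume_role(user: str, role: Role, now: datetime, duration_seconds: int = 3600,
                session_policy: Optional[set] = None) -> StsToken:
    """Model of AssumeRole: only a trusted entity user may assume the role, and the
    token never carries more permissions than the role's own policies."""
    if user not in role.trusted_users:
        raise PermissionError(f"{user} is not trusted to assume {role.name}")
    actions = role.policies if session_policy is None else role.policies & session_policy
    return StsToken(role.name, actions, now + timedelta(seconds=duration_seconds))

def authorize(token: StsToken, action: str, now: datetime) -> bool:
    """Check a cloud API would make: the token must be unexpired and the action in scope."""
    return now < token.expires_at and action in token.actions

def demo():
    """Constructed walk-through: a 15-minute token with a session policy narrower than the role."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)            # constructed clock
    role = Role("storage-reader", {"alice"}, {"storage:Get", "storage:List"})
    tok = assume_role("alice", role, t0, duration_seconds=900,
                      session_policy={"storage:Get", "storage:Delete"})
    try:
        assume_role("mallory", role, t0)                      # not in trusted_users
        untrusted_blocked = False
    except PermissionError:
        untrusted_blocked = True
    return (sorted(tok.actions),                              # ['storage:Get']
            authorize(tok, "storage:Get", t0 + timedelta(minutes=5)),    # True
            authorize(tok, "storage:Get", t0 + timedelta(minutes=20)),   # False: expired
            untrusted_blocked)                                           # True

if __name__ == "__main__":
    print(demo())
```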
Product Advantages
Using an STS Token reduces the risk posed by leakage of a long-term access key (AccessKey). An STS Token is time-limited: it has a customizable validity period and expires automatically when that period ends, so it does not need regular rotation. Customized permission policies can be bound to an STS Token, providing more flexible and fine-grained authorization of cloud resources.