AWS Security Token Service (STS)

AWS STS provides temporary, limited-privilege credentials for IAM users and federated identities.

Refer to the AWS Identity and Access Management User Guide for guidance on IAM and STS uses.

API Access

The ISTSClient interface and its implementation TSTSClient provide access to all STS operations.

Identifying the Caller

Use GetCallerIdentity to verify which credentials are being used:

program CallerIdentity;

{$APPTYPE CONSOLE}

uses
  AWS.STS; // STS client unit; the unit name is assumed from the SDK's naming convention

var
  Client: ISTSClient;
  Response: ISTSGetCallerIdentityResponse;
begin
  // Create a client using the SDK's default credential resolution
  Client := TSTSClient.Create;
  // GetCallerIdentity takes no parameters and requires no IAM permission,
  // so it is a safe way to confirm which credentials are in use
  Response := Client.GetCallerIdentity;
  Writeln('Account: ', Response.Account);
  Writeln('ARN: ', string(Response.Arn));
  Writeln('User ID: ', Response.UserId);
end.
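As an added example that is not part of the SDK's own documentation, the following program uses GetCallerIdentity as a guard: it refuses to run when the credentials belong to an account other than the one expected, and it goes a step beyond the page by classifying the ARN as an IAM user, account root, federated user or assumed-role session. The unit name AWS.STS, the placeholder ExpectedAccount value and the PrincipalType helper are assumptions; only ISTSClient, TSTSClient and GetCallerIdentity come from the page.

```delphi
program VerifyCallerIdentity;

{$APPTYPE CONSOLE}

uses
  System.SysUtils,
  AWS.STS; // unit name assumed from the SDK's naming convention

const
  // Constructed placeholder; replace with the account the tool is meant to run in
  ExpectedAccount = '123456789012';

// Classifies the principal from the resource segment of an ARN of the form
// arn:partition:service::account:resource. Pure, so it can be tested offline.
function PrincipalType(const Arn: string): string;
var
  Parts: TArray<string>;
begin
  Parts := Arn.Split([':'], 6); // at most 6 parts, so the resource keeps its own colons
  if Length(Parts) < 6 then
    Exit('unknown');
  if Parts[5].StartsWith('assumed-role/') then
    Result := 'assumed-role session'
  else if Parts[5].StartsWith('federated-user/') then
    Result := 'federated user'
  else if Parts[5].StartsWith('user/') then
    Result := 'IAM user'
  else if Parts[5] = 'root' then
    Result := 'account root'
  else
    Result := 'unknown';
end;

var
  Client: ISTSClient;
  Response: ISTSGetCallerIdentityResponse;
  Arn: string;
begin
  Client := TSTSClient.Create;
  Response := Client.GetCallerIdentity;
  Arn := string(Response.Arn);
  // Fail closed: an unhandled exception ends the program with a non-zero exit code
  if Response.Account <> ExpectedAccount then
    raise Exception.CreateFmt('Refusing to run: credentials belong to account %s, expected %s',
      [Response.Account, ExpectedAccount]);
  Writeln('Account: ', Response.Account);
  Writeln('Principal: ', PrincipalType(Arn), ' (', Arn, ')');
end.
```

Running it under an assumed role prints a resource segment such as assumed-role/RoleName/SessionName, which is the quickest way to tell a role session apart from long-lived IAM user keys.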

Other Operations

  • AssumeRole returns temporary credentials for assuming an IAM role.
  • AssumeRoleWithSAML returns temporary credentials for users authenticated via a SAML identity provider.
  • AssumeRoleWithWebIdentity returns temporary credentials for users authenticated via a web identity provider (e.g. OpenID Connect).
  • GetSessionToken returns temporary credentials for an IAM user, typically used with MFA.
  • GetFederationToken returns temporary credentials for a federated user.