AWS STS

Connect to AWS Security Token Service

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

With AWS STS, you can:

  • Assume IAM roles: Request temporary credentials to access AWS resources across accounts or with elevated permissions
  • Verify identity: Determine the AWS account, ARN, and user ID associated with the calling credentials
  • Generate session tokens: Obtain temporary credentials with optional MFA protection for enhanced security
  • Audit access keys: Look up the AWS account that owns a given access key for security investigations

In Sim, the AWS STS integration allows your agents to manage temporary credentials as part of automated workflows. This is useful for cross-account access patterns, credential rotation, identity verification before sensitive operations, and security auditing. Agents can assume roles to interact with other AWS services, verify their own identity, or look up access key ownership without exposing long-lived credentials.

Usage Instructions

Integrate AWS STS into the workflow. Assume roles, get temporary credentials, verify caller identity, and look up access key information.

Tools

sts_assume_role

Assume an IAM role and receive temporary security credentials

Input

Parameter         Type    Required  Description
region            string  Yes       AWS region (e.g., us-east-1)
accessKeyId       string  Yes       AWS access key ID
secretAccessKey   string  Yes       AWS secret access key
roleArn           string  Yes       ARN of the IAM role to assume
roleSessionName   string  Yes       Identifier for the assumed role session
durationSeconds   number  No        Duration of the session in seconds (900-43200, default 3600)
externalId        string  No        External ID for cross-account access
serialNumber      string  No        MFA device serial number or ARN
tokenCode         string  No        MFA token code (6 digits)

Output

Parameter         Type    Description
accessKeyId       string  Temporary access key ID
secretAccessKey   string  Temporary secret access key
sessionToken      string  Temporary session token
expiration        string  Credential expiration timestamp
assumedRoleArn    string  ARN of the assumed role
assumedRoleId     string  Assumed role ID with session name
packedPolicySize  number  Percentage of allowed policy size used

sts_get_caller_identity

Get details about the IAM user or role whose credentials are used to call the API

Input

Parameter         Type    Required  Description
region            string  Yes       AWS region (e.g., us-east-1)
accessKeyId       string  Yes       AWS access key ID
secretAccessKey   string  Yes       AWS secret access key

Output

Parameter         Type    Description
account           string  AWS account ID
arn               string  ARN of the calling entity
userId            string  Unique identifier of the calling entity

sts_get_session_token

Get temporary security credentials for an IAM user, optionally with MFA

Input

Parameter         Type    Required  Description
region            string  Yes       AWS region (e.g., us-east-1)
accessKeyId       string  Yes       AWS access key ID
secretAccessKey   string  Yes       AWS secret access key
durationSeconds   number  No        Duration of the session in seconds (900-129600, default 43200)
serialNumber      string  No        MFA device serial number or ARN
tokenCode         string  No        MFA token code (6 digits)

Output

Parameter         Type    Description
accessKeyId       string  Temporary access key ID
secretAccessKey   string  Temporary secret access key
sessionToken      string  Temporary session token
expiration        string  Credential expiration timestamp

sts_get_access_key_info

Get the AWS account ID associated with an access key

Input

Parameter           Type    Required  Description
region              string  Yes       AWS region (e.g., us-east-1)
accessKeyId         string  Yes       AWS access key ID
secretAccessKey     string  Yes       AWS secret access key
targetAccessKeyId   string  Yes       The access key ID to look up

Output

Parameter         Type    Description
account           string  AWS account ID that owns the access key
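Putting the tool contracts above into practice, here is an added example (not Sim's own code) that validates an sts_assume_role request against its Input table, computes the remaining credential lifetime from the Output's expiration, and checks sts_get_caller_identity output against the role that was meant to be assumed before a sensitive operation. The sample request, identity and response values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

# Constraints taken from the sts_assume_role Input table above
ASSUME_ROLE_DURATION = (900, 43200)      # durationSeconds range, default 3600
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):role/[\w+=,.@/-]+$")

def validate_assume_role_input(params: dict) -> dict:
    """Return a cleaned sts_assume_role request or raise ValueError.
    Enforces the Input table: required fields, duration range, 6-digit MFA code,
    and that serialNumber and tokenCode are supplied together or not at all."""
    for key in ("region", "accessKeyId", "secretAccessKey", "roleArn", "roleSessionName"):
        if not params.get(key):
            raise ValueError(f"{key} is required")
    if not ROLE_ARN_RE.match(params["roleArn"]):
        raise ValueError("roleArn is not an IAM role ARN")
    duration = int(params.get("durationSeconds", 3600))
    lo, hi = ASSUME_ROLE_DURATION
    if not lo <= duration <= hi:
        raise ValueError(f"durationSeconds must be within {lo}-{hi}")
    serial, code = params.get("serialNumber"), params.get("tokenCode")
    if (serial is None) != (code is None):
        raise ValueError("serialNumber and tokenCode must be supplied together")
    if code is not None and not re.fullmatch(r"\d{6}", code):
        raise ValueError("tokenCode must be exactly 6 digits")
    return {**params, "durationSeconds": duration}

def seconds_until_expiry(output: dict, now: datetime) -> float:
    """Remaining lifetime of the credentials in an sts_assume_role or
    sts_get_session_token Output, from its ISO 8601 expiration timestamp."""
    exp = datetime.fromisoformat(output["expiration"].replace("Z", "+00:00"))
    return (exp - now).total_seconds()

def caller_matches_role(identity: dict, expected_account: str, role_arn: str) -> bool:
    """Check sts_get_caller_identity Output against the role that was meant to be
    assumed: same account, and an assumed-role ARN for that role name
    (arn:aws:sts::<account>:assumed-role/<role>/<session>)."""
    role_name = role_arn.rsplit("/", 1)[-1]
    prefix = f":{expected_account}:assumed-role/{role_name}/"
    return identity["account"] == expected_account and prefix in identity["arn"]

# Constructed sample values (not real credentials, accounts or responses)
SAMPLE_REQUEST = {"region": "us-east-1", "accessKeyId": "AKIAEXAMPLEKEY", "secretAccessKey": "EXAMPLESECRET",
                  "roleArn": "arn:aws:iam::111111111111:role/AuditReader",
                  "roleSessionName": "sim-agent-run-42", "externalId": "partner-external-id-example"}
SAMPLE_IDENTITY = {"account": "111111111111", "userId": "AROAEXAMPLEID:sim-agent-run-42",
                   "arn": "arn:aws:sts::111111111111:assumed-role/AuditReader/sim-agent-run-42"}
SAMPLE_OUTPUT = {"expiration": "2024-01-01T13:00:00Z"}
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
```

A workflow can run the validation before calling sts_assume_role, refresh when the remaining lifetime falls below a threshold, and refuse to continue when the caller identity does not match the intended account and role.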
