AWS STS

AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).

With AWS STS, you can:

  • Assume IAM roles: Request temporary credentials to access AWS resources across accounts or with elevated permissions
  • Verify identity: Determine the AWS account, ARN, and user ID associated with the calling credentials
  • Generate session tokens: Obtain temporary credentials with optional MFA protection for enhanced security
  • Audit access keys: Look up the AWS account that owns a given access key for security investigations

In Sim, the AWS STS integration allows your agents to manage temporary credentials as part of automated workflows. This is useful for cross-account access patterns, credential rotation, identity verification before sensitive operations, and security auditing. Agents can assume roles to interact with other AWS services, verify their own identity, or look up access key ownership without exposing long-lived credentials.

Usage Instructions

Integrate AWS STS into the workflow. Assume roles, get temporary credentials, verify caller identity, and look up access key information.

Actions

sts_assume_role

Assume an IAM role and receive temporary security credentials

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
roleArnstringYesARN of the IAM role to assume
roleSessionNamestringYesIdentifier for the assumed role session
durationSecondsnumberNoDuration of the session in seconds (900-43200, default 3600)
policystringNoJSON IAM policy to further restrict session permissions (max 2048 chars)
externalIdstringNoExternal ID for cross-account access
serialNumberstringNoMFA device serial number or ARN
tokenCodestringNoMFA token code (6 digits)
policyArnsstringNoComma-separated ARNs of up to 10 IAM managed policies to use as session policies
tagsstringNoJSON object of up to 50 session tag key/value pairs for attribute-based access control
transitiveTagKeysstringNoComma-separated tag keys that propagate through role chaining

Output

ParameterTypeDescription
accessKeyIdstringTemporary access key ID
secretAccessKeystringTemporary secret access key
sessionTokenstringTemporary session token
expirationstringCredential expiration timestamp
assumedRoleArnstringARN of the assumed role
assumedRoleIdstringAssumed role ID with session name
packedPolicySizenumberPercentage of allowed policy size used
sourceIdentitystringSource identity set on the role session, if any

sts_assume_role_with_web_identity

Assume an IAM role using an OIDC/OAuth 2.0 web identity token (e.g. GitHub Actions OIDC, EKS IRSA, Google/Facebook federation) and receive temporary security credentials

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
roleArnstringYesARN of the IAM role to assume
roleSessionNamestringYesIdentifier for the assumed role session
webIdentityTokenstringYesOAuth 2.0 access token or OpenID Connect ID token from the identity provider (up to 20000 chars)
providerIdstringNoFully qualified host of a legacy OAuth 2.0 provider (e.g. www.amazon.com\); omit for OpenID Connect providers
policyArnsstringNoComma-separated ARNs of up to 10 IAM managed policies to use as session policies
policystringNoJSON IAM policy to further restrict session permissions (max 2048 chars)
durationSecondsnumberNoDuration of the session in seconds (900-43200, default 3600)

Output

ParameterTypeDescription
accessKeyIdstringTemporary access key ID
secretAccessKeystringTemporary secret access key
sessionTokenstringTemporary session token
expirationstringCredential expiration timestamp
assumedRoleArnstringARN of the assumed role
assumedRoleIdstringAssumed role ID with session name
subjectFromWebIdentityTokenstringUnique user identifier from the identity provider's token subject claim
audiencestringIntended audience (client ID) of the web identity token
providerstringIssuing authority of the presented web identity token
packedPolicySizenumberPercentage of allowed policy size used
sourceIdentitystringSource identity set on the role session, if any

sts_assume_role_with_saml

Assume an IAM role using a SAML 2.0 authentication response from an enterprise identity provider and receive temporary security credentials

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
roleArnstringYesARN of the IAM role to assume
principalArnstringYesARN of the SAML provider in IAM that describes the identity provider
samlAssertionstringYesBase64-encoded SAML authentication response from the identity provider
policyArnsstringNoComma-separated ARNs of up to 10 IAM managed policies to use as session policies
policystringNoJSON IAM policy to further restrict session permissions (max 2048 chars)
durationSecondsnumberNoDuration of the session in seconds (900-43200, default 3600)

Output

ParameterTypeDescription
accessKeyIdstringTemporary access key ID
secretAccessKeystringTemporary secret access key
sessionTokenstringTemporary session token
expirationstringCredential expiration timestamp
assumedRoleArnstringARN of the assumed role
assumedRoleIdstringAssumed role ID with session name
subjectstringValue of the NameID element in the Subject of the SAML assertion
subjectTypestringFormat of the name ID (e.g. transient, persistent)
issuerstringValue of the Issuer element of the SAML assertion
audiencestringValue of the SAML assertion's SubjectConfirmationData Recipient attribute
nameQualifierstringHash uniquely identifying the issuer, account, and SAML provider
packedPolicySizenumberPercentage of allowed policy size used
sourceIdentitystringSource identity set on the role session, if any

sts_get_caller_identity

Get details about the IAM user or role whose credentials are used to call the API

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key

Output

ParameterTypeDescription
accountstringAWS account ID
arnstringARN of the calling entity
userIdstringUnique identifier of the calling entity

sts_get_session_token

Get temporary security credentials for an IAM user, optionally with MFA

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
durationSecondsnumberNoDuration of the session in seconds (900-129600, default 43200)
serialNumberstringNoMFA device serial number or ARN
tokenCodestringNoMFA token code (6 digits)

Output

ParameterTypeDescription
accessKeyIdstringTemporary access key ID
secretAccessKeystringTemporary secret access key
sessionTokenstringTemporary session token
expirationstringCredential expiration timestamp

sts_get_access_key_info

Get the AWS account ID associated with an access key

Input

ParameterTypeRequiredDescription
regionstringYesAWS region (e.g., us-east-1)
accessKeyIdstringYesAWS access key ID
secretAccessKeystringYesAWS secret access key
targetAccessKeyIdstringYesThe access key ID to look up

Output

ParameterTypeDescription
accountstringAWS account ID that owns the access key

On this page