By Fatskills Exam Guides Team — the exam nerds behind 28,500+ quizzes and 2.1M practice questions across 500+ global exams.
For AWS Solutions Architect – Associate (SAA-C03) and Real-World Production
STS (Security Token Service) is AWS’s service for issuing short-lived, temporary credentials instead of long-lived IAM access keys. Think of it like a hotel keycard—it works for a limited time, then expires automatically. If someone steals it, they can’t use it forever.
You’re a cloud engineer at a fintech startup. Your CI/CD pipeline needs to deploy code to AWS, but your security team bans long-lived IAM keys. You must: 1. Replace hardcoded keys with temporary credentials.2. Grant least-privilege access to the pipeline.3. Rotate credentials automatically (no manual intervention).
If you ignore STS:- Your IAM keys get leaked → attackers drain your AWS account.- Auditors fail your compliance check → fines or lost contracts.- Cross-account access becomes a nightmare (manual key sharing = security risk).
AssumeRole
AssumeRoleWithSAML
AssumeRoleWithWebIdentity
GetSessionToken
GetFederationToken
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole" } ] }
Principal
*
s3:*
s3:GetObject
bash aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyRole --role-session-name MySession --external-id "SuperSecret123"
DeleteBucket
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:DeleteBucket", "Resource": "*", "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } } ] }
Delete*
Terminate*
Update*
https://sts.amazonaws.com
https://sts.<region>.amazonaws.com
sts.us-east-1.amazonaws.com
aws --version
Replace hardcoded IAM keys in a CI/CD pipeline with STS temporary credentials using AssumeRole.
AWS account
Another AWS account
GitHubActionsSecret123
AmazonS3FullAccess
GitHubActionsDeployRole
Verify the trust policy:
aws iam get-role --role-name GitHubActionsDeployRole
Expected output (truncated):
{ "Role": { "AssumeRolePolicyDocument": { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "AWS": "arn:aws:iam::123456789012:root" }, "Action": "sts:AssumeRole", "Condition": { "StringEquals": { "sts:ExternalId": "GitHubActionsSecret123" } } } ] } } }
Add a secret named AWS_EXTERNAL_ID with value GitHubActionsSecret123.
AWS_EXTERNAL_ID
Create a GitHub Actions Workflow (.github/workflows/deploy.yml): ```yaml name: Deploy to AWS on: [push]
.github/workflows/deploy.yml
jobs: deploy: runs-on: ubuntu-latest steps: - name: Configure AWS Credentials uses: aws-actions/configure-aws-credentials@v4 with: role-to-assume: arn:aws:iam::123456789012:role/GitHubActionsDeployRole aws-region: us-east-1 role-session-name: GitHubActionsDeploy role-external-id: ${{ secrets.AWS_EXTERNAL_ID }} role-duration-seconds: 900 # 15 minutes ```
Why this works:- GitHub Actions assumes the role using STS.- The role-external-id prevents the confused deputy attack.- Credentials expire after 15 minutes (least privilege).
role-external-id
bash aws sts assume-role \ --role-arn arn:aws:iam::123456789012:role/GitHubActionsDeployRole \ --role-session-name TestSession \ --external-id GitHubActionsSecret123
bash export AWS_ACCESS_KEY_ID=ASIA... export AWS_SECRET_ACCESS_KEY=... export AWS_SESSION_TOKEN=...
bash aws s3 ls # Should list buckets if the role has S3 permissions
userIdentity
aws:MultiFactorAuthPresent
Environment
Owner
Purpose
AccessDenied
sts:ExternalId
DurationSeconds
aws:MultiFactorAuthPresent: true
Trap: GetFederationToken (not for cross-account) or hardcoded IAM keys.
Scenario: "A mobile app needs to upload files to S3. How should it authenticate?"
Trap: IAM user keys (long-lived = security risk).
Scenario: "A company uses Okta for SSO. How should employees access AWS?"
Your team uses a legacy script that hardcodes IAM keys. Replace them with STS temporary credentials using AssumeRole. The script runs on an EC2 instance and needs S3 read-only access.
json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "ec2.amazonaws.com" }, "Action": "sts:AssumeRole" } ] }
AmazonS3ReadOnlyAccess
Name: EC2S3ReadOnlyRole.
EC2S3ReadOnlyRole
Attach the role to the EC2 instance:
Select EC2S3ReadOnlyRole.
Update the script to use the role’s temporary credentials: bash # No need to hardcode keys! The EC2 instance metadata service provides temp creds. aws s3 ls s3://your-bucket-name
bash # No need to hardcode keys! The EC2 instance metadata service provides temp creds. aws s3 ls s3://your-bucket-name
Why this works:- EC2 automatically assumes the role and gets temporary credentials from the instance metadata service (169.254.169.254).- No hardcoded keys = no security risk.
169.254.169.254
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/MyRole --role-session-name Test
--external-id
sts_client.assume_role(RoleArn="...", RoleSessionName="...")
boto3
--duration-seconds 900
--external-id "SuperSecret123"
"Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } }
curl http://169.254.169.254/latest/meta-data/iam/security-credentials/EC2S3ReadOnlyRole
https://sts.us-east-1.amazonaws.com
"Principal": { "AWS": "arn:aws:iam::123456789012:root" }
"Policy": "{ \"Version\": \"2012-10-17\", \"Statement\": [...] }"
Join 4M+ learners. Unlock unlimited quizzes, wrong-answer tracking, flashcards + reminders, study guides, and 1-on-1 challenges.