AWS Security Token Service

<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<Credentials>
  <SessionToken>
   AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
   LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
   QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
   9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
   +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
  </SessionToken>
  <SecretAccessKey>
   wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
  </SecretAccessKey>
  <Expiration>2011-07-15T23:28:33.359Z</Expiration>
  <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
</Credentials>
<AssumedRoleUser>
  <Arn>arn:aws:sts::123456789012:assumed-role/demo/Bob</Arn>
  <AssumedRoleId>ARO123EXAMPLE123:Bob</AssumedRoleId>
</AssumedRoleUser>
<PackedPolicySize>6</PackedPolicySize>
</AssumeRoleResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</AssumeRoleResponse>

To request temporary security credentials, you use the AWS Security Token Service (AWS STS) operations in the AWS API. These operations return temporary security credentials for a trusted user, and those credentials control access to AWS resources. For more information about AWS STS, see Temporary security credentials. To compare the different ways of assuming a role or requesting temporary security credentials, see Using IAM roles.

AssumeRole - cross-account delegation and federation through a custom identity broker

AssumeRoleWithWebIdentity - federation through a web-based identity provider

AssumeRoleWithSAML - federation through an enterprise identity provider that is compatible with SAML 2.0

GetFederationToken - federation through a custom identity broker

GetSessionToken - temporary credentials for users in untrusted environments

The following table compares the AWS STS API operations: who can call each one, the lifetime of the credentials it returns (minimum | maximum | default), whether it supports MFA ¹ and session policies ², and the restrictions that apply to the resulting temporary credentials.

AssumeRole
  Who can call: an IAM user, or an IAM role with existing temporary security credentials
  Credential lifetime: 15 minutes | maximum session duration setting ³ | 1 hour
  MFA support: Yes
  Session policy support: Yes
  Restrictions: cannot call GetFederationToken or GetSessionToken.

AssumeRoleWithSAML
  Who can call: any user; the caller must pass a SAML authentication response that indicates authentication from a known identity provider
  Credential lifetime: 15 minutes | maximum session duration setting ³ | 1 hour
  MFA support: No
  Session policy support: Yes
  Restrictions: cannot call GetFederationToken or GetSessionToken.

AssumeRoleWithWebIdentity
  Who can call: any user; the caller must pass a web identity token that indicates authentication from a known identity provider
  Credential lifetime: 15 minutes | maximum session duration setting ³ | 1 hour
  MFA support: No
  Session policy support: Yes
  Restrictions: cannot call GetFederationToken or GetSessionToken.

GetFederationToken
  Who can call: an IAM user or the AWS account root user
  Credential lifetime (IAM user): 15 minutes | 36 hours | 12 hours
  Credential lifetime (root user): 15 minutes | 1 hour | 1 hour
  MFA support: No
  Session policy support: Yes
  Restrictions: cannot call IAM API operations directly; cannot call AWS STS API operations other than GetCallerIdentity; single sign-on (SSO) to the console is allowed.

GetSessionToken
  Who can call: an IAM user or the AWS account root user
  Credential lifetime (IAM user): 15 minutes | 36 hours | 12 hours
  Credential lifetime (root user): 15 minutes | 1 hour | 1 hour
  MFA support: Yes
  Session policy support: No
  Restrictions: cannot call IAM API operations unless MFA information is included in the request; cannot call AWS STS API operations other than AssumeRole or GetCallerIdentity; single sign-on (SSO) to the console is not allowed. ⁶


<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetFederationTokenResult>
<Credentials>
  <SessionToken>
   AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
   LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
   QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
   9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
   +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCEXAMPLE==
  </SessionToken>
  <SecretAccessKey>
   wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
  </SecretAccessKey>
  <Expiration>2019-04-15T23:28:33.359Z</Expiration>
  <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
</Credentials>
<FederatedUser>
  <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn>
  <FederatedUserId>123456789012:Jean</FederatedUserId>
</FederatedUser>
<PackedPolicySize>2</PackedPolicySize>
</GetFederationTokenResult>
<ResponseMetadata>
<RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
</ResponseMetadata>
</GetFederationTokenResponse>
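Both responses on this page carry the temporary credentials inside a <Credentials> element, and the only thing that differs is the element naming the principal (AssumedRoleUser for AssumeRole, FederatedUser for GetFederationToken). The following Python is an added example, not code from the original post or from any AWS SDK: it parses either response shape, strips the line wrapping shown in the documentation samples from the session token, and serialises the result as the JSON that the AWS CLI/SDK credential_process setting consumes, refusing credentials that are expired or within a few minutes of expiry. The two XML samples are abridged, constructed copies of the page's documentation placeholders; the five-minute margin and the ASIA/AKIA prefix flag are the example's own choices, not anything the page states.

```python
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Namespace used by the 2011-06-15 STS responses shown on the page.
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# Constructed samples, abridged from the documentation responses above
# (AWS placeholder values, not live credentials).
ASSUME_ROLE_XML = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<AssumeRoleResult>
<Credentials>
  <SessionToken>
   AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
   LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
  </SessionToken>
  <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
  <Expiration>2011-07-15T23:28:33.359Z</Expiration>
  <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
</Credentials>
<AssumedRoleUser>
  <Arn>arn:aws:sts::123456789012:assumed-role/demo/Bob</Arn>
</AssumedRoleUser>
</AssumeRoleResult>
</AssumeRoleResponse>"""

FEDERATION_TOKEN_XML = """<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
<GetFederationTokenResult>
<Credentials>
  <SessionToken>AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW</SessionToken>
  <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
  <Expiration>2019-04-15T23:28:33.359Z</Expiration>
  <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
</Credentials>
<FederatedUser>
  <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn>
</FederatedUser>
</GetFederationTokenResult>
</GetFederationTokenResponse>"""


def parse_sts_response(xml_text):
    """Return the credentials and owning principal from any STS response that
    carries a <Credentials> block; the root element says which operation issued them."""
    root = ET.fromstring(xml_text)
    op = root.tag.rsplit("}", 1)[-1]  # drop the {namespace} prefix ElementTree adds
    if op.endswith("Response"):
        op = op[: -len("Response")]
    creds = root.find(".//sts:Credentials", STS_NS)
    if creds is None:
        raise ValueError("response carries no Credentials element")

    def field(name):
        el = creds.find("sts:" + name, STS_NS)
        if el is None or not el.text or not el.text.strip():
            raise ValueError("Credentials is missing " + name)
        # Keys and tokens never contain whitespace, so the line wrapping that
        # documentation (and some pretty-printers) add can be dropped safely.
        return "".join(el.text.split())

    # AssumeRole* responses name the principal under AssumedRoleUser,
    # GetFederationToken under FederatedUser; both are optional here.
    arn = root.find(".//sts:AssumedRoleUser/sts:Arn", STS_NS)
    if arn is None:
        arn = root.find(".//sts:FederatedUser/sts:Arn", STS_NS)
    key_id = field("AccessKeyId")
    return {
        "operation": op,
        "AccessKeyId": key_id,
        "SecretAccessKey": field("SecretAccessKey"),
        "SessionToken": field("SessionToken"),
        "Expiration": datetime.fromisoformat(field("Expiration").replace("Z", "+00:00")),
        "PrincipalArn": arn.text.strip() if arn is not None and arn.text else None,
        # Live STS key IDs start with ASIA; AKIA marks a long-term IAM user key.
        # The documentation placeholders use AKIA, so this is a flag, not an error.
        "LooksTemporary": key_id.startswith("ASIA"),
    }


def seconds_remaining(creds, now=None):
    """Seconds until the credentials expire (negative once they have)."""
    now = now or datetime.now(timezone.utc)
    return (creds["Expiration"] - now).total_seconds()


def credential_process_output(creds, now=None, min_remaining=timedelta(minutes=5)):
    """Serialise credentials as the Version 1 JSON that the AWS CLI/SDK
    credential_process setting consumes. Refuses expired or nearly expired
    credentials so the caller refreshes instead of failing mid-request."""
    remaining = seconds_remaining(creds, now)
    if remaining < min_remaining.total_seconds():
        raise ValueError(f"{creds['operation']} credentials expire in {remaining:.0f}s; refresh first")
    return json.dumps({
        "Version": 1,
        "AccessKeyId": creds["AccessKeyId"],
        "SecretAccessKey": creds["SecretAccessKey"],
        "SessionToken": creds["SessionToken"],
        "Expiration": creds["Expiration"].strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
```

Run against the page's own GetFederationToken sample, parse_sts_response reports the operation as GetFederationToken and the principal as arn:aws:sts::123456789012:federated-user/Jean, and credential_process_output rejects it because its 2019 expiry has long passed. Parsing the Expiration as a timezone-aware datetime and checking it before handing the credentials out is the part worth keeping: the table above gives every operation a hard lifetime, and a credential helper that ignores it produces confusing ExpiredToken failures downstream.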

Origin www.cnblogs.com/cloudrivers/p/11620697.html