0
0
AwsHow-ToBeginner · 4 min read

How to Use Temporary Credentials in AWS: Simple Guide

Use AWS Security Token Service (STS) to get temporary credentials like AccessKeyId, SecretAccessKey, and SessionToken. These credentials let you access AWS resources securely for a limited time without using permanent keys.
📐

Syntax

To use temporary credentials, call the AssumeRole API from AWS STS. It returns temporary security credentials with these parts:

  • AccessKeyId: Your temporary access key.
  • SecretAccessKey: Your temporary secret key.
  • SessionToken: A token to include in requests.
  • Expiration: When the credentials expire.

Use these credentials in your AWS SDK or CLI by setting them as environment variables or in configuration.

bash
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/demo --role-session-name session1

# Response includes:
# {
#   "Credentials": {
#     "AccessKeyId": "ASIA...",
#     "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
#     "SessionToken": "AQoDYXdzEJr...",
#     "Expiration": "2024-06-01T12:34:56Z"
#   },
#   "AssumedRoleUser": {...}
# }
💻

Example

This example shows how to get temporary credentials using AWS CLI and then use them to list S3 buckets.

bash
aws sts assume-role --role-arn arn:aws:iam::123456789012:role/demo --role-session-name session1 > temp_creds.json

export AWS_ACCESS_KEY_ID=$(jq -r '.Credentials.AccessKeyId' temp_creds.json)
export AWS_SECRET_ACCESS_KEY=$(jq -r '.Credentials.SecretAccessKey' temp_creds.json)
export AWS_SESSION_TOKEN=$(jq -r '.Credentials.SessionToken' temp_creds.json)

aws s3 ls
Output
2023-12-01 10:00:00 example-bucket-1 2023-12-02 11:00:00 example-bucket-2
⚠️

Common Pitfalls

Common mistakes when using temporary credentials include:

  • Not including the SessionToken in API requests, causing authentication failures.
  • Using expired credentials without refreshing them.
  • Confusing permanent IAM user keys with temporary credentials.
  • Not setting environment variables correctly for SDKs or CLI.

Always check the Expiration time and refresh credentials before they expire.

bash
## Wrong: Missing session token
export AWS_ACCESS_KEY_ID=ASIA...
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
# aws s3 ls  # This will fail

## Right: Include session token
export AWS_SESSION_TOKEN=AQoDYXdzEJr...
aws s3 ls  # This works
📊

Quick Reference

StepCommand / ActionDescription
1aws sts assume-roleRequest temporary credentials from AWS STS
2Set environment variablesExport AccessKeyId, SecretAccessKey, SessionToken
3Use AWS CLI or SDKMake API calls with temporary credentials
4Refresh before expirationGet new credentials before old ones expire

Key Takeaways

Use AWS STS AssumeRole to get temporary credentials with limited time and permissions.
Always include the SessionToken along with AccessKeyId and SecretAccessKey in requests.
Set temporary credentials as environment variables for AWS CLI or SDK usage.
Check and refresh credentials before they expire to avoid access failures.
Temporary credentials improve security by avoiding long-term key exposure.

Related by keyword

How to Choose AWS Region: Simple Guide for BeginnersGetting StartedHow to Use Elastic IP in AWS: Simple GuideEC2How to Set Bucket Policy in AWS S3: Simple GuideS3How to Set Lifecycle Rule in AWS S3: Simple GuideS3How to Upload File to S3 in AWS: Simple GuideS3

Up next

AWS Shared Responsibility Model: What It Is and How It WorksWhat is AWS Used For: Key Uses and ExamplesALB vs NLB vs CLB: Key Differences and When to Use EachEBS vs Instance Store in AWS: Key Differences and Usage Guide

More in IAM

How to Attach a Policy to an AWS Role: Simple StepsHow to Attach a Policy to a User in AWS IAMHow to Create Custom IAM Policy in AWS: Simple GuideHow to Create IAM Group in AWS: Step-by-Step Guide