
AWS Security Token Service (STS)

What it is

AWS Security Token Service (STS) is the AWS service that mints temporary security credentials (an access key ID, secret key, session token and expiry) for IAM and federated identities: the output of AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, and GetSessionToken.

Regional endpoints in cross-partition design

STS regional endpoints are named as one of the five cross-partition authentication tactics: "AWS Security Token Service (AWS STS) regional endpoints" alongside IAM roles with trust relationships and external IDs, resource-based policies, and Organizations-managed cross-account roles. (Source: sources/2026-01-30-aws-sovereign-failover-design-digital-sovereignty)

The design point: each partition (aws, aws-cn, aws-us-gov) runs its own STS with its own regional endpoints; a cross-partition workload assumes roles against the STS endpoint in the target partition and region, not via the single global endpoint (sts.amazonaws.com), which exists only in the commercial partition. Credentials are partition-scoped as well: a credential minted by one partition's STS is not valid in another, so the hop has to be made with an identity the target partition's STS will accept.
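An added example of the endpoint-selection rule above (not code from the cited source): derive the partition from the target role's ARN, refuse a region that belongs to a different partition, and build the regional STS endpoint for it. The partition names, DNS suffixes and region prefixes are AWS's public conventions; the role and caller ARNs in the demo are hypothetical.

```python
# Added example. STS_DNS_SUFFIX and REGION_PREFIX follow AWS's published partition conventions;
# every ARN used below is a hypothetical placeholder.
STS_DNS_SUFFIX = {"aws": "amazonaws.com", "aws-cn": "amazonaws.com.cn", "aws-us-gov": "amazonaws.com"}
REGION_PREFIX = {"aws-cn": "cn-", "aws-us-gov": "us-gov-"}


def partition_of(arn: str) -> str:
    """Second ARN field is the partition: arn:<partition>:service:region:account:resource."""
    parts = arn.split(":")
    if len(parts) < 6 or parts[0] != "arn" or parts[1] not in STS_DNS_SUFFIX:
        raise ValueError(f"not a recognised ARN: {arn!r}")
    return parts[1]


def region_in_partition(region: str, partition: str) -> bool:
    """cn-* regions live in aws-cn, us-gov-* in aws-us-gov, everything else in aws."""
    if partition == "aws":
        return not any(region.startswith(p) for p in REGION_PREFIX.values())
    return region.startswith(REGION_PREFIX[partition])


def sts_endpoint(role_arn: str, region: str) -> str:
    """Regional STS endpoint in the partition that owns role_arn."""
    partition = partition_of(role_arn)
    if not region_in_partition(region, partition):
        raise ValueError(f"region {region!r} is not in partition {partition!r}; STS does not cross partitions")
    return f"https://sts.{region}.{STS_DNS_SUFFIX[partition]}"


def sts_client_kwargs(role_arn: str, region: str, caller_arn: str = "") -> dict:
    """Keyword arguments for boto3.client('sts', ...). If the caller's own ARN is known and it sits in
    another partition, fail early: its IAM credentials are not valid there, so the hop needs a
    federated identity (SAML/OIDC) accepted by the target partition's STS, not a plain AssumeRole."""
    if caller_arn and partition_of(caller_arn) != partition_of(role_arn):
        raise ValueError(f"caller in partition {partition_of(caller_arn)!r} cannot AssumeRole "
                         f"into {partition_of(role_arn)!r}; federate into the target partition instead")
    return {"region_name": region, "endpoint_url": sts_endpoint(role_arn, region)}


if __name__ == "__main__":
    kwargs = sts_client_kwargs("arn:aws-cn:iam::123456789012:role/failover", "cn-north-1")
    print(kwargs)
    # import boto3
    # boto3.client("sts", **kwargs).assume_role_with_web_identity(RoleArn=..., RoleSessionName=..., WebIdentityToken=...)
```

Setting AWS_STS_REGIONAL_ENDPOINTS=regional in the environment makes the AWS SDKs prefer the regional endpoint of the configured region even in the commercial partition; the explicit endpoint_url above is the belt-and-braces form for code that targets a different partition than the one it runs in.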

AssumeRoleWithWebIdentity and OIDC federation

The Fly.io AWS without Access Keys post is the canonical wiki walkthrough of AssumeRoleWithWebIdentity — STS's token-exchange API for OIDC federation.

From the post:

STS's main job is to vend short-lived AWS credentials, usually through some variant of an API called AssumeRole. Specifically, in our case: AssumeRoleWithWebIdentity tells STS to cough up an AWS keypair given an OIDC token (that matches a pre-configured trust relationship).

Mechanics:

  • Caller presents an OIDC JWT (an ID token signed by the IdP).
  • STS resolves the issuer's metadata at https://<issuer>/.well-known/openid-configuration (Fly.io: https://oidc.fly.io/<org>/.well-known/openid-configuration, keys "managed on isolated hardware"), fetches the signing keys from the jwks_uri it finds there, and verifies the JWT's signature and expiry. The issuer must already be registered in the account as an IAM OIDC identity provider; that provider's ARN is what the trust policy names.
  • STS checks the target role's trust policy: the provider must be the Federated principal; the token's aud must satisfy the StringEquals condition on <provider>:aud; the token's sub must satisfy any StringEquals/StringLike condition on <provider>:sub. A trust policy with no sub condition admits every token the IdP issues for that audience, so the sub pattern is where the role's scope actually lives.
  • STS returns short-lived credentials: default 1 hour; DurationSeconds can shorten that to a minimum of 15 minutes or extend it up to the role's configured maximum session duration.
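The trust-policy step of the exchange above, replayed offline as an added example (not code from the Fly.io post or from AWS): a constructed trust policy in the shape the post describes, a constructed unsigned JWT, and the IAM condition semantics applied to it. Signature verification against the issuer's JWKS is the step STS performs first and is omitted here because it needs the IdP's public key. The account ID, org and app names, and the org:app:machine layout of the sub claim are hypothetical.

```python
import base64
import json
import re

# Constructed trust policy. Account ID, org/app names and the sub layout are hypothetical.
PROVIDER_ARN = "arn:aws:iam::123456789012:oidc-provider/oidc.fly.io/example-org"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {"oidc.fly.io/example-org:aud": "sts.amazonaws.com"},
            "StringLike": {"oidc.fly.io/example-org:sub": "example-org:example-app:*"},
        },
    }],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_unsigned_jwt(claims: dict) -> str:
    """Constructed token with a placeholder signature, so the policy checks can run offline."""
    header = _b64url(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "test"}).encode())
    return f"{header}.{_b64url(json.dumps(claims).encode())}.placeholder-signature"


def discovery_url(iss: str) -> str:
    """Where STS fetches the issuer's metadata (and, through its jwks_uri, the signing keys)."""
    return iss.rstrip("/") + "/.well-known/openid-configuration"


def jwt_claims(token: str) -> dict:
    """Payload only; the RS256 signature check STS does first is out of scope offline."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def string_like(pattern: str, value: str) -> bool:
    """IAM StringLike: '*' matches any run of characters, '?' one character; case-sensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.DOTALL) is not None


def _claim_matches(claim_value, want: str, like: bool) -> bool:
    values = claim_value if isinstance(claim_value, list) else [claim_value]  # aud may be a list
    return any(string_like(want, v) if like else want == v for v in values)


def evaluate_trust(policy: dict, claims: dict) -> tuple:
    """Replay the trust-policy checks STS applies after signature verification."""
    issuer = claims.get("iss", "").removeprefix("https://").rstrip("/")
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        provider = stmt["Principal"].get("Federated", "").split(":oidc-provider/", 1)[-1]
        if provider != issuer:
            return False, f"issuer {issuer!r} is not the Federated principal {provider!r}"
        for operator, like in (("StringEquals", False), ("StringLike", True)):
            for key, want in stmt.get("Condition", {}).get(operator, {}).items():
                prefix, claim = key.rsplit(":", 1)
                if prefix != provider:
                    return False, f"condition key {key!r} does not belong to provider {provider!r}"
                if claim not in claims:
                    return False, f"token carries no {claim!r} claim for the {operator} condition"
                if not _claim_matches(claims[claim], want, like):
                    return False, f"{operator}: {claim}={claims[claim]!r} does not match {want!r}"
        return True, "allowed"
    return False, "no Allow statement for sts:AssumeRoleWithWebIdentity"


def base_claims(**overrides) -> dict:
    """Constructed claims for a token the policy above should accept; overrides break one field."""
    claims = {"iss": "https://oidc.fly.io/example-org", "aud": "sts.amazonaws.com",
              "sub": "example-org:example-app:machine-1"}
    claims.update(overrides)
    return claims


if __name__ == "__main__":
    for label, claims in [("good", base_claims()),
                          ("wrong aud", base_claims(aud="https://some-other-service")),
                          ("other app", base_claims(sub="example-org:other-app:machine-9")),
                          ("other issuer", base_claims(iss="https://oidc.fly.io/attacker-org"))]:
        print(label, evaluate_trust(TRUST_POLICY, jwt_claims(make_unsigned_jwt(claims))))
```

The "other app" case is the one to keep in mind when writing the sub condition: a pattern of "example-org:*" would admit any app in the org, and "*" would admit any token the IdP ever issues for the audience.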

Short-lived credential semantics

Fly.io's one-line framing is canonical for what STS buys you:

AWS STS credentials are short-lived. Because they're generated dynamically, rather than stored in a configuration file or environment variable, they're already a little bit annoying for an attacker to recover. But they're also dead in minutes. They have a sharply limited blast radius. They rotate themselves, and fail closed. (Source: sources/2024-06-19-flyio-aws-without-access-keys)

See concepts/short-lived-credential-auth for the broader concept framing.

SDK integration: AWS_WEB_IDENTITY_TOKEN_FILE

The AWS SDK's credential provider chain looks for AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN together (AWS_ROLE_SESSION_NAME is optional; the SDK synthesises a session name when it is unset). When both are set and the file is readable, the SDK calls AssumeRoleWithWebIdentity on the application's behalf, re-reading the token file at each call so a rotated token is picked up, and refreshes the STS credentials as they near expiry.

This is the hook EKS IRSA and Fly init use: each projects a token file into the guest and sets the variables, and the application code never sees the JWT. GitHub Actions OIDC uses the same AssumeRoleWithWebIdentity exchange, though its configure-aws-credentials action makes the call itself rather than through these variables. See patterns/init-as-credential-broker for the guest-side plumbing pattern.
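A re-creation of that provider, as an added example (not the SDK's own code): it reads the two required variables, synthesises a session name when AWS_ROLE_SESSION_NAME is missing, re-reads the token file on every STS call, and refreshes inside a margin before expiry. The STS call is stubbed with an injectable function so the example runs offline; the 5-minute refresh margin, the role ARN and the token contents are assumptions.

```python
import os
import tempfile
import time
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Credentials:
    access_key_id: str
    secret_access_key: str
    session_token: str
    expiration: float  # unix seconds, taken from the STS response


class WebIdentityCredentialProvider:
    """Added re-creation of the SDK's web-identity provider. `sts_call` stands in for
    AssumeRoleWithWebIdentity so this runs offline; REFRESH_MARGIN is an assumed value."""

    REFRESH_MARGIN = 5 * 60

    def __init__(self, env: dict, sts_call: Callable[[str, str, str], Credentials],
                 clock: Callable[[], float] = time.time):
        self.token_file = env.get("AWS_WEB_IDENTITY_TOKEN_FILE")
        self.role_arn = env.get("AWS_ROLE_ARN")
        if not self.token_file or not self.role_arn:
            raise ValueError("AWS_WEB_IDENTITY_TOKEN_FILE and AWS_ROLE_ARN are both required")
        # AWS_ROLE_SESSION_NAME is optional; synthesise one when it is absent.
        self.session_name = env.get("AWS_ROLE_SESSION_NAME") or f"web-identity-{int(clock())}"
        self._sts_call = sts_call
        self._clock = clock
        self._cached: Optional[Credentials] = None
        self.sts_calls = 0

    def _read_token(self) -> str:
        # Read the file on every refresh, never cache its contents: IRSA and init-style brokers
        # rotate the projected token in place, and a stale JWT is rejected by STS.
        with open(self.token_file) as fh:
            return fh.read().strip()

    def get_credentials(self) -> Credentials:
        if self._cached is None or self._cached.expiration - self._clock() <= self.REFRESH_MARGIN:
            self._cached = self._sts_call(self.role_arn, self.session_name, self._read_token())
            self.sts_calls += 1
        return self._cached


def demo() -> dict:
    """Drive the provider with a fake STS and a fake clock; returns what happened."""
    now = [1_700_000_000.0]
    tokens_seen = []

    def fake_sts(role_arn: str, session_name: str, token: str) -> Credentials:
        tokens_seen.append(token)  # constructed response; real STS returns ASIA... session material
        return Credentials("ASIAEXAMPLE", "constructed-secret", f"session-for-{token}", now[0] + 3600)

    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "token")
        with open(path, "w") as fh:
            fh.write("jwt-1\n")  # constructed placeholder for the projected OIDC token
        env = {"AWS_WEB_IDENTITY_TOKEN_FILE": path, "AWS_ROLE_ARN": "arn:aws:iam::123456789012:role/app"}
        provider = WebIdentityCredentialProvider(env, fake_sts, clock=lambda: now[0])
        first = provider.get_credentials()
        second = provider.get_credentials()      # still fresh: served from cache, no STS call
        with open(path, "w") as fh:
            fh.write("jwt-2\n")                  # broker rotated the projected token
        now[0] += 3600 - 4 * 60                  # 4 min before expiry: inside the refresh window
        third = provider.get_credentials()       # refresh picks up jwt-2, not the cached jwt-1
    return {"sts_calls": provider.sts_calls, "cached_reuse": first is second,
            "tokens_seen": tokens_seen, "third_session": third.session_token}


if __name__ == "__main__":
    print(demo())
```

The detail worth copying is the re-read in _read_token: a provider that reads the token once at startup keeps working until the first refresh after the broker rotates the file, then fails with an expired-token error that looks like an STS outage.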
