Security Token Service

Security Token Service: Identity and Access Management component used to get temporary access keys compatible with AWS S3 API.

Temporary access keys as an authentication method are only supported in Yandex Object Storage.

With temporary keys, you can set up granular access to Object Storage buckets for multiple users with a single service account. The service account permissions must include all the permissions you want to grant using temporary keys.

A temporary access key is created based on a static key, but, unlike it, it has a limited lifetime and access permissions. Access permissions and lifetime are set for each temporary key individually.

The maximum key lifetime is 12 hours.

To set up access permissions for the key, you need an access policy in JSON format based on this schema.

Temporary Security Token Service keys inherit the access permissions of the service account but are limited by the bucket-level access policy. If you set up a temporary key’s access policy to allow operations the service account has no permissions for, such operations will not be performed.

This means you can, for instance, provide different users with temporary permissions to read and write objects to different prefixes (folders) of the same bucket. To solve this task using static keys, you would need to create a dedicated service account for each user, while the number of service accounts in the cloud is limited.

A temporary key consists of the following parts:

• Key ID (same as the static key ID)
• Secret key
• Session token

To get a temporary access key using Security Token Service, use the AWS Command Line Interface (AWS CLI) or an HTTP API compatible with the AWS STS API.

There is a separate API endpoint for Security Token Service: https://sts.yandexcloud.net.

For more information, see this Creating a temporary access key using Security Token Service article.

See alsoSee also

• Access management methods in Object Storage: Overview