© 2025 Yandex.Cloud LLC
Yandex Identity and Access Management

Security Token Service

Written by
Yandex Cloud
Updated at May 5, 2025

Security Token Service is an Identity and Access Management component used to get temporary access keys compatible with the AWS S3 API.

Temporary access keys as an authentication method are only supported in Yandex Object Storage.

With temporary keys, you can set up granular access to Object Storage buckets for multiple users with a single service account. The service account permissions must include all the permissions you want to grant using temporary keys.

A temporary access key is issued based on a static key but, unlike a static key, it has a limited lifetime and restricted access permissions. Access permissions and lifetime are set for each temporary key individually.

The maximum key lifetime is 12 hours.

To set up access permissions for the key, you need an access policy in JSON format based on this schema.

Temporary Security Token Service keys inherit the access permissions of the service account but are limited by the bucket-level access policy. If you set up a temporary key’s access policy to allow operations the service account has no permissions for, such operations will not be performed.

Tip

If a service account has roles in Object Storage for a folder, users with temporary keys will get view access to buckets in that folder. We recommend assigning service account roles for specific buckets, rather than a folder.

Warning

Object ACLs are checked after the Security Token Service policy. Therefore, if the service account through which you obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects will be available to requests made with temporary access keys, regardless of the specified policy. For more information, see how access management works in Object Storage.

This means you can, for instance, give different users temporary permissions to read and write objects under different prefixes (folders) of the same bucket. To do the same with static keys, you would need a dedicated service account for each user, while the number of service accounts in a cloud is limited.
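The three rules above (a temporary key never exceeds the service account, the key's policy narrows access further, and object ACLs are evaluated after the policy) are easy to get wrong when designing per-user prefixes. The following model is an added example, not Yandex Cloud code: it encodes those rules as a small evaluator and runs the two-users-one-bucket scenario from the paragraph above. The policy shape (`Version`/`Statement`/`Effect`/`Action`/`Resource`) and the `s3:*` action names are assumptions, since the page links the policy schema but does not reproduce it; the bucket and object names are constructed.

```python
"""Model of how a request made with a Security Token Service temporary key is authorized.

Added illustration, not Yandex Cloud code.  It encodes the rules stated in the
documentation: a temporary key can never do more than the service account it was
issued from; the key's own policy narrows access further; object ACLs are checked
after the policy, so an ACL that grants the service account access to an object
makes that object reachable regardless of the policy.  The AWS-compatible policy
format and the s3:* action names are assumptions.
"""
import fnmatch
from dataclasses import dataclass, field

BUCKET = "example-bucket"  # constructed bucket name


def prefix_policy(bucket: str, prefix: str, actions: list) -> dict:
    """Access policy for a temporary key limited to one prefix (folder) of a bucket."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Action": actions,
            "Resource": [f"arn:aws:s3:::{bucket}/{prefix}/*"],
        }],
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def policy_allows(policy: dict, action: str, resource: str) -> bool:
    """True if some Allow statement matches both the action and the resource ARN."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        action_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"]))
        resource_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"]))
        if action_hit and resource_hit:
            return True
    return False


@dataclass
class ServiceAccount:
    """Permissions of the service account whose static key issued the temporary key."""
    role_actions: set                                # actions granted through IAM roles on the bucket
    acl_grants: dict = field(default_factory=dict)   # "bucket/key" -> actions granted by the object ACL


def request_allowed(sa: ServiceAccount, policy: dict, action: str, bucket: str, key: str) -> bool:
    obj = f"{bucket}/{key}"
    # 1. The Security Token Service policy is evaluated first, but it can only
    #    narrow what the service account itself is allowed to do.
    if policy_allows(policy, action, f"arn:aws:s3:::{obj}") and action in sa.role_actions:
        return True
    # 2. The object ACL is checked after the policy: a grant to the service account
    #    opens the object to the temporary key even when the policy does not allow it.
    return action in sa.acl_grants.get(obj, set())


def scenario() -> dict:
    """Two users, two prefixes, one service account: the case described in the text."""
    sa = ServiceAccount(
        role_actions={"s3:GetObject", "s3:PutObject"},
        acl_grants={f"{BUCKET}/shared/readme.txt": {"s3:GetObject"}},  # constructed ACL grant
    )
    alice_rw = prefix_policy(BUCKET, "alice", ["s3:GetObject", "s3:PutObject"])
    bob_ro = prefix_policy(BUCKET, "bob", ["s3:GetObject"])
    too_broad = prefix_policy(BUCKET, "alice", ["s3:*"])
    return {
        "alice_writes_own_prefix": request_allowed(sa, alice_rw, "s3:PutObject", BUCKET, "alice/report.csv"),
        "alice_reads_bob_prefix": request_allowed(sa, alice_rw, "s3:GetObject", BUCKET, "bob/data.csv"),
        "bob_writes_own_prefix": request_allowed(sa, bob_ro, "s3:PutObject", BUCKET, "bob/data.csv"),
        # the policy allows s3:DeleteObject, but the service account has no such permission
        "policy_exceeds_account": request_allowed(sa, too_broad, "s3:DeleteObject", BUCKET, "alice/report.csv"),
        # the ACL on the object reaches past Bob's prefix-scoped policy
        "acl_overrides_policy": request_allowed(sa, bob_ro, "s3:GetObject", BUCKET, "shared/readme.txt"),
    }


if __name__ == "__main__":
    for name, allowed in scenario().items():
        print(f"{name}: {'allowed' if allowed else 'denied'}")
```

The last two cases are the ones to review before handing out temporary keys: a generous policy buys nothing beyond the service account's own roles, and any object ACL granted to that service account is reachable by every temporary key issued from it, whatever prefix the key was scoped to.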

A temporary key consists of the following parts:

  • Key ID (same as the static key ID)
  • Secret key
  • Session token

To get a temporary access key using Security Token Service, use the AWS Command Line Interface (AWS CLI) or an HTTP API compatible with the AWS STS API.

There is a separate API endpoint for Security Token Service: https://sts.yandexcloud.net.

For more information, see Creating a temporary access key using Security Token Service.
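Once a temporary key has been issued, all three parts have to travel together to the client, and the lifetime limit is worth checking on receipt. The code below is an added example, not Yandex Cloud code. It assumes the key was requested with the AWS CLI against `https://sts.yandexcloud.net` and that the CLI printed the standard AWS STS JSON shape (`Credentials` with `AccessKeyId`, `SecretAccessKey`, `SessionToken`, `Expiration`); the STS action and its parameters are not reproduced on this page and are not hard-coded here. The sample response and its values are constructed.

```python
"""Handling the three parts of a Security Token Service temporary key.

Added example, not Yandex Cloud code.  Assumes the key was obtained with the
AWS CLI (--endpoint-url https://sts.yandexcloud.net) and that the CLI output has
the standard AWS STS JSON shape.  The sample response below is constructed.
"""
import json
from datetime import datetime, timedelta, timezone

STS_ENDPOINT = "https://sts.yandexcloud.net"
MAX_LIFETIME = timedelta(hours=12)  # maximum key lifetime stated in the documentation

# Constructed sample of an STS response; every value is a placeholder.
SAMPLE_STS_OUTPUT = json.dumps({
    "Credentials": {
        "AccessKeyId": "EXAMPLE_STATIC_KEY_ID",      # same ID as the issuing static key
        "SecretAccessKey": "EXAMPLE_TEMPORARY_SECRET",
        "SessionToken": "EXAMPLE_SESSION_TOKEN",
        "Expiration": "2025-05-05T18:00:00Z",
    }
})
SAMPLE_NOW = datetime(2025, 5, 5, 12, 0, tzinfo=timezone.utc)  # constructed clock value


def clamp_duration(requested_seconds: int) -> int:
    """Never request more than the documented 12-hour maximum lifetime."""
    return min(int(requested_seconds), int(MAX_LIFETIME.total_seconds()))


def parse_temporary_key(cli_output: str, now: datetime) -> dict:
    """Validate the STS response and return the three key parts plus expiry.

    Rejects responses that are missing a part (a key ID and secret without the
    session token is not a usable temporary key), already expired, or claiming a
    lifetime longer than the service allows.
    """
    creds = json.loads(cli_output)["Credentials"]
    for part in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        if not creds.get(part):
            raise ValueError(f"STS response is missing {part}")
    expiration = datetime.fromisoformat(creds["Expiration"].replace("Z", "+00:00"))
    if expiration <= now:
        raise ValueError("temporary key has already expired")
    if expiration - now > MAX_LIFETIME:
        raise ValueError("expiration exceeds the 12-hour maximum; refusing to use it")
    return {
        "key_id": creds["AccessKeyId"],
        "secret_key": creds["SecretAccessKey"],
        "session_token": creds["SessionToken"],
        "expires_at": expiration,
        "seconds_left": int((expiration - now).total_seconds()),
    }


def aws_env_for(key: dict) -> dict:
    """Environment variables read by the AWS CLI and SDKs; all three parts are required."""
    return {
        "AWS_ACCESS_KEY_ID": key["key_id"],
        "AWS_SECRET_ACCESS_KEY": key["secret_key"],
        "AWS_SESSION_TOKEN": key["session_token"],
    }


if __name__ == "__main__":
    key = parse_temporary_key(SAMPLE_STS_OUTPUT, SAMPLE_NOW)
    print(f"key valid for {key['seconds_left']} s; env: {sorted(aws_env_for(key))}")
```

Note that the key ID in the response is the static key's ID, as the text above states, so the key ID alone does not tell you which temporary key (or which user) made a request; keep your own record of which policy and lifetime each issued session token carried.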

Warning

You cannot revoke a temporary key. However, you can delete a static key used to issue a temporary one.

This will revoke permissions for all temporary access keys created based on the deleted static key.

See also

  • Access management methods in Object Storage: Overview
