Security Token Service
Security Token Service: an Identity and Access Management component that issues temporary access keys compatible with the AWS S3 API.
Temporary access keys as an authentication method are only supported in Yandex Object Storage.
With temporary keys, you can set up granular access to Object Storage buckets for multiple users with a single service account. The service account permissions must include all the permissions you want to grant using temporary keys.
A temporary access key is issued from a static key but, unlike the static key, it has a limited lifetime and restricted access permissions. Both the access permissions and the lifetime are set individually for each temporary key.
The maximum key lifetime is 12 hours.
To set up access permissions for the key, you need an access policy in JSON format based on this schema.
Temporary Security Token Service keys inherit the access permissions of the service account but are further limited by the access policy. If the access policy for a temporary key allows operations that the service account itself is not allowed to perform, those operations will be denied.
Warning
Access is checked against the object ACL after the Security Token Service policy check. Therefore, if the service account used to obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects become available to requests made with the temporary access key, regardless of the specified policy. For more information, see how access management works in Object Storage.
This means you can, for instance, give different users temporary permissions to read and write objects under different prefixes (folders) of the same bucket. To achieve the same with static keys, you would need a dedicated service account for each user, while the number of service accounts in a cloud is limited.
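To make the two rules above concrete, here is a small added example (not Yandex Cloud code) that models the decision order the page describes: a temporary key is bounded by the intersection of the STS policy and the service account's own permissions, and an object ACL grant to the service account is honoured regardless of that policy. The policy schema, bucket name, prefixes, actions and ACL entries are constructed assumptions for illustration.

```python
import fnmatch
import json

# Constructed sample: a per-user temporary-key policy scoped to one prefix.
# The Statement/Effect/Action/Resource layout is an assumed S3-style schema;
# the bucket, prefix and action names are made up for this example.
ALICE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject"],
    "Resource": ["arn:aws:s3:::team-bucket/users/alice/*"]
  }]
}""")

# Constructed: what the issuing service account itself is allowed to do.
SERVICE_ACCOUNT_ACTIONS = {"s3:GetObject", "s3:PutObject", "s3:ListBucket"}

# Constructed: an object ACL that grants the service account read access
# to an object outside Alice's prefix.
OBJECT_ACLS = {"team-bucket/users/bob/secret.txt": {"sa-1": {"s3:GetObject"}}}


def policy_allows(policy, action, resource):
    """True if any Allow statement matches both the action and the object ARN."""
    arn = "arn:aws:s3:::" + resource
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow":
            continue
        actions = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
        arns = st["Resource"] if isinstance(st["Resource"], list) else [st["Resource"]]
        if any(fnmatch.fnmatchcase(action, a) for a in actions) and \
           any(fnmatch.fnmatchcase(arn, r) for r in arns):
            return True
    return False


def temp_key_allows(policy, sa_actions, acls, sa_id, action, resource):
    """Model of the check order: STS policy (bounded by the service account's
    permissions) first, then the object ACL, which can grant access on its own."""
    if action in sa_actions and policy_allows(policy, action, resource):
        return True
    # ACL grants to the service account apply regardless of the STS policy.
    return action in acls.get(resource, {}).get(sa_id, set())
```

Running `temp_key_allows` for Bob's object shows the ACL case: the policy does not cover it, yet the request succeeds because the service account holds an ACL grant on that object.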
A temporary key consists of the following parts:
- Key ID (same as the static key ID)
- Secret key
- Session token
To get a temporary access key using Security Token Service, use the AWS Command Line Interface (AWS CLI) or an HTTP API compatible with the AWS STS API.
Security Token Service has a separate API endpoint: https://sts.yandexcloud.net.
For more information, see Creating a temporary access key using Security Token Service.
Warning
You cannot revoke a temporary key. However, you can delete a static key used to issue a temporary one.
This will revoke permissions for all temporary access keys created based on the deleted static key.