Security Token Service

Security Token Service: Identity and Access Management component to get temporary access keys compatible with AWS S3 API.

Temporary access keys as an authentication method are only supported in Yandex Object Storage.

With temporary keys, you can set up granular access to Object Storage buckets for multiple users with a single service account. The service account permissions must include all the permissions you want to grant using temporary keys.

A temporary access key is created based on a static key, but, unlike it, it has a limited lifetime and access permissions. Access permissions and lifetime are set for each temporary key individually.

The maximum key lifetime is 12 hours.

To set up access permissions for the key, you need an access policy in JSON format based on this schema.

Temporary Security Token Service keys inherit the access permissions of the service account, but are limited by the access policy. If you set the access policy for a temporary key to allow operations that are not allowed for a service account, such operations will not be performed.

This means you can, for instance, provide different users with temporary permissions to read and write objects to different prefixes (folders) of the same bucket. To solve this task using static keys, you would need to create a dedicated service account for each user, while the number of service accounts in the cloud is limited.

A temporary key consists of the following parts:

• Key ID (same as the static key ID)
• Secret key
• Session token

To get a temporary access key using Security Token Service, use the AWS Command Line Interface (AWS CLI) or an HTTP API compatible with the AWS STS API.

For more information, see Creating a temporary access key using Security Token Service.

See alsoSee also

• Access management methods in Object Storage: Overview