Setting up temporary credentials or a Role ARN for Amazon S3

Instead of adding another IAM user to your Amazon S3 account, you can grant them access with temporary security credentials and a Session token. Or, you can create a Role ARN (Amazon Resource Name) and then grant permission to that role to access the account. The trusted user can then use the role.

You can assign role policies to the temporary credentials to limit the permissions. For example, you can assign read-only access or access to a particular S3 bucket.

Prerequisite: You must be the IAM owner of the Amazon S3 account.

You can set up one of the following authentication combinations:

  • Access key, Secret key, and Session token
  • Access key, Secret key, Role ARN, Role session name, and optional Duration seconds
  • Access key, Secret key, Role ARN, Role session name, External ID, and optional Duration seconds

Access key, Secret key, and Session token

Use the AWS Security Token Service (AWS STS) operations in the AWS API to obtain temporary security credentials. These credentials consist of an Access key, a Secret key, and a Session token that expires within a configurable amount of time. For instructions, see the AWS documentation: Requesting temporary security credentials.

Access key, Secret key, Role ARN, Role session name, and optional Duration seconds

If someone else has their own S3 account, you can create a temporary role for that person to access your S3 account. Create the role either with the AWS Management Console or the AWS CLI. See Creating a role to delegate permissions to an IAM user

The Role ARN is the Amazon Resource Name for connection's role.
The Role session name identifies the session to S3 administrators. For example, your IAM username.
The Duration seconds parameter is optional. The minimum is 15 minutes. The maximum is 36 hours, the default is 1 hour. The duration seconds timer starts every time that the connection is established.

You then provide values for the Access key, Secret key, Role ARN, Role session name, and optional Duration seconds to the user who will create the connection.

Access key, Secret key, Role ARN, Role session name, External ID, and optional Duration seconds

If someone else has their own S3 account, you can create a temporary role for that person to access your S3 account. With this combination, the External ID is a unique string that you specify and that the user must enter for extra security. First, create the role either with the AWS Management Console or the AWS CLI. See Creating a role to delegate permissions to an IAM user. To create the External ID, see How to use an external ID when granting access to your AWS resources to a third party.

You then provide the values for the Access key, Secret key, Role ARN, Role session name, External ID, and optional Duration seconds to the user who will create the connection.

Learn more

Amazon Resource Names (ARNs)

Parent topic: Amazon S3 connection