Copyright (c) 2026 MindMesh Academy. All rights reserved. This content is proprietary and may not be reproduced or distributed without permission.

5.1.2. Temporary Credentials and Token Mechanisms

First Principle: Temporary credentials expire automatically, so a leaked credential is useful to an attacker only until its session ends. That sharply limits, but does not eliminate, the damage from exposure (a stolen session token is still live until expiry, which is why short sessions matter). Every workload and every human should obtain credentials through a mechanism that issues them on demand; long-term access keys are a standing security liability.

AWS Security Token Service (STS):
  • Issues temporary credentials (access key ID + secret access key + session token) with a caller-chosen lifetime; the session token is what marks a request as made with temporary rather than long-term credentials
  • Used behind the scenes by: IAM roles (EC2 instance profiles, Lambda execution roles), IAM Identity Center, Cognito, cross-account access
  • Role sessions default to 1 hour and can run up to the role's MaxSessionDuration (at most 12 hours); a session obtained by role chaining (assuming a role while already using role credentials) is capped at 1 hour
  • Key API actions:
    • AssumeRole — Get credentials for an IAM role (most common); the role's trust policy must allow the caller, and the caller may attach a session policy that narrows the role's permissions for that session
    • AssumeRoleWithSAML — Get credentials using a SAML 2.0 assertion from an IdP (workforce federation)
    • AssumeRoleWithWebIdentity — Get credentials using an OIDC/web identity token (mobile and web apps via Cognito, and workloads such as EKS pods or CI runners that present a token from an OIDC provider)
    • GetSessionToken — Get temporary credentials for an IAM user, typically to satisfy an MFA condition in a policy; it cannot grant more than the user already has
S3 Presigned URLs:
  • Time-limited URLs that grant anyone holding the URL the signer's access to one specific object and operation (for example GET to download, PUT to upload)
  • Carry the signer's access key ID, an expiry and a SigV4 signature in the query string; the secret access key never leaves the signer. The request is authorized as the signer, so the URL can only do what the signer's permissions allow at the moment it is used (revoke the signer's permission and the URL stops working)
  • Expiration is set when the URL is created (with SigV4, up to 7 days; SDK defaults are typically 1 hour). A URL signed with temporary credentials (an assumed role, an instance profile) also stops working when those credentials expire, whatever X-Amz-Expires says, and it embeds the session token in the query string
  • Use case: grant temporary download or upload access to a private S3 object without sharing credentials; the URL itself is a bearer credential, so keep it out of logs and referrer headers
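To make the two points above concrete (what a presigned URL carries, and how temporary credentials from STS show up in it), here is an added example that is not the page's own code. It implements the SigV4 query-string presigning that the SDKs do for you, using only the Python standard library. The credentials, bucket, key and timestamp are constructed placeholders; the access key ID, secret and session token are fake and will not work against AWS. The inspect and verify helpers are this example's own additions for showing what a recipient can learn from the URL and why only the secret's holder can mint one.

```python
"""Added example (not from the page): SigV4 presigned S3 GET URL, inspected and verified.
Credentials, bucket, key and timestamp below are constructed/fake."""
import hashlib
import hmac
import urllib.parse
from datetime import datetime, timedelta, timezone

# Constructed, non-working STS-style temporary credential set (key id + secret + session token).
FAKE_ACCESS_KEY_ID = "ASIAEXAMPLEKEYID00000"
FAKE_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
FAKE_SESSION_TOKEN = "FwoGZXIvYXdzEBYaDEXAMPLE+SESSION/TOKEN=="
SIGNED_AT = datetime(2026, 1, 15, 12, 0, 0, tzinfo=timezone.utc)


def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()


def _signing_key(secret: str, datestamp: str, region: str, service: str) -> bytes:
    """SigV4 key derivation: the secret itself is never transmitted, only this chain's output signs."""
    k = _hmac(("AWS4" + secret).encode(), datestamp)
    for part in (region, service, "aws4_request"):
        k = _hmac(k, part)
    return k


def _encode_query(params: dict) -> str:
    # Parameters sorted by name, RFC 3986 encoded ('/', '+', '=' inside tokens become %2F, %2B, %3D).
    return "&".join(
        f"{urllib.parse.quote(k, safe='-_.~')}={urllib.parse.quote(v, safe='-_.~')}"
        for k, v in sorted(params.items())
    )


def _signature(secret, region, amz_date, datestamp, host, uri, query) -> str:
    scope = f"{datestamp}/{region}/s3/aws4_request"
    # Presigned URLs sign only the host header and leave the payload unsigned.
    canonical_request = "\n".join(["GET", uri, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    string_to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                                hashlib.sha256(canonical_request.encode()).hexdigest()])
    return hmac.new(_signing_key(secret, datestamp, region, "s3"),
                    string_to_sign.encode(), hashlib.sha256).hexdigest()


def presign_s3_get(bucket, key, region, access_key_id, secret_access_key,
                   session_token=None, expires=3600, now=None) -> str:
    """Build a presigned GET URL. With temporary credentials the session token rides along in the
    query string, and the URL dies when those credentials expire even if X-Amz-Expires is longer."""
    if not 1 <= expires <= 7 * 24 * 3600:
        raise ValueError("X-Amz-Expires must be between 1 second and 7 days")
    now = now or datetime.now(timezone.utc)
    amz_date, datestamp = now.strftime("%Y%m%dT%H%M%SZ"), now.strftime("%Y%m%d")
    host = f"{bucket}.s3.{region}.amazonaws.com"
    uri = urllib.parse.quote("/" + key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key_id}/{datestamp}/{region}/s3/aws4_request",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    if session_token:
        params["X-Amz-Security-Token"] = session_token
    query = _encode_query(params)
    sig = _signature(secret_access_key, region, amz_date, datestamp, host, uri, query)
    return f"https://{host}{uri}?{query}&X-Amz-Signature={sig}"


def inspect_presigned_url(url: str) -> dict:
    """What anyone who finds the URL (a recipient, or an attacker reading a log) can learn from it."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    signed_at = datetime.strptime(q["X-Amz-Date"], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    return {
        "access_key_id": q["X-Amz-Credential"].split("/")[0],
        "uses_temporary_credentials": "X-Amz-Security-Token" in q,
        "expires_at": signed_at + timedelta(seconds=int(q["X-Amz-Expires"])),
        "host": parts.netloc,
    }


def verify_presigned_url(url: str, secret_access_key: str) -> bool:
    """Recompute the signature from the URL's own fields; only the signer's secret reproduces it."""
    parts = urllib.parse.urlsplit(url)
    q = dict(urllib.parse.parse_qsl(parts.query, keep_blank_values=True))
    presented = q.pop("X-Amz-Signature", "")
    _, datestamp, region, _, _ = q["X-Amz-Credential"].split("/")
    expected = _signature(secret_access_key, region, q["X-Amz-Date"], datestamp,
                          parts.netloc, parts.path, _encode_query(q))
    return hmac.compare_digest(presented, expected)


if __name__ == "__main__":
    url = presign_s3_get("example-private-bucket", "reports/q1 summary.csv", "us-east-1",
                         FAKE_ACCESS_KEY_ID, FAKE_SECRET_ACCESS_KEY,
                         session_token=FAKE_SESSION_TOKEN, expires=900, now=SIGNED_AT)
    print(url)
    print(inspect_presigned_url(url))
    print("secret in URL:", FAKE_SECRET_ACCESS_KEY in url)           # False
    print("verifies with signer's secret:", verify_presigned_url(url, FAKE_SECRET_ACCESS_KEY))
```

The inspection shows the practitioner's check: the URL reveals which access key ID signed it (so CloudTrail can tell you whose key minted a URL found in the wild) and whether it came from an STS session, but never the secret. In production you would call the SDK's presigning routine rather than this code; the point is that the signature, not the URL's expiry field alone, is what binds the URL to the signer's identity and permissions.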

IAM Roles Anywhere (new in C03):

  • Enables on-premises workloads to obtain temporary credentials for IAM roles by authenticating with X.509 certificates instead of access keys
  • No long-term access keys need to be stored on the hybrid host; what must now be protected is the certificate's private key (file permissions at minimum, an HSM or TPM where the hardware allows)
  • Trust anchor: the certificate authority (AWS Private CA or an external CA) whose certificates Roles Anywhere will accept; a compromised certificate is revoked by importing a CRL into Roles Anywhere
  • Profile: lists the IAM roles the certificate holder may assume and can attach a session policy that further restricts them; each role's own trust policy must also trust rolesanywhere.amazonaws.com, and can condition on certificate fields (for example the subject CN) that Roles Anywhere exposes as session tags
  • Credential flow: the host runs the AWS credential helper (aws_signing_helper), which signs a CreateSession request with the private key and receives session credentials (1 hour by default) that the CLI and SDKs refresh automatically through credential_process
  • Use case: on-premises servers, IoT devices, and partner systems that need AWS API access

⚠️ Exam Trap: IAM Roles Anywhere uses X.509 certificates (not SAML or OIDC) for on-premises workloads. If a question describes on-premises servers needing AWS access without long-term keys, Roles Anywhere is the answer.

Scenario: A hybrid architecture has on-premises batch processing servers that need to write to S3. Today they use long-term access keys stored in configuration files. You migrate to IAM Roles Anywhere: issue each server an X.509 certificate from AWS Private CA, register that CA as a trust anchor, update the S3-writer role's trust policy to trust rolesanywhere.amazonaws.com (pinned to the trust anchor and to the expected certificate subjects), create a profile that maps to the role, and point each server's CLI/SDK at the credential helper so it obtains short-lived credentials instead of reading static keys. Once CloudTrail shows the writes coming from role sessions rather than the old key IDs, delete the old access keys.
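The scenario above, worked as an added example that is not the page's own code: it emits the role trust policy Roles Anywhere requires, lints a weaker one that is often written first, and produces the credential_process stanza a server would use. All ARNs, paths, account IDs and CNs are constructed placeholders. The condition keys (aws:SourceArn, aws:PrincipalTag/x509Subject/CN) and the aws_signing_helper flags are the ones documented for the service; the lint rules are this example's own hardening checks.

```python
"""Added example (not part of the page): IAM pieces for the on-premises batch servers in the
scenario, plus a lint for the role trust policy. All identifiers are constructed placeholders."""
import json

ROLESANYWHERE_PRINCIPAL = "rolesanywhere.amazonaws.com"
# The three STS actions Roles Anywhere performs when it vends a session; all must be allowed.
REQUIRED_ACTIONS = {"sts:AssumeRole", "sts:TagSession", "sts:SetSourceIdentity"}

FAKE_TRUST_ANCHOR_ARN = ("arn:aws:rolesanywhere:us-east-1:123456789012:"
                         "trust-anchor/11111111-2222-3333-4444-555555555555")
FAKE_PROFILE_ARN = ("arn:aws:rolesanywhere:us-east-1:123456789012:"
                    "profile/66666666-7777-8888-9999-000000000000")
FAKE_ROLE_ARN = "arn:aws:iam::123456789012:role/OnPremBatchS3Writer"


def rolesanywhere_trust_policy(trust_anchor_arn: str, allowed_cns: list) -> dict:
    """Trust policy for the role the batch servers assume.

    Pinned to one trust anchor (aws:SourceArn) and to certificates whose Subject CN is on the
    allow list. Roles Anywhere surfaces certificate fields as session tags such as
    aws:PrincipalTag/x509Subject/CN, so ordinary IAM conditions can match on them."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Service": ROLESANYWHERE_PRINCIPAL},
            "Action": sorted(REQUIRED_ACTIONS),
            "Condition": {
                "ArnEquals": {"aws:SourceArn": trust_anchor_arn},
                "StringEquals": {"aws:PrincipalTag/x509Subject/CN": list(allowed_cns)},
            },
        }],
    }


# A trust policy as it is often written first: trusts the service principal and nothing else.
WEAK_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Service": ROLESANYWHERE_PRINCIPAL},
        "Action": "sts:AssumeRole",
    }],
}


def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_rolesanywhere_trust_policy(policy: dict) -> list:
    """Findings for every Allow statement that trusts the Roles Anywhere principal."""
    findings = []
    statements = policy.get("Statement", [])
    for stmt in [statements] if isinstance(statements, dict) else statements:
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service")) if isinstance(principal, dict) else []
        if stmt.get("Effect") != "Allow" or ROLESANYWHERE_PRINCIPAL not in services:
            continue
        missing = REQUIRED_ACTIONS - set(_as_list(stmt.get("Action")))
        if missing:
            findings.append(f"missing actions {sorted(missing)}: Roles Anywhere needs all three to vend a session")
        condition_keys = {k for block in stmt.get("Condition", {}).values() for k in block}
        if not condition_keys & {"aws:SourceArn", "aws:SourceAccount"}:
            findings.append("no aws:SourceArn/aws:SourceAccount condition: role is not pinned to your trust anchor")
        if not any(k.startswith("aws:PrincipalTag/x509") for k in condition_keys):
            findings.append("no x509 attribute condition: any certificate the trust anchor's CA issued can assume the role")
    return findings


def aws_config_profile(name, cert_path, key_path, trust_anchor_arn, profile_arn, role_arn) -> str:
    """~/.aws/config stanza for the server. The CLI/SDK invoke aws_signing_helper, which signs a
    CreateSession request with the certificate's private key and returns short-lived credentials,
    so no static access key is stored on the host."""
    helper = (f"aws_signing_helper credential-process --certificate {cert_path} "
              f"--private-key {key_path} --trust-anchor-arn {trust_anchor_arn} "
              f"--profile-arn {profile_arn} --role-arn {role_arn}")
    return f"[profile {name}]\ncredential_process = {helper}\n"


if __name__ == "__main__":
    good = rolesanywhere_trust_policy(FAKE_TRUST_ANCHOR_ARN, ["batch01.corp.example", "batch02.corp.example"])
    print(json.dumps(good, indent=2))
    print("hardened policy findings:", lint_rolesanywhere_trust_policy(good))   # []
    print("weak policy findings:", lint_rolesanywhere_trust_policy(WEAK_TRUST_POLICY))
    print(aws_config_profile("onprem-batch", "/etc/pki/batch01.pem", "/etc/pki/batch01.key",
                             FAKE_TRUST_ANCHOR_ARN, FAKE_PROFILE_ARN, FAKE_ROLE_ARN))
```

The lint is the review step a practitioner adds before cutover: a trust policy that only names the service principal lets any certificate the CA ever issued, through any trust anchor, obtain the role. Pinning to the trust anchor ARN and to the expected subject CNs turns "has a valid certificate" into "is one of these specific servers".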

Reflection Question: Why does IAM Roles Anywhere specifically solve the long-term credential problem for on-premises workloads, and how does it differ from federation?

Written by Alvin Varughese, Founder, 15 professional certifications