@aws-sdk/client-sts-node
Description
AWS Security Token Service
The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Temporary Security Credentials.
For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about the Query API, go to Making Query Requests in Using IAM. For information about using security tokens with other AWS products, go to AWS Services That Work with IAM in the IAM User Guide.
If you're new to AWS and need additional technical information about a specific AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/.
Endpoints
By default, AWS Security Token Service (STS) is available as a global service, and all AWS STS requests go to a single endpoint at https://sts.amazonaws.com. Global requests map to the US East (N. Virginia) region. AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity. For more information, see Managing AWS STS in an AWS Region in the IAM User Guide.
Most AWS Regions are enabled for operations in all AWS services by default. Those Regions are automatically activated for use with AWS STS. Some Regions, such as Asia Pacific (Hong Kong), must be manually enabled. To learn more about enabling and disabling AWS Regions, see Managing AWS Regions in the AWS General Reference. When you enable these AWS Regions, they are automatically activated for use with AWS STS. You cannot activate the STS endpoint for a Region that is disabled. Tokens that are valid in all AWS Regions are longer than tokens that are valid in Regions that are enabled by default. Changing this setting might affect existing systems where you temporarily store tokens. For more information, see Managing Global Endpoint Session Tokens in the IAM User Guide.
After you activate a Region for use with AWS STS, you can direct AWS STS API calls to that Region. AWS STS recommends that you provide both the Region and endpoint when you make calls to a Regional endpoint. You can provide the Region alone for manually enabled Regions, such as Asia Pacific (Hong Kong). In this case, the calls are directed to the STS Regional endpoint. However, if you provide the Region alone for Regions enabled by default, the calls are directed to the global endpoint of https://sts.amazonaws.com.
To view the list of AWS STS endpoints and whether they are active by default, see Writing Code to Use AWS STS Regions in the IAM User Guide.
Recording API requests
STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine what requests were successfully made to STS, who made the request, when it was made, and so on.
If you activate AWS STS endpoints in Regions other than the default global endpoint, then you must also turn on CloudTrail logging in those Regions. This is necessary to record any AWS STS API calls that are made in those Regions. For more information, see Turning On CloudTrail in Additional Regions in the AWS CloudTrail User Guide.
AWS Security Token Service (STS) is a global service with a single endpoint at https://sts.amazonaws.com. Calls to this endpoint are logged as calls to a global service. However, because this endpoint is physically located in the US East (N. Virginia) Region, your logs list us-east-1 as the event Region. CloudTrail does not write these logs to the US East (Ohio) Region unless you choose to include global service logs in that Region. CloudTrail writes calls to all Regional endpoints to their respective Regions. For example, calls to sts.us-east-2.amazonaws.com are published to the US East (Ohio) Region and calls to sts.eu-central-1.amazonaws.com are published to the EU (Frankfurt) Region.
To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.
Installing
To install the this package using NPM, simply type the following into a terminal window:
npm install @aws-sdk/client-sts-node
Getting Started
Import
The AWS SDK is modulized by clients and commands in CommonJS modules. To send a request, you only need to import the client(STSClient) and the commands you need, for example AssumeRoleCommand:
//JavaScript
const { STSClient } = require("@aws-sdk/client-sts-node/STSClient");
const {
AssumeRoleCommand
} = require("@aws-sdk/client-sts-node/commands/AssumeRoleCommand");//TypeScript
import { STSClient } from "@aws-sdk/client-sts-node/STSClient";
import { AssumeRoleCommand } from "@aws-sdk/client-sts-node/commands/AssumeRoleCommand";Usage
To send a request, you:
- Initiate client with configuration (e.g. credentials, region). For more information you can refer to the API reference.
- Initiate command with input parameters.
- Call
sendoperation on client with command object as input. - If you are using a custom http handler, you may call
destroy()to close open connections.
const sTS = new STSClient({region: 'region'});
//clients can be shared by different commands
const params = {
RoleArn: /**a string value*/,
RoleSessionName: /**a string value*/,
};
const assumeRoleCommand = new AssumeRoleCommand(params);
sTS.send(assumeRoleCommand).then(data => {
// do something
}).catch(error => {
// error handling
})In addition to using promises, there are 2 other ways to send a request:
// async/await
try {
const data = await sTS.send(assumeRoleCommand);
// do something
} catch (error) {
// error handling
}// callback
sTS.send(assumeRoleCommand, (err, data) => {
//do something
});The SDK can also send requests using the simplified callback style from version 2 of the SDK.
import * as AWS from "@aws-sdk/@aws-sdk/client-sts-node/STS";
const sTS = new AWS.STS({ region: "region" });
sTS.assumeRole(params, (err, data) => {
//do something
});Troubleshooting
When the service returns an exception, the error will include the exception information, as well as response metadata (e.g. request id).
try {
const data = await sTS.send(assumeRoleCommand);
// do something
} catch (error) {
const metadata = error.$metadata;
console.log(
`requestId: ${metadata.requestId}
cfId: ${metadata.cfId}
extendedRequestId: ${metadata.extendedRequestId}`
);
/*
The keys within exceptions are also parsed. You can access them by specifying exception names:
if(error.name === 'SomeServiceException') {
const value = error.specialKeyInException;
}
*/
}Getting Help
Please use these community resources for getting help. We use the GitHub issues for tracking bugs and feature requests and have limited bandwidth to address them.
- Ask a question on StackOverflow and tag it with
aws-sdk-js - Come join the AWS JavaScript community on gitter
- If it turns out that you may have found a bug, please open an issue
Contributing
This client code is generated automatically. Any modifications will be overwritten the next time the `@aws-sdk/@aws-sdk/client-sts-node' package is updated. To contribute to SDK you can checkout our code generator package.
License
This SDK is distributed under the Apache License, Version 2.0, see LICENSE for more information.