STS

Protocol: Query (XML) — POST http://localhost:4566/ with Action= parameter

Supported Actions

| Action | Description |
|---|---|
| GetCallerIdentity | Returns the account ID, user ID, and ARN |
| AssumeRole | Assume an IAM role, returns temporary credentials |
| AssumeRoleWithWebIdentity | Assume a role using a web identity token (OIDC) |
| AssumeRoleWithSAML | Assume a role using a SAML assertion |
| GetSessionToken | Get temporary credentials for an IAM user |
| GetFederationToken | Get temporary credentials for a federated user |
| DecodeAuthorizationMessage | Decode an encoded authorization failure message |

Examples

```bash
export AWS_ENDPOINT=http://localhost:4566

# Get caller identity (always works, useful for smoke testing)
aws sts get-caller-identity --endpoint-url "$AWS_ENDPOINT"

# Assume a role
aws sts assume-role \
  --role-arn arn:aws:iam::000000000000:role/my-role \
  --role-session-name dev-session \
  --endpoint-url "$AWS_ENDPOINT"

# Get a session token
aws sts get-session-token --endpoint-url "$AWS_ENDPOINT"
```

GetCallerIdentity is commonly used in CI pipelines and integration tests as a quick connectivity check before running more complex tests.
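A CI preflight built on that check, as an added example (not code from this project): it sends GetCallerIdentity over the Query protocol described above and fails closed unless the endpoint is loopback and the reported account is the emulator's, so a misconfigured pipeline cannot run its tests against a real AWS account. Assumptions: the emulator account is `000000000000` (taken from the role ARN above), the response follows the AWS STS XML shape, and unsigned requests are accepted; the function names and the sample response are constructed for illustration.

```python
import ipaddress
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET

EMULATOR_ACCOUNT = "000000000000"  # assumption: account ID from the page's role ARN
# Constructed sample in the AWS STS response shape (not captured from the emulator).
SAMPLE_RESPONSE = """<GetCallerIdentityResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetCallerIdentityResult>
    <Arn>arn:aws:iam::000000000000:root</Arn>
    <UserId>000000000000</UserId>
    <Account>000000000000</Account>
  </GetCallerIdentityResult>
</GetCallerIdentityResponse>"""

def is_local_endpoint(endpoint):
    """True only for http(s) URLs whose host is localhost or a loopback IP."""
    try:
        parts = urllib.parse.urlsplit(endpoint)
        host = parts.hostname or ""
        local = host == "localhost" or ipaddress.ip_address(host).is_loopback
    except ValueError:  # malformed URL, or a hostname that is not an IP literal
        return False
    return local and parts.scheme in ("http", "https")

def build_request(endpoint):
    """Query protocol POST; Action selects the operation. Unsigned (assumed OK here)."""
    body = urllib.parse.urlencode({"Action": "GetCallerIdentity", "Version": "2011-06-15"})
    return urllib.request.Request(endpoint, data=body.encode(), method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})

def parse_identity(xml_text):
    """Return Account, UserId and Arn from the XML body, ignoring the namespace."""
    fields = {el.tag.rsplit("}", 1)[-1]: (el.text or "").strip()
              for el in ET.fromstring(xml_text).iter()}
    return {k: fields[k] for k in ("Account", "UserId", "Arn")}  # KeyError if absent

def preflight(endpoint, send=None):
    """Fail closed unless the endpoint is local and the caller is the emulator account."""
    if not is_local_endpoint(endpoint):
        raise RuntimeError(f"refusing non-local endpoint: {endpoint}")
    send = send or (lambda req: urllib.request.urlopen(req, timeout=5).read().decode())
    identity = parse_identity(send(build_request(endpoint)))
    if identity["Account"] != EMULATOR_ACCOUNT:
        raise RuntimeError(f"unexpected account: {identity['Account']}")
    return identity

if __name__ == "__main__":
    print(preflight("http://localhost:4566/", send=lambda req: SAMPLE_RESPONSE))
```

In a pipeline, call `preflight(os.environ["AWS_ENDPOINT"])` before the test suite and let the exception abort the job.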