Wasabi provides an S3-compatible Security Token Service (STS) that lets you generate short-lived, scoped credentials instead of using long-lived access keys. This is useful for granting temporary access to applications, services, or users without exposing your permanent credentials.
Because Wasabi's STS is S3-compatible, you interact with it using the standard AWS SDK with the endpoint overridden to point to Wasabi at sts.wasabisys.com.
Supported API Methods
| Method | Description |
|---|---|
| GetSessionToken | Creates temporary credentials from your existing access key. |
| AssumeRole | Creates temporary credentials scoped to a Wasabi IAM role. Supports inline policies for further restriction. |
| GetCallerIdentity | Returns the account ID, user ID, and ARN of the calling credentials. |
Prerequisites
A Wasabi account with an access key and secret key configured in your AWS credentials file (~/.aws/credentials)
AWS Java SDK 2.x
For AssumeRole: a Wasabi IAM role ARN and a sub-user (AssumeRole cannot be called with root credentials)
Configuration
All examples in this guide use the following constants. Replace these with your own values:
```java
static String s3Uri = "https://s3.wasabisys.com";
static String stsUri = "https://sts.wasabisys.com";
static String credentialsProfile = "your-wasabi-profile";
static String roleArn = "arn:aws:iam::ACCOUNT_ID:role/YOUR_ROLE"; // AssumeRole only
```

GetSessionToken
GetSessionToken creates temporary credentials derived from your existing access key. Use this when you want time-limited credentials without restricting permissions beyond what the original key allows.
```java
ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
    .profileName(credentialsProfile)
    .build();

StsClient stsClient = StsClient.builder()
    .httpClientBuilder(ApacheHttpClient.builder())
    .endpointOverride(new URI(stsUri))
    .credentialsProvider(provider)
    .build();

GetSessionTokenRequest request = GetSessionTokenRequest.builder()
    .durationSeconds(900)
    .build();

GetSessionTokenResponse result = stsClient.getSessionToken(request);
Credentials credentials = result.credentials();

// Use the temporary credentials with the S3 client
AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(
    credentials.accessKeyId(),
    credentials.secretAccessKey(),
    credentials.sessionToken()
);

S3Client s3Client = S3Client.builder()
    .httpClientBuilder(ApacheHttpClient.builder())
    .endpointOverride(new URI(s3Uri))
    .credentialsProvider(StaticCredentialsProvider.create(sessionCredentials))
    .build();

// Example: create a bucket using the temporary credentials
String bucketName = "my-bucket";
CreateBucketResponse response = s3Client.createBucket(
    CreateBucketRequest.builder().bucket(bucketName).build()
);
if (response.sdkHttpResponse().isSuccessful()) {
    System.out.println("Bucket created: " + bucketName);
}
```

AssumeRole
AssumeRole creates temporary credentials by assuming a Wasabi IAM role, restricting access to only the permissions that role grants. This must be called using sub-user credentials—root credentials are not supported.
```java
AssumeRoleRequest assumeRole = AssumeRoleRequest.builder()
    .roleArn(roleArn)
    .roleSessionName("my-session")
    .durationSeconds(900)
    .build();

ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
    .profileName(credentialsProfile)
    .build();

StsClient stsClient = StsClient.builder()
    .httpClientBuilder(ApacheHttpClient.builder())
    .endpointOverride(new URI(stsUri))
    .credentialsProvider(provider)
    .build();

Credentials assumedCredentials = stsClient.assumeRole(assumeRole).credentials();

AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(
    assumedCredentials.accessKeyId(),
    assumedCredentials.secretAccessKey(),
    assumedCredentials.sessionToken()
);

S3Client s3Client = S3Client.builder()
    .httpClientBuilder(ApacheHttpClient.builder())
    .endpointOverride(new URI(s3Uri))
    .credentialsProvider(StaticCredentialsProvider.create(sessionCredentials))
    .build();

// Example: list objects in a bucket using the assumed role credentials
String bucketName = "my-bucket";
ListObjectsResponse response = s3Client.listObjects(
    ListObjectsRequest.builder().bucket(bucketName).build()
);
System.out.println("Objects found: " + response.contents().size());
```

Restricting Permissions With an Inline Policy
You can pass an inline policy to AssumeRole to further narrow permissions beyond what the role itself allows. The effective permissions are the intersection of the role's policy and the inline policy.
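The intersection rule above, modelled as an added example that is not part of Wasabi's guide or SDK: it shows that an Allow on s3:* in the inline policy does not add actions the role lacks, and that a matching Deny wins. It is a simplified evaluator (only * wildcards, no conditions or principals) following the AWS-style semantics this section describes; the role policy is a constructed assumption, the inline policy is the one used in this section's AssumeRole example, and records require Java 16 or later.

```java
import java.util.List;
import java.util.regex.Pattern;

public class SessionPolicyModel {
    enum Decision { EXPLICIT_DENY, ALLOW, NO_MATCH }
    // One policy statement, reduced to the three fields used in this section.
    record Statement(String effect, List<String> actions, List<String> resources) {}

    // '*' matches any run of characters; everything else is compared literally.
    static boolean matches(String pattern, String value) {
        String regex = Pattern.quote(pattern).replace("*", "\\E.*\\Q");
        return Pattern.matches(regex, value);
    }
    static boolean applies(Statement s, String action, String resource) {
        return s.actions().stream().anyMatch(p -> matches(p, action))
            && s.resources().stream().anyMatch(p -> matches(p, resource));
    }

    // A matching Deny wins outright; otherwise any matching Allow; otherwise no match.
    static Decision evaluate(List<Statement> policy, String action, String resource) {
        Decision result = Decision.NO_MATCH;
        for (Statement s : policy) {
            if (!applies(s, action, resource)) continue;
            if (s.effect().equals("Deny")) return Decision.EXPLICIT_DENY;
            result = Decision.ALLOW;
        }
        return result;
    }

    // Intersection: a request passes only when the role AND the inline policy allow it.
    static boolean sessionAllows(List<Statement> role, List<Statement> inline,
                                 String action, String resource) {
        return evaluate(role, action, resource) == Decision.ALLOW
            && evaluate(inline, action, resource) == Decision.ALLOW;
    }

    public static void main(String[] args) {
        // Constructed role policy (assumption): read, list and bucket creation only.
        List<Statement> role = List.of(new Statement("Allow",
            List.of("s3:GetObject", "s3:ListBucket", "s3:CreateBucket"), List.of("*")));
        // The inline policy from this section: allow s3:*, deny s3:CreateBucket.
        List<Statement> inline = List.of(new Statement("Allow", List.of("s3:*"), List.of("*")),
            new Statement("Deny", List.of("s3:CreateBucket"), List.of("*")));
        for (String action : List.of("s3:ListBucket", "s3:CreateBucket", "s3:DeleteObject")) {
            boolean ok = sessionAllows(role, inline, action, "arn:aws:s3:::my-bucket");
            System.out.println(action + " -> " + (ok ? "allowed" : "denied"));
        }
    }
}
```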
The following example assumes a role but denies bucket creation:
```java
String restrictedPolicy = """
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:*",
          "Resource": ["*"]
        },
        {
          "Effect": "Deny",
          "Action": "s3:CreateBucket",
          "Resource": ["*"]
        }
      ]
    }
    """;

AssumeRoleRequest assumeRole = AssumeRoleRequest.builder()
    .roleArn(roleArn)
    .roleSessionName("restricted-session")
    .durationSeconds(900)
    .policy(restrictedPolicy)
    .build();

// STS client setup and credential extraction is the same as above

// This will succeed (allowed by policy)
ListObjectsResponse listResponse = s3Client.listObjects(
    ListObjectsRequest.builder().bucket("my-bucket").build()
);

// This will fail (denied by inline policy)
try {
    s3Client.createBucket(CreateBucketRequest.builder().bucket("new-bucket").build());
} catch (Exception ex) {
    System.out.println("Denied: " + ex.getMessage());
}
```

GetCallerIdentity
GetCallerIdentity returns the account and identity details for the credentials being used. This is useful for verifying which identity a set of credentials belongs to.
```java
ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
    .profileName(credentialsProfile)
    .build();

StsClient stsClient = StsClient.builder()
    .httpClientBuilder(ApacheHttpClient.builder())
    .endpointOverride(new URI(stsUri))
    .credentialsProvider(provider)
    .build();

GetCallerIdentityResponse response = stsClient.getCallerIdentity();
System.out.println("Account : " + response.account());
System.out.println("User ID : " + response.userId());
System.out.println("ARN : " + response.arn());
```

For more information on Wasabi's IAM and STS support, refer to IAM and STS Support. For the full list of AWS SDK integration guides, see AWS SDKs, Tools, and Services With Wasabi.