---
title: "Using Temporary Security Credentials With Wasabi STS"
slug: "aws-sts-with-wasabi"
updated: 2026-06-13T14:15:41Z
published: 2026-06-13T14:15:41Z
canonical: "docs.wasabi.com/aws-sts-with-wasabi"
---

# Using Temporary Security Credentials With Wasabi STS

Wasabi provides an S3-compatible Security Token Service (STS) that lets you generate short-lived, scoped credentials instead of using long-lived access keys. This is useful for granting temporary access to applications, services, or users without exposing your permanent credentials.

Because Wasabi's STS is S3-compatible, you interact with it using the standard AWS SDK with the endpoint overridden to point to Wasabi at **sts.wasabisys.com**.

## Supported API Methods

| Method | Description |
| --- | --- |
| [GetSessionToken](/docs/aws-sts-with-wasabi#getsessiontoken) | Creates temporary credentials from your existing access key. |
| [AssumeRole](/docs/aws-sts-with-wasabi#assumerole) | Creates temporary credentials scoped to a Wasabi IAM role. Supports inline policies for further restriction. |
| [GetCallerIdentity](/docs/aws-sts-with-wasabi#getcalleridentity) | Returns the account ID, user ID, and ARN of the calling credentials. |

## Requirements

- A Wasabi account with an access key and secret key configured in your AWS credentials file (~/.aws/credentials)
- AWS Java SDK 2.x
- For AssumeRole: a Wasabi IAM role ARN and a sub-user (AssumeRole cannot be called with root credentials)

## Configuration

All examples in this guide use the following constants. Replace these with your own values:

```java
static String s3Uri = "https://s3.wasabisys.com";
static String stsUri = "https://sts.wasabisys.com";
static String credentialsProfile = "your-wasabi-profile";
static String roleArn = "arn:aws:iam::ACCOUNT_ID:role/YOUR_ROLE";  // AssumeRole only
```

## GetSessionToken

GetSessionToken creates temporary credentials derived from your existing access key. Use this when you want time-limited credentials without restricting permissions beyond what the original key allows.

```java
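import java.net.URI;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.CreateBucketRequest;
import software.amazon.awssdk.services.s3.model.CreateBucketResponse;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.Credentials;
import software.amazon.awssdk.services.sts.model.GetSessionTokenRequest;
import software.amazon.awssdk.services.sts.model.GetSessionTokenResponse;

// Long-lived access key, read from the named profile in ~/.aws/credentials
ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
        .profileName(credentialsProfile)
        .build();

// STS client pointed at Wasabi; URI.create avoids the checked URISyntaxException of new URI(...)
StsClient stsClient = StsClient.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(stsUri))
        .credentialsProvider(provider)
        .build();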

GetSessionTokenRequest request = GetSessionTokenRequest.builder()
        .durationSeconds(900)
        .build();

GetSessionTokenResponse result = stsClient.getSessionToken(request);
Credentials credentials = result.credentials();

// Use the temporary credentials with the S3 client
AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(
        credentials.accessKeyId(),
        credentials.secretAccessKey(),
        credentials.sessionToken()
);

S3Client s3Client = S3Client.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(s3Uri))
        .credentialsProvider(StaticCredentialsProvider.create(sessionCredentials))
        .build();

// Example: create a bucket using the temporary credentials
String bucketName = "my-bucket";
CreateBucketResponse response = s3Client.createBucket(
        CreateBucketRequest.builder().bucket(bucketName).build()
);

if (response.sdkHttpResponse().isSuccessful()) {
    System.out.println("Bucket created: " + bucketName);
}
```

## AssumeRole

AssumeRole creates temporary credentials by assuming a Wasabi IAM role, restricting access to only the permissions that role grants. This must be called using sub-user credentials—root credentials are not supported.

```java
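import java.net.URI;
import software.amazon.awssdk.auth.credentials.AwsSessionCredentials;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.auth.credentials.StaticCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.services.s3.S3Client;
import software.amazon.awssdk.services.s3.model.ListObjectsRequest;
import software.amazon.awssdk.services.s3.model.ListObjectsResponse;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.AssumeRoleRequest;
import software.amazon.awssdk.services.sts.model.Credentials;

AssumeRoleRequest assumeRole = AssumeRoleRequest.builder()
        .roleArn(roleArn)
        .roleSessionName("my-session")
        .durationSeconds(900)
        .build();

// Sub-user access key from the named profile (root credentials cannot call AssumeRole)
ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
        .profileName(credentialsProfile)
        .build();

StsClient stsClient = StsClient.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(stsUri))
        .credentialsProvider(provider)
        .build();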

Credentials assumedCredentials = stsClient.assumeRole(assumeRole).credentials();

AwsSessionCredentials sessionCredentials = AwsSessionCredentials.create(
        assumedCredentials.accessKeyId(),
        assumedCredentials.secretAccessKey(),
        assumedCredentials.sessionToken()
);

S3Client s3Client = S3Client.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(s3Uri))
        .credentialsProvider(StaticCredentialsProvider.create(sessionCredentials))
        .build();

// Example: list objects in a bucket using the assumed role credentials
String bucketName = "my-bucket";
ListObjectsResponse response = s3Client.listObjects(
        ListObjectsRequest.builder().bucket(bucketName).build()
);
System.out.println("Objects found: " + response.contents().size());
```

### Restricting Permissions With an Inline Policy

You can pass an inline policy to AssumeRole to further narrow permissions beyond what the role itself allows. The effective permissions are the intersection of the role's policy and the inline policy.

This example assumes a role but denies bucket creation:

```java
String restrictedPolicy = """
        {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Effect": "Allow",
                    "Action": "s3:*",
                    "Resource": ["*"]
                },
                {
                    "Effect": "Deny",
                    "Action": "s3:CreateBucket",
                    "Resource": ["*"]
                }
            ]
        }
        """;

AssumeRoleRequest assumeRole = AssumeRoleRequest.builder()
        .roleArn(roleArn)
        .roleSessionName("restricted-session")
        .durationSeconds(900)
        .policy(restrictedPolicy)
        .build();

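// Build the STS client and exchange the request for temporary credentials, as above
StsClient stsClient = StsClient.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(stsUri))
        .credentialsProvider(ProfileCredentialsProvider.builder()
                .profileName(credentialsProfile)
                .build())
        .build();

Credentials assumedCredentials = stsClient.assumeRole(assumeRole).credentials();

// The S3 client must be built from these restricted credentials for the inline policy to apply
S3Client s3Client = S3Client.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(s3Uri))
        .credentialsProvider(StaticCredentialsProvider.create(AwsSessionCredentials.create(
                assumedCredentials.accessKeyId(),
                assumedCredentials.secretAccessKey(),
                assumedCredentials.sessionToken())))
        .build();

// This will succeed (allowed by policy)
ListObjectsResponse listResponse = s3Client.listObjects(
        ListObjectsRequest.builder().bucket("my-bucket").build()
);

// This will fail (denied by inline policy)
try {
    s3Client.createBucket(CreateBucketRequest.builder().bucket("new-bucket").build());
} catch (S3Exception ex) {
    // software.amazon.awssdk.services.s3.model.S3Exception: catch only service errors,
    // so that a network failure is not reported as a denial
    System.out.println("Denied: HTTP " + ex.statusCode() + " " + ex.getMessage());
}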
```
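
The intersection rule described above can be checked offline. The following is an added example, not Wasabi's or the AWS SDK's code: a simplified evaluator that matches on actions only (resources are ignored and only a trailing `*` wildcard is supported), run against a constructed role policy and the inline policy from this page. The names `Statement`, `anyMatch` and `isPermitted` are hypothetical.

```java
import java.util.List;

// Simplified model of session-policy evaluation (added example, not Wasabi's engine):
// an action is permitted only if no statement explicitly denies it and BOTH the
// role policy and the inline session policy contain a matching Allow.
public class SessionPolicyIntersection {

    record Statement(boolean allow, String actionPattern) {
        // Supports an exact action name or a trailing "*" wildcard, e.g. "s3:*".
        boolean matches(String action) {
            if (actionPattern.endsWith("*")) {
                String prefix = actionPattern.substring(0, actionPattern.length() - 1);
                return action.startsWith(prefix);
            }
            return actionPattern.equals(action);
        }
    }

    static boolean anyMatch(List<Statement> policy, boolean allow, String action) {
        return policy.stream().anyMatch(s -> s.allow() == allow && s.matches(action));
    }

    static boolean isPermitted(List<Statement> rolePolicy, List<Statement> sessionPolicy,
                               String action) {
        // An explicit Deny in either policy always wins.
        if (anyMatch(rolePolicy, false, action) || anyMatch(sessionPolicy, false, action)) {
            return false;
        }
        // Otherwise both policies must allow the action (the intersection).
        return anyMatch(rolePolicy, true, action) && anyMatch(sessionPolicy, true, action);
    }

    public static void main(String[] args) {
        // Constructed role policy for illustration: read access plus bucket creation.
        List<Statement> rolePolicy = List.of(
                new Statement(true, "s3:GetObject"),
                new Statement(true, "s3:ListBucket"),
                new Statement(true, "s3:CreateBucket"));
        // The inline policy from this page: Allow s3:*, Deny s3:CreateBucket.
        List<Statement> sessionPolicy = List.of(
                new Statement(true, "s3:*"),
                new Statement(false, "s3:CreateBucket"));

        for (String action : List.of("s3:ListBucket", "s3:CreateBucket", "s3:PutObject")) {
            System.out.println(action + " -> " + isPermitted(rolePolicy, sessionPolicy, action));
        }
    }
}
```

In this model `s3:ListBucket` is permitted, `s3:CreateBucket` is refused by the explicit deny, and `s3:PutObject` is refused because the constructed role never allowed it, even though the inline policy allows `s3:*`.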

## GetCallerIdentity

GetCallerIdentity returns the account and identity details for the credentials being used. This is useful for verifying which identity a set of credentials belongs to.

```java
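import java.net.URI;
import software.amazon.awssdk.auth.credentials.ProfileCredentialsProvider;
import software.amazon.awssdk.http.apache.ApacheHttpClient;
import software.amazon.awssdk.services.sts.StsClient;
import software.amazon.awssdk.services.sts.model.GetCallerIdentityResponse;

ProfileCredentialsProvider provider = ProfileCredentialsProvider.builder()
        .profileName(credentialsProfile)
        .build();

StsClient stsClient = StsClient.builder()
        .httpClientBuilder(ApacheHttpClient.builder())
        .endpointOverride(URI.create(stsUri))
        .credentialsProvider(provider)
        .build();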

GetCallerIdentityResponse response = stsClient.getCallerIdentity();

System.out.println("Account : " + response.account());
System.out.println("User ID : " + response.userId());
System.out.println("ARN     : " + response.arn());
```

> For more information on Wasabi's IAM and STS support, refer to [IAM and STS Support](https://docs.wasabi.com/docs/iam-and-sts-support). For the full list of AWS SDK integration guides, see [AWS SDKs, Tools, and Services With Wasabi](https://docs.wasabi.com/docs/how-do-i-use-aws-sdks-tools-and-aws-services-other-than-aws-s3-with-wasabi).
