
awsflow-sts

Use the STSTool in the awsflow VS Code extension to get the caller identity, assume roles, decode authorization messages, and obtain temporary credentials.

SKILL.md
---
name: awsflow-sts
description: Get caller identity, assume roles, decode authorization messages, and get temporary credentials using the awsflow VS Code extension STSTool.
---

awsflow-sts

Use the STSTool language tool in VS Code to manage AWS STS (Security Token Service) operations — identity verification, role assumption, temporary credentials, and authorization debugging.

When to Use

  • User wants to verify their AWS identity (who am I?)
  • User wants to assume an IAM role
  • User wants to get temporary security credentials
  • User wants to decode an encoded authorization failure message
  • User wants to get a federation token
  • User wants to look up account info for an access key
  • User needs SAML or web identity token-based role assumption

Tool Reference

Tool name: STSTool

Input Schema

```json
{
  "command": "<CommandName>",
  "params": { ... }
}
```

Commands (10 total)

| Command | Description |
|---|---|
| AssumeRole | Assume an IAM role and get temporary credentials |
| AssumeRoleWithSAML | Assume a role using a SAML assertion |
| AssumeRoleWithWebIdentity | Assume a role using a web identity (OIDC) token |
| DecodeAuthorizationMessage | Decode an encoded authorization failure message |
| GetAccessKeyInfo | Get the account ID for an access key |
| GetCallerIdentity | Get the identity of the calling credentials (account, ARN, user ID) |
| GetDelegatedAccessToken | Get a delegated access token |
| GetFederationToken | Get temporary credentials for a federated user |
| GetSessionToken | Get temporary session credentials (with optional MFA) |
| GetWebIdentityToken | Get a web identity token for a role |

Parameters

| Parameter | Type | Description |
|---|---|---|
| RoleArn | string | IAM role ARN (Required by: AssumeRole, AssumeRoleWithSAML, AssumeRoleWithWebIdentity, GetDelegatedAccessToken, GetWebIdentityToken) |
| RoleSessionName | string | Session name for role assumption (Required by: AssumeRole, AssumeRoleWithWebIdentity, GetWebIdentityToken) |
| DurationSeconds | number | Token lifetime in seconds (Used by: AssumeRole, GetDelegatedAccessToken, GetFederationToken, GetSessionToken, GetWebIdentityToken) |
| ExternalId | string | External ID for cross-account role assumption (Used by: AssumeRole) |
| PolicyArns | array | Managed policy ARNs for session policies (Used by: AssumeRole, AssumeRoleWithWebIdentity, AssumeRoleWithSAML) |
| Policy | string | IAM policy JSON string for temporary credentials (Used by: AssumeRole, GetFederationToken) |
| TransitiveTagKeys | array | Session tag keys to set as transitive (Used by: AssumeRole) |
| SourceIdentity | string | Source identity for role chaining (Used by: AssumeRole) |
| Tags | array | Session tags as [{Key, Value}] (Used by: AssumeRole, GetFederationToken) |
| SAMLAssertion | string | Base64-encoded SAML authentication response (Required by: AssumeRoleWithSAML) |
| PrincipalArn | string | ARN of the SAML provider (Required by: AssumeRoleWithSAML) |
| WebIdentityToken | string | Web identity (OIDC) token (Required by: AssumeRoleWithWebIdentity, GetWebIdentityToken) |
| ProviderId | string | Identity provider ID (Used by: AssumeRoleWithWebIdentity, GetWebIdentityToken) |
| EncodedMessage | string | Encoded authorization failure message (Required by: DecodeAuthorizationMessage) |
| AccessKeyId | string | AWS access key ID (Required by: GetAccessKeyInfo) |
| DelegationTokenLifetimeSeconds | number | Delegated token lifetime in seconds (Used by: GetDelegatedAccessToken) |
| Name | string | Session or federation token name (Required by: GetFederationToken) |
| SerialNumber | string | MFA device serial number (Used by: GetSessionToken) |
| TokenCode | string | MFA token code (Used by: GetSessionToken) |

Usage Examples

Check current identity

```json
{ "command": "GetCallerIdentity", "params": {} }
```

Assume a role

```json
{ "command": "AssumeRole", "params": { "RoleArn": "arn:aws:iam::123456789012:role/MyRole", "RoleSessionName": "my-session", "DurationSeconds": 3600 } }
```

Assume a role with external ID (cross-account)

```json
{ "command": "AssumeRole", "params": { "RoleArn": "arn:aws:iam::987654321098:role/CrossAccountRole", "RoleSessionName": "cross-account-session", "ExternalId": "my-external-id" } }
```

Decode an authorization failure message

```json
{ "command": "DecodeAuthorizationMessage", "params": { "EncodedMessage": "<encoded-message-string>" } }
```

Get account ID for an access key

```json
{ "command": "GetAccessKeyInfo", "params": { "AccessKeyId": "AKIAIOSFODNN7EXAMPLE" } }
```

Get session token with MFA

```json
{ "command": "GetSessionToken", "params": { "DurationSeconds": 3600, "SerialNumber": "arn:aws:iam::123456789012:mfa/user", "TokenCode": "123456" } }
```

Get federation token

```json
{ "command": "GetFederationToken", "params": { "Name": "federated-user", "DurationSeconds": 3600, "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\"Action\":\"s3:*\",\"Resource\":\"*\"}]}" } }
```

Assume role with web identity

```json
{ "command": "AssumeRoleWithWebIdentity", "params": { "RoleArn": "arn:aws:iam::123456789012:role/WebIdentityRole", "RoleSessionName": "web-session", "WebIdentityToken": "<oidc-token>" } }
```
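The Parameters table above spells out which parameters each command requires or accepts, and the usage examples show well-formed requests. The following is an added example, not code from the awsflow extension: an offline linter that transcribes those "Required by" / "Used by" rules into a table and checks a request object before it is handed to STSTool, so that a missing RoleSessionName, a parameter the command ignores, or a wrong type is caught locally instead of as an STS error. Three checks are assumptions drawn from the AWS STS API rather than from this page: the 900-second minimum for DurationSeconds, the 2-64 character `[\w+=,.@-]` format for RoleSessionName, and the role-ARN pattern. The wildcard-policy warning is a least-privilege check added here; it flags a session Policy (as in the GetFederationToken example) that allows `s3:*` or `*` on every resource, since a session policy exists to narrow the session, not to restate full access.

```python
"""Offline linter for STSTool request objects (added example, not awsflow code)."""
import json
import re

# Command -> (required params, optional params), transcribed from the
# Commands and Parameters tables of this skill page.
COMMANDS = {
    "AssumeRole": ({"RoleArn", "RoleSessionName"},
                   {"DurationSeconds", "ExternalId", "PolicyArns", "Policy",
                    "TransitiveTagKeys", "SourceIdentity", "Tags"}),
    "AssumeRoleWithSAML": ({"RoleArn", "SAMLAssertion", "PrincipalArn"}, {"PolicyArns"}),
    "AssumeRoleWithWebIdentity": ({"RoleArn", "RoleSessionName", "WebIdentityToken"},
                                  {"PolicyArns", "ProviderId"}),
    "DecodeAuthorizationMessage": ({"EncodedMessage"}, set()),
    "GetAccessKeyInfo": ({"AccessKeyId"}, set()),
    "GetCallerIdentity": (set(), set()),
    "GetDelegatedAccessToken": ({"RoleArn"}, {"DurationSeconds", "DelegationTokenLifetimeSeconds"}),
    "GetFederationToken": ({"Name"}, {"DurationSeconds", "Policy", "Tags"}),
    "GetSessionToken": (set(), {"DurationSeconds", "SerialNumber", "TokenCode"}),
    "GetWebIdentityToken": ({"RoleArn", "RoleSessionName", "WebIdentityToken"},
                            {"DurationSeconds", "ProviderId"}),
}
# Parameters whose type in the Parameters table is not "string".
NUMBER_PARAMS = {"DurationSeconds", "DelegationTokenLifetimeSeconds"}
ARRAY_PARAMS = {"PolicyArns", "TransitiveTagKeys", "Tags"}

# Assumed AWS STS API constraints (not stated on the page): every duration is
# at least 900 seconds, RoleSessionName is 2-64 chars of [\w+=,.@-], and a
# role ARN has a 12-digit account ID and a "role/" resource.
MIN_DURATION = 900
ROLE_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:role/[\w+=,.@/-]+$")
SESSION_NAME_RE = re.compile(r"^[\w+=,.@-]{2,64}$")


def _policy_findings(policy_text):
    """Flag an unparsable session policy or one that allows wildcard access."""
    try:
        policy = json.loads(policy_text)
    except (TypeError, ValueError) as exc:
        return [f"Policy is not valid JSON: {exc}"]
    if not isinstance(policy, dict):
        return ["Policy must be a JSON object"]
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    out = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        resources = stmt.get("Resource", [])
        resources = [resources] if isinstance(resources, str) else resources
        if "*" in resources and any(a == "*" or a.endswith(":*") for a in actions):
            out.append(f"Policy allows {actions} on Resource '*'; a session policy "
                       "should scope the session down, not restate full access")
    return out


def lint_request(request):
    """Return a list of findings for one STSTool request; [] means it passes."""
    command = request.get("command")
    params = request.get("params") or {}
    if command not in COMMANDS:
        return [f"unknown command {command!r}"]
    required, optional = COMMANDS[command]
    given = set(params)
    findings = [f"missing required parameter {n}" for n in sorted(required - given)]
    findings += [f"parameter {n} is not used by {command}"
                 for n in sorted(given - required - optional)]
    for name, value in params.items():
        expected = int if name in NUMBER_PARAMS else list if name in ARRAY_PARAMS else str
        if isinstance(value, bool) or not isinstance(value, expected):
            findings.append(f"{name}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if name in NUMBER_PARAMS and value < MIN_DURATION:
            findings.append(f"{name}={value} is below the {MIN_DURATION}s minimum")
        if name == "RoleArn" and not ROLE_ARN_RE.match(value):
            findings.append(f"RoleArn {value!r} is not an IAM role ARN")
        if name == "RoleSessionName" and not SESSION_NAME_RE.match(value):
            findings.append("RoleSessionName must be 2-64 chars of [\\w+=,.@-]")
        if name == "Policy":
            findings += _policy_findings(value)
    # MFA on GetSessionToken needs the device serial and the code together.
    if command == "GetSessionToken" and ("SerialNumber" in params) != ("TokenCode" in params):
        findings.append("SerialNumber and TokenCode must be supplied together")
    return findings


if __name__ == "__main__":
    # Constructed sample: the GetFederationToken request shown on this page.
    sample = {"command": "GetFederationToken",
              "params": {"Name": "federated-user", "DurationSeconds": 3600,
                         "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
                             {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]})}}
    for finding in lint_request(sample) or ["ok"]:
        print(finding)
```

Run against the page's own GetCallerIdentity and AssumeRole examples the linter returns an empty list; against the GetFederationToken example it returns a single wildcard-policy warning. The command table is the only part that must track the extension: if a later version of STSTool adds a parameter, add it to the corresponding set.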

Related Services

STS is foundational to AWS security and is used alongside:

| Relationship | Tool |
|---|---|
| Manages IAM roles/policies | IAMTool |
| Session management | SessionTool (in awsflow-general) |
| Test AWS connectivity | TestAwsConnectionTool (in awsflow-general) |
| All AWS services require valid credentials | All awsflow tools |

Tips

  • Start with GetCallerIdentity to verify which account and identity you're operating as.
  • Use DecodeAuthorizationMessage when you get "Encoded authorization failure" errors — it reveals the denied action, resource, and conditions.
  • AssumeRole with ExternalId is required for cross-account access when the trust policy mandates it.
  • GetSessionToken with MFA is useful when your account requires MFA for sensitive operations.
  • Temporary credentials from STS calls are valid for the specified DurationSeconds (default varies by command).