Select your cookie preferences

We use essential cookies and similar tools that are necessary to provide our site and services. We use performance cookies to collect anonymous statistics, so we can understand how customers use our site and make improvements. Essential cookies cannot be deactivated, but you can choose “Customize” or “Decline” to decline performance cookies.

If you agree, AWS and approved third parties will also use cookies to provide useful site features, remember your preferences, and display relevant content, including relevant advertising. To accept or decline all non-essential cookies, choose “Accept” or “Decline.” To make more detailed choices, choose “Customize.”

Preferences
Contact Us
Feedback
AWS Documentation
Create an AWS Account

Using AWS Security Token Service on a Snowball Edge

PDF
RSS
Focus mode
Using AWS Security Token Service on a Snowball Edge - AWS Snowball Edge Developer Guide
Using the AWS CLI and API operations on a Snowball EdgeSupported AWS STSAWS CLI commands on a Snowball EdgeSupported AWS STS API operations on a Snowball Edge

The AWS Security Token Service (AWS STS) helps you request temporary, limited-privilege credentials for IAM users.

Important

For AWS services to work properly on a Snowball Edge, you must allow the ports for the services. For details, see Port requirements for AWS services on a Snowball Edge.

Using the AWS CLI and API operations on a Snowball Edge

When using the AWS CLI or API operations to issue IAM, AWS STS, Amazon S3, and Amazon EC2 commands on Snowball Edge device, you must specify the region as "snow." You can do this using AWS configure or within the command itself, as in the following examples.

aws configure --profile snowballEdge
AWS Access Key ID [None]: defgh
AWS Secret Access Key [None]: 1234567
Default region name [None]: snow
Default output format [None]: json

Or

aws iam list-users --endpoint http://192.0.2.0:6078 --region snow --profile snowballEdge
Note

The access key ID and access secret key that are use locally on AWS Snowball Edge can't be interchanged with the keys in the AWS Cloud.

Supported AWS STSAWS CLI commands on a Snowball Edge

Only the assume-role command is supported locally.

The following parameters are supported for assume-role:

  • role-arn

  • role-session-name

  • duration-seconds

Example command to assume a role on a Snowball Edge

To assume a role, use the following command.


    aws sts assume-role --role-arn "arn:aws:iam::123456789012:role/example-role" --role-session-name AWSCLI-Session  --endpoint http://snow-device-IP-address:7078

For more information about using the assume-role command, see How do I assume an IAM role using the AWS CLI?

For more information about using AWS STS, see Using Temporary Security Credentials in the IAM User Guide.

Supported AWS STS API operations on a Snowball Edge

Only the AssumeRole API is supported locally.

The following parameters are supported for AssumeRole:

  • RoleArn

  • RoleSessionName

  • DurationSeconds

Example of assuming a role
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=AssumeRole
&RoleSessionName=session-example
&RoleArn=arn:aws:iam::123456789012:role/demo
&DurationSeconds=3600

On this page

PrivacySite termsCookie preferences
© 2025, Amazon Web Services, Inc. or its affiliates. All rights reserved.