STS Version

STS Version 1

By default, STS exposes a single global endpoint, https://sts.amazonaws.com, which is hosted in us-east-1.

A token obtained from this global endpoint is, by default, valid only in the Regions that are enabled for the current account.


For example, if a Region has not been enabled, running the AWS CLI against it may fail with the following error:

aws rds describe-db-clusters --region af-south-1

An error occurred (InvalidClientTokenId) when calling the DescribeDBClusters operation: The security token included in the request is invalid.

The account can also be configured so that tokens obtained from the global endpoint are valid in all AWS Regions; this is an account-level STS setting.


STS Version 2

AWS recommends using Regional STS endpoints, which reduce latency. A Regional endpoint looks like https://sts.ap-northeast-1.amazonaws.com

A token obtained from a Regional STS endpoint is valid in all AWS Regions.
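The following script is an added example and is not part of the original page or of any AWS tooling. It audits AWS CLI/SDK profiles for which STS endpoint they will use (global vs. Regional) and applies the two rules above to decide whether the resulting token will be accepted in a target Region. Beyond what the page states, it assumes: the sts_regional_endpoints config key and the AWS_STS_REGIONAL_ENDPOINTS environment variable with values legacy/regional (environment variable wins, default legacy), and the set of Regions for which the SDKs still pick the global endpoint in legacy mode (opt-in Regions such as af-south-1 always use their Regional endpoint). The sample config is constructed inline.

```python
"""Audit AWS profiles for the STS endpoint they use and whether the token works
in a target Region. Added example; assumptions are marked in comments."""
import configparser
import os

GLOBAL_STS_ENDPOINT = "https://sts.amazonaws.com"  # global endpoint, served from us-east-1

# Regions where legacy mode still routes STS to the global endpoint.
# Assumption: mirrors the SDK "legacy" list, not something the page states.
LEGACY_GLOBAL_REGIONS = {
    "ap-northeast-1", "ap-south-1", "ap-southeast-1", "ap-southeast-2",
    "ca-central-1", "eu-central-1", "eu-north-1", "eu-west-1", "eu-west-2",
    "eu-west-3", "sa-east-1", "us-east-1", "us-east-2", "us-west-1", "us-west-2",
}

# Constructed sample ~/.aws/config (not a real file).
SAMPLE_CONFIG = """\
[default]
region = us-east-1

[profile tokyo]
region = ap-northeast-1
sts_regional_endpoints = regional

[profile capetown]
region = af-south-1
"""


def parse_profiles(config_text):
    """Return {profile_name: {key: value}}; the 'profile ' prefix is stripped."""
    cp = configparser.ConfigParser()
    cp.read_string(config_text)
    profiles = {}
    for section in cp.sections():
        name = section[len("profile "):] if section.startswith("profile ") else section
        profiles[name] = dict(cp[section])
    return profiles


def endpoint_mode(profile, env=None):
    """Resolve legacy/regional: env var overrides the profile; default is legacy (assumed)."""
    env = os.environ if env is None else env
    mode = (env.get("AWS_STS_REGIONAL_ENDPOINTS")
            or profile.get("sts_regional_endpoints")
            or "legacy").lower()
    if mode not in ("legacy", "regional"):
        raise ValueError(f"unsupported sts_regional_endpoints value: {mode!r}")
    return mode


def sts_endpoint(region, mode):
    """Endpoint the SDK will call for STS in `region` under `mode`."""
    if mode == "legacy" and region in LEGACY_GLOBAL_REGIONS:
        return GLOBAL_STS_ENDPOINT
    return f"https://sts.{region}.amazonaws.com"


def token_valid_in(endpoint, target_region, enabled_regions, global_tokens_all_regions=False):
    """Page rules: Regional-endpoint tokens work in every Region; global-endpoint
    tokens only in enabled Regions unless the account-level setting allows all."""
    if endpoint != GLOBAL_STS_ENDPOINT or global_tokens_all_regions:
        return True
    return target_region in enabled_regions


def audit(config_text, target_region, enabled_regions, env=None, global_tokens_all_regions=False):
    """One row per profile: endpoint used and whether its token is accepted in target_region."""
    report = {}
    for name, profile in parse_profiles(config_text).items():
        region = profile.get("region", "us-east-1")
        mode = endpoint_mode(profile, env)
        ep = sts_endpoint(region, mode)
        report[name] = {
            "region": region,
            "mode": mode,
            "endpoint": ep,
            "valid_in_target": token_valid_in(ep, target_region, enabled_regions,
                                              global_tokens_all_regions),
        }
    return report


if __name__ == "__main__":
    # Constructed scenario: the account has not enabled the opt-in Region af-south-1.
    enabled = LEGACY_GLOBAL_REGIONS
    for name, row in audit(SAMPLE_CONFIG, "af-south-1", enabled, env={}).items():
        flag = "ok" if row["valid_in_target"] else "InvalidClientTokenId risk"
        print(f"{name:10} {row['mode']:8} {row['endpoint']:42} -> {flag}")
```

Run it as-is to see that the default profile (legacy mode, global endpoint) is the one whose token would be rejected in the non-enabled Region, exactly the error shown above, while the profile pinned to sts_regional_endpoints = regional is fine everywhere. Pass global_tokens_all_regions=True to model the account-level setting from the Version 1 section.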



Reference:

https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html