[Yandex Cloud documentation](../../index.md) > [Yandex Object Storage](../index.md) > [Access management](overview.md) > Security Token Service

# Security Token Service

_Security Token Service_: Identity and Access Management component used to get _temporary access keys_ compatible with [AWS S3 API](../s3/index.md).

Temporary access keys as an authentication method are only supported in [Yandex Object Storage](../index.md).

{% note info %}

Creating temporary access keys for service accounts may be prohibited by [access policies](../../iam/concepts/access-control/access-policies.md) at the [folder](../../resource-manager/concepts/resources-hierarchy.md#folder), [cloud](../../resource-manager/concepts/resources-hierarchy.md#cloud), or [organization](../../organization/concepts/organization.md) level.

{% endnote %}

With temporary keys, you can set up granular access to Object Storage [buckets](../concepts/bucket.md) for multiple users with a single [service account](../../iam/concepts/users/service-accounts.md). The service account permissions must include all the permissions you want to grant using temporary keys.

A temporary access key is created based on a [static key](../../iam/concepts/authorization/access-key.md), but, unlike it, it has a limited lifetime and access permissions. Access permissions and lifetime are set for each temporary key individually.

The maximum key lifetime is 12 hours.

To set up access permissions for the key, you need an [access policy](policy.md) in JSON format based on [this schema](../s3/api-ref/policy/scheme.md).

{% note warning %}

One Security Token Service access policy is set only for a specific bucket. You cannot use a single temporary key for multiple buckets.

{% endnote %}

Temporary Security Token Service keys inherit the access permissions of the service account but are limited by the bucket-level access policy. If you set up a temporary key’s access policy to allow operations the service account has no permissions for, such operations will not be performed.

{% note tip %}

If a service account has roles in Object Storage for a folder, users with temporary keys will get view access to buckets in that folder. We recommend assigning service account roles for specific buckets, rather than a folder.

{% endnote %}

{% note warning %}

The access is checked by object [ACL](acl.md) after checking the Security Token Service policy. Therefore, if the service account through which you obtain temporary access keys has ACL permissions configured for objects in the bucket, those objects will become available for temporary access key requests, regardless of the specified policy. For more information, see the Object Storage [access management mechanisms diagram](overview.md).

{% endnote %}

This means you can, for instance, provide different users with temporary permissions to read and write objects to different [prefixes (folders)](../concepts/object.md#folder) of the same bucket. To solve this task using static keys, you would need to create a dedicated service account for each user, while the number of service accounts in the cloud is [limited](../../iam/concepts/limits.md#iam-quotas).

A temporary key consists of the following parts:
* Key ID (same as the static key ID)
* Secret key
* Session token

To get a temporary access key using Security Token Service, use the [AWS Command Line Interface (AWS CLI)](../tools/aws-cli.md) or an HTTP API compatible with the [AWS STS API](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html).

There is a separate [API endpoint](../../api-design-guide/concepts/endpoints.md) for Security Token Service: `https://sts.yandexcloud.net`.

Learn more in [Creating a temporary access key using Security Token Service](../../iam/operations/sa/create-sts-key.md).

{% note warning %}

You cannot revoke a temporary key. However, you can [delete](../../iam/operations/authentication/manage-access-keys.md#delete-access-key) a static key used to issue a temporary one.

This will revoke permissions for all temporary access keys created based on the deleted static key.

{% endnote %}


#### Useful links {#see-also}

* [Access management methods in Object Storage: Overview](overview.md)
* [Ephemeral access keys compatible with AWS APIs](ephemeral-keys.md)