Using S3 Sync with Temporary Security Credentials

Amazon has a service called AWS Security Token Service which allows you to generate temporary credentials to access your AWS resources. SprightlySoft S3 Sync can be configured to use temporary credentials. The following article shows how to generate temporary credentials and use them with S3 Sync.

AWS Security Token Service is typically used by large organizations that do not want to manage many permanent AWS Identity and Access Management (IAM) users. These organizations will generate a temporary IAM user through STS that exists for only a few hours. An organization user will be able to use this IAM account for their required task. No extra work is required to expire the temporary account. To read more about Security Token Service see

The organization will call the GetFederationToken function of the STS service to generate temporary security credentials. When calling this function the organization will choose how long the credentials are valid for. To read more about the GetFederationToken function see

The GetFederationToken function will return an AccessKeyId, SecretAccessKey, and SessionToken. These values can be used with S3 Sync to preform a file synchronization. Enter the AccessKeyId and SecretAccessKey and you normally would in the application. The SessionToken value needs to go in the RequestHeaders parameter in the format of “x-amz-security-token:[STSVALUE]”. When S3 Sync makes calls to Amazon it will add a x-amz-security-token header in every request. Amazon will validate the token in conjunction with the AccessKeyId and SecretAccessKey.

The following is an example of a S3 Sync command line using temporary credentials and a session token.

C:\Program Files (x86)\SprightlySoft\S3 Sync\S3Sync.exe" -AWSAccessKeyId xxxxxxxxxxxx -AWSSecretAccessKey xxxxxxxxxxxx -BucketName mybucket -SyncDirection Upload -LocalFolderPath "C:\myfolder" -LicenseKey xxxxxxxxxxxx -RequestHeaders "x-amz-security-token:xxxxxxxxxxxx"