To enable them to do so, the SysOps administrator has created an application that authenticates a user and generates a SAML assertionWhich API call should be used to retrieve credentials for federated programmatic access?

By:
In: SOA-C01
Tagged:
With: 2 Comments
A company uses LDAP-based credentials and has a Security Assertion Markup Language (SAML) 2.0 identity provider.A SysOps administrator has configured various federated roles in a new AWS account to provide AWS Management Console access for groups of users that use the existing LDAP-based credentials.Several groups want to use the AWS CLI on their workstations to automate daily tasks.

To enable them to do so, the SysOps administrator has created an application that authenticates a user and generates a SAML assertionWhich API call should be used to retrieve credentials for federated programmatic access?

sts:AssumeRole

sts:AssumeRoleWithSAML

sts:AssumeRoleWithWebIdentity

sts:GetFederationToken

Explanations:

sts:AssumeRoleis used for assuming a role directly with AWS credentials. It does not support SAML assertions for federated users.

sts:AssumeRoleWithSAMLis specifically designed to retrieve temporary security credentials for federated users using SAML assertions. This is the correct API call for SAML-based authentication.

sts:AssumeRoleWithWebIdentityis used for assuming roles with web identity providers like Amazon Cognito, Facebook, or Google, not for SAML assertions.

sts:GetFederationTokenis used for granting federated users temporary credentials but it is an older API that doesn’t support the more secure SAML-based authentication model used in this case.

2026-03-30

2 Comments

  1. Andrea
    Author

    I weigh that the answer is:
    sts:AssumeRoleWithSAML

  2. Sean
    Author

    I suspect that the answer is:
    sts:AssumeRoleWithSAML

Leave a Reply

Your email address will not be published. Required fields are marked *

thirteen + fourteen =