By using AWS re:Post, you agree to the Terms of Use
/AWS CLI STS logout/

AWS CLI STS logout


Hello, is there possibility to force "session access keys" that were created by "aws sts get-session-token" to expire?

2 Answers
Accepted Answer

Hey there,

Individual sessions on an IAM Role cannot be revoked. The option here is a broad stroke in which you revoke all sessions which were initiated at, and prior to, a fixed point in time. What that 'revoke session' option does in the UI is modify your IAM Role in question with an IAM Policy that revokes any session initiated prior to whatever time you set it to.

Can this same functionality be done via the CLI? Indeed it can, you simply add a policy (Customer Managed or Inline) to the role, which contains a revocation statement. This document gives an example of the IAM Policy that I'm referring to, and I've provided it below, too.

To clarify - In order to achieve the same end-goal via the CLI as you would through the GUI, you must manually add a revocation policy to the role. There is no API such as 'RevokeSession'.

  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Deny",
    "Action": "*",
    "Resource": "*",
    "Condition": {"DateLessThan": {"aws:TokenIssueTime": "2014-05-07T23:47:00Z"}}
answered 4 months ago

Hi, Good Question

You can go to the role that was assumed in IAM and click on Revoke sessions More info at

Please accept the answer if this works for you or let me know so that I can further look into this

Cheers Sri

answered 4 months ago
  • Thank you for the answer, but is there AWS CLI way to revoke sessions?

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions