AWS Security ChangesHomeSearch

AWS IAM documentation change

Service: IAM · 2025-06-13 · Documentation low

File: IAM/latest/UserGuide/reference_policies_variables.md

Summary

Updated terminology from 'federated users' to 'federated principals' and 'AWS STS federated user principal' to align with current naming conventions. Adjusted section headers and descriptions to use consistent principal terminology.

Security assessment

The changes are terminological updates for consistency rather than addressing security vulnerabilities. No evidence of security fixes or vulnerability disclosures related to this terminology change.

Diff

diff --git a/IAM/latest/UserGuide/reference_policies_variables.md b/IAM/latest/UserGuide/reference_policies_variables.md
index 2338cb315..d50420e18 100644
--- a//IAM/latest/UserGuide/reference_policies_variables.md
+++ b//IAM/latest/UserGuide/reference_policies_variables.md
@@ -273,3 +273,3 @@ IAM user | `IAM-user-name` | [unique ID](./reference_identifiers.html#identifier
-Federated user | (not present) | `account`:`caller-specified-name` | `FederatedUser`  
-OIDC federated user For information about policy keys that are available when you use web identity federation, see [Available keys for AWS OIDC federation](./reference_policies_iam-condition-keys.html#condition-keys-wif).  | (not present) |  `role-id`:`caller-specified-role-name` where `role-id` is the [unique id of the role](./reference_identifiers.html#identifiers-unique-ids) and the caller-specified-role-name is specified by the [RoleSessionName parameter](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AssumeRole.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the AssumeRoleWithWebIdentity request. | `AssumedRole`  
-SAML federated user For information about policy keys that are available when you use SAML federation, see [Uniquely identifying users in SAML-based federation](./id_roles_providers_saml.html#CreatingSAML-userid).  | (not present) |  `role-id`:`caller-specified-role-name` where `role-id` is the [unique id of the role](./reference_identifiers.html#identifiers-unique-ids) and the caller-specified-role-name is specified by the Attribute element with the [Name attribute](./id_roles_providers_create_saml_assertions.html) set to https://aws.amazon.com/SAML/attributes/RoleSessionName. | `AssumedRole`  
+AWS STS federated user principal | (not present) | `account`:`caller-specified-name` | `FederatedUser`  
+OIDC federated principal For information about policy keys that are available when you use web identity federation, see [Available keys for AWS OIDC federation](./reference_policies_iam-condition-keys.html#condition-keys-wif).  | (not present) |  `role-id`:`caller-specified-role-name` where `role-id` is the [unique id of the role](./reference_identifiers.html#identifiers-unique-ids) and the caller-specified-role-name is specified by the [RoleSessionName parameter](https://docs.aws.amazon.com/IAM/latest/APIReference/API_AssumeRole.html#API_AssumeRoleWithWebIdentity_RequestParameters) passed to the AssumeRoleWithWebIdentity request. | `AssumedRole`  
+SAML federated principal For information about policy keys that are available when you use SAML federation, see [Uniquely identifying users in SAML-based federation](./id_roles_providers_saml.html#CreatingSAML-userid).  | (not present) |  `role-id`:`caller-specified-role-name` where `role-id` is the [unique id of the role](./reference_identifiers.html#identifiers-unique-ids) and the caller-specified-role-name is specified by the Attribute element with the [Name attribute](./id_roles_providers_create_saml_assertions.html) set to https://aws.amazon.com/SAML/attributes/RoleSessionName. | `AssumedRole`  
@@ -293 +293 @@ For the items in this table, note the following:
-### Information available in requests for federated users
+### Information available in requests for federated principals
@@ -295 +295 @@ For the items in this table, note the following:
-Federated users are users who are authenticated using a system other than IAM. For example, a company might have an application for use in-house that makes calls to AWS. It might be impractical to give an IAM identity to every corporate user who uses the application. Instead, the company might use a proxy (middle-tier) application that has a single IAM identity, or the company might use a SAML identity provider (IdP). The proxy application or SAML IdP authenticates individual users using the corporate network. A proxy application can then use its IAM identity to get temporary security credentials for individual users. A SAML IdP can in effect exchange identity information for AWS temporary security credentials. The temporary credentials can then be used to access AWS resources. 
+Federated principals are users who are authenticated using a system other than IAM. For example, a company might have an application for use in-house that makes calls to AWS. It might be impractical to give an IAM identity to every corporate user who uses the application. Instead, the company might use a proxy (middle-tier) application that has a single IAM identity, or the company might use a SAML identity provider (IdP). The proxy application or SAML IdP authenticates individual users using the corporate network. A proxy application can then use its IAM identity to get temporary security credentials for individual users. A SAML IdP can in effect exchange identity information for AWS temporary security credentials. The temporary credentials can then be used to access AWS resources.