/** * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * SPDX-License-Identifier: Apache-2.0. */ #pragma once #include #include #include #include #include #include #include namespace Aws { namespace STS { /** * Security Token Service

Security Token Service (STS) * enables you to request temporary, limited-privilege credentials for users. This * guide provides descriptions of the STS API. For more information about using * this service, see Temporary * Security Credentials.

*/ class AWS_STS_API STSClient : public Aws::Client::AWSXMLClient, public Aws::Client::ClientWithAsyncTemplateMethods { public: typedef Aws::Client::AWSXMLClient BASECLASS; static const char* SERVICE_NAME; static const char* ALLOCATION_TAG; typedef STSClientConfiguration ClientConfigurationType; typedef STSEndpointProvider EndpointProviderType; /** * Initializes client to use DefaultCredentialProviderChain, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ STSClient(const Aws::STS::STSClientConfiguration& clientConfiguration = Aws::STS::STSClientConfiguration(), std::shared_ptr endpointProvider = Aws::MakeShared(ALLOCATION_TAG)); /** * Initializes client to use SimpleAWSCredentialsProvider, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ STSClient(const Aws::Auth::AWSCredentials& credentials, std::shared_ptr endpointProvider = Aws::MakeShared(ALLOCATION_TAG), const Aws::STS::STSClientConfiguration& clientConfiguration = Aws::STS::STSClientConfiguration()); /** * Initializes client to use specified credentials provider with specified client config. If http client factory is not supplied, * the default http client factory will be used */ STSClient(const std::shared_ptr& credentialsProvider, std::shared_ptr endpointProvider = Aws::MakeShared(ALLOCATION_TAG), const Aws::STS::STSClientConfiguration& clientConfiguration = Aws::STS::STSClientConfiguration()); /* Legacy constructors due deprecation */ /** * Initializes client to use DefaultCredentialProviderChain, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ STSClient(const Aws::Client::ClientConfiguration& clientConfiguration); /** * Initializes client to use SimpleAWSCredentialsProvider, with default http client factory, and optional client config. If client config * is not specified, it will be initialized to default values. */ STSClient(const Aws::Auth::AWSCredentials& credentials, const Aws::Client::ClientConfiguration& clientConfiguration); /** * Initializes client to use specified credentials provider with specified client config. If http client factory is not supplied, * the default http client factory will be used */ STSClient(const std::shared_ptr& credentialsProvider, const Aws::Client::ClientConfiguration& clientConfiguration); /* End of legacy constructors due deprecation */ virtual ~STSClient(); /** * Converts any request object to a presigned URL with the GET method, using region for the signer and a timeout of 15 minutes. */ Aws::String ConvertRequestToPresignedUrl(const Aws::AmazonSerializableWebServiceRequest& requestToConvert, const char* region) const; /** *

Returns a set of temporary security credentials that you can use to access * Amazon Web Services resources. These temporary credentials consist of an access * key ID, a secret access key, and a security token. Typically, you use * AssumeRole within your account or for cross-account access. For a * comparison of AssumeRole with other API operations that produce * temporary credentials, see Requesting * Temporary Security Credentials and Comparing * the Amazon Web Services STS API operations in the IAM User Guide.

*

Permissions

The temporary security credentials created by * AssumeRole can be used to make API calls to any Amazon Web Services * service with the following exception: You cannot call the Amazon Web Services * STS GetFederationToken or GetSessionToken API * operations.

(Optional) You can pass inline or managed session * policies to this operation. You can pass a single JSON policy document to * use as an inline session policy. You can also specify up to 10 managed policy * Amazon Resource Names (ARNs) to use as managed session policies. The plaintext * that you use for both inline and managed session policies can't exceed 2,048 * characters. Passing policies to this operation returns new temporary * credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's * temporary credentials in subsequent Amazon Web Services API calls to access * resources in the account that owns the role. You cannot use session policies to * grant more permissions than those allowed by the identity-based policy of the * role that is being assumed. For more information, see Session * Policies in the IAM User Guide.

When you create a role, you * create two policies: a role trust policy that specifies who can assume * the role, and a permissions policy that specifies what can be done with * the role. You specify the trusted principal that is allowed to assume the role * in the role trust policy.

To assume a role from a different account, your * Amazon Web Services account must be trusted by the role. The trust relationship * is defined in the role's trust policy when the role is created. That trust * policy states which accounts are allowed to delegate that access to users in the * account.

A user who wants to access a role in a different account must * also have permissions that are delegated from the account administrator. The * administrator must attach a policy that allows the user to call * AssumeRole for the ARN of the role in the other account.

To * allow a user to assume a role in the same account, you can do either of the * following:

  • Attach a policy to the user that allows the user to * call AssumeRole (as long as the role's trust policy trusts the * account).

  • Add the user as a principal directly in the role's * trust policy.

You can do either because the role’s trust * policy acts as an IAM resource-based policy. When a resource-based policy grants * access to a principal in the same account, no additional identity-based policy * is required. For more information about trust policies and resource-based * policies, see IAM * Policies in the IAM User Guide.

Tags

*

(Optional) You can pass tag key-value pairs to your session. These tags are * called session tags. For more information about session tags, see Passing * Session Tags in STS in the IAM User Guide.

An administrator * must grant you the permissions necessary to pass session tags. The administrator * can also create granular permissions to allow you to pass only specific session * tags. For more information, see Tutorial: * Using Tags for Attribute-Based Access Control in the IAM User * Guide.

You can set the session tags as transitive. Transitive tags * persist during role chaining. For more information, see Chaining * Roles with Session Tags in the IAM User Guide.

Using MFA * with AssumeRole

(Optional) You can include multi-factor * authentication (MFA) information when you call AssumeRole. This is * useful for cross-account scenarios to ensure that the user that assumes the role * has been authenticated with an Amazon Web Services MFA device. In that scenario, * the trust policy of the role being assumed includes a condition that tests for * MFA authentication. If the caller does not include valid MFA information, the * request to assume the role is denied. The condition in a trust policy that tests * for MFA authentication might look like the following example.

* "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}

*

For more information, see Configuring * MFA-Protected API Access in the IAM User Guide guide.

To use * MFA with AssumeRole, you pass values for the * SerialNumber and TokenCode parameters. The * SerialNumber value identifies the user's hardware or virtual MFA * device. The TokenCode is the time-based one-time password (TOTP) * that the MFA device produces.

See Also:

AWS API * Reference

*/ virtual Model::AssumeRoleOutcome AssumeRole(const Model::AssumeRoleRequest& request) const; /** * A Callable wrapper for AssumeRole that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::AssumeRoleOutcomeCallable AssumeRoleCallable(const AssumeRoleRequestT& request) const { return SubmitCallable(&STSClient::AssumeRole, request); } /** * An Async wrapper for AssumeRole that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void AssumeRoleAsync(const AssumeRoleRequestT& request, const AssumeRoleResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::AssumeRole, request, handler, context); } /** *

Returns a set of temporary security credentials for users who have been * authenticated via a SAML authentication response. This operation provides a * mechanism for tying an enterprise identity store or directory to role-based * Amazon Web Services access without user-specific credentials or configuration. * For a comparison of AssumeRoleWithSAML with the other API * operations that produce temporary credentials, see Requesting * Temporary Security Credentials and Comparing * the Amazon Web Services STS API operations in the IAM User Guide.

*

The temporary security credentials returned by this operation consist of an * access key ID, a secret access key, and a security token. Applications can use * these temporary security credentials to sign calls to Amazon Web Services * services.

Session Duration

By default, the temporary * security credentials created by AssumeRoleWithSAML last for one * hour. However, you can use the optional DurationSeconds parameter * to specify the duration of your session. Your role session lasts for the * duration that you specify, or until the time specified in the SAML * authentication response's SessionNotOnOrAfter value, whichever is * shorter. You can provide a DurationSeconds value from 900 seconds * (15 minutes) up to the maximum session duration setting for the role. This * setting can have a value from 1 hour to 12 hours. To learn how to view the * maximum value for your role, see View * the Maximum Session Duration Setting for a Role in the IAM User * Guide. The maximum session duration limit applies when you use the * AssumeRole* API operations or the assume-role* CLI * commands. However the limit does not apply when you use those operations to * create a console URL. For more information, see Using * IAM Roles in the IAM User Guide.

Role * chaining limits your CLI or Amazon Web Services API role session to a * maximum of one hour. When you use the AssumeRole API operation to * assume a role, you can specify the duration of your role session with the * DurationSeconds parameter. You can specify a parameter value of up * to 43200 seconds (12 hours), depending on the maximum session duration setting * for your role. However, if you assume a role using role chaining and provide a * DurationSeconds parameter value greater than one hour, the * operation fails.

Permissions

The temporary * security credentials created by AssumeRoleWithSAML can be used to * make API calls to any Amazon Web Services service with the following exception: * you cannot call the STS GetFederationToken or * GetSessionToken API operations.

(Optional) You can pass * inline or managed session * policies to this operation. You can pass a single JSON policy document to * use as an inline session policy. You can also specify up to 10 managed policy * Amazon Resource Names (ARNs) to use as managed session policies. The plaintext * that you use for both inline and managed session policies can't exceed 2,048 * characters. Passing policies to this operation returns new temporary * credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's * temporary credentials in subsequent Amazon Web Services API calls to access * resources in the account that owns the role. You cannot use session policies to * grant more permissions than those allowed by the identity-based policy of the * role that is being assumed. For more information, see Session * Policies in the IAM User Guide.

Calling * AssumeRoleWithSAML does not require the use of Amazon Web Services * security credentials. The identity of the caller is validated by using keys in * the metadata document that is uploaded for the SAML provider entity for your * identity provider.

Calling AssumeRoleWithSAML * can result in an entry in your CloudTrail logs. The entry includes the value in * the NameID element of the SAML assertion. We recommend that you use * a NameIDType that is not associated with any personally * identifiable information (PII). For example, you could instead use the * persistent identifier * (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).

*

Tags

(Optional) You can configure your IdP to * pass attributes into your SAML assertion as session tags. Each session tag * consists of a key name and an associated value. For more information about * session tags, see Passing * Session Tags in STS in the IAM User Guide.

You can pass up to * 50 session tags. The plaintext session tag keys can’t exceed 128 characters and * the values can’t exceed 256 characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.

An * Amazon Web Services conversion compresses the passed inline session policy, * managed policy ARNs, and session tags into a packed binary format that has a * separate limit. Your request can fail for this limit even if your plaintext * meets the other requirements. The PackedPolicySize response element * indicates by percentage how close the policies and tags for your request are to * the upper size limit.

You can pass a session tag with the same * key as a tag that is attached to the role. When you do, session tags override * the role's tags with the same key.

An administrator must grant you the * permissions necessary to pass session tags. The administrator can also create * granular permissions to allow you to pass only specific session tags. For more * information, see Tutorial: * Using Tags for Attribute-Based Access Control in the IAM User * Guide.

You can set the session tags as transitive. Transitive tags * persist during role chaining. For more information, see Chaining * Roles with Session Tags in the IAM User Guide.

SAML * Configuration

Before your application can call * AssumeRoleWithSAML, you must configure your SAML identity provider * (IdP) to issue the claims required by Amazon Web Services. Additionally, you * must use Identity and Access Management (IAM) to create a SAML provider entity * in your Amazon Web Services account that represents your identity provider. You * must also create an IAM role that specifies this SAML provider in its trust * policy.

For more information, see the following resources:

See Also:

AWS * API Reference

*/ virtual Model::AssumeRoleWithSAMLOutcome AssumeRoleWithSAML(const Model::AssumeRoleWithSAMLRequest& request) const; /** * A Callable wrapper for AssumeRoleWithSAML that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::AssumeRoleWithSAMLOutcomeCallable AssumeRoleWithSAMLCallable(const AssumeRoleWithSAMLRequestT& request) const { return SubmitCallable(&STSClient::AssumeRoleWithSAML, request); } /** * An Async wrapper for AssumeRoleWithSAML that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void AssumeRoleWithSAMLAsync(const AssumeRoleWithSAMLRequestT& request, const AssumeRoleWithSAMLResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::AssumeRoleWithSAML, request, handler, context); } /** *

Returns a set of temporary security credentials for users who have been * authenticated in a mobile or web application with a web identity provider. * Example providers include the OAuth 2.0 providers Login with Amazon and * Facebook, or any OpenID Connect-compatible identity provider such as Google or * Amazon * Cognito federated identities.

For mobile applications, we * recommend that you use Amazon Cognito. You can use Amazon Cognito with the Amazon Web Services SDK for iOS * Developer Guide and the Amazon Web Services SDK for Android * Developer Guide to uniquely identify a user. You can also supply the user * with a consistent identity throughout the lifetime of an application.

To * learn more about Amazon Cognito, see Amazon * Cognito identity pools in Amazon Cognito Developer Guide.

*

Calling AssumeRoleWithWebIdentity does not require the use of * Amazon Web Services security credentials. Therefore, you can distribute an * application (for example, on mobile devices) that requests temporary security * credentials without including long-term Amazon Web Services credentials in the * application. You also don't need to deploy server-based proxy services that use * long-term Amazon Web Services credentials. Instead, the identity of the caller * is validated by using a token from the web identity provider. For a comparison * of AssumeRoleWithWebIdentity with the other API operations that * produce temporary credentials, see Requesting * Temporary Security Credentials and Comparing * the Amazon Web Services STS API operations in the IAM User Guide.

*

The temporary security credentials returned by this API consist of an access * key ID, a secret access key, and a security token. Applications can use these * temporary security credentials to sign calls to Amazon Web Services service API * operations.

Session Duration

By default, the temporary * security credentials created by AssumeRoleWithWebIdentity last for * one hour. However, you can use the optional DurationSeconds * parameter to specify the duration of your session. You can provide a value from * 900 seconds (15 minutes) up to the maximum session duration setting for the * role. This setting can have a value from 1 hour to 12 hours. To learn how to * view the maximum value for your role, see View * the Maximum Session Duration Setting for a Role in the IAM User * Guide. The maximum session duration limit applies when you use the * AssumeRole* API operations or the assume-role* CLI * commands. However the limit does not apply when you use those operations to * create a console URL. For more information, see Using * IAM Roles in the IAM User Guide.

Permissions

*

The temporary security credentials created by * AssumeRoleWithWebIdentity can be used to make API calls to any * Amazon Web Services service with the following exception: you cannot call the * STS GetFederationToken or GetSessionToken API * operations.

(Optional) You can pass inline or managed session * policies to this operation. You can pass a single JSON policy document to * use as an inline session policy. You can also specify up to 10 managed policy * Amazon Resource Names (ARNs) to use as managed session policies. The plaintext * that you use for both inline and managed session policies can't exceed 2,048 * characters. Passing policies to this operation returns new temporary * credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's * temporary credentials in subsequent Amazon Web Services API calls to access * resources in the account that owns the role. You cannot use session policies to * grant more permissions than those allowed by the identity-based policy of the * role that is being assumed. For more information, see Session * Policies in the IAM User Guide.

Tags

*

(Optional) You can configure your IdP to pass attributes into your web * identity token as session tags. Each session tag consists of a key name and an * associated value. For more information about session tags, see Passing * Session Tags in STS in the IAM User Guide.

You can pass up to * 50 session tags. The plaintext session tag keys can’t exceed 128 characters and * the values can’t exceed 256 characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.

An * Amazon Web Services conversion compresses the passed inline session policy, * managed policy ARNs, and session tags into a packed binary format that has a * separate limit. Your request can fail for this limit even if your plaintext * meets the other requirements. The PackedPolicySize response element * indicates by percentage how close the policies and tags for your request are to * the upper size limit.

You can pass a session tag with the same * key as a tag that is attached to the role. When you do, the session tag * overrides the role tag with the same key.

An administrator must grant you * the permissions necessary to pass session tags. The administrator can also * create granular permissions to allow you to pass only specific session tags. For * more information, see Tutorial: * Using Tags for Attribute-Based Access Control in the IAM User * Guide.

You can set the session tags as transitive. Transitive tags * persist during role chaining. For more information, see Chaining * Roles with Session Tags in the IAM User Guide.

* Identities

Before your application can call * AssumeRoleWithWebIdentity, you must have an identity token from a * supported identity provider and create a role that the application can assume. * The role that your application assumes must trust the identity provider that is * associated with the identity token. In other words, the identity provider must * be specified in the role's trust policy.

Calling * AssumeRoleWithWebIdentity can result in an entry in your CloudTrail * logs. The entry includes the Subject * of the provided web identity token. We recommend that you avoid using any * personally identifiable information (PII) in this field. For example, you could * instead use a GUID or a pairwise identifier, as suggested * in the OIDC specification.

For more information about * how to use web identity federation and the * AssumeRoleWithWebIdentity API, see the following resources:

*

See Also:

* AWS * API Reference

*/ virtual Model::AssumeRoleWithWebIdentityOutcome AssumeRoleWithWebIdentity(const Model::AssumeRoleWithWebIdentityRequest& request) const; /** * A Callable wrapper for AssumeRoleWithWebIdentity that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::AssumeRoleWithWebIdentityOutcomeCallable AssumeRoleWithWebIdentityCallable(const AssumeRoleWithWebIdentityRequestT& request) const { return SubmitCallable(&STSClient::AssumeRoleWithWebIdentity, request); } /** * An Async wrapper for AssumeRoleWithWebIdentity that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void AssumeRoleWithWebIdentityAsync(const AssumeRoleWithWebIdentityRequestT& request, const AssumeRoleWithWebIdentityResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::AssumeRoleWithWebIdentity, request, handler, context); } /** *

Decodes additional information about the authorization status of a request * from an encoded message returned in response to an Amazon Web Services * request.

For example, if a user is not authorized to perform an operation * that he or she has requested, the request returns a * Client.UnauthorizedOperation response (an HTTP 403 response). Some * Amazon Web Services operations additionally return an encoded message that can * provide details about this authorization failure.

Only certain * Amazon Web Services operations return an encoded authorization message. The * documentation for an individual operation indicates whether that operation * returns an encoded message in addition to returning an HTTP code.

*

The message is encoded because the details of the authorization status can * contain privileged information that the user who requested the operation should * not see. To decode an authorization status message, a user must be granted * permissions through an IAM policy * to request the DecodeAuthorizationMessage * (sts:DecodeAuthorizationMessage) action.

The decoded * message includes the following type of information:

  • Whether the * request was denied due to an explicit deny or due to the absence of an explicit * allow. For more information, see Determining * Whether a Request is Allowed or Denied in the IAM User Guide.

    *

  • The principal who made the request.

  • The * requested action.

  • The requested resource.

  • *

    The values of condition keys in the context of the user's request.

    • *

See Also:

AWS * API Reference

*/ virtual Model::DecodeAuthorizationMessageOutcome DecodeAuthorizationMessage(const Model::DecodeAuthorizationMessageRequest& request) const; /** * A Callable wrapper for DecodeAuthorizationMessage that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::DecodeAuthorizationMessageOutcomeCallable DecodeAuthorizationMessageCallable(const DecodeAuthorizationMessageRequestT& request) const { return SubmitCallable(&STSClient::DecodeAuthorizationMessage, request); } /** * An Async wrapper for DecodeAuthorizationMessage that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void DecodeAuthorizationMessageAsync(const DecodeAuthorizationMessageRequestT& request, const DecodeAuthorizationMessageResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::DecodeAuthorizationMessage, request, handler, context); } /** *

Returns the account identifier for the specified access key ID.

Access * keys consist of two parts: an access key ID (for example, * AKIAIOSFODNN7EXAMPLE) and a secret access key (for example, * wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For more information * about access keys, see Managing * Access Keys for IAM Users in the IAM User Guide.

When you pass * an access key ID to this operation, it returns the ID of the Amazon Web Services * account to which the keys belong. Access key IDs beginning with * AKIA are long-term credentials for an IAM user or the Amazon Web * Services account root user. Access key IDs beginning with ASIA are * temporary credentials that are created using STS operations. If the account in * the response belongs to you, you can sign in as the root user and review your * root user access keys. Then, you can pull a credentials * report to learn which IAM user owns the keys. To learn who requested the * temporary credentials for an ASIA access key, view the STS events * in your CloudTrail * logs in the IAM User Guide.

This operation does not indicate * the state of the access key. The key might be active, inactive, or deleted. * Active keys might not have permissions to perform an operation. Providing a * deleted access key might return an error that the key doesn't * exist.

See Also:

AWS * API Reference

*/ virtual Model::GetAccessKeyInfoOutcome GetAccessKeyInfo(const Model::GetAccessKeyInfoRequest& request) const; /** * A Callable wrapper for GetAccessKeyInfo that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::GetAccessKeyInfoOutcomeCallable GetAccessKeyInfoCallable(const GetAccessKeyInfoRequestT& request) const { return SubmitCallable(&STSClient::GetAccessKeyInfo, request); } /** * An Async wrapper for GetAccessKeyInfo that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void GetAccessKeyInfoAsync(const GetAccessKeyInfoRequestT& request, const GetAccessKeyInfoResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::GetAccessKeyInfo, request, handler, context); } /** *

Returns details about the IAM user or role whose credentials are used to call * the operation.

No permissions are required to perform this * operation. If an administrator attaches a policy to your identity that * explicitly denies access to the sts:GetCallerIdentity action, you * can still perform this operation. Permissions are not required because the same * information is returned when access is denied. To view an example response, see * I * Am Not Authorized to Perform: iam:DeleteVirtualMFADevice in the IAM User * Guide.

See Also:

AWS * API Reference

*/ virtual Model::GetCallerIdentityOutcome GetCallerIdentity(const Model::GetCallerIdentityRequest& request) const; /** * A Callable wrapper for GetCallerIdentity that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::GetCallerIdentityOutcomeCallable GetCallerIdentityCallable(const GetCallerIdentityRequestT& request) const { return SubmitCallable(&STSClient::GetCallerIdentity, request); } /** * An Async wrapper for GetCallerIdentity that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void GetCallerIdentityAsync(const GetCallerIdentityRequestT& request, const GetCallerIdentityResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::GetCallerIdentity, request, handler, context); } /** *

Returns a set of temporary security credentials (consisting of an access key * ID, a secret access key, and a security token) for a user. A typical use is in a * proxy application that gets temporary security credentials on behalf of * distributed applications inside a corporate network.

You must call the * GetFederationToken operation using the long-term security * credentials of an IAM user. As a result, this call is appropriate in contexts * where those credentials can be safeguarded, usually in a server-based * application. For a comparison of GetFederationToken with the other * API operations that produce temporary credentials, see Requesting * Temporary Security Credentials and Comparing * the Amazon Web Services STS API operations in the IAM User Guide.

*

Although it is possible to call GetFederationToken using the * security credentials of an Amazon Web Services account root user rather than an * IAM user that you create for the purpose of a proxy application, we do not * recommend it. For more information, see Safeguard * your root user credentials and don't use them for everyday tasks in the * IAM User Guide.

You can create a mobile-based or * browser-based app that can authenticate users using a web identity provider like * Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity * provider. In this case, we recommend that you use Amazon Cognito or * AssumeRoleWithWebIdentity. For more information, see Federation * Through a Web-based Identity Provider in the IAM User Guide.

*

Session duration

The temporary credentials are valid * for the specified duration, from 900 seconds (15 minutes) up to a maximum of * 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 * hours). Temporary credentials obtained by using the root user credentials have a * maximum duration of 3,600 seconds (1 hour).

Permissions

*

You can use the temporary credentials created by * GetFederationToken in any Amazon Web Services service with the * following exceptions:

  • You cannot call any IAM operations using * the CLI or the Amazon Web Services API. This limitation does not apply to * console sessions.

  • You cannot call any STS operations except * GetCallerIdentity.

You can use temporary * credentials for single sign-on (SSO) to the console.

You must pass an * inline or managed session * policy to this operation. You can pass a single JSON policy document to use * as an inline session policy. You can also specify up to 10 managed policy Amazon * Resource Names (ARNs) to use as managed session policies. The plaintext that you * use for both inline and managed session policies can't exceed 2,048 * characters.

Though the session policy parameters are optional, if you do * not pass a policy, then the resulting federated user session has no permissions. * When you pass session policies, the session permissions are the intersection of * the IAM user policies and the session policies that you pass. This gives you a * way to further restrict the permissions for a federated user. You cannot use * session policies to grant more permissions than those that are defined in the * permissions policy of the IAM user. For more information, see Session * Policies in the IAM User Guide. For information about using * GetFederationToken to create temporary security credentials, see GetFederationToken—Federation * Through a Custom Identity Broker.

You can use the credentials to * access a resource that has a resource-based policy. If that policy specifically * references the federated user session in the Principal element of * the policy, the session has the permissions allowed by the policy. These * permissions are granted in addition to the permissions granted by the session * policies.

Tags

(Optional) You can pass tag key-value * pairs to your session. These are called session tags. For more information about * session tags, see Passing * Session Tags in STS in the IAM User Guide.

You can * create a mobile-based or browser-based app that can authenticate users using a * web identity provider like Login with Amazon, Facebook, Google, or an OpenID * Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or * AssumeRoleWithWebIdentity. For more information, see Federation * Through a Web-based Identity Provider in the IAM User Guide.

*

An administrator must grant you the permissions necessary to pass * session tags. The administrator can also create granular permissions to allow * you to pass only specific session tags. For more information, see Tutorial: * Using Tags for Attribute-Based Access Control in the IAM User * Guide.

Tag key–value pairs are not case sensitive, but case is * preserved. This means that you cannot have separate Department and * department tag keys. Assume that the user that you are federating * has the Department=Marketing tag and you pass the * department=engineering session tag. * Department and department are not saved as separate * tags, and the session tag passed in the request takes precedence over the user * tag.

See Also:

AWS * API Reference

*/ virtual Model::GetFederationTokenOutcome GetFederationToken(const Model::GetFederationTokenRequest& request) const; /** * A Callable wrapper for GetFederationToken that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::GetFederationTokenOutcomeCallable GetFederationTokenCallable(const GetFederationTokenRequestT& request) const { return SubmitCallable(&STSClient::GetFederationToken, request); } /** * An Async wrapper for GetFederationToken that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void GetFederationTokenAsync(const GetFederationTokenRequestT& request, const GetFederationTokenResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::GetFederationToken, request, handler, context); } /** *

Returns a set of temporary credentials for an Amazon Web Services account or * IAM user. The credentials consist of an access key ID, a secret access key, and * a security token. Typically, you use GetSessionToken if you want to * use MFA to protect programmatic calls to specific Amazon Web Services API * operations like Amazon EC2 StopInstances.

MFA-enabled IAM * users must call GetSessionToken and submit an MFA code that is * associated with their MFA device. Using the temporary security credentials that * the call returns, IAM users can then make programmatic calls to API operations * that require MFA authentication. An incorrect MFA code causes the API to return * an access denied error. For a comparison of GetSessionToken with * the other API operations that produce temporary credentials, see Requesting * Temporary Security Credentials and Comparing * the Amazon Web Services STS API operations in the IAM User Guide.

*

No permissions are required for users to perform this operation. The * purpose of the sts:GetSessionToken operation is to authenticate the * user using MFA. You cannot use policies to control authentication operations. * For more information, see Permissions * for GetSessionToken in the IAM User Guide.

Session * Duration

The GetSessionToken operation must be called * by using the long-term Amazon Web Services security credentials of an IAM user. * Credentials that are created by IAM users are valid for the duration that you * specify. This duration can range from 900 seconds (15 minutes) up to a maximum * of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). * Credentials based on account credentials can range from 900 seconds (15 minutes) * up to 3,600 seconds (1 hour), with a default of 1 hour.

* Permissions

The temporary security credentials created by * GetSessionToken can be used to make API calls to any Amazon Web * Services service with the following exceptions:

  • You cannot call * any IAM API operations unless MFA authentication information is included in the * request.

  • You cannot call any STS API except * AssumeRole or GetCallerIdentity.

*

The credentials that GetSessionToken returns are based on * permissions associated with the IAM user whose credentials were used to call the * operation. The temporary credentials have the same permissions as the IAM * user.

Although it is possible to call GetSessionToken * using the security credentials of an Amazon Web Services account root user * rather than an IAM user, we do not recommend it. If GetSessionToken * is called using root user credentials, the temporary credentials have root user * permissions. For more information, see Safeguard * your root user credentials and don't use them for everyday tasks in the * IAM User Guide

For more information about using * GetSessionToken to create temporary credentials, see Temporary * Credentials for Users in Untrusted Environments in the IAM User * Guide.

See Also:

AWS * API Reference

*/ virtual Model::GetSessionTokenOutcome GetSessionToken(const Model::GetSessionTokenRequest& request) const; /** * A Callable wrapper for GetSessionToken that returns a future to the operation so that it can be executed in parallel to other requests. */ template Model::GetSessionTokenOutcomeCallable GetSessionTokenCallable(const GetSessionTokenRequestT& request) const { return SubmitCallable(&STSClient::GetSessionToken, request); } /** * An Async wrapper for GetSessionToken that queues the request into a thread executor and triggers associated callback when operation has finished. */ template void GetSessionTokenAsync(const GetSessionTokenRequestT& request, const GetSessionTokenResponseReceivedHandler& handler, const std::shared_ptr& context = nullptr) const { return SubmitAsync(&STSClient::GetSessionToken, request, handler, context); } void OverrideEndpoint(const Aws::String& endpoint); std::shared_ptr& accessEndpointProvider(); private: friend class Aws::Client::ClientWithAsyncTemplateMethods; void init(const STSClientConfiguration& clientConfiguration); STSClientConfiguration m_clientConfiguration; std::shared_ptr m_executor; std::shared_ptr m_endpointProvider; }; } // namespace STS } // namespace Aws