Amazon Simple Storage Service
Developer Guide (API Version 2006-03-01)

Making Requests Using Federated User Temporary Credentials - AWS SDK for PHP

You can provide temporary security credentials to your federated users and applications (see Making Requests) so they can send authenticated requests to access your AWS resources. When requesting these temporary credentials, you must provide a user name and an IAM policy describing the resource permissions you want to grant. By default, the session duration is one hour. You can explicitly set a different duration value when requesting the temporary security credentials for federated users and applications.

Note

To request temporary security credentials for federated users and applications, for added security, you might want to use a dedicated IAM user with only the necessary access permissions. The temporary user you create can never get more permissions than the IAM user who requested the temporary security credentials. For more information, go to AWS Identity and Access Management FAQs.

Making Requests Using Federated User Temporary Credentials

1. Create an instance of the AmazonSTS class by providing your credentials.

2. Create an instance of the CFPolicy class by providing the IAM policy that you wish to attach to the temporary security credentials.

3. Execute the AmazonSTS::get_federation_token() method by providing the user name, the policy, and the optional session duration.

   The method returns temporary security credentials. You can provide these credentials to your federated users.

4. Any federated user who has the temporary security credentials can send requests to Amazon S3 by creating an instance of the AmazonS3 class and providing it with the temporary security credentials.

   Any methods in the AmazonS3 class that you call use the temporary security credentials to send authenticated requests to Amazon S3.


The following PHP code sample demonstrates the preceding tasks.

// In real applications, the following code is part of your trusted code. It has 
// your security credentials that you used to obtain temporary security credentials.
$token = new AmazonSTS();

$policy = new CFPolicy($token, array(
    'Statement' => array(
        array(
            'Sid' => 'randomstatementid' . time(),
            'Action' => array('s3:ListBucket'),
            'Effect' => 'Allow',
            'Resource' => 'arn:aws:s3:::YourBucketName'
        )
    )
));

// Fetch the session credentials.
$response1 = $token->get_federation_token(
    'User1',
    array(
        'Policy' => $policy->get_json(),
        'DurationSeconds' => 3600
    )
);

$AccessKeyId = (string)$response1->body->GetFederationTokenResult->Credentials->AccessKeyId;
$SecretAccessKey = (string)$response1->body->GetFederationTokenResult->Credentials->SecretAccessKey;
$SessionToken = (string)$response1->body->GetFederationTokenResult->Credentials->SessionToken;

// The following will be part of your less trusted code. You provide temporary security
// credentials so it can send authenticated requests to Amazon S3.
$s3 = new AmazonS3(array(
    'key' => $AccessKeyId,
    'secret' => $SecretAccessKey,
    'token' => $SessionToken
));
// Send requests to Amazon S3.
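The sample above stops at "Send requests to Amazon S3". The following added example (not code from the guide or from the SDK) carries the procedure one step further from the defender's side: the trusted code wraps steps 1 to 3 in a function that refuses to hand out credentials from an error response, and the less trusted code then confirms that the session can do exactly what the policy says and nothing more. It assumes the AWS SDK for PHP 1.x is on the include path with the IAM user's long-term keys in its config file, and the bucket names, the function names get_scoped_credentials() and probe_permissions(), and the object key are placeholders you must replace.

```php
<?php
// Added example, not from the guide: obtain federated credentials scoped to
// s3:ListBucket on one bucket, then verify from the less trusted side that the
// session is refused anything outside that scope.
// Assumptions: AWS SDK for PHP 1.x, IAM user keys in config.inc.php, and two
// buckets you own; the names below are placeholders.
require_once '../aws-sdk-for-php/sdk.class.php';

$allowedBucket = 'YourBucketName';      // placeholder: the bucket named in the policy
$otherBucket   = 'YourOtherBucketName'; // placeholder: a bucket NOT named in the policy

// Trusted side: build the scoped policy and request the session (steps 1-3).
function get_scoped_credentials($bucket, $user, $durationSeconds)
{
    $sts = new AmazonSTS();
    $policy = new CFPolicy($sts, array(
        'Statement' => array(
            array(
                'Sid'      => 'ListOnly' . time(),
                'Action'   => array('s3:ListBucket'),
                'Effect'   => 'Allow',
                'Resource' => 'arn:aws:s3:::' . $bucket,
            ),
        ),
    ));

    $response = $sts->get_federation_token($user, array(
        'Policy'          => $policy->get_json(),
        'DurationSeconds' => $durationSeconds,
    ));

    // Fail closed: never hand out credentials taken from an error response.
    if (!$response->isOK()) {
        throw new RuntimeException('GetFederationToken failed with HTTP ' . $response->status);
    }

    $creds = $response->body->GetFederationTokenResult->Credentials;
    return array(
        'key'     => (string) $creds->AccessKeyId,
        'secret'  => (string) $creds->SecretAccessKey,
        'token'   => (string) $creds->SessionToken,
        'expires' => (string) $creds->Expiration, // useful for logging when the session ends
    );
}

// Less trusted side (step 4): only the temporary triple is handed over.
function probe_permissions(array $creds, $allowedBucket, $otherBucket)
{
    $s3 = new AmazonS3(array(
        'key'    => $creds['key'],
        'secret' => $creds['secret'],
        'token'  => $creds['token'],
    ));

    $results = array();

    // Inside the policy: listing the named bucket is expected to return HTTP 200.
    $r = $s3->list_objects($allowedBucket);
    $results['list allowed bucket'] = $r->status;

    // Outside the policy (different resource): expected HTTP 403.
    $r = $s3->list_objects($otherBucket);
    $results['list other bucket'] = $r->status;

    // Outside the policy (different action): for an existing key this is expected
    // to be HTTP 403; a missing key yields 404 because the session may list the bucket.
    $r = $s3->get_object($allowedBucket, 'existing-object.txt'); // placeholder key
    $results['get object in allowed bucket'] = $r->status;

    return $results;
}

$creds = get_scoped_credentials($allowedBucket, 'User1', 3600);
foreach (probe_permissions($creds, $allowedBucket, $otherBucket) as $check => $status) {
    printf("%-30s HTTP %d\n", $check, $status);
}
```

The probe is worth keeping in a test suite for the trusted component: if a later change to the IAM user's permissions or to the generated policy widens what the session can do, the second and third checks stop returning 403 and the regression is caught before credentials reach the less trusted code.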

Example

The following PHP code example lists keys in the specified bucket. In the code example, you first obtain temporary security credentials for a two-hour session for your federated user (User1) and then use them to send authenticated requests to Amazon S3.

When requesting temporary credentials for others, for added security, you use the security credentials of an IAM user who has permission to request temporary security credentials. You can also limit the access permissions of this IAM user to ensure that it grants only the minimum, application-specific permissions to the federated user. This sample only lists objects in a specific bucket. Therefore, first create an IAM user with the following policy attached.

{
  "Statement":[{
      "Action":["s3:ListBucket",
        "sts:GetFederationToken*"
      ],
      "Effect":"Allow",
      "Resource":"*"
    }
  ]
}

The policy allows the IAM user to request temporary security credentials and grants access permission only to list your AWS resources. For more information about how to create an IAM user, go to Set Up a Group, Grant Permissions, and Add Users in the AWS Identity and Access Management Getting Started Guide.

You can now use the IAM user's security credentials to test the following example. The example sends an authenticated request to Amazon S3 using temporary security credentials. The example specifies the following policy when requesting temporary security credentials for the federated user (User1), which restricts access to listing objects in a specific bucket. You must update the policy and provide your own existing bucket name.

{
  "Statement":[
    {
      "Sid":"1",
      "Action":["s3:ListBucket"],
      "Effect":"Allow", 
      "Resource":"arn:aws:s3:::ExampleBucket"
    }
  ]
}

You must update the following sample and provide the bucket name that you specified in the preceding federated user access policy.

<?php
require_once '../aws-sdk-for-php/sdk.class.php';
header('Content-Type: text/plain; charset=utf-8');

$bucket = 'ExampleBucket';

$token = new AmazonSTS();

$policy = new CFPolicy($token, array(
    'Statement' => array(
        array(
            'Sid' => 'randomstatementid' . time(),
            'Action' => array('s3:ListBucket'),
            'Effect' => 'Allow',
            'Resource' => 'arn:aws:s3:::ExampleBucket'
        )
    )
));

// Fetch the session credentials.
$response1 = $token->get_federation_token(
    'User1',
    array(
        'Policy' => $policy->get_json(),
        'DurationSeconds' => 3600
    )
);

$AccessKeyId = (string)$response1->body->GetFederationTokenResult->Credentials->AccessKeyId;
$SecretAccessKey = (string)$response1->body->GetFederationTokenResult->Credentials->SecretAccessKey;
$SessionToken = (string)$response1->body->GetFederationTokenResult->Credentials->SessionToken;

// Instantiate the class with the temporary credentials.
$s3 = new AmazonS3(array(
    'key' => $AccessKeyId,
    'secret' => $SecretAccessKey,
    'token' => $SessionToken
));

// Get the object list using the temporary credentials.
// get_object_list() would return only an array of key names; list_objects()
// returns the full response, including the HTTP status.
//$response = $s3->get_object_list($bucket);
$response = $s3->list_objects($bucket);

// Success? Inspect the response (status 200 on success, 403 if the policy does not permit the request).
print_r($response);
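The note at the top of this page states that a federated user can never get more permissions than the IAM user who requested the credentials, and the two policies above (the IAM user's and the one passed to get_federation_token()) are what that rule is applied to. The following is an added illustration, not code from the guide or from AWS: a deliberately simplified PHP model of that evaluation, in which a request is allowed only if both policies allow it and neither explicitly denies it. It models only Action, Resource and Effect with '*' wildcards; real IAM evaluation also handles conditions, NotAction, resource-based policies and more, so treat it as a teaching aid, not an authorization engine. The function names, the OtherBucket name and the object key are constructed for the example.

```php
<?php
// Added illustration, not from the guide: a simplified model of why a federated
// session's permissions are the intersection of the requesting IAM user's policy
// and the policy passed to GetFederationToken. Only Action/Resource/Effect with
// '*' wildcards are modelled (no conditions, NotAction or resource policies).

// Match an IAM wildcard pattern ('s3:Get*', 'arn:aws:s3:::bucket/*') against a value.
function iam_pattern_matches($pattern, $value)
{
    $regex = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/i';
    return preg_match($regex, $value) === 1;
}

// Evaluate one policy document (array form) for an action on a resource.
// Returns 'allow', 'deny' (explicit) or 'implicit-deny' (no statement matched).
function evaluate_policy(array $policy, $action, $resource)
{
    $decision = 'implicit-deny';
    foreach ($policy['Statement'] as $stmt) {
        $actionHit = $resourceHit = false;
        foreach ((array) $stmt['Action'] as $a) {
            if (iam_pattern_matches($a, $action)) { $actionHit = true; }
        }
        foreach ((array) $stmt['Resource'] as $r) {
            if (iam_pattern_matches($r, $resource)) { $resourceHit = true; }
        }
        if (!$actionHit || !$resourceHit) {
            continue;
        }
        if ($stmt['Effect'] === 'Deny') {
            return 'deny'; // an explicit deny always wins
        }
        $decision = 'allow';
    }
    return $decision;
}

// Effective decision for the federated session: both policies must allow.
function federated_decision(array $iamUserPolicy, array $sessionPolicy, $action, $resource)
{
    $user    = evaluate_policy($iamUserPolicy, $action, $resource);
    $session = evaluate_policy($sessionPolicy, $action, $resource);
    return ($user === 'allow' && $session === 'allow') ? 'allow' : 'deny';
}

// The two policies from this page, in array form.
$iamUserPolicy = array('Statement' => array(
    array('Action' => array('s3:ListBucket', 'sts:GetFederationToken*'),
          'Effect' => 'Allow', 'Resource' => '*'),
));
$sessionPolicy = array('Statement' => array(
    array('Sid' => '1', 'Action' => array('s3:ListBucket'),
          'Effect' => 'Allow', 'Resource' => 'arn:aws:s3:::ExampleBucket'),
));

// Constructed requests: only the first is inside both policies.
$requests = array(
    array('s3:ListBucket', 'arn:aws:s3:::ExampleBucket'),            // allow
    array('s3:ListBucket', 'arn:aws:s3:::OtherBucket'),              // deny: not in session policy
    array('s3:GetObject',  'arn:aws:s3:::ExampleBucket/secret.txt'), // deny: in neither policy
);
foreach ($requests as $req) {
    printf("%-14s %-42s %s\n", $req[0], $req[1],
        federated_decision($iamUserPolicy, $sessionPolicy, $req[0], $req[1]));
}

// Widening the session policy does not help: 's3:*' on every resource is still
// cut down to what the IAM user itself holds, so GetObject remains denied.
$wideSession = array('Statement' => array(
    array('Action' => 's3:*', 'Effect' => 'Allow', 'Resource' => '*'),
));
printf("%-14s %-42s %s (wide session policy)\n",
    's3:GetObject', 'arn:aws:s3:::ExampleBucket/secret.txt',
    federated_decision($iamUserPolicy, $wideSession, 's3:GetObject', 'arn:aws:s3:::ExampleBucket/secret.txt'));
```

Run with `php` from the command line; the first request prints `allow` and the other three print `deny`. The last case is the one to remember when reviewing trusted code: a bug that generates an overly broad session policy cannot escalate beyond the IAM user's own permissions, which is why the page recommends a dedicated IAM user holding only s3:ListBucket and sts:GetFederationToken.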