Returns a set of temporary security credentials (consisting of an access key ID, a secret
access key, and a security token) for a federated user. A typical use is in a proxy
application that is getting temporary security credentials on behalf of distributed
applications inside a corporate network. Because you must call the
GetFederationToken action using the long-term security credentials of an IAM
user, this call is appropriate in contexts where those credentials can be safely stored,
usually in a server-based application.
Note: Do not use this call in mobile applications or client-based web applications that
directly get temporary security credentials. For those types of applications, use
The GetFederationToken action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that are created by IAM
users are valid for the specified duration, between 900 seconds (15 minutes) and 129600
seconds (36 hours); credentials that are created by using account credentials have a maximum
duration of 3600 seconds (1 hour).
Optionally, you can pass an AWS IAM access policy to this operation. The temporary security credentials that
are returned by the operation have only the permissions that are allowed by both the policy you pass and the
permissions of the IAM user that makes the GetFederationToken call: the passed policy cannot grant the federated
user anything the calling user lacks, and anything it explicitly denies is denied regardless of the caller's permissions.
This gives you a way to further restrict the permissions for the resulting temporary security credentials, so a proxy
application should pass the narrowest policy that serves each federated user. These policies and any
applicable resource-based policies are evaluated when calls to AWS are made using the temporary security credentials.
For more information about how permissions work, see Controlling Permissions in Temporary Credentials in Using Temporary Security Credentials.
For information about using GetFederationToken to create temporary security credentials, see Creating Temporary Credentials to Enable Access for Federated Users in Using Temporary Security Credentials.
For information about the common parameters that all actions use, see Common Parameters.
DurationSeconds: The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the requested duration is longer than one hour, the session for AWS account owners defaults to one hour.
Name: The name of the federated user (such as Bob). The name is used as an identifier for the temporary security
credentials. For example, you can reference the federated user name in a resource-based policy, such as in an Amazon S3 bucket policy.
Length constraints: Minimum length of 2. Maximum length of 32.
Policy: An AWS IAM policy in JSON format.
By default, federated users have no permissions; they do not inherit any from the IAM user. When you specify a policy, the federated user's permissions are the intersection of the specified policy and the IAM user's permissions: a request is allowed only if both allow it and neither explicitly denies it. If you don't specify a policy, federated users can only access AWS resources that explicitly allow those federated users in a resource policy, such as in an Amazon S3 bucket policy.
Length constraints: Minimum length of 1. Maximum length of 2048.
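The permission model described above (the passed policy can only narrow the calling IAM user's permissions, and a federated user with no policy inherits nothing) is easy to get wrong when designing the proxy application. The following is an added example, not code from the page or from AWS: a deliberately simplified IAM evaluator that handles only Effect, Action and Resource (no NotAction, NotResource, Condition, or resource-based policies) and applies the intersection rule to a constructed caller policy and session policy.

```python
import fnmatch

# Constructed sample policies (not from the page). The IAM user that calls
# GetFederationToken may read and write objects in one bucket and is denied
# deletes everywhere; the session policy passed as the Policy parameter tries
# to allow s3:* on every resource.
CALLER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::app-bucket/*"},
        {"Effect": "Deny", "Action": "s3:DeleteObject", "Resource": "*"},
    ],
}
SESSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(patterns, value):
    # IAM wildcard semantics for Action/Resource: '*' and '?'; action names
    # are matched case-insensitively. Bracket classes are a fnmatch extra
    # that IAM lacks; they never occur in ARNs or action names used here.
    value = value.lower()
    return any(fnmatch.fnmatchcase(value, p.lower()) for p in _as_list(patterns))


def evaluate(policy, action, resource):
    """Decision of one policy document for one request: 'Deny' if any
    matching statement denies, else 'Allow' if any matching statement
    allows, else 'ImplicitDeny'. Simplified: Action/Resource only."""
    decision = "ImplicitDeny"
    for stmt in policy["Statement"]:
        if not _matches(stmt.get("Action", []), action):
            continue
        if not _matches(stmt.get("Resource", []), resource):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"
        decision = "Allow"
    return decision


def federated_allowed(caller_policy, session_policy, action, resource):
    """Whether credentials minted by GetFederationToken may perform the
    request, considering identity-based policies only. The session policy
    can only narrow the caller's permissions: the request must be allowed
    by both documents and explicitly denied by neither. With no session
    policy the federated user inherits nothing, so only a resource-based
    policy naming the federated user (not modelled here) could grant access."""
    if session_policy is None:
        return False
    return (evaluate(caller_policy, action, resource) == "Allow"
            and evaluate(session_policy, action, resource) == "Allow")


if __name__ == "__main__":
    obj = "arn:aws:s3:::app-bucket/report.csv"
    for act in ("s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"):
        print(act, federated_allowed(CALLER_POLICY, SESSION_POLICY, act, obj))
```

Even though the session policy asks for s3:* on *, the federated user ends up with exactly the caller's GetObject and PutObject on app-bucket; DeleteObject stays denied by the caller's explicit Deny, and a read-only session policy removes PutObject as well.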
Credentials: The temporary security credentials, returned in a structure named Credentials, that are used for service API authentication: an access key ID, a secret access key, a session token, and the time at which the credentials expire.
FederatedUser: Identifiers for the federated user associated with the credentials (such as arn:aws:sts::123456789012:federated-user/Bob and 123456789012:Bob). You can use the federated user's ARN in your resource policies, such as in an Amazon S3 bucket policy.
PackedPolicySize: A percentage value indicating the size of the policy in packed form. The service rejects policies for which the packed size is greater than 100 percent of the allowed value.
For information about the errors that are common to all actions, see Common Errors.
The request was rejected because the policy document was malformed. The error message describes the specific error.
HTTP Status Code: 400
The request was rejected because the policy document was too large. The error message describes how big the policy document is, in packed form, as a percentage of what the API allows.
HTTP Status Code: 400
Sample request:
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetFederationToken
&Name=Bob
&Policy=%7B%22Version%22%3A%222012-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%22Stmt1%22%2C%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3A*%22%2C%22Resource%22%3A%22*%22%7D%5D%7D
&DurationSeconds=3600
&AUTHPARAMS
The Policy parameter is the URL-encoded form of {"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"*"}]}.
Sample response:
<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetFederationTokenResult>
    <Credentials>
      <SessionToken>
        AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
        LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
        QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
        9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
        +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <FederatedUser>
      <Arn>arn:aws:sts::123456789012:federated-user/Bob</Arn>
      <FederatedUserId>123456789012:Bob</FederatedUserId>
    </FederatedUser>
    <PackedPolicySize>6</PackedPolicySize>
  </GetFederationTokenResult>
  <ResponseMetadata>
    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
  </ResponseMetadata>
</GetFederationTokenResponse>
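To tie the parameter rules and the sample exchange together, the following is an added example (not code from the page or from AWS): it builds the unsigned Query-API request shown above, enforcing the Name, Policy and DurationSeconds constraints including the one-hour cap for AWS account credentials, and parses the sample response into credentials with a real expiration time. The SigV4 authentication parameters (AUTHPARAMS) are left to the caller's signer and are not modelled; the embedded response is a constructed copy of the page's sample with example values.

```python
import json
import urllib.parse
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STS_ENDPOINT = "https://sts.amazonaws.com/"
API_VERSION = "2011-06-15"
NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# The policy from the page's sample request, as a Python structure.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Stmt1", "Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: the page's example response (example values, not live keys).
SAMPLE_RESPONSE = """<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetFederationTokenResult>
    <Credentials>
      <SessionToken>AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
        LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
        QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
        9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
        +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==</SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <FederatedUser>
      <Arn>arn:aws:sts::123456789012:federated-user/Bob</Arn>
      <FederatedUserId>123456789012:Bob</FederatedUserId>
    </FederatedUser>
    <PackedPolicySize>6</PackedPolicySize>
  </GetFederationTokenResult>
  <ResponseMetadata><RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId></ResponseMetadata>
</GetFederationTokenResponse>"""


def effective_duration(requested=None, account_credentials=False):
    """DurationSeconds rules: 900 to 129600 seconds, default 43200; sessions
    created with AWS account credentials are capped at 3600 seconds."""
    if requested is None:
        requested = 43200
    if not 900 <= requested <= 129600:
        raise ValueError("DurationSeconds must be between 900 and 129600")
    if account_credentials and requested > 3600:
        return 3600
    return requested


def build_request(name, policy=None, duration=None, account_credentials=False):
    """Return the unsigned GetFederationToken Query-API URL (AUTHPARAMS omitted)."""
    if not 2 <= len(name) <= 32:
        raise ValueError("Name must be 2 to 32 characters")
    params = {"Version": API_VERSION, "Action": "GetFederationToken", "Name": name}
    if policy is not None:
        doc = json.dumps(policy, separators=(",", ":"))  # compact, like the sample
        if not 1 <= len(doc) <= 2048:
            raise ValueError("Policy must be 1 to 2048 characters")
        params["Policy"] = doc
    params["DurationSeconds"] = str(effective_duration(duration, account_credentials))
    return STS_ENDPOINT + "?" + urllib.parse.urlencode(params)


def parse_response(xml_text):
    """Extract credentials, federated-user identifiers and PackedPolicySize."""
    root = ET.fromstring(xml_text)
    result = root.find("sts:GetFederationTokenResult", NS)
    creds = result.find("sts:Credentials", NS)
    user = result.find("sts:FederatedUser", NS)
    text = lambda el, tag: el.findtext("sts:" + tag, namespaces=NS).strip()
    expiration = datetime.strptime(
        text(creds, "Expiration"), "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
    return {
        "access_key_id": text(creds, "AccessKeyId"),
        "secret_access_key": text(creds, "SecretAccessKey"),
        # the sample wraps the token across lines; drop that whitespace
        "session_token": "".join(text(creds, "SessionToken").split()),
        "expiration": expiration,
        "arn": text(user, "Arn"),
        "federated_user_id": text(user, "FederatedUserId"),
        "packed_policy_size": int(text(result, "PackedPolicySize")),
    }


def is_expired(credentials, now=None):
    """True once the Expiration time has passed; refresh before using them."""
    now = now or datetime.now(timezone.utc)
    return now >= credentials["expiration"]


if __name__ == "__main__":
    print(build_request("Bob", SAMPLE_POLICY, 3600))
    c = parse_response(SAMPLE_RESPONSE)
    print(c["arn"], "expires", c["expiration"].isoformat(), "expired:", is_expired(c))
```

Note that urllib.parse.urlencode percent-encodes the asterisks in the policy, whereas the page's sample leaves them raw; both forms are valid query-string encodings of the same document.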