To grant temporary access to a non-AWS user whose identity you can authenticate (a
federated user), use the AWS STS GetFederationToken action. This action is useful
if you have non-AWS users that you authenticate with an external service, such as
Microsoft Active Directory, LDAP, or Kerberos. You might use GetFederationToken in a
broker application you build that lets your users sign in to your authentication
system and receive temporary security credentials that they can use to access your
AWS resources. The broker, not the end user, holds the long-term AWS credentials that
call GetFederationToken. To see an example of this kind of application, go to Identity
Federation Sample Application for an Active Directory Use Case at AWS Sample Code
& Libraries.
When you create temporary security credentials for a federated user, you specify a
user identity (the Name parameter) and request a maximum duration for the temporary
security credentials to remain valid. Credentials created by IAM users are valid for
the specified duration, between 15 minutes and 36 hours; credentials created using
AWS account (root) credentials last one hour. You can also use the Policy parameter
to pass in an IAM policy that specifies the permissions to apply to the federated
user. The resulting permissions are the intersection of that policy and the
permissions of the IAM user that calls GetFederationToken: the Policy parameter can
narrow what the caller is allowed to do, but it can never grant the federated user
more than the caller itself has. The GetFederationToken action returns temporary
security credentials consisting of a session token, an access key ID, and a secret
access key.
The following example shows a sample request and response using GetFederationToken. In
this example, the request includes the name for a federated user named Jean, and it
includes a value for the Policy parameter. This policy grants the
federated user permission to access Amazon Simple Storage Service (Amazon S3) only. In
addition to the temporary security credentials, the response includes the Amazon
Resource Name (ARN) for the federated user, and the expiration time of the
credentials.
Example Request
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetFederationToken
&Name=Jean
&Policy=%7B%22Statement%22%3A%5B%7B%22Sid%22%3A%22Stmt1%22%2C%22Effect%22%3A%22Allow%22%2C%22Action%22%3A%22s3%3A*%22%2C%22Resource%22%3A%22*%22%7D%5D%7D
&DurationSeconds=3600
&AUTHPARAMS
Note
The policy value shown in the example above is the URL-encoded version of this policy: {"Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"*"}]}.
Example Response
<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetFederationTokenResult>
    <Credentials>
      <SessionToken>
        AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
        LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
        QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
        9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
        +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCEXAMPLE==
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <FederatedUser>
      <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn>
      <FederatedUserId>123456789012:Jean</FederatedUserId>
    </FederatedUser>
    <PackedPolicySize>6</PackedPolicySize>
  </GetFederationTokenResult>
  <ResponseMetadata>
    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
  </ResponseMetadata>
</GetFederationTokenResponse>
Note
GetFederationToken stores the policy in a packed format. GetFederationToken
returns the size so you can adjust the calling parameters. For more information
about the size constraints on the policy, go to GetFederationToken in the
AWS Security Token Service API Reference.
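The request and response above, as an added Python example that is not part of this page or of AWS's SDKs: it builds the same Query API URL (URL-encoding the policy as the Note describes, and rejecting a DurationSeconds outside the 15-minute to 36-hour range), parses the sample response into the three credential values plus the federated-user ARN and packed policy size, and checks the Expiration before the credentials are used. The endpoint, API version and element names are those on the page; the helper names, the 5-minute expiry margin and the shortened SessionToken in the embedded sample are this example's own choices.

```python
# Added example (not AWS code): build the GetFederationToken Query API request
# shown on this page and parse its XML response.  The endpoint, API version and
# element names come from the page; helper names and the expiry margin are
# this example's own.
import json
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from urllib.parse import quote, urlencode

STS_ENDPOINT = "https://sts.amazonaws.com/"
STS_NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# The page's policy: Amazon S3 only, on every resource.
S3_ONLY_POLICY = {"Statement": [{"Sid": "Stmt1", "Effect": "Allow",
                                 "Action": "s3:*", "Resource": "*"}]}


def _compact(policy: dict) -> str:
    """Serialise without whitespace; every byte counts toward the packed size."""
    return json.dumps(policy, separators=(",", ":"))


def encode_policy(policy: dict) -> str:
    """Percent-encode the policy with RFC 3986 rules.  The page's example leaves
    '*' bare; quote() writes it as %2A, which decodes to the same policy."""
    return quote(_compact(policy), safe="")


def build_query(name: str, policy: dict, duration_seconds: int) -> str:
    """Return the unsigned request URL.  The signature parameters the page
    abbreviates as AUTHPARAMS are added by the request signer, not here."""
    if not 2 <= len(name) <= 32:
        raise ValueError("Name must be 2 to 32 characters")
    if not 900 <= duration_seconds <= 129600:      # 15 minutes to 36 hours
        raise ValueError("DurationSeconds must be between 900 and 129600")
    params = [("Version", "2011-06-15"),
              ("Action", "GetFederationToken"),
              ("Name", name),
              ("Policy", _compact(policy)),
              ("DurationSeconds", str(duration_seconds))]
    return STS_ENDPOINT + "?" + urlencode(params, quote_via=quote)


def parse_timestamp(value: str) -> datetime:
    """STS writes UTC timestamps as 2011-07-15T23:28:33.359Z; the fractional
    part may be absent, so accept both forms."""
    for fmt in ("%Y-%m-%dT%H:%M:%S.%fZ", "%Y-%m-%dT%H:%M:%SZ"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            pass
    raise ValueError(f"unrecognised timestamp {value!r}")


def parse_response(xml_text: str) -> dict:
    """Extract credentials, federated-user ARN and packed policy size from a
    GetFederationTokenResponse document."""
    result = ET.fromstring(xml_text).find("sts:GetFederationTokenResult", STS_NS)
    if result is None:
        raise ValueError("not a GetFederationTokenResponse")

    def text(path: str) -> str:
        node = result.find(path, STS_NS)
        if node is None or node.text is None:
            raise ValueError(f"missing element {path}")
        return "".join(node.text.split())   # drop pretty-printing whitespace

    return {
        "access_key_id": text("sts:Credentials/sts:AccessKeyId"),
        "secret_access_key": text("sts:Credentials/sts:SecretAccessKey"),
        "session_token": text("sts:Credentials/sts:SessionToken"),
        "expiration": parse_timestamp(text("sts:Credentials/sts:Expiration")),
        "federated_user_arn": text("sts:FederatedUser/sts:Arn"),
        "packed_policy_size": int(text("sts:PackedPolicySize")),
    }


def usable_at(creds: dict, now_utc: str, margin: timedelta = timedelta(minutes=5)) -> bool:
    """True if the credentials are still valid at `now_utc` (ISO 8601 with 'Z'),
    keeping a safety margin so a request started near expiry does not fail."""
    return parse_timestamp(now_utc) + margin < creds["expiration"]


# Response from the page with the SessionToken shortened; every value is an
# AWS documentation EXAMPLE placeholder, not a real credential.
SAMPLE_RESPONSE = """<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetFederationTokenResult>
    <Credentials>
      <SessionToken>
        AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
        LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <FederatedUser>
      <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn>
      <FederatedUserId>123456789012:Jean</FederatedUserId>
    </FederatedUser>
    <PackedPolicySize>6</PackedPolicySize>
  </GetFederationTokenResult>
  <ResponseMetadata>
    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
  </ResponseMetadata>
</GetFederationTokenResponse>"""

if __name__ == "__main__":
    print(build_query("Jean", S3_ONLY_POLICY, 3600))
    creds = parse_response(SAMPLE_RESPONSE)
    print(creds["federated_user_arn"], "expires", creds["expiration"].isoformat())
```

A broker should cache the parsed credentials keyed by the Name it used and refresh them through usable_at rather than hand out a set that is about to expire; a request that is in flight when the Expiration passes fails with an authorization error.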
If you prefer to grant permissions at the resource level, you can omit the
Policy parameter. However, be aware that if you do not include a policy for the
federated user, the temporary security credentials by themselves grant no
permissions. In this case, you must use resource policies to grant the
federated user access to your AWS resources.
For example, if your AWS account number is 111122223333, and you have an Amazon S3 bucket that you want to allow Susan to access even though her temporary security credentials don't include a policy for the bucket, the bucket needs a bucket policy whose Principal element names Susan's federated-user ARN, arn:aws:sts::111122223333:federated-user/Susan. That ARN is derived from the Name parameter you passed to GetFederationToken, so the broker must use the same Name for the same person every time it requests credentials, or the resource policy will no longer match.
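The resource-policy alternative above, as an added Python example that is not from this page or from AWS: it derives Susan's federated-user ARN from the account number and the Name passed to GetFederationToken, generates a read-only bucket policy whose Principal is that ARN, and runs a deliberately simplified policy check to show that only that exact ARN, and only the listed actions on the listed resources, are matched. The account number is the page's 111122223333; the bucket name, prefix and helper names are assumptions, and the evaluator ignores Deny statements, Condition blocks and the caller's identity-based policies.

```python
# Added example (not AWS code): a bucket policy that grants one federated
# user read access when GetFederationToken was called without a Policy.
# Account number is the page's; bucket, prefix and function names are made up.
import fnmatch
import json


def federated_user_arn(account_id: str, name: str) -> str:
    """The ARN STS reports for a GetFederationToken session whose Name is `name`."""
    return f"arn:aws:sts::{account_id}:federated-user/{name}"


def bucket_policy_for_federated_user(account_id: str, name: str,
                                     bucket: str, prefix: str = "") -> dict:
    """Read-only bucket policy for a single federated user.  s3:ListBucket is
    evaluated against the bucket ARN and s3:GetObject against object ARNs, so
    the two permissions need two Resource values."""
    principal = {"AWS": federated_user_arn(account_id, name)}
    return {
        "Version": "2012-10-17",   # current policy language version
        "Statement": [
            {"Sid": "ListForFederatedUser",
             "Effect": "Allow",
             "Principal": principal,
             "Action": "s3:ListBucket",
             "Resource": f"arn:aws:s3:::{bucket}"},
            {"Sid": "ReadForFederatedUser",
             "Effect": "Allow",
             "Principal": principal,
             "Action": "s3:GetObject",
             "Resource": f"arn:aws:s3:::{bucket}/{prefix}*"},
        ],
    }


def render(policy: dict) -> str:
    """JSON text in the form you would paste into the bucket policy editor."""
    return json.dumps(policy, indent=2)


def _as_list(value) -> list:
    return value if isinstance(value, list) else [value]


def allows(policy: dict, principal_arn: str, action: str, resource: str) -> bool:
    """Simplified evaluation: True if some Allow statement names this principal
    (exactly, or '*'), and matches the action and resource with IAM-style '*'
    wildcards.  Real IAM also applies Deny statements, Condition blocks and the
    calling IAM user's own policies; this covers only the shape generated above."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principals = _as_list(stmt.get("Principal", {}).get("AWS", []))
        if not any(p in ("*", principal_arn) for p in principals):
            continue
        if not any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt["Action"])):
            continue
        if any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    policy = bucket_policy_for_federated_user("111122223333", "Susan",
                                              "example-bucket", "reports/")
    print(render(policy))
    susan = federated_user_arn("111122223333", "Susan")
    print(allows(policy, susan, "s3:GetObject", "arn:aws:s3:::example-bucket/reports/q1.csv"))
```

The check is the point of the block: a session named Jean, or a Susan session asking for s3:PutObject or an object outside reports/, is refused, which is what makes the federated-user ARN a usable principal for least-privilege resource policies.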
GetFederationToken in the AWS Security Token Service API Reference