IAM users can use the AWS Security Token Service GetSessionToken API action to create temporary security credentials for themselves. This enables access for IAM users or AWS accounts whose permissions are already defined. Because the credentials are temporary, they provide enhanced security when you have an IAM user who will be accessing your resources through a less secure environment, such as a mobile device or web browser.
By default, temporary security credentials for an IAM user are valid for a maximum of 12 hours, but you can request a duration as short as 15 minutes, or as long as 36 hours. For security reasons, a token for an AWS account's root identity is restricted to a duration of one hour.
GetSessionToken returns temporary security credentials consisting of a
security token, an Access Key ID, and a Secret Access Key. The following example shows a
sample request and response using GetSessionToken. The response also
includes the expiration time of the temporary security credentials.
Example Request
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=3600
&AUTHPARAMS
Example Response
<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetSessionTokenResult>
    <Credentials>
      <SessionToken>
        AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/L
        To6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3z
        rkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtp
        Z3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE
      </SessionToken>
      <SecretAccessKey>
        wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY
      </SecretAccessKey>
      <Expiration>2011-07-11T19:55:29.611Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
  </GetSessionTokenResult>
  <ResponseMetadata>
    <RequestId>58c5dbae-abef-11e0-8cfe-09039844ac7d</RequestId>
  </ResponseMetadata>
</GetSessionTokenResponse>
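The response format above, parsed as an added example (not part of the original AWS documentation): it extracts the four credential fields, joins values that are wrapped across lines, and checks the Expiration time before the credentials are used. The function names, the five-minute refresh margin, and the shortened sample token are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
import xml.etree.ElementTree as ET

# Namespace exactly as it appears in the example response on this page.
NS = {"sts": "https://sts.amazonaws.com/doc/2011-06-15/"}

# Constructed sample: same structure as the page's response, token shortened.
SAMPLE = """<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetSessionTokenResult>
    <Credentials>
      <SessionToken>
        AQoEXAMPLEtokenpart1
        EXAMPLEtokenpart2
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-11T19:55:29.611Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
  </GetSessionTokenResult>
</GetSessionTokenResponse>"""

def parse_credentials(xml_text):
    """Return the four credential fields; raise ValueError if any is missing."""
    creds = ET.fromstring(xml_text).find("sts:GetSessionTokenResult/sts:Credentials", NS)
    if creds is None:
        raise ValueError("no Credentials element in response")
    out = {}
    for field in ("AccessKeyId", "SecretAccessKey", "SessionToken", "Expiration"):
        text = creds.findtext(f"sts:{field}", default="", namespaces=NS)
        # Values may be wrapped across lines in the XML; remove all whitespace.
        out[field] = "".join(text.split())
        if not out[field]:
            raise ValueError(f"missing {field}")
    # Expiration is UTC ("Z"); convert it to a timezone-aware datetime.
    out["Expiration"] = datetime.fromisoformat(out["Expiration"].replace("Z", "+00:00"))
    return out

def needs_refresh(creds, now, margin=timedelta(minutes=5)):
    """True once the credentials are expired or within `margin` of expiring."""
    return now >= creds["Expiration"] - margin
```

Call needs_refresh with the current UTC time before each signed request, and request a new session token when it returns True instead of waiting for a request to fail.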
Optionally, the GetSessionToken request can include
SerialNumber and TokenCode values for AWS Multi-Factor
Authentication (MFA) verification. If the provided values are valid, STS returns
temporary security credentials that include the state of MFA authentication, so
those credentials can be used to access the MFA-protected APIs or AWS
websites for as long as the MFA authentication is valid.
The following is an example of a GetSessionToken request with an MFA
verification code and device serial number using the STS Query API.
https://sts.amazonaws.com/
?Version=2011-06-15
&Action=GetSessionToken
&DurationSeconds=7200
&SerialNumber=YourMFADeviceSerialNumber
&TokenCode=123456
&AUTHPARAMS
GetSessionToken in the AWS Security Token Service API Reference
Using Multi-Factor Authentication (MFA) Devices with AWS in Using AWS Identity and Access Management
Making Query Requests in Using AWS Identity and Access Management