For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the AWS SDK for iOS and the AWS SDK for Android to uniquely identify a user and supply the user with a consistent identity throughout the lifetime of an application.
AssumeRoleWithWebIdentity does not require the use of AWS security
credentials. Therefore, you can distribute an application (for example, on mobile
devices) that requests temporary security credentials without including long-term
AWS credentials in the application, and without deploying server-based proxy services
that use long-term AWS credentials. Instead, the identity of the caller is validated
by using a token from the web identity provider.
The temporary security credentials returned by this API consist of an access key ID,
a secret access key, and a security token. Applications can use these temporary security
credentials to sign calls to AWS service APIs. The credentials are valid for the duration
that you specified when calling
AssumeRoleWithWebIdentity, which can
be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary
security credentials are valid for 1 hour.
Optionally, you can pass an IAM access policy to this operation. If you choose not to pass a policy, the temporary security credentials that are returned by the operation have the permissions that are defined in the access policy of the role that is being assumed. If you pass a policy to this operation, the temporary security credentials that are returned by the operation have the permissions that are allowed by both the access policy of the role that is being assumed, and the policy that you pass. This gives you a way to further restrict the permissions for the resulting temporary security credentials. You cannot use the passed policy to grant permissions that are in excess of those allowed by the access policy of the role that is being assumed. For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the Using IAM.
Before your application can call
AssumeRoleWithWebIdentity, you must
have an identity token from a supported identity provider and create a role that the
application can assume. The role that your application assumes must trust the identity
provider that is associated with the identity token. In other words, the identity
provider must be specified in the role's trust policy.
For more information about how to use web identity federation and the
API, see the following resources:
Version: (assembly version)
public abstract AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentity( AssumeRoleWithWebIdentityRequest request )
Container for the necessary parameters to execute the AssumeRoleWithWebIdentity service method.
|ExpiredTokenException||The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.|
|IDPCommunicationErrorException||The request could not be fulfilled because the non-AWS identity provider (IDP) that was asked to verify the incoming identity token could not be reached. This is often a transient error caused by network conditions. Retry the request a limited number of times so that you don't exceed the request rate. If the error persists, the non-AWS identity provider might be down or not responding.|
|IDPRejectedClaimException||The identity provider (IdP) reported that authentication failed. This might be because the claim is invalid. If this error is returned for the AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired or has been explicitly revoked.|
|InvalidIdentityTokenException||The web identity token that was passed could not be validated by AWS. Get a new identity token from the identity provider and then retry the request.|
|MalformedPolicyDocumentException||The request was rejected because the policy document was malformed. The error message describes the specific error.|
|PackedPolicyTooLargeException||The request was rejected because the policy document was too large. The error message describes how big the policy document is, in packed form, as a percentage of what the API allows.|
|RegionDisabledException||STS is not activated in the requested region for the account that is being asked to create temporary credentials. The account administrator must activate STS in that region using the IAM Console. For more information, see Activating and Deactivating AWS STS in an AWS Region in the Using IAM.|
Supported in: 4.5, 4.0, 3.5