Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
credentials consist of an access key ID, a secret access key, and a security token.
Typically, you use GetSessionToken if you want to use MFA to protect
programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances.
MFA-enabled IAM users would need to call GetSessionToken and submit an MFA
code that is associated with their MFA device. Using the temporary security credentials
that are returned from the call, IAM users can then make programmatic calls to API
operations that require MFA authentication. If you do not supply a correct MFA code, then
the API returns an access denied error. For a comparison of GetSessionToken
with the other API operations that produce temporary credentials, see Requesting
Temporary Security Credentials and Comparing the
Amazon Web Services STS API operations in the IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the
sts:GetSessionToken operation is to authenticate the user using MFA. You
cannot use policies to control authentication operations. For more information, see
Permissions for GetSessionToken in the
IAM User Guide.
Session Duration
The GetSessionToken operation must be called by using the long-term Amazon Web Services
security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
created by IAM users are valid for the duration that you specify. This duration can range
from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken can be used
to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is
included in the request.
You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
We recommend that you do not call GetSessionToken with Amazon Web Services account
root user credentials. Instead, follow our best practices by
creating one or more IAM users, giving them the necessary permissions, and using IAM
users for everyday interaction with Amazon Web Services.
The credentials that are returned by GetSessionToken are based on
permissions associated with the user whose credentials were used to call the operation. If
GetSessionToken is called using Amazon Web Services account root user credentials, the
temporary credentials have root user permissions. Similarly, if
GetSessionToken is called using the credentials of an IAM user, the
temporary credentials have the same permissions as the IAM user.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use
GetSessionTokenif you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2StopInstances. MFA-enabled IAM users would need to callGetSessionTokenand submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison ofGetSessionTokenwith the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.No permissions are required for users to perform this operation. The purpose of the
sts:GetSessionTokenoperation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see Permissions for GetSessionToken in the IAM User Guide.Session Duration
The
GetSessionTokenoperation must be called by using the long-term Amazon Web Services security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.Permissions
The temporary security credentials created by
GetSessionTokencan be used to make API calls to any Amazon Web Services service with the following exceptions:You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except
AssumeRoleorGetCallerIdentity.We recommend that you do not call
GetSessionTokenwith Amazon Web Services account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with Amazon Web Services.The credentials that are returned by
GetSessionTokenare based on permissions associated with the user whose credentials were used to call the operation. IfGetSessionTokenis called using Amazon Web Services account root user credentials, the temporary credentials have root user permissions. Similarly, ifGetSessionTokenis called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.For more information about using
GetSessionTokento create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide.Use a bare-bones client and the command you need to make an API call.
import { STSClient, GetSessionTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import // const { STSClient, GetSessionTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import const client = new STSClient(config); const command = new GetSessionTokenCommand(input); const response = await client.send(command);GetSessionTokenCommandInput for command's
inputshape.GetSessionTokenCommandOutput for command's
responseshape.config for STSClient's
configshape.RegionDisabledException (client fault)
STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User Guide.
To get temporary credentials for an IAM user or an AWS account
// const input = { "DurationSeconds": 3600, "SerialNumber": "YourMFASerialNumber", "TokenCode": "123456" }; const command = new GetSessionTokenCommand(input); const response = await client.send(command); /* response == { "Credentials": { "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Expiration": "2011-07-11T19:55:29.611Z", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE" } } *\/ // example id: to-get-temporary-credentials-for-an-iam-user-or-an-aws-account-1480540814038