Returns a set of temporary security credentials (consisting of an access key ID, a
secret access key, and a security token) for a federated user. A typical use is in a proxy
application that gets temporary security credentials on behalf of distributed applications
inside a corporate network. You must call the GetFederationToken operation
using the long-term security credentials of an IAM user. As a result, this call is
appropriate in contexts where those credentials can be safely stored, usually in a
server-based application. For a comparison of GetFederationToken with the
other API operations that produce temporary credentials, see Requesting Temporary Security
Credentials and Comparing the
Amazon Web Services STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using
a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the
IAM User Guide.
You can also call GetFederationToken using the security credentials of an
Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create
an IAM user for the purpose of the proxy application. Then attach a policy to the IAM
user that limits federated users to only the actions and resources that they need to
access. For more information, see IAM Best Practices in the
IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15
minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root
user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by GetFederationToken in any
Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except GetCallerIdentity.
You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to
this operation. You can pass a single JSON policy document to use as an inline session
policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
managed session policies. The plaintext that you use for both inline and managed session
policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the
resulting federated user session has no permissions. When you pass session policies, the
session permissions are the intersection of the IAM user policies and the session
policies that you pass. This gives you a way to further restrict the permissions for a
federated user. You cannot use session policies to grant more permissions than those that
are defined in the permissions policy of the IAM user. For more information, see Session
Policies in the IAM User Guide. For information about
using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If
that policy specifically references the federated user session in the
Principal element of the policy, the session has the permissions allowed by
the policy. These permissions are granted in addition to the permissions granted by the
session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session
tags. For more information about session tags, see Passing Session Tags in STS in the
IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using
a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the
IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The
administrator can also create granular permissions to allow you to pass only specific
session tags. For more information, see Tutorial: Using Tags
for Attribute-Based Access Control in the
IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you
cannot have separate Department and department tag keys. Assume
that the user that you are federating has the
Department=Marketing tag and you pass the
department=engineering session tag. Department
and department are not saved as separate tags, and the session tag passed in
the request takes precedence over the user tag.
example
Use a bare-bones client and the command you need to make an API call.
The request was rejected because the total packed size of the session policies and
session tags combined was too large. An Amazon Web Services conversion compresses the session policy
document, session policy ARNs, and session tags into a packed binary format that has a
separate limit. The error message indicates by percentage how close the policies and
tags are to the upper size limit. For more information, see Passing Session Tags in STS in
the IAM User Guide.
You could receive this error even though you meet other defined session policy and
session tag limits. For more information, see IAM and STS Entity
Character Limits in the IAM User Guide.
Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the
GetFederationTokenoperation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison ofGetFederationTokenwith the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the Amazon Web Services STS API operations in the IAM User Guide.You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.You can also call
GetFederationTokenusing the security credentials of an Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by
GetFederationTokenin any Amazon Web Services service with the following exceptions:You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
You cannot call any STS operations except
GetCallerIdentity.You can use temporary credentials for single sign-on (SSO) to the console.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a policy, then the resulting federated user session has no permissions. When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about using
GetFederationTokento create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.You can use the credentials to access a resource that has a resource-based policy. If that policy specifically references the federated user session in the
Principalelement of the policy, the session has the permissions allowed by the policy. These permissions are granted in addition to the permissions granted by the session policies.Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User Guide.An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means that you cannot have separate
Departmentanddepartmenttag keys. Assume that the user that you are federating has theDepartment=Marketingtag and you pass thedepartment=engineeringsession tag.Departmentanddepartmentare not saved as separate tags, and the session tag passed in the request takes precedence over the user tag.Use a bare-bones client and the command you need to make an API call.
import { STSClient, GetFederationTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import // const { STSClient, GetFederationTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import const client = new STSClient(config); const command = new GetFederationTokenCommand(input); const response = await client.send(command);GetFederationTokenCommandInput for command's
inputshape.GetFederationTokenCommandOutput for command's
responseshape.config for STSClient's
configshape.MalformedPolicyDocumentException (client fault)
The request was rejected because the policy document was malformed. The error message describes the specific error.
PackedPolicyTooLargeException (client fault)
The request was rejected because the total packed size of the session policies and session tags combined was too large. An Amazon Web Services conversion compresses the session policy document, session policy ARNs, and session tags into a packed binary format that has a separate limit. The error message indicates by percentage how close the policies and tags are to the upper size limit. For more information, see Passing Session Tags in STS in the IAM User Guide.
You could receive this error even though you meet other defined session policy and session tag limits. For more information, see IAM and STS Entity Character Limits in the IAM User Guide.
RegionDisabledException (client fault)
STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User Guide.
To get temporary credentials for a role by using GetFederationToken
// const input = { "DurationSeconds": 3600, "Name": "testFedUserSession", "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", "Tags": [ { "Key": "Project", "Value": "Pegasus" }, { "Key": "Cost-Center", "Value": "98765" } ] }; const command = new GetFederationTokenCommand(input); const response = await client.send(command); /* response == { "Credentials": { "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", "Expiration": "2011-07-15T23:28:33.359Z", "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", "SessionToken": "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==" }, "FederatedUser": { "Arn": "arn:aws:sts::123456789012:federated-user/Bob", "FederatedUserId": "123456789012:Bob" }, "PackedPolicySize": 8 } *\/ // example id: to-get-temporary-credentials-for-a-role-by-using-getfederationtoken-1480540749900