Returns a set of temporary credentials for an AWS account or IAM user. The
credentials consist of an access key ID, a secret access key, and a security token. Typically,
GetSessionToken if you want to use MFA to protect programmatic calls to
specific AWS APIs like Amazon EC2
StopInstances. MFA-enabled IAM users would
need to call
GetSessionToken and submit an MFA code that is associated with their
MFA device. Using the temporary security credentials that are returned from the call, IAM
users can then make programmatic calls to APIs that require MFA authentication. If you do not
supply a correct MFA code, then the API returns an access denied error. For a comparison of
GetSessionToken with the other APIs that produce temporary credentials, see
Temporary Security Credentials and Comparing the
AWS STS APIs in the IAM User Guide.
GetSessionToken action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that are created by
IAM users are valid for the duration that you specify, from 900 seconds (15 minutes) up to a
maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12 hours); credentials
that are created by using account credentials can range from 900 seconds (15 minutes) up to a
maximum of 3600 seconds (1 hour), with a default of 1 hour.
The temporary security credentials created by
GetSessionToken can be used
to make API calls to any AWS service with the following exceptions:
You cannot call any IAM APIs unless MFA authentication information is included in the request.
You cannot call any STS API except
We recommend that you do not call
GetSessionToken with root account
credentials. Instead, follow our best practices by
creating one or more IAM users, giving them the necessary permissions, and using IAM
users for everyday interaction with AWS.
The permissions associated with the temporary security credentials returned by
GetSessionToken are based on the permissions associated with account or IAM
user whose credentials are used to call the action. If
GetSessionToken is called
using root account credentials, the temporary credentials have root account permissions.
GetSessionToken is called using the credentials of an IAM user,
the temporary credentials have the same permissions as the IAM user.
For more information about using
GetSessionToken to create temporary
credentials, go to Temporary
Credentials for Users in Untrusted Environments in the IAM User
For information about the parameters that are common to all actions, see Common Parameters.
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
Valid Range: Minimum value of 900. Maximum value of 129600.
The identification number of the MFA device that is associated with the IAM user who is making the
GetSessionTokencall. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such as
GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device (such as
arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user by going to the AWS Management Console and viewing the user's security credentials.
The regex used to validated this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
Length Constraints: Minimum length of 9. Maximum length of 256.
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Length Constraints: Fixed length of 6.
The following element is returned by the service.
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
Note: The size of the security token that STS APIs return is not fixed. We strongly recommend that you make no assumptions about the maximum size. As of this writing, the typical size is less than 4096 bytes, but that can vary. Also, future updates to AWS might require larger sizes.
Type: Credentials object
For information about the errors that are common to all actions, see Common Errors.
STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.
HTTP Status Code: 403
https://sts.amazonaws.com/ ?Version=2011-06-15 &Action=GetSessionToken &DurationSeconds=3600 &SerialNumber=YourMFADeviceSerialNumber &TokenCode=123456 &AUTHPARAMS
<GetSessionTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/"> <GetSessionTokenResult> <Credentials> <SessionToken> AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/L To6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3z rkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtp Z3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE </SessionToken> <SecretAccessKey> wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY </SecretAccessKey> <Expiration>2011-07-11T19:55:29.611Z</Expiration> <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId> </Credentials> </GetSessionTokenResult> <ResponseMetadata> <RequestId>58c5dbae-abef-11e0-8cfe-09039844ac7d</RequestId> </ResponseMetadata> </GetSessionTokenResponse>
For more information about using this API in one of the language-specific AWS SDKs, see the following: