Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use
GetSessionToken if you want to use MFA to protect programmatic calls to specific Amazon Web Services API operations like Amazon EC2
StopInstances.
MFA-enabled IAM users must call
GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that the call returns, IAM users can then make programmatic calls to API operations that require MFA authentication. An incorrect MFA code causes the API to return an access denied error. For a comparison of
GetSessionToken with the other API operations that produce temporary credentials, see
Requesting Temporary Security Credentials and
Comparing the Amazon Web Services STS API operations in the
IAM User Guide.
No permissions are required for users to perform this operation. The purpose of the
sts:GetSessionToken operation is to authenticate the user using MFA. You cannot use policies to control authentication operations. For more information, see
Permissions for GetSessionToken in the
IAM User Guide.
Session Duration The
GetSessionToken operation must be called by using the long-term Amazon Web Services security credentials of an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions The temporary security credentials created by
GetSessionToken can be used to make API calls to any Amazon Web Services service with the following exceptions:
- You cannot call any IAM API operations unless MFA authentication information is included in the request.
- You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
The credentials that
GetSessionToken returns are based on permissions associated with the IAM user whose credentials were used to call the operation. The temporary credentials have the same permissions as the IAM user.
Although it is possible to call
GetSessionToken using the security credentials of an Amazon Web Services account root user rather than an IAM user, we do not recommend it. If
GetSessionToken is called using root user credentials, the temporary credentials have root user permissions. For more information, see
Safeguard your root user credentials and don't use them for everyday tasks in the
IAM User Guide For more information about using
GetSessionToken to create temporary credentials, see
Temporary Credentials for Users in Untrusted Environments in the
IAM User Guide.