CreateSession API - IAM Roles Anywhere

CreateSession API

Returns temporary security credentials for workloads that have been authenticated with IAM Roles Anywhere to access AWS resources.

Request Syntax

POST /sessions HTTP/1.1
Content-type: application/json

{
   "durationSeconds": number,
   "profileArn": string,
   "roleArn": string,
   "sessionName": string,
   "trustAnchorArn": string
}

URI Request Parameters

The request does not use any URI parameters.

Request Body

The request accepts the following data in JSON format.

durationSeconds

The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to 3600 seconds (1 hour).

Type: Number

Required: No

profileArn

The Amazon Resource Name (ARN) of the profile.

Type: String

Required: Yes

roleArn

The Amazon Resource Name (ARN) of the role to assume.

Type: String

Required: Yes

sessionName

An identifier for the assumed role session.

Type: String

Required: No

trustAnchorArn

The Amazon Resource Name (ARN) of the trust anchor.

Type: String

Required: Yes

Response Syntax

HTTP/1.1 201
Content-type: application/json

{
   "credentialSet": [
      {
         "assumedRoleUser": {
            "arn": ARN,
            "assumedRoleId": String
         },
         "credentials": {
            "accessKeyId": String,
            "expiration": Timestamp,
            "secretAccessKey": String,
            "sessionToken": String
         },
         "packedPolicySize": Number,
         "roleArn": ARN,
         "sourceIdentity": String
      }
   ],
   "subjectArn": ARN
}

Response Elements

If the action is successful, the service sends back an HTTP 201 response.

The following data is returned in JSON format by the service.

assumedRoleUser

The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials.

Type: AssumedRoleUser object

credentials

The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.

Type: Credentials Object

packedPolicySize

A percentage value that indicates the combined packed size of the session policies and session tags passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.

Type: Integer

Valid Range: Minimum value of 0

sourceIdentity

The source identity is specified by the principal that is calling the CreateSession operation.

Type: String

Pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]+

roleArn

The Amazon Resource Name (ARN) of the assumed role.

Type: String

subjectArn

The Amazon Resource Name (ARN) of the Subject resource.

The Subject resource records the history of the principal that is calling the CreateSession operation, including its first and last recorded authentication times.

Type: String

Credentials Object

AWS credentials for API authentication.

AccessKeyId

The access key ID that identifies the temporary security credentials.

Type: String

Length Constraints: Minimum length of 16. Maximum length of 128.

Required: Yes

Expiration

The date on which the current credentials expire.

Type: Timestamp

Required: Yes

SecretAccessKey

The secret access key that can be used to sign requests.

Type: String

Required: Yes

SessionToken

The token that users must pass to the service API to use the temporary credentials.

Type: String

Required: Yes
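
The following added example (not part of the original page or of any AWS SDK) checks a CreateSession request body and response against the constraints documented above before the credentials are used. The function names, the sample ARNs and the sample response are constructed for illustration, and the ISO 8601 form of the expiration Timestamp is an assumption.

```python
import json
from datetime import datetime, timezone

def build_request_body(profile_arn, role_arn, trust_anchor_arn,
                       duration_seconds=None, session_name=None):
    """Serialize a CreateSession body, enforcing the documented constraints."""
    body = {"profileArn": profile_arn, "roleArn": role_arn,
            "trustAnchorArn": trust_anchor_arn}
    for key, value in body.items():  # the three required ARNs
        if not isinstance(value, str) or not value.startswith("arn:"):
            raise ValueError(f"{key} is required and must be an ARN")
    if duration_seconds is not None:
        if type(duration_seconds) is not int or not 900 <= duration_seconds <= 3600:
            raise ValueError("durationSeconds must be between 900 and 3600")
        body["durationSeconds"] = duration_seconds
    if session_name is not None:
        body["sessionName"] = session_name
    return json.dumps(body)

def parse_response(text, expected_role_arn, now=None):
    """Return (credentials, seconds_until_expiry) or raise ValueError."""
    entry = json.loads(text)["credentialSet"][0]
    creds = entry["credentials"]
    for field in ("accessKeyId", "expiration", "secretAccessKey", "sessionToken"):
        if not creds.get(field):
            raise ValueError(f"credentials.{field} is missing")
    if not 16 <= len(creds["accessKeyId"]) <= 128:
        raise ValueError("accessKeyId length outside 16..128")
    if entry["roleArn"] != expected_role_arn:
        raise ValueError("response is for a different role than requested")
    # Assumption: the Timestamp is serialized as an ISO 8601 UTC string.
    expires = datetime.fromisoformat(creds["expiration"].replace("Z", "+00:00"))
    remaining = (expires - (now or datetime.now(timezone.utc))).total_seconds()
    if remaining <= 0:
        raise ValueError("credentials have already expired")
    return creds, remaining

# Constructed sample response; every value is a placeholder.
SAMPLE_ROLE = "arn:aws:iam::111122223333:role/example-role"
SAMPLE_RESPONSE = json.dumps({
    "credentialSet": [{
        "assumedRoleUser": {"arn": "arn:aws:sts::111122223333:assumed-role/example-role/s1",
                            "assumedRoleId": "EXAMPLEROLEID:s1"},
        "credentials": {"accessKeyId": "ASIAEXAMPLEACCESSKEY",
                        "expiration": "2030-01-01T01:00:00Z",
                        "secretAccessKey": "constructed-secret",
                        "sessionToken": "constructed-token"},
        "packedPolicySize": 0, "roleArn": SAMPLE_ROLE, "sourceIdentity": "CN=example"}],
    "subjectArn": "arn:aws:rolesanywhere:us-east-1:111122223333:subject/example"})
```

Comparing the returned roleArn with the requested one and rejecting expired credentials keeps a workload from caching or using a session it did not ask for.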

The relationship between CreateSession and AssumeRole

CreateSession is an X.509 wrapper around AssumeRole. The temporary session credentials are delivered to RolesAnywhere by AssumeRole, and then passed on without modification in the result of CreateSession. CreateSession is not included in any SDK or client because there is not yet native SDK or client support for CreateSession's signing process.