Using Temporary Credentials from AWS STS
AWS Security Token Service (AWS STS) enables you to request limited privilege, temporary credentials for IAM users, or for users that you authenticate via identity federation.
One common use case for temporary credentials is to grant mobile or client-side applications access to AWS resources by authenticating users through third-party identity providers (see Web Identity Federation).
Temporary credentials generated by AWS STS are not supported by every service. To determine whether the service you are using supports temporary credentials, see IAM Temporary Security Credentials.
Getting Temporary Credentials
AWS STS has several operations that return temporary credentials, but the
GetSessionToken
operation is the simplest to demonstrate.
Assuming you have an instance of Aws\Sts\StsClient
stored in the
$stsClient
variable, you call it as follows.
$result = $stsClient->getSessionToken();
The result for GetSessionToken
and the other AWS STS operations always
contains a 'Credentials'
value. If you print the result
(e.g., print_r($result)
), it looks like the following.
Array ( ... [Credentials] => Array ( [SessionToken] => '<base64 encoded session token value>' [SecretAccessKey] => '<temporary secret access key value>' [Expiration] => 2013-11-01T01:57:52Z [AccessKeyId] => '<temporary access key value>' ) ... )
Providing Temporary Credentials to the AWS SDK for PHP
You can use temporary credentials with another AWS client by instantiating the client and passing in the values received from AWS STS directly.
use Aws\S3\S3Client; $result = $stsClient->getSessionToken(); $s3Client = new S3Client([ 'version' => '2006-03-01', 'region' => 'us-west-2', 'credentials' => [ 'key' => $result['Credentials']['AccessKeyId'], 'secret' => $result['Credentials']['SecretAccessKey'], 'token' => $result['Credentials']['SessionToken'] ] ]);
You can also construct an Aws\Credentials\Credentials
object and use that
when instantiating the client.
use Aws\Credentials\Credentials; use Aws\S3\S3Client; $result = $stsClient->getSessionToken(); $credentials = new Credentials( $result['Credentials']['AccessKeyId'], $result['Credentials']['SecretAccessKey'], $result['Credentials']['SessionToken'] ); $s3Client = new S3Client([ 'version' => '2006-03-01', 'region' => 'us-west-2', 'credentials' => $credentials ]);
However, the best way to provide temporary credentials is to use the
createCredentials()
helper method included with the StsClient
. This
method extracts the data from an AWS STS result and creates the Credentials
object for you.
$result = $stsClient->getSessionToken(); $credentials = $stsClient->createCredentials($result); $s3Client = new S3Client([ 'version' => '2006-03-01', 'region' => 'us-west-2', 'credentials' => $credentials ]);
For more information about why you might need to use temporary credentials in your application or project, see Scenarios for Granting Temporary Access in the AWS STS documentation.