GetSessionToken if you want to use MFA to protect programmatic
calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
IAM users would need to call GetSessionToken and submit an MFA code that
is associated with their MFA device. Using the temporary security credentials that
are returned from the call, IAM users can then make programmatic calls to APIs that
require MFA authentication. If you do not supply a correct MFA code, then the API
returns an access denied error.
The GetSessionToken action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that are created
by IAM users are valid for the duration that you specify, between 900 seconds (15
minutes) and 129600 seconds (36 hours); credentials that are created by using account
credentials have a maximum duration of 3600 seconds (1 hour).
We recommend that you do not call GetSessionToken with root account credentials.
Instead, follow our best
practices by creating one or more IAM users, giving them the necessary permissions,
and using IAM users for everyday interaction with AWS.
The permissions associated with the temporary security credentials returned by GetSessionToken
are based on the permissions associated with account or IAM user whose credentials
are used to call the action. If GetSessionToken is called using root
account credentials, the temporary credentials have root account permissions. Similarly,
if GetSessionToken is called using the credentials of an IAM user, the
temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken to create temporary
credentials, go to Temporary
Credentials for Users in Untrusted Environments in the Using IAM.
Inheritance Hierarchy
Amazon.Runtime.AmazonWebServiceRequest
Amazon.SecurityToken.AmazonSecurityTokenServiceRequest
Amazon.SecurityToken.Model.GetSessionTokenRequest
Namespace: Amazon.SecurityToken.Model
Assembly: AWSSDK.dll
Version: (assembly version)
Syntax
public class GetSessionTokenRequest : AmazonSecurityTokenServiceRequest IRequestEvents
The GetSessionTokenRequest type exposes the following members
Constructors
| Name | Description | |
|---|---|---|
|
GetSessionTokenRequest() | Empty constructor used to set properties independently even when a simple constructor is available |
Properties
| Name | Type | Description | |
|---|---|---|---|
|
|
DurationSeconds | System.Int32 |
Gets and sets the property DurationSeconds.
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour. |
|
|
SerialNumber | System.String |
Gets and sets the property SerialNumber.
The identification number of the MFA device that is associated with the IAM user who
is making the |
|
|
TokenCode | System.String |
Gets and sets the property TokenCode.
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication. |
Version Information
.NET Framework:
Supported in: 4.5, 4.0, 3.5
.NET for Windows Store apps:
Supported in: Windows 8.1, Windows 8
.NET for Windows Phone:
Supported in: Windows Phone 8.1, Windows Phone 8