Returns a set of temporary credentials for an AWS account or IAM user. The credentials
consist of an access key ID, a secret access key, and a security token. Typically,
you use GetSessionToken if you want to use MFA to protect programmatic
calls to specific AWS APIs like Amazon EC2.
IAM users would need to call
GetSessionToken and submit an MFA code that
is associated with their MFA device. Using the temporary security credentials that
are returned from the call, IAM users can then make programmatic calls to APIs that
require MFA authentication. If you do not supply a correct MFA code, then the API
returns an access denied error. For a comparison of GetSessionToken with
the other APIs that produce temporary credentials, see Requesting
Temporary Security Credentials and Comparing
the AWS STS APIs in the IAM User Guide.
The GetSessionToken action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that are created
by IAM users are valid for the duration that you specify, from 900 seconds (15 minutes)
up to a maximum of 129600 seconds (36 hours), with a default of 43200 seconds (12
hours); credentials that are created by using account credentials can range from 900
seconds (15 minutes) up to a maximum of 3600 seconds (1 hour), with a default of 1
The temporary security credentials created by
GetSessionToken can be
used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM APIs unless MFA authentication information is included in the request.
You cannot call any STS API except
We recommend that you do not call
GetSessionToken with root account credentials.
Instead, follow our best
practices by creating one or more IAM users, giving them the necessary permissions,
and using IAM users for everyday interaction with AWS.
The permissions associated with the temporary security credentials returned by
GetSessionToken are based on the permissions associated with the account or IAM user
whose credentials are used to call the action. If
GetSessionToken is called using root
account credentials, the temporary credentials have root account permissions. Similarly,
if GetSessionToken is called using the credentials of an IAM user, the
temporary credentials have the same permissions as the IAM user.
For more information about using
GetSessionToken to create temporary
credentials, go to Temporary
Credentials for Users in Untrusted Environments in the IAM User Guide.
For .NET Core and PCL this operation is only available in asynchronous form. Please refer to GetSessionTokenAsync.
public virtual GetSessionTokenResponse GetSessionToken()
| Exception | Condition |
|---|---|
| RegionDisabledException | STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide. |
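
The MFA flow described above, as an added example that is not taken from the AWS documentation or the SDK source. It uses the asynchronous form GetSessionTokenAsync, enforces the duration limits stated on this page before calling STS, and defaults to the shortest lifetime. The helper name MfaSession.CreateAsync, its parameters and the sample serial number are assumptions, and the region is assumed to come from the default SDK configuration.

```csharp
using System;
using System.Threading.Tasks;
using Amazon.Runtime;
using Amazon.SecurityToken;
using Amazon.SecurityToken.Model;

public static class MfaSession   // hypothetical helper, not part of the SDK
{
    // Duration limits stated on this page, in seconds.
    private const int Min = 900;
    private const int MaxIamUser = 129600;
    private const int MaxAccount = 3600;

    // longTerm must be long-term credentials (IAM user access keys).
    // mfaSerial identifies the MFA device, for example the constructed value
    // "arn:aws:iam::123456789012:mfa/example-user"; mfaCode is its current code.
    public static async Task<SessionAWSCredentials> CreateAsync(
        AWSCredentials longTerm, string mfaSerial, string mfaCode,
        int durationSeconds = 900, bool callerIsIamUser = true)
    {
        int max = callerIsIamUser ? MaxIamUser : MaxAccount;
        if (durationSeconds < Min || durationSeconds > max)
            throw new ArgumentOutOfRangeException(nameof(durationSeconds),
                $"Duration must be between {Min} and {max} seconds.");

        using var sts = new AmazonSecurityTokenServiceClient(longTerm);
        try
        {
            GetSessionTokenResponse resp = await sts.GetSessionTokenAsync(
                new GetSessionTokenRequest
                {
                    DurationSeconds = durationSeconds,
                    SerialNumber = mfaSerial,
                    TokenCode = mfaCode
                });
            Credentials c = resp.Credentials;
            // All three parts are needed on later calls: key ID, secret, token.
            return new SessionAWSCredentials(
                c.AccessKeyId, c.SecretAccessKey, c.SessionToken);
        }
        catch (RegionDisabledException)
        {
            Console.Error.WriteLine("STS is not activated in this region for the account.");
            throw;
        }
        // A wrong MFA code is rejected with an access denied error, which
        // propagates to the caller as AmazonSecurityTokenServiceException.
    }
}
```

Pass the returned SessionAWSCredentials to the constructor of the service client that makes the MFA-protected calls, and request a new session when it expires rather than storing the temporary values.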
Supported in: 4.5, 4.0, 3.5
Portable Class Library:
Supported in: Windows Store Apps
Supported in: Windows Phone 8.1
Supported in: Xamarin Android
Supported in: Xamarin iOS (Unified)
Supported in: Xamarin.Forms
Supported Versions: 4.6 and above
Supported Platforms: Android, iOS, Standalone