Struct aws_sdk_sts::client::fluent_builders::GetSessionToken [−][src]
pub struct GetSessionToken<C = DynConnector, M = AwsMiddleware, R = Standard> { /* fields omitted */ }
Expand description
Fluent builder constructing a request to GetSessionToken
.
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
credentials consist of an access key ID, a secret access key, and a security token.
Typically, you use GetSessionToken
if you want to use MFA to protect
programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
MFA-enabled IAM users would need to call GetSessionToken
and submit an MFA
code that is associated with their MFA device. Using the temporary security credentials
that are returned from the call, IAM users can then make programmatic calls to API
operations that require MFA authentication. If you do not supply a correct MFA code, then
the API returns an access denied error. For a comparison of GetSessionToken
with the other API operations that produce temporary credentials, see Requesting
Temporary Security Credentials and Comparing the
STS API operations in the IAM User Guide.
Session Duration
The GetSessionToken
operation must be called by using the long-term Amazon Web Services
security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
created by IAM users are valid for the duration that you specify. This duration can range
from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken
can be used
to make API calls to any Amazon Web Services service with the following exceptions:
-
You cannot call any IAM API operations unless MFA authentication information is included in the request.
-
You cannot call any STS API except
AssumeRole
orGetCallerIdentity
.
We recommend that you do not call GetSessionToken
with Amazon Web Services account
root user credentials. Instead, follow our best practices by
creating one or more IAM users, giving them the necessary permissions, and using IAM
users for everyday interaction with Amazon Web Services.
The credentials that are returned by GetSessionToken
are based on
permissions associated with the user whose credentials were used to call the operation. If
GetSessionToken
is called using Amazon Web Services account root user credentials, the
temporary credentials have root user permissions. Similarly, if
GetSessionToken
is called using the credentials of an IAM user, the
temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken
to create temporary
credentials, go to Temporary
Credentials for Users in Untrusted Environments in the
IAM User Guide.
Implementations
impl<C, M, R> GetSessionToken<C, M, R> where
C: SmithyConnector,
M: SmithyMiddleware<C>,
R: NewRequestPolicy,
impl<C, M, R> GetSessionToken<C, M, R> where
C: SmithyConnector,
M: SmithyMiddleware<C>,
R: NewRequestPolicy,
pub async fn send(
self
) -> Result<GetSessionTokenOutput, SdkError<GetSessionTokenError>> where
R::Policy: SmithyRetryPolicy<GetSessionTokenInputOperationOutputAlias, GetSessionTokenOutput, GetSessionTokenError, GetSessionTokenInputOperationRetryAlias>,
pub async fn send(
self
) -> Result<GetSessionTokenOutput, SdkError<GetSessionTokenError>> where
R::Policy: SmithyRetryPolicy<GetSessionTokenInputOperationOutputAlias, GetSessionTokenOutput, GetSessionTokenError, GetSessionTokenInputOperationRetryAlias>,
Sends the request and returns the response.
If an error occurs, an SdkError
will be returned with additional details that
can be matched against.
By default, any retryable failures will be retried twice. Retry behavior is configurable with the RetryConfig, which can be set when configuring the client.
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for Amazon Web Services account owners defaults to one hour.
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for Amazon Web Services account owners defaults to one hour.
The identification number of the MFA device that is associated with the IAM user who
is making the GetSessionToken
call. Specify this value if the IAM user
has a policy that requires MFA authentication. The value is either the serial number for
a hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN)
for a virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can
find the device for an IAM user by going to the Management Console and viewing the user's
security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
The identification number of the MFA device that is associated with the IAM user who
is making the GetSessionToken
call. Specify this value if the IAM user
has a policy that requires MFA authentication. The value is either the serial number for
a hardware device (such as GAHT12345678
) or an Amazon Resource Name (ARN)
for a virtual device (such as arn:aws:iam::123456789012:mfa/user
). You can
find the device for an IAM user by going to the Management Console and viewing the user's
security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an "access denied" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an "access denied" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Trait Implementations
Auto Trait Implementations
impl<C = DynConnector, M = AwsMiddleware, R = Standard> !RefUnwindSafe for GetSessionToken<C, M, R>
impl<C, M, R> Send for GetSessionToken<C, M, R> where
C: Send + Sync,
M: Send + Sync,
R: Send + Sync,
impl<C, M, R> Sync for GetSessionToken<C, M, R> where
C: Send + Sync,
M: Send + Sync,
R: Send + Sync,
impl<C, M, R> Unpin for GetSessionToken<C, M, R>
impl<C = DynConnector, M = AwsMiddleware, R = Standard> !UnwindSafe for GetSessionToken<C, M, R>
Blanket Implementations
Mutably borrows from an owned value. Read more
Attaches the provided Subscriber
to this type, returning a
WithDispatch
wrapper. Read more
Attaches the current default Subscriber
to this type, returning a
WithDispatch
wrapper. Read more