Returns a set of temporary security credentials (consisting of an access key ID, a * secret access key, and a security token) for a user. A typical use is in a proxy * application that gets temporary security credentials on behalf of distributed applications * inside a corporate network.
*You must call the GetFederationToken operation
* using the long-term security credentials of an IAM user. As a result, this call is
* appropriate in contexts where those credentials can be safeguarded, usually in a
* server-based application. For a comparison of GetFederationToken with the
* other API operations that produce temporary credentials, see Requesting Temporary Security
* Credentials and Comparing the
* Amazon Web Services STS API operations in the IAM User Guide.
Although it is possible to call GetFederationToken using the security credentials of an
* Amazon Web Services account root user rather than an IAM user that you create for the purpose of a proxy application, we do not recommend it. For more information, see Safeguard your root user credentials and don't use them for everyday tasks in the
* IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using
* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
* Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
* AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the
* IAM User Guide.
* Session duration *
*The temporary credentials are valid for the specified duration, from 900 seconds (15 * minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is * 43,200 seconds (12 hours). Temporary credentials obtained by using the root user credentials have a maximum duration of 3,600 seconds (1 hour).
** Permissions *
*You can use the temporary credentials created by GetFederationToken in any
* Amazon Web Services service with the following exceptions:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.
*You cannot call any STS operations except GetCallerIdentity.
You can use temporary credentials for single sign-on (SSO) to the console.
*You must pass an inline or managed session policy to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as * managed session policies. The plaintext that you use for both inline and managed session * policies can't exceed 2,048 characters.
*Though the session policy parameters are optional, if you do not pass a policy, then the
* resulting federated user session has no permissions. When you pass session policies, the
* session permissions are the intersection of the IAM user policies and the session
* policies that you pass. This gives you a way to further restrict the permissions for a
* federated user. You cannot use session policies to grant more permissions than those that
* are defined in the permissions policy of the IAM user. For more information, see Session
* Policies in the IAM User Guide. For information about
* using GetFederationToken to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If
* that policy specifically references the federated user session in the
* Principal element of the policy, the session has the permissions allowed by
* the policy. These permissions are granted in addition to the permissions granted by the
* session policies.
* Tags *
*(Optional) You can pass tag key-value pairs to your session. These are called session * tags. For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.
*You can create a mobile-based or browser-based app that can authenticate users using
* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
* Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
* AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the
* IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The * administrator can also create granular permissions to allow you to pass only specific * session tags. For more information, see Tutorial: Using Tags * for Attribute-Based Access Control in the * IAM User Guide.
*Tag key–value pairs are not case sensitive, but case is preserved. This means that you
* cannot have separate Department and department tag keys. Assume
* that the user that you are federating has the
* Department=Marketing tag and you pass the
* department=engineering session tag. Department
* and department are not saved as separate tags, and the session tag passed in
* the request takes precedence over the user tag.
The request was rejected because the policy document was malformed. The error message * describes the specific error.
* * @throws {@link PackedPolicyTooLargeException} (client fault) *The request was rejected because the total packed size of the session policies and * session tags combined was too large. An Amazon Web Services conversion compresses the session policy * document, session policy ARNs, and session tags into a packed binary format that has a * separate limit. The error message indicates by percentage how close the policies and * tags are to the upper size limit. For more information, see Passing Session Tags in STS in * the IAM User Guide.
*You could receive this error even though you meet other defined session policy and * session tag limits. For more information, see IAM and STS Entity * Character Limits in the IAM User Guide.
* * @throws {@link RegionDisabledException} (client fault) *STS is not activated in the requested region for the account that is being asked to * generate credentials. The account administrator must use the IAM console to activate STS * in that region. For more information, see Activating and * Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User * Guide.
* * @throws {@link STSServiceException} *Base exception class for all service exceptions from STS service.
* * @example To get temporary credentials for a role by using GetFederationToken * ```javascript * // * const input = { * "DurationSeconds": 3600, * "Name": "testFedUserSession", * "Policy": "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}", * "Tags": [ * { * "Key": "Project", * "Value": "Pegasus" * }, * { * "Key": "Cost-Center", * "Value": "98765" * } * ] * }; * const command = new GetFederationTokenCommand(input); * const response = await client.send(command); * /* response == * { * "Credentials": { * "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", * "Expiration": "2011-07-15T23:28:33.359Z", * "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", * "SessionToken": "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==" * }, * "FederatedUser": { * "Arn": "arn:aws:sts::123456789012:federated-user/Bob", * "FederatedUserId": "123456789012:Bob" * }, * "PackedPolicySize": 8 * } * *\/ * // example id: to-get-temporary-credentials-for-a-role-by-using-getfederationtoken-1480540749900 * ``` * */ export declare class GetFederationTokenCommand extends $Command