import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient"; import { GetFederationTokenRequest, GetFederationTokenResponse } from "../models/models_0"; import { deserializeAws_queryGetFederationTokenCommand, serializeAws_queryGetFederationTokenCommand, } from "../protocols/Aws_query"; import { getSerdePlugin } from "@aws-sdk/middleware-serde"; import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing"; import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http"; import { Command as $Command } from "@aws-sdk/smithy-client"; import { FinalizeHandlerArguments, Handler, HandlerExecutionContext, MiddlewareStack, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, SerdeContext as __SerdeContext, } from "@aws-sdk/types"; export interface GetFederationTokenCommandInput extends GetFederationTokenRequest {} export interface GetFederationTokenCommandOutput extends GetFederationTokenResponse, __MetadataBearer {} /** *
Returns a set of temporary security credentials (consisting of an access key ID, a
* secret access key, and a security token) for a federated user. A typical use is in a proxy
* application that gets temporary security credentials on behalf of distributed applications
* inside a corporate network. You must call the GetFederationToken
operation
* using the long-term security credentials of an IAM user. As a result, this call is
* appropriate in contexts where those credentials can be safely stored, usually in a
* server-based application. For a comparison of GetFederationToken
with the
* other API operations that produce temporary credentials, see Requesting Temporary Security
* Credentials and Comparing the
* STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate users using
* a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
* Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
* AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the
* IAM User Guide.
You can also call GetFederationToken
using the security credentials of an
* Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create
* an IAM user for the purpose of the proxy application. Then attach a policy to the IAM
* user that limits federated users to only the actions and resources that they need to
* access. For more information, see IAM Best Practices in the
* IAM User Guide.
* Session duration *
*The temporary credentials are valid for the specified duration, from 900 seconds (15 * minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is * 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services account * root user credentials have a maximum duration of 3,600 seconds (1 hour).
** Permissions *
*You can use the temporary credentials created by GetFederationToken
in any
* Amazon Web Services service except the following:
You cannot call any IAM operations using the CLI or the Amazon Web Services API.
*You cannot call any STS operations except GetCallerIdentity
.
You must pass an inline or managed session policy to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policies to use as managed session policies. * The plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters.
*Though the session policy parameters are optional, if you do not pass a policy, then the
* resulting federated user session has no permissions. When you pass session policies, the
* session permissions are the intersection of the IAM user policies and the session
* policies that you pass. This gives you a way to further restrict the permissions for a
* federated user. You cannot use session policies to grant more permissions than those that
* are defined in the permissions policy of the IAM user. For more information, see Session
* Policies in the IAM User Guide. For information about
* using GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If
* that policy specifically references the federated user session in the
* Principal
element of the policy, the session has the permissions allowed by
* the policy. These permissions are granted in addition to the permissions granted by the
* session policies.
* Tags *
*(Optional) You can pass tag key-value pairs to your session. These are called session * tags. For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.
*You can create a mobile-based or browser-based app that can authenticate users
* using a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
* Connect-compatible identity provider. In this case, we recommend that you use Amazon Cognito or
* AssumeRoleWithWebIdentity
. For more information, see Federation Through a Web-based Identity Provider in the
* IAM User Guide.
You can also call GetFederationToken
using the security credentials of an
* Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you
* create an IAM user for the purpose of the proxy application. Then attach a policy to
* the IAM user that limits federated users to only the actions and resources that they
* need to access. For more information, see IAM Best Practices in the
* IAM User Guide.
* Session duration *
*The temporary credentials are valid for the specified duration, from 900 seconds (15 * minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is * 43,200 seconds (12 hours). Temporary credentials that are obtained by using Amazon Web Services * account root user credentials have a maximum duration of 3,600 seconds (1 hour).
** Permissions *
*You can use the temporary credentials created by GetFederationToken
in
* any Amazon Web Services service except the following:
You cannot call any IAM operations using the CLI or the Amazon Web Services API. *
*You cannot call any STS operations except
* GetCallerIdentity
.
You must pass an inline or managed session policy to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policies to use as managed session * policies. The plain text that you use for both inline and managed session policies can't * exceed 2,048 characters.
*Though the session policy parameters are optional, if you do not pass a policy, then
* the resulting federated user session has no permissions. When you pass session policies,
* the session permissions are the intersection of the IAM user policies and the session
* policies that you pass. This gives you a way to further restrict the permissions for a
* federated user. You cannot use session policies to grant more permissions than those
* that are defined in the permissions policy of the IAM user. For more information, see
* Session Policies
* in the IAM User Guide. For information about using
* GetFederationToken
to create temporary security credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based policy. If
* that policy specifically references the federated user session in the
* Principal
element of the policy, the session has the permissions
* allowed by the policy. These permissions are granted in addition to the permissions
* granted by the session policies.
* Tags *
*(Optional) You can pass tag key-value pairs to your session. These are called session * tags. For more information about session tags, see Passing Session Tags in STS in * the IAM User Guide.
*An administrator must grant you the permissions necessary to pass session tags. The * administrator can also create granular permissions to allow you to pass only specific * session tags. For more information, see Tutorial: Using * Tags for Attribute-Based Access Control in the * IAM User Guide.
*Tag key–value pairs are not case sensitive, but case is preserved. This means that you
* cannot have separate Department
and department
tag keys.
* Assume that the user that you are federating has the
* Department
=Marketing
tag and you pass the
* department
=engineering
session tag.
* Department
and department
are not saved as separate tags,
* and the session tag passed in the request takes precedence over the user tag.