@aws-sdk/client-sts
Version:
AWS SDK for JavaScript Sts Client for Node.js, Browser and React Native
114 lines (113 loc) • 6.88 kB
JavaScript
;
Object.defineProperty(exports, "__esModule", { value: true });
exports.GetSessionTokenCommand = void 0;
const middleware_serde_1 = require("@aws-sdk/middleware-serde");
const middleware_signing_1 = require("@aws-sdk/middleware-signing");
const smithy_client_1 = require("@aws-sdk/smithy-client");
const models_0_1 = require("../models/models_0");
const Aws_query_1 = require("../protocols/Aws_query");
/**
* <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
* credentials consist of an access key ID, a secret access key, and a security token.
* Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect
* programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>.
* MFA-enabled IAM users would need to call <code>GetSessionToken</code> and submit an MFA
* code that is associated with their MFA device. Using the temporary security credentials
* that are returned from the call, IAM users can then make programmatic calls to API
* operations that require MFA authentication. If you do not supply a correct MFA code, then
* the API returns an access denied error. For a comparison of <code>GetSessionToken</code>
* with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
* Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* STS API operations</a> in the <i>IAM User Guide</i>.</p>
* <p>
* <b>Session Duration</b>
* </p>
* <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services
* security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
* created by IAM users are valid for the duration that you specify. This duration can range
* from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
* of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
* seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p>
* <p>
* <b>Permissions</b>
* </p>
* <p>The temporary security credentials created by <code>GetSessionToken</code> can be used
* to make API calls to any Amazon Web Services service with the following exceptions:</p>
* <ul>
* <li>
* <p>You cannot call any IAM API operations unless MFA authentication information is
* included in the request.</p>
* </li>
* <li>
* <p>You cannot call any STS API <i>except</i>
* <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p>
* </li>
* </ul>
* <note>
* <p>We recommend that you do not call <code>GetSessionToken</code> with Amazon Web Services account
* root user credentials. Instead, follow our <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users">best practices</a> by
* creating one or more IAM users, giving them the necessary permissions, and using IAM
* users for everyday interaction with Amazon Web Services. </p>
* </note>
* <p>The credentials that are returned by <code>GetSessionToken</code> are based on
* permissions associated with the user whose credentials were used to call the operation. If
* <code>GetSessionToken</code> is called using Amazon Web Services account root user credentials, the
* temporary credentials have root user permissions. Similarly, if
* <code>GetSessionToken</code> is called using the credentials of an IAM user, the
* temporary credentials have the same permissions as the IAM user. </p>
* <p>For more information about using <code>GetSessionToken</code> to create temporary
* credentials, go to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken">Temporary
* Credentials for Users in Untrusted Environments</a> in the
* <i>IAM User Guide</i>. </p>
* @example
* Use a bare-bones client and the command you need to make an API call.
* ```javascript
* import { STSClient, GetSessionTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import
* // const { STSClient, GetSessionTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import
* const client = new STSClient(config);
* const command = new GetSessionTokenCommand(input);
* const response = await client.send(command);
* ```
*
* @see {@link GetSessionTokenCommandInput} for command's `input` shape.
* @see {@link GetSessionTokenCommandOutput} for command's `response` shape.
* @see {@link STSClientResolvedConfig | config} for command's `input` shape.
*
*/
class GetSessionTokenCommand extends smithy_client_1.Command {
// Start section: command_properties
// End section: command_properties
constructor(input) {
// Start section: command_constructor
super();
this.input = input;
// End section: command_constructor
}
/**
* @internal
*/
resolveMiddleware(clientStack, configuration, options) {
this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
this.middlewareStack.use(middleware_signing_1.getAwsAuthPlugin(configuration));
const stack = clientStack.concat(this.middlewareStack);
const { logger } = configuration;
const clientName = "STSClient";
const commandName = "GetSessionTokenCommand";
const handlerExecutionContext = {
logger,
clientName,
commandName,
inputFilterSensitiveLog: models_0_1.GetSessionTokenRequest.filterSensitiveLog,
outputFilterSensitiveLog: models_0_1.GetSessionTokenResponse.filterSensitiveLog,
};
const { requestHandler } = configuration;
return stack.resolve((request) => requestHandler.handle(request.request, options || {}), handlerExecutionContext);
}
serialize(input, context) {
return Aws_query_1.serializeAws_queryGetSessionTokenCommand(input, context);
}
deserialize(output, context) {
return Aws_query_1.deserializeAws_queryGetSessionTokenCommand(output, context);
}
}
exports.GetSessionTokenCommand = GetSessionTokenCommand;