UNPKG

@aws-sdk/client-sts

Version:

AWS SDK for JavaScript Sts Client for Node.js, Browser and React Native

github.com/aws/aws-sdk-js-v3/tree/main/clients/client-sts

aws/aws-sdk-js-v3

87 lines (86 loc) 6.07 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
import { Command as $Command } from "@aws-sdk/smithy-client"; import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@aws-sdk/types"; import { GetSessionTokenRequest, GetSessionTokenResponse } from "../models/models_0"; import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient"; export interface GetSessionTokenCommandInput extends GetSessionTokenRequest { } export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, __MetadataBearer { } /** * <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The * credentials consist of an access key ID, a secret access key, and a security token. * Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect * programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>. * MFA-enabled IAM users would need to call <code>GetSessionToken</code> and submit an MFA * code that is associated with their MFA device. Using the temporary security credentials * that are returned from the call, IAM users can then make programmatic calls to API * operations that require MFA authentication. If you do not supply a correct MFA code, then * the API returns an access denied error. For a comparison of <code>GetSessionToken</code> * with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting * Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the * STS API operations</a> in the <i>IAM User Guide</i>.</p> * <p> * <b>Session Duration</b> * </p> * <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services * security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are * created by IAM users are valid for the duration that you specify. This duration can range * from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default * of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 * seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p> * <p> * <b>Permissions</b> * </p> * <p>The temporary security credentials created by <code>GetSessionToken</code> can be used * to make API calls to any Amazon Web Services service with the following exceptions:</p> * <ul> * <li> * <p>You cannot call any IAM API operations unless MFA authentication information is * included in the request.</p> * </li> * <li> * <p>You cannot call any STS API <i>except</i> * <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p> * </li> * </ul> * <note> * <p>We recommend that you do not call <code>GetSessionToken</code> with Amazon Web Services account * root user credentials. Instead, follow our <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users">best practices</a> by * creating one or more IAM users, giving them the necessary permissions, and using IAM * users for everyday interaction with Amazon Web Services. </p> * </note> * <p>The credentials that are returned by <code>GetSessionToken</code> are based on * permissions associated with the user whose credentials were used to call the operation. If * <code>GetSessionToken</code> is called using Amazon Web Services account root user credentials, the * temporary credentials have root user permissions. Similarly, if * <code>GetSessionToken</code> is called using the credentials of an IAM user, the * temporary credentials have the same permissions as the IAM user. </p> * <p>For more information about using <code>GetSessionToken</code> to create temporary * credentials, go to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken">Temporary * Credentials for Users in Untrusted Environments</a> in the * <i>IAM User Guide</i>. </p> * @example * Use a bare-bones client and the command you need to make an API call. * ```javascript * import { STSClient, GetSessionTokenCommand } from "@aws-sdk/client-sts"; // ES Modules import * // const { STSClient, GetSessionTokenCommand } = require("@aws-sdk/client-sts"); // CommonJS import * const client = new STSClient(config); * const command = new GetSessionTokenCommand(input); * const response = await client.send(command); * ``` * * @see {@link GetSessionTokenCommandInput} for command's `input` shape. * @see {@link GetSessionTokenCommandOutput} for command's `response` shape. * @see {@link STSClientResolvedConfig | config} for command's `input` shape. * */ export declare class GetSessionTokenCommand extends $Command<GetSessionTokenCommandInput, GetSessionTokenCommandOutput, STSClientResolvedConfig> { readonly input: GetSessionTokenCommandInput; constructor(input: GetSessionTokenCommandInput); /** * @internal */ resolveMiddleware(clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>, configuration: STSClientResolvedConfig, options?: __HttpHandlerOptions): Handler<GetSessionTokenCommandInput, GetSessionTokenCommandOutput>; private serialize; private deserialize; }