import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient"; import { GetSessionTokenRequest, GetSessionTokenResponse } from "../models/models_0"; import { deserializeAws_queryGetSessionTokenCommand, serializeAws_queryGetSessionTokenCommand, } from "../protocols/Aws_query"; import { getSerdePlugin } from "@aws-sdk/middleware-serde"; import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing"; import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http"; import { Command as $Command } from "@aws-sdk/smithy-client"; import { FinalizeHandlerArguments, Handler, HandlerExecutionContext, MiddlewareStack, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, SerdeContext as __SerdeContext, } from "@aws-sdk/types"; export interface GetSessionTokenCommandInput extends GetSessionTokenRequest {} export interface GetSessionTokenCommandOutput extends GetSessionTokenResponse, __MetadataBearer {} /** *
Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
* credentials consist of an access key ID, a secret access key, and a security token.
* Typically, you use GetSessionToken
if you want to use MFA to protect
* programmatic calls to specific Amazon Web Services API operations like Amazon EC2 StopInstances
.
* MFA-enabled IAM users would need to call GetSessionToken
and submit an MFA
* code that is associated with their MFA device. Using the temporary security credentials
* that are returned from the call, IAM users can then make programmatic calls to API
* operations that require MFA authentication. If you do not supply a correct MFA code, then
* the API returns an access denied error. For a comparison of GetSessionToken
* with the other API operations that produce temporary credentials, see Requesting
* Temporary Security Credentials and Comparing the
* STS API operations in the IAM User Guide.
* Session Duration *
*The GetSessionToken
operation must be called by using the long-term Amazon Web Services
* security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
* created by IAM users are valid for the duration that you specify. This duration can range
* from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
* of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
* seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
* Permissions *
*The temporary security credentials created by GetSessionToken
can be used
* to make API calls to any Amazon Web Services service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is * included in the request.
*You cannot call any STS API except
* AssumeRole
or GetCallerIdentity
.
We recommend that you do not call GetSessionToken
with Amazon Web Services account
* root user credentials. Instead, follow our best practices by
* creating one or more IAM users, giving them the necessary permissions, and using IAM
* users for everyday interaction with Amazon Web Services.
The credentials that are returned by GetSessionToken
are based on
* permissions associated with the user whose credentials were used to call the operation. If
* GetSessionToken
is called using Amazon Web Services account root user credentials, the
* temporary credentials have root user permissions. Similarly, if
* GetSessionToken
is called using the credentials of an IAM user, the
* temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken
to create temporary
* credentials, go to Temporary
* Credentials for Users in Untrusted Environments in the
* IAM User Guide.