+ "smithy.api#documentation": "<p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The\n credentials consist of an access key ID, a secret access key, and a security token.\n Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect\n programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>.\n MFA-enabled IAM users would need to call <code>GetSessionToken</code> and submit an MFA\n code that is associated with their MFA device. Using the temporary security credentials\n that are returned from the call, IAM users can then make programmatic calls to API\n operations that require MFA authentication. If you do not supply a correct MFA code, then\n the API returns an access denied error. For a comparison of <code>GetSessionToken</code>\n with the other API operations that produce temporary credentials, see <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html\">Requesting\n Temporary Security Credentials</a> and <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison\">Comparing the\n Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>\n <note>\n <p>No permissions are required for users to perform this operation. The purpose of the\n <code>sts:GetSessionToken</code> operation is to authenticate the user using MFA. You\n cannot use policies to control authentication operations. For more information, see\n <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html\">Permissions for GetSessionToken</a> in the\n <i>IAM User Guide</i>.</p>\n </note>\n <p>\n <b>Session Duration</b>\n </p>\n <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services\n security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are\n created by IAM users are valid for the duration that you specify. This duration can range\n from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default\n of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900\n seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p>\n <p>\n <b>Permissions</b>\n </p>\n <p>The temporary security credentials created by <code>GetSessionToken</code> can be used\n to make API calls to any Amazon Web Services service with the following exceptions:</p>\n <ul>\n <li>\n <p>You cannot call any IAM API operations unless MFA authentication information is\n included in the request.</p>\n </li>\n <li>\n <p>You cannot call any STS API <i>except</i>\n <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p>\n </li>\n </ul>\n <note>\n <p>We recommend that you do not call <code>GetSessionToken</code> with Amazon Web Services account\n root user credentials. Instead, follow our <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users\">best practices</a> by\n creating one or more IAM users, giving them the necessary permissions, and using IAM\n users for everyday interaction with Amazon Web Services. </p>\n </note>\n <p>The credentials that are returned by <code>GetSessionToken</code> are based on\n permissions associated with the user whose credentials were used to call the operation. If\n <code>GetSessionToken</code> is called using Amazon Web Services account root user credentials, the\n temporary credentials have root user permissions. Similarly, if\n <code>GetSessionToken</code> is called using the credentials of an IAM user, the\n temporary credentials have the same permissions as the IAM user. </p>\n <p>For more information about using <code>GetSessionToken</code> to create temporary\n credentials, go to <a href=\"https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken\">Temporary\n Credentials for Users in Untrusted Environments</a> in the\n <i>IAM User Guide</i>. </p>"
0 commit comments