Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken
if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances
. MFA-enabled IAM users would need to call GetSessionToken
and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide .
Session Duration
The GetSessionToken
operation must be called by using the long-term AWS security credentials of the AWS account root user or an IAM user. Credentials that are created by IAM users are valid for the duration that you specify. This duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour.
Permissions
The temporary security credentials created by GetSessionToken
can be used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except AssumeRole
or GetCallerIdentity
.
Note
We recommend that you do not call GetSessionToken
with AWS account root user credentials. Instead, follow our best practices by creating one or more IAM users, giving them the necessary permissions, and using IAM users for everyday interaction with AWS.
The credentials that are returned by GetSessionToken
are based on permissions associated with the user whose credentials were used to call the operation. If GetSessionToken
is called using AWS account root user credentials, the temporary credentials have root user permissions. Similarly, if GetSessionToken
is called using the credentials of an IAM user, the temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken
to create temporary credentials, go to Temporary Credentials for Users in Untrusted Environments in the IAM User Guide .
See also: AWS API Documentation
See ‘aws help’ for descriptions of global parameters.
get-session-token
[--duration-seconds <value>]
[--serial-number <value>]
[--token-code <value>]
[--cli-input-json | --cli-input-yaml]
[--generate-cli-skeleton <value>]
--duration-seconds
(integer)
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
--serial-number
(string)
The identification number of the MFA device that is associated with the IAM user who is making the
GetSessionToken
call. Specify this value if the IAM user has a policy that requires MFA authentication. The value is either the serial number for a hardware device (such asGAHT12345678
) or an Amazon Resource Name (ARN) for a virtual device (such asarn:aws:iam::123456789012:mfa/user
). You can find the device for an IAM user by going to the AWS Management Console and viewing the user’s security credentials.The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
--token-code
(string)
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an “access denied” response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
--cli-input-json
| --cli-input-yaml
(string)
Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton
. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml
.
--generate-cli-skeleton
(string)
Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input
, prints a sample input JSON that can be used as an argument for --cli-input-json
. Similarly, if provided yaml-input
it will print a sample input YAML that can be used with --cli-input-yaml
. If provided with the value output
, it validates the command inputs and returns a sample output JSON for that command.
See ‘aws help’ for descriptions of global parameters.
To get a set of short term credentials for an IAM identity
The following get-session-token
example retrieves a set of short-term credentials for the IAM identity making the call. The resulting credentials can be used for requests where multi-factor authentication (MFA) is required by policy. The credentials expire 15 minutes after they are generated.
aws sts get-session-token \
--duration-seconds 900 \
--serial-number "YourMFADeviceSerialNumber" \
--token-code 123456
Output:
{
"Credentials": {
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
"Expiration": "2020-05-19T18:06:10+00:00"
}
}
For more information, see Requesting Temporary Security Credentials in the IAM User Guide.
Credentials -> (structure)
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
Note
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
AccessKeyId -> (string)
The access key ID that identifies the temporary security credentials.
SecretAccessKey -> (string)
The secret access key that can be used to sign requests.
SessionToken -> (string)
The token that users must pass to the service API to use the temporary credentials.
Expiration -> (timestamp)
The date on which the current credentials expire.