api_op_GetSessionToken.go (9081B)
1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 8 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" 9 "github.com/aws/aws-sdk-go-v2/service/sts/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12 ) 13 14 // Returns a set of temporary credentials for an Amazon Web Services account or IAM 15 // user. The credentials consist of an access key ID, a secret access key, and a 16 // security token. Typically, you use GetSessionToken if you want to use MFA to 17 // protect programmatic calls to specific Amazon Web Services API operations like 18 // Amazon EC2 StopInstances. MFA-enabled IAM users would need to call 19 // GetSessionToken and submit an MFA code that is associated with their MFA device. 20 // Using the temporary security credentials that are returned from the call, IAM 21 // users can then make programmatic calls to API operations that require MFA 22 // authentication. If you do not supply a correct MFA code, then the API returns an 23 // access denied error. For a comparison of GetSessionToken with the other API 24 // operations that produce temporary credentials, see Requesting Temporary Security 25 // Credentials 26 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 27 // and Comparing the Amazon Web Services STS API operations 28 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 29 // in the IAM User Guide. No permissions are required for users to perform this 30 // operation. The purpose of the sts:GetSessionToken operation is to authenticate 31 // the user using MFA. You cannot use policies to control authentication 32 // operations. For more information, see Permissions for GetSessionToken 33 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html) 34 // in the IAM User Guide. Session Duration The GetSessionToken operation must be 35 // called by using the long-term Amazon Web Services security credentials of the 36 // Amazon Web Services account root user or an IAM user. Credentials that are 37 // created by IAM users are valid for the duration that you specify. This duration 38 // can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 39 // hours), with a default of 43,200 seconds (12 hours). Credentials based on 40 // account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds 41 // (1 hour), with a default of 1 hour. Permissions The temporary security 42 // credentials created by GetSessionToken can be used to make API calls to any 43 // Amazon Web Services service with the following exceptions: 44 // 45 // * You cannot call 46 // any IAM API operations unless MFA authentication information is included in the 47 // request. 48 // 49 // * You cannot call any STS API except AssumeRole or 50 // GetCallerIdentity. 51 // 52 // We recommend that you do not call GetSessionToken with 53 // Amazon Web Services account root user credentials. Instead, follow our best 54 // practices 55 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) 56 // by creating one or more IAM users, giving them the necessary permissions, and 57 // using IAM users for everyday interaction with Amazon Web Services. The 58 // credentials that are returned by GetSessionToken are based on permissions 59 // associated with the user whose credentials were used to call the operation. If 60 // GetSessionToken is called using Amazon Web Services account root user 61 // credentials, the temporary credentials have root user permissions. Similarly, if 62 // GetSessionToken is called using the credentials of an IAM user, the temporary 63 // credentials have the same permissions as the IAM user. For more information 64 // about using GetSessionToken to create temporary credentials, go to Temporary 65 // Credentials for Users in Untrusted Environments 66 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) 67 // in the IAM User Guide. 68 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { 69 if params == nil { 70 params = &GetSessionTokenInput{} 71 } 72 73 result, metadata, err := c.invokeOperation(ctx, "GetSessionToken", params, optFns, c.addOperationGetSessionTokenMiddlewares) 74 if err != nil { 75 return nil, err 76 } 77 78 out := result.(*GetSessionTokenOutput) 79 out.ResultMetadata = metadata 80 return out, nil 81 } 82 83 type GetSessionTokenInput struct { 84 85 // The duration, in seconds, that the credentials should remain valid. Acceptable 86 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 87 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for 88 // Amazon Web Services account owners are restricted to a maximum of 3,600 seconds 89 // (one hour). If the duration is longer than one hour, the session for Amazon Web 90 // Services account owners defaults to one hour. 91 DurationSeconds *int32 92 93 // The identification number of the MFA device that is associated with the IAM user 94 // who is making the GetSessionToken call. Specify this value if the IAM user has a 95 // policy that requires MFA authentication. The value is either the serial number 96 // for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) 97 // for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find 98 // the device for an IAM user by going to the Amazon Web Services Management 99 // Console and viewing the user's security credentials. The regex used to validate 100 // this parameter is a string of characters consisting of upper- and lower-case 101 // alphanumeric characters with no spaces. You can also include underscores or any 102 // of the following characters: =,.@:/- 103 SerialNumber *string 104 105 // The value provided by the MFA device, if MFA is required. If any policy requires 106 // the IAM user to submit an MFA code, specify this value. If MFA authentication is 107 // required, the user must provide a code when requesting a set of temporary 108 // security credentials. A user who fails to provide the code receives an "access 109 // denied" response when requesting resources that require MFA authentication. The 110 // format for this parameter, as described by its regex pattern, is a sequence of 111 // six numeric digits. 112 TokenCode *string 113 114 noSmithyDocumentSerde 115 } 116 117 // Contains the response to a successful GetSessionToken request, including 118 // temporary Amazon Web Services credentials that can be used to make Amazon Web 119 // Services requests. 120 type GetSessionTokenOutput struct { 121 122 // The temporary security credentials, which include an access key ID, a secret 123 // access key, and a security (or session) token. The size of the security token 124 // that STS API operations return is not fixed. We strongly recommend that you make 125 // no assumptions about the maximum size. 126 Credentials *types.Credentials 127 128 // Metadata pertaining to the operation's result. 129 ResultMetadata middleware.Metadata 130 131 noSmithyDocumentSerde 132 } 133 134 func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack, options Options) (err error) { 135 err = stack.Serialize.Add(&awsAwsquery_serializeOpGetSessionToken{}, middleware.After) 136 if err != nil { 137 return err 138 } 139 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpGetSessionToken{}, middleware.After) 140 if err != nil { 141 return err 142 } 143 if err = addSetLoggerMiddleware(stack, options); err != nil { 144 return err 145 } 146 if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil { 147 return err 148 } 149 if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil { 150 return err 151 } 152 if err = addResolveEndpointMiddleware(stack, options); err != nil { 153 return err 154 } 155 if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil { 156 return err 157 } 158 if err = addRetryMiddlewares(stack, options); err != nil { 159 return err 160 } 161 if err = addHTTPSignerV4Middleware(stack, options); err != nil { 162 return err 163 } 164 if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil { 165 return err 166 } 167 if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil { 168 return err 169 } 170 if err = addClientUserAgent(stack); err != nil { 171 return err 172 } 173 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 174 return err 175 } 176 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 177 return err 178 } 179 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil { 180 return err 181 } 182 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 183 return err 184 } 185 if err = addResponseErrorMiddleware(stack); err != nil { 186 return err 187 } 188 if err = addRequestResponseLogging(stack, options); err != nil { 189 return err 190 } 191 return nil 192 } 193 194 func newServiceMetadataMiddleware_opGetSessionToken(region string) *awsmiddleware.RegisterServiceMetadata { 195 return &awsmiddleware.RegisterServiceMetadata{ 196 Region: region, 197 ServiceID: ServiceID, 198 SigningName: "sts", 199 OperationName: "GetSessionToken", 200 } 201 }