api_op_GetSessionToken.go (10903B)
1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 "fmt" 8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 9 "github.com/aws/aws-sdk-go-v2/service/sts/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12 ) 13 14 // Returns a set of temporary credentials for an Amazon Web Services account or 15 // IAM user. The credentials consist of an access key ID, a secret access key, and 16 // a security token. Typically, you use GetSessionToken if you want to use MFA to 17 // protect programmatic calls to specific Amazon Web Services API operations like 18 // Amazon EC2 StopInstances . 19 // 20 // MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is 21 // associated with their MFA device. Using the temporary security credentials that 22 // the call returns, IAM users can then make programmatic calls to API operations 23 // that require MFA authentication. An incorrect MFA code causes the API to return 24 // an access denied error. For a comparison of GetSessionToken with the other API 25 // operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Compare STS credentials] in the IAM User Guide. 26 // 27 // No permissions are required for users to perform this operation. The purpose of 28 // the sts:GetSessionToken operation is to authenticate the user using MFA. You 29 // cannot use policies to control authentication operations. For more information, 30 // see [Permissions for GetSessionToken]in the IAM User Guide. 31 // 32 // # Session Duration 33 // 34 // The GetSessionToken operation must be called by using the long-term Amazon Web 35 // Services security credentials of an IAM user. Credentials that are created by 36 // IAM users are valid for the duration that you specify. This duration can range 37 // from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), 38 // with a default of 43,200 seconds (12 hours). Credentials based on account 39 // credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1 40 // hour), with a default of 1 hour. 41 // 42 // # Permissions 43 // 44 // The temporary security credentials created by GetSessionToken can be used to 45 // make API calls to any Amazon Web Services service with the following exceptions: 46 // 47 // - You cannot call any IAM API operations unless MFA authentication 48 // information is included in the request. 49 // 50 // - You cannot call any STS API except AssumeRole or GetCallerIdentity . 51 // 52 // The credentials that GetSessionToken returns are based on permissions 53 // associated with the IAM user whose credentials were used to call the operation. 54 // The temporary credentials have the same permissions as the IAM user. 55 // 56 // Although it is possible to call GetSessionToken using the security credentials 57 // of an Amazon Web Services account root user rather than an IAM user, we do not 58 // recommend it. If GetSessionToken is called using root user credentials, the 59 // temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in 60 // the IAM User Guide 61 // 62 // For more information about using GetSessionToken to create temporary 63 // credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide. 64 // 65 // [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html 66 // [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken 67 // [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials 68 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html 69 // [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html 70 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { 71 if params == nil { 72 params = &GetSessionTokenInput{} 73 } 74 75 result, metadata, err := c.invokeOperation(ctx, "GetSessionToken", params, optFns, c.addOperationGetSessionTokenMiddlewares) 76 if err != nil { 77 return nil, err 78 } 79 80 out := result.(*GetSessionTokenOutput) 81 out.ResultMetadata = metadata 82 return out, nil 83 } 84 85 type GetSessionTokenInput struct { 86 87 // The duration, in seconds, that the credentials should remain valid. Acceptable 88 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 89 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for 90 // Amazon Web Services account owners are restricted to a maximum of 3,600 seconds 91 // (one hour). If the duration is longer than one hour, the session for Amazon Web 92 // Services account owners defaults to one hour. 93 DurationSeconds *int32 94 95 // The identification number of the MFA device that is associated with the IAM 96 // user who is making the GetSessionToken call. Specify this value if the IAM user 97 // has a policy that requires MFA authentication. The value is either the serial 98 // number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name 99 // (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You 100 // can find the device for an IAM user by going to the Amazon Web Services 101 // Management Console and viewing the user's security credentials. 102 // 103 // The regex used to validate this parameter is a string of characters consisting 104 // of upper- and lower-case alphanumeric characters with no spaces. You can also 105 // include underscores or any of the following characters: =,.@:/- 106 SerialNumber *string 107 108 // The value provided by the MFA device, if MFA is required. If any policy 109 // requires the IAM user to submit an MFA code, specify this value. If MFA 110 // authentication is required, the user must provide a code when requesting a set 111 // of temporary security credentials. A user who fails to provide the code receives 112 // an "access denied" response when requesting resources that require MFA 113 // authentication. 114 // 115 // The format for this parameter, as described by its regex pattern, is a sequence 116 // of six numeric digits. 117 TokenCode *string 118 119 noSmithyDocumentSerde 120 } 121 122 // Contains the response to a successful GetSessionToken request, including temporary Amazon Web 123 // Services credentials that can be used to make Amazon Web Services requests. 124 type GetSessionTokenOutput struct { 125 126 // The temporary security credentials, which include an access key ID, a secret 127 // access key, and a security (or session) token. 128 // 129 // The size of the security token that STS API operations return is not fixed. We 130 // strongly recommend that you make no assumptions about the maximum size. 131 Credentials *types.Credentials 132 133 // Metadata pertaining to the operation's result. 134 ResultMetadata middleware.Metadata 135 136 noSmithyDocumentSerde 137 } 138 139 func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack, options Options) (err error) { 140 if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { 141 return err 142 } 143 err = stack.Serialize.Add(&awsAwsquery_serializeOpGetSessionToken{}, middleware.After) 144 if err != nil { 145 return err 146 } 147 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpGetSessionToken{}, middleware.After) 148 if err != nil { 149 return err 150 } 151 if err := addProtocolFinalizerMiddlewares(stack, options, "GetSessionToken"); err != nil { 152 return fmt.Errorf("add protocol finalizers: %v", err) 153 } 154 155 if err = addlegacyEndpointContextSetter(stack, options); err != nil { 156 return err 157 } 158 if err = addSetLoggerMiddleware(stack, options); err != nil { 159 return err 160 } 161 if err = addClientRequestID(stack); err != nil { 162 return err 163 } 164 if err = addComputeContentLength(stack); err != nil { 165 return err 166 } 167 if err = addResolveEndpointMiddleware(stack, options); err != nil { 168 return err 169 } 170 if err = addComputePayloadSHA256(stack); err != nil { 171 return err 172 } 173 if err = addRetry(stack, options); err != nil { 174 return err 175 } 176 if err = addRawResponseToMetadata(stack); err != nil { 177 return err 178 } 179 if err = addRecordResponseTiming(stack); err != nil { 180 return err 181 } 182 if err = addSpanRetryLoop(stack, options); err != nil { 183 return err 184 } 185 if err = addClientUserAgent(stack, options); err != nil { 186 return err 187 } 188 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 189 return err 190 } 191 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 192 return err 193 } 194 if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { 195 return err 196 } 197 if err = addTimeOffsetBuild(stack, c); err != nil { 198 return err 199 } 200 if err = addUserAgentRetryMode(stack, options); err != nil { 201 return err 202 } 203 if err = addCredentialSource(stack, options); err != nil { 204 return err 205 } 206 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil { 207 return err 208 } 209 if err = addRecursionDetection(stack); err != nil { 210 return err 211 } 212 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 213 return err 214 } 215 if err = addResponseErrorMiddleware(stack); err != nil { 216 return err 217 } 218 if err = addRequestResponseLogging(stack, options); err != nil { 219 return err 220 } 221 if err = addDisableHTTPSMiddleware(stack, options); err != nil { 222 return err 223 } 224 if err = addInterceptBeforeRetryLoop(stack, options); err != nil { 225 return err 226 } 227 if err = addInterceptAttempt(stack, options); err != nil { 228 return err 229 } 230 if err = addInterceptExecution(stack, options); err != nil { 231 return err 232 } 233 if err = addInterceptBeforeSerialization(stack, options); err != nil { 234 return err 235 } 236 if err = addInterceptAfterSerialization(stack, options); err != nil { 237 return err 238 } 239 if err = addInterceptBeforeSigning(stack, options); err != nil { 240 return err 241 } 242 if err = addInterceptAfterSigning(stack, options); err != nil { 243 return err 244 } 245 if err = addInterceptTransmit(stack, options); err != nil { 246 return err 247 } 248 if err = addInterceptBeforeDeserialization(stack, options); err != nil { 249 return err 250 } 251 if err = addInterceptAfterDeserialization(stack, options); err != nil { 252 return err 253 } 254 if err = addSpanInitializeStart(stack); err != nil { 255 return err 256 } 257 if err = addSpanInitializeEnd(stack); err != nil { 258 return err 259 } 260 if err = addSpanBuildRequestStart(stack); err != nil { 261 return err 262 } 263 if err = addSpanBuildRequestEnd(stack); err != nil { 264 return err 265 } 266 return nil 267 } 268 269 func newServiceMetadataMiddleware_opGetSessionToken(region string) *awsmiddleware.RegisterServiceMetadata { 270 return &awsmiddleware.RegisterServiceMetadata{ 271 Region: region, 272 ServiceID: ServiceID, 273 OperationName: "GetSessionToken", 274 } 275 }