Returns a set of temporary credentials for an AWS account or IAM user.
The credentials consist of an access key ID, a secret access key, and a
security token. Typically, you use
GetSessionToken if you want to use
MFA to protect programmatic calls to specific AWS API operations like
StopInstances. MFA-enabled IAM users would need to call
GetSessionToken and submit an MFA code that is associated with their
MFA device. Using the temporary security credentials that are returned
from the call, IAM users can then make programmatic calls to API
operations that require MFA authentication. If you do not supply a
correct MFA code, then the API returns an access denied error. For a
GetSessionToken with the other API operations that
produce temporary credentials, see Requesting Temporary Security Credentials
and Comparing the AWS STS API operations
in the IAM User Guide.
sts_get_session_token(DurationSeconds, SerialNumber, TokenCode)
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
The identification number of the MFA device that is associated with the
IAM user who is making the
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,[email protected]:/-
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an \"access denied\" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
GetSessionToken operation must be called by using the long-term
AWS security credentials of the AWS account root user or an IAM user.
Credentials that are created by IAM users are valid for the duration
that you specify. This duration can range from 900 seconds (15 minutes)
up to a maximum of 129,600 seconds (36 hours), with a default of 43,200
seconds (12 hours). Credentials based on account credentials can range
from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
default of 1 hour.
The temporary security credentials created by
GetSessionToken can be
used to make API calls to any AWS service with the following exceptions:
You cannot call any IAM API operations unless MFA authentication information is included in the request.
You cannot call any STS API except
We recommend that you do not call
GetSessionToken with AWS account
root user credentials. Instead, follow our best practices
by creating one or more IAM users, giving them the necessary
permissions, and using IAM users for everyday interaction with AWS.
The credentials that are returned by
GetSessionToken are based on
permissions associated with the user whose credentials were used to call
the operation. If
GetSessionToken is called using AWS account root
user credentials, the temporary credentials have root user permissions.
GetSessionToken is called using the credentials of an
IAM user, the temporary credentials have the same permissions as the IAM
For more information about using
GetSessionToken to create temporary
credentials, go to Temporary Credentials for Users in Untrusted Environments
in the IAM User Guide.
1 2 3 4 5
svc$get_session_token( DurationSeconds = 123, SerialNumber = "string", TokenCode = "string" )
1 2 3 4 5 6
# svc$get_session_token( DurationSeconds = 3600L, SerialNumber = "YourMFASerialNumber", TokenCode = "123456" )
Add the following code to your website.
For more information on customizing the embed code, read Embedding Snippets.