1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 "fmt" 8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 9 "github.com/aws/aws-sdk-go-v2/service/sts/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12 ) 13 14 // Returns a set of temporary credentials for an Amazon Web Services account or 15 // IAM user. The credentials consist of an access key ID, a secret access key, and 16 // a security token. Typically, you use GetSessionToken if you want to use MFA to 17 // protect programmatic calls to specific Amazon Web Services API operations like 18 // Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and 19 // submit an MFA code that is associated with their MFA device. Using the temporary 20 // security credentials that the call returns, IAM users can then make programmatic 21 // calls to API operations that require MFA authentication. An incorrect MFA code 22 // causes the API to return an access denied error. For a comparison of 23 // GetSessionToken with the other API operations that produce temporary 24 // credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 25 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 26 // in the IAM User Guide. No permissions are required for users to perform this 27 // operation. The purpose of the sts:GetSessionToken operation is to authenticate 28 // the user using MFA. You cannot use policies to control authentication 29 // operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html) 30 // in the IAM User Guide. Session Duration The GetSessionToken operation must be 31 // called by using the long-term Amazon Web Services security credentials of an IAM 32 // user. Credentials that are created by IAM users are valid for the duration that 33 // you specify. This duration can range from 900 seconds (15 minutes) up to a 34 // maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 35 // hours). Credentials based on account credentials can range from 900 seconds (15 36 // minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The 37 // temporary security credentials created by GetSessionToken can be used to make 38 // API calls to any Amazon Web Services service with the following exceptions: 39 // - You cannot call any IAM API operations unless MFA authentication 40 // information is included in the request. 41 // - You cannot call any STS API except AssumeRole or GetCallerIdentity . 42 // 43 // The credentials that GetSessionToken returns are based on permissions 44 // associated with the IAM user whose credentials were used to call the operation. 45 // The temporary credentials have the same permissions as the IAM user. Although it 46 // is possible to call GetSessionToken using the security credentials of an Amazon 47 // Web Services account root user rather than an IAM user, we do not recommend it. 48 // If GetSessionToken is called using root user credentials, the temporary 49 // credentials have root user permissions. For more information, see Safeguard 50 // your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) 51 // in the IAM User Guide For more information about using GetSessionToken to 52 // create temporary credentials, see Temporary Credentials for Users in Untrusted 53 // Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) 54 // in the IAM User Guide. 55 func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { 56 if params == nil { 57 params = &GetSessionTokenInput{} 58 } 59 60 result, metadata, err := c.invokeOperation(ctx, "GetSessionToken", params, optFns, c.addOperationGetSessionTokenMiddlewares) 61 if err != nil { 62 return nil, err 63 } 64 65 out := result.(*GetSessionTokenOutput) 66 out.ResultMetadata = metadata 67 return out, nil 68 } 69 70 type GetSessionTokenInput struct { 71 72 // The duration, in seconds, that the credentials should remain valid. Acceptable 73 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 74 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for 75 // Amazon Web Services account owners are restricted to a maximum of 3,600 seconds 76 // (one hour). If the duration is longer than one hour, the session for Amazon Web 77 // Services account owners defaults to one hour. 78 DurationSeconds *int32 79 80 // The identification number of the MFA device that is associated with the IAM 81 // user who is making the GetSessionToken call. Specify this value if the IAM user 82 // has a policy that requires MFA authentication. The value is either the serial 83 // number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name 84 // (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You 85 // can find the device for an IAM user by going to the Amazon Web Services 86 // Management Console and viewing the user's security credentials. The regex used 87 // to validate this parameter is a string of characters consisting of upper- and 88 // lower-case alphanumeric characters with no spaces. You can also include 89 // underscores or any of the following characters: =,.@:/- 90 SerialNumber *string 91 92 // The value provided by the MFA device, if MFA is required. If any policy 93 // requires the IAM user to submit an MFA code, specify this value. If MFA 94 // authentication is required, the user must provide a code when requesting a set 95 // of temporary security credentials. A user who fails to provide the code receives 96 // an "access denied" response when requesting resources that require MFA 97 // authentication. The format for this parameter, as described by its regex 98 // pattern, is a sequence of six numeric digits. 99 TokenCode *string 100 101 noSmithyDocumentSerde 102 } 103 104 // Contains the response to a successful GetSessionToken request, including 105 // temporary Amazon Web Services credentials that can be used to make Amazon Web 106 // Services requests. 107 type GetSessionTokenOutput struct { 108 109 // The temporary security credentials, which include an access key ID, a secret 110 // access key, and a security (or session) token. The size of the security token 111 // that STS API operations return is not fixed. We strongly recommend that you make 112 // no assumptions about the maximum size. 113 Credentials *types.Credentials 114 115 // Metadata pertaining to the operation's result. 116 ResultMetadata middleware.Metadata 117 118 noSmithyDocumentSerde 119 } 120 121 func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack, options Options) (err error) { 122 if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { 123 return err 124 } 125 err = stack.Serialize.Add(&awsAwsquery_serializeOpGetSessionToken{}, middleware.After) 126 if err != nil { 127 return err 128 } 129 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpGetSessionToken{}, middleware.After) 130 if err != nil { 131 return err 132 } 133 if err := addProtocolFinalizerMiddlewares(stack, options, "GetSessionToken"); err != nil { 134 return fmt.Errorf("add protocol finalizers: %v", err) 135 } 136 137 if err = addlegacyEndpointContextSetter(stack, options); err != nil { 138 return err 139 } 140 if err = addSetLoggerMiddleware(stack, options); err != nil { 141 return err 142 } 143 if err = addClientRequestID(stack); err != nil { 144 return err 145 } 146 if err = addComputeContentLength(stack); err != nil { 147 return err 148 } 149 if err = addResolveEndpointMiddleware(stack, options); err != nil { 150 return err 151 } 152 if err = addComputePayloadSHA256(stack); err != nil { 153 return err 154 } 155 if err = addRetry(stack, options); err != nil { 156 return err 157 } 158 if err = addRawResponseToMetadata(stack); err != nil { 159 return err 160 } 161 if err = addRecordResponseTiming(stack); err != nil { 162 return err 163 } 164 if err = addClientUserAgent(stack, options); err != nil { 165 return err 166 } 167 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 168 return err 169 } 170 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 171 return err 172 } 173 if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { 174 return err 175 } 176 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil { 177 return err 178 } 179 if err = addRecursionDetection(stack); err != nil { 180 return err 181 } 182 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 183 return err 184 } 185 if err = addResponseErrorMiddleware(stack); err != nil { 186 return err 187 } 188 if err = addRequestResponseLogging(stack, options); err != nil { 189 return err 190 } 191 if err = addDisableHTTPSMiddleware(stack, options); err != nil { 192 return err 193 } 194 return nil 195 } 196 197 func newServiceMetadataMiddleware_opGetSessionToken(region string) *awsmiddleware.RegisterServiceMetadata { 198 return &awsmiddleware.RegisterServiceMetadata{ 199 Region: region, 200 ServiceID: ServiceID, 201 OperationName: "GetSessionToken", 202 } 203 } 204