The GetFederationToken action returns a set of temporary credentials for a federated user with the user name and policy specified in the request. The credentials consist of an Access Key ID, a Secret Access Key, and a security token. Credentials created by IAM users are valid for the specified duration, between 15 minutes and 36 hours; credentials created using account credentials have a maximum duration of one hour.
The federated user who holds these credentials has any permissions allowed by the intersection of the specified policy and any resource or user policies that apply to the caller of the GetFederationToken API, and any resource policies that apply to the federated user’s Amazon Resource Name (ARN). For more information about how token permissions work, see Controlling Permissions in Temporary Credentials in Using IAM. For information about using GetFederationToken to create temporary credentials, see Creating Temporary Credentials to Enable Access for Federated Users in Using IAM.
Access
public
Parameters
Parameter | Type | Required | Description |
---|---|---|---|
| | Required | The name of the federated user associated with the credentials. For information about limitations on user names, go to Limitations on IAM Entities in Using IAM. [Constraints: The value must be between 2 and 32 characters, and must match the following regular expression pattern: |
| | Optional | An associative array of parameters that can have the following keys: |
Returns
Type | Description |
---|---|
A |
Examples
Create a new temporary user then generate session credentials.
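```php
// Load the SDK (the path depends on how the SDK is installed)
require_once 'sdk.class.php';

// Instantiate the class
$token = new AmazonSTS();

// Request temporary credentials for the federated user 'my-user'
$response = $token->get_federation_token('my-user');

// Success?
var_dump($response->isOK());
```
Result: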
bool(true)
Create a new temporary user, apply a policy, then generate session credentials.
```php
// Load the SDK (the path depends on how the SDK is installed)
require_once 'sdk.class.php';

// Instantiate the class
$token = new AmazonSTS();

// Generate a new IAM policy (https://awspolicygen.s3.amazonaws.com/policygen.html)
$policy = new CFPolicy($token, array(
    'Statement' => array(
        array(
            'Sid' => 'SID' . time(),
            'Action' => array('s3:GetObject', 's3:GetObjectVersion', 's3:ListBucket', 's3:ListBucketVersions'),
            'Effect' => 'Allow',
            // Object actions match the "/*" ARN; the two List* actions are
            // bucket-level and only match the bucket ARN itself.
            'Resource' => array('arn:aws:s3:::my-bucket', 'arn:aws:s3:::my-bucket/*')
        )
    )
));

// Fetch the session credentials (3600 seconds = one hour)
$response = $token->get_federation_token('my-user', array(
    'Policy' => $policy->get_json(),
    'DurationSeconds' => 3600
));

// Success?
var_dump($response->isOK());
```
Result:
bool(true)
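The intersection rule from the description above, as an added example that is not part of the original documentation or the SDK: a simplified evaluator showing that the policy passed to get_federation_token can narrow the caller's permissions but never widen them. It models Allow statements with `*` wildcards only; the policies, bucket names and function names are constructed for illustration.

```php
<?php
// Added example (not SDK code): simplified model of the permission intersection.
// Explicit Deny, Condition blocks and resource-based policies are left out.

// "*" matches any run of characters. Action names compare case-insensitively, ARNs do not.
function wildcard_match($pattern, $value, $ignore_case)
{
    $regex = '/^' . str_replace('\*', '.*', preg_quote($pattern, '/')) . '$/';
    return preg_match($regex . ($ignore_case ? 'i' : ''), $value) === 1;
}

// True when at least one Allow statement covers the action on the resource.
function policy_allows(array $policy, $action, $resource)
{
    foreach ($policy['Statement'] as $stmt) {
        if ($stmt['Effect'] !== 'Allow') {
            continue;
        }
        foreach ((array) $stmt['Action'] as $a) {
            foreach ((array) $stmt['Resource'] as $r) {
                if (wildcard_match($a, $action, true) && wildcard_match($r, $resource, false)) {
                    return true;
                }
            }
        }
    }
    return false;
}

// The federated user needs an Allow from BOTH the caller's policy and the session policy.
function federated_allows(array $caller, array $session, $action, $resource)
{
    return policy_allows($caller, $action, $resource) && policy_allows($session, $action, $resource);
}

// Constructed policies: what the calling IAM user may do, and what is passed as 'Policy'.
$caller  = array('Statement' => array(array('Effect' => 'Allow',
    'Action' => array('s3:GetObject', 's3:PutObject'), 'Resource' => 'arn:aws:s3:::my-bucket/*')));
$session = array('Statement' => array(array('Effect' => 'Allow',
    'Action' => 's3:Get*', 'Resource' => '*')));

$requests = array(
    array('s3:GetObject', 'arn:aws:s3:::my-bucket/report.csv'),    // covered by both policies
    array('s3:PutObject', 'arn:aws:s3:::my-bucket/report.csv'),    // outside the session policy
    array('s3:GetObject', 'arn:aws:s3:::other-bucket/report.csv'), // outside the caller's policy
);
foreach ($requests as $req) {
    $ok = federated_allows($caller, $session, $req[0], $req[1]);
    printf("%-13s %-40s %s\n", $req[0], $req[1], $ok ? 'ALLOW' : 'DENY');
}
```

A broad session policy such as `'Resource' => '*'` does not grant access beyond what the caller already has, so the caller's own policy remains the upper bound on what a federated user can do.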
Source
Method defined in services/sts.class.php