get_federation_token ( $name, $opt )

The GetFederationToken action returns a set of temporary credentials for a federated user with the user name and policy specified in the request. The credentials consist of an Access Key ID, a Secret Access Key, and a security token. Credentials created by IAM users are valid for the specified duration, between 15 minutes and 36 hours; credentials created using account credentials have a maximum duration of one hour.

The federated user who holds these credentials has any permissions allowed by the intersection of the specified policy and any resource or user policies that apply to the caller of the GetFederationToken API, and any resource policies that apply to the federated user’s Amazon Resource Name (ARN). For more information about how token permissions work, see Controlling Permissions in Temporary Credentials in Using IAM. For information about using GetFederationToken to create temporary credentials, see Creating Temporary Credentials to Enable Access for Federated Users in Using IAM.

Access

public

Parameters

Parameter - Type - Required - Description

$name - string - Required - The name of the federated user associated with the credentials. For information about limitations on user names, go to Limitations on IAM Entities in Using IAM. [Constraints: The value must be between 2 and 32 characters, and must match the following regular expression pattern: [\w+=,.@-]*]

$opt - array - Optional - An associative array of parameters that can have the following keys:

  • Policy - string - Optional - A policy specifying the permissions to associate with the credentials. The caller can delegate their own permissions by specifying a policy, and both policies will be checked when a service call is made. For more information about how permissions work in the context of temporary credentials, see Controlling Permissions in Temporary Credentials in Using IAM. [Constraints: The value must be between 1 and 2048 characters, and must match the following regular expression pattern: [\u0009\u000A\u000D\u0020-\u00FF]+]
  • DurationSeconds - integer - Optional - The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900s (15 minutes) to 129600s (36 hours), with 43200s (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600s (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
  • curlopts - array - Optional - A set of values to pass directly into curl_setopt(), where the key is a pre-defined CURLOPT_* constant.
  • returnCurlHandle - boolean - Optional - A private toggle specifying that the cURL handle be returned rather than actually completing the request. This toggle is useful for manually managed batch requests.

Returns

Type - Description

CFResponse - A CFResponse object containing a parsed HTTP response.

Examples

Create a new temporary user then generate session credentials.

// Instantiate the class
$token = new AmazonSTS();

$response = $token->get_federation_token('my-user');

// Success?
var_dump($response->isOK());
Result:
bool(true)

Create a new temporary user, apply a policy, then generate session credentials.

// Instantiate the class
$token = new AmazonSTS();

// Generate a new IAM policy (https://awspolicygen.s3.amazonaws.com/policygen.html)
$policy = new CFPolicy($token, array(
	'Statement' => array(
		array(
			'Sid' => 'SID' . time(),
			'Action' => array('s3:GetObject', 's3:GetObjectVersion', 's3:ListBucket', 's3:ListBucketVersions'),
			'Effect' => 'Allow',
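			// The List* actions apply to the bucket ARN; the Get* actions apply to the object ARNs
			'Resource' => array('arn:aws:s3:::my-bucket', 'arn:aws:s3:::my-bucket/*')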
		)
	)
));

// Fetch the session credentials
$response = $token->get_federation_token('my-user', array(
	'Policy' => $policy->get_json(),
	'DurationSeconds' => 3600
));

// Success?
var_dump($response->isOK());
Result:
bool(true)
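
The constraints listed under Parameters can be checked before the request is signed and sent, which matters when $name or DurationSeconds comes from application input. The following is an added example, not part of the SDK or the original page; federation_token_errors() and $callerIsAccountOwner are hypothetical names, and the TLS check on curlopts is an extra precaution that this page does not require.

```php
<?php
// Added example, not SDK code. federation_token_errors() and
// $callerIsAccountOwner are hypothetical names; the limits are the ones
// documented on this page.
function federation_token_errors($name, array $opt = array(), $callerIsAccountOwner = false)
{
    $errors = array();

    // Name: 2-32 characters from [\w+=,.@-]; \A and \z anchor the whole
    // string so a trailing newline cannot slip through.
    if (!is_string($name) || !preg_match('/\A[\w+=,.@-]{2,32}\z/', $name)) {
        $errors[] = 'Name: must be 2-32 characters matching [\w+=,.@-]';
    }

    // Policy: 1-2048 characters in U+0009, U+000A, U+000D, U+0020-U+00FF.
    // With /u, preg_match() returns false on invalid UTF-8, also rejected.
    if (isset($opt['Policy']) &&
        (!is_string($opt['Policy']) ||
         !preg_match('/\A[\x{09}\x{0A}\x{0D}\x{20}-\x{FF}]{1,2048}\z/u', $opt['Policy']))) {
        $errors[] = 'Policy: must be 1-2048 characters in the documented range';
    }

    // DurationSeconds: 900-129600; account-owner sessions are cut to 3600.
    if (isset($opt['DurationSeconds'])) {
        $d = $opt['DurationSeconds'];
        if (!is_int($d) || $d < 900 || $d > 129600) {
            $errors[] = 'DurationSeconds: must be an integer from 900 to 129600';
        } elseif ($callerIsAccountOwner && $d > 3600) {
            $errors[] = 'DurationSeconds: account-owner sessions last at most 3600';
        }
    }

    // curlopts reach curl_setopt() unchanged, and the response carries a
    // Secret Access Key, so refuse settings that turn off TLS verification.
    $curl = (isset($opt['curlopts']) && is_array($opt['curlopts'])) ? $opt['curlopts'] : array();
    if ((isset($curl[CURLOPT_SSL_VERIFYPEER]) && !$curl[CURLOPT_SSL_VERIFYPEER]) ||
        (isset($curl[CURLOPT_SSL_VERIFYHOST]) && $curl[CURLOPT_SSL_VERIFYHOST] != 2)) {
        $errors[] = 'curlopts: TLS certificate verification must stay enabled';
    }
    return $errors;
}

// Constructed sample input: a name containing a space and a too-short duration.
print_r(federation_token_errors('my user', array('DurationSeconds' => 600)));
// Constructed sample input that passes; the same arguments can then be
// handed to get_federation_token().
print_r(federation_token_errors('my-user', array('DurationSeconds' => 3600)));
```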

Source

Method defined in services/sts.class.php

public function get_federation_token($name, $opt = null)
{
    if (!$opt) $opt = array();
    $opt['Name'] = $name;
    
    return $this->authenticate('GetFederationToken', $opt);
}

Copyright © 2010–2013 Amazon Web Services, LLC

