1 // Code generated by smithy-go-codegen DO NOT EDIT.
2 3 package sts
4 5 import (
6 "context"
7 "fmt"
8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
9 "github.com/aws/aws-sdk-go-v2/service/sts/types"
10 "github.com/aws/smithy-go/middleware"
11 smithyhttp "github.com/aws/smithy-go/transport/http"
12 )
13 14 // Returns a set of temporary credentials for an Amazon Web Services account or
15 // IAM user. The credentials consist of an access key ID, a secret access key, and
16 // a security token. Typically, you use GetSessionToken if you want to use MFA to
17 // protect programmatic calls to specific Amazon Web Services API operations like
// Amazon EC2 StopInstances.
19 //
20 // MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
21 // associated with their MFA device. Using the temporary security credentials that
22 // the call returns, IAM users can then make programmatic calls to API operations
23 // that require MFA authentication. An incorrect MFA code causes the API to return
24 // an access denied error. For a comparison of GetSessionToken with the other API
// operations that produce temporary credentials, see [Requesting Temporary Security Credentials] and [Compare STS credentials] in the IAM User Guide.
26 //
27 // No permissions are required for users to perform this operation. The purpose of
28 // the sts:GetSessionToken operation is to authenticate the user using MFA. You
29 // cannot use policies to control authentication operations. For more information,
// see [Permissions for GetSessionToken] in the IAM User Guide.
31 //
32 // # Session Duration
33 //
34 // The GetSessionToken operation must be called by using the long-term Amazon Web
35 // Services security credentials of an IAM user. Credentials that are created by
36 // IAM users are valid for the duration that you specify. This duration can range
37 // from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
38 // with a default of 43,200 seconds (12 hours). Credentials based on account
39 // credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
40 // hour), with a default of 1 hour.
41 //
42 // # Permissions
43 //
44 // The temporary security credentials created by GetSessionToken can be used to
45 // make API calls to any Amazon Web Services service with the following exceptions:
46 //
47 // - You cannot call any IAM API operations unless MFA authentication
48 // information is included in the request.
49 //
// - You cannot call any STS API except AssumeRole or GetCallerIdentity.
51 //
52 // The credentials that GetSessionToken returns are based on permissions
53 // associated with the IAM user whose credentials were used to call the operation.
54 // The temporary credentials have the same permissions as the IAM user.
55 //
56 // Although it is possible to call GetSessionToken using the security credentials
57 // of an Amazon Web Services account root user rather than an IAM user, we do not
58 // recommend it. If GetSessionToken is called using root user credentials, the
// temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks] in
// the IAM User Guide.
61 //
62 // For more information about using GetSessionToken to create temporary
// credentials, see [Temporary Credentials for Users in Untrusted Environments] in the IAM User Guide.
64 //
65 // [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
66 // [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
67 // [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
68 // [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
69 // [Compare STS credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html
func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
	// A nil input is allowed: substitute an empty request so the middleware
	// chain always receives a non-nil *GetSessionTokenInput.
	input := params
	if input == nil {
		input = &GetSessionTokenInput{}
	}

	// invokeOperation runs the request through the client's middleware stack;
	// the operation-specific middlewares are registered by
	// c.addOperationGetSessionTokenMiddlewares. Any error is returned as-is.
	result, metadata, err := c.invokeOperation(ctx, "GetSessionToken", input, optFns, c.addOperationGetSessionTokenMiddlewares)
	if err != nil {
		return nil, err
	}

	// The deserializer for this operation yields a *GetSessionTokenOutput; any
	// other concrete type is a programming error, so the unchecked assertion
	// (which panics on mismatch) is intentional. The output carries a secret
	// access key and session token, so callers should avoid logging it verbatim.
	output := result.(*GetSessionTokenOutput)
	output.ResultMetadata = metadata
	return output, nil
}
// GetSessionTokenInput holds the request parameters for GetSessionToken.
//
// Every field is a pointer, so "not set" is distinguishable from a zero
// value; the service applies its own defaults to unset fields.
type GetSessionTokenInput struct {

	// The duration, in seconds, that the credentials should remain valid. Acceptable
	// durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600
	// seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for
	// Amazon Web Services account owners are restricted to a maximum of 3,600 seconds
	// (one hour). If the duration is longer than one hour, the session for Amazon Web
	// Services account owners defaults to one hour.
	//
	// Shorter durations limit the window in which a leaked session token is usable.
	DurationSeconds *int32

	// The identification number of the MFA device that is associated with the IAM
	// user who is making the GetSessionToken call. Specify this value if the IAM user
	// has a policy that requires MFA authentication. The value is either the serial
	// number for a hardware device (such as GAHT12345678) or an Amazon Resource Name
	// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You
	// can find the device for an IAM user by going to the Amazon Web Services
	// Management Console and viewing the user's security credentials.
	//
	// The regex used to validate this parameter is a string of characters consisting
	// of upper- and lower-case alphanumeric characters with no spaces. You can also
	// include underscores or any of the following characters: =,.@:/-
	SerialNumber *string

	// The value provided by the MFA device, if MFA is required. If any policy
	// requires the IAM user to submit an MFA code, specify this value. If MFA
	// authentication is required, the user must provide a code when requesting a set
	// of temporary security credentials. A user who fails to provide the code receives
	// an "access denied" response when requesting resources that require MFA
	// authentication.
	//
	// The format for this parameter, as described by its regex pattern, is a sequence
	// of six numeric digits.
	//
	// Treat this value as sensitive: do not log or persist it.
	TokenCode *string

	// Marker embedded by the code generator; carries no request data.
	noSmithyDocumentSerde
}
121 122 // Contains the response to a successful GetSessionToken request, including temporary Amazon Web
123 // Services credentials that can be used to make Amazon Web Services requests.
type GetSessionTokenOutput struct {

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security (or session) token.
	//
	// The size of the security token that STS API operations return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size.
	//
	// These are secrets: do not write them to logs or store them in plaintext.
	Credentials *types.Credentials

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata

	// Marker embedded by the code generator; carries no response data.
	noSmithyDocumentSerde
}
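// addOperationGetSessionTokenMiddlewares registers the operation-specific and
// client-wide middlewares for GetSessionToken on stack.
//
// The relative position passed to each Add call (middleware.Before/After)
// determines ordering within a step, so the sequence below should be kept as
// generated. Registration stops at the first error, which is returned to the
// caller; the protocol-finalizer error is wrapped with %w so the underlying
// cause remains reachable via errors.Is/As.
func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack, options Options) (err error) {
	// Input handling plus the awsquery serializer/deserializer for this operation.
	if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
		return err
	}
	if err = stack.Serialize.Add(&awsAwsquery_serializeOpGetSessionToken{}, middleware.After); err != nil {
		return err
	}
	if err = stack.Deserialize.Add(&awsAwsquery_deserializeOpGetSessionToken{}, middleware.After); err != nil {
		return err
	}
	if err := addProtocolFinalizerMiddlewares(stack, options, "GetSessionToken"); err != nil {
		return fmt.Errorf("add protocol finalizers: %w", err)
	}

	// Client-wide middlewares (endpoint, payload hashing, retry, timing, UA, ...).
	if err = addlegacyEndpointContextSetter(stack, options); err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = addClientRequestID(stack); err != nil {
		return err
	}
	if err = addComputeContentLength(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	if err = addComputePayloadSHA256(stack); err != nil {
		return err
	}
	if err = addRetry(stack, options); err != nil {
		return err
	}
	if err = addRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = addRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addSpanRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addClientUserAgent(stack, options); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
		return err
	}
	if err = addTimeOffsetBuild(stack, c); err != nil {
		return err
	}
	if err = addUserAgentRetryMode(stack, options); err != nil {
		return err
	}
	if err = addCredentialSource(stack, options); err != nil {
		return err
	}
	// Service metadata is registered at Initialize, ahead of existing handlers.
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRecursionDetection(stack); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	// NOTE(review): the GetSessionToken response carries a secret access key and
	// session token; if request/response logging is enabled through options,
	// confirm the log sink is appropriate for that material.
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addInterceptAttempt(stack, options); err != nil {
		return err
	}
	if err = addInterceptors(stack, options); err != nil {
		return err
	}
	return nil
}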
// newServiceMetadataMiddleware_opGetSessionToken builds the middleware that
// registers the service ID, region and operation name for GetSessionToken
// (presumably so later stages can identify the request; see awsmiddleware).
func newServiceMetadataMiddleware_opGetSessionToken(region string) *awsmiddleware.RegisterServiceMetadata {
	md := awsmiddleware.RegisterServiceMetadata{
		OperationName: "GetSessionToken",
		ServiceID:     ServiceID,
	}
	md.Region = region
	return &md
}
243