{-# LANGUAGE DeriveDataTypeable #-} {-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Network.AWS.STS.GetSessionToken -- Copyright : (c) 2013-2015 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Returns a set of temporary credentials for an AWS account or IAM user. -- The credentials consist of an access key ID, a secret access key, and a -- security token. Typically, you use 'GetSessionToken' if you want to use -- MFA to protect programmatic calls to specific AWS APIs like Amazon EC2 -- 'StopInstances'. MFA-enabled IAM users would need to call -- 'GetSessionToken' and submit an MFA code that is associated with their -- MFA device. Using the temporary security credentials that are returned -- from the call, IAM users can then make programmatic calls to APIs that -- require MFA authentication. -- -- The 'GetSessionToken' action must be called by using the long-term AWS -- security credentials of the AWS account or an IAM user. Credentials that -- are created by IAM users are valid for the duration that you specify, -- between 900 seconds (15 minutes) and 129600 seconds (36 hours); -- credentials that are created by using account credentials have a maximum -- duration of 3600 seconds (1 hour). -- -- We recommend that you do not call 'GetSessionToken' with root account -- credentials. Instead, follow our -- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> -- by creating one or more IAM users, giving them the necessary -- permissions, and using IAM users for everyday interaction with AWS. -- -- The permissions associated with the temporary security credentials -- returned by 'GetSessionToken' are based on the permissions associated -- with account or IAM user whose credentials are used to call the action. -- If 'GetSessionToken' is called using root account credentials, the -- temporary credentials have root account permissions. Similarly, if -- 'GetSessionToken' is called using the credentials of an IAM user, the -- temporary credentials have the same permissions as the IAM user. -- -- For more information about using 'GetSessionToken' to create temporary -- credentials, go to -- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html Creating Temporary Credentials to Enable Access for IAM Users>. -- -- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html AWS API Reference> for GetSessionToken. module Network.AWS.STS.GetSessionToken ( -- * Creating a Request getSessionToken , GetSessionToken -- * Request Lenses , gstTokenCode , gstDurationSeconds , gstSerialNumber -- * Destructuring the Response , getSessionTokenResponse , GetSessionTokenResponse -- * Response Lenses , gstrsCredentials , gstrsResponseStatus ) where import Network.AWS.Prelude import Network.AWS.Request import Network.AWS.Response import Network.AWS.STS.Types import Network.AWS.STS.Types.Product -- | /See:/ 'getSessionToken' smart constructor. data GetSessionToken = GetSessionToken' { _gstTokenCode :: !(Maybe Text) , _gstDurationSeconds :: !(Maybe Nat) , _gstSerialNumber :: !(Maybe Text) } deriving (Eq,Read,Show,Data,Typeable,Generic) -- | Creates a value of 'GetSessionToken' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'gstTokenCode' -- -- * 'gstDurationSeconds' -- -- * 'gstSerialNumber' getSessionToken :: GetSessionToken getSessionToken = GetSessionToken' { _gstTokenCode = Nothing , _gstDurationSeconds = Nothing , _gstSerialNumber = Nothing } -- | The value provided by the MFA device, if MFA is required. If any policy -- requires the IAM user to submit an MFA code, specify this value. If MFA -- authentication is required, and the user does not provide a code when -- requesting a set of temporary security credentials, the user will -- receive an \"access denied\" response when requesting resources that -- require MFA authentication. gstTokenCode :: Lens' GetSessionToken (Maybe Text) gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a}); -- | The duration, in seconds, that the credentials should remain valid. -- Acceptable durations for IAM user sessions range from 900 seconds (15 -- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as -- the default. Sessions for AWS account owners are restricted to a maximum -- of 3600 seconds (one hour). If the duration is longer than one hour, the -- session for AWS account owners defaults to one hour. gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural) gstDurationSeconds = lens _gstDurationSeconds (\ s a -> s{_gstDurationSeconds = a}) . mapping _Nat; -- | The identification number of the MFA device that is associated with the -- IAM user who is making the 'GetSessionToken' call. Specify this value if -- the IAM user has a policy that requires MFA authentication. The value is -- either the serial number for a hardware device (such as 'GAHT12345678') -- or an Amazon Resource Name (ARN) for a virtual device (such as -- 'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an -- IAM user by going to the AWS Management Console and viewing the user\'s -- security credentials. gstSerialNumber :: Lens' GetSessionToken (Maybe Text) gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a}); instance AWSRequest GetSessionToken where type Rs GetSessionToken = GetSessionTokenResponse request = postQuery sTS response = receiveXMLWrapper "GetSessionTokenResult" (\ s h x -> GetSessionTokenResponse' <$> (x .@? "Credentials") <*> (pure (fromEnum s))) instance ToHeaders GetSessionToken where toHeaders = const mempty instance ToPath GetSessionToken where toPath = const "/" instance ToQuery GetSessionToken where toQuery GetSessionToken'{..} = mconcat ["Action" =: ("GetSessionToken" :: ByteString), "Version" =: ("2011-06-15" :: ByteString), "TokenCode" =: _gstTokenCode, "DurationSeconds" =: _gstDurationSeconds, "SerialNumber" =: _gstSerialNumber] -- | Contains the response to a successful GetSessionToken request, including -- temporary AWS credentials that can be used to make AWS requests. -- -- /See:/ 'getSessionTokenResponse' smart constructor. data GetSessionTokenResponse = GetSessionTokenResponse' { _gstrsCredentials :: !(Maybe Credentials) , _gstrsResponseStatus :: !Int } deriving (Eq,Read,Show,Data,Typeable,Generic) -- | Creates a value of 'GetSessionTokenResponse' with the minimum fields required to make a request. -- -- Use one of the following lenses to modify other fields as desired: -- -- * 'gstrsCredentials' -- -- * 'gstrsResponseStatus' getSessionTokenResponse :: Int -- ^ 'gstrsResponseStatus' -> GetSessionTokenResponse getSessionTokenResponse pResponseStatus_ = GetSessionTokenResponse' { _gstrsCredentials = Nothing , _gstrsResponseStatus = pResponseStatus_ } -- | The session credentials for API authentication. gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials) gstrsCredentials = lens _gstrsCredentials (\ s a -> s{_gstrsCredentials = a}); -- | The response status code. gstrsResponseStatus :: Lens' GetSessionTokenResponse Int gstrsResponseStatus = lens _gstrsResponseStatus (\ s a -> s{_gstrsResponseStatus = a});