Safe Haskell | None |
---|---|
Language | Haskell2010 |
Returns a set of temporary credentials for an AWS account or IAM user. The
credentials consist of an access key ID, a secret access key, and a security
token. Typically, you use GetSessionToken
if you want to use MFA to protect
programmatic calls to specific AWS APIs like Amazon EC2 StopInstances
.
MFA-enabled IAM users would need to call GetSessionToken
and submit an MFA
code that is associated with their MFA device. Using the temporary security
credentials that are returned from the call, IAM users can then make
programmatic calls to APIs that require MFA authentication.
The GetSessionToken
action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that are
created by IAM users are valid for the duration that you specify, between 900
seconds (15 minutes) and 129600 seconds (36 hours); credentials that are
created by using account credentials have a maximum duration of 3600 seconds
(1 hour).
The permissions associated with the temporary security credentials returned
by GetSessionToken
are based on the permissions associated with account or
IAM user whose credentials are used to call the action. If GetSessionToken
is
called using root account credentials, the temporary credentials have root
account permissions. Similarly, if GetSessionToken
is called using the
credentials of an IAM user, the temporary credentials have the same
permissions as the IAM user.
For more information about using GetSessionToken
to create temporary
credentials, go to Creating Temporary Credentials to Enable Access for IAM
Users in Using Temporary Security Credentials.
http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html
- data GetSessionToken
- getSessionToken :: GetSessionToken
- gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
- gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
- gstTokenCode :: Lens' GetSessionToken (Maybe Text)
- data GetSessionTokenResponse
- getSessionTokenResponse :: GetSessionTokenResponse
- gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
Request
data GetSessionToken Source
Request constructor
getSessionToken :: GetSessionToken Source
GetSessionToken
constructor.
The fields accessible through corresponding lenses are:
Request lenses
gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural) Source
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
gstSerialNumber :: Lens' GetSessionToken (Maybe Text) Source
The identification number of the MFA device that is associated with the IAM
user who is making the GetSessionToken
call. Specify this value if the IAM
user has a policy that requires MFA authentication. The value is either the
serial number for a hardware device (such as GAHT12345678
) or an Amazon
Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management
Console and viewing the user's security credentials.
gstTokenCode :: Lens' GetSessionToken (Maybe Text) Source
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication.
Response
Response constructor
getSessionTokenResponse :: GetSessionTokenResponse Source
GetSessionTokenResponse
constructor.
The fields accessible through corresponding lenses are:
Response lenses
gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials) Source
The session credentials for API authentication.