Copyright | (c) 2013-2015 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay <brendan.g.hay@gmail.com> |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | None |
Language | Haskell2010 |
Returns a set of temporary credentials for an AWS account or IAM user.
The credentials consist of an access key ID, a secret access key, and a
security token. Typically, you use GetSessionToken
if you want to use
MFA to protect programmatic calls to specific AWS APIs like Amazon EC2
StopInstances
. MFA-enabled IAM users would need to call
GetSessionToken
and submit an MFA code that is associated with their
MFA device. Using the temporary security credentials that are returned
from the call, IAM users can then make programmatic calls to APIs that
require MFA authentication.
The GetSessionToken
action must be called by using the long-term AWS
security credentials of the AWS account or an IAM user. Credentials that
are created by IAM users are valid for the duration that you specify,
between 900 seconds (15 minutes) and 129600 seconds (36 hours);
credentials that are created by using account credentials have a maximum
duration of 3600 seconds (1 hour).
We recommend that you do not call GetSessionToken
with root account
credentials. Instead, follow our
best practices
by creating one or more IAM users, giving them the necessary
permissions, and using IAM users for everyday interaction with AWS.
The permissions associated with the temporary security credentials
returned by GetSessionToken
are based on the permissions associated
with account or IAM user whose credentials are used to call the action.
If GetSessionToken
is called using root account credentials, the
temporary credentials have root account permissions. Similarly, if
GetSessionToken
is called using the credentials of an IAM user, the
temporary credentials have the same permissions as the IAM user.
For more information about using GetSessionToken
to create temporary
credentials, go to
Creating Temporary Credentials to Enable Access for IAM Users.
See: AWS API Reference for GetSessionToken.
- getSessionToken :: GetSessionToken
- data GetSessionToken
- gstTokenCode :: Lens' GetSessionToken (Maybe Text)
- gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)
- gstSerialNumber :: Lens' GetSessionToken (Maybe Text)
- getSessionTokenResponse :: Int -> GetSessionTokenResponse
- data GetSessionTokenResponse
- gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
- gstrsStatus :: Lens' GetSessionTokenResponse Int
Creating a Request
getSessionToken :: GetSessionToken Source
Creates a value of GetSessionToken
with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
data GetSessionToken Source
See: getSessionToken
smart constructor.
Request Lenses
gstTokenCode :: Lens' GetSessionToken (Maybe Text) Source
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, and the user does not provide a code when requesting a set of temporary security credentials, the user will receive an "access denied" response when requesting resources that require MFA authentication.
gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural) Source
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
gstSerialNumber :: Lens' GetSessionToken (Maybe Text) Source
The identification number of the MFA device that is associated with the
IAM user who is making the GetSessionToken
call. Specify this value if
the IAM user has a policy that requires MFA authentication. The value is
either the serial number for a hardware device (such as GAHT12345678
)
or an Amazon Resource Name (ARN) for a virtual device (such as
'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an
IAM user by going to the AWS Management Console and viewing the user's
security credentials.
Destructuring the Response
getSessionTokenResponse Source
Creates a value of GetSessionTokenResponse
with the minimum fields required to make a request.
Use one of the following lenses to modify other fields as desired:
data GetSessionTokenResponse Source
Contains the response to a successful GetSessionToken request, including temporary AWS credentials that can be used to make AWS requests.
See: getSessionTokenResponse
smart constructor.
Response Lenses
gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials) Source
The session credentials for API authentication.
gstrsStatus :: Lens' GetSessionTokenResponse Int Source
The response status code.