<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <SessionToken>
       AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
       LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
       QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
       9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
       +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/demo/Bob</Arn>
      <AssumedRoleId>ARO123EXAMPLE123:Bob</AssumedRoleId>
    </AssumedRoleUser>
    <PackedPolicySize>6</PackedPolicySize>
  </AssumeRoleResult>
  <ResponseMetadata>
    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
  </ResponseMetadata>
</AssumeRoleResponse>
To request temporary security credentials, you use the AWS Security Token Service (AWS STS) operations in the AWS API. These operations create trusted users and give them temporary security credentials that control access to your AWS resources. For more information about AWS STS, see Temporary security credentials. To learn about the different ways you can assume a role, which is one of the ways to request temporary security credentials, see Using IAM roles.
AssumeRole - cross-account delegation and federation through a custom identity broker
AssumeRoleWithWebIdentity - federation through a web-based identity provider
AssumeRoleWithSAML - federation through an enterprise identity provider that is compatible with SAML 2.0
GetFederationToken - federation through a custom identity broker
GetSessionToken - temporary credentials for users in untrusted environments
| AWS STS API | Who can call | Credential lifetime: minimum | Credential lifetime: maximum | Credential lifetime: default | MFA support ¹ | Session policy support ² | Restrictions on the resulting temporary credentials |
|---|---|---|---|---|---|---|---|
| AssumeRole | IAM user, or IAM role with existing temporary security credentials | 15 minutes | Maximum session duration setting ³ | 1 hour | Yes | Yes | Cannot call (see note) |
| AssumeRoleWithSAML | Any user; the caller must pass a SAML authentication response that indicates authentication from a known identity provider | 15 minutes | Maximum session duration setting ³ | 1 hour | No | Yes | Cannot call (see note) |
| AssumeRoleWithWebIdentity | Any user; the caller must pass a web identity token that indicates authentication from a known identity provider | 15 minutes | Maximum session duration setting ³ | 1 hour | No | Yes | Cannot call (see note) |
| GetFederationToken | IAM user or AWS account root user | IAM user: 15 minutes; root user: 15 minutes | IAM user: 36 hours; root user: 1 hour | IAM user: 12 hours; root user: 1 hour | No | Yes | Cannot call IAM API operations directly. ⁴ Cannot call (see note). Single sign-on (SSO) to the console is allowed. ⁵ |
| GetSessionToken | IAM user or AWS account root user | IAM user: 15 minutes; root user: 15 minutes | IAM user: 36 hours; root user: 1 hour | IAM user: 12 hours; root user: 1 hour | Yes | No | Cannot call IAM API operations unless the request includes MFA information. Cannot call (see note). Single sign-on (SSO) to the console is not allowed. ⁶ |

Note: in each "Cannot call" entry the list of operations that cannot be called is cut off in the source text; the footnotes ¹ to ⁶ are also not reproduced here.
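The comparison table above is the kind of thing a practitioner ends up encoding in code: which operation a caller may use, what DurationSeconds it may request, and whether MFA or a session policy is accepted. The following is an added example, not code from the AWS documentation or the AWS SDK. It encodes the table's lifetime bounds, MFA support and session-policy support for each operation in a checker, and parses the kind of XML response shown on this page (AssumeRole and GetFederationToken both return a Credentials element) into a dictionary with the expiration as a timezone-aware datetime. The function names check_request, parse_sts_response, principal_type and seconds_remaining, and the embedded sample response, are this example's own; the sample reuses the page's example identifiers with a shortened, made-up session token.

```python
"""Encode the AWS STS comparison table and parse an STS XML response.

Added example (not AWS code). Lifetime values are seconds; the
AssumeRole* maximum is the role's "maximum session duration" setting,
which is per-role, so the caller supplies it (role_max_session).
"""
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

STS_NS = "{https://sts.amazonaws.com/doc/2011-06-15/}"

# (minimum, maximum, default) lifetime in seconds, plus MFA / session
# policy support, taken from the comparison table. None as a maximum
# means "the role's maximum session duration setting". For
# GetFederationToken and GetSessionToken the bounds depend on whether
# the caller is an IAM user or the account root user.
RULES = {
    "AssumeRole": {"lifetime": (900, None, 3600), "mfa": True, "policy": True},
    "AssumeRoleWithSAML": {"lifetime": (900, None, 3600), "mfa": False, "policy": True},
    "AssumeRoleWithWebIdentity": {"lifetime": (900, None, 3600), "mfa": False, "policy": True},
    "GetFederationToken": {
        "lifetime": {"iam": (900, 129600, 43200), "root": (900, 3600, 3600)},
        "mfa": False, "policy": True},
    "GetSessionToken": {
        "lifetime": {"iam": (900, 129600, 43200), "root": (900, 3600, 3600)},
        "mfa": True, "policy": False},
}


def check_request(api, duration=None, caller="iam", role_max_session=3600,
                  mfa=False, session_policy=None):
    """Return the effective session lifetime for a request, or raise
    ValueError when the table says the request is not allowed."""
    rule = RULES[api]
    lifetime = rule["lifetime"]
    if isinstance(lifetime, dict):          # caller-dependent bounds
        lifetime = lifetime[caller]
    lo, hi, default = lifetime
    if hi is None:                          # AssumeRole*: per-role maximum
        hi = role_max_session
    if mfa and not rule["mfa"]:
        raise ValueError(f"{api} does not support MFA")
    if session_policy is not None and not rule["policy"]:
        raise ValueError(f"{api} does not support a session policy")
    if duration is None:
        return default
    if not lo <= duration <= hi:
        raise ValueError(f"{api}: DurationSeconds {duration} outside [{lo}, {hi}]")
    return duration


def parse_sts_response(xml_text):
    """Extract credentials, principal ARN and packed policy size from an
    AssumeRole / GetFederationToken style XML response."""
    root = ET.fromstring(xml_text)
    creds = root.find(f".//{STS_NS}Credentials")
    if creds is None:
        raise ValueError("response carries no Credentials element")
    out = {}
    for tag in ("AccessKeyId", "SecretAccessKey", "SessionToken"):
        # Responses wrap long values over several lines; drop whitespace.
        out[tag] = "".join(creds.findtext(f"{STS_NS}{tag}", "").split())
    exp = creds.findtext(f"{STS_NS}Expiration", "").strip()
    out["Expiration"] = datetime.strptime(exp, "%Y-%m-%dT%H:%M:%S.%fZ") \
        .replace(tzinfo=timezone.utc)
    arn = root.find(f".//{STS_NS}Arn")        # AssumedRoleUser or FederatedUser
    out["Arn"] = arn.text.strip() if arn is not None and arn.text else None
    size = root.findtext(f".//{STS_NS}PackedPolicySize")
    out["PackedPolicySize"] = int(size) if size else None
    return out


def principal_type(arn):
    """'assumed-role' or 'federated-user' from an sts ARN's resource part."""
    return arn.split(":", 5)[5].split("/", 1)[0]


def seconds_remaining(creds, now=None):
    """Whole seconds until the parsed credentials expire (negative if expired)."""
    now = now or datetime.now(timezone.utc)
    return int((creds["Expiration"] - now).total_seconds())


# Constructed sample: the page's AssumeRole response with a shortened token.
SAMPLE_ASSUME_ROLE_RESPONSE = """<AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <AssumeRoleResult>
    <Credentials>
      <SessionToken>
       AQoDYXdzEPT//////////wEXAMPLE
       tokenEXAMPLE==
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2011-07-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <AssumedRoleUser>
      <Arn>arn:aws:sts::123456789012:assumed-role/demo/Bob</Arn>
      <AssumedRoleId>ARO123EXAMPLE123:Bob</AssumedRoleId>
    </AssumedRoleUser>
    <PackedPolicySize>6</PackedPolicySize>
  </AssumeRoleResult>
</AssumeRoleResponse>"""

if __name__ == "__main__":
    c = parse_sts_response(SAMPLE_ASSUME_ROLE_RESPONSE)
    print(principal_type(c["Arn"]), c["AccessKeyId"], c["Expiration"].isoformat())
    print("AssumeRole default lifetime:", check_request("AssumeRole"))
```

The checker mirrors the table rather than AWS's server-side validation: in practice STS also rejects, for example, an AssumeRole request whose DurationSeconds exceeds the role's configured maximum session duration, which is why that maximum is a parameter here rather than a constant.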
<GetFederationTokenResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
  <GetFederationTokenResult>
    <Credentials>
      <SessionToken>
       AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
       LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
       QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
       9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
       +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCEXAMPLE==
      </SessionToken>
      <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
      <Expiration>2019-04-15T23:28:33.359Z</Expiration>
      <AccessKeyId>AKIAIOSFODNN7EXAMPLE</AccessKeyId>
    </Credentials>
    <FederatedUser>
      <Arn>arn:aws:sts::123456789012:federated-user/Jean</Arn>
      <FederatedUserId>123456789012:Jean</FederatedUserId>
    </FederatedUser>
    <PackedPolicySize>2</PackedPolicySize>
  </GetFederationTokenResult>
  <ResponseMetadata>
    <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
  </ResponseMetadata>
</GetFederationTokenResponse>