File Coverage

blib/lib/Paws/STS.pm

Criterion	Covered	Total	%
statement	13	31	41.9
branch			n/a
condition			n/a
subroutine	5	13	38.4
pod	7	11	63.6
total	25	55	45.4

line	stmt	sub	pod	time	code
1					package Paws::STS;
2	1	1		11310	use Moose;
	1	3		2
	1			9
	3			2940
	3			6
	3			23
3	14	14	0	56	sub service { 'sts' }
4	0	0	0	0	sub version { '2011-06-15' }
5	0	0	0	0	sub flattened_arrays { 0 }
6					has max_attempts => (is => 'ro', isa => 'Int', default => 5);
7					has retry => (is => 'ro', isa => 'HashRef', default => sub {
8					{ base => 'rand', type => 'exponential', growth_factor => 2 }
9					});
10					has retriables => (is => 'ro', isa => 'ArrayRef', default => sub { [
11					] });
12
13					with 'Paws::API::Caller', 'Paws::API::EndpointResolver', 'Paws::Net::V4Signature', 'Paws::Net::QueryCaller', 'Paws::Net::XMLResponse';
14
15					has '+region_rules' => (default => sub {
16					my $regioninfo;
17					$regioninfo = [
18					{
19					constraints => [
20					[
21					'region',
22					'startsWith',
23					'cn-'
24					]
25					],
26					uri => '{scheme}://{service}.{region}.amazonaws.com.cn'
27					},
28					{
29					constraints => [
30					[
31					'region',
32					'startsWith',
33					'us-gov'
34					]
35					],
36					uri => 'https://{service}.{region}.amazonaws.com'
37					},
38					{
39					constraints => [
40					[
41					'region',
42					'equals',
43					undef
44					]
45					],
46					properties => {
47					credentialScope => {
48					region => 'us-east-1'
49					}
50					},
51					uri => 'https://sts.amazonaws.com'
52					},
53					{
54					uri => 'https://{service}.{region}.amazonaws.com'
55					}
56					];
57
58					return $regioninfo;
59					});
60
61
62					sub AssumeRole {
63	0	0	1	0	my $self = shift;
64	0			0	my $call_object = $self->new_with_coercions('Paws::STS::AssumeRole', @_);
65	0			0	return $self->caller->do_call($self, $call_object);
66					}
67					sub AssumeRoleWithSAML {
68	0	0	1	0	my $self = shift;
69	0			0	my $call_object = $self->new_with_coercions('Paws::STS::AssumeRoleWithSAML', @_);
70	0			0	return $self->caller->do_call($self, $call_object);
71					}
72					sub AssumeRoleWithWebIdentity {
73	0	0	1	0	my $self = shift;
74	0			0	my $call_object = $self->new_with_coercions('Paws::STS::AssumeRoleWithWebIdentity', @_);
75	0			0	return $self->caller->do_call($self, $call_object);
76					}
77					sub DecodeAuthorizationMessage {
78	0	0	1	0	my $self = shift;
79	0			0	my $call_object = $self->new_with_coercions('Paws::STS::DecodeAuthorizationMessage', @_);
80	0			0	return $self->caller->do_call($self, $call_object);
81					}
82					sub GetCallerIdentity {
83	0	0	1	0	my $self = shift;
84	0			0	my $call_object = $self->new_with_coercions('Paws::STS::GetCallerIdentity', @_);
85	0			0	return $self->caller->do_call($self, $call_object);
86					}
87					sub GetFederationToken {
88	1	1	1	11	my $self = shift;
89	1			7	my $call_object = $self->new_with_coercions('Paws::STS::GetFederationToken', @_);
90	1			692	return $self->caller->do_call($self, $call_object);
91					}
92					sub GetSessionToken {
93	1	1	1	237	my $self = shift;
94	1			4	my $call_object = $self->new_with_coercions('Paws::STS::GetSessionToken', @_);
95	1			471	return $self->caller->do_call($self, $call_object);
96					}
97
98
99
100	0	0	0		sub operations { qw/AssumeRole AssumeRoleWithSAML AssumeRoleWithWebIdentity DecodeAuthorizationMessage GetCallerIdentity GetFederationToken GetSessionToken / }
101
102					1;
103
104					### main pod documentation begin ###
105
106					=head1 NAME
107
108					Paws::STS - Perl Interface to AWS AWS Security Token Service
109
110					=head1 SYNOPSIS
111
112					use Paws;
113
114					my $obj = Paws->service('STS');
115					my $res = $obj->Method(
116					Arg1 => $val1,
117					Arg2 => [ 'V1', 'V2' ],
118					# if Arg3 is an object, the HashRef will be used as arguments to the constructor
119					# of the arguments type
120					Arg3 => { Att1 => 'Val1' },
121					# if Arg4 is an array of objects, the HashRefs will be passed as arguments to
122					# the constructor of the arguments type
123					Arg4 => [ { Att1 => 'Val1' }, { Att1 => 'Val2' } ],
124					);
125
126					=head1 DESCRIPTION
127
128					AWS Security Token Service
129
130					The AWS Security Token Service (STS) is a web service that enables you
131					to request temporary, limited-privilege credentials for AWS Identity
132					and Access Management (IAM) users or for users that you authenticate
133					(federated users). This guide provides descriptions of the STS API. For
134					more detailed information about using this service, go to Temporary
135					Security Credentials.
136
137					As an alternative to using the API, you can use one of the AWS SDKs,
138					which consist of libraries and sample code for various programming
139					languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The
140					SDKs provide a convenient way to create programmatic access to STS. For
141					example, the SDKs take care of cryptographically signing requests,
142					managing errors, and retrying requests automatically. For information
143					about the AWS SDKs, including how to download and install them, see the
144					Tools for Amazon Web Services page.
145
146					For information about setting up signatures and authorization through
147					the API, go to Signing AWS API Requests in the I<AWS General
148					Reference>. For general information about the Query API, go to Making
149					Query Requests in I<Using IAM>. For information about using security
150					tokens with other AWS products, go to AWS Services That Work with IAM
151					in the I<IAM User Guide>.
152
153					If you're new to AWS and need additional technical information about a
154					specific AWS product, you can find the product's technical
155					documentation at http://aws.amazon.com/documentation/.
156
157					B<Endpoints>
158
159					The AWS Security Token Service (STS) has a default endpoint of
160					https://sts.amazonaws.com that maps to the US East (N. Virginia)
161					region. Additional regions are available and are activated by default.
162					For more information, see Activating and Deactivating AWS STS in an AWS
163					Region in the I<IAM User Guide>.
164
165					For information about STS endpoints, see Regions and Endpoints in the
166					I<AWS General Reference>.
167
168					B<Recording API requests>
169
170					STS supports AWS CloudTrail, which is a service that records AWS calls
171					for your AWS account and delivers log files to an Amazon S3 bucket. By
172					using information collected by CloudTrail, you can determine what
173					requests were successfully made to STS, who made the request, when it
174					was made, and so on. To learn more about CloudTrail, including how to
175					turn it on and find your log files, see the AWS CloudTrail User Guide.
176
177					=head1 METHODS
178
179					=head2 AssumeRole(RoleArn => Str, RoleSessionName => Str, [DurationSeconds => Int, ExternalId => Str, Policy => Str, SerialNumber => Str, TokenCode => Str])
180
181					Each argument is described in detail in: L<Paws::STS::AssumeRole>
182
183					Returns: a L<Paws::STS::AssumeRoleResponse> instance
184
185					Returns a set of temporary security credentials (consisting of an
186					access key ID, a secret access key, and a security token) that you can
187					use to access AWS resources that you might not normally have access to.
188					Typically, you use C<AssumeRole> for cross-account access or
189					federation. For a comparison of C<AssumeRole> with the other APIs that
190					produce temporary credentials, see Requesting Temporary Security
191					Credentials and Comparing the AWS STS APIs in the I<IAM User Guide>.
192
193					B<Important:> You cannot call C<AssumeRole> by using AWS root account
194					credentials; access is denied. You must use credentials for an IAM user
195					or an IAM role to call C<AssumeRole>.
196
197					For cross-account access, imagine that you own multiple accounts and
198					need to access resources in each account. You could create long-term
199					credentials in each account to access those resources. However,
200					managing all those credentials and remembering which one can access
201					which account can be time consuming. Instead, you can create one set of
202					long-term credentials in one account and then use temporary security
203					credentials to access all the other accounts by assuming roles in those
204					accounts. For more information about roles, see IAM Roles (Delegation
205					and Federation) in the I<IAM User Guide>.
206
207					For federation, you can, for example, grant single sign-on access to
208					the AWS Management Console. If you already have an identity and
209					authentication system in your corporate network, you don't have to
210					recreate user identities in AWS in order to grant those user identities
211					access to AWS. Instead, after a user has been authenticated, you call
212					C<AssumeRole> (and specify the role with the appropriate permissions)
213					to get temporary security credentials for that user. With those
214					temporary security credentials, you construct a sign-in URL that users
215					can use to access the console. For more information, see Common
216					Scenarios for Temporary Credentials in the I<IAM User Guide>.
217
218					The temporary security credentials are valid for the duration that you
219					specified when calling C<AssumeRole>, which can be from 900 seconds (15
220					minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
221
222					The temporary security credentials created by C<AssumeRole> can be used
223					to make API calls to any AWS service with the following exception: you
224					cannot call the STS service's C<GetFederationToken> or
225					C<GetSessionToken> APIs.
226
227					Optionally, you can pass an IAM access policy to this operation. If you
228					choose not to pass a policy, the temporary security credentials that
229					are returned by the operation have the permissions that are defined in
230					the access policy of the role that is being assumed. If you pass a
231					policy to this operation, the temporary security credentials that are
232					returned by the operation have the permissions that are allowed by both
233					the access policy of the role that is being assumed, I< B<and> > the
234					policy that you pass. This gives you a way to further restrict the
235					permissions for the resulting temporary security credentials. You
236					cannot use the passed policy to grant permissions that are in excess of
237					those allowed by the access policy of the role that is being assumed.
238					For more information, see Permissions for AssumeRole,
239					AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the I<IAM User
240					Guide>.
241
242					To assume a role, your AWS account must be trusted by the role. The
243					trust relationship is defined in the role's trust policy when the role
244					is created. That trust policy states which accounts are allowed to
245					delegate access to this account's role.
246
247					The user who wants to access the role must also have permissions
248					delegated from the role's administrator. If the user is in a different
249					account than the role, then the user's administrator must attach a
250					policy that allows the user to call AssumeRole on the ARN of the role
251					in the other account. If the user is in the same account as the role,
252					then you can either attach a policy to the user (identical to the
253					previous different account user), or you can add the user as a
254					principal directly in the role's trust policy
255
256					B<Using MFA with AssumeRole>
257
258					You can optionally include multi-factor authentication (MFA)
259					information when you call C<AssumeRole>. This is useful for
260					cross-account scenarios in which you want to make sure that the user
261					who is assuming the role has been authenticated using an AWS MFA
262					device. In that scenario, the trust policy of the role being assumed
263					includes a condition that tests for MFA authentication; if the caller
264					does not include valid MFA information, the request to assume the role
265					is denied. The condition in a trust policy that tests for MFA
266					authentication might look like the following example.
267
268					C<"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}>
269
270					For more information, see Configuring MFA-Protected API Access in the
271					I<IAM User Guide> guide.
272
273					To use MFA with C<AssumeRole>, you pass values for the C<SerialNumber>
274					and C<TokenCode> parameters. The C<SerialNumber> value identifies the
275					user's hardware or virtual MFA device. The C<TokenCode> is the
276					time-based one-time password (TOTP) that the MFA devices produces.
277
278
279					=head2 AssumeRoleWithSAML(PrincipalArn => Str, RoleArn => Str, SAMLAssertion => Str, [DurationSeconds => Int, Policy => Str])
280
281					Each argument is described in detail in: L<Paws::STS::AssumeRoleWithSAML>
282
283					Returns: a L<Paws::STS::AssumeRoleWithSAMLResponse> instance
284
285					Returns a set of temporary security credentials for users who have been
286					authenticated via a SAML authentication response. This operation
287					provides a mechanism for tying an enterprise identity store or
288					directory to role-based AWS access without user-specific credentials or
289					configuration. For a comparison of C<AssumeRoleWithSAML> with the other
290					APIs that produce temporary credentials, see Requesting Temporary
291					Security Credentials and Comparing the AWS STS APIs in the I<IAM User
292					Guide>.
293
294					The temporary security credentials returned by this operation consist
295					of an access key ID, a secret access key, and a security token.
296					Applications can use these temporary security credentials to sign calls
297					to AWS services.
298
299					The temporary security credentials are valid for the duration that you
300					specified when calling C<AssumeRole>, or until the time specified in
301					the SAML authentication response's C<SessionNotOnOrAfter> value,
302					whichever is shorter. The duration can be from 900 seconds (15 minutes)
303					to a maximum of 3600 seconds (1 hour). The default is 1 hour.
304
305					The temporary security credentials created by C<AssumeRoleWithSAML> can
306					be used to make API calls to any AWS service with the following
307					exception: you cannot call the STS service's C<GetFederationToken> or
308					C<GetSessionToken> APIs.
309
310					Optionally, you can pass an IAM access policy to this operation. If you
311					choose not to pass a policy, the temporary security credentials that
312					are returned by the operation have the permissions that are defined in
313					the access policy of the role that is being assumed. If you pass a
314					policy to this operation, the temporary security credentials that are
315					returned by the operation have the permissions that are allowed by the
316					intersection of both the access policy of the role that is being
317					assumed, I< B<and> > the policy that you pass. This means that both
318					policies must grant the permission for the action to be allowed. This
319					gives you a way to further restrict the permissions for the resulting
320					temporary security credentials. You cannot use the passed policy to
321					grant permissions that are in excess of those allowed by the access
322					policy of the role that is being assumed. For more information, see
323					Permissions for AssumeRole, AssumeRoleWithSAML, and
324					AssumeRoleWithWebIdentity in the I<IAM User Guide>.
325
326					Before your application can call C<AssumeRoleWithSAML>, you must
327					configure your SAML identity provider (IdP) to issue the claims
328					required by AWS. Additionally, you must use AWS Identity and Access
329					Management (IAM) to create a SAML provider entity in your AWS account
330					that represents your identity provider, and create an IAM role that
331					specifies this SAML provider in its trust policy.
332
333					Calling C<AssumeRoleWithSAML> does not require the use of AWS security
334					credentials. The identity of the caller is validated by using keys in
335					the metadata document that is uploaded for the SAML provider entity for
336					your identity provider.
337
338					Calling C<AssumeRoleWithSAML> can result in an entry in your AWS
339					CloudTrail logs. The entry includes the value in the C<NameID> element
340					of the SAML assertion. We recommend that you use a NameIDType that is
341					not associated with any personally identifiable information (PII). For
342					example, you could instead use the Persistent Identifier
343					(C<urn:oasis:names:tc:SAML:2.0:nameid-format:persistent>).
344
345					For more information, see the following resources:
346
347					=over
348
349					=item *
350
351					About SAML 2.0-based Federation in the I<IAM User Guide>.
352
353					=item *
354
355					Creating SAML Identity Providers in the I<IAM User Guide>.
356
357					=item *
358
359					Configuring a Relying Party and Claims in the I<IAM User Guide>.
360
361					=item *
362
363					Creating a Role for SAML 2.0 Federation in the I<IAM User Guide>.
364
365					=back
366
367
368
369					=head2 AssumeRoleWithWebIdentity(RoleArn => Str, RoleSessionName => Str, WebIdentityToken => Str, [DurationSeconds => Int, Policy => Str, ProviderId => Str])
370
371					Each argument is described in detail in: L<Paws::STS::AssumeRoleWithWebIdentity>
372
373					Returns: a L<Paws::STS::AssumeRoleWithWebIdentityResponse> instance
374
375					Returns a set of temporary security credentials for users who have been
376					authenticated in a mobile or web application with a web identity
377					provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
378					or any OpenID Connect-compatible identity provider.
379
380					For mobile applications, we recommend that you use Amazon Cognito. You
381					can use Amazon Cognito with the AWS SDK for iOS and the AWS SDK for
382					Android to uniquely identify a user and supply the user with a
383					consistent identity throughout the lifetime of an application.
384
385					To learn more about Amazon Cognito, see Amazon Cognito Overview in the
386					I<AWS SDK for Android Developer Guide> guide and Amazon Cognito
387					Overview in the I<AWS SDK for iOS Developer Guide>.
388
389					Calling C<AssumeRoleWithWebIdentity> does not require the use of AWS
390					security credentials. Therefore, you can distribute an application (for
391					example, on mobile devices) that requests temporary security
392					credentials without including long-term AWS credentials in the
393					application, and without deploying server-based proxy services that use
394					long-term AWS credentials. Instead, the identity of the caller is
395					validated by using a token from the web identity provider. For a
396					comparison of C<AssumeRoleWithWebIdentity> with the other APIs that
397					produce temporary credentials, see Requesting Temporary Security
398					Credentials and Comparing the AWS STS APIs in the I<IAM User Guide>.
399
400					The temporary security credentials returned by this API consist of an
401					access key ID, a secret access key, and a security token. Applications
402					can use these temporary security credentials to sign calls to AWS
403					service APIs.
404
405					The credentials are valid for the duration that you specified when
406					calling C<AssumeRoleWithWebIdentity>, which can be from 900 seconds (15
407					minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
408
409					The temporary security credentials created by
410					C<AssumeRoleWithWebIdentity> can be used to make API calls to any AWS
411					service with the following exception: you cannot call the STS service's
412					C<GetFederationToken> or C<GetSessionToken> APIs.
413
414					Optionally, you can pass an IAM access policy to this operation. If you
415					choose not to pass a policy, the temporary security credentials that
416					are returned by the operation have the permissions that are defined in
417					the access policy of the role that is being assumed. If you pass a
418					policy to this operation, the temporary security credentials that are
419					returned by the operation have the permissions that are allowed by both
420					the access policy of the role that is being assumed, I< B<and> > the
421					policy that you pass. This gives you a way to further restrict the
422					permissions for the resulting temporary security credentials. You
423					cannot use the passed policy to grant permissions that are in excess of
424					those allowed by the access policy of the role that is being assumed.
425					For more information, see Permissions for AssumeRole,
426					AssumeRoleWithSAML, and AssumeRoleWithWebIdentity in the I<IAM User
427					Guide>.
428
429					Before your application can call C<AssumeRoleWithWebIdentity>, you must
430					have an identity token from a supported identity provider and create a
431					role that the application can assume. The role that your application
432					assumes must trust the identity provider that is associated with the
433					identity token. In other words, the identity provider must be specified
434					in the role's trust policy.
435
436					Calling C<AssumeRoleWithWebIdentity> can result in an entry in your AWS
437					CloudTrail logs. The entry includes the Subject of the provided Web
438					Identity Token. We recommend that you avoid using any personally
439					identifiable information (PII) in this field. For example, you could
440					instead use a GUID or a pairwise identifier, as suggested in the OIDC
441					specification.
442
443					For more information about how to use web identity federation and the
444					C<AssumeRoleWithWebIdentity> API, see the following resources:
445
446					=over
447
448					=item *
449
450					Using Web Identity Federation APIs for Mobile Apps and Federation
451					Through a Web-based Identity Provider.
452
453					=item *
454
455					Web Identity Federation Playground. This interactive website lets you
456					walk through the process of authenticating via Login with Amazon,
457					Facebook, or Google, getting temporary security credentials, and then
458					using those credentials to make a request to AWS.
459
460					=item *
461
462					AWS SDK for iOS and AWS SDK for Android. These toolkits contain sample
463					apps that show how to invoke the identity providers, and then how to
464					use the information from these providers to get and use temporary
465					security credentials.
466
467					=item *
468
469					Web Identity Federation with Mobile Applications. This article
470					discusses web identity federation and shows an example of how to use
471					web identity federation to get access to content in Amazon S3.
472
473					=back
474
475
476
477					=head2 DecodeAuthorizationMessage(EncodedMessage => Str)
478
479					Each argument is described in detail in: L<Paws::STS::DecodeAuthorizationMessage>
480
481					Returns: a L<Paws::STS::DecodeAuthorizationMessageResponse> instance
482
483					Decodes additional information about the authorization status of a
484					request from an encoded message returned in response to an AWS request.
485
486					For example, if a user is not authorized to perform an action that he
487					or she has requested, the request returns a
488					C<Client.UnauthorizedOperation> response (an HTTP 403 response). Some
489					AWS actions additionally return an encoded message that can provide
490					details about this authorization failure.
491
492					Only certain AWS actions return an encoded authorization message. The
493					documentation for an individual action indicates whether that action
494					returns an encoded message in addition to returning an HTTP code.
495
496					The message is encoded because the details of the authorization status
497					can constitute privileged information that the user who requested the
498					action should not see. To decode an authorization status message, a
499					user must be granted permissions via an IAM policy to request the
500					C<DecodeAuthorizationMessage> (C<sts:DecodeAuthorizationMessage>)
501					action.
502
503					The decoded message includes the following type of information:
504
505					=over
506
507					=item *
508
509					Whether the request was denied due to an explicit deny or due to the
510					absence of an explicit allow. For more information, see Determining
511					Whether a Request is Allowed or Denied in the I<IAM User Guide>.
512
513					=item *
514
515					The principal who made the request.
516
517					=item *
518
519					The requested action.
520
521					=item *
522
523					The requested resource.
524
525					=item *
526
527					The values of condition keys in the context of the user's request.
528
529					=back
530
531
532
533					=head2 GetCallerIdentity()
534
535					Each argument is described in detail in: L<Paws::STS::GetCallerIdentity>
536
537					Returns: a L<Paws::STS::GetCallerIdentityResponse> instance
538
539					Returns details about the IAM identity whose credentials are used to
540					call the API.
541
542
543					=head2 GetFederationToken(Name => Str, [DurationSeconds => Int, Policy => Str])
544
545					Each argument is described in detail in: L<Paws::STS::GetFederationToken>
546
547					Returns: a L<Paws::STS::GetFederationTokenResponse> instance
548
549					Returns a set of temporary security credentials (consisting of an
550					access key ID, a secret access key, and a security token) for a
551					federated user. A typical use is in a proxy application that gets
552					temporary security credentials on behalf of distributed applications
553					inside a corporate network. Because you must call the
554					C<GetFederationToken> action using the long-term security credentials
555					of an IAM user, this call is appropriate in contexts where those
556					credentials can be safely stored, usually in a server-based
557					application. For a comparison of C<GetFederationToken> with the other
558					APIs that produce temporary credentials, see Requesting Temporary
559					Security Credentials and Comparing the AWS STS APIs in the I<IAM User
560					Guide>.
561
562					If you are creating a mobile-based or browser-based app that can
563					authenticate users using a web identity provider like Login with
564					Amazon, Facebook, Google, or an OpenID Connect-compatible identity
565					provider, we recommend that you use Amazon Cognito or
566					C<AssumeRoleWithWebIdentity>. For more information, see Federation
567					Through a Web-based Identity Provider.
568
569					The C<GetFederationToken> action must be called by using the long-term
570					AWS security credentials of an IAM user. You can also call
571					C<GetFederationToken> using the security credentials of an AWS root
572					account, but we do not recommended it. Instead, we recommend that you
573					create an IAM user for the purpose of the proxy application and then
574					attach a policy to the IAM user that limits federated users to only the
575					actions and resources that they need access to. For more information,
576					see IAM Best Practices in the I<IAM User Guide>.
577
578					The temporary security credentials that are obtained by using the
579					long-term credentials of an IAM user are valid for the specified
580					duration, from 900 seconds (15 minutes) up to a maximium of 129600
581					seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
582					credentials that are obtained by using AWS root account credentials
583					have a maximum duration of 3600 seconds (1 hour).
584
585					The temporary security credentials created by C<GetFederationToken> can
586					be used to make API calls to any AWS service with the following
587					exceptions:
588
589					=over
590
591					=item *
592
593					You cannot use these credentials to call any IAM APIs.
594
595					=item *
596
597					You cannot call any STS APIs except C<GetCallerIdentity>.
598
599					=back
600
601					B<Permissions>
602
603					The permissions for the temporary security credentials returned by
604					C<GetFederationToken> are determined by a combination of the following:
605
606					=over
607
608					=item *
609
610					The policy or policies that are attached to the IAM user whose
611					credentials are used to call C<GetFederationToken>.
612
613					=item *
614
615					The policy that is passed as a parameter in the call.
616
617					=back
618
619					The passed policy is attached to the temporary security credentials
620					that result from the C<GetFederationToken> API call--that is, to the
621					I<federated user>. When the federated user makes an AWS request, AWS
622					evaluates the policy attached to the federated user in combination with
623					the policy or policies attached to the IAM user whose credentials were
624					used to call C<GetFederationToken>. AWS allows the federated user's
625					request only when both the federated user I< B<and> > the IAM user are
626					explicitly allowed to perform the requested action. The passed policy
627					cannot grant more permissions than those that are defined in the IAM
628					user policy.
629
630					A typical use case is that the permissions of the IAM user whose
631					credentials are used to call C<GetFederationToken> are designed to
632					allow access to all the actions and resources that any federated user
633					will need. Then, for individual users, you pass a policy to the
634					operation that scopes down the permissions to a level that's
635					appropriate to that individual user, using a policy that allows only a
636					subset of permissions that are granted to the IAM user.
637
638					If you do not pass a policy, the resulting temporary security
639					credentials have no effective permissions. The only exception is when
640					the temporary security credentials are used to access a resource that
641					has a resource-based policy that specifically allows the federated user
642					to access the resource.
643
644					For more information about how permissions work, see Permissions for
645					GetFederationToken. For information about using C<GetFederationToken>
646					to create temporary security credentials, see
647					GetFederationTokenE<mdash>Federation Through a Custom Identity Broker.
648
649
650					=head2 GetSessionToken([DurationSeconds => Int, SerialNumber => Str, TokenCode => Str])
651
652					Each argument is described in detail in: L<Paws::STS::GetSessionToken>
653
654					Returns: a L<Paws::STS::GetSessionTokenResponse> instance
655
656					Returns a set of temporary credentials for an AWS account or IAM user.
657					The credentials consist of an access key ID, a secret access key, and a
658					security token. Typically, you use C<GetSessionToken> if you want to
659					use MFA to protect programmatic calls to specific AWS APIs like Amazon
660					EC2 C<StopInstances>. MFA-enabled IAM users would need to call
661					C<GetSessionToken> and submit an MFA code that is associated with their
662					MFA device. Using the temporary security credentials that are returned
663					from the call, IAM users can then make programmatic calls to APIs that
664					require MFA authentication. If you do not supply a correct MFA code,
665					then the API returns an access denied error. For a comparison of
666					C<GetSessionToken> with the other APIs that produce temporary
667					credentials, see Requesting Temporary Security Credentials and
668					Comparing the AWS STS APIs in the I<IAM User Guide>.
669
670					The C<GetSessionToken> action must be called by using the long-term AWS
671					security credentials of the AWS account or an IAM user. Credentials
672					that are created by IAM users are valid for the duration that you
673					specify, from 900 seconds (15 minutes) up to a maximum of 129600
674					seconds (36 hours), with a default of 43200 seconds (12 hours);
675					credentials that are created by using account credentials can range
676					from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1 hour),
677					with a default of 1 hour.
678
679					The temporary security credentials created by C<GetSessionToken> can be
680					used to make API calls to any AWS service with the following
681					exceptions:
682
683					=over
684
685					=item *
686
687					You cannot call any IAM APIs unless MFA authentication information is
688					included in the request.
689
690					=item *
691
692					You cannot call any STS API I<except> C<AssumeRole> or
693					C<GetCallerIdentity>.
694
695					=back
696
697					We recommend that you do not call C<GetSessionToken> with root account
698					credentials. Instead, follow our best practices by creating one or more
699					IAM users, giving them the necessary permissions, and using IAM users
700					for everyday interaction with AWS.
701
702					The permissions associated with the temporary security credentials
703					returned by C<GetSessionToken> are based on the permissions associated
704					with account or IAM user whose credentials are used to call the action.
705					If C<GetSessionToken> is called using root account credentials, the
706					temporary credentials have root account permissions. Similarly, if
707					C<GetSessionToken> is called using the credentials of an IAM user, the
708					temporary credentials have the same permissions as the IAM user.
709
710					For more information about using C<GetSessionToken> to create temporary
711					credentials, go to Temporary Credentials for Users in Untrusted
712					Environments in the I<IAM User Guide>.
713
714
715
716
717					=head1 PAGINATORS
718
719					Paginator methods are helpers that repetively call methods that return partial results
720
721
722
723
724					=head1 SEE ALSO
725
726					This service class forms part of L<Paws>
727
728					=head1 BUGS and CONTRIBUTIONS
729
730					The source code is located here: https://github.com/pplu/aws-sdk-perl
731
732					Please report bugs to: https://github.com/pplu/aws-sdk-perl/issues
733
734					=cut
735