public class GetFederationTokenRequest extends AmazonWebServiceRequest implements Serializable
Returns a set of temporary security credentials (consisting of an access key
ID, a secret access key, and a security token) for a federated user. A
typical use is in a proxy application that gets temporary security
credentials on behalf of distributed applications inside a corporate network.
You must call the GetFederationToken operation using the
long-term security credentials of an IAM user. As a result, this call is
appropriate in contexts where those credentials can be safely stored, usually
in a server-based application. For a comparison of
GetFederationToken with the other API operations that produce
temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.
You can create a mobile-based or browser-based app that can authenticate
users using a web identity provider like Login with Amazon, Facebook, Google,
or an OpenID Connect-compatible identity provider. In this case, we recommend
that you use Amazon Cognito or
AssumeRoleWithWebIdentity. For more information, see Federation Through a Web-based Identity Provider in the IAM User
Guide.
You can also call GetFederationToken using the security
credentials of an AWS account root user, but we do not recommend it. Instead,
we recommend that you create an IAM user for the purpose of the proxy
application. Then attach a policy to the IAM user that limits federated users
to only the actions and resources that they need to access. For more
information, see IAM Best Practices in the IAM User Guide.
Session duration
The temporary credentials are valid for the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is 43,200 seconds (12 hours). Temporary credentials that are obtained by using AWS account root user credentials have a maximum duration of 3,600 seconds (1 hour).
Permissions
You can use the temporary credentials created by
GetFederationToken in any AWS service except the following:
You cannot call any IAM operations using the AWS CLI or the AWS API.
You cannot call any STS operations except GetCallerIdentity.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters.
Though the session policy parameters are optional, if you do not pass a
policy, then the resulting federated user session has no permissions. When
you pass session policies, the session permissions are the intersection of
the IAM user policies and the session policies that you pass. This gives you
a way to further restrict the permissions for a federated user. You cannot
use session policies to grant more permissions than those that are defined in
the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide. For information about
using GetFederationToken to create temporary security
credentials, see GetFederationToken—Federation Through a Custom Identity Broker.
You can use the credentials to access a resource that has a resource-based
policy. If that policy specifically references the federated user session in
the Principal element of the policy, the session has the
permissions allowed by the policy. These permissions are granted in addition
to the permissions granted by the session policies.
Tags
(Optional) You can pass tag key-value pairs to your session. These are called session tags. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
An administrator must grant you the permissions necessary to pass session tags. The administrator can also create granular permissions to allow you to pass only specific session tags. For more information, see Tutorial: Using Tags for Attribute-Based Access Control in the IAM User Guide.
Tag key–value pairs are not case sensitive, but case is preserved. This means
that you cannot have separate Department and
department tag keys. Assume that the user that you are
federating has the Department=Marketing tag and you
pass the department=engineering session tag.
Department and department are not saved as separate
tags, and the session tag passed in the request takes precedence over the
user tag.
| Constructor and Description |
|---|
GetFederationTokenRequest()
Default constructor for GetFederationTokenRequest object.
|
GetFederationTokenRequest(String name)
Constructs a new GetFederationTokenRequest object.
|
| Modifier and Type | Method and Description |
|---|---|
boolean |
equals(Object obj) |
Integer |
getDurationSeconds()
The duration, in seconds, that the session should last.
|
String |
getName()
The name of the federated user.
|
String |
getPolicy()
An IAM policy in JSON format that you want to use as an inline session
policy.
|
List<PolicyDescriptorType> |
getPolicyArns()
The Amazon Resource Names (ARNs) of the IAM managed policies that you
want to use as a managed session policy.
|
List<Tag> |
getTags()
A list of session tags.
|
int |
hashCode() |
void |
setDurationSeconds(Integer durationSeconds)
The duration, in seconds, that the session should last.
|
void |
setName(String name)
The name of the federated user.
|
void |
setPolicy(String policy)
An IAM policy in JSON format that you want to use as an inline session
policy.
|
void |
setPolicyArns(Collection<PolicyDescriptorType> policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you
want to use as a managed session policy.
|
void |
setTags(Collection<Tag> tags)
A list of session tags.
|
String |
toString()
Returns a string representation of this object; useful for testing and
debugging.
|
GetFederationTokenRequest |
withDurationSeconds(Integer durationSeconds)
The duration, in seconds, that the session should last.
|
GetFederationTokenRequest |
withName(String name)
The name of the federated user.
|
GetFederationTokenRequest |
withPolicy(String policy)
An IAM policy in JSON format that you want to use as an inline session
policy.
|
GetFederationTokenRequest |
withPolicyArns(Collection<PolicyDescriptorType> policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you
want to use as a managed session policy.
|
GetFederationTokenRequest |
withPolicyArns(PolicyDescriptorType... policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you
want to use as a managed session policy.
|
GetFederationTokenRequest |
withTags(Collection<Tag> tags)
A list of session tags.
|
GetFederationTokenRequest |
withTags(Tag... tags)
A list of session tags.
|
clone, copyBaseTo, getCloneRoot, getCloneSource, getGeneralProgressListener, getRequestClientOptions, getRequestCredentials, getRequestMetricCollector, setGeneralProgressListener, setRequestCredentials, setRequestMetricCollector, withGeneralProgressListener, withRequestMetricCollectorpublic GetFederationTokenRequest()
public GetFederationTokenRequest(String name)
name -
The name of the federated user. The name is used as an
identifier for the temporary security credentials (such as
Bob). For example, you can reference the
federated user name in a resource-based policy, such as in an
Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
public String getName()
The name of the federated user. The name is used as an identifier for the
temporary security credentials (such as Bob). For example,
you can reference the federated user name in a resource-based policy,
such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 32
Pattern: [\w+=,.@-]*
The name of the federated user. The name is used as an identifier
for the temporary security credentials (such as Bob
). For example, you can reference the federated user name in a
resource-based policy, such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
public void setName(String name)
The name of the federated user. The name is used as an identifier for the
temporary security credentials (such as Bob). For example,
you can reference the federated user name in a resource-based policy,
such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 32
Pattern: [\w+=,.@-]*
name -
The name of the federated user. The name is used as an
identifier for the temporary security credentials (such as
Bob). For example, you can reference the
federated user name in a resource-based policy, such as in an
Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
public GetFederationTokenRequest withName(String name)
The name of the federated user. The name is used as an identifier for the
temporary security credentials (such as Bob). For example,
you can reference the federated user name in a resource-based policy,
such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Returns a reference to this object so that method calls can be chained together.
Constraints:
Length: 2 - 32
Pattern: [\w+=,.@-]*
name -
The name of the federated user. The name is used as an
identifier for the temporary security credentials (such as
Bob). For example, you can reference the
federated user name in a resource-based policy, such as in an
Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
public String getPolicy()
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that
has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has the
permissions allowed by the policy. These permissions are granted
in addition to the permissions that are granted by the session
policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are
to the upper size limit.
public void setPolicy(String policy)
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
policy - An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource
that has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has
the permissions allowed by the policy. These permissions are
granted in addition to the permissions that are granted by the
session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
public GetFederationTokenRequest withPolicy(String policy)
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
Returns a reference to this object so that method calls can be chained together.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
policy - An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource
that has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has
the permissions allowed by the policy. These permissions are
granted in addition to the permissions that are granted by the
session policies.
The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
public List<PolicyDescriptorType> getPolicyArns()
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that
has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has the
permissions allowed by the policy. These permissions are granted
in addition to the permissions that are granted by the session
policies.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are
to the upper size limit.
public void setPolicyArns(Collection<PolicyDescriptorType> policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
policyArns - The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource
that has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has
the permissions allowed by the policy. These permissions are
granted in addition to the permissions that are granted by the
session policies.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
public GetFederationTokenRequest withPolicyArns(PolicyDescriptorType... policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
Returns a reference to this object so that method calls can be chained together.
policyArns - The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource
that has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has
the permissions allowed by the policy. These permissions are
granted in addition to the permissions that are granted by the
session policies.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
public GetFederationTokenRequest withPolicyArns(Collection<PolicyDescriptorType> policyArns)
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
Returns a reference to this object so that method calls can be chained together.
policyArns - The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource
that has a resource-based policy. If that policy specifically
references the federated user session in the
Principal element of the policy, the session has
the permissions allowed by the policy. These permissions are
granted in addition to the permissions that are granted by the
session policies.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
public Integer getDurationSeconds()
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
Constraints:
Range: 900 - 129600
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
public void setDurationSeconds(Integer durationSeconds)
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
Constraints:
Range: 900 - 129600
durationSeconds - The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
public GetFederationTokenRequest withDurationSeconds(Integer durationSeconds)
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
Returns a reference to this object so that method calls can be chained together.
Constraints:
Range: 900 - 129600
durationSeconds - The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
public List<Tag> getTags()
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are
to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is
preserved. This means that you cannot have separate
Department and department tag keys.
Assume that the role has the Department=
Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved
as separate tags, and the session tag passed in the request takes
precedence over the role tag.
public void setTags(Collection<Tag> tags)
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
tags - A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is
preserved. This means that you cannot have separate
Department and department tag keys.
Assume that the role has the Department=
Marketing tag and you pass the
department=engineering session tag.
Department and department are not
saved as separate tags, and the session tag passed in the
request takes precedence over the role tag.
public GetFederationTokenRequest withTags(Tag... tags)
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
Returns a reference to this object so that method calls can be chained together.
tags - A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is
preserved. This means that you cannot have separate
Department and department tag keys.
Assume that the role has the Department=
Marketing tag and you pass the
department=engineering session tag.
Department and department are not
saved as separate tags, and the session tag passed in the
request takes precedence over the role tag.
public GetFederationTokenRequest withTags(Collection<Tag> tags)
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and session tags
into a packed binary format that has a separate limit. Your request can
fail for this limit even if your plain text meets the other requirements.
The PackedPolicySize response element indicates by
percentage how close the policies and tags for your request are to the
upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
Returns a reference to this object so that method calls can be chained together.
tags - A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An AWS conversion compresses the passed session policies and
session tags into a packed binary format that has a separate
limit. Your request can fail for this limit even if your plain
text meets the other requirements. The
PackedPolicySize response element indicates by
percentage how close the policies and tags for your request
are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is
preserved. This means that you cannot have separate
Department and department tag keys.
Assume that the role has the Department=
Marketing tag and you pass the
department=engineering session tag.
Department and department are not
saved as separate tags, and the session tag passed in the
request takes precedence over the role tag.
public String toString()
toString in class ObjectObject.toString()Copyright © 2020. All rights reserved.