STS class
AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.
Constructors
- STS({String? region, AwsClientCredentials? credentials, AwsClientCredentialsProvider? credentialsProvider, Client? client, String? endpointUrl})
Properties
Methods
-
assumeRole(
{required String roleArn, required String roleSessionName, int? durationSeconds, String? externalId, String? policy, List< PolicyDescriptorType> ? policyArns, String? serialNumber, List<Tag> ? tags, String? tokenCode, List<String> ? transitiveTagKeys}) → Future<AssumeRoleResponse> -
Returns a set of temporary security credentials that you can use to access
AWS resources that you might not normally have access to. These temporary
credentials consist of an access key ID, a secret access key, and a
security token. Typically, you use
AssumeRole
within your account or for cross-account access. For a comparison ofAssumeRole
with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account. Then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the IAM User Guide. -
assumeRoleWithSAML(
{required String principalArn, required String roleArn, required String sAMLAssertion, int? durationSeconds, String? policy, List< PolicyDescriptorType> ? policyArns}) → Future<AssumeRoleWithSAMLResponse> -
Returns a set of temporary security credentials for users who have been
authenticated via a SAML authentication response. This operation provides
a mechanism for tying an enterprise identity store or directory to
role-based AWS access without user-specific credentials or configuration.
For a comparison of
AssumeRoleWithSAML
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. -
assumeRoleWithWebIdentity(
{required String roleArn, required String roleSessionName, required String webIdentityToken, int? durationSeconds, String? policy, List< PolicyDescriptorType> ? policyArns, String? providerId}) → Future<AssumeRoleWithWebIdentityResponse> - Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.
-
close(
) → void - Closes the internal HTTP client if none was provided at creation. If a client was passed as a constructor argument, this becomes a noop.
-
decodeAuthorizationMessage(
{required String encodedMessage}) → Future< DecodeAuthorizationMessageResponse> - Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.
-
getAccessKeyInfo(
{required String accessKeyId}) → Future< GetAccessKeyInfoResponse> - Returns the account identifier for the specified access key ID.
-
getCallerIdentity(
) → Future< GetCallerIdentityResponse> - Returns details about the IAM user or role whose credentials are used to call the operation.
-
getFederationToken(
{required String name, int? durationSeconds, String? policy, List< PolicyDescriptorType> ? policyArns, List<Tag> ? tags}) → Future<GetFederationTokenResponse> -
Returns a set of temporary security credentials (consisting of an access
key ID, a secret access key, and a security token) for a federated user. A
typical use is in a proxy application that gets temporary security
credentials on behalf of distributed applications inside a corporate
network. You must call the
GetFederationToken
operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison ofGetFederationToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. You can also callGetFederationToken
using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide. -
getSessionToken(
{int? durationSeconds, String? serialNumber, String? tokenCode}) → Future< GetSessionTokenResponse> -
Returns a set of temporary credentials for an AWS account or IAM user. The
credentials consist of an access key ID, a secret access key, and a
security token. Typically, you use
GetSessionToken
if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2StopInstances
. MFA-enabled IAM users would need to callGetSessionToken
and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison ofGetSessionToken
with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. -
noSuchMethod(
Invocation invocation) → dynamic -
Invoked when a nonexistent method or property is accessed.
inherited
-
toString(
) → String -
A string representation of this object.
inherited
Operators
-
operator ==(
Object other) → bool -
The equality operator.
inherited