STS class

AWS Security Token Service (STS) enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more information about using this service, see Temporary Security Credentials.

Constructors

STS({String? region, AwsClientCredentials? credentials, AwsClientCredentialsProvider? credentialsProvider, Client? client, String? endpointUrl})

Properties

hashCode → int

The hash code for this object.

no setter, inherited

runtimeType → Type

A representation of the runtime type of the object.

no setter, inherited

shapes → Map<String, Shape>

final

Methods

assumeRole({required String roleArn, required String roleSessionName, int? durationSeconds, String? externalId, String? policy, List<PolicyDescriptorType>? policyArns, String? serialNumber, List<Tag>? tags, String? tokenCode, List<String>? transitiveTagKeys}) → Future<AssumeRoleResponse>

Returns a set of temporary security credentials that you can use to access AWS resources that you might not normally have access to. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access. For a comparison of AssumeRole with other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. For cross-account access, imagine that you own multiple accounts and need to access resources in each account. You could create long-term credentials in each account to access those resources. However, managing all those credentials and remembering which one can access which account can be time consuming. Instead, you can create one set of long-term credentials in one account. Then use temporary security credentials to access all the other accounts by assuming roles in those accounts. For more information about roles, see IAM Roles in the IAM User Guide.

assumeRoleWithSAML({required String principalArn, required String roleArn, required String sAMLAssertion, int? durationSeconds, String? policy, List<PolicyDescriptorType>? policyArns}) → Future<AssumeRoleWithSAMLResponse>

Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based AWS access without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

assumeRoleWithWebIdentity({required String roleArn, required String roleSessionName, required String webIdentityToken, int? durationSeconds, String? policy, List<PolicyDescriptorType>? policyArns, String? providerId}) → Future<AssumeRoleWithWebIdentityResponse>

Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application with a web identity provider. Example providers include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity provider.

close() → void

Closes the internal HTTP client if none was provided at creation. If a client was passed as a constructor argument, this becomes a noop.

decodeAuthorizationMessage({required String encodedMessage}) → Future<DecodeAuthorizationMessageResponse>

Decodes additional information about the authorization status of a request from an encoded message returned in response to an AWS request.

getAccessKeyInfo({required String accessKeyId}) → Future<GetAccessKeyInfoResponse>

Returns the account identifier for the specified access key ID.

getCallerIdentity() → Future<GetCallerIdentityResponse>

Returns details about the IAM user or role whose credentials are used to call the operation.

getFederationToken({required String name, int? durationSeconds, String? policy, List<PolicyDescriptorType>? policyArns, List<Tag>? tags}) → Future<GetFederationTokenResponse>

Returns a set of temporary security credentials (consisting of an access key ID, a secret access key, and a security token) for a federated user. A typical use is in a proxy application that gets temporary security credentials on behalf of distributed applications inside a corporate network. You must call the GetFederationToken operation using the long-term security credentials of an IAM user. As a result, this call is appropriate in contexts where those credentials can be safely stored, usually in a server-based application. For a comparison of GetFederationToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide. You can also call GetFederationToken using the security credentials of an AWS account root user, but we do not recommend it. Instead, we recommend that you create an IAM user for the purpose of the proxy application. Then attach a policy to the IAM user that limits federated users to only the actions and resources that they need to access. For more information, see IAM Best Practices in the IAM User Guide.

getSessionToken({int? durationSeconds, String? serialNumber, String? tokenCode}) → Future<GetSessionTokenResponse>

Returns a set of temporary credentials for an AWS account or IAM user. The credentials consist of an access key ID, a secret access key, and a security token. Typically, you use GetSessionToken if you want to use MFA to protect programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would need to call GetSessionToken and submit an MFA code that is associated with their MFA device. Using the temporary security credentials that are returned from the call, IAM users can then make programmatic calls to API operations that require MFA authentication. If you do not supply a correct MFA code, then the API returns an access denied error. For a comparison of GetSessionToken with the other API operations that produce temporary credentials, see Requesting Temporary Security Credentials and Comparing the AWS STS API operations in the IAM User Guide.

noSuchMethod(Invocation invocation) → dynamic

Invoked when a nonexistent method or property is accessed.

inherited

toString() → String

A string representation of this object.

inherited

Operators

operator ==(Object other) → bool

The equality operator.

inherited