Difference between revisions of "Aws sts get-session-token"
Jump to navigation
Jump to search
(→Errors) |
(→Errors) |
||
| (35 intermediate revisions by 2 users not shown) | |||
| Line 1: | Line 1: | ||
{{lowercase}} | {{lowercase}} | ||
| − | https:// | + | https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html |
| − | * <code>[[aws sts]] get-session-token --serial-number <mfa_device> --token-code <token></code> | + | [[aws sts]] get-session-token --profile "$1" [[--serial-number]] "$2" [[--token-code]] $MFA_CODE |
| + | |||
| + | * Duration: 12 hours (43,200 seconds) as the default. Valid range: 15 minutes to 36 hours (129,600 seconds). | ||
| + | |||
| + | == Examples == | ||
| + | * <code>[[aws sts]] get-session-token --serial-number <[[mfa_device]]> [[--token-code]] <token></code> | ||
* <code>[[aws sts]] get-session-token --serial-number [[arn]]:aws:iam::62405745487395:mfa/yourname --token-code 123456</code> | * <code>[[aws sts]] get-session-token --serial-number [[arn]]:aws:iam::62405745487395:mfa/yourname --token-code 123456</code> | ||
| + | * <code>[[aws sts]] get-session-token --serial-number [[arn]]:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456 </code> | ||
| + | * <code>[[aws sts]] get-session-token --serial-number [[arn]]:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456 --output text</code> | ||
| + | |||
| + | == Synopsys == | ||
| + | get-session-token | ||
| + | [--duration-seconds <value>] | ||
| + | [--serial-number <value>] | ||
| + | [--token-code <value>] | ||
| + | [--cli-input-json <value>] | ||
| + | [--generate-cli-skeleton <value>] | ||
== Example == | == Example == | ||
| Line 10: | Line 25: | ||
[[--serial-number]] "[[arn]]:aws:iam::62405745487395:[[mfa]]/yourname" \ | [[--serial-number]] "[[arn]]:aws:iam::62405745487395:[[mfa]]/yourname" \ | ||
--token-code 123456 | --token-code 123456 | ||
| − | + | ||
{ | { | ||
"Credentials": { | "Credentials": { | ||
| − | "AccessKeyId": "AKIAIOSFODNN7EXAMPLE", | + | "[[AccessKeyId]]": "AKIAIOSFODNN7EXAMPLE", |
| − | "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", | + | "[[SecretAccessKey]]": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY", |
| − | "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE", | + | "[[SessionToken]]": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE", |
"Expiration": "2020-05-19T18:06:10+00:00" | "Expiration": "2020-05-19T18:06:10+00:00" | ||
} | } | ||
| Line 22: | Line 37: | ||
== Errors == | == Errors == | ||
[[An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.]] | [[An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.]] | ||
| + | Solution: make sure you are using a [[mfa]] [[ARN]], <code>arn:aws:iam::62405745487395:[[mfa]]/yourname</code> | ||
| − | Solution: | + | [[An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials]] |
| + | Solution: make sure to add your generated credentials including [[AWS_SESSION_TOKEN]] to your [[credentials]] file | ||
| + | |||
| + | [[An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code.]] | ||
| + | |||
| + | An error occurred ([[ExpiredToken]]) when calling the XXX operation: The provided token has expired. | ||
| + | |||
| + | An error occurred ([[InvalidClientTokenId]]) when calling the GetSessionToken operation: [[The security token included in the request is invalid]] | ||
| + | |||
| + | An error occurred ([[ExpiredToken]]) when calling the GetSessionToken operation: [[The security token included in the request is expired]] | ||
== Related terms == | == Related terms == | ||
* [[MFA]] | * [[MFA]] | ||
* <code>[[aws iam list-virtual-mfa-devices --output text]]</code> | * <code>[[aws iam list-virtual-mfa-devices --output text]]</code> | ||
| + | * <code>[[AWS_SESSION_TOKEN]]</code> | ||
| + | * <code>[[AWS_DEFAULT_REGION]]</code> | ||
| + | * <code>[[aws-sts-get-session-token]]</code> script | ||
| + | * [[Terraform AWS provider]]: <code>[[assume_role]]</code> | ||
| + | * <code>[[aws sts get-federation-token]]</code> | ||
| + | * [[1password]] | ||
| + | * [[aws eks get-token]] | ||
| + | |||
| + | == Activities == | ||
| + | * Read https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/ | ||
| + | * [[Using temporary credentials with AWS resources]] | ||
| − | ==See also== | + | == See also == |
* {{aws sts}} | * {{aws sts}} | ||
* {{aws iam}} | * {{aws iam}} | ||
[[Category:AWS]] | [[Category:AWS]] | ||
Revision as of 10:02, 12 February 2024
https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html
aws sts get-session-token --profile "$1" --serial-number "$2" --token-code $MFA_CODE
- Duration: 12 hours (43,200 seconds) as the default. Valid range: 15 minutes to 36 hours (129,600 seconds).
Examples
aws sts get-session-token --serial-number <mfa_device> --token-code <token>aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --token-code 123456aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456aws sts get-session-token --serial-number arn:aws:iam::62405745487395:mfa/yourname --duration-seconds 129600 --token-code 123456 --output text
Synopsys
get-session-token [--duration-seconds <value>] [--serial-number <value>] [--token-code <value>] [--cli-input-json <value>] [--generate-cli-skeleton <value>]
Example
aws sts get-session-token \
--duration-seconds 900 \
--serial-number "arn:aws:iam::62405745487395:mfa/yourname" \
--token-code 123456
{
"Credentials": {
"AccessKeyId": "AKIAIOSFODNN7EXAMPLE",
"SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
"SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
"Expiration": "2020-05-19T18:06:10+00:00"
}
}
Errors
An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, unable to validate MFA code. Please verify your MFA serial number is valid and associated with this user.
Solution: make sure you are using a mfa ARN, arn:aws:iam::62405745487395:mfa/yourname
An error occurred (AuthFailure) when calling the DescribeInstances operation: AWS was not able to validate the provided access credentials Solution: make sure to add your generated credentials including AWS_SESSION_TOKEN to your credentials file
An error occurred (AccessDenied) when calling the GetSessionToken operation: MultiFactorAuthentication failed, must provide both MFA serial number and one time pass code.
An error occurred (ExpiredToken) when calling the XXX operation: The provided token has expired.
An error occurred (InvalidClientTokenId) when calling the GetSessionToken operation: The security token included in the request is invalid
An error occurred (ExpiredToken) when calling the GetSessionToken operation: The security token included in the request is expired
Related terms
- MFA
aws iam list-virtual-mfa-devices --output textAWS_SESSION_TOKENAWS_DEFAULT_REGIONaws-sts-get-session-tokenscript- Terraform AWS provider:
assume_role aws sts get-federation-token- 1password
- aws eks get-token
Activities
- Read https://aws.amazon.com/premiumsupport/knowledge-center/authenticate-mfa-cli/
- Using temporary credentials with AWS resources
See also
- AWS STS
(sts:),aws sts[get-session-token|get-caller-identity|assume-role | assume-role-with-web-identity | assume-role-with-saml | get-access-key-info ] aws iam[create-user,create-group, get-user,list-users|list-policies|list-attached-user-policies|attach-user-policy|list-attached-user-policies|list-roles|get-account-summary|put-group-policy | put-role-policy | put-user-policy|create-login-profile|aws iam delete-virtual-mfa-device|aws iam list-virtual-mfa-devices|aws iam create-saml-provider|aws iam list-account-aliases|aws iam create-role | aws iam change-password| enable-mfa-device | list-instance-profiles
Advertising:
