CreateSession API
Returns temporary security credentials for workloads that have been authenticated with IAM Roles Anywhere, so they can access Amazon resources.
Request Syntax
POST /sessions HTTP/1.1
Content-type: application/json

{
   "durationSeconds": number,
   "profileArn": string,
   "roleArn": string,
   "trustAnchorArn": string
}
URI Request Parameters
The request does not use any URI parameters.
Request Body
The request accepts the following data in JSON format.
durationSeconds
-
The duration, in seconds, of the role session. The value is optional and can range from 900 seconds (15 minutes) up to 43200 seconds (12 hours). See the Expiration subsection of the Credentials Object section for more details on how this value is used in determining the expiration of the vended session.
Type: Number
Required: No
profileArn
-
The Amazon Resource Name (ARN) of the profile.
Type: String
Required: Yes
roleArn
-
The Amazon Resource Name (ARN) of the role to assume.
Type: String
Required: Yes
sessionName
-
Reserved for future use.
Type: String
Required: No
trustAnchorArn
-
The Amazon Resource Name (ARN) of the trust anchor.
Type: String
Required: Yes
Response Syntax
HTTP/1.1 201
Content-type: application/json

{
   "credentialSet": [
      {
         "assumedRoleUser": {
            "arn": ARN,
            "assumedRoleId": String
         },
         "credentials": {
            "accessKeyId": String,
            "expiration": Timestamp,
            "secretAccessKey": String,
            "sessionToken": String
         },
         "packedPolicySize": Number,
         "roleArn": ARN,
         "sourceIdentity": String
      }
   ],
   "subjectArn": ARN
}
Response Elements
If the action is successful, the service sends back an HTTP 201 response.
The following data is returned in JSON format by the service.
assumedRoleUser
-
The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you can use to refer to the resulting temporary security credentials.
Type: AssumedRoleUser object
credentials
-
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
Type: Credentials Object
packedPolicySize
-
A percentage value that indicates the combined packed size of the session policies and session tags passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
Type: Integer
Valid Range: Minimum value of 0
sourceIdentity
-
The source identity is specified by the principal that is calling the CreateSession operation. For more information on how the source identity is derived, see the Trust Model section.
Type: String
Pattern:
[\p{L}\p{Z}\p{N}_.:/=+\-@]+
roleArn
-
The Amazon Resource Name (ARN) of the assumed role.
Type: String
subjectArn
-
The Amazon Resource Name (ARN) of the Subject resource.
The Subject resource records the history of the principal that is calling the CreateSession operation, including its first recorded authentication time and its last recorded authentication time.
Type: String
Credentials Object
Amazon credentials for API authentication.
AccessKeyId
-
The access key ID that identifies the temporary security credentials.
Type: String
Length Constraints: Minimum length of 16. Maximum length of 128.
Required: Yes
Expiration
-
The time at which the vended credentials expire. This value is determined based on the values set for profileDurationSeconds and createSessionDurationSeconds, where profileDurationSeconds is the value of the durationSeconds field that's set on the profile referenced in the call to CreateSession, and createSessionDurationSeconds is the value of the durationSeconds parameter in the request to CreateSession. From this, finalDurationSeconds is determined by the following:

   finalDurationSeconds = min(profileDurationSeconds, createSessionDurationSeconds)

where finalDurationSeconds is the value for durationSeconds that will be sent in the AssumeRole request to assume the target role. If createSessionDurationSeconds isn't provided, then finalDurationSeconds = profileDurationSeconds. From this, Expiration is determined by the following:

   Expiration = CurrentTime + finalDurationSeconds

Note that if finalDurationSeconds is greater than the maximum session duration (MaxSessionDuration) set on the role, you will receive an error response from the API.
Type: Timestamp
Required: Yes
SecretAccessKey
-
The secret access key that can be used to sign requests.
Type: String
Required: Yes
SessionToken
-
The token that users must pass to the service API to use the temporary credentials.
Type: String
Required: Yes
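The duration rules from the Expiration subsection, written out as an added example (not code from the service or the AWS SDK): it resolves finalDurationSeconds the way the page describes, rejects the cases the API rejects, and then checks a returned Credentials Object against the locally computed expiration bound. The sample credentials, the role's MaxSessionDuration value and the 60-second skew tolerance are constructed here and are not values from the page.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Accepted range for the durationSeconds request parameter (15 minutes to 12 hours).
MIN_DURATION_SECONDS = 900
MAX_DURATION_SECONDS = 43200


def resolve_session_duration(profile_duration_seconds: int,
                             create_session_duration_seconds: Optional[int],
                             role_max_session_duration: int) -> int:
    """Return finalDurationSeconds for a CreateSession call.

    finalDurationSeconds = min(profileDurationSeconds, createSessionDurationSeconds),
    or just profileDurationSeconds when the request omits durationSeconds.
    A result above the role's MaxSessionDuration is the case the API rejects,
    so it is raised here rather than silently clamped.
    """
    if create_session_duration_seconds is None:
        final = profile_duration_seconds
    else:
        if not MIN_DURATION_SECONDS <= create_session_duration_seconds <= MAX_DURATION_SECONDS:
            raise ValueError("durationSeconds must be between 900 and 43200")
        final = min(profile_duration_seconds, create_session_duration_seconds)
    if final > role_max_session_duration:
        raise ValueError("finalDurationSeconds exceeds the role's MaxSessionDuration")
    return final


def expected_expiration(current_time: datetime, final_duration_seconds: int) -> datetime:
    """Expiration = CurrentTime + finalDurationSeconds."""
    return current_time + timedelta(seconds=final_duration_seconds)


def check_credentials(credentials: dict, current_time: datetime,
                      final_duration_seconds: int, tolerance_seconds: int = 60) -> bool:
    """Sanity-check a Credentials Object from the response.

    Enforces the accessKeyId length constraint (16..128) and flags a vended
    expiration later than the computed bound plus a small clock-skew tolerance,
    so an unexpectedly long-lived session does not go unnoticed.
    """
    if not 16 <= len(credentials["accessKeyId"]) <= 128:
        return False
    exp = datetime.fromisoformat(credentials["expiration"].replace("Z", "+00:00"))
    bound = expected_expiration(current_time, final_duration_seconds)
    return exp <= bound + timedelta(seconds=tolerance_seconds)


# Constructed sample response fragment (placeholder values, not real credentials).
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = {"accessKeyId": "ASIAEXAMPLE0000000000", "secretAccessKey": "x",
                      "sessionToken": "x", "expiration": "2024-01-01T13:00:00Z"}
```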
The relationship between CreateSession and AssumeRole
CreateSession is an X.509 wrapper around AssumeRole.