Use temporary credentials from Amazon STS - Amazon SDK for PHP

Use temporary credentials from Amazon STS

Amazon Security Token Service (Amazon STS) enables you to request limited-privilege, temporary credentials for IAM users, or for users that you authenticate via identity federation. For a deeper understanding, see Temporary Security Credentials in the IAM User Guide. You can use temporary security credentials to access most Amazon services. For a list of the services that accept temporary security credentials, see Amazon services that work with IAM in the IAM User Guide.

One common use case for temporary credentials is to grant mobile or client-side applications access to Amazon resources by authenticating users through third-party identity providers (see Web Identity Federation).

Getting temporary credentials

Amazon STS has several operations that return temporary credentials, but the GetSessionToken operation is the simplest to demonstrate. The following snippet retrieves temporary credentials by calling the getSessionToken method of the PHP SDK's STS client.

$sdk = new Aws\Sdk([
    'region' => 'us-east-1',
]);

$stsClient = $sdk->createSts();
$result = $stsClient->getSessionToken();

The result for GetSessionToken and the other Amazon STS operations always contains a 'Credentials' value. If you print the $result (for example by using print_r($result)), it looks like the following.

Array
(
    ...
    [Credentials] => Array
        (
            [SessionToken] => '<base64 encoded session token value>'
            [SecretAccessKey] => '<temporary secret access key value>'
            [Expiration] => 2013-11-01T01:57:52Z
            [AccessKeyId] => '<temporary access key value>'
        )
    ...
)

Providing temporary credentials to the Amazon SDK for PHP

You can use temporary credentials with another Amazon client by instantiating the client and passing in the values received from Amazon STS directly.

use Aws\S3\S3Client;

$result = $stsClient->getSessionToken();

$s3Client = new S3Client([
    'version'     => '2006-03-01',
    'region'      => 'us-west-2',
    'credentials' => [
        'key'    => $result['Credentials']['AccessKeyId'],
        'secret' => $result['Credentials']['SecretAccessKey'],
        'token'  => $result['Credentials']['SessionToken']
    ]
]);

You can also construct an Aws\Credentials\Credentials object and use that when instantiating the client.

use Aws\Credentials\Credentials;
use Aws\S3\S3Client;

$result = $stsClient->getSessionToken();

$credentials = new Credentials(
    $result['Credentials']['AccessKeyId'],
    $result['Credentials']['SecretAccessKey'],
    $result['Credentials']['SessionToken']
);

$s3Client = new S3Client([
    'version'     => '2006-03-01',
    'region'      => 'us-west-2',
    'credentials' => $credentials
]);

However, the best way to provide temporary credentials is to use the createCredentials() helper method included with the StsClient. This method extracts the data from an Amazon STS result and creates the Credentials object for you.

$result = $stsClient->getSessionToken();
$credentials = $stsClient->createCredentials($result);

$s3Client = new S3Client([
    'version'     => '2006-03-01',
    'region'      => 'us-west-2',
    'credentials' => $credentials
]);
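Building on the createCredentials() approach, the following is an added example (not part of the SDK documentation) that bounds the token lifetime with the DurationSeconds request parameter, inspects the expiry of the returned Credentials object before use, and wraps the STS call in a memoized credential provider so the S3 client refreshes the session token on its own once it expires; the helper names sessionProvider and secondsRemaining are assumptions.

```php
<?php
// Added example: short-lived STS session credentials with explicit expiry handling.
require 'vendor/autoload.php';

use Aws\Credentials\CredentialProvider;
use Aws\Credentials\CredentialsInterface;
use Aws\S3\S3Client;
use Aws\Sdk;
use GuzzleHttp\Promise\Create;

$sdk = new Sdk([
    'region'  => 'us-east-1',
    'version' => 'latest',
]);
$stsClient = $sdk->createSts();

// Hypothetical helper: seconds until a Credentials object expires (0 if already expired).
// getExpiration() returns a Unix timestamp, or null for credentials that never expire.
function secondsRemaining(CredentialsInterface $creds): int
{
    $expiration = $creds->getExpiration();
    return $expiration === null ? PHP_INT_MAX : max(0, $expiration - time());
}

// Hypothetical provider: every call asks STS for a fresh session token whose lifetime
// is capped at 900 seconds (the smallest DurationSeconds GetSessionToken accepts), so a
// leaked token is only usable for a short window. The SDK expects a promise here.
$sessionProvider = function () use ($stsClient) {
    $result = $stsClient->getSessionToken(['DurationSeconds' => 900]);
    return Create::promiseFor($stsClient->createCredentials($result));
};

// One-off use: build the Credentials object and refuse to proceed if it is already stale.
$credentials = $sessionProvider()->wait();
if ($credentials->isExpired()) {
    throw new RuntimeException('STS session credentials expired before use');
}
printf("Session token valid for %d more seconds\n", secondsRemaining($credentials));

// Long-running use: memoize() caches the credentials and re-invokes $sessionProvider
// automatically once isExpired() becomes true, so no request is signed with a dead token.
$s3Client = new S3Client([
    'version'     => '2006-03-01',
    'region'      => 'us-west-2',
    'credentials' => CredentialProvider::memoize($sessionProvider),
]);
```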

For more information about why you might need to use temporary credentials in your application or project, see Scenarios for Granting Temporary Access in the Amazon STS documentation.