2023-03-31 05:36:53 -07:00
# AWS STS code examples for the SDK for Python
## Overview
Shows how to use the AWS SDK for Python (Boto3) to work with AWS Security Token Service (AWS STS).
<!--custom.overview.start-->
<!--custom.overview.end-->
2024-01-05 10:05:03 -05:00
_ AWS STS creates and provides trusted users with temporary security credentials that can control access to your AWS resources. _
2023-03-31 05:36:53 -07:00
## ⚠ Important
2024-01-05 10:05:03 -05:00
* Running this code might result in charges to your AWS account. For more details, see [AWS Pricing ](https://aws.amazon.com/pricing/ ) and [Free Tier ](https://aws.amazon.com/free/ ).
2023-03-31 05:36:53 -07:00
* Running the tests might result in charges to your AWS account.
* We recommend that you grant your code least privilege. At most, grant only the minimum permissions required to perform the task. For more information, see [Grant least privilege ](https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#grant-least-privilege ).
* This code is not tested in every AWS Region. For more information, see [AWS Regional Services ](https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services ).
<!--custom.important.start-->
<!--custom.important.end-->
## Code examples
2023-04-13 11:38:14 -07:00
### Prerequisites
For prerequisites, see the [README ](../../README.md#Prerequisites ) in the `python` folder.
Install the packages required by these examples by running the following in a virtual environment:
```
python -m pip install -r requirements.txt
```
<!--custom.prerequisites.start-->
<!--custom.prerequisites.end-->
2023-03-31 05:36:53 -07:00
### Single actions
Code excerpts that show you how to call individual service functions.
2024-04-30 12:22:08 -07:00
- [AssumeRole ](assume_role_mfa.py#L181 )
- [GetSessionToken ](session_token.py#L117 )
2023-03-31 05:36:53 -07:00
### Scenarios
Code examples that show you how to accomplish a specific task by calling multiple
functions within the same service.
2024-01-05 10:05:03 -05:00
- [Assume an IAM role that requires an MFA token ](assume_role_mfa.py )
- [Construct a URL for federated users ](federated_url.py )
- [Get a session token that requires an MFA token ](session_token.py )
<!--custom.examples.start-->
<!--custom.examples.end-->
2023-03-31 05:36:53 -07:00
## Run the examples
### Instructions
<!--custom.instructions.start-->
<!--custom.instructions.end-->
2023-04-13 11:38:14 -07:00
2023-03-31 05:36:53 -07:00
#### Assume an IAM role that requires an MFA token
This example shows you how to assume a role that requires an MFA token.
2024-01-05 10:05:03 -05:00
- Create an IAM role that grants permission to list Amazon S3 buckets.
- Create an IAM user that has permission to assume the role only when MFA credentials are provided.
- Register an MFA device for the user.
- Assume the role and use temporary credentials to list S3 buckets.
2023-03-31 05:36:53 -07:00
2023-04-13 11:38:14 -07:00
<!--custom.scenario_prereqs.sts_Scenario_AssumeRoleMfa.start-->
<!--custom.scenario_prereqs.sts_Scenario_AssumeRoleMfa.end-->
2023-03-31 05:36:53 -07:00
Start the example by running the following at a command prompt:
```
python assume_role_mfa.py
```
2023-10-13 14:57:41 -05:00
2023-03-31 05:36:53 -07:00
<!--custom.scenarios.sts_Scenario_AssumeRoleMfa.start-->
<!--custom.scenarios.sts_Scenario_AssumeRoleMfa.end-->
#### Construct a URL for federated users
This example shows you how to do the following:
2024-01-05 10:05:03 -05:00
- Create an IAM role that grants read-only access to the current account's Amazon S3 resources.
- Get a security token from the AWS federation endpoint.
- Construct a URL that can be used to access the console with federated credentials.
2023-03-31 05:36:53 -07:00
2023-04-13 11:38:14 -07:00
<!--custom.scenario_prereqs.sts_Scenario_ConstructFederatedUrl.start-->
<!--custom.scenario_prereqs.sts_Scenario_ConstructFederatedUrl.end-->
2023-03-31 05:36:53 -07:00
Start the example by running the following at a command prompt:
```
python federated_url.py
```
2023-10-13 14:57:41 -05:00
2023-03-31 05:36:53 -07:00
<!--custom.scenarios.sts_Scenario_ConstructFederatedUrl.start-->
<!--custom.scenarios.sts_Scenario_ConstructFederatedUrl.end-->
#### Get a session token that requires an MFA token
This example shows you how to get a session token that requires an MFA token.
2024-01-05 10:05:03 -05:00
- Create an IAM role that grants permission to list Amazon S3 buckets.
- Create an IAM user that has permission to assume the role only when MFA credentials are provided.
- Register an MFA device for the user.
- Provide MFA credentials to get a session token and use temporary credentials to list S3 buckets.
2023-03-31 05:36:53 -07:00
2023-04-13 11:38:14 -07:00
<!--custom.scenario_prereqs.sts_Scenario_SessionTokenMfa.start-->
<!--custom.scenario_prereqs.sts_Scenario_SessionTokenMfa.end-->
2023-03-31 05:36:53 -07:00
Start the example by running the following at a command prompt:
```
python session_token.py
```
2023-10-13 14:57:41 -05:00
2023-03-31 05:36:53 -07:00
<!--custom.scenarios.sts_Scenario_SessionTokenMfa.start-->
<!--custom.scenarios.sts_Scenario_SessionTokenMfa.end-->
### Tests
⚠ Running tests might result in charges to your AWS account.
To find instructions for running these tests, see the [README ](../../README.md#Tests )
in the `python` folder.
<!--custom.tests.start-->
<!--custom.tests.end-->
## Additional resources
2024-01-05 10:05:03 -05:00
- [AWS STS User Guide ](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html )
- [AWS STS API Reference ](https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html )
- [SDK for Python AWS STS reference ](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/sts.html )
2023-03-31 05:36:53 -07:00
<!--custom.resources.start-->
<!--custom.resources.end-->
---
Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
SPDX-License-Identifier: Apache-2.0
