Example code using IAM query API operations Example code using Python Example code using Java Example showing how to construct the URL (Ruby)

Enable custom identity broker access to the AWS console

You can write and run code to create a URL that lets users who sign in to your organization's network securely access the AWS Management Console. The URL includes a sign-in token that you get from AWS and that authenticates the user to AWS. The resulting console session might include a distinct AccessKeyId due to federation. To trace the access key usage for federation sign-in through related CloudTrail events, see Logging IAM and AWS STS API calls with AWS CloudTrail and AWS Management Console sign-in events.

Note

If your organization uses an identity provider (IdP) that is compatible with SAML, you can set up access to the console without writing code. This works with providers like Microsoft's Active Directory Federation Services or open-source Shibboleth. For details, see Enabling SAML 2.0 federated principals to access the AWS Management Console.

To enable your organization's users to access the AWS Management Console, you can create a custom identity broker that performs the following steps:

Verify that the user is authenticated by your local identity system.
Call the AWS Security Token Service (AWS STS) AssumeRole (recommended) or GetFederationToken API operations to obtain temporary security credentials for the user. To learn about the different methods that you can use to assume a role, see Methods to assume a role. To learn how to pass optional session tags when you obtain your security credentials, see Pass session tags in AWS STS.
- If you use one of the AssumeRole* API operations to get the temporary security credentials for a role, you can include the DurationSeconds parameter in your call. This parameter specifies the duration of your role session, from 900 seconds (15 minutes) up to the maximum session duration setting for the role. When you use DurationSeconds in an AssumeRole* operation, you must call it as an IAM user with long-term credentials. Otherwise, the call to the federation endpoint in step 3 fails. To learn how to view or change the maximum value for a role, see Update the maximum session duration for a role.
- If you use the GetFederationToken API operation to get the credentials, you can include the DurationSeconds parameter in your call. This parameter specifies the duration of your role session. The value can range from 900 seconds (15 minutes) to 129,600 seconds (36 hours). You can make this API call only by using the long-term AWS security credentials of an IAM user. You can also make these calls using AWS account root user credentials, but we do not recommend it. If you make this call as the root user, the default session lasts for one hour. Or you can specify a session from 900 seconds (15 minutes) up to 3,600 seconds (one hour).
Call the AWS federation endpoint and supply the temporary security credentials to request a sign-in token.
Construct a URL for the console that includes the token:
- If you use one of the AssumeRole* API operations in your URL, you can include the SessionDuration HTTP parameter. This parameter specifies the duration of the console session, from 900 seconds (15 minutes) to 43200 seconds (12 hours).
- If you use the GetFederationToken API operation in your URL, you can include the DurationSeconds parameter. This parameter specifies the duration of the federated console session. The value can range from 900 seconds (15 minutes) to 129,600 seconds (36 hours).
  Note
  Your SessionDuration cannot be greater than or equal to the maximum session duration setting for the role you're assuming. For example, you're set the maximum session duration for the role you want to assume to 5 hours. Your SessionDuration parameter can be 16524 seconds or 4 hours and 59 seconds.
  
  Do not use the SessionDuration HTTP parameter when you get temporary credentials with GetFederationToken. The operation will fail.
  
  Using the credentials for one role to assume a different role is called role chaining. When you use role chaining, your new credentials are limited to a maximum duration of one hour. When you use roles to grant permissions to applications that run on EC2 instances, those applications are not subject to this limitation.
  
  Do not use the SessionDuration HTTP parameter when you get temporary credentials through role chaining. The operation will fail.
Give the URL to the user or invoke the URL on the user's behalf.

The URL that the federation endpoint provides is valid for 15 minutes after it is created. This differs from the duration (in seconds) of the temporary security credential session that is associated with the URL. Those credentials are valid for the duration you specified when you created them, starting from the time they were created.

Important

The URL grants access to your AWS resources through the AWS Management Console if you have enabled permissions in the associated temporary security credentials. For this reason, you should treat the URL as a secret. We recommend returning the URL through a secure redirect, for example, by using a 302 HTTP response status code over an SSL connection. For more information about the 302 HTTP response status code, go to RFC 2616, section 10.3.3.

To complete these tasks, you can use the HTTPS Query API for AWS Identity and Access Management (IAM) and the AWS Security Token Service (AWS STS). Or, you can use programming languages, such as Java, Ruby, or C#, along with the appropriate AWS SDK. Each of these methods is described in the following topics.

Topics

Example code using IAM query API operations
Example code using Python
Example code using Java
Example showing how to construct the URL (Ruby)

Example code using IAM query API operations

You can construct a URL that gives roles and federated principals direct access to the AWS Management Console. This task uses the IAM and AWS STS HTTPS Query API. For more information about making query requests, see Making Query Requests.

Note

The following procedure contains examples of text strings. To enhance readability, line breaks have been added to some of the longer examples. When you create these strings for your own use, you should omit any line breaks.

To give roles and federated principals access to your resources from the AWS Management Console

Authenticate the user in your identity and authorization system.
Obtain temporary security credentials for the user. The temporary credentials consist of an access key ID, a secret access key, and a session token. For more information about creating temporary credentials, see Temporary security credentials in IAM.

To get temporary credentials, you call either the AWS STS AssumeRole API (recommended) or the GetFederationToken API. For more information about the differences between these API operations, see Understanding the API Options for Securely Delegating Access to Your AWS Account in the AWS Security Blog.

Important
When you use the GetFederationToken API to create temporary security credentials, you must specify the permissions that the credentials grant to the user who assumes the role. For any of the API operations that begin with AssumeRole*, you use an IAM role to assign permissions. For the other API operations, the mechanism varies with the API. For more details, see Permissions for temporary security credentials. Additionally, if you use the AssumeRole* API operations, you must call them as an IAM user with long-term credentials. Otherwise, the call to the federation endpoint in step 3 fails.
After you obtain the temporary security credentials, build them into a JSON session string to exchange them for a sign-in token. The following example shows how to encode the credentials. You replace the placeholder text with the appropriate values from the credentials that you receive in the previous step.
```
{"sessionId":"*** temporary access key ID ***",
"sessionKey":"*** temporary secret access key ***",
"sessionToken":"*** session token ***"}
```
URL encode the session string from the previous step. Because the information that you are encoding is sensitive, we recommend that you avoid using a web service for this encoding. Instead, use a locally installed function or feature in your development toolkit to securely encode this information. You can use the urllib.quote_plus function in Python, the URLEncoder.encode function in Java, or the CGI.escape function in Ruby. See the examples later in this topic.
Note
AWS supports POST requests here.

Send your request to the AWS federation endpoint:

For a list of possible region-code values, see the Region column in AWS Sign-In endpoints. You can optionally use the default AWS Sign-In federation endpoint:

The request must include the Action and Session parameters, and (optionally) if you used an AssumeRole* API operation, a SessionDuration HTTP parameter as shown in the following example.
```
Action = getSigninToken
SessionDuration = time in seconds
Session = *** the URL encoded JSON string created in steps 3 & 4 ***
```
Note
The following instructions in this step only work using GET requests.

The SessionDuration HTTP parameter specifies the duration of the console session. This is separate from the duration of the temporary credentials that you specify using the DurationSeconds parameter. You can specify a SessionDuration maximum value of 43,200 (12 hours). If the SessionDuration parameter is missing, then the session defaults to the duration of the credentials that you retrieved from AWS STS in step 2 (which defaults to one hour). See the documentation for the AssumeRole API for details about how to specify a duration using the DurationSeconds parameter. The ability to create a console session that is longer than one hour is intrinsic to the getSigninToken operation of the federation endpoint.
Note
- Your SessionDuration cannot be greater than or equal to the maximum session duration setting for the role you're assuming. For example, you're set the maximum session duration for the role you want to assume to 5 hours. Your SessionDuration parameter can be 16524 seconds or 4 hours and 59 seconds.
- Do not use the SessionDuration HTTP parameter when you get temporary credentials with GetFederationToken. The operation will fail.
- Using the credentials for one role to assume a different role is called role chaining. When you use role chaining, your new credentials are limited to a maximum duration of one hour. When you use roles to grant permissions to applications that run on EC2 instances, those applications are not subject to this limitation.
- Do not use the SessionDuration HTTP parameter when you get temporary credentials through role chaining. The operation will fail.
When you enable console sessions with an extended duration, you increase the risk of credential exposure. To help you mitigate this risk, you can immediately disable the active console sessions for any role by choosing Revoke Sessions on the Role Summary IAM console page. For more information, see Revoke IAM role temporary security credentials.

The following is an example of what your request might look like. The lines are wrapped here for readability, but you should submit it as a one-line string.

The response from the federation endpoint is a JSON document with a SigninToken value. It will look similar to the following example.
```
{"SigninToken":"*** the SigninToken string ***"}
```
Note
AWS supports POST requests here.

Finally, create the URL that your users can use to access the AWS Management Console. The URL is the same federation URL endpoint that you used in Step 5, plus the following parameters:
```
?Action = login
&Issuer = *** the form-urlencoded URL for your internal sign-in page ***
&Destination = *** the form-urlencoded URL to the desired AWS console page ***
&SigninToken = *** the value of SigninToken received in the previous step ***
```
Note
The following instructions in this step only work using GET API.

The following example shows what the final URL might look like. The URL is valid for 15 minutes from the time it is created. The temporary security credentials and console session embedded within the URL are valid for the duration you specify in the SessionDuration HTTP parameter when you initially request them.

Example code using Python

The following examples show how to use Python to programmatically construct a URL that gives users direct access to the AWS Management Console. There are two examples:

Federate via GET requests to AWS
Federate via POST requests to AWS

Both examples use the the AWS SDK for Python (Boto3) and AssumeRole API to obtain temporary security credentials.

Do not include SessionDuration if your AssumeRoleSession credentials are from role chaining. If you include SessionDuration, the operation will fail.

Use GET Requests

Use POST Requests

Example code using Java

The following example shows how to use Java to programmatically construct a URL that gives users direct access to the AWS Management Console. The following code snippet uses the AWS SDK for Java.

Example showing how to construct the URL (Ruby)

The following example shows how to use Ruby to programmatically construct a URL that gives users direct access to the AWS Management Console. This code snippet uses the AWS SDK for Ruby.

Javascript is disabled or is unavailable in your browser.

To use the Amazon Web Services Documentation, Javascript must be enabled. Please refer to your browser's Help pages for instructions.

Document Conventions

AWS STS Regions and endpoints

Tags for IAM resources