tessl/maven-com-amazonaws--aws-java-sdk-sts
Java client library for Amazon Web Services Security Token Service (AWS STS) enabling temporary security credentials and federated user access
—
Pending
federation.mddocs/
Federation Operations
Federation functionality for obtaining temporary credentials through external identity providers and custom federation brokers. This enables proxy applications to distribute temporary credentials without embedding long-term AWS credentials.
Capabilities
Federation Token Generation
Returns temporary security credentials for federated users through a custom identity broker.
/**
* Returns temporary security credentials for federated users
* @param getFederationTokenRequest Request containing federated user name and policies
* @return Result containing temporary credentials and federated user information
* @throws MalformedPolicyDocumentException If session policy is malformed
* @throws PackedPolicyTooLargeException If session policies exceed size limits
* @throws RegionDisabledException If STS not activated in requested region
*/
GetFederationTokenResult getFederationToken(GetFederationTokenRequest getFederationTokenRequest);Request and Result Types:
public class GetFederationTokenRequest extends AmazonWebServiceRequest {
public GetFederationTokenRequest();
// Required parameters
public String getName();
public void setName(String name);
public GetFederationTokenRequest withName(String name);
// Optional parameters
public String getPolicy();
public void setPolicy(String policy);
public GetFederationTokenRequest withPolicy(String policy);
public List<PolicyDescriptorType> getPolicyArns();
public void setPolicyArns(List<PolicyDescriptorType> policyArns);
public GetFederationTokenRequest withPolicyArns(PolicyDescriptorType... policyArns);
public Integer getDurationSeconds();
public void setDurationSeconds(Integer durationSeconds);
public GetFederationTokenRequest withDurationSeconds(Integer durationSeconds);
public List<Tag> getTags();
public void setTags(List<Tag> tags);
public GetFederationTokenRequest withTags(Tag... tags);
}
public class GetFederationTokenResult {
public Credentials getCredentials();
public void setCredentials(Credentials credentials);
public FederatedUser getFederatedUser();
public void setFederatedUser(FederatedUser federatedUser);
public Integer getPackedPolicySize();
public void setPackedPolicySize(Integer packedPolicySize);
}Usage Examples:
import com.amazonaws.services.securitytoken.AWSSecurityTokenService;
import com.amazonaws.services.securitytoken.model.*;
// Basic federation token request
GetFederationTokenRequest request = new GetFederationTokenRequest()
.withName("ProxyUser")
.withDurationSeconds(3600);
GetFederationTokenResult result = stsClient.getFederationToken(request);
Credentials federatedCredentials = result.getCredentials();
FederatedUser federatedUser = result.getFederatedUser();
System.out.println("Federated User ID: " + federatedUser.getFederatedUserId());
System.out.println("Federated User ARN: " + federatedUser.getArn());
// Federation token with inline session policy
String sessionPolicy = "{"
+ "\"Version\": \"2012-10-17\","
+ "\"Statement\": [{"
+ "\"Effect\": \"Allow\","
+ "\"Action\": [\"s3:GetObject\", \"s3:ListBucket\"],"
+ "\"Resource\": ["
+ "\"arn:aws:s3:::my-app-bucket\","
+ "\"arn:aws:s3:::my-app-bucket/*\""
+ "]"
+ "}]"
+ "}";
GetFederationTokenRequest policyRequest = new GetFederationTokenRequest()
.withName("S3User")
.withPolicy(sessionPolicy)
.withDurationSeconds(7200);
GetFederationTokenResult policyResult = stsClient.getFederationToken(policyRequest);
// Federation token with managed policy ARNs
List<PolicyDescriptorType> managedPolicies = Arrays.asList(
new PolicyDescriptorType().withArn("arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"),
new PolicyDescriptorType().withArn("arn:aws:iam::123456789012:policy/MyCustomPolicy")
);
GetFederationTokenRequest managedPolicyRequest = new GetFederationTokenRequest()
.withName("ManagedPolicyUser")
.withPolicyArns(managedPolicies)
.withDurationSeconds(1800);
GetFederationTokenResult managedPolicyResult = stsClient.getFederationToken(managedPolicyRequest);
// Federation token with session tags
List<Tag> sessionTags = Arrays.asList(
new Tag().withKey("Department").withValue("Engineering"),
new Tag().withKey("Project").withValue("WebApp"),
new Tag().withKey("Environment").withValue("Production")
);
GetFederationTokenRequest taggedRequest = new GetFederationTokenRequest()
.withName("TaggedUser")
.withTags(sessionTags)
.withDurationSeconds(3600);
GetFederationTokenResult taggedResult = stsClient.getFederationToken(taggedRequest);Federation Use Cases and Best Practices
Proxy Application Pattern
Federation tokens are designed for proxy applications that need to distribute temporary credentials:
/**
* Example proxy service that creates federation tokens for different users
*/
public class FederationProxyService {
private final AWSSecurityTokenService stsClient;
public FederationProxyService(AWSSecurityTokenService stsClient) {
this.stsClient = stsClient;
}
/**
* Create federation token for a specific user with limited S3 access
*/
public Credentials createS3UserCredentials(String username, String bucketName) {
String userSpecificPolicy = createS3BucketPolicy(bucketName);
GetFederationTokenRequest request = new GetFederationTokenRequest()
.withName(username)
.withPolicy(userSpecificPolicy)
.withDurationSeconds(3600)
.withTags(
new Tag().withKey("Username").withValue(username),
new Tag().withKey("AccessType").withValue("S3Limited")
);
GetFederationTokenResult result = stsClient.getFederationToken(request);
return result.getCredentials();
}
private String createS3BucketPolicy(String bucketName) {
return "{"
+ "\"Version\": \"2012-10-17\","
+ "\"Statement\": [{"
+ "\"Effect\": \"Allow\","
+ "\"Action\": [\"s3:GetObject\", \"s3:PutObject\", \"s3:ListBucket\"],"
+ "\"Resource\": ["
+ "\"arn:aws:s3:::" + bucketName + "\","
+ "\"arn:aws:s3:::" + bucketName + "/*\""
+ "]"
+ "}]"
+ "}";
}
}Session Duration Limits
Federation tokens have specific duration limits:
- IAM User credentials: 900 seconds (15 minutes) to 129,600 seconds (36 hours), default 43,200 seconds (12 hours)
- Root user credentials: Maximum 3,600 seconds (1 hour)
// Configure appropriate duration based on use case
GetFederationTokenRequest shortTermRequest = new GetFederationTokenRequest()
.withName("ShortTermUser")
.withDurationSeconds(900); // 15 minutes minimum
GetFederationTokenRequest longTermRequest = new GetFederationTokenRequest()
.withName("LongTermUser")
.withDurationSeconds(129600); // 36 hours maximum for IAM usersPermission Limitations
Federation tokens have specific permission limitations:
- Cannot call IAM operations unless MFA authentication information is included
- Cannot call STS operations except
GetCallerIdentity - Session policies limit permissions - cannot grant more than the calling user's permissions
- Resource-based policies can grant additional permissions if they specifically reference the federated user session
// Example of checking federation token limitations
public void demonstrateFederationLimitations() {
GetFederationTokenRequest request = new GetFederationTokenRequest()
.withName("LimitedUser");
GetFederationTokenResult result = stsClient.getFederationToken(request);
// These operations will work with federation tokens:
// - Most AWS service operations (S3, EC2, etc.)
// - GetCallerIdentity
// These operations will NOT work with federation tokens:
// - IAM operations (CreateUser, AttachUserPolicy, etc.)
// - Other STS operations (AssumeRole, GetSessionToken, etc.)
}Corporate Network Integration
Federation tokens are ideal for corporate proxy applications:
/**
* Example corporate identity broker
*/
public class CorporateIdentityBroker {
private final AWSSecurityTokenService stsClient;
public CorporateIdentityBroker() {
// This proxy service runs with long-term IAM user credentials
this.stsClient = AWSSecurityTokenServiceClientBuilder.standard()
.withCredentials(new DefaultAWSCredentialsProviderChain())
.build();
}
/**
* Authenticate corporate user and return AWS credentials
*/
public Credentials authenticateUser(String corporateUsername, String corporatePassword) {
// 1. Validate corporate credentials (LDAP, Active Directory, etc.)
if (!validateCorporateCredentials(corporateUsername, corporatePassword)) {
throw new AuthenticationException("Invalid corporate credentials");
}
// 2. Determine user's permissions based on corporate role
String sessionPolicy = determineUserPermissions(corporateUsername);
// 3. Create federation token
GetFederationTokenRequest request = new GetFederationTokenRequest()
.withName(corporateUsername)
.withPolicy(sessionPolicy)
.withDurationSeconds(28800) // 8 hours
.withTags(
new Tag().withKey("CorporateUser").withValue(corporateUsername),
new Tag().withKey("AuthMethod").withValue("Corporate")
);
GetFederationTokenResult result = stsClient.getFederationToken(request);
return result.getCredentials();
}
private boolean validateCorporateCredentials(String username, String password) {
// Implement corporate authentication logic
return true;
}
private String determineUserPermissions(String username) {
// Implement role-based permission mapping
return "{ /* user-specific policy */ }";
}
}Install with Tessl CLI
npx tessl i tessl/maven-com-amazonaws--aws-java-sdk-sts