
AWS Security Token Service (STS) AssumeRole


Returns a set of temporary security credentials that you can use to access AWS resources. These temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use AssumeRole within your account or for cross-account access.


Tcl

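# Load the Chilkat native extension that provides the Ck* commands used below.
# NOTE(review): "./chilkat.dll" is resolved against the current working
# directory, so the script loads whatever library is found there. Run it from
# a directory only you can write to, or use an absolute path to a known copy.
load ./chilkat.dll

set success 0

# This example requires the Chilkat API to have been previously unlocked.
# See Global Unlock Sample for sample code.

set rest [new_CkRest]

# Connect to the regional AWS STS endpoint,
# such as https://sts.us-west-2.amazonaws.com/
# TLS stays enabled: the response to this call carries secret credentials.
set bTls 1
set port 443
set bAutoReconnect 1
set success [CkRest_Connect $rest "sts.us-west-2.amazonaws.com" $port $bTls $bAutoReconnect]
if {$success != 1} {
    # Without a connection nothing below can work; report the reason and
    # stop with a non-zero status so a calling script can detect the failure.
    puts [CkRest_lastErrorText $rest]
    delete_CkRest $rest
    exit 1
}

# Provide AWS credentials for the REST call.
set authAws [new_CkAuthAws]

# "AWS_ACCESS_KEY" and "AWS_SECRET_KEY" are placeholders. Supply real values
# from outside the source file (environment, secrets store) rather than
# pasting long-term keys into a script that may be committed or shared.
# The calling identity needs sts:AssumeRole on the target role and nothing more.
CkAuthAws_put_AccessKey $authAws "AWS_ACCESS_KEY"
CkAuthAws_put_SecretKey $authAws "AWS_SECRET_KEY"
# The signing region must match the endpoint host used in Connect above.
# See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
CkAuthAws_put_Region $authAws "us-west-2"
CkAuthAws_put_ServiceName $authAws "sts"

CkRest_SetAuthAws $rest $authAws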

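# Sample Request
# https://sts.amazonaws.com/
# ?Version=2011-06-15
# &Action=AssumeRole
# &RoleSessionName=testAR
# &RoleArn=arn:aws:iam::123456789012:role/demo
# &PolicyArns.member.1.arn=arn:aws:iam::123456789012:policy/demopolicy1
# &PolicyArns.member.2.arn=arn:aws:iam::123456789012:policy/demopolicy2
# &Policy={"Version":"2012-10-17","Statement":[{"Sid":"Stmt1",
# "Effect":"Allow","Action":"s3:*","Resource":"*"}]}
# &DurationSeconds=3600
# &Tags.member.1.Key=Project
# &Tags.member.1.Value=Pegasus
# &Tags.member.2.Key=Team
# &Tags.member.2.Value=Engineering
# &Tags.member.3.Key=Cost-Center
# &Tags.member.3.Value=12345
# &TransitiveTagKeys.member.1=Project
# &TransitiveTagKeys.member.2=Cost-Center
# &ExternalId=123ABC
# &SourceIdentity=Alice
# &AUTHPARAMS

# Build the AssumeRole query string. All values below are sample data.
CkRest_AddQueryParam $rest "Version" "2011-06-15"
CkRest_AddQueryParam $rest "Action" "AssumeRole"
# Lifetime of the temporary credentials; keep it as short as the task allows.
CkRest_AddQueryParam $rest "DurationSeconds" "3600"

# RoleSessionName is recorded with the session, so choose a value that
# identifies the caller when the activity is reviewed later.
CkRest_AddQueryParam $rest "RoleSessionName" "testAR"
CkRest_AddQueryParam $rest "RoleArn" "arn:aws:iam::123456789012:role/demo"

# Session policies (managed ARNs and the inline Policy) can only narrow what
# the role already allows; the session gets the intersection of the two.
CkRest_AddQueryParam $rest "PolicyArns.member.1.arn" "arn:aws:iam::123456789012:policy/demopolicy1"
CkRest_AddQueryParam $rest "PolicyArns.member.2.arn" "arn:aws:iam::123456789012:policy/demopolicy2"
# The JSON is passed as a brace-quoted literal. Inside double quotes Tcl would
# treat the "[" of the Statement array as command substitution and the script
# would stop with an "invalid command name" error before the request is sent.
# NOTE(review): "s3:*" on "*" is the sample's value; in real use list only the
# actions and resources the session actually needs.
CkRest_AddQueryParam $rest "Policy" {{"Version":"2012-10-17","Statement":[{"Sid":"Stmt1","Effect":"Allow","Action":"s3:*","Resource":"*"}]}}

# Session tags. The role's trust policy must allow sts:TagSession for these.
CkRest_AddQueryParam $rest "Tags.member.1.Key" "Project"
CkRest_AddQueryParam $rest "Tags.member.1.Value" "Pegasus"
CkRest_AddQueryParam $rest "Tags.member.2.Key" "Team"
CkRest_AddQueryParam $rest "Tags.member.2.Value" "Engineering"
CkRest_AddQueryParam $rest "Tags.member.3.Key" "Cost-Center"
CkRest_AddQueryParam $rest "Tags.member.3.Value" "12345"
# Transitive tags persist into later sessions when roles are chained.
CkRest_AddQueryParam $rest "TransitiveTagKeys.member.1" "Project"
CkRest_AddQueryParam $rest "TransitiveTagKeys.member.2" "Cost-Center"

# ExternalId is the cross-account "confused deputy" safeguard: it is only
# effective when the role's trust policy requires a matching sts:ExternalId.
CkRest_AddQueryParam $rest "ExternalId" "123ABC"
# SourceIdentity names the original caller; the trust policy must allow
# sts:SetSourceIdentity for the request to be accepted.
CkRest_AddQueryParam $rest "SourceIdentity" "Alice"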

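# Send the signed AssumeRole request. The query parameters added earlier are
# sent with this GET; the return value is the response body as a string.
set responseXml [CkRest_fullRequestNoBody $rest "GET" "/"]
if {[CkRest_get_LastMethodSuccess $rest] != 1} then {
    # The call itself failed, so there is no usable response to inspect.
    # Exit non-zero so a calling script does not assume credentials exist.
    puts [CkRest_lastErrorText $rest]
    delete_CkRest $rest
    delete_CkAuthAws $authAws
    exit 1
}

# A successful response will have a status code equal to 200.
# Anything else is an STS error document, for example a denied sts:AssumeRole
# or a request the role's trust policy does not accept.
if {[CkRest_get_ResponseStatusCode $rest] != 200} then {
    puts "response status code = [CkRest_get_ResponseStatusCode $rest]"
    puts "response status text = [CkRest_responseStatusText $rest]"
    puts "response header: [CkRest_responseHeader $rest]"
    puts "response body: $responseXml"
    delete_CkRest $rest
    delete_CkAuthAws $authAws
    exit 1
}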

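# Examine the successful XML response (shown below)
set xml [new_CkXml]

# Refuse to continue if the body is not parseable XML; otherwise every field
# read below would be empty and an unusable file would be saved.
set success [CkXml_LoadXml $xml $responseXml]
if {$success != 1} {
    puts [CkXml_lastErrorText $xml]
    delete_CkRest $rest
    delete_CkAuthAws $authAws
    delete_CkXml $xml
    exit 1
}

# CAUTION: this prints the complete response, including SecretAccessKey and
# SessionToken. Remove it wherever stdout is captured into logs or CI output.
puts [CkXml_getXml $xml]

# Sample response:

# <AssumeRoleResponse xmlns="https://sts.amazonaws.com/doc/2011-06-15/">
#   <AssumeRoleResult>
#   <SourceIdentity>Alice</SourceIdentity>
#     <AssumedRoleUser>
#       <Arn>arn:aws:sts::123456789012:assumed-role/demo/TestAR</Arn>
#       <AssumedRoleId>ARO123EXAMPLE123:TestAR</AssumedRoleId>
#     </AssumedRoleUser>
#     <Credentials>
#       <AccessKeyId>ASIAIOSFODNN7EXAMPLE</AccessKeyId>
#       <SecretAccessKey>wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY</SecretAccessKey>
#       <SessionToken>
#        AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQW
#        LWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGd
#        QrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU
#        9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz
#        +scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==
#       </SessionToken>
#       <Expiration>2019-11-09T13:34:41Z</Expiration>
#     </Credentials>
#     <PackedPolicySize>6</PackedPolicySize>
#   </AssumeRoleResult>
#   <ResponseMetadata>
#     <RequestId>c6104cbe-af31-11e0-8154-cbc7ccf896c7</RequestId>
#   </ResponseMetadata>
# </AssumeRoleResponse>

# Sample parse code:
# Paths are relative to the root element, with "|" separating child tags.
# AccessKeyId, SecretAccessKey and SessionToken together are the temporary
# credential; they stop working at the time given in Expiration.

set AssumeRoleResponse_xmlns [CkXml_getAttrValue $xml "xmlns"]
set SourceIdentity [CkXml_getChildContent $xml "AssumeRoleResult|SourceIdentity"]
set Arn [CkXml_getChildContent $xml "AssumeRoleResult|AssumedRoleUser|Arn"]
set AssumedRoleId [CkXml_getChildContent $xml "AssumeRoleResult|AssumedRoleUser|AssumedRoleId"]
set AccessKeyId [CkXml_getChildContent $xml "AssumeRoleResult|Credentials|AccessKeyId"]
set SecretAccessKey [CkXml_getChildContent $xml "AssumeRoleResult|Credentials|SecretAccessKey"]
set SessionToken [CkXml_getChildContent $xml "AssumeRoleResult|Credentials|SessionToken"]
set Expiration [CkXml_getChildContent $xml "AssumeRoleResult|Credentials|Expiration"]
set PackedPolicySize [CkXml_GetChildIntValue $xml "AssumeRoleResult|PackedPolicySize"]
set RequestId [CkXml_getChildContent $xml "ResponseMetadata|RequestId"]

# Save the session token XML to a file for use by another Chilkat example..
# The file holds usable credentials in clear text until they expire: keep the
# directory private, keep it out of version control, and delete the file once
# it is no longer needed.
set tokenPath "qa_data/tokens/aws_session_token.xml"
set success [CkXml_SaveXml $xml $tokenPath]
if {$success != 1} {
    # The save result was previously ignored; report it and exit non-zero so
    # a later step does not pick up a missing or stale token file.
    puts [CkXml_lastErrorText $xml]
    delete_CkRest $rest
    delete_CkAuthAws $authAws
    delete_CkXml $xml
    exit 1
}
if {$::tcl_platform(platform) eq "unix"} {
    # Owner read/write only. The file is created with the default mode first
    # and tightened here, so the directory must already be private.
    # On Windows access is governed by the ACLs of the containing directory.
    file attributes $tokenPath -permissions rw-------
}

delete_CkRest $rest
delete_CkAuthAws $authAws
delete_CkXml $xml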