VM::EC2::Security::Token - Temporary security token object
# under your account
my $ec2 = VM::EC2->new(...); # as usual
my $policy = VM::EC2::Security::Policy->new;
my $token = $ec2->get_federation_token(-name     => 'TemporaryUser',
                                       -duration => 60*60*3, # 3 hrs, as seconds
                                       -policy   => $policy);
my $serialized = $token->credentials->serialize;
# get the serialized token to the temporary user
# under the temporary user's account
my $serialized = get_data_somehow();
# create a copy of the token from its serialized form
my $token = VM::EC2::Security::Credentials->new_from_serialized($serialized);
# open a new EC2 connection with this token. User will be
# able to run all the methods specified in the policy.
my $ec2 = VM::EC2->new(-security_token => $token);
# convenience routine; will return a VM::EC2 object authorized
# to use the current token
my $ec2 = $token->new_ec2;
VM::EC2::Security::Token objects allow you to grant a user access to some or all
of your EC2 resources for a limited period of time. The user does not have to
have his own AWS account.
Token objects are returned by calls to VM::EC2->get_federation_token() and
VM::EC2->get_session_token(). The former call is used to create a temporary
user with privileges restricted to those listed in the accompanying policy
(a VM::EC2::Security::Policy object). The latter call is used in conjunction
with multi-factor authentication devices, such as smart cards. The tokens
returned by get_session_token() are associated with neither a user account nor
a policy, and grant privileges to all EC2 actions and resources. Both
federation and session tokens have an expiry time between a few seconds and
36 hours.
The token contains a VM::EC2::Security::Credentials object, which holds the
temporary secret access key, access key ID, and a session token string that
unlocks the access key. The credentials object can be serialized into a form
suitable for sending to a user via a secure channel, such as SSL or S/MIME
e-mail, and unserialized at the receiving end into a copy of the original.
Either the token object or its contained credentials object can be passed to
VM::EC2->new() via the -security_token parameter in order to gain access to
EC2 resources.
credentials()       -- The VM::EC2::Security::Credentials object that
                       contains the session token, access key ID, and
                       secret key.
federatedUser()     -- The VM::EC2::Security::FederatedUser object that
                       contains information about the temporary user.
packedPolicySize()  -- A percentage value indicating the size of the policy
                       in packed form relative to the maximum allowed size.
                       Policies in excess of 100% will be rejected by the
secret_access_key() -- Convenience method that calls the credentials object's
access_key_id()     -- Convenience method that calls the credentials object's
session_token()     -- Convenience method that calls the credentials object's
new_ec2(@args)      -- Convenience method that returns a VM::EC2 object
                       authorized with the current token. You may pass any
                       of the arguments accepted by VM::EC2->new(), except
                       that -access_key and -secret_key will be ignored if
                       present.
When used in a string context, this object will interpolate as the session
token, and can be used for the -security_token parameter in VM::EC2->new().
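An added example, not taken from the VM::EC2 distribution: issuing a short-lived federation token limited to read-only calls, checking packedPolicySize(), and writing the serialized credentials to an owner-only file. The allow() call on the policy object, the -raise_error option, the environment variable names, the 80% threshold and the output file name are assumptions that do not appear on this page.

```perl
#!/usr/bin/perl
# Added example; not part of the VM::EC2 distribution.
use strict;
use warnings;
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);
use VM::EC2;
use VM::EC2::Security::Policy;

# Assumption: long-term keys are supplied through the environment.
# -raise_error makes failed API calls die instead of returning undef.
my $ec2 = VM::EC2->new(-access_key  => $ENV{EC2_ACCESS_KEY},
                       -secret_key  => $ENV{EC2_SECRET_KEY},
                       -raise_error => 1);

# Least privilege: the temporary user may only issue read-only Describe* calls.
my $policy = VM::EC2::Security::Policy->new;
$policy->allow('Describe*');

# Keep the lifetime as short as the task allows.
my $token = $ec2->get_federation_token(-name     => 'TemporaryUser',
                                       -duration => 60*60,   # 1 hr, as seconds
                                       -policy   => $policy);

# packedPolicySize() is a percentage of the maximum packed policy size.
# The 80% threshold is an arbitrary early warning chosen for this example.
my $pct = $token->packedPolicySize;
warn "policy uses $pct% of the allowed packed size\n" if $pct > 80;

# The token interpolates as the session token in string context, so it is
# never printed or logged here; only the serialized credentials are written,
# to a new file that only the owner can read.
my $out = 'temporary_user.cred';   # hypothetical file name
sysopen(my $fh, $out, O_WRONLY | O_CREAT | O_EXCL, 0600)
    or die "cannot create $out: $!\n";
print {$fh} $token->credentials->serialize;
close($fh) or die "cannot close $out: $!\n";
```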
VM::EC2 VM::EC2::Generic VM::EC2::Security::Credentials
Lincoln Stein <firstname.lastname@example.org>.
Copyright (c) 2011 Ontario Institute for Cancer Research
This package and its accompanying libraries is free software; you can
redistribute it and/or modify it under the terms of the GPL (either version 1,
or at your option, any later version) or the Artistic License 2.0. Refer to
LICENSE for the full license text. In addition, please see DISCLAIMER.txt for
disclaimers of warranty.