Retrieving Short-Term API Credentials
The Stax API requires short-term session credentials be used to access resources. These credentials consist of an Access Key ID, Secret Access Key, and Session Token.
Using the Stax Console
When logged into the Stax Console users can retrieve these credentials from the Profile page.
The console shows the three required strings as well as when the credentials will expire.
Using API Tokens
API Tokens allow you to programmatically retrieve short-term API credentials for use in automated workflows and tools.
You can use several methods to retrieve short-term API credentials. The example below demonstrates using the AWS CLI's congito-idp initiate-auth method.
-
Retrieve the API endpoint details for your Stax installation. Replace <endpoint> below with the appropriate API endpoint for your Stax Region
curl -s <endpoint> | base64 --decode | jq -r '.ApiAuth'
This will return a JSON payload with information required in the following steps 2. Request the short-term credentials from the AWS API using the cognito-idp initiate-auth method. Perform replacements as shown:
aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <clientid> --auth-parameters "USERNAME=<accesskey>,PASSWORD=<secretkey>" | jq -r '.AuthenticationResult.IdToken'
Token | Replace with |
---|---|
<clientid> | The userPoolWebClientId you retrieved in the first step |
<accesskey> | Your Stax API Token Access Key |
<secretkey> | Your Stax API Token Secret Key |
This command will return the ID Token you'll need in the next step. 3. Retrieve your Identity ID using the cognito-identity get-id method. Perform replacements as shown:
aws cognito-identity get-id --identity-pool-id <identityPoolId> --logins "cognito-idp.<region>.amazonaws.com/<userPoolId>=<IdToken>" | jq -r '.IdentityId'
Token | Replace with |
---|---|
<identityPoolId> | The identityPoolId you retrieved in the first step |
<region> | The region you retrieved in the first step |
<userPoolId> | The userPoolIdyou retrieved in the first step |
<IdToken> | The ID Token you retrieved retrieved in the previous step |
This command will return the Identity ID you'll need in the next step. 4. Retrieve the session information using the cognito-identity get-credentials-for-identity method. Perform replacements as shown:
aws cognito-identity get-credentials-for-identity --identity-id <identityID> --logins "cognito-idp.<region>.amazonaws.com/<userPoolId>=<IdToken>"
Token | Replace with |
---|---|
<identityID> | The Identity ID you retrieved in the previous step |
<region> | The region you retrieved in the first step |
<userPoolId> | The userPoolIdyou retrieved in the first step |
<IdToken> | The ID Token you retrieved in the previous step |
This command will return a JSON payload containing a Credentials object with the short-term Access Key ID, Secret Access Key, and Session Token. You can use these credentials to access the Stax API.