Retrieving short-term API Credentials

The Stax API requires that short-term credentials are used for making API requests. These can be retrieved using the Stax Console or API Tokens.

Article Tags
On This Page
Using the Stax ConsoleUsing API TokensSee also

The Stax API requires short-term session credentials be used to access resources. These credentials consist of an Access Key ID, Secret Access Key, and Session Token.

Using the Stax Console

When logged into the Stax Console users can retrieve these credentials from the Profile page.

Short-Term API Credentials

The console shows the three required strings as well as when the credentials will expire.

Using API Tokens

API Tokens allow you to programmatically retrieve short-term API credentials for use in automated workflows and tools.

You can use several methods to retrieve short-term API credentials. The example below demonstrates using the AWS CLI's congito-idp initiate-auth method.

  1. Retrieve the API endpoint details for your Stax installation. Replace <endpoint> below with the appropriate API endpoint for your Stax Region

    curl -s <endpoint> | base64 --decode | jq -r '.ApiAuth'
    

    This will return a JSON payload with information required in the following steps.

  2. Request the short-term credentials from the AWS API using the cognito-idp initiate-auth method. Perform replacements as shown:

    aws cognito-idp initiate-auth --auth-flow USER_PASSWORD_AUTH --client-id <clientid> --auth-parameters "USERNAME=<accesskey>,PASSWORD=<secretkey>" | jq -r '.AuthenticationResult.IdToken'
    
    TokenReplace with
    <clientid>The userPoolWebClientId you retrieved in the first step
    <accesskey>Your Stax API Token Access Key
    <secretkey>Your Stax API Token Secret Key

    This command will return the ID Token you'll need in the next step.

  3. Retrieve your Identity ID using the cognito-identity get-id method. Perform replacements as shown:

    aws cognito-identity get-id --identity-pool-id <identityPoolId> --logins "cognito-idp.<region>.amazonaws.com/<userPoolId>=<IdToken>" | jq -r '.IdentityId'
    
    TokenReplace with
    <identityPoolId>The identityPoolId you retrieved in the first step
    <region>The region you retrieved in the first step
    <userPoolId>The userPoolId you retrieved in the first step
    <IdToken>The ID Token you retrieved in the previous step

    This command will return the Identity ID you'll need in the next step.

  4. Retrieve the session information using the cognito-identity get-credentials-for-identity method. Perform replacements as shown:

    aws cognito-identity get-credentials-for-identity --identity-id <identityID> --logins "cognito-idp.<region>.amazonaws.com/<userPoolId>=<IdToken>"
    
    TokenReplace with
    <identityID>The Identity ID you retrieved in the previous step
    <region>The region you retrieved in the first step
    <userPoolId>The userPoolId you retrieved in the first step
    <IdToken>The ID Token you retrieved in the previous step

    This command will return a JSON payload containing a Credentials object with the short-term Access Key ID, Secret Access Key, and Session Token. You can use these credentials to access the Stax API.

See also