When I use the GetFederationToken API to generate temporary credentials, the ${aws:userName} policy variable does not work.

When using the GetFederationToken API, use the ${aws:userID} policy variable instead of the ${aws:userName} policy variable. The following JSON policy provides an example where the ${aws:userName} policy variable has been replaced with the ${aws:userID} policy variable:

    "Version": "2012-10-17",
    "Statement": [
                "Action": [
            "Resource": "arn:aws:s3:::TESTBUCKET/${aws:userid}/*",
            "Effect": "Allow"
            "Action": "s3:ListBucket",
            "Resource": "arn:aws:s3:::TESTBUCKET",
            "Effect": "Allow",
            "Condition": {
                "s3:prefix": [

The value for the aws:userid variable should be "ACCOUNTNUMBER:caller-specified-name".

When calling the GetFederationToken API, the Name parameter value must follow the guidelines established in GetFederationToken. For example, if you specify the friendly name Bob, the correct format would be "123456789102:Bob". This would be used to name your session and would allow access to the S3 bucket with a matching prefix.

Note: This example assumes that the caller-specified-name (friendly name) portion of the aws:userid variable is unique. The friendly name should be unique to prevent a scenario where another user with the same friendly name is not granted access to resources specified in the JSON policy. For more information, see Unique IDs.

Did this page help you? Yes | No

Back to the AWS Support Knowledge Center

Need help? Visit the AWS Support Center

Published: 2016-03-29

Updated: 2017-03-03