Revokes the current client access token (CAT) and returns new CAT for clients to use when reconnecting to secure tunneling to access the same tunnel.

Requires permission to access the RotateTunnelAccessToken action.


Rotating the CAT doesn't extend the tunnel duration. For example, say the tunnel duration is 12 hours and the tunnel has already been open for 4 hours. When you rotate the access tokens, the new tokens that are generated can only be used for the remaining 8 hours.

See also: AWS API Documentation

Request Syntax

response = client.rotate_tunnel_access_token(
        'thingName': 'string',
        'services': [
  • tunnelId (string) --


    The tunnel for which you want to rotate the access tokens.

  • clientMode (string) --


    The mode of the client that will use the client token, which can be either the source or destination, or both source and destination.

  • destinationConfig (dict) --

    The destination configuration.

    • thingName (string) --

      The name of the IoT thing to which you want to connect.

    • services (list) -- [REQUIRED]

      A list of service names that identify the target application. The IoT client running on the destination device reads this value and uses it to look up a port or an IP address and a port. The IoT client instantiates the local proxy, which uses this information to connect to the destination application.

      • (string) --
Return type



Response Syntax

    'tunnelArn': 'string',
    'sourceAccessToken': 'string',
    'destinationAccessToken': 'string'

Response Structure

  • (dict) --

    • tunnelArn (string) --

      The Amazon Resource Name for the tunnel.

    • sourceAccessToken (string) --

      The client access token that the source local proxy uses to connect to IoT Secure Tunneling.

    • destinationAccessToken (string) --

      The client access token that the destination local proxy uses to connect to IoT Secure Tunneling.


  • IoTSecureTunneling.Client.exceptions.ResourceNotFoundException