Explanation: Currently the STS API command GetSessionToken is available to every IAM user in your account without previous permission. In contrast, the GetFederationToken command is restricted and explicit permissions need to be granted so a user can issue calls to this particular Action.
Reference:
http://docs.aws.amazon.com/STS/latest/UsingSTS/STSPermission.html