Use of metadata for computing resource access

US8973108B1 · US · B1

Patent metadata

Publication number: US-8973108-B1
Application number: US-201113149619-A
Country: US
Kind code: B1
Filing date: May 31, 2011
Priority date: May 31, 2011
Publication date: Mar 3, 2015
Grant date: Mar 3, 2015

Abstract

Official abstract text for this publication.

Systems and methods for controlling access to one or more computing resources relate to generating session credentials that can be used to access the one or more computing resources. Access to the computing resources may be governed by a set of policies and requests for access made using the session credentials may be fulfilled depending on whether they are allowed by the set of policies. The session credentials themselves may include metadata that may be used in determining whether to fulfill requests to access the one or more computing resources. The metadata may include permissions for a user of the session credential, claims related to one or more users, and other information.

First claim

Opening claim text (preview).

What is claimed is:

1. A computer-implemented method for controlling access to one or more computing resources, comprising: receiving, by a computer system of one or more computer systems, the computer system having one or more computing devices, a request for a session credential subsequent to successful completion of an authentication process by a user, the session credential including information enabling the user to delegate access to a specified delegatee, the information having data identifying the specified delegatee; generating, with the one or more computer systems, a session credential that encodes information identifying a type of the authentication process successfully completed by the user and one or more policies applicable to the specified delegatee; transmitting the session credential to the specified delegatee, the session credential being opaque to the specified delegatee and provided from the user to the specified delegatee; receiving the generated session credential in connection with a request from the specified delegatee to access the one or more computing resources, the one or more computing resources being distinct from the one or more computer systems generating the session credential; determining the type of authentication process successfully completed by the user, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the information encoded by the session credential; and determining, based at least in part on the information identifying the type of authentication process and the one or more policies applicable to the specified delegatee encoded by the session credential, whether to fulfill the request; and when determined to fulfill the request, providing to the specified delegatee the requested access to the one or more computing resources.

2. The computer-implemented method of claim 1, wherein the user is authenticated by a first authentication process different from the authentication process, wherein the one or more policies require authentication by the authentication process to fulfill at least the request, and wherein determining whether to fulfill the request includes determining that the authentication process is encoded by the session credential.

3. The computer-implemented method of claim 1, wherein the authentication process is a multifactor authentication process required by one or more policies to fulfill at least the request.

4. The computer-implemented method of claim 1, wherein the session credential further encodes metadata additional to the information identifying the type of authentication process by the user and wherein determining whether to fulfill the request is further based at least in part on the encoded additional metadata.

5. The computer-implemented method of claim 1, wherein the request is received from a second user that is different from the user.

6. The computer-implemented method of claim 1, wherein based on at least the type of authentication process determined to have been successfully completed by the user, the user is not required to complete another authentication process in a second request.

7. The computer-implemented method of claim 6, wherein the second request is a request for additional access.

8. The computer-implemented method of claim 1, wherein the one or more policies are managed by a policy management component configured at least to maintain one or more virtual resource provider policies.

9. The computer-implemented method of claim 8, wherein the policy management component is further configured to, at least: receive user-specified policies; transform user-specified policies into a normal form, including one or more policy elements of the normal form; optimize the set of normal form policies based on at least in part on one or more policy elements, including an index; and distribute the optimized set of normal form policies to a set of policy enforcement components based at least in part on the index.

10. The computer-implemented method of claim 1, wherein the one or more policies are specified by the user to restrict or grant access to one or more specified delegatees.

11. The computer-implemented method of claim 1, wherein the one or more policies grants one or more privileges in addition to the access encoded in the session credential.

12. The computer-implemented method of claim 1, wherein the data identifying the specified delegatee includes a username or email address of the specified delegatee, wherein the session credential is sent to the email address.

13. The computer-implemented method of claim 1, wherein the information includes location information, information about applications used by the user, a time stamp for the session credential, an expiration time after which the session credential is invalid, a starting time before which the session credential is invalid, renewal parameters and/or requirements for renewing the session, credentials or a reference to credentials.

14. The computer-implemented method of claim 1, wherein the session credential transmitted from the user to the specified delegatee is a temporary session credential.

15. A computer-implemented method for controlling access to one or more computing resources, comprising: receiving, by one or more computer devices, a session credential generated by one or more computer systems from a specified delegatee in connection with a request from the specified delegatee to access the one or more computing resources, the session credential being opaque to the specified delegatee and provided by the one or more computer systems to a user, the one or more computing resources being distinct from the one or more computer systems, the session credential encoding one or more claims identifying at least one type of at least one authenticating action the user has completed and one or more policies applicable to the specified delegatee, the session credential including information enabling the user to delegate access to the specified delegatee, the information having data identifying the specified delegatee; determining, with the one or more computer devices, the at least one type of authenticating action the user has completed, whether the user is authorized to delegate access to the specified delegatee and whether the specified delegatee is authorized to access the one or more computing resources based at least in part on the one or more encoded claims; determining, based at least in part on the one or more claims encoded by the session credential and one or more policies, whether to fulfill the request to access the one or more computing resources, the one or more policies encoded in the session credential; and when determined to fulfill the request, providing the requested access.

16. The computer-implemented method of claim 15, wherein the session credential further encodes one or more attributes about the user.

17. The computer-implemented method of claim 15, wherein the one or more claims include a claim that the user completed an authentication process required by the one or more policies for fulfilling the request.

18. The computer-implemented method of claim 15, wherein the user is authenticated by a first authentication process, wherein the one or more policies require authentication by a second authentication process different from the first authentication process to fulfill at least the request, and wherein the one or more claims indicate
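The following Python sketch is an added illustration of the flow that claims 1 and 15 describe; it is not code from the patent or from its assignee. An issuer mints a session credential after the user authenticates, encoding the type of authentication completed, the intended delegatee, the policies applicable to that delegatee and a validity window (claim 13). A separate resource-side decision function then checks integrity, the validity window, that the presenter is the named delegatee, that the user was allowed to delegate to that party, and that a policy grants the action, including a policy that requires a stronger authentication type (claims 2 and 3). The key, the names, the policy schema and the delegation allowlist are all constructed for the example. The credential is made tamper-evident with an HMAC; the patent also calls it opaque to the delegatee, which a deployment would achieve by additionally encrypting the payload, not shown here.

```python
import base64
import binascii
import hashlib
import hmac
import json
import time

# Constructed demo key (assumption): held only by the credential issuer and
# the policy enforcement points, never by the delegatee.
ISSUER_KEY = b"demo-issuer-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_session_credential(key, user, delegatee, auth_type, policies,
                             ttl_seconds, now=None):
    """Mint a tamper-evident session credential after `user` authenticated.

    The payload carries the type of authentication the user completed, the
    delegatee the credential is meant for, the policies that apply to that
    delegatee, and a not-before / expiry pair (the validity window).
    """
    now = time.time() if now is None else now
    payload = {
        "user": user,
        "delegatee": delegatee,
        "auth_type": auth_type,
        "policies": policies,
        "nbf": now,
        "exp": now + ttl_seconds,
    }
    body = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return _b64(body) + "." + _b64(tag)


def decide(key, token, requester, action, resource, delegation_allowlist,
           now=None):
    """Resource-side decision: returns (allowed, reason).

    `delegation_allowlist` maps a user to the delegatees that user may grant
    access to; it stands in for the "is the user authorized to delegate"
    check in the claims (assumed shape, constructed for the example).
    """
    now = time.time() if now is None else now
    try:
        body_b64, tag_b64 = token.split(".")
        body, tag = _unb64(body_b64), _unb64(tag_b64)
    except (ValueError, binascii.Error):
        return False, "malformed credential"
    # Verify the MAC before trusting any encoded metadata.
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return False, "credential integrity check failed"
    claims = json.loads(body)
    if not (claims["nbf"] <= now < claims["exp"]):
        return False, "credential outside validity window"
    if claims["delegatee"] != requester:
        return False, "credential was issued to a different delegatee"
    if requester not in delegation_allowlist.get(claims["user"], ()):
        return False, f"{claims['user']} is not authorized to delegate to {requester}"
    # First matching policy decides; a policy may demand a stronger
    # authentication type than the one recorded in the credential.
    for policy in claims["policies"]:
        if action in policy["actions"] and resource in policy["resources"]:
            required = policy.get("require_auth")
            if required and claims["auth_type"] != required:
                return False, f"action requires authentication type {required}"
            return True, "allowed by delegated policy"
    return False, "no policy grants the requested access"


if __name__ == "__main__":
    # Constructed sample: alice delegates to bob; deletes need MFA.
    policies = [
        {"actions": ["read"], "resources": ["bucket:alpha"]},
        {"actions": ["delete"], "resources": ["bucket:alpha"], "require_auth": "mfa"},
    ]
    allow = {"alice": ["bob"]}
    tok = issue_session_credential(ISSUER_KEY, "alice", "bob", "password", policies, 3600)
    print(decide(ISSUER_KEY, tok, "bob", "read", "bucket:alpha", allow))
    print(decide(ISSUER_KEY, tok, "bob", "delete", "bucket:alpha", allow))
```

Because the authentication type travels inside the credential, the resource can enforce "this action needs MFA" without calling back to the issuer, which is the point of claims 2, 3 and 6: a credential minted after MFA satisfies that policy on later requests without re-authentication.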

Assignees

Inventors

Classifications

  • using tickets, e.g. Kerberos (cryptographic mechanisms or cryptographic arrangements for entity authentication using tickets or tokens H04L9/3213) · CPC title

  • using tickets or tokens, e.g. Kerberos (network architectures or network communication protocols for entities authentication using tickets in a packet data network H04L63/0807) · CPC title

  • for controlling access to devices or network resources · CPC title

  • for authentication of entities (cryptographic mechanisms or cryptographic arrangements for entity authentication H04L9/32) · CPC title

  • for managing network security; network security policies in general (filtering policies H04L63/0227) · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

Who is the assignee on this patent?
Roth Gregory B, O'Neill Kevin Ross, Brandwine Eric Jason, and 4 more
What technology area does this patent fall under?
Primary CPC classification H04L63/0807. Mapped technology areas include Electricity.
When was this patent published?
Publication date Mar 3, 2015 (B1). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 8 related publications on this page (citations in our corpus or others sharing the same primary CPC).