2017-11-22 20:39:52 +00:00
// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
package sts
import (
2019-05-24 22:03:06 +00:00
"fmt"
2017-11-22 20:39:52 +00:00
"time"
"github.com/aws/aws-sdk-go/aws"
"github.com/aws/aws-sdk-go/aws/awsutil"
2019-05-24 22:03:06 +00:00
"github.com/aws/aws-sdk-go/aws/credentials"
2017-11-22 20:39:52 +00:00
"github.com/aws/aws-sdk-go/aws/request"
)
const opAssumeRole = "AssumeRole"
// AssumeRoleRequest generates a "aws/request.Request" representing the
// client's request for the AssumeRole operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See AssumeRole for more information on using the AssumeRole
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the AssumeRoleRequest method.
// req, resp := client.AssumeRoleRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRoleRequest ( input * AssumeRoleInput ) ( req * request . Request , output * AssumeRoleOutput ) {
op := & request . Operation {
Name : opAssumeRole ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & AssumeRoleInput { }
}
output = & AssumeRoleOutput { }
req = c . newRequest ( op , input , output )
return
}
// AssumeRole API operation for AWS Security Token Service.
//
2019-05-24 22:03:06 +00:00
// Returns a set of temporary security credentials that you can use to access
// AWS resources that you might not normally have access to. These temporary
// credentials consist of an access key ID, a secret access key, and a security
// token. Typically, you use AssumeRole within your account or for cross-account
// access. For a comparison of AssumeRole with other API operations that produce
// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// You cannot use AWS account root user credentials to call AssumeRole. You
// must use credentials for an IAM user or an IAM role to call AssumeRole.
2017-11-22 20:39:52 +00:00
//
// For cross-account access, imagine that you own multiple accounts and need
// to access resources in each account. You could create long-term credentials
// in each account to access those resources. However, managing all those credentials
// and remembering which one can access which account can be time consuming.
2019-05-24 22:03:06 +00:00
// Instead, you can create one set of long-term credentials in one account.
// Then use temporary security credentials to access all the other accounts
2017-11-22 20:39:52 +00:00
// by assuming roles in those accounts. For more information about roles, see
2019-05-24 22:03:06 +00:00
// IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// By default, the temporary security credentials created by AssumeRole last
// for one hour. However, you can use the optional DurationSeconds parameter
// to specify the duration of your session. You can provide a value from 900
// seconds (15 minutes) up to the maximum session duration setting for the role.
// This setting can have a value from 1 hour to 12 hours. To learn how to view
// the maximum value for your role, see View the Maximum Session Duration Setting
// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you
// use the AssumeRole* API operations or the assume-role* CLI commands. However
// the limit does not apply when you use those operations to create a console
// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// The temporary security credentials created by AssumeRole can be used to make
2019-05-24 22:03:06 +00:00
// API calls to any AWS service with the following exception: You cannot call
// the AWS STS GetFederationToken or GetSessionToken API operations.
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plain text that you use for both inline
// and managed session policies shouldn't exceed 2048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// AWS API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed
// by the identity-based policy of the role that is being assumed. For more
// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// To assume a role from a different account, your AWS account must be trusted
// by the role. The trust relationship is defined in the role's trust policy
// when the role is created. That trust policy states which accounts are allowed
// to delegate that access to users in the account.
//
// A user who wants to access a role in a different account must also have permissions
// that are delegated from the user account administrator. The administrator
// must attach a policy that allows the user to call AssumeRole for the ARN
// of the role in the other account. If the user is in the same account as the
// role, then you can do either of the following:
//
// * Attach a policy to the user (identical to the previous user in a different
// account).
//
// * Add the user as a principal directly in the role's trust policy.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// In this case, the trust policy acts as an IAM resource-based policy. Users
// in the same account as the role do not need explicit permission to assume
// the role. For more information about trust policies and resource-based policies,
// see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
// in the IAM User Guide.
2017-11-22 20:39:52 +00:00
//
// Using MFA with AssumeRole
//
2019-05-24 22:03:06 +00:00
// (Optional) You can include multi-factor authentication (MFA) information
// when you call AssumeRole. This is useful for cross-account scenarios to ensure
// that the user that assumes the role has been authenticated with an AWS MFA
// device. In that scenario, the trust policy of the role being assumed includes
// a condition that tests for MFA authentication. If the caller does not include
// valid MFA information, the request to assume the role is denied. The condition
// in a trust policy that tests for MFA authentication might look like the following
// example.
2017-11-22 20:39:52 +00:00
//
// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
//
2019-05-24 22:03:06 +00:00
// For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide guide.
//
// To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
// parameters. The SerialNumber value identifies the user's hardware or virtual
// MFA device. The TokenCode is the time-based one-time password (TOTP) that
2019-05-24 22:03:06 +00:00
// the MFA device produces.
2017-11-22 20:39:52 +00:00
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation AssumeRole for usage and error information.
//
// Returned Error Codes:
// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
// The request was rejected because the policy document was malformed. The error
// message describes the specific error.
//
// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
// The request was rejected because the policy document was too large. The error
// message describes how big the policy document is, in packed form, as a percentage
// of what the API allows.
//
// * ErrCodeRegionDisabledException "RegionDisabledException"
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
2019-05-24 22:03:06 +00:00
// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRole ( input * AssumeRoleInput ) ( * AssumeRoleOutput , error ) {
req , out := c . AssumeRoleRequest ( input )
return out , req . Send ( )
}
// AssumeRoleWithContext is the same as AssumeRole with the addition of
// the ability to pass a context and additional request options.
//
// See AssumeRole for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) AssumeRoleWithContext ( ctx aws . Context , input * AssumeRoleInput , opts ... request . Option ) ( * AssumeRoleOutput , error ) {
req , out := c . AssumeRoleRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
// AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
// client's request for the AssumeRoleWithSAML operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the AssumeRoleWithSAMLRequest method.
// req, resp := client.AssumeRoleWithSAMLRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRoleWithSAMLRequest ( input * AssumeRoleWithSAMLInput ) ( req * request . Request , output * AssumeRoleWithSAMLOutput ) {
op := & request . Operation {
Name : opAssumeRoleWithSAML ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & AssumeRoleWithSAMLInput { }
}
output = & AssumeRoleWithSAMLOutput { }
req = c . newRequest ( op , input , output )
2019-05-24 22:03:06 +00:00
req . Config . Credentials = credentials . AnonymousCredentials
2017-11-22 20:39:52 +00:00
return
}
// AssumeRoleWithSAML API operation for AWS Security Token Service.
//
// Returns a set of temporary security credentials for users who have been authenticated
// via a SAML authentication response. This operation provides a mechanism for
// tying an enterprise identity store or directory to role-based AWS access
// without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
2019-05-24 22:03:06 +00:00
// with the other API operations that produce temporary credentials, see Requesting
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// The temporary security credentials returned by this operation consist of
// an access key ID, a secret access key, and a security token. Applications
// can use these temporary security credentials to sign calls to AWS services.
//
2019-05-24 22:03:06 +00:00
// By default, the temporary security credentials created by AssumeRoleWithSAML
// last for one hour. However, you can use the optional DurationSeconds parameter
// to specify the duration of your session. Your role session lasts for the
// duration that you specify, or until the time specified in the SAML authentication
// response's SessionNotOnOrAfter value, whichever is shorter. You can provide
// a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
// duration setting for the role. This setting can have a value from 1 hour
// to 12 hours. To learn how to view the maximum value for your role, see View
// the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you
// use the AssumeRole* API operations or the assume-role* CLI commands. However
// the limit does not apply when you use those operations to create a console
// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// in the IAM User Guide.
2017-11-22 20:39:52 +00:00
//
// The temporary security credentials created by AssumeRoleWithSAML can be used
// to make API calls to any AWS service with the following exception: you cannot
2019-05-24 22:03:06 +00:00
// call the STS GetFederationToken or GetSessionToken API operations.
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plain text that you use for both inline
// and managed session policies shouldn't exceed 2048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// AWS API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed
// by the identity-based policy of the role that is being assumed. For more
// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// Before your application can call AssumeRoleWithSAML, you must configure your
// SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
// you must use AWS Identity and Access Management (IAM) to create a SAML provider
2019-05-24 22:03:06 +00:00
// entity in your AWS account that represents your identity provider. You must
// also create an IAM role that specifies this SAML provider in its trust policy.
2017-11-22 20:39:52 +00:00
//
// Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
// The identity of the caller is validated by using keys in the metadata document
// that is uploaded for the SAML provider entity for your identity provider.
//
// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
// logs. The entry includes the value in the NameID element of the SAML assertion.
// We recommend that you use a NameIDType that is not associated with any personally
// identifiable information (PII). For example, you could instead use the Persistent
// Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
//
// For more information, see the following resources:
//
2019-05-24 22:03:06 +00:00
// * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation AssumeRoleWithSAML for usage and error information.
//
// Returned Error Codes:
// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
// The request was rejected because the policy document was malformed. The error
// message describes the specific error.
//
// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
// The request was rejected because the policy document was too large. The error
// message describes how big the policy document is, in packed form, as a percentage
// of what the API allows.
//
// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
// The identity provider (IdP) reported that authentication failed. This might
// be because the claim is invalid.
//
// If this error is returned for the AssumeRoleWithWebIdentity operation, it
// can also mean that the claim has expired or has been explicitly revoked.
//
// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
// The web identity token that was passed could not be validated by AWS. Get
// a new identity token from the identity provider and then retry the request.
//
// * ErrCodeExpiredTokenException "ExpiredTokenException"
// The web identity token that was passed is expired or is not valid. Get a
// new identity token from the identity provider and then retry the request.
//
// * ErrCodeRegionDisabledException "RegionDisabledException"
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
2019-05-24 22:03:06 +00:00
// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRoleWithSAML ( input * AssumeRoleWithSAMLInput ) ( * AssumeRoleWithSAMLOutput , error ) {
req , out := c . AssumeRoleWithSAMLRequest ( input )
return out , req . Send ( )
}
// AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of
// the ability to pass a context and additional request options.
//
// See AssumeRoleWithSAML for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) AssumeRoleWithSAMLWithContext ( ctx aws . Context , input * AssumeRoleWithSAMLInput , opts ... request . Option ) ( * AssumeRoleWithSAMLOutput , error ) {
req , out := c . AssumeRoleWithSAMLRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
// AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
// client's request for the AssumeRoleWithWebIdentity operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
// req, resp := client.AssumeRoleWithWebIdentityRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRoleWithWebIdentityRequest ( input * AssumeRoleWithWebIdentityInput ) ( req * request . Request , output * AssumeRoleWithWebIdentityOutput ) {
op := & request . Operation {
Name : opAssumeRoleWithWebIdentity ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & AssumeRoleWithWebIdentityInput { }
}
output = & AssumeRoleWithWebIdentityOutput { }
req = c . newRequest ( op , input , output )
2019-05-24 22:03:06 +00:00
req . Config . Credentials = credentials . AnonymousCredentials
2017-11-22 20:39:52 +00:00
return
}
// AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
//
// Returns a set of temporary security credentials for users who have been authenticated
2019-05-24 22:03:06 +00:00
// in a mobile or web application with a web identity provider. Example providers
// include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
// Connect-compatible identity provider.
2017-11-22 20:39:52 +00:00
//
// For mobile applications, we recommend that you use Amazon Cognito. You can
2019-05-24 22:03:06 +00:00
// use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
// and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
// to uniquely identify a user. You can also supply the user with a consistent
// identity throughout the lifetime of an application.
//
// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
// in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
2017-11-22 20:39:52 +00:00
// in the AWS SDK for iOS Developer Guide.
//
// Calling AssumeRoleWithWebIdentity does not require the use of AWS security
// credentials. Therefore, you can distribute an application (for example, on
// mobile devices) that requests temporary security credentials without including
2019-05-24 22:03:06 +00:00
// long-term AWS credentials in the application. You also don't need to deploy
// server-based proxy services that use long-term AWS credentials. Instead,
// the identity of the caller is validated by using a token from the web identity
// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
// operations that produce temporary credentials, see Requesting Temporary Security
// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// The temporary security credentials returned by this API consist of an access
// key ID, a secret access key, and a security token. Applications can use these
2019-05-24 22:03:06 +00:00
// temporary security credentials to sign calls to AWS service API operations.
//
// By default, the temporary security credentials created by AssumeRoleWithWebIdentity
// last for one hour. However, you can use the optional DurationSeconds parameter
// to specify the duration of your session. You can provide a value from 900
// seconds (15 minutes) up to the maximum session duration setting for the role.
// This setting can have a value from 1 hour to 12 hours. To learn how to view
// the maximum value for your role, see View the Maximum Session Duration Setting
// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you
// use the AssumeRole* API operations or the assume-role* CLI commands. However
// the limit does not apply when you use those operations to create a console
// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// in the IAM User Guide.
2017-11-22 20:39:52 +00:00
//
// The temporary security credentials created by AssumeRoleWithWebIdentity can
// be used to make API calls to any AWS service with the following exception:
2019-05-24 22:03:06 +00:00
// you cannot call the STS GetFederationToken or GetSessionToken API operations.
//
// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plain text that you use for both inline
// and managed session policies shouldn't exceed 2048 characters. Passing policies
// to this operation returns new temporary credentials. The resulting session's
// permissions are the intersection of the role's identity-based policy and
// the session policies. You can use the role's temporary credentials in subsequent
// AWS API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed
// by the identity-based policy of the role that is being assumed. For more
// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// Before your application can call AssumeRoleWithWebIdentity, you must have
// an identity token from a supported identity provider and create a role that
// the application can assume. The role that your application assumes must trust
// the identity provider that is associated with the identity token. In other
// words, the identity provider must be specified in the role's trust policy.
//
// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
// of the provided Web Identity Token. We recommend that you avoid using any
// personally identifiable information (PII) in this field. For example, you
// could instead use a GUID or a pairwise identifier, as suggested in the OIDC
// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
//
// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
// API, see the following resources:
//
2019-05-24 22:03:06 +00:00
// * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
2017-11-22 20:39:52 +00:00
//
//
// * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
2019-05-24 22:03:06 +00:00
// Walk through the process of authenticating through Login with Amazon,
// Facebook, or Google, getting temporary security credentials, and then
// using those credentials to make a request to AWS.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and
// AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
// These toolkits contain sample apps that show how to invoke the identity
// providers, and then how to use the information from these providers to
// get and use temporary security credentials.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
2017-11-22 20:39:52 +00:00
// This article discusses web identity federation and shows an example of
// how to use web identity federation to get access to content in Amazon
// S3.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation AssumeRoleWithWebIdentity for usage and error information.
//
// Returned Error Codes:
// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
// The request was rejected because the policy document was malformed. The error
// message describes the specific error.
//
// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
// The request was rejected because the policy document was too large. The error
// message describes how big the policy document is, in packed form, as a percentage
// of what the API allows.
//
// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
// The identity provider (IdP) reported that authentication failed. This might
// be because the claim is invalid.
//
// If this error is returned for the AssumeRoleWithWebIdentity operation, it
// can also mean that the claim has expired or has been explicitly revoked.
//
// * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
// The request could not be fulfilled because the non-AWS identity provider
// (IDP) that was asked to verify the incoming identity token could not be reached.
// This is often a transient error caused by network conditions. Retry the request
// a limited number of times so that you don't exceed the request rate. If the
// error persists, the non-AWS identity provider might be down or not responding.
//
// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
// The web identity token that was passed could not be validated by AWS. Get
// a new identity token from the identity provider and then retry the request.
//
// * ErrCodeExpiredTokenException "ExpiredTokenException"
// The web identity token that was passed is expired or is not valid. Get a
// new identity token from the identity provider and then retry the request.
//
// * ErrCodeRegionDisabledException "RegionDisabledException"
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
2019-05-24 22:03:06 +00:00
// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
2017-11-22 20:39:52 +00:00
func ( c * STS ) AssumeRoleWithWebIdentity ( input * AssumeRoleWithWebIdentityInput ) ( * AssumeRoleWithWebIdentityOutput , error ) {
req , out := c . AssumeRoleWithWebIdentityRequest ( input )
return out , req . Send ( )
}
// AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of
// the ability to pass a context and additional request options.
//
// See AssumeRoleWithWebIdentity for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) AssumeRoleWithWebIdentityWithContext ( ctx aws . Context , input * AssumeRoleWithWebIdentityInput , opts ... request . Option ) ( * AssumeRoleWithWebIdentityOutput , error ) {
req , out := c . AssumeRoleWithWebIdentityRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
// DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
// client's request for the DecodeAuthorizationMessage operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the DecodeAuthorizationMessageRequest method.
// req, resp := client.DecodeAuthorizationMessageRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
2017-11-22 20:39:52 +00:00
func ( c * STS ) DecodeAuthorizationMessageRequest ( input * DecodeAuthorizationMessageInput ) ( req * request . Request , output * DecodeAuthorizationMessageOutput ) {
op := & request . Operation {
Name : opDecodeAuthorizationMessage ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & DecodeAuthorizationMessageInput { }
}
output = & DecodeAuthorizationMessageOutput { }
req = c . newRequest ( op , input , output )
return
}
// DecodeAuthorizationMessage API operation for AWS Security Token Service.
//
// Decodes additional information about the authorization status of a request
// from an encoded message returned in response to an AWS request.
//
2019-05-24 22:03:06 +00:00
// For example, if a user is not authorized to perform an operation that he
// or she has requested, the request returns a Client.UnauthorizedOperation
// response (an HTTP 403 response). Some AWS operations additionally return
// an encoded message that can provide details about this authorization failure.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// Only certain AWS operations return an encoded authorization message. The
// documentation for an individual operation indicates whether that operation
// returns an encoded message in addition to returning an HTTP code.
2017-11-22 20:39:52 +00:00
//
// The message is encoded because the details of the authorization status can
2019-05-24 22:03:06 +00:00
// constitute privileged information that the user who requested the operation
2017-11-22 20:39:52 +00:00
// should not see. To decode an authorization status message, a user must be
// granted permissions via an IAM policy to request the DecodeAuthorizationMessage
// (sts:DecodeAuthorizationMessage) action.
//
// The decoded message includes the following type of information:
//
// * Whether the request was denied due to an explicit deny or due to the
// absence of an explicit allow. For more information, see Determining Whether
2019-05-24 22:03:06 +00:00
// a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// * The principal who made the request.
//
// * The requested action.
//
// * The requested resource.
//
// * The values of condition keys in the context of the user's request.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation DecodeAuthorizationMessage for usage and error information.
//
// Returned Error Codes:
// * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
// The error returned if the message passed to DecodeAuthorizationMessage was
// invalid. This can happen if the token contains invalid characters, such as
// linebreaks.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
2017-11-22 20:39:52 +00:00
func ( c * STS ) DecodeAuthorizationMessage ( input * DecodeAuthorizationMessageInput ) ( * DecodeAuthorizationMessageOutput , error ) {
req , out := c . DecodeAuthorizationMessageRequest ( input )
return out , req . Send ( )
}
// DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of
// the ability to pass a context and additional request options.
//
// See DecodeAuthorizationMessage for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) DecodeAuthorizationMessageWithContext ( ctx aws . Context , input * DecodeAuthorizationMessageInput , opts ... request . Option ) ( * DecodeAuthorizationMessageOutput , error ) {
req , out := c . DecodeAuthorizationMessageRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opGetCallerIdentity = "GetCallerIdentity"
// GetCallerIdentityRequest generates a "aws/request.Request" representing the
// client's request for the GetCallerIdentity operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GetCallerIdentity for more information on using the GetCallerIdentity
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the GetCallerIdentityRequest method.
// req, resp := client.GetCallerIdentityRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetCallerIdentityRequest ( input * GetCallerIdentityInput ) ( req * request . Request , output * GetCallerIdentityOutput ) {
op := & request . Operation {
Name : opGetCallerIdentity ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & GetCallerIdentityInput { }
}
output = & GetCallerIdentityOutput { }
req = c . newRequest ( op , input , output )
return
}
// GetCallerIdentity API operation for AWS Security Token Service.
//
// Returns details about the IAM identity whose credentials are used to call
// the API.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation GetCallerIdentity for usage and error information.
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetCallerIdentity ( input * GetCallerIdentityInput ) ( * GetCallerIdentityOutput , error ) {
req , out := c . GetCallerIdentityRequest ( input )
return out , req . Send ( )
}
// GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of
// the ability to pass a context and additional request options.
//
// See GetCallerIdentity for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) GetCallerIdentityWithContext ( ctx aws . Context , input * GetCallerIdentityInput , opts ... request . Option ) ( * GetCallerIdentityOutput , error ) {
req , out := c . GetCallerIdentityRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opGetFederationToken = "GetFederationToken"
// GetFederationTokenRequest generates a "aws/request.Request" representing the
// client's request for the GetFederationToken operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GetFederationToken for more information on using the GetFederationToken
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the GetFederationTokenRequest method.
// req, resp := client.GetFederationTokenRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetFederationTokenRequest ( input * GetFederationTokenInput ) ( req * request . Request , output * GetFederationTokenOutput ) {
op := & request . Operation {
Name : opGetFederationToken ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & GetFederationTokenInput { }
}
output = & GetFederationTokenOutput { }
req = c . newRequest ( op , input , output )
return
}
// GetFederationToken API operation for AWS Security Token Service.
//
// Returns a set of temporary security credentials (consisting of an access
// key ID, a secret access key, and a security token) for a federated user.
// A typical use is in a proxy application that gets temporary security credentials
2019-05-24 22:03:06 +00:00
// on behalf of distributed applications inside a corporate network. You must
// call the GetFederationToken operation using the long-term security credentials
// of an IAM user. As a result, this call is appropriate in contexts where those
2017-11-22 20:39:52 +00:00
// credentials can be safely stored, usually in a server-based application.
2019-05-24 22:03:06 +00:00
// For a comparison of GetFederationToken with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// You can create a mobile-based or browser-based app that can authenticate
2017-11-22 20:39:52 +00:00
// users using a web identity provider like Login with Amazon, Facebook, Google,
2019-05-24 22:03:06 +00:00
// or an OpenID Connect-compatible identity provider. In this case, we recommend
// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
2017-11-22 20:39:52 +00:00
// For more information, see Federation Through a Web-based Identity Provider
2019-05-24 22:03:06 +00:00
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
//
// You can also call GetFederationToken using the security credentials of an
// AWS account root user, but we do not recommend it. Instead, we recommend
// that you create an IAM user for the purpose of the proxy application. Then
// attach a policy to the IAM user that limits federated users to only the actions
// and resources that they need to access. For more information, see IAM Best
// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The temporary credentials are valid for the specified duration, from 900
// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
// is 43,200 seconds (12 hours). Temporary credentials that are obtained by
// using AWS account root user credentials have a maximum duration of 3,600
// seconds (1 hour).
2017-11-22 20:39:52 +00:00
//
// The temporary security credentials created by GetFederationToken can be used
// to make API calls to any AWS service with the following exceptions:
//
2019-05-24 22:03:06 +00:00
// * You cannot use these credentials to call any IAM API operations.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// * You cannot call any STS API operations except GetCallerIdentity.
2017-11-22 20:39:52 +00:00
//
// Permissions
//
2019-05-24 22:03:06 +00:00
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plain text that you use for both inline
// and managed session policies shouldn't exceed 2048 characters.
//
// Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. The only exception
// is when the credentials are used to access a resource that has a resource-based
// policy that specifically references the federated user session in the Principal
// element of the policy. When you pass session policies, the session permissions
// are the intersection of the IAM user policies and the session policies that
// you pass. This gives you a way to further restrict the permissions for a
// federated user. You cannot use session policies to grant more permissions
// than those that are defined in the permissions policy of the IAM user. For
// more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. For information about using GetFederationToken to
// create temporary security credentials, see GetFederationToken—Federation
// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
2017-11-22 20:39:52 +00:00
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation GetFederationToken for usage and error information.
//
// Returned Error Codes:
// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
// The request was rejected because the policy document was malformed. The error
// message describes the specific error.
//
// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
// The request was rejected because the policy document was too large. The error
// message describes how big the policy document is, in packed form, as a percentage
// of what the API allows.
//
// * ErrCodeRegionDisabledException "RegionDisabledException"
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
2019-05-24 22:03:06 +00:00
// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetFederationToken ( input * GetFederationTokenInput ) ( * GetFederationTokenOutput , error ) {
req , out := c . GetFederationTokenRequest ( input )
return out , req . Send ( )
}
// GetFederationTokenWithContext is the same as GetFederationToken with the addition of
// the ability to pass a context and additional request options.
//
// See GetFederationToken for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) GetFederationTokenWithContext ( ctx aws . Context , input * GetFederationTokenInput , opts ... request . Option ) ( * GetFederationTokenOutput , error ) {
req , out := c . GetFederationTokenRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
const opGetSessionToken = "GetSessionToken"
// GetSessionTokenRequest generates a "aws/request.Request" representing the
// client's request for the GetSessionToken operation. The "output" return
2019-05-24 22:03:06 +00:00
// value will be populated with the request's response once the request completes
// successfully.
2017-11-22 20:39:52 +00:00
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See GetSessionToken for more information on using the GetSessionToken
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
//
// // Example sending a request using the GetSessionTokenRequest method.
// req, resp := client.GetSessionTokenRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetSessionTokenRequest ( input * GetSessionTokenInput ) ( req * request . Request , output * GetSessionTokenOutput ) {
op := & request . Operation {
Name : opGetSessionToken ,
HTTPMethod : "POST" ,
HTTPPath : "/" ,
}
if input == nil {
input = & GetSessionTokenInput { }
}
output = & GetSessionTokenOutput { }
req = c . newRequest ( op , input , output )
return
}
// GetSessionToken API operation for AWS Security Token Service.
//
// Returns a set of temporary credentials for an AWS account or IAM user. The
// credentials consist of an access key ID, a secret access key, and a security
// token. Typically, you use GetSessionToken if you want to use MFA to protect
2019-05-24 22:03:06 +00:00
// programmatic calls to specific AWS API operations like Amazon EC2 StopInstances.
// MFA-enabled IAM users would need to call GetSessionToken and submit an MFA
// code that is associated with their MFA device. Using the temporary security
// credentials that are returned from the call, IAM users can then make programmatic
// calls to API operations that require MFA authentication. If you do not supply
// a correct MFA code, then the API returns an access denied error. For a comparison
// of GetSessionToken with the other API operations that produce temporary credentials,
// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The GetSessionToken operation must be called by using the long-term AWS security
// credentials of the AWS account root user or an IAM user. Credentials that
// are created by IAM users are valid for the duration that you specify. This
// duration can range from 900 seconds (15 minutes) up to a maximum of 129,600
// seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials
// based on account credentials can range from 900 seconds (15 minutes) up to
// 3,600 seconds (1 hour), with a default of 1 hour.
2017-11-22 20:39:52 +00:00
//
// The temporary security credentials created by GetSessionToken can be used
// to make API calls to any AWS service with the following exceptions:
//
2019-05-24 22:03:06 +00:00
// * You cannot call any IAM API operations unless MFA authentication information
// is included in the request.
2017-11-22 20:39:52 +00:00
//
// * You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
//
2019-05-24 22:03:06 +00:00
// We recommend that you do not call GetSessionToken with AWS account root user
// credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
2017-11-22 20:39:52 +00:00
// by creating one or more IAM users, giving them the necessary permissions,
// and using IAM users for everyday interaction with AWS.
//
2019-05-24 22:03:06 +00:00
// The credentials that are returned by GetSessionToken are based on permissions
// associated with the user whose credentials were used to call the operation.
// If GetSessionToken is called using AWS account root user credentials, the
// temporary credentials have root user permissions. Similarly, if GetSessionToken
// is called using the credentials of an IAM user, the temporary credentials
// have the same permissions as the IAM user.
2017-11-22 20:39:52 +00:00
//
// For more information about using GetSessionToken to create temporary credentials,
2019-05-24 22:03:06 +00:00
// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Security Token Service's
// API operation GetSessionToken for usage and error information.
//
// Returned Error Codes:
// * ErrCodeRegionDisabledException "RegionDisabledException"
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
2019-05-24 22:03:06 +00:00
// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
2017-11-22 20:39:52 +00:00
func ( c * STS ) GetSessionToken ( input * GetSessionTokenInput ) ( * GetSessionTokenOutput , error ) {
req , out := c . GetSessionTokenRequest ( input )
return out , req . Send ( )
}
// GetSessionTokenWithContext is the same as GetSessionToken with the addition of
// the ability to pass a context and additional request options.
//
// See GetSessionToken for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func ( c * STS ) GetSessionTokenWithContext ( ctx aws . Context , input * GetSessionTokenInput , opts ... request . Option ) ( * GetSessionTokenOutput , error ) {
req , out := c . GetSessionTokenRequest ( input )
req . SetContext ( ctx )
req . ApplyOptions ( opts ... )
return out , req . Send ( )
}
type AssumeRoleInput struct {
_ struct { } ` type:"structure" `
// The duration, in seconds, of the role session. The value can range from 900
2019-05-24 22:03:06 +00:00
// seconds (15 minutes) up to the maximum session duration setting for the role.
// This setting can have a value from 1 hour to 12 hours. If you specify a value
// higher than this setting, the operation fails. For example, if you specify
// a session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum
// value for your role, see View the Maximum Session Duration Setting for a
// Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request
// to the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
DurationSeconds * int64 ` min:"900" type:"integer" `
2019-05-24 22:03:06 +00:00
// A unique identifier that might be required when you assume a role in another
// account. If the administrator of the account to which the role belongs provided
// you with an external ID, then provide that value in the ExternalId parameter.
// This value can be any string, such as a passphrase or account number. A cross-account
// role is usually set up to trust everyone in an account. Therefore, the administrator
// of the trusting account might send an external ID to the administrator of
// the trusted account. That way, only someone with the ID can assume the role,
// rather than everyone in the account. For more information about the external
// ID, see How to Use an External ID When Granting Access to Your AWS Resources
// to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The regex used to validate this parameter is a string of characters consisting
2017-11-22 20:39:52 +00:00
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@:/-
ExternalId * string ` min:"2" type:"string" `
2019-05-24 22:03:06 +00:00
// An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use
// the role's temporary credentials in subsequent AWS API calls to access resources
// in the account that owns the role. You cannot use session policies to grant
// more permissions than those allowed by the identity-based policy of the role
// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The plain text that you use for both inline and managed session policies
// shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
// character from the space character to the end of the valid character list
// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2017-11-22 20:39:52 +00:00
// and carriage return (\u000D) characters.
//
2019-05-24 22:03:06 +00:00
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
2017-11-22 20:39:52 +00:00
Policy * string ` min:"1" type:"string" `
2019-05-24 22:03:06 +00:00
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
// to use as managed session policies. The policies must exist in the same account
// as the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. For more information about ARNs,
// see Amazon Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
// in the AWS General Reference.
//
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent AWS API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns [ ] * PolicyDescriptorType ` type:"list" `
2017-11-22 20:39:52 +00:00
// The Amazon Resource Name (ARN) of the role to assume.
//
// RoleArn is a required field
RoleArn * string ` min:"20" type:"string" required:"true" `
// An identifier for the assumed role session.
//
// Use the role session name to uniquely identify a session when the same role
// is assumed by different principals or for different reasons. In cross-account
// scenarios, the role session name is visible to, and can be logged by the
// account that owns the role. The role session name is also used in the ARN
// of the assumed role principal. This means that subsequent cross-account API
2019-05-24 22:03:06 +00:00
// requests that use the temporary security credentials will expose the role
// session name to the external account in their AWS CloudTrail logs.
2017-11-22 20:39:52 +00:00
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@-
//
// RoleSessionName is a required field
RoleSessionName * string ` min:"2" type:"string" required:"true" `
// The identification number of the MFA device that is associated with the user
// who is making the AssumeRole call. Specify this value if the trust policy
// of the role being assumed includes a condition that requires MFA authentication.
// The value is either the serial number for a hardware device (such as GAHT12345678)
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@-
SerialNumber * string ` min:"9" type:"string" `
// The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA (that is, if the policy includes a condition that tests
// for MFA). If the role being assumed requires MFA and if the TokenCode value
// is missing or expired, the AssumeRole call returns an "access denied" error.
//
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode * string ` min:"6" type:"string" `
}
// String returns the string representation
func ( s AssumeRoleInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * AssumeRoleInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "AssumeRoleInput" }
if s . DurationSeconds != nil && * s . DurationSeconds < 900 {
invalidParams . Add ( request . NewErrParamMinValue ( "DurationSeconds" , 900 ) )
}
if s . ExternalId != nil && len ( * s . ExternalId ) < 2 {
invalidParams . Add ( request . NewErrParamMinLen ( "ExternalId" , 2 ) )
}
if s . Policy != nil && len ( * s . Policy ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "Policy" , 1 ) )
}
if s . RoleArn == nil {
invalidParams . Add ( request . NewErrParamRequired ( "RoleArn" ) )
}
if s . RoleArn != nil && len ( * s . RoleArn ) < 20 {
invalidParams . Add ( request . NewErrParamMinLen ( "RoleArn" , 20 ) )
}
if s . RoleSessionName == nil {
invalidParams . Add ( request . NewErrParamRequired ( "RoleSessionName" ) )
}
if s . RoleSessionName != nil && len ( * s . RoleSessionName ) < 2 {
invalidParams . Add ( request . NewErrParamMinLen ( "RoleSessionName" , 2 ) )
}
if s . SerialNumber != nil && len ( * s . SerialNumber ) < 9 {
invalidParams . Add ( request . NewErrParamMinLen ( "SerialNumber" , 9 ) )
}
if s . TokenCode != nil && len ( * s . TokenCode ) < 6 {
invalidParams . Add ( request . NewErrParamMinLen ( "TokenCode" , 6 ) )
}
2019-05-24 22:03:06 +00:00
if s . PolicyArns != nil {
for i , v := range s . PolicyArns {
if v == nil {
continue
}
if err := v . Validate ( ) ; err != nil {
invalidParams . AddNested ( fmt . Sprintf ( "%s[%v]" , "PolicyArns" , i ) , err . ( request . ErrInvalidParams ) )
}
}
}
2017-11-22 20:39:52 +00:00
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetDurationSeconds sets the DurationSeconds field's value.
func ( s * AssumeRoleInput ) SetDurationSeconds ( v int64 ) * AssumeRoleInput {
s . DurationSeconds = & v
return s
}
// SetExternalId sets the ExternalId field's value.
func ( s * AssumeRoleInput ) SetExternalId ( v string ) * AssumeRoleInput {
s . ExternalId = & v
return s
}
// SetPolicy sets the Policy field's value.
func ( s * AssumeRoleInput ) SetPolicy ( v string ) * AssumeRoleInput {
s . Policy = & v
return s
}
2019-05-24 22:03:06 +00:00
// SetPolicyArns sets the PolicyArns field's value.
func ( s * AssumeRoleInput ) SetPolicyArns ( v [ ] * PolicyDescriptorType ) * AssumeRoleInput {
s . PolicyArns = v
return s
}
2017-11-22 20:39:52 +00:00
// SetRoleArn sets the RoleArn field's value.
func ( s * AssumeRoleInput ) SetRoleArn ( v string ) * AssumeRoleInput {
s . RoleArn = & v
return s
}
// SetRoleSessionName sets the RoleSessionName field's value.
func ( s * AssumeRoleInput ) SetRoleSessionName ( v string ) * AssumeRoleInput {
s . RoleSessionName = & v
return s
}
// SetSerialNumber sets the SerialNumber field's value.
func ( s * AssumeRoleInput ) SetSerialNumber ( v string ) * AssumeRoleInput {
s . SerialNumber = & v
return s
}
// SetTokenCode sets the TokenCode field's value.
func ( s * AssumeRoleInput ) SetTokenCode ( v string ) * AssumeRoleInput {
s . TokenCode = & v
return s
}
// Contains the response to a successful AssumeRole request, including temporary
// AWS credentials that can be used to make AWS requests.
type AssumeRoleOutput struct {
_ struct { } ` type:"structure" `
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
// that you can use to refer to the resulting temporary security credentials.
// For example, you can reference these credentials as a principal in a resource-based
// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
// that you specified when you called AssumeRole.
AssumedRoleUser * AssumedRoleUser ` type:"structure" `
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
2019-05-24 22:03:06 +00:00
// The size of the security token that STS API operations return is not fixed.
// We strongly recommend that you make no assumptions about the maximum size.
2017-11-22 20:39:52 +00:00
Credentials * Credentials ` type:"structure" `
// A percentage value that indicates the size of the policy in packed form.
// The service rejects any policy with a packed size greater than 100 percent,
// which means the policy exceeded the allowed space.
PackedPolicySize * int64 ` type:"integer" `
}
// String returns the string representation
func ( s AssumeRoleOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleOutput ) GoString ( ) string {
return s . String ( )
}
// SetAssumedRoleUser sets the AssumedRoleUser field's value.
func ( s * AssumeRoleOutput ) SetAssumedRoleUser ( v * AssumedRoleUser ) * AssumeRoleOutput {
s . AssumedRoleUser = v
return s
}
// SetCredentials sets the Credentials field's value.
func ( s * AssumeRoleOutput ) SetCredentials ( v * Credentials ) * AssumeRoleOutput {
s . Credentials = v
return s
}
// SetPackedPolicySize sets the PackedPolicySize field's value.
func ( s * AssumeRoleOutput ) SetPackedPolicySize ( v int64 ) * AssumeRoleOutput {
s . PackedPolicySize = & v
return s
}
type AssumeRoleWithSAMLInput struct {
_ struct { } ` type:"structure" `
2019-05-24 22:03:06 +00:00
// The duration, in seconds, of the role session. Your role session lasts for
// the duration that you specify for the DurationSeconds parameter, or until
// the time specified in the SAML authentication response's SessionNotOnOrAfter
// value, whichever is shorter. You can provide a DurationSeconds value from
// 900 seconds (15 minutes) up to the maximum session duration setting for the
// role. This setting can have a value from 1 hour to 12 hours. If you specify
// a value higher than this setting, the operation fails. For example, if you
// specify a session duration of 12 hours, but your administrator set the maximum
// session duration to 6 hours, your operation fails. To learn how to view the
// maximum value for your role, see View the Maximum Session Duration Setting
// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request
// to the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
DurationSeconds * int64 ` min:"900" type:"integer" `
2019-05-24 22:03:06 +00:00
// An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use
// the role's temporary credentials in subsequent AWS API calls to access resources
// in the account that owns the role. You cannot use session policies to grant
// more permissions than those allowed by the identity-based policy of the role
// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The plain text that you use for both inline and managed session policies
// shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
// character from the space character to the end of the valid character list
// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2017-11-22 20:39:52 +00:00
// and carriage return (\u000D) characters.
//
2019-05-24 22:03:06 +00:00
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
2017-11-22 20:39:52 +00:00
Policy * string ` min:"1" type:"string" `
2019-05-24 22:03:06 +00:00
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
// to use as managed session policies. The policies must exist in the same account
// as the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. For more information about ARNs,
// see Amazon Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
// in the AWS General Reference.
//
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent AWS API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns [ ] * PolicyDescriptorType ` type:"list" `
2017-11-22 20:39:52 +00:00
// The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
// the IdP.
//
// PrincipalArn is a required field
PrincipalArn * string ` min:"20" type:"string" required:"true" `
// The Amazon Resource Name (ARN) of the role that the caller is assuming.
//
// RoleArn is a required field
RoleArn * string ` min:"20" type:"string" required:"true" `
// The base-64 encoded SAML authentication response provided by the IdP.
//
2019-05-24 22:03:06 +00:00
// For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// in the IAM User Guide.
2017-11-22 20:39:52 +00:00
//
// SAMLAssertion is a required field
SAMLAssertion * string ` min:"4" type:"string" required:"true" `
}
// String returns the string representation
func ( s AssumeRoleWithSAMLInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleWithSAMLInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * AssumeRoleWithSAMLInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "AssumeRoleWithSAMLInput" }
if s . DurationSeconds != nil && * s . DurationSeconds < 900 {
invalidParams . Add ( request . NewErrParamMinValue ( "DurationSeconds" , 900 ) )
}
if s . Policy != nil && len ( * s . Policy ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "Policy" , 1 ) )
}
if s . PrincipalArn == nil {
invalidParams . Add ( request . NewErrParamRequired ( "PrincipalArn" ) )
}
if s . PrincipalArn != nil && len ( * s . PrincipalArn ) < 20 {
invalidParams . Add ( request . NewErrParamMinLen ( "PrincipalArn" , 20 ) )
}
if s . RoleArn == nil {
invalidParams . Add ( request . NewErrParamRequired ( "RoleArn" ) )
}
if s . RoleArn != nil && len ( * s . RoleArn ) < 20 {
invalidParams . Add ( request . NewErrParamMinLen ( "RoleArn" , 20 ) )
}
if s . SAMLAssertion == nil {
invalidParams . Add ( request . NewErrParamRequired ( "SAMLAssertion" ) )
}
if s . SAMLAssertion != nil && len ( * s . SAMLAssertion ) < 4 {
invalidParams . Add ( request . NewErrParamMinLen ( "SAMLAssertion" , 4 ) )
}
2019-05-24 22:03:06 +00:00
if s . PolicyArns != nil {
for i , v := range s . PolicyArns {
if v == nil {
continue
}
if err := v . Validate ( ) ; err != nil {
invalidParams . AddNested ( fmt . Sprintf ( "%s[%v]" , "PolicyArns" , i ) , err . ( request . ErrInvalidParams ) )
}
}
}
2017-11-22 20:39:52 +00:00
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetDurationSeconds sets the DurationSeconds field's value.
func ( s * AssumeRoleWithSAMLInput ) SetDurationSeconds ( v int64 ) * AssumeRoleWithSAMLInput {
s . DurationSeconds = & v
return s
}
// SetPolicy sets the Policy field's value.
func ( s * AssumeRoleWithSAMLInput ) SetPolicy ( v string ) * AssumeRoleWithSAMLInput {
s . Policy = & v
return s
}
2019-05-24 22:03:06 +00:00
// SetPolicyArns sets the PolicyArns field's value.
func ( s * AssumeRoleWithSAMLInput ) SetPolicyArns ( v [ ] * PolicyDescriptorType ) * AssumeRoleWithSAMLInput {
s . PolicyArns = v
return s
}
2017-11-22 20:39:52 +00:00
// SetPrincipalArn sets the PrincipalArn field's value.
func ( s * AssumeRoleWithSAMLInput ) SetPrincipalArn ( v string ) * AssumeRoleWithSAMLInput {
s . PrincipalArn = & v
return s
}
// SetRoleArn sets the RoleArn field's value.
func ( s * AssumeRoleWithSAMLInput ) SetRoleArn ( v string ) * AssumeRoleWithSAMLInput {
s . RoleArn = & v
return s
}
// SetSAMLAssertion sets the SAMLAssertion field's value.
func ( s * AssumeRoleWithSAMLInput ) SetSAMLAssertion ( v string ) * AssumeRoleWithSAMLInput {
s . SAMLAssertion = & v
return s
}
// Contains the response to a successful AssumeRoleWithSAML request, including
// temporary AWS credentials that can be used to make AWS requests.
type AssumeRoleWithSAMLOutput struct {
_ struct { } ` type:"structure" `
// The identifiers for the temporary security credentials that the operation
// returns.
AssumedRoleUser * AssumedRoleUser ` type:"structure" `
// The value of the Recipient attribute of the SubjectConfirmationData element
// of the SAML assertion.
Audience * string ` type:"string" `
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
2019-05-24 22:03:06 +00:00
// The size of the security token that STS API operations return is not fixed.
// We strongly recommend that you make no assumptions about the maximum size.
2017-11-22 20:39:52 +00:00
Credentials * Credentials ` type:"structure" `
// The value of the Issuer element of the SAML assertion.
Issuer * string ` type:"string" `
// A hash value based on the concatenation of the Issuer response value, the
// AWS account ID, and the friendly name (the last part of the ARN) of the SAML
// provider in IAM. The combination of NameQualifier and Subject can be used
// to uniquely identify a federated user.
//
// The following pseudocode shows how the hash value is calculated:
//
// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
// ) )
NameQualifier * string ` type:"string" `
// A percentage value that indicates the size of the policy in packed form.
// The service rejects any policy with a packed size greater than 100 percent,
// which means the policy exceeded the allowed space.
PackedPolicySize * int64 ` type:"integer" `
// The value of the NameID element in the Subject element of the SAML assertion.
Subject * string ` type:"string" `
// The format of the name ID, as defined by the Format attribute in the NameID
// element of the SAML assertion. Typical examples of the format are transient
// or persistent.
//
// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
// is returned as transient. If the format includes any other prefix, the format
// is returned with no modifications.
SubjectType * string ` type:"string" `
}
// String returns the string representation
func ( s AssumeRoleWithSAMLOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleWithSAMLOutput ) GoString ( ) string {
return s . String ( )
}
// SetAssumedRoleUser sets the AssumedRoleUser field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetAssumedRoleUser ( v * AssumedRoleUser ) * AssumeRoleWithSAMLOutput {
s . AssumedRoleUser = v
return s
}
// SetAudience sets the Audience field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetAudience ( v string ) * AssumeRoleWithSAMLOutput {
s . Audience = & v
return s
}
// SetCredentials sets the Credentials field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetCredentials ( v * Credentials ) * AssumeRoleWithSAMLOutput {
s . Credentials = v
return s
}
// SetIssuer sets the Issuer field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetIssuer ( v string ) * AssumeRoleWithSAMLOutput {
s . Issuer = & v
return s
}
// SetNameQualifier sets the NameQualifier field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetNameQualifier ( v string ) * AssumeRoleWithSAMLOutput {
s . NameQualifier = & v
return s
}
// SetPackedPolicySize sets the PackedPolicySize field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetPackedPolicySize ( v int64 ) * AssumeRoleWithSAMLOutput {
s . PackedPolicySize = & v
return s
}
// SetSubject sets the Subject field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetSubject ( v string ) * AssumeRoleWithSAMLOutput {
s . Subject = & v
return s
}
// SetSubjectType sets the SubjectType field's value.
func ( s * AssumeRoleWithSAMLOutput ) SetSubjectType ( v string ) * AssumeRoleWithSAMLOutput {
s . SubjectType = & v
return s
}
type AssumeRoleWithWebIdentityInput struct {
_ struct { } ` type:"structure" `
// The duration, in seconds, of the role session. The value can range from 900
2019-05-24 22:03:06 +00:00
// seconds (15 minutes) up to the maximum session duration setting for the role.
// This setting can have a value from 1 hour to 12 hours. If you specify a value
// higher than this setting, the operation fails. For example, if you specify
// a session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum
// value for your role, see View the Maximum Session Duration Setting for a
// Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request
// to the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
DurationSeconds * int64 ` min:"900" type:"integer" `
2019-05-24 22:03:06 +00:00
// An IAM policy in JSON format that you want to use as an inline session policy.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use
// the role's temporary credentials in subsequent AWS API calls to access resources
// in the account that owns the role. You cannot use session policies to grant
// more permissions than those allowed by the identity-based policy of the role
// that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
2017-11-22 20:39:52 +00:00
// in the IAM User Guide.
//
2019-05-24 22:03:06 +00:00
// The plain text that you use for both inline and managed session policies
// shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
// character from the space character to the end of the valid character list
// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2017-11-22 20:39:52 +00:00
// and carriage return (\u000D) characters.
//
2019-05-24 22:03:06 +00:00
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
2017-11-22 20:39:52 +00:00
Policy * string ` min:"1" type:"string" `
2019-05-24 22:03:06 +00:00
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
// to use as managed session policies. The policies must exist in the same account
// as the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plain text that you use for both inline and managed session
// policies shouldn't exceed 2048 characters. For more information about ARNs,
// see Amazon Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
// in the AWS General Reference.
//
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's identity-based
// policy and the session policies. You can use the role's temporary credentials
// in subsequent AWS API calls to access resources in the account that owns
// the role. You cannot use session policies to grant more permissions than
// those allowed by the identity-based policy of the role that is being assumed.
// For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
PolicyArns [ ] * PolicyDescriptorType ` type:"list" `
2017-11-22 20:39:52 +00:00
// The fully qualified host component of the domain name of the identity provider.
//
// Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
// and graph.facebook.com are the only supported identity providers for OAuth
// 2.0 access tokens. Do not include URL schemes and port numbers.
//
// Do not specify this value for OpenID Connect ID tokens.
ProviderId * string ` min:"4" type:"string" `
// The Amazon Resource Name (ARN) of the role that the caller is assuming.
//
// RoleArn is a required field
RoleArn * string ` min:"20" type:"string" required:"true" `
// An identifier for the assumed role session. Typically, you pass the name
// or identifier that is associated with the user who is using your application.
// That way, the temporary security credentials that your application will use
// are associated with that user. This session name is included as part of the
// ARN and assumed role ID in the AssumedRoleUser response element.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@-
//
// RoleSessionName is a required field
RoleSessionName * string ` min:"2" type:"string" required:"true" `
// The OAuth 2.0 access token or OpenID Connect ID token that is provided by
// the identity provider. Your application must get this token by authenticating
// the user who is using your application with a web identity provider before
// the application makes an AssumeRoleWithWebIdentity call.
//
// WebIdentityToken is a required field
WebIdentityToken * string ` min:"4" type:"string" required:"true" `
}
// String returns the string representation
func ( s AssumeRoleWithWebIdentityInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleWithWebIdentityInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * AssumeRoleWithWebIdentityInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "AssumeRoleWithWebIdentityInput" }
if s . DurationSeconds != nil && * s . DurationSeconds < 900 {
invalidParams . Add ( request . NewErrParamMinValue ( "DurationSeconds" , 900 ) )
}
if s . Policy != nil && len ( * s . Policy ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "Policy" , 1 ) )
}
if s . ProviderId != nil && len ( * s . ProviderId ) < 4 {
invalidParams . Add ( request . NewErrParamMinLen ( "ProviderId" , 4 ) )
}
if s . RoleArn == nil {
invalidParams . Add ( request . NewErrParamRequired ( "RoleArn" ) )
}
if s . RoleArn != nil && len ( * s . RoleArn ) < 20 {
invalidParams . Add ( request . NewErrParamMinLen ( "RoleArn" , 20 ) )
}
if s . RoleSessionName == nil {
invalidParams . Add ( request . NewErrParamRequired ( "RoleSessionName" ) )
}
if s . RoleSessionName != nil && len ( * s . RoleSessionName ) < 2 {
invalidParams . Add ( request . NewErrParamMinLen ( "RoleSessionName" , 2 ) )
}
if s . WebIdentityToken == nil {
invalidParams . Add ( request . NewErrParamRequired ( "WebIdentityToken" ) )
}
if s . WebIdentityToken != nil && len ( * s . WebIdentityToken ) < 4 {
invalidParams . Add ( request . NewErrParamMinLen ( "WebIdentityToken" , 4 ) )
}
2019-05-24 22:03:06 +00:00
if s . PolicyArns != nil {
for i , v := range s . PolicyArns {
if v == nil {
continue
}
if err := v . Validate ( ) ; err != nil {
invalidParams . AddNested ( fmt . Sprintf ( "%s[%v]" , "PolicyArns" , i ) , err . ( request . ErrInvalidParams ) )
}
}
}
2017-11-22 20:39:52 +00:00
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetDurationSeconds sets the DurationSeconds field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetDurationSeconds ( v int64 ) * AssumeRoleWithWebIdentityInput {
s . DurationSeconds = & v
return s
}
// SetPolicy sets the Policy field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetPolicy ( v string ) * AssumeRoleWithWebIdentityInput {
s . Policy = & v
return s
}
2019-05-24 22:03:06 +00:00
// SetPolicyArns sets the PolicyArns field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetPolicyArns ( v [ ] * PolicyDescriptorType ) * AssumeRoleWithWebIdentityInput {
s . PolicyArns = v
return s
}
2017-11-22 20:39:52 +00:00
// SetProviderId sets the ProviderId field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetProviderId ( v string ) * AssumeRoleWithWebIdentityInput {
s . ProviderId = & v
return s
}
// SetRoleArn sets the RoleArn field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetRoleArn ( v string ) * AssumeRoleWithWebIdentityInput {
s . RoleArn = & v
return s
}
// SetRoleSessionName sets the RoleSessionName field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetRoleSessionName ( v string ) * AssumeRoleWithWebIdentityInput {
s . RoleSessionName = & v
return s
}
// SetWebIdentityToken sets the WebIdentityToken field's value.
func ( s * AssumeRoleWithWebIdentityInput ) SetWebIdentityToken ( v string ) * AssumeRoleWithWebIdentityInput {
s . WebIdentityToken = & v
return s
}
// Contains the response to a successful AssumeRoleWithWebIdentity request,
// including temporary AWS credentials that can be used to make AWS requests.
type AssumeRoleWithWebIdentityOutput struct {
_ struct { } ` type:"structure" `
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
// that you can use to refer to the resulting temporary security credentials.
// For example, you can reference these credentials as a principal in a resource-based
// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
// that you specified when you called AssumeRole.
AssumedRoleUser * AssumedRoleUser ` type:"structure" `
// The intended audience (also known as client ID) of the web identity token.
// This is traditionally the client identifier issued to the application that
// requested the web identity token.
Audience * string ` type:"string" `
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security token.
//
2019-05-24 22:03:06 +00:00
// The size of the security token that STS API operations return is not fixed.
// We strongly recommend that you make no assumptions about the maximum size.
2017-11-22 20:39:52 +00:00
Credentials * Credentials ` type:"structure" `
// A percentage value that indicates the size of the policy in packed form.
// The service rejects any policy with a packed size greater than 100 percent,
// which means the policy exceeded the allowed space.
PackedPolicySize * int64 ` type:"integer" `
// The issuing authority of the web identity token presented. For OpenID Connect
2019-05-24 22:03:06 +00:00
// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
2017-11-22 20:39:52 +00:00
// tokens, this contains the value of the ProviderId parameter that was passed
// in the AssumeRoleWithWebIdentity request.
Provider * string ` type:"string" `
// The unique user identifier that is returned by the identity provider. This
// identifier is associated with the WebIdentityToken that was submitted with
// the AssumeRoleWithWebIdentity call. The identifier is typically unique to
// the user and the application that acquired the WebIdentityToken (pairwise
// identifier). For OpenID Connect ID tokens, this field contains the value
// returned by the identity provider as the token's sub (Subject) claim.
SubjectFromWebIdentityToken * string ` min:"6" type:"string" `
}
// String returns the string representation
func ( s AssumeRoleWithWebIdentityOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumeRoleWithWebIdentityOutput ) GoString ( ) string {
return s . String ( )
}
// SetAssumedRoleUser sets the AssumedRoleUser field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetAssumedRoleUser ( v * AssumedRoleUser ) * AssumeRoleWithWebIdentityOutput {
s . AssumedRoleUser = v
return s
}
// SetAudience sets the Audience field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetAudience ( v string ) * AssumeRoleWithWebIdentityOutput {
s . Audience = & v
return s
}
// SetCredentials sets the Credentials field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetCredentials ( v * Credentials ) * AssumeRoleWithWebIdentityOutput {
s . Credentials = v
return s
}
// SetPackedPolicySize sets the PackedPolicySize field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetPackedPolicySize ( v int64 ) * AssumeRoleWithWebIdentityOutput {
s . PackedPolicySize = & v
return s
}
// SetProvider sets the Provider field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetProvider ( v string ) * AssumeRoleWithWebIdentityOutput {
s . Provider = & v
return s
}
// SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
func ( s * AssumeRoleWithWebIdentityOutput ) SetSubjectFromWebIdentityToken ( v string ) * AssumeRoleWithWebIdentityOutput {
s . SubjectFromWebIdentityToken = & v
return s
}
// The identifiers for the temporary security credentials that the operation
// returns.
type AssumedRoleUser struct {
_ struct { } ` type:"structure" `
// The ARN of the temporary security credentials that are returned from the
// AssumeRole action. For more information about ARNs and how to use them in
2019-05-24 22:03:06 +00:00
// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2017-11-22 20:39:52 +00:00
// in Using IAM.
//
// Arn is a required field
Arn * string ` min:"20" type:"string" required:"true" `
// A unique identifier that contains the role ID and the role session name of
// the role that is being assumed. The role ID is generated by AWS when the
// role is created.
//
// AssumedRoleId is a required field
AssumedRoleId * string ` min:"2" type:"string" required:"true" `
}
// String returns the string representation
func ( s AssumedRoleUser ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s AssumedRoleUser ) GoString ( ) string {
return s . String ( )
}
// SetArn sets the Arn field's value.
func ( s * AssumedRoleUser ) SetArn ( v string ) * AssumedRoleUser {
s . Arn = & v
return s
}
// SetAssumedRoleId sets the AssumedRoleId field's value.
func ( s * AssumedRoleUser ) SetAssumedRoleId ( v string ) * AssumedRoleUser {
s . AssumedRoleId = & v
return s
}
// AWS credentials for API authentication.
type Credentials struct {
_ struct { } ` type:"structure" `
// The access key ID that identifies the temporary security credentials.
//
// AccessKeyId is a required field
AccessKeyId * string ` min:"16" type:"string" required:"true" `
// The date on which the current credentials expire.
//
// Expiration is a required field
2019-05-24 22:03:06 +00:00
Expiration * time . Time ` type:"timestamp" required:"true" `
2017-11-22 20:39:52 +00:00
// The secret access key that can be used to sign requests.
//
// SecretAccessKey is a required field
SecretAccessKey * string ` type:"string" required:"true" `
// The token that users must pass to the service API to use the temporary credentials.
//
// SessionToken is a required field
SessionToken * string ` type:"string" required:"true" `
}
// String returns the string representation
func ( s Credentials ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s Credentials ) GoString ( ) string {
return s . String ( )
}
// SetAccessKeyId sets the AccessKeyId field's value.
func ( s * Credentials ) SetAccessKeyId ( v string ) * Credentials {
s . AccessKeyId = & v
return s
}
// SetExpiration sets the Expiration field's value.
func ( s * Credentials ) SetExpiration ( v time . Time ) * Credentials {
s . Expiration = & v
return s
}
// SetSecretAccessKey sets the SecretAccessKey field's value.
func ( s * Credentials ) SetSecretAccessKey ( v string ) * Credentials {
s . SecretAccessKey = & v
return s
}
// SetSessionToken sets the SessionToken field's value.
func ( s * Credentials ) SetSessionToken ( v string ) * Credentials {
s . SessionToken = & v
return s
}
type DecodeAuthorizationMessageInput struct {
_ struct { } ` type:"structure" `
// The encoded message that was returned with the response.
//
// EncodedMessage is a required field
EncodedMessage * string ` min:"1" type:"string" required:"true" `
}
// String returns the string representation
func ( s DecodeAuthorizationMessageInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s DecodeAuthorizationMessageInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * DecodeAuthorizationMessageInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "DecodeAuthorizationMessageInput" }
if s . EncodedMessage == nil {
invalidParams . Add ( request . NewErrParamRequired ( "EncodedMessage" ) )
}
if s . EncodedMessage != nil && len ( * s . EncodedMessage ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "EncodedMessage" , 1 ) )
}
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetEncodedMessage sets the EncodedMessage field's value.
func ( s * DecodeAuthorizationMessageInput ) SetEncodedMessage ( v string ) * DecodeAuthorizationMessageInput {
s . EncodedMessage = & v
return s
}
// A document that contains additional information about the authorization status
// of a request from an encoded message that is returned in response to an AWS
// request.
type DecodeAuthorizationMessageOutput struct {
_ struct { } ` type:"structure" `
// An XML document that contains the decoded message.
DecodedMessage * string ` type:"string" `
}
// String returns the string representation
func ( s DecodeAuthorizationMessageOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s DecodeAuthorizationMessageOutput ) GoString ( ) string {
return s . String ( )
}
// SetDecodedMessage sets the DecodedMessage field's value.
func ( s * DecodeAuthorizationMessageOutput ) SetDecodedMessage ( v string ) * DecodeAuthorizationMessageOutput {
s . DecodedMessage = & v
return s
}
// Identifiers for the federated user that is associated with the credentials.
type FederatedUser struct {
_ struct { } ` type:"structure" `
// The ARN that specifies the federated user that is associated with the credentials.
// For more information about ARNs and how to use them in policies, see IAM
2019-05-24 22:03:06 +00:00
// Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2017-11-22 20:39:52 +00:00
// in Using IAM.
//
// Arn is a required field
Arn * string ` min:"20" type:"string" required:"true" `
// The string that identifies the federated user associated with the credentials,
// similar to the unique ID of an IAM user.
//
// FederatedUserId is a required field
FederatedUserId * string ` min:"2" type:"string" required:"true" `
}
// String returns the string representation
func ( s FederatedUser ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s FederatedUser ) GoString ( ) string {
return s . String ( )
}
// SetArn sets the Arn field's value.
func ( s * FederatedUser ) SetArn ( v string ) * FederatedUser {
s . Arn = & v
return s
}
// SetFederatedUserId sets the FederatedUserId field's value.
func ( s * FederatedUser ) SetFederatedUserId ( v string ) * FederatedUser {
s . FederatedUserId = & v
return s
}
type GetCallerIdentityInput struct {
_ struct { } ` type:"structure" `
}
// String returns the string representation
func ( s GetCallerIdentityInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetCallerIdentityInput ) GoString ( ) string {
return s . String ( )
}
// Contains the response to a successful GetCallerIdentity request, including
// information about the entity making the request.
type GetCallerIdentityOutput struct {
_ struct { } ` type:"structure" `
// The AWS account ID number of the account that owns or contains the calling
// entity.
Account * string ` type:"string" `
// The AWS ARN associated with the calling entity.
Arn * string ` min:"20" type:"string" `
// The unique identifier of the calling entity. The exact value depends on the
2019-05-24 22:03:06 +00:00
// type of entity that is making the call. The values returned are those listed
// in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
2017-11-22 20:39:52 +00:00
// found on the Policy Variables reference page in the IAM User Guide.
UserId * string ` type:"string" `
}
// String returns the string representation
func ( s GetCallerIdentityOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetCallerIdentityOutput ) GoString ( ) string {
return s . String ( )
}
// SetAccount sets the Account field's value.
func ( s * GetCallerIdentityOutput ) SetAccount ( v string ) * GetCallerIdentityOutput {
s . Account = & v
return s
}
// SetArn sets the Arn field's value.
func ( s * GetCallerIdentityOutput ) SetArn ( v string ) * GetCallerIdentityOutput {
s . Arn = & v
return s
}
// SetUserId sets the UserId field's value.
func ( s * GetCallerIdentityOutput ) SetUserId ( v string ) * GetCallerIdentityOutput {
s . UserId = & v
return s
}
type GetFederationTokenInput struct {
_ struct { } ` type:"structure" `
// The duration, in seconds, that the session should last. Acceptable durations
2019-05-24 22:03:06 +00:00
// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
// using AWS account root user credentials are restricted to a maximum of 3,600
2017-11-22 20:39:52 +00:00
// seconds (one hour). If the specified duration is longer than one hour, the
2019-05-24 22:03:06 +00:00
// session obtained by using root user credentials defaults to one hour.
2017-11-22 20:39:52 +00:00
DurationSeconds * int64 ` min:"900" type:"integer" `
// The name of the federated user. The name is used as an identifier for the
// temporary security credentials (such as Bob). For example, you can reference
// the federated user name in a resource-based policy, such as in an Amazon
// S3 bucket policy.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@-
//
// Name is a required field
Name * string ` min:"2" type:"string" required:"true" `
2019-05-24 22:03:06 +00:00
// An IAM policy in JSON format that you want to use as an inline session policy.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies.
2017-11-22 20:39:52 +00:00
//
2019-05-24 22:03:06 +00:00
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions. The only exception
// is when the credentials are used to access a resource that has a resource-based
// policy that specifically references the federated user session in the Principal
// element of the policy.
//
// When you pass session policies, the session permissions are the intersection
// of the IAM user policies and the session policies that you pass. This gives
// you a way to further restrict the permissions for a federated user. You cannot
// use session policies to grant more permissions than those that are defined
// in the permissions policy of the IAM user. For more information, see Session
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// The plain text that you use for both inline and managed session policies
// shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
// character from the space character to the end of the valid character list
// (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
// and carriage return (\u000D) characters.
//
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
2017-11-22 20:39:52 +00:00
Policy * string ` min:"1" type:"string" `
2019-05-24 22:03:06 +00:00
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
// to use as a managed session policy. The policies must exist in the same account
// as the IAM user that is requesting federated access.
//
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to
// use as managed session policies. The plain text that you use for both inline
// and managed session policies shouldn't exceed 2048 characters. You can provide
// up to 10 managed policy ARNs. For more information about ARNs, see Amazon
// Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
// in the AWS General Reference.
//
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions. The only exception
// is when the credentials are used to access a resource that has a resource-based
// policy that specifically references the federated user session in the Principal
// element of the policy.
//
// When you pass session policies, the session permissions are the intersection
// of the IAM user policies and the session policies that you pass. This gives
// you a way to further restrict the permissions for a federated user. You cannot
// use session policies to grant more permissions than those that are defined
// in the permissions policy of the IAM user. For more information, see Session
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
//
// The characters in this parameter count towards the 2048 character session
// policy guideline. However, an AWS conversion compresses the session policies
// into a packed binary format that has a separate limit. This is the enforced
// limit. The PackedPolicySize response element indicates by percentage how
// close the policy is to the upper size limit.
PolicyArns [ ] * PolicyDescriptorType ` type:"list" `
2017-11-22 20:39:52 +00:00
}
// String returns the string representation
func ( s GetFederationTokenInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetFederationTokenInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * GetFederationTokenInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "GetFederationTokenInput" }
if s . DurationSeconds != nil && * s . DurationSeconds < 900 {
invalidParams . Add ( request . NewErrParamMinValue ( "DurationSeconds" , 900 ) )
}
if s . Name == nil {
invalidParams . Add ( request . NewErrParamRequired ( "Name" ) )
}
if s . Name != nil && len ( * s . Name ) < 2 {
invalidParams . Add ( request . NewErrParamMinLen ( "Name" , 2 ) )
}
if s . Policy != nil && len ( * s . Policy ) < 1 {
invalidParams . Add ( request . NewErrParamMinLen ( "Policy" , 1 ) )
}
2019-05-24 22:03:06 +00:00
if s . PolicyArns != nil {
for i , v := range s . PolicyArns {
if v == nil {
continue
}
if err := v . Validate ( ) ; err != nil {
invalidParams . AddNested ( fmt . Sprintf ( "%s[%v]" , "PolicyArns" , i ) , err . ( request . ErrInvalidParams ) )
}
}
}
2017-11-22 20:39:52 +00:00
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetDurationSeconds sets the DurationSeconds field's value.
func ( s * GetFederationTokenInput ) SetDurationSeconds ( v int64 ) * GetFederationTokenInput {
s . DurationSeconds = & v
return s
}
// SetName sets the Name field's value.
func ( s * GetFederationTokenInput ) SetName ( v string ) * GetFederationTokenInput {
s . Name = & v
return s
}
// SetPolicy sets the Policy field's value.
func ( s * GetFederationTokenInput ) SetPolicy ( v string ) * GetFederationTokenInput {
s . Policy = & v
return s
}
2019-05-24 22:03:06 +00:00
// SetPolicyArns sets the PolicyArns field's value.
func ( s * GetFederationTokenInput ) SetPolicyArns ( v [ ] * PolicyDescriptorType ) * GetFederationTokenInput {
s . PolicyArns = v
return s
}
2017-11-22 20:39:52 +00:00
// Contains the response to a successful GetFederationToken request, including
// temporary AWS credentials that can be used to make AWS requests.
type GetFederationTokenOutput struct {
_ struct { } ` type:"structure" `
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
2019-05-24 22:03:06 +00:00
// The size of the security token that STS API operations return is not fixed.
// We strongly recommend that you make no assumptions about the maximum size.
2017-11-22 20:39:52 +00:00
Credentials * Credentials ` type:"structure" `
// Identifiers for the federated user associated with the credentials (such
// as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
// can use the federated user's ARN in your resource-based policies, such as
// an Amazon S3 bucket policy.
FederatedUser * FederatedUser ` type:"structure" `
// A percentage value indicating the size of the policy in packed form. The
// service rejects policies for which the packed size is greater than 100 percent
// of the allowed value.
PackedPolicySize * int64 ` type:"integer" `
}
// String returns the string representation
func ( s GetFederationTokenOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetFederationTokenOutput ) GoString ( ) string {
return s . String ( )
}
// SetCredentials sets the Credentials field's value.
func ( s * GetFederationTokenOutput ) SetCredentials ( v * Credentials ) * GetFederationTokenOutput {
s . Credentials = v
return s
}
// SetFederatedUser sets the FederatedUser field's value.
func ( s * GetFederationTokenOutput ) SetFederatedUser ( v * FederatedUser ) * GetFederationTokenOutput {
s . FederatedUser = v
return s
}
// SetPackedPolicySize sets the PackedPolicySize field's value.
func ( s * GetFederationTokenOutput ) SetPackedPolicySize ( v int64 ) * GetFederationTokenOutput {
s . PackedPolicySize = & v
return s
}
type GetSessionTokenInput struct {
_ struct { } ` type:"structure" `
// The duration, in seconds, that the credentials should remain valid. Acceptable
2019-05-24 22:03:06 +00:00
// durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600
// seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions
// for AWS account owners are restricted to a maximum of 3,600 seconds (one
// hour). If the duration is longer than one hour, the session for AWS account
// owners defaults to one hour.
2017-11-22 20:39:52 +00:00
DurationSeconds * int64 ` min:"900" type:"integer" `
// The identification number of the MFA device that is associated with the IAM
// user who is making the GetSessionToken call. Specify this value if the IAM
// user has a policy that requires MFA authentication. The value is either the
// serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
// Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
// You can find the device for an IAM user by going to the AWS Management Console
// and viewing the user's security credentials.
//
2019-05-24 22:03:06 +00:00
// The regex used to validate this parameter is a string of characters consisting
2017-11-22 20:39:52 +00:00
// of upper- and lower-case alphanumeric characters with no spaces. You can
// also include underscores or any of the following characters: =,.@:/-
SerialNumber * string ` min:"9" type:"string" `
// The value provided by the MFA device, if MFA is required. If any policy requires
// the IAM user to submit an MFA code, specify this value. If MFA authentication
2019-05-24 22:03:06 +00:00
// is required, the user must provide a code when requesting a set of temporary
// security credentials. A user who fails to provide the code receives an "access
// denied" response when requesting resources that require MFA authentication.
2017-11-22 20:39:52 +00:00
//
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode * string ` min:"6" type:"string" `
}
// String returns the string representation
func ( s GetSessionTokenInput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetSessionTokenInput ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * GetSessionTokenInput ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "GetSessionTokenInput" }
if s . DurationSeconds != nil && * s . DurationSeconds < 900 {
invalidParams . Add ( request . NewErrParamMinValue ( "DurationSeconds" , 900 ) )
}
if s . SerialNumber != nil && len ( * s . SerialNumber ) < 9 {
invalidParams . Add ( request . NewErrParamMinLen ( "SerialNumber" , 9 ) )
}
if s . TokenCode != nil && len ( * s . TokenCode ) < 6 {
invalidParams . Add ( request . NewErrParamMinLen ( "TokenCode" , 6 ) )
}
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetDurationSeconds sets the DurationSeconds field's value.
func ( s * GetSessionTokenInput ) SetDurationSeconds ( v int64 ) * GetSessionTokenInput {
s . DurationSeconds = & v
return s
}
// SetSerialNumber sets the SerialNumber field's value.
func ( s * GetSessionTokenInput ) SetSerialNumber ( v string ) * GetSessionTokenInput {
s . SerialNumber = & v
return s
}
// SetTokenCode sets the TokenCode field's value.
func ( s * GetSessionTokenInput ) SetTokenCode ( v string ) * GetSessionTokenInput {
s . TokenCode = & v
return s
}
// Contains the response to a successful GetSessionToken request, including
// temporary AWS credentials that can be used to make AWS requests.
type GetSessionTokenOutput struct {
_ struct { } ` type:"structure" `
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
2019-05-24 22:03:06 +00:00
// The size of the security token that STS API operations return is not fixed.
// We strongly recommend that you make no assumptions about the maximum size.
2017-11-22 20:39:52 +00:00
Credentials * Credentials ` type:"structure" `
}
// String returns the string representation
func ( s GetSessionTokenOutput ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s GetSessionTokenOutput ) GoString ( ) string {
return s . String ( )
}
// SetCredentials sets the Credentials field's value.
func ( s * GetSessionTokenOutput ) SetCredentials ( v * Credentials ) * GetSessionTokenOutput {
s . Credentials = v
return s
}
2019-05-24 22:03:06 +00:00
// A reference to the IAM managed policy that is passed as a session policy
// for a role session or a federated user session.
type PolicyDescriptorType struct {
_ struct { } ` type:"structure" `
// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
// policy for the role. For more information about ARNs, see Amazon Resource
// Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
// in the AWS General Reference.
Arn * string ` locationName:"arn" min:"20" type:"string" `
}
// String returns the string representation
func ( s PolicyDescriptorType ) String ( ) string {
return awsutil . Prettify ( s )
}
// GoString returns the string representation
func ( s PolicyDescriptorType ) GoString ( ) string {
return s . String ( )
}
// Validate inspects the fields of the type to determine if they are valid.
func ( s * PolicyDescriptorType ) Validate ( ) error {
invalidParams := request . ErrInvalidParams { Context : "PolicyDescriptorType" }
if s . Arn != nil && len ( * s . Arn ) < 20 {
invalidParams . Add ( request . NewErrParamMinLen ( "Arn" , 20 ) )
}
if invalidParams . Len ( ) > 0 {
return invalidParams
}
return nil
}
// SetArn sets the Arn field's value.
func ( s * PolicyDescriptorType ) SetArn ( v string ) * PolicyDescriptorType {
s . Arn = & v
return s
}