github.com/aavshr/aws-sdk-go@v1.41.3/service/sts/api.go (about) 1 // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "fmt" 7 "time" 8 9 "github.com/aavshr/aws-sdk-go/aws" 10 "github.com/aavshr/aws-sdk-go/aws/awsutil" 11 "github.com/aavshr/aws-sdk-go/aws/credentials" 12 "github.com/aavshr/aws-sdk-go/aws/request" 13 ) 14 15 const opAssumeRole = "AssumeRole" 16 17 // AssumeRoleRequest generates a "aws/request.Request" representing the 18 // client's request for the AssumeRole operation. The "output" return 19 // value will be populated with the request's response once the request completes 20 // successfully. 21 // 22 // Use "Send" method on the returned Request to send the API call to the service. 23 // the "output" return value is not valid until after Send returns without error. 24 // 25 // See AssumeRole for more information on using the AssumeRole 26 // API call, and error handling. 27 // 28 // This method is useful when you want to inject custom logic or configuration 29 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 30 // 31 // 32 // // Example sending a request using the AssumeRoleRequest method. 33 // req, resp := client.AssumeRoleRequest(params) 34 // 35 // err := req.Send() 36 // if err == nil { // resp is now filled 37 // fmt.Println(resp) 38 // } 39 // 40 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole 41 func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { 42 op := &request.Operation{ 43 Name: opAssumeRole, 44 HTTPMethod: "POST", 45 HTTPPath: "/", 46 } 47 48 if input == nil { 49 input = &AssumeRoleInput{} 50 } 51 52 output = &AssumeRoleOutput{} 53 req = c.newRequest(op, input, output) 54 return 55 } 56 57 // AssumeRole API operation for AWS Security Token Service. 58 // 59 // Returns a set of temporary security credentials that you can use to access 60 // Amazon Web Services resources that you might not normally have access to. 61 // These temporary credentials consist of an access key ID, a secret access 62 // key, and a security token. Typically, you use AssumeRole within your account 63 // or for cross-account access. For a comparison of AssumeRole with other API 64 // operations that produce temporary credentials, see Requesting Temporary Security 65 // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 66 // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 67 // in the IAM User Guide. 68 // 69 // Permissions 70 // 71 // The temporary security credentials created by AssumeRole can be used to make 72 // API calls to any Amazon Web Services service with the following exception: 73 // You cannot call the STS GetFederationToken or GetSessionToken API operations. 74 // 75 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 76 // to this operation. You can pass a single JSON policy document to use as an 77 // inline session policy. You can also specify up to 10 managed policies to 78 // use as managed session policies. The plaintext that you use for both inline 79 // and managed session policies can't exceed 2,048 characters. Passing policies 80 // to this operation returns new temporary credentials. The resulting session's 81 // permissions are the intersection of the role's identity-based policy and 82 // the session policies. You can use the role's temporary credentials in subsequent 83 // Amazon Web Services API calls to access resources in the account that owns 84 // the role. You cannot use session policies to grant more permissions than 85 // those allowed by the identity-based policy of the role that is being assumed. 86 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 87 // in the IAM User Guide. 88 // 89 // To assume a role from a different account, your account must be trusted by 90 // the role. The trust relationship is defined in the role's trust policy when 91 // the role is created. That trust policy states which accounts are allowed 92 // to delegate that access to users in the account. 93 // 94 // A user who wants to access a role in a different account must also have permissions 95 // that are delegated from the user account administrator. The administrator 96 // must attach a policy that allows the user to call AssumeRole for the ARN 97 // of the role in the other account. If the user is in the same account as the 98 // role, then you can do either of the following: 99 // 100 // * Attach a policy to the user (identical to the previous user in a different 101 // account). 102 // 103 // * Add the user as a principal directly in the role's trust policy. 104 // 105 // In this case, the trust policy acts as an IAM resource-based policy. Users 106 // in the same account as the role do not need explicit permission to assume 107 // the role. For more information about trust policies and resource-based policies, 108 // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) 109 // in the IAM User Guide. 110 // 111 // Tags 112 // 113 // (Optional) You can pass tag key-value pairs to your session. These tags are 114 // called session tags. For more information about session tags, see Passing 115 // Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 116 // in the IAM User Guide. 117 // 118 // An administrator must grant you the permissions necessary to pass session 119 // tags. The administrator can also create granular permissions to allow you 120 // to pass only specific session tags. For more information, see Tutorial: Using 121 // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 122 // in the IAM User Guide. 123 // 124 // You can set the session tags as transitive. Transitive tags persist during 125 // role chaining. For more information, see Chaining Roles with Session Tags 126 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 127 // in the IAM User Guide. 128 // 129 // Using MFA with AssumeRole 130 // 131 // (Optional) You can include multi-factor authentication (MFA) information 132 // when you call AssumeRole. This is useful for cross-account scenarios to ensure 133 // that the user that assumes the role has been authenticated with an Amazon 134 // Web Services MFA device. In that scenario, the trust policy of the role being 135 // assumed includes a condition that tests for MFA authentication. If the caller 136 // does not include valid MFA information, the request to assume the role is 137 // denied. The condition in a trust policy that tests for MFA authentication 138 // might look like the following example. 139 // 140 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} 141 // 142 // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) 143 // in the IAM User Guide guide. 144 // 145 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode 146 // parameters. The SerialNumber value identifies the user's hardware or virtual 147 // MFA device. The TokenCode is the time-based one-time password (TOTP) that 148 // the MFA device produces. 149 // 150 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 151 // with awserr.Error's Code and Message methods to get detailed information about 152 // the error. 153 // 154 // See the AWS API reference guide for AWS Security Token Service's 155 // API operation AssumeRole for usage and error information. 156 // 157 // Returned Error Codes: 158 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 159 // The request was rejected because the policy document was malformed. The error 160 // message describes the specific error. 161 // 162 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 163 // The request was rejected because the total packed size of the session policies 164 // and session tags combined was too large. An Amazon Web Services conversion 165 // compresses the session policy document, session policy ARNs, and session 166 // tags into a packed binary format that has a separate limit. The error message 167 // indicates by percentage how close the policies and tags are to the upper 168 // size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 169 // in the IAM User Guide. 170 // 171 // You could receive this error even though you meet other defined session policy 172 // and session tag limits. For more information, see IAM and STS Entity Character 173 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 174 // in the IAM User Guide. 175 // 176 // * ErrCodeRegionDisabledException "RegionDisabledException" 177 // STS is not activated in the requested region for the account that is being 178 // asked to generate credentials. The account administrator must use the IAM 179 // console to activate STS in that region. For more information, see Activating 180 // and Deactivating Amazon Web Services STS in an Amazon Web Services Region 181 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 182 // in the IAM User Guide. 183 // 184 // * ErrCodeExpiredTokenException "ExpiredTokenException" 185 // The web identity token that was passed is expired or is not valid. Get a 186 // new identity token from the identity provider and then retry the request. 187 // 188 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole 189 func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { 190 req, out := c.AssumeRoleRequest(input) 191 return out, req.Send() 192 } 193 194 // AssumeRoleWithContext is the same as AssumeRole with the addition of 195 // the ability to pass a context and additional request options. 196 // 197 // See AssumeRole for details on how to use this API operation. 198 // 199 // The context must be non-nil and will be used for request cancellation. If 200 // the context is nil a panic will occur. In the future the SDK may create 201 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 202 // for more information on using Contexts. 203 func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { 204 req, out := c.AssumeRoleRequest(input) 205 req.SetContext(ctx) 206 req.ApplyOptions(opts...) 207 return out, req.Send() 208 } 209 210 const opAssumeRoleWithSAML = "AssumeRoleWithSAML" 211 212 // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the 213 // client's request for the AssumeRoleWithSAML operation. The "output" return 214 // value will be populated with the request's response once the request completes 215 // successfully. 216 // 217 // Use "Send" method on the returned Request to send the API call to the service. 218 // the "output" return value is not valid until after Send returns without error. 219 // 220 // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML 221 // API call, and error handling. 222 // 223 // This method is useful when you want to inject custom logic or configuration 224 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 225 // 226 // 227 // // Example sending a request using the AssumeRoleWithSAMLRequest method. 228 // req, resp := client.AssumeRoleWithSAMLRequest(params) 229 // 230 // err := req.Send() 231 // if err == nil { // resp is now filled 232 // fmt.Println(resp) 233 // } 234 // 235 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML 236 func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { 237 op := &request.Operation{ 238 Name: opAssumeRoleWithSAML, 239 HTTPMethod: "POST", 240 HTTPPath: "/", 241 } 242 243 if input == nil { 244 input = &AssumeRoleWithSAMLInput{} 245 } 246 247 output = &AssumeRoleWithSAMLOutput{} 248 req = c.newRequest(op, input, output) 249 req.Config.Credentials = credentials.AnonymousCredentials 250 return 251 } 252 253 // AssumeRoleWithSAML API operation for AWS Security Token Service. 254 // 255 // Returns a set of temporary security credentials for users who have been authenticated 256 // via a SAML authentication response. This operation provides a mechanism for 257 // tying an enterprise identity store or directory to role-based Amazon Web 258 // Services access without user-specific credentials or configuration. For a 259 // comparison of AssumeRoleWithSAML with the other API operations that produce 260 // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 261 // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 262 // in the IAM User Guide. 263 // 264 // The temporary security credentials returned by this operation consist of 265 // an access key ID, a secret access key, and a security token. Applications 266 // can use these temporary security credentials to sign calls to Amazon Web 267 // Services services. 268 // 269 // Session Duration 270 // 271 // By default, the temporary security credentials created by AssumeRoleWithSAML 272 // last for one hour. However, you can use the optional DurationSeconds parameter 273 // to specify the duration of your session. Your role session lasts for the 274 // duration that you specify, or until the time specified in the SAML authentication 275 // response's SessionNotOnOrAfter value, whichever is shorter. You can provide 276 // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session 277 // duration setting for the role. This setting can have a value from 1 hour 278 // to 12 hours. To learn how to view the maximum value for your role, see View 279 // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 280 // in the IAM User Guide. The maximum session duration limit applies when you 281 // use the AssumeRole* API operations or the assume-role* CLI commands. However 282 // the limit does not apply when you use those operations to create a console 283 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) 284 // in the IAM User Guide. 285 // 286 // Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) 287 // limits your CLI or Amazon Web Services API role session to a maximum of one 288 // hour. When you use the AssumeRole API operation to assume a role, you can 289 // specify the duration of your role session with the DurationSeconds parameter. 290 // You can specify a parameter value of up to 43200 seconds (12 hours), depending 291 // on the maximum session duration setting for your role. However, if you assume 292 // a role using role chaining and provide a DurationSeconds parameter value 293 // greater than one hour, the operation fails. 294 // 295 // Permissions 296 // 297 // The temporary security credentials created by AssumeRoleWithSAML can be used 298 // to make API calls to any Amazon Web Services service with the following exception: 299 // you cannot call the STS GetFederationToken or GetSessionToken API operations. 300 // 301 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 302 // to this operation. You can pass a single JSON policy document to use as an 303 // inline session policy. You can also specify up to 10 managed policies to 304 // use as managed session policies. The plaintext that you use for both inline 305 // and managed session policies can't exceed 2,048 characters. Passing policies 306 // to this operation returns new temporary credentials. The resulting session's 307 // permissions are the intersection of the role's identity-based policy and 308 // the session policies. You can use the role's temporary credentials in subsequent 309 // Amazon Web Services API calls to access resources in the account that owns 310 // the role. You cannot use session policies to grant more permissions than 311 // those allowed by the identity-based policy of the role that is being assumed. 312 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 313 // in the IAM User Guide. 314 // 315 // Calling AssumeRoleWithSAML does not require the use of Amazon Web Services 316 // security credentials. The identity of the caller is validated by using keys 317 // in the metadata document that is uploaded for the SAML provider entity for 318 // your identity provider. 319 // 320 // Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. 321 // The entry includes the value in the NameID element of the SAML assertion. 322 // We recommend that you use a NameIDType that is not associated with any personally 323 // identifiable information (PII). For example, you could instead use the persistent 324 // identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). 325 // 326 // Tags 327 // 328 // (Optional) You can configure your IdP to pass attributes into your SAML assertion 329 // as session tags. Each session tag consists of a key name and an associated 330 // value. For more information about session tags, see Passing Session Tags 331 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 332 // in the IAM User Guide. 333 // 334 // You can pass up to 50 session tags. The plaintext session tag keys can’t 335 // exceed 128 characters and the values can’t exceed 256 characters. For these 336 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 337 // in the IAM User Guide. 338 // 339 // An Amazon Web Services conversion compresses the passed session policies 340 // and session tags into a packed binary format that has a separate limit. Your 341 // request can fail for this limit even if your plaintext meets the other requirements. 342 // The PackedPolicySize response element indicates by percentage how close the 343 // policies and tags for your request are to the upper size limit. 344 // 345 // You can pass a session tag with the same key as a tag that is attached to 346 // the role. When you do, session tags override the role's tags with the same 347 // key. 348 // 349 // An administrator must grant you the permissions necessary to pass session 350 // tags. The administrator can also create granular permissions to allow you 351 // to pass only specific session tags. For more information, see Tutorial: Using 352 // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 353 // in the IAM User Guide. 354 // 355 // You can set the session tags as transitive. Transitive tags persist during 356 // role chaining. For more information, see Chaining Roles with Session Tags 357 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 358 // in the IAM User Guide. 359 // 360 // SAML Configuration 361 // 362 // Before your application can call AssumeRoleWithSAML, you must configure your 363 // SAML identity provider (IdP) to issue the claims required by Amazon Web Services. 364 // Additionally, you must use Identity and Access Management (IAM) to create 365 // a SAML provider entity in your Amazon Web Services account that represents 366 // your identity provider. You must also create an IAM role that specifies this 367 // SAML provider in its trust policy. 368 // 369 // For more information, see the following resources: 370 // 371 // * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) 372 // in the IAM User Guide. 373 // 374 // * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) 375 // in the IAM User Guide. 376 // 377 // * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) 378 // in the IAM User Guide. 379 // 380 // * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) 381 // in the IAM User Guide. 382 // 383 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 384 // with awserr.Error's Code and Message methods to get detailed information about 385 // the error. 386 // 387 // See the AWS API reference guide for AWS Security Token Service's 388 // API operation AssumeRoleWithSAML for usage and error information. 389 // 390 // Returned Error Codes: 391 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 392 // The request was rejected because the policy document was malformed. The error 393 // message describes the specific error. 394 // 395 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 396 // The request was rejected because the total packed size of the session policies 397 // and session tags combined was too large. An Amazon Web Services conversion 398 // compresses the session policy document, session policy ARNs, and session 399 // tags into a packed binary format that has a separate limit. The error message 400 // indicates by percentage how close the policies and tags are to the upper 401 // size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 402 // in the IAM User Guide. 403 // 404 // You could receive this error even though you meet other defined session policy 405 // and session tag limits. For more information, see IAM and STS Entity Character 406 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 407 // in the IAM User Guide. 408 // 409 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" 410 // The identity provider (IdP) reported that authentication failed. This might 411 // be because the claim is invalid. 412 // 413 // If this error is returned for the AssumeRoleWithWebIdentity operation, it 414 // can also mean that the claim has expired or has been explicitly revoked. 415 // 416 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" 417 // The web identity token that was passed could not be validated by Amazon Web 418 // Services. Get a new identity token from the identity provider and then retry 419 // the request. 420 // 421 // * ErrCodeExpiredTokenException "ExpiredTokenException" 422 // The web identity token that was passed is expired or is not valid. Get a 423 // new identity token from the identity provider and then retry the request. 424 // 425 // * ErrCodeRegionDisabledException "RegionDisabledException" 426 // STS is not activated in the requested region for the account that is being 427 // asked to generate credentials. The account administrator must use the IAM 428 // console to activate STS in that region. For more information, see Activating 429 // and Deactivating Amazon Web Services STS in an Amazon Web Services Region 430 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 431 // in the IAM User Guide. 432 // 433 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML 434 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { 435 req, out := c.AssumeRoleWithSAMLRequest(input) 436 return out, req.Send() 437 } 438 439 // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of 440 // the ability to pass a context and additional request options. 441 // 442 // See AssumeRoleWithSAML for details on how to use this API operation. 443 // 444 // The context must be non-nil and will be used for request cancellation. If 445 // the context is nil a panic will occur. In the future the SDK may create 446 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 447 // for more information on using Contexts. 448 func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { 449 req, out := c.AssumeRoleWithSAMLRequest(input) 450 req.SetContext(ctx) 451 req.ApplyOptions(opts...) 452 return out, req.Send() 453 } 454 455 const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" 456 457 // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the 458 // client's request for the AssumeRoleWithWebIdentity operation. The "output" return 459 // value will be populated with the request's response once the request completes 460 // successfully. 461 // 462 // Use "Send" method on the returned Request to send the API call to the service. 463 // the "output" return value is not valid until after Send returns without error. 464 // 465 // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity 466 // API call, and error handling. 467 // 468 // This method is useful when you want to inject custom logic or configuration 469 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 470 // 471 // 472 // // Example sending a request using the AssumeRoleWithWebIdentityRequest method. 473 // req, resp := client.AssumeRoleWithWebIdentityRequest(params) 474 // 475 // err := req.Send() 476 // if err == nil { // resp is now filled 477 // fmt.Println(resp) 478 // } 479 // 480 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity 481 func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { 482 op := &request.Operation{ 483 Name: opAssumeRoleWithWebIdentity, 484 HTTPMethod: "POST", 485 HTTPPath: "/", 486 } 487 488 if input == nil { 489 input = &AssumeRoleWithWebIdentityInput{} 490 } 491 492 output = &AssumeRoleWithWebIdentityOutput{} 493 req = c.newRequest(op, input, output) 494 req.Config.Credentials = credentials.AnonymousCredentials 495 return 496 } 497 498 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. 499 // 500 // Returns a set of temporary security credentials for users who have been authenticated 501 // in a mobile or web application with a web identity provider. Example providers 502 // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID 503 // Connect-compatible identity provider. 504 // 505 // For mobile applications, we recommend that you use Amazon Cognito. You can 506 // use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide 507 // (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android 508 // Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify 509 // a user. You can also supply the user with a consistent identity throughout 510 // the lifetime of an application. 511 // 512 // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) 513 // in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito 514 // Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) 515 // in the Amazon Web Services SDK for iOS Developer Guide. 516 // 517 // Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web 518 // Services security credentials. Therefore, you can distribute an application 519 // (for example, on mobile devices) that requests temporary security credentials 520 // without including long-term Amazon Web Services credentials in the application. 521 // You also don't need to deploy server-based proxy services that use long-term 522 // Amazon Web Services credentials. Instead, the identity of the caller is validated 523 // by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity 524 // with the other API operations that produce temporary credentials, see Requesting 525 // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 526 // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 527 // in the IAM User Guide. 528 // 529 // The temporary security credentials returned by this API consist of an access 530 // key ID, a secret access key, and a security token. Applications can use these 531 // temporary security credentials to sign calls to Amazon Web Services service 532 // API operations. 533 // 534 // Session Duration 535 // 536 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity 537 // last for one hour. However, you can use the optional DurationSeconds parameter 538 // to specify the duration of your session. You can provide a value from 900 539 // seconds (15 minutes) up to the maximum session duration setting for the role. 540 // This setting can have a value from 1 hour to 12 hours. To learn how to view 541 // the maximum value for your role, see View the Maximum Session Duration Setting 542 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 543 // in the IAM User Guide. The maximum session duration limit applies when you 544 // use the AssumeRole* API operations or the assume-role* CLI commands. However 545 // the limit does not apply when you use those operations to create a console 546 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) 547 // in the IAM User Guide. 548 // 549 // Permissions 550 // 551 // The temporary security credentials created by AssumeRoleWithWebIdentity can 552 // be used to make API calls to any Amazon Web Services service with the following 553 // exception: you cannot call the STS GetFederationToken or GetSessionToken 554 // API operations. 555 // 556 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 557 // to this operation. You can pass a single JSON policy document to use as an 558 // inline session policy. You can also specify up to 10 managed policies to 559 // use as managed session policies. The plaintext that you use for both inline 560 // and managed session policies can't exceed 2,048 characters. Passing policies 561 // to this operation returns new temporary credentials. The resulting session's 562 // permissions are the intersection of the role's identity-based policy and 563 // the session policies. You can use the role's temporary credentials in subsequent 564 // Amazon Web Services API calls to access resources in the account that owns 565 // the role. You cannot use session policies to grant more permissions than 566 // those allowed by the identity-based policy of the role that is being assumed. 567 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 568 // in the IAM User Guide. 569 // 570 // Tags 571 // 572 // (Optional) You can configure your IdP to pass attributes into your web identity 573 // token as session tags. Each session tag consists of a key name and an associated 574 // value. For more information about session tags, see Passing Session Tags 575 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 576 // in the IAM User Guide. 577 // 578 // You can pass up to 50 session tags. The plaintext session tag keys can’t 579 // exceed 128 characters and the values can’t exceed 256 characters. For these 580 // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 581 // in the IAM User Guide. 582 // 583 // An Amazon Web Services conversion compresses the passed session policies 584 // and session tags into a packed binary format that has a separate limit. Your 585 // request can fail for this limit even if your plaintext meets the other requirements. 586 // The PackedPolicySize response element indicates by percentage how close the 587 // policies and tags for your request are to the upper size limit. 588 // 589 // You can pass a session tag with the same key as a tag that is attached to 590 // the role. When you do, the session tag overrides the role tag with the same 591 // key. 592 // 593 // An administrator must grant you the permissions necessary to pass session 594 // tags. The administrator can also create granular permissions to allow you 595 // to pass only specific session tags. For more information, see Tutorial: Using 596 // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 597 // in the IAM User Guide. 598 // 599 // You can set the session tags as transitive. Transitive tags persist during 600 // role chaining. For more information, see Chaining Roles with Session Tags 601 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 602 // in the IAM User Guide. 603 // 604 // Identities 605 // 606 // Before your application can call AssumeRoleWithWebIdentity, you must have 607 // an identity token from a supported identity provider and create a role that 608 // the application can assume. The role that your application assumes must trust 609 // the identity provider that is associated with the identity token. In other 610 // words, the identity provider must be specified in the role's trust policy. 611 // 612 // Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail 613 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) 614 // of the provided web identity token. We recommend that you avoid using any 615 // personally identifiable information (PII) in this field. For example, you 616 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC 617 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). 618 // 619 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity 620 // API, see the following resources: 621 // 622 // * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) 623 // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). 624 // 625 // * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/). 626 // Walk through the process of authenticating through Login with Amazon, 627 // Facebook, or Google, getting temporary security credentials, and then 628 // using those credentials to make a request to Amazon Web Services. 629 // 630 // * Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) 631 // and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). 632 // These toolkits contain sample apps that show how to invoke the identity 633 // providers. The toolkits then show how to use the information from these 634 // providers to get and use temporary security credentials. 635 // 636 // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). 637 // This article discusses web identity federation and shows an example of 638 // how to use web identity federation to get access to content in Amazon 639 // S3. 640 // 641 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 642 // with awserr.Error's Code and Message methods to get detailed information about 643 // the error. 644 // 645 // See the AWS API reference guide for AWS Security Token Service's 646 // API operation AssumeRoleWithWebIdentity for usage and error information. 647 // 648 // Returned Error Codes: 649 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 650 // The request was rejected because the policy document was malformed. The error 651 // message describes the specific error. 652 // 653 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 654 // The request was rejected because the total packed size of the session policies 655 // and session tags combined was too large. An Amazon Web Services conversion 656 // compresses the session policy document, session policy ARNs, and session 657 // tags into a packed binary format that has a separate limit. The error message 658 // indicates by percentage how close the policies and tags are to the upper 659 // size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 660 // in the IAM User Guide. 661 // 662 // You could receive this error even though you meet other defined session policy 663 // and session tag limits. For more information, see IAM and STS Entity Character 664 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 665 // in the IAM User Guide. 666 // 667 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" 668 // The identity provider (IdP) reported that authentication failed. This might 669 // be because the claim is invalid. 670 // 671 // If this error is returned for the AssumeRoleWithWebIdentity operation, it 672 // can also mean that the claim has expired or has been explicitly revoked. 673 // 674 // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" 675 // The request could not be fulfilled because the identity provider (IDP) that 676 // was asked to verify the incoming identity token could not be reached. This 677 // is often a transient error caused by network conditions. Retry the request 678 // a limited number of times so that you don't exceed the request rate. If the 679 // error persists, the identity provider might be down or not responding. 680 // 681 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" 682 // The web identity token that was passed could not be validated by Amazon Web 683 // Services. Get a new identity token from the identity provider and then retry 684 // the request. 685 // 686 // * ErrCodeExpiredTokenException "ExpiredTokenException" 687 // The web identity token that was passed is expired or is not valid. Get a 688 // new identity token from the identity provider and then retry the request. 689 // 690 // * ErrCodeRegionDisabledException "RegionDisabledException" 691 // STS is not activated in the requested region for the account that is being 692 // asked to generate credentials. The account administrator must use the IAM 693 // console to activate STS in that region. For more information, see Activating 694 // and Deactivating Amazon Web Services STS in an Amazon Web Services Region 695 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 696 // in the IAM User Guide. 697 // 698 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity 699 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { 700 req, out := c.AssumeRoleWithWebIdentityRequest(input) 701 return out, req.Send() 702 } 703 704 // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of 705 // the ability to pass a context and additional request options. 706 // 707 // See AssumeRoleWithWebIdentity for details on how to use this API operation. 708 // 709 // The context must be non-nil and will be used for request cancellation. If 710 // the context is nil a panic will occur. In the future the SDK may create 711 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 712 // for more information on using Contexts. 713 func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { 714 req, out := c.AssumeRoleWithWebIdentityRequest(input) 715 req.SetContext(ctx) 716 req.ApplyOptions(opts...) 717 return out, req.Send() 718 } 719 720 const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" 721 722 // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the 723 // client's request for the DecodeAuthorizationMessage operation. The "output" return 724 // value will be populated with the request's response once the request completes 725 // successfully. 726 // 727 // Use "Send" method on the returned Request to send the API call to the service. 728 // the "output" return value is not valid until after Send returns without error. 729 // 730 // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage 731 // API call, and error handling. 732 // 733 // This method is useful when you want to inject custom logic or configuration 734 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 735 // 736 // 737 // // Example sending a request using the DecodeAuthorizationMessageRequest method. 738 // req, resp := client.DecodeAuthorizationMessageRequest(params) 739 // 740 // err := req.Send() 741 // if err == nil { // resp is now filled 742 // fmt.Println(resp) 743 // } 744 // 745 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage 746 func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { 747 op := &request.Operation{ 748 Name: opDecodeAuthorizationMessage, 749 HTTPMethod: "POST", 750 HTTPPath: "/", 751 } 752 753 if input == nil { 754 input = &DecodeAuthorizationMessageInput{} 755 } 756 757 output = &DecodeAuthorizationMessageOutput{} 758 req = c.newRequest(op, input, output) 759 return 760 } 761 762 // DecodeAuthorizationMessage API operation for AWS Security Token Service. 763 // 764 // Decodes additional information about the authorization status of a request 765 // from an encoded message returned in response to an Amazon Web Services request. 766 // 767 // For example, if a user is not authorized to perform an operation that he 768 // or she has requested, the request returns a Client.UnauthorizedOperation 769 // response (an HTTP 403 response). Some Amazon Web Services operations additionally 770 // return an encoded message that can provide details about this authorization 771 // failure. 772 // 773 // Only certain Amazon Web Services operations return an encoded authorization 774 // message. The documentation for an individual operation indicates whether 775 // that operation returns an encoded message in addition to returning an HTTP 776 // code. 777 // 778 // The message is encoded because the details of the authorization status can 779 // constitute privileged information that the user who requested the operation 780 // should not see. To decode an authorization status message, a user must be 781 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage 782 // (sts:DecodeAuthorizationMessage) action. 783 // 784 // The decoded message includes the following type of information: 785 // 786 // * Whether the request was denied due to an explicit deny or due to the 787 // absence of an explicit allow. For more information, see Determining Whether 788 // a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) 789 // in the IAM User Guide. 790 // 791 // * The principal who made the request. 792 // 793 // * The requested action. 794 // 795 // * The requested resource. 796 // 797 // * The values of condition keys in the context of the user's request. 798 // 799 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 800 // with awserr.Error's Code and Message methods to get detailed information about 801 // the error. 802 // 803 // See the AWS API reference guide for AWS Security Token Service's 804 // API operation DecodeAuthorizationMessage for usage and error information. 805 // 806 // Returned Error Codes: 807 // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" 808 // The error returned if the message passed to DecodeAuthorizationMessage was 809 // invalid. This can happen if the token contains invalid characters, such as 810 // linebreaks. 811 // 812 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage 813 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { 814 req, out := c.DecodeAuthorizationMessageRequest(input) 815 return out, req.Send() 816 } 817 818 // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of 819 // the ability to pass a context and additional request options. 820 // 821 // See DecodeAuthorizationMessage for details on how to use this API operation. 822 // 823 // The context must be non-nil and will be used for request cancellation. If 824 // the context is nil a panic will occur. In the future the SDK may create 825 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 826 // for more information on using Contexts. 827 func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { 828 req, out := c.DecodeAuthorizationMessageRequest(input) 829 req.SetContext(ctx) 830 req.ApplyOptions(opts...) 831 return out, req.Send() 832 } 833 834 const opGetAccessKeyInfo = "GetAccessKeyInfo" 835 836 // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the 837 // client's request for the GetAccessKeyInfo operation. The "output" return 838 // value will be populated with the request's response once the request completes 839 // successfully. 840 // 841 // Use "Send" method on the returned Request to send the API call to the service. 842 // the "output" return value is not valid until after Send returns without error. 843 // 844 // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo 845 // API call, and error handling. 846 // 847 // This method is useful when you want to inject custom logic or configuration 848 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 849 // 850 // 851 // // Example sending a request using the GetAccessKeyInfoRequest method. 852 // req, resp := client.GetAccessKeyInfoRequest(params) 853 // 854 // err := req.Send() 855 // if err == nil { // resp is now filled 856 // fmt.Println(resp) 857 // } 858 // 859 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo 860 func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { 861 op := &request.Operation{ 862 Name: opGetAccessKeyInfo, 863 HTTPMethod: "POST", 864 HTTPPath: "/", 865 } 866 867 if input == nil { 868 input = &GetAccessKeyInfoInput{} 869 } 870 871 output = &GetAccessKeyInfoOutput{} 872 req = c.newRequest(op, input, output) 873 return 874 } 875 876 // GetAccessKeyInfo API operation for AWS Security Token Service. 877 // 878 // Returns the account identifier for the specified access key ID. 879 // 880 // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) 881 // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). 882 // For more information about access keys, see Managing Access Keys for IAM 883 // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) 884 // in the IAM User Guide. 885 // 886 // When you pass an access key ID to this operation, it returns the ID of the 887 // Amazon Web Services account to which the keys belong. Access key IDs beginning 888 // with AKIA are long-term credentials for an IAM user or the Amazon Web Services 889 // account root user. Access key IDs beginning with ASIA are temporary credentials 890 // that are created using STS operations. If the account in the response belongs 891 // to you, you can sign in as the root user and review your root user access 892 // keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) 893 // to learn which IAM user owns the keys. To learn who requested the temporary 894 // credentials for an ASIA access key, view the STS events in your CloudTrail 895 // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) 896 // in the IAM User Guide. 897 // 898 // This operation does not indicate the state of the access key. The key might 899 // be active, inactive, or deleted. Active keys might not have permissions to 900 // perform an operation. Providing a deleted access key might return an error 901 // that the key doesn't exist. 902 // 903 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 904 // with awserr.Error's Code and Message methods to get detailed information about 905 // the error. 906 // 907 // See the AWS API reference guide for AWS Security Token Service's 908 // API operation GetAccessKeyInfo for usage and error information. 909 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo 910 func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { 911 req, out := c.GetAccessKeyInfoRequest(input) 912 return out, req.Send() 913 } 914 915 // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of 916 // the ability to pass a context and additional request options. 917 // 918 // See GetAccessKeyInfo for details on how to use this API operation. 919 // 920 // The context must be non-nil and will be used for request cancellation. If 921 // the context is nil a panic will occur. In the future the SDK may create 922 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 923 // for more information on using Contexts. 924 func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { 925 req, out := c.GetAccessKeyInfoRequest(input) 926 req.SetContext(ctx) 927 req.ApplyOptions(opts...) 928 return out, req.Send() 929 } 930 931 const opGetCallerIdentity = "GetCallerIdentity" 932 933 // GetCallerIdentityRequest generates a "aws/request.Request" representing the 934 // client's request for the GetCallerIdentity operation. The "output" return 935 // value will be populated with the request's response once the request completes 936 // successfully. 937 // 938 // Use "Send" method on the returned Request to send the API call to the service. 939 // the "output" return value is not valid until after Send returns without error. 940 // 941 // See GetCallerIdentity for more information on using the GetCallerIdentity 942 // API call, and error handling. 943 // 944 // This method is useful when you want to inject custom logic or configuration 945 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 946 // 947 // 948 // // Example sending a request using the GetCallerIdentityRequest method. 949 // req, resp := client.GetCallerIdentityRequest(params) 950 // 951 // err := req.Send() 952 // if err == nil { // resp is now filled 953 // fmt.Println(resp) 954 // } 955 // 956 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity 957 func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { 958 op := &request.Operation{ 959 Name: opGetCallerIdentity, 960 HTTPMethod: "POST", 961 HTTPPath: "/", 962 } 963 964 if input == nil { 965 input = &GetCallerIdentityInput{} 966 } 967 968 output = &GetCallerIdentityOutput{} 969 req = c.newRequest(op, input, output) 970 return 971 } 972 973 // GetCallerIdentity API operation for AWS Security Token Service. 974 // 975 // Returns details about the IAM user or role whose credentials are used to 976 // call the operation. 977 // 978 // No permissions are required to perform this operation. If an administrator 979 // adds a policy to your IAM user or role that explicitly denies access to the 980 // sts:GetCallerIdentity action, you can still perform this operation. Permissions 981 // are not required because the same information is returned when an IAM user 982 // or role is denied access. To view an example response, see I Am Not Authorized 983 // to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) 984 // in the IAM User Guide. 985 // 986 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 987 // with awserr.Error's Code and Message methods to get detailed information about 988 // the error. 989 // 990 // See the AWS API reference guide for AWS Security Token Service's 991 // API operation GetCallerIdentity for usage and error information. 992 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity 993 func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { 994 req, out := c.GetCallerIdentityRequest(input) 995 return out, req.Send() 996 } 997 998 // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of 999 // the ability to pass a context and additional request options. 1000 // 1001 // See GetCallerIdentity for details on how to use this API operation. 1002 // 1003 // The context must be non-nil and will be used for request cancellation. If 1004 // the context is nil a panic will occur. In the future the SDK may create 1005 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1006 // for more information on using Contexts. 1007 func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { 1008 req, out := c.GetCallerIdentityRequest(input) 1009 req.SetContext(ctx) 1010 req.ApplyOptions(opts...) 1011 return out, req.Send() 1012 } 1013 1014 const opGetFederationToken = "GetFederationToken" 1015 1016 // GetFederationTokenRequest generates a "aws/request.Request" representing the 1017 // client's request for the GetFederationToken operation. The "output" return 1018 // value will be populated with the request's response once the request completes 1019 // successfully. 1020 // 1021 // Use "Send" method on the returned Request to send the API call to the service. 1022 // the "output" return value is not valid until after Send returns without error. 1023 // 1024 // See GetFederationToken for more information on using the GetFederationToken 1025 // API call, and error handling. 1026 // 1027 // This method is useful when you want to inject custom logic or configuration 1028 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 1029 // 1030 // 1031 // // Example sending a request using the GetFederationTokenRequest method. 1032 // req, resp := client.GetFederationTokenRequest(params) 1033 // 1034 // err := req.Send() 1035 // if err == nil { // resp is now filled 1036 // fmt.Println(resp) 1037 // } 1038 // 1039 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken 1040 func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { 1041 op := &request.Operation{ 1042 Name: opGetFederationToken, 1043 HTTPMethod: "POST", 1044 HTTPPath: "/", 1045 } 1046 1047 if input == nil { 1048 input = &GetFederationTokenInput{} 1049 } 1050 1051 output = &GetFederationTokenOutput{} 1052 req = c.newRequest(op, input, output) 1053 return 1054 } 1055 1056 // GetFederationToken API operation for AWS Security Token Service. 1057 // 1058 // Returns a set of temporary security credentials (consisting of an access 1059 // key ID, a secret access key, and a security token) for a federated user. 1060 // A typical use is in a proxy application that gets temporary security credentials 1061 // on behalf of distributed applications inside a corporate network. You must 1062 // call the GetFederationToken operation using the long-term security credentials 1063 // of an IAM user. As a result, this call is appropriate in contexts where those 1064 // credentials can be safely stored, usually in a server-based application. 1065 // For a comparison of GetFederationToken with the other API operations that 1066 // produce temporary credentials, see Requesting Temporary Security Credentials 1067 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 1068 // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 1069 // in the IAM User Guide. 1070 // 1071 // You can create a mobile-based or browser-based app that can authenticate 1072 // users using a web identity provider like Login with Amazon, Facebook, Google, 1073 // or an OpenID Connect-compatible identity provider. In this case, we recommend 1074 // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. 1075 // For more information, see Federation Through a Web-based Identity Provider 1076 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 1077 // in the IAM User Guide. 1078 // 1079 // You can also call GetFederationToken using the security credentials of an 1080 // Amazon Web Services account root user, but we do not recommend it. Instead, 1081 // we recommend that you create an IAM user for the purpose of the proxy application. 1082 // Then attach a policy to the IAM user that limits federated users to only 1083 // the actions and resources that they need to access. For more information, 1084 // see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) 1085 // in the IAM User Guide. 1086 // 1087 // Session duration 1088 // 1089 // The temporary credentials are valid for the specified duration, from 900 1090 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default 1091 // session duration is 43,200 seconds (12 hours). Temporary credentials that 1092 // are obtained by using Amazon Web Services account root user credentials have 1093 // a maximum duration of 3,600 seconds (1 hour). 1094 // 1095 // Permissions 1096 // 1097 // You can use the temporary credentials created by GetFederationToken in any 1098 // Amazon Web Services service except the following: 1099 // 1100 // * You cannot call any IAM operations using the CLI or the Amazon Web Services 1101 // API. 1102 // 1103 // * You cannot call any STS operations except GetCallerIdentity. 1104 // 1105 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1106 // to this operation. You can pass a single JSON policy document to use as an 1107 // inline session policy. You can also specify up to 10 managed policies to 1108 // use as managed session policies. The plaintext that you use for both inline 1109 // and managed session policies can't exceed 2,048 characters. 1110 // 1111 // Though the session policy parameters are optional, if you do not pass a policy, 1112 // then the resulting federated user session has no permissions. When you pass 1113 // session policies, the session permissions are the intersection of the IAM 1114 // user policies and the session policies that you pass. This gives you a way 1115 // to further restrict the permissions for a federated user. You cannot use 1116 // session policies to grant more permissions than those that are defined in 1117 // the permissions policy of the IAM user. For more information, see Session 1118 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1119 // in the IAM User Guide. For information about using GetFederationToken to 1120 // create temporary security credentials, see GetFederationToken—Federation 1121 // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). 1122 // 1123 // You can use the credentials to access a resource that has a resource-based 1124 // policy. If that policy specifically references the federated user session 1125 // in the Principal element of the policy, the session has the permissions allowed 1126 // by the policy. These permissions are granted in addition to the permissions 1127 // granted by the session policies. 1128 // 1129 // Tags 1130 // 1131 // (Optional) You can pass tag key-value pairs to your session. These are called 1132 // session tags. For more information about session tags, see Passing Session 1133 // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1134 // in the IAM User Guide. 1135 // 1136 // You can create a mobile-based or browser-based app that can authenticate 1137 // users using a web identity provider like Login with Amazon, Facebook, Google, 1138 // or an OpenID Connect-compatible identity provider. In this case, we recommend 1139 // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. 1140 // For more information, see Federation Through a Web-based Identity Provider 1141 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 1142 // in the IAM User Guide. 1143 // 1144 // You can also call GetFederationToken using the security credentials of an 1145 // Amazon Web Services account root user, but we do not recommend it. Instead, 1146 // we recommend that you create an IAM user for the purpose of the proxy application. 1147 // Then attach a policy to the IAM user that limits federated users to only 1148 // the actions and resources that they need to access. For more information, 1149 // see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) 1150 // in the IAM User Guide. 1151 // 1152 // Session duration 1153 // 1154 // The temporary credentials are valid for the specified duration, from 900 1155 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default 1156 // session duration is 43,200 seconds (12 hours). Temporary credentials that 1157 // are obtained by using Amazon Web Services account root user credentials have 1158 // a maximum duration of 3,600 seconds (1 hour). 1159 // 1160 // Permissions 1161 // 1162 // You can use the temporary credentials created by GetFederationToken in any 1163 // Amazon Web Services service except the following: 1164 // 1165 // * You cannot call any IAM operations using the CLI or the Amazon Web Services 1166 // API. 1167 // 1168 // * You cannot call any STS operations except GetCallerIdentity. 1169 // 1170 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1171 // to this operation. You can pass a single JSON policy document to use as an 1172 // inline session policy. You can also specify up to 10 managed policies to 1173 // use as managed session policies. The plain text that you use for both inline 1174 // and managed session policies can't exceed 2,048 characters. 1175 // 1176 // Though the session policy parameters are optional, if you do not pass a policy, 1177 // then the resulting federated user session has no permissions. When you pass 1178 // session policies, the session permissions are the intersection of the IAM 1179 // user policies and the session policies that you pass. This gives you a way 1180 // to further restrict the permissions for a federated user. You cannot use 1181 // session policies to grant more permissions than those that are defined in 1182 // the permissions policy of the IAM user. For more information, see Session 1183 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1184 // in the IAM User Guide. For information about using GetFederationToken to 1185 // create temporary security credentials, see GetFederationToken—Federation 1186 // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). 1187 // 1188 // You can use the credentials to access a resource that has a resource-based 1189 // policy. If that policy specifically references the federated user session 1190 // in the Principal element of the policy, the session has the permissions allowed 1191 // by the policy. These permissions are granted in addition to the permissions 1192 // granted by the session policies. 1193 // 1194 // Tags 1195 // 1196 // (Optional) You can pass tag key-value pairs to your session. These are called 1197 // session tags. For more information about session tags, see Passing Session 1198 // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1199 // in the IAM User Guide. 1200 // 1201 // An administrator must grant you the permissions necessary to pass session 1202 // tags. The administrator can also create granular permissions to allow you 1203 // to pass only specific session tags. For more information, see Tutorial: Using 1204 // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 1205 // in the IAM User Guide. 1206 // 1207 // Tag key–value pairs are not case sensitive, but case is preserved. This 1208 // means that you cannot have separate Department and department tag keys. Assume 1209 // that the user that you are federating has the Department=Marketing tag and 1210 // you pass the department=engineering session tag. Department and department 1211 // are not saved as separate tags, and the session tag passed in the request 1212 // takes precedence over the user tag. 1213 // 1214 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1215 // with awserr.Error's Code and Message methods to get detailed information about 1216 // the error. 1217 // 1218 // See the AWS API reference guide for AWS Security Token Service's 1219 // API operation GetFederationToken for usage and error information. 1220 // 1221 // Returned Error Codes: 1222 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 1223 // The request was rejected because the policy document was malformed. The error 1224 // message describes the specific error. 1225 // 1226 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 1227 // The request was rejected because the total packed size of the session policies 1228 // and session tags combined was too large. An Amazon Web Services conversion 1229 // compresses the session policy document, session policy ARNs, and session 1230 // tags into a packed binary format that has a separate limit. The error message 1231 // indicates by percentage how close the policies and tags are to the upper 1232 // size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1233 // in the IAM User Guide. 1234 // 1235 // You could receive this error even though you meet other defined session policy 1236 // and session tag limits. For more information, see IAM and STS Entity Character 1237 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1238 // in the IAM User Guide. 1239 // 1240 // * ErrCodeRegionDisabledException "RegionDisabledException" 1241 // STS is not activated in the requested region for the account that is being 1242 // asked to generate credentials. The account administrator must use the IAM 1243 // console to activate STS in that region. For more information, see Activating 1244 // and Deactivating Amazon Web Services STS in an Amazon Web Services Region 1245 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1246 // in the IAM User Guide. 1247 // 1248 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken 1249 func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { 1250 req, out := c.GetFederationTokenRequest(input) 1251 return out, req.Send() 1252 } 1253 1254 // GetFederationTokenWithContext is the same as GetFederationToken with the addition of 1255 // the ability to pass a context and additional request options. 1256 // 1257 // See GetFederationToken for details on how to use this API operation. 1258 // 1259 // The context must be non-nil and will be used for request cancellation. If 1260 // the context is nil a panic will occur. In the future the SDK may create 1261 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1262 // for more information on using Contexts. 1263 func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { 1264 req, out := c.GetFederationTokenRequest(input) 1265 req.SetContext(ctx) 1266 req.ApplyOptions(opts...) 1267 return out, req.Send() 1268 } 1269 1270 const opGetSessionToken = "GetSessionToken" 1271 1272 // GetSessionTokenRequest generates a "aws/request.Request" representing the 1273 // client's request for the GetSessionToken operation. The "output" return 1274 // value will be populated with the request's response once the request completes 1275 // successfully. 1276 // 1277 // Use "Send" method on the returned Request to send the API call to the service. 1278 // the "output" return value is not valid until after Send returns without error. 1279 // 1280 // See GetSessionToken for more information on using the GetSessionToken 1281 // API call, and error handling. 1282 // 1283 // This method is useful when you want to inject custom logic or configuration 1284 // into the SDK's request lifecycle. Such as custom headers, or retry logic. 1285 // 1286 // 1287 // // Example sending a request using the GetSessionTokenRequest method. 1288 // req, resp := client.GetSessionTokenRequest(params) 1289 // 1290 // err := req.Send() 1291 // if err == nil { // resp is now filled 1292 // fmt.Println(resp) 1293 // } 1294 // 1295 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken 1296 func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { 1297 op := &request.Operation{ 1298 Name: opGetSessionToken, 1299 HTTPMethod: "POST", 1300 HTTPPath: "/", 1301 } 1302 1303 if input == nil { 1304 input = &GetSessionTokenInput{} 1305 } 1306 1307 output = &GetSessionTokenOutput{} 1308 req = c.newRequest(op, input, output) 1309 return 1310 } 1311 1312 // GetSessionToken API operation for AWS Security Token Service. 1313 // 1314 // Returns a set of temporary credentials for an Amazon Web Services account 1315 // or IAM user. The credentials consist of an access key ID, a secret access 1316 // key, and a security token. Typically, you use GetSessionToken if you want 1317 // to use MFA to protect programmatic calls to specific Amazon Web Services 1318 // API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would 1319 // need to call GetSessionToken and submit an MFA code that is associated with 1320 // their MFA device. Using the temporary security credentials that are returned 1321 // from the call, IAM users can then make programmatic calls to API operations 1322 // that require MFA authentication. If you do not supply a correct MFA code, 1323 // then the API returns an access denied error. For a comparison of GetSessionToken 1324 // with the other API operations that produce temporary credentials, see Requesting 1325 // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 1326 // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 1327 // in the IAM User Guide. 1328 // 1329 // Session Duration 1330 // 1331 // The GetSessionToken operation must be called by using the long-term Amazon 1332 // Web Services security credentials of the Amazon Web Services account root 1333 // user or an IAM user. Credentials that are created by IAM users are valid 1334 // for the duration that you specify. This duration can range from 900 seconds 1335 // (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default 1336 // of 43,200 seconds (12 hours). Credentials based on account credentials can 1337 // range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a 1338 // default of 1 hour. 1339 // 1340 // Permissions 1341 // 1342 // The temporary security credentials created by GetSessionToken can be used 1343 // to make API calls to any Amazon Web Services service with the following exceptions: 1344 // 1345 // * You cannot call any IAM API operations unless MFA authentication information 1346 // is included in the request. 1347 // 1348 // * You cannot call any STS API except AssumeRole or GetCallerIdentity. 1349 // 1350 // We recommend that you do not call GetSessionToken with Amazon Web Services 1351 // account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) 1352 // by creating one or more IAM users, giving them the necessary permissions, 1353 // and using IAM users for everyday interaction with Amazon Web Services. 1354 // 1355 // The credentials that are returned by GetSessionToken are based on permissions 1356 // associated with the user whose credentials were used to call the operation. 1357 // If GetSessionToken is called using Amazon Web Services account root user 1358 // credentials, the temporary credentials have root user permissions. Similarly, 1359 // if GetSessionToken is called using the credentials of an IAM user, the temporary 1360 // credentials have the same permissions as the IAM user. 1361 // 1362 // For more information about using GetSessionToken to create temporary credentials, 1363 // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) 1364 // in the IAM User Guide. 1365 // 1366 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1367 // with awserr.Error's Code and Message methods to get detailed information about 1368 // the error. 1369 // 1370 // See the AWS API reference guide for AWS Security Token Service's 1371 // API operation GetSessionToken for usage and error information. 1372 // 1373 // Returned Error Codes: 1374 // * ErrCodeRegionDisabledException "RegionDisabledException" 1375 // STS is not activated in the requested region for the account that is being 1376 // asked to generate credentials. The account administrator must use the IAM 1377 // console to activate STS in that region. For more information, see Activating 1378 // and Deactivating Amazon Web Services STS in an Amazon Web Services Region 1379 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1380 // in the IAM User Guide. 1381 // 1382 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken 1383 func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { 1384 req, out := c.GetSessionTokenRequest(input) 1385 return out, req.Send() 1386 } 1387 1388 // GetSessionTokenWithContext is the same as GetSessionToken with the addition of 1389 // the ability to pass a context and additional request options. 1390 // 1391 // See GetSessionToken for details on how to use this API operation. 1392 // 1393 // The context must be non-nil and will be used for request cancellation. If 1394 // the context is nil a panic will occur. In the future the SDK may create 1395 // sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1396 // for more information on using Contexts. 1397 func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { 1398 req, out := c.GetSessionTokenRequest(input) 1399 req.SetContext(ctx) 1400 req.ApplyOptions(opts...) 1401 return out, req.Send() 1402 } 1403 1404 type AssumeRoleInput struct { 1405 _ struct{} `type:"structure"` 1406 1407 // The duration, in seconds, of the role session. The value specified can can 1408 // range from 900 seconds (15 minutes) up to the maximum session duration that 1409 // is set for the role. The maximum session duration setting can have a value 1410 // from 1 hour to 12 hours. If you specify a value higher than this setting 1411 // or the administrator setting (whichever is lower), the operation fails. For 1412 // example, if you specify a session duration of 12 hours, but your administrator 1413 // set the maximum session duration to 6 hours, your operation fails. To learn 1414 // how to view the maximum value for your role, see View the Maximum Session 1415 // Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 1416 // in the IAM User Guide. 1417 // 1418 // By default, the value is set to 3600 seconds. 1419 // 1420 // The DurationSeconds parameter is separate from the duration of a console 1421 // session that you might request using the returned credentials. The request 1422 // to the federation endpoint for a console sign-in token takes a SessionDuration 1423 // parameter that specifies the maximum length of the console session. For more 1424 // information, see Creating a URL that Enables Federated Users to Access the 1425 // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 1426 // in the IAM User Guide. 1427 DurationSeconds *int64 `min:"900" type:"integer"` 1428 1429 // A unique identifier that might be required when you assume a role in another 1430 // account. If the administrator of the account to which the role belongs provided 1431 // you with an external ID, then provide that value in the ExternalId parameter. 1432 // This value can be any string, such as a passphrase or account number. A cross-account 1433 // role is usually set up to trust everyone in an account. Therefore, the administrator 1434 // of the trusting account might send an external ID to the administrator of 1435 // the trusted account. That way, only someone with the ID can assume the role, 1436 // rather than everyone in the account. For more information about the external 1437 // ID, see How to Use an External ID When Granting Access to Your Amazon Web 1438 // Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) 1439 // in the IAM User Guide. 1440 // 1441 // The regex used to validate this parameter is a string of characters consisting 1442 // of upper- and lower-case alphanumeric characters with no spaces. You can 1443 // also include underscores or any of the following characters: =,.@:/- 1444 ExternalId *string `min:"2" type:"string"` 1445 1446 // An IAM policy in JSON format that you want to use as an inline session policy. 1447 // 1448 // This parameter is optional. Passing policies to this operation returns new 1449 // temporary credentials. The resulting session's permissions are the intersection 1450 // of the role's identity-based policy and the session policies. You can use 1451 // the role's temporary credentials in subsequent Amazon Web Services API calls 1452 // to access resources in the account that owns the role. You cannot use session 1453 // policies to grant more permissions than those allowed by the identity-based 1454 // policy of the role that is being assumed. For more information, see Session 1455 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1456 // in the IAM User Guide. 1457 // 1458 // The plaintext that you use for both inline and managed session policies can't 1459 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 1460 // from the space character to the end of the valid character list (\u0020 through 1461 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 1462 // return (\u000D) characters. 1463 // 1464 // An Amazon Web Services conversion compresses the passed session policies 1465 // and session tags into a packed binary format that has a separate limit. Your 1466 // request can fail for this limit even if your plaintext meets the other requirements. 1467 // The PackedPolicySize response element indicates by percentage how close the 1468 // policies and tags for your request are to the upper size limit. 1469 Policy *string `min:"1" type:"string"` 1470 1471 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 1472 // to use as managed session policies. The policies must exist in the same account 1473 // as the role. 1474 // 1475 // This parameter is optional. You can provide up to 10 managed policy ARNs. 1476 // However, the plaintext that you use for both inline and managed session policies 1477 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 1478 // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 1479 // in the Amazon Web Services General Reference. 1480 // 1481 // An Amazon Web Services conversion compresses the passed session policies 1482 // and session tags into a packed binary format that has a separate limit. Your 1483 // request can fail for this limit even if your plaintext meets the other requirements. 1484 // The PackedPolicySize response element indicates by percentage how close the 1485 // policies and tags for your request are to the upper size limit. 1486 // 1487 // Passing policies to this operation returns new temporary credentials. The 1488 // resulting session's permissions are the intersection of the role's identity-based 1489 // policy and the session policies. You can use the role's temporary credentials 1490 // in subsequent Amazon Web Services API calls to access resources in the account 1491 // that owns the role. You cannot use session policies to grant more permissions 1492 // than those allowed by the identity-based policy of the role that is being 1493 // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1494 // in the IAM User Guide. 1495 PolicyArns []*PolicyDescriptorType `type:"list"` 1496 1497 // The Amazon Resource Name (ARN) of the role to assume. 1498 // 1499 // RoleArn is a required field 1500 RoleArn *string `min:"20" type:"string" required:"true"` 1501 1502 // An identifier for the assumed role session. 1503 // 1504 // Use the role session name to uniquely identify a session when the same role 1505 // is assumed by different principals or for different reasons. In cross-account 1506 // scenarios, the role session name is visible to, and can be logged by the 1507 // account that owns the role. The role session name is also used in the ARN 1508 // of the assumed role principal. This means that subsequent cross-account API 1509 // requests that use the temporary security credentials will expose the role 1510 // session name to the external account in their CloudTrail logs. 1511 // 1512 // The regex used to validate this parameter is a string of characters consisting 1513 // of upper- and lower-case alphanumeric characters with no spaces. You can 1514 // also include underscores or any of the following characters: =,.@- 1515 // 1516 // RoleSessionName is a required field 1517 RoleSessionName *string `min:"2" type:"string" required:"true"` 1518 1519 // The identification number of the MFA device that is associated with the user 1520 // who is making the AssumeRole call. Specify this value if the trust policy 1521 // of the role being assumed includes a condition that requires MFA authentication. 1522 // The value is either the serial number for a hardware device (such as GAHT12345678) 1523 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). 1524 // 1525 // The regex used to validate this parameter is a string of characters consisting 1526 // of upper- and lower-case alphanumeric characters with no spaces. You can 1527 // also include underscores or any of the following characters: =,.@- 1528 SerialNumber *string `min:"9" type:"string"` 1529 1530 // The source identity specified by the principal that is calling the AssumeRole 1531 // operation. 1532 // 1533 // You can require users to specify a source identity when they assume a role. 1534 // You do this by using the sts:SourceIdentity condition key in a role trust 1535 // policy. You can use source identity information in CloudTrail logs to determine 1536 // who took actions with a role. You can use the aws:SourceIdentity condition 1537 // key to further control access to Amazon Web Services resources based on the 1538 // value of source identity. For more information about using source identity, 1539 // see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 1540 // in the IAM User Guide. 1541 // 1542 // The regex used to validate this parameter is a string of characters consisting 1543 // of upper- and lower-case alphanumeric characters with no spaces. You can 1544 // also include underscores or any of the following characters: =,.@-. You cannot 1545 // use a value that begins with the text aws:. This prefix is reserved for Amazon 1546 // Web Services internal use. 1547 SourceIdentity *string `min:"2" type:"string"` 1548 1549 // A list of session tags that you want to pass. Each session tag consists of 1550 // a key name and an associated value. For more information about session tags, 1551 // see Tagging STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1552 // in the IAM User Guide. 1553 // 1554 // This parameter is optional. You can pass up to 50 session tags. The plaintext 1555 // session tag keys can’t exceed 128 characters, and the values can’t exceed 1556 // 256 characters. For these and additional limits, see IAM and STS Character 1557 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 1558 // in the IAM User Guide. 1559 // 1560 // An Amazon Web Services conversion compresses the passed session policies 1561 // and session tags into a packed binary format that has a separate limit. Your 1562 // request can fail for this limit even if your plaintext meets the other requirements. 1563 // The PackedPolicySize response element indicates by percentage how close the 1564 // policies and tags for your request are to the upper size limit. 1565 // 1566 // You can pass a session tag with the same key as a tag that is already attached 1567 // to the role. When you do, session tags override a role tag with the same 1568 // key. 1569 // 1570 // Tag key–value pairs are not case sensitive, but case is preserved. This 1571 // means that you cannot have separate Department and department tag keys. Assume 1572 // that the role has the Department=Marketing tag and you pass the department=engineering 1573 // session tag. Department and department are not saved as separate tags, and 1574 // the session tag passed in the request takes precedence over the role tag. 1575 // 1576 // Additionally, if you used temporary credentials to perform this operation, 1577 // the new session inherits any transitive session tags from the calling session. 1578 // If you pass a session tag with the same key as an inherited tag, the operation 1579 // fails. To view the inherited tags for a session, see the CloudTrail logs. 1580 // For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs) 1581 // in the IAM User Guide. 1582 Tags []*Tag `type:"list"` 1583 1584 // The value provided by the MFA device, if the trust policy of the role being 1585 // assumed requires MFA. (In other words, if the policy includes a condition 1586 // that tests for MFA). If the role being assumed requires MFA and if the TokenCode 1587 // value is missing or expired, the AssumeRole call returns an "access denied" 1588 // error. 1589 // 1590 // The format for this parameter, as described by its regex pattern, is a sequence 1591 // of six numeric digits. 1592 TokenCode *string `min:"6" type:"string"` 1593 1594 // A list of keys for session tags that you want to set as transitive. If you 1595 // set a tag key as transitive, the corresponding key and value passes to subsequent 1596 // sessions in a role chain. For more information, see Chaining Roles with Session 1597 // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 1598 // in the IAM User Guide. 1599 // 1600 // This parameter is optional. When you set session tags as transitive, the 1601 // session policy and session tags packed binary limit is not affected. 1602 // 1603 // If you choose not to specify a transitive tag key, then no tags are passed 1604 // from this session to any subsequent sessions. 1605 TransitiveTagKeys []*string `type:"list"` 1606 } 1607 1608 // String returns the string representation. 1609 // 1610 // API parameter values that are decorated as "sensitive" in the API will not 1611 // be included in the string output. The member name will be present, but the 1612 // value will be replaced with "sensitive". 1613 func (s AssumeRoleInput) String() string { 1614 return awsutil.Prettify(s) 1615 } 1616 1617 // GoString returns the string representation. 1618 // 1619 // API parameter values that are decorated as "sensitive" in the API will not 1620 // be included in the string output. The member name will be present, but the 1621 // value will be replaced with "sensitive". 1622 func (s AssumeRoleInput) GoString() string { 1623 return s.String() 1624 } 1625 1626 // Validate inspects the fields of the type to determine if they are valid. 1627 func (s *AssumeRoleInput) Validate() error { 1628 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} 1629 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 1630 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 1631 } 1632 if s.ExternalId != nil && len(*s.ExternalId) < 2 { 1633 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) 1634 } 1635 if s.Policy != nil && len(*s.Policy) < 1 { 1636 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 1637 } 1638 if s.RoleArn == nil { 1639 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 1640 } 1641 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 1642 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 1643 } 1644 if s.RoleSessionName == nil { 1645 invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) 1646 } 1647 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { 1648 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) 1649 } 1650 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { 1651 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) 1652 } 1653 if s.SourceIdentity != nil && len(*s.SourceIdentity) < 2 { 1654 invalidParams.Add(request.NewErrParamMinLen("SourceIdentity", 2)) 1655 } 1656 if s.TokenCode != nil && len(*s.TokenCode) < 6 { 1657 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) 1658 } 1659 if s.PolicyArns != nil { 1660 for i, v := range s.PolicyArns { 1661 if v == nil { 1662 continue 1663 } 1664 if err := v.Validate(); err != nil { 1665 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 1666 } 1667 } 1668 } 1669 if s.Tags != nil { 1670 for i, v := range s.Tags { 1671 if v == nil { 1672 continue 1673 } 1674 if err := v.Validate(); err != nil { 1675 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) 1676 } 1677 } 1678 } 1679 1680 if invalidParams.Len() > 0 { 1681 return invalidParams 1682 } 1683 return nil 1684 } 1685 1686 // SetDurationSeconds sets the DurationSeconds field's value. 1687 func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { 1688 s.DurationSeconds = &v 1689 return s 1690 } 1691 1692 // SetExternalId sets the ExternalId field's value. 1693 func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { 1694 s.ExternalId = &v 1695 return s 1696 } 1697 1698 // SetPolicy sets the Policy field's value. 1699 func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { 1700 s.Policy = &v 1701 return s 1702 } 1703 1704 // SetPolicyArns sets the PolicyArns field's value. 1705 func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { 1706 s.PolicyArns = v 1707 return s 1708 } 1709 1710 // SetRoleArn sets the RoleArn field's value. 1711 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { 1712 s.RoleArn = &v 1713 return s 1714 } 1715 1716 // SetRoleSessionName sets the RoleSessionName field's value. 1717 func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { 1718 s.RoleSessionName = &v 1719 return s 1720 } 1721 1722 // SetSerialNumber sets the SerialNumber field's value. 1723 func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { 1724 s.SerialNumber = &v 1725 return s 1726 } 1727 1728 // SetSourceIdentity sets the SourceIdentity field's value. 1729 func (s *AssumeRoleInput) SetSourceIdentity(v string) *AssumeRoleInput { 1730 s.SourceIdentity = &v 1731 return s 1732 } 1733 1734 // SetTags sets the Tags field's value. 1735 func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput { 1736 s.Tags = v 1737 return s 1738 } 1739 1740 // SetTokenCode sets the TokenCode field's value. 1741 func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { 1742 s.TokenCode = &v 1743 return s 1744 } 1745 1746 // SetTransitiveTagKeys sets the TransitiveTagKeys field's value. 1747 func (s *AssumeRoleInput) SetTransitiveTagKeys(v []*string) *AssumeRoleInput { 1748 s.TransitiveTagKeys = v 1749 return s 1750 } 1751 1752 // Contains the response to a successful AssumeRole request, including temporary 1753 // Amazon Web Services credentials that can be used to make Amazon Web Services 1754 // requests. 1755 type AssumeRoleOutput struct { 1756 _ struct{} `type:"structure"` 1757 1758 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers 1759 // that you can use to refer to the resulting temporary security credentials. 1760 // For example, you can reference these credentials as a principal in a resource-based 1761 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName 1762 // that you specified when you called AssumeRole. 1763 AssumedRoleUser *AssumedRoleUser `type:"structure"` 1764 1765 // The temporary security credentials, which include an access key ID, a secret 1766 // access key, and a security (or session) token. 1767 // 1768 // The size of the security token that STS API operations return is not fixed. 1769 // We strongly recommend that you make no assumptions about the maximum size. 1770 Credentials *Credentials `type:"structure"` 1771 1772 // A percentage value that indicates the packed size of the session policies 1773 // and session tags combined passed in the request. The request fails if the 1774 // packed size is greater than 100 percent, which means the policies and tags 1775 // exceeded the allowed space. 1776 PackedPolicySize *int64 `type:"integer"` 1777 1778 // The source identity specified by the principal that is calling the AssumeRole 1779 // operation. 1780 // 1781 // You can require users to specify a source identity when they assume a role. 1782 // You do this by using the sts:SourceIdentity condition key in a role trust 1783 // policy. You can use source identity information in CloudTrail logs to determine 1784 // who took actions with a role. You can use the aws:SourceIdentity condition 1785 // key to further control access to Amazon Web Services resources based on the 1786 // value of source identity. For more information about using source identity, 1787 // see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 1788 // in the IAM User Guide. 1789 // 1790 // The regex used to validate this parameter is a string of characters consisting 1791 // of upper- and lower-case alphanumeric characters with no spaces. You can 1792 // also include underscores or any of the following characters: =,.@- 1793 SourceIdentity *string `min:"2" type:"string"` 1794 } 1795 1796 // String returns the string representation. 1797 // 1798 // API parameter values that are decorated as "sensitive" in the API will not 1799 // be included in the string output. The member name will be present, but the 1800 // value will be replaced with "sensitive". 1801 func (s AssumeRoleOutput) String() string { 1802 return awsutil.Prettify(s) 1803 } 1804 1805 // GoString returns the string representation. 1806 // 1807 // API parameter values that are decorated as "sensitive" in the API will not 1808 // be included in the string output. The member name will be present, but the 1809 // value will be replaced with "sensitive". 1810 func (s AssumeRoleOutput) GoString() string { 1811 return s.String() 1812 } 1813 1814 // SetAssumedRoleUser sets the AssumedRoleUser field's value. 1815 func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { 1816 s.AssumedRoleUser = v 1817 return s 1818 } 1819 1820 // SetCredentials sets the Credentials field's value. 1821 func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { 1822 s.Credentials = v 1823 return s 1824 } 1825 1826 // SetPackedPolicySize sets the PackedPolicySize field's value. 1827 func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { 1828 s.PackedPolicySize = &v 1829 return s 1830 } 1831 1832 // SetSourceIdentity sets the SourceIdentity field's value. 1833 func (s *AssumeRoleOutput) SetSourceIdentity(v string) *AssumeRoleOutput { 1834 s.SourceIdentity = &v 1835 return s 1836 } 1837 1838 type AssumeRoleWithSAMLInput struct { 1839 _ struct{} `type:"structure"` 1840 1841 // The duration, in seconds, of the role session. Your role session lasts for 1842 // the duration that you specify for the DurationSeconds parameter, or until 1843 // the time specified in the SAML authentication response's SessionNotOnOrAfter 1844 // value, whichever is shorter. You can provide a DurationSeconds value from 1845 // 900 seconds (15 minutes) up to the maximum session duration setting for the 1846 // role. This setting can have a value from 1 hour to 12 hours. If you specify 1847 // a value higher than this setting, the operation fails. For example, if you 1848 // specify a session duration of 12 hours, but your administrator set the maximum 1849 // session duration to 6 hours, your operation fails. To learn how to view the 1850 // maximum value for your role, see View the Maximum Session Duration Setting 1851 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 1852 // in the IAM User Guide. 1853 // 1854 // By default, the value is set to 3600 seconds. 1855 // 1856 // The DurationSeconds parameter is separate from the duration of a console 1857 // session that you might request using the returned credentials. The request 1858 // to the federation endpoint for a console sign-in token takes a SessionDuration 1859 // parameter that specifies the maximum length of the console session. For more 1860 // information, see Creating a URL that Enables Federated Users to Access the 1861 // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 1862 // in the IAM User Guide. 1863 DurationSeconds *int64 `min:"900" type:"integer"` 1864 1865 // An IAM policy in JSON format that you want to use as an inline session policy. 1866 // 1867 // This parameter is optional. Passing policies to this operation returns new 1868 // temporary credentials. The resulting session's permissions are the intersection 1869 // of the role's identity-based policy and the session policies. You can use 1870 // the role's temporary credentials in subsequent Amazon Web Services API calls 1871 // to access resources in the account that owns the role. You cannot use session 1872 // policies to grant more permissions than those allowed by the identity-based 1873 // policy of the role that is being assumed. For more information, see Session 1874 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1875 // in the IAM User Guide. 1876 // 1877 // The plaintext that you use for both inline and managed session policies can't 1878 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 1879 // from the space character to the end of the valid character list (\u0020 through 1880 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 1881 // return (\u000D) characters. 1882 // 1883 // An Amazon Web Services conversion compresses the passed session policies 1884 // and session tags into a packed binary format that has a separate limit. Your 1885 // request can fail for this limit even if your plaintext meets the other requirements. 1886 // The PackedPolicySize response element indicates by percentage how close the 1887 // policies and tags for your request are to the upper size limit. 1888 Policy *string `min:"1" type:"string"` 1889 1890 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 1891 // to use as managed session policies. The policies must exist in the same account 1892 // as the role. 1893 // 1894 // This parameter is optional. You can provide up to 10 managed policy ARNs. 1895 // However, the plaintext that you use for both inline and managed session policies 1896 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 1897 // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 1898 // in the Amazon Web Services General Reference. 1899 // 1900 // An Amazon Web Services conversion compresses the passed session policies 1901 // and session tags into a packed binary format that has a separate limit. Your 1902 // request can fail for this limit even if your plaintext meets the other requirements. 1903 // The PackedPolicySize response element indicates by percentage how close the 1904 // policies and tags for your request are to the upper size limit. 1905 // 1906 // Passing policies to this operation returns new temporary credentials. The 1907 // resulting session's permissions are the intersection of the role's identity-based 1908 // policy and the session policies. You can use the role's temporary credentials 1909 // in subsequent Amazon Web Services API calls to access resources in the account 1910 // that owns the role. You cannot use session policies to grant more permissions 1911 // than those allowed by the identity-based policy of the role that is being 1912 // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1913 // in the IAM User Guide. 1914 PolicyArns []*PolicyDescriptorType `type:"list"` 1915 1916 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes 1917 // the IdP. 1918 // 1919 // PrincipalArn is a required field 1920 PrincipalArn *string `min:"20" type:"string" required:"true"` 1921 1922 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 1923 // 1924 // RoleArn is a required field 1925 RoleArn *string `min:"20" type:"string" required:"true"` 1926 1927 // The base64 encoded SAML authentication response provided by the IdP. 1928 // 1929 // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) 1930 // in the IAM User Guide. 1931 // 1932 // SAMLAssertion is a required field 1933 SAMLAssertion *string `min:"4" type:"string" required:"true"` 1934 } 1935 1936 // String returns the string representation. 1937 // 1938 // API parameter values that are decorated as "sensitive" in the API will not 1939 // be included in the string output. The member name will be present, but the 1940 // value will be replaced with "sensitive". 1941 func (s AssumeRoleWithSAMLInput) String() string { 1942 return awsutil.Prettify(s) 1943 } 1944 1945 // GoString returns the string representation. 1946 // 1947 // API parameter values that are decorated as "sensitive" in the API will not 1948 // be included in the string output. The member name will be present, but the 1949 // value will be replaced with "sensitive". 1950 func (s AssumeRoleWithSAMLInput) GoString() string { 1951 return s.String() 1952 } 1953 1954 // Validate inspects the fields of the type to determine if they are valid. 1955 func (s *AssumeRoleWithSAMLInput) Validate() error { 1956 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} 1957 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 1958 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 1959 } 1960 if s.Policy != nil && len(*s.Policy) < 1 { 1961 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 1962 } 1963 if s.PrincipalArn == nil { 1964 invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) 1965 } 1966 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { 1967 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) 1968 } 1969 if s.RoleArn == nil { 1970 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 1971 } 1972 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 1973 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 1974 } 1975 if s.SAMLAssertion == nil { 1976 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) 1977 } 1978 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { 1979 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) 1980 } 1981 if s.PolicyArns != nil { 1982 for i, v := range s.PolicyArns { 1983 if v == nil { 1984 continue 1985 } 1986 if err := v.Validate(); err != nil { 1987 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 1988 } 1989 } 1990 } 1991 1992 if invalidParams.Len() > 0 { 1993 return invalidParams 1994 } 1995 return nil 1996 } 1997 1998 // SetDurationSeconds sets the DurationSeconds field's value. 1999 func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { 2000 s.DurationSeconds = &v 2001 return s 2002 } 2003 2004 // SetPolicy sets the Policy field's value. 2005 func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { 2006 s.Policy = &v 2007 return s 2008 } 2009 2010 // SetPolicyArns sets the PolicyArns field's value. 2011 func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { 2012 s.PolicyArns = v 2013 return s 2014 } 2015 2016 // SetPrincipalArn sets the PrincipalArn field's value. 2017 func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { 2018 s.PrincipalArn = &v 2019 return s 2020 } 2021 2022 // SetRoleArn sets the RoleArn field's value. 2023 func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { 2024 s.RoleArn = &v 2025 return s 2026 } 2027 2028 // SetSAMLAssertion sets the SAMLAssertion field's value. 2029 func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { 2030 s.SAMLAssertion = &v 2031 return s 2032 } 2033 2034 // Contains the response to a successful AssumeRoleWithSAML request, including 2035 // temporary Amazon Web Services credentials that can be used to make Amazon 2036 // Web Services requests. 2037 type AssumeRoleWithSAMLOutput struct { 2038 _ struct{} `type:"structure"` 2039 2040 // The identifiers for the temporary security credentials that the operation 2041 // returns. 2042 AssumedRoleUser *AssumedRoleUser `type:"structure"` 2043 2044 // The value of the Recipient attribute of the SubjectConfirmationData element 2045 // of the SAML assertion. 2046 Audience *string `type:"string"` 2047 2048 // The temporary security credentials, which include an access key ID, a secret 2049 // access key, and a security (or session) token. 2050 // 2051 // The size of the security token that STS API operations return is not fixed. 2052 // We strongly recommend that you make no assumptions about the maximum size. 2053 Credentials *Credentials `type:"structure"` 2054 2055 // The value of the Issuer element of the SAML assertion. 2056 Issuer *string `type:"string"` 2057 2058 // A hash value based on the concatenation of the following: 2059 // 2060 // * The Issuer response value. 2061 // 2062 // * The Amazon Web Services account ID. 2063 // 2064 // * The friendly name (the last part of the ARN) of the SAML provider in 2065 // IAM. 2066 // 2067 // The combination of NameQualifier and Subject can be used to uniquely identify 2068 // a federated user. 2069 // 2070 // The following pseudocode shows how the hash value is calculated: 2071 // 2072 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" 2073 // ) ) 2074 NameQualifier *string `type:"string"` 2075 2076 // A percentage value that indicates the packed size of the session policies 2077 // and session tags combined passed in the request. The request fails if the 2078 // packed size is greater than 100 percent, which means the policies and tags 2079 // exceeded the allowed space. 2080 PackedPolicySize *int64 `type:"integer"` 2081 2082 // The value in the SourceIdentity attribute in the SAML assertion. 2083 // 2084 // You can require users to set a source identity value when they assume a role. 2085 // You do this by using the sts:SourceIdentity condition key in a role trust 2086 // policy. That way, actions that are taken with the role are associated with 2087 // that user. After the source identity is set, the value cannot be changed. 2088 // It is present in the request for all actions that are taken by the role and 2089 // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) 2090 // sessions. You can configure your SAML identity provider to use an attribute 2091 // associated with your users, like user name or email, as the source identity 2092 // when calling AssumeRoleWithSAML. You do this by adding an attribute to the 2093 // SAML assertion. For more information about using source identity, see Monitor 2094 // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 2095 // in the IAM User Guide. 2096 // 2097 // The regex used to validate this parameter is a string of characters consisting 2098 // of upper- and lower-case alphanumeric characters with no spaces. You can 2099 // also include underscores or any of the following characters: =,.@- 2100 SourceIdentity *string `min:"2" type:"string"` 2101 2102 // The value of the NameID element in the Subject element of the SAML assertion. 2103 Subject *string `type:"string"` 2104 2105 // The format of the name ID, as defined by the Format attribute in the NameID 2106 // element of the SAML assertion. Typical examples of the format are transient 2107 // or persistent. 2108 // 2109 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, 2110 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient 2111 // is returned as transient. If the format includes any other prefix, the format 2112 // is returned with no modifications. 2113 SubjectType *string `type:"string"` 2114 } 2115 2116 // String returns the string representation. 2117 // 2118 // API parameter values that are decorated as "sensitive" in the API will not 2119 // be included in the string output. The member name will be present, but the 2120 // value will be replaced with "sensitive". 2121 func (s AssumeRoleWithSAMLOutput) String() string { 2122 return awsutil.Prettify(s) 2123 } 2124 2125 // GoString returns the string representation. 2126 // 2127 // API parameter values that are decorated as "sensitive" in the API will not 2128 // be included in the string output. The member name will be present, but the 2129 // value will be replaced with "sensitive". 2130 func (s AssumeRoleWithSAMLOutput) GoString() string { 2131 return s.String() 2132 } 2133 2134 // SetAssumedRoleUser sets the AssumedRoleUser field's value. 2135 func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { 2136 s.AssumedRoleUser = v 2137 return s 2138 } 2139 2140 // SetAudience sets the Audience field's value. 2141 func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { 2142 s.Audience = &v 2143 return s 2144 } 2145 2146 // SetCredentials sets the Credentials field's value. 2147 func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { 2148 s.Credentials = v 2149 return s 2150 } 2151 2152 // SetIssuer sets the Issuer field's value. 2153 func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { 2154 s.Issuer = &v 2155 return s 2156 } 2157 2158 // SetNameQualifier sets the NameQualifier field's value. 2159 func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { 2160 s.NameQualifier = &v 2161 return s 2162 } 2163 2164 // SetPackedPolicySize sets the PackedPolicySize field's value. 2165 func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { 2166 s.PackedPolicySize = &v 2167 return s 2168 } 2169 2170 // SetSourceIdentity sets the SourceIdentity field's value. 2171 func (s *AssumeRoleWithSAMLOutput) SetSourceIdentity(v string) *AssumeRoleWithSAMLOutput { 2172 s.SourceIdentity = &v 2173 return s 2174 } 2175 2176 // SetSubject sets the Subject field's value. 2177 func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { 2178 s.Subject = &v 2179 return s 2180 } 2181 2182 // SetSubjectType sets the SubjectType field's value. 2183 func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { 2184 s.SubjectType = &v 2185 return s 2186 } 2187 2188 type AssumeRoleWithWebIdentityInput struct { 2189 _ struct{} `type:"structure"` 2190 2191 // The duration, in seconds, of the role session. The value can range from 900 2192 // seconds (15 minutes) up to the maximum session duration setting for the role. 2193 // This setting can have a value from 1 hour to 12 hours. If you specify a value 2194 // higher than this setting, the operation fails. For example, if you specify 2195 // a session duration of 12 hours, but your administrator set the maximum session 2196 // duration to 6 hours, your operation fails. To learn how to view the maximum 2197 // value for your role, see View the Maximum Session Duration Setting for a 2198 // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 2199 // in the IAM User Guide. 2200 // 2201 // By default, the value is set to 3600 seconds. 2202 // 2203 // The DurationSeconds parameter is separate from the duration of a console 2204 // session that you might request using the returned credentials. The request 2205 // to the federation endpoint for a console sign-in token takes a SessionDuration 2206 // parameter that specifies the maximum length of the console session. For more 2207 // information, see Creating a URL that Enables Federated Users to Access the 2208 // Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 2209 // in the IAM User Guide. 2210 DurationSeconds *int64 `min:"900" type:"integer"` 2211 2212 // An IAM policy in JSON format that you want to use as an inline session policy. 2213 // 2214 // This parameter is optional. Passing policies to this operation returns new 2215 // temporary credentials. The resulting session's permissions are the intersection 2216 // of the role's identity-based policy and the session policies. You can use 2217 // the role's temporary credentials in subsequent Amazon Web Services API calls 2218 // to access resources in the account that owns the role. You cannot use session 2219 // policies to grant more permissions than those allowed by the identity-based 2220 // policy of the role that is being assumed. For more information, see Session 2221 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2222 // in the IAM User Guide. 2223 // 2224 // The plaintext that you use for both inline and managed session policies can't 2225 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 2226 // from the space character to the end of the valid character list (\u0020 through 2227 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 2228 // return (\u000D) characters. 2229 // 2230 // An Amazon Web Services conversion compresses the passed session policies 2231 // and session tags into a packed binary format that has a separate limit. Your 2232 // request can fail for this limit even if your plaintext meets the other requirements. 2233 // The PackedPolicySize response element indicates by percentage how close the 2234 // policies and tags for your request are to the upper size limit. 2235 Policy *string `min:"1" type:"string"` 2236 2237 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 2238 // to use as managed session policies. The policies must exist in the same account 2239 // as the role. 2240 // 2241 // This parameter is optional. You can provide up to 10 managed policy ARNs. 2242 // However, the plaintext that you use for both inline and managed session policies 2243 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 2244 // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 2245 // in the Amazon Web Services General Reference. 2246 // 2247 // An Amazon Web Services conversion compresses the passed session policies 2248 // and session tags into a packed binary format that has a separate limit. Your 2249 // request can fail for this limit even if your plaintext meets the other requirements. 2250 // The PackedPolicySize response element indicates by percentage how close the 2251 // policies and tags for your request are to the upper size limit. 2252 // 2253 // Passing policies to this operation returns new temporary credentials. The 2254 // resulting session's permissions are the intersection of the role's identity-based 2255 // policy and the session policies. You can use the role's temporary credentials 2256 // in subsequent Amazon Web Services API calls to access resources in the account 2257 // that owns the role. You cannot use session policies to grant more permissions 2258 // than those allowed by the identity-based policy of the role that is being 2259 // assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2260 // in the IAM User Guide. 2261 PolicyArns []*PolicyDescriptorType `type:"list"` 2262 2263 // The fully qualified host component of the domain name of the identity provider. 2264 // 2265 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com 2266 // and graph.facebook.com are the only supported identity providers for OAuth 2267 // 2.0 access tokens. Do not include URL schemes and port numbers. 2268 // 2269 // Do not specify this value for OpenID Connect ID tokens. 2270 ProviderId *string `min:"4" type:"string"` 2271 2272 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 2273 // 2274 // RoleArn is a required field 2275 RoleArn *string `min:"20" type:"string" required:"true"` 2276 2277 // An identifier for the assumed role session. Typically, you pass the name 2278 // or identifier that is associated with the user who is using your application. 2279 // That way, the temporary security credentials that your application will use 2280 // are associated with that user. This session name is included as part of the 2281 // ARN and assumed role ID in the AssumedRoleUser response element. 2282 // 2283 // The regex used to validate this parameter is a string of characters consisting 2284 // of upper- and lower-case alphanumeric characters with no spaces. You can 2285 // also include underscores or any of the following characters: =,.@- 2286 // 2287 // RoleSessionName is a required field 2288 RoleSessionName *string `min:"2" type:"string" required:"true"` 2289 2290 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by 2291 // the identity provider. Your application must get this token by authenticating 2292 // the user who is using your application with a web identity provider before 2293 // the application makes an AssumeRoleWithWebIdentity call. 2294 // 2295 // WebIdentityToken is a required field 2296 WebIdentityToken *string `min:"4" type:"string" required:"true"` 2297 } 2298 2299 // String returns the string representation. 2300 // 2301 // API parameter values that are decorated as "sensitive" in the API will not 2302 // be included in the string output. The member name will be present, but the 2303 // value will be replaced with "sensitive". 2304 func (s AssumeRoleWithWebIdentityInput) String() string { 2305 return awsutil.Prettify(s) 2306 } 2307 2308 // GoString returns the string representation. 2309 // 2310 // API parameter values that are decorated as "sensitive" in the API will not 2311 // be included in the string output. The member name will be present, but the 2312 // value will be replaced with "sensitive". 2313 func (s AssumeRoleWithWebIdentityInput) GoString() string { 2314 return s.String() 2315 } 2316 2317 // Validate inspects the fields of the type to determine if they are valid. 2318 func (s *AssumeRoleWithWebIdentityInput) Validate() error { 2319 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} 2320 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 2321 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 2322 } 2323 if s.Policy != nil && len(*s.Policy) < 1 { 2324 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 2325 } 2326 if s.ProviderId != nil && len(*s.ProviderId) < 4 { 2327 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) 2328 } 2329 if s.RoleArn == nil { 2330 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 2331 } 2332 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 2333 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 2334 } 2335 if s.RoleSessionName == nil { 2336 invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) 2337 } 2338 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { 2339 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) 2340 } 2341 if s.WebIdentityToken == nil { 2342 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) 2343 } 2344 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { 2345 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) 2346 } 2347 if s.PolicyArns != nil { 2348 for i, v := range s.PolicyArns { 2349 if v == nil { 2350 continue 2351 } 2352 if err := v.Validate(); err != nil { 2353 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 2354 } 2355 } 2356 } 2357 2358 if invalidParams.Len() > 0 { 2359 return invalidParams 2360 } 2361 return nil 2362 } 2363 2364 // SetDurationSeconds sets the DurationSeconds field's value. 2365 func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { 2366 s.DurationSeconds = &v 2367 return s 2368 } 2369 2370 // SetPolicy sets the Policy field's value. 2371 func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { 2372 s.Policy = &v 2373 return s 2374 } 2375 2376 // SetPolicyArns sets the PolicyArns field's value. 2377 func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { 2378 s.PolicyArns = v 2379 return s 2380 } 2381 2382 // SetProviderId sets the ProviderId field's value. 2383 func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { 2384 s.ProviderId = &v 2385 return s 2386 } 2387 2388 // SetRoleArn sets the RoleArn field's value. 2389 func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { 2390 s.RoleArn = &v 2391 return s 2392 } 2393 2394 // SetRoleSessionName sets the RoleSessionName field's value. 2395 func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { 2396 s.RoleSessionName = &v 2397 return s 2398 } 2399 2400 // SetWebIdentityToken sets the WebIdentityToken field's value. 2401 func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { 2402 s.WebIdentityToken = &v 2403 return s 2404 } 2405 2406 // Contains the response to a successful AssumeRoleWithWebIdentity request, 2407 // including temporary Amazon Web Services credentials that can be used to make 2408 // Amazon Web Services requests. 2409 type AssumeRoleWithWebIdentityOutput struct { 2410 _ struct{} `type:"structure"` 2411 2412 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers 2413 // that you can use to refer to the resulting temporary security credentials. 2414 // For example, you can reference these credentials as a principal in a resource-based 2415 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName 2416 // that you specified when you called AssumeRole. 2417 AssumedRoleUser *AssumedRoleUser `type:"structure"` 2418 2419 // The intended audience (also known as client ID) of the web identity token. 2420 // This is traditionally the client identifier issued to the application that 2421 // requested the web identity token. 2422 Audience *string `type:"string"` 2423 2424 // The temporary security credentials, which include an access key ID, a secret 2425 // access key, and a security token. 2426 // 2427 // The size of the security token that STS API operations return is not fixed. 2428 // We strongly recommend that you make no assumptions about the maximum size. 2429 Credentials *Credentials `type:"structure"` 2430 2431 // A percentage value that indicates the packed size of the session policies 2432 // and session tags combined passed in the request. The request fails if the 2433 // packed size is greater than 100 percent, which means the policies and tags 2434 // exceeded the allowed space. 2435 PackedPolicySize *int64 `type:"integer"` 2436 2437 // The issuing authority of the web identity token presented. For OpenID Connect 2438 // ID tokens, this contains the value of the iss field. For OAuth 2.0 access 2439 // tokens, this contains the value of the ProviderId parameter that was passed 2440 // in the AssumeRoleWithWebIdentity request. 2441 Provider *string `type:"string"` 2442 2443 // The value of the source identity that is returned in the JSON web token (JWT) 2444 // from the identity provider. 2445 // 2446 // You can require users to set a source identity value when they assume a role. 2447 // You do this by using the sts:SourceIdentity condition key in a role trust 2448 // policy. That way, actions that are taken with the role are associated with 2449 // that user. After the source identity is set, the value cannot be changed. 2450 // It is present in the request for all actions that are taken by the role and 2451 // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) 2452 // sessions. You can configure your identity provider to use an attribute associated 2453 // with your users, like user name or email, as the source identity when calling 2454 // AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web 2455 // token. To learn more about OIDC tokens and claims, see Using Tokens with 2456 // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) 2457 // in the Amazon Cognito Developer Guide. For more information about using source 2458 // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 2459 // in the IAM User Guide. 2460 // 2461 // The regex used to validate this parameter is a string of characters consisting 2462 // of upper- and lower-case alphanumeric characters with no spaces. You can 2463 // also include underscores or any of the following characters: =,.@- 2464 SourceIdentity *string `min:"2" type:"string"` 2465 2466 // The unique user identifier that is returned by the identity provider. This 2467 // identifier is associated with the WebIdentityToken that was submitted with 2468 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to 2469 // the user and the application that acquired the WebIdentityToken (pairwise 2470 // identifier). For OpenID Connect ID tokens, this field contains the value 2471 // returned by the identity provider as the token's sub (Subject) claim. 2472 SubjectFromWebIdentityToken *string `min:"6" type:"string"` 2473 } 2474 2475 // String returns the string representation. 2476 // 2477 // API parameter values that are decorated as "sensitive" in the API will not 2478 // be included in the string output. The member name will be present, but the 2479 // value will be replaced with "sensitive". 2480 func (s AssumeRoleWithWebIdentityOutput) String() string { 2481 return awsutil.Prettify(s) 2482 } 2483 2484 // GoString returns the string representation. 2485 // 2486 // API parameter values that are decorated as "sensitive" in the API will not 2487 // be included in the string output. The member name will be present, but the 2488 // value will be replaced with "sensitive". 2489 func (s AssumeRoleWithWebIdentityOutput) GoString() string { 2490 return s.String() 2491 } 2492 2493 // SetAssumedRoleUser sets the AssumedRoleUser field's value. 2494 func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { 2495 s.AssumedRoleUser = v 2496 return s 2497 } 2498 2499 // SetAudience sets the Audience field's value. 2500 func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { 2501 s.Audience = &v 2502 return s 2503 } 2504 2505 // SetCredentials sets the Credentials field's value. 2506 func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { 2507 s.Credentials = v 2508 return s 2509 } 2510 2511 // SetPackedPolicySize sets the PackedPolicySize field's value. 2512 func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { 2513 s.PackedPolicySize = &v 2514 return s 2515 } 2516 2517 // SetProvider sets the Provider field's value. 2518 func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { 2519 s.Provider = &v 2520 return s 2521 } 2522 2523 // SetSourceIdentity sets the SourceIdentity field's value. 2524 func (s *AssumeRoleWithWebIdentityOutput) SetSourceIdentity(v string) *AssumeRoleWithWebIdentityOutput { 2525 s.SourceIdentity = &v 2526 return s 2527 } 2528 2529 // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. 2530 func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { 2531 s.SubjectFromWebIdentityToken = &v 2532 return s 2533 } 2534 2535 // The identifiers for the temporary security credentials that the operation 2536 // returns. 2537 type AssumedRoleUser struct { 2538 _ struct{} `type:"structure"` 2539 2540 // The ARN of the temporary security credentials that are returned from the 2541 // AssumeRole action. For more information about ARNs and how to use them in 2542 // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) 2543 // in the IAM User Guide. 2544 // 2545 // Arn is a required field 2546 Arn *string `min:"20" type:"string" required:"true"` 2547 2548 // A unique identifier that contains the role ID and the role session name of 2549 // the role that is being assumed. The role ID is generated by Amazon Web Services 2550 // when the role is created. 2551 // 2552 // AssumedRoleId is a required field 2553 AssumedRoleId *string `min:"2" type:"string" required:"true"` 2554 } 2555 2556 // String returns the string representation. 2557 // 2558 // API parameter values that are decorated as "sensitive" in the API will not 2559 // be included in the string output. The member name will be present, but the 2560 // value will be replaced with "sensitive". 2561 func (s AssumedRoleUser) String() string { 2562 return awsutil.Prettify(s) 2563 } 2564 2565 // GoString returns the string representation. 2566 // 2567 // API parameter values that are decorated as "sensitive" in the API will not 2568 // be included in the string output. The member name will be present, but the 2569 // value will be replaced with "sensitive". 2570 func (s AssumedRoleUser) GoString() string { 2571 return s.String() 2572 } 2573 2574 // SetArn sets the Arn field's value. 2575 func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { 2576 s.Arn = &v 2577 return s 2578 } 2579 2580 // SetAssumedRoleId sets the AssumedRoleId field's value. 2581 func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { 2582 s.AssumedRoleId = &v 2583 return s 2584 } 2585 2586 // Amazon Web Services credentials for API authentication. 2587 type Credentials struct { 2588 _ struct{} `type:"structure"` 2589 2590 // The access key ID that identifies the temporary security credentials. 2591 // 2592 // AccessKeyId is a required field 2593 AccessKeyId *string `min:"16" type:"string" required:"true"` 2594 2595 // The date on which the current credentials expire. 2596 // 2597 // Expiration is a required field 2598 Expiration *time.Time `type:"timestamp" required:"true"` 2599 2600 // The secret access key that can be used to sign requests. 2601 // 2602 // SecretAccessKey is a required field 2603 SecretAccessKey *string `type:"string" required:"true"` 2604 2605 // The token that users must pass to the service API to use the temporary credentials. 2606 // 2607 // SessionToken is a required field 2608 SessionToken *string `type:"string" required:"true"` 2609 } 2610 2611 // String returns the string representation. 2612 // 2613 // API parameter values that are decorated as "sensitive" in the API will not 2614 // be included in the string output. The member name will be present, but the 2615 // value will be replaced with "sensitive". 2616 func (s Credentials) String() string { 2617 return awsutil.Prettify(s) 2618 } 2619 2620 // GoString returns the string representation. 2621 // 2622 // API parameter values that are decorated as "sensitive" in the API will not 2623 // be included in the string output. The member name will be present, but the 2624 // value will be replaced with "sensitive". 2625 func (s Credentials) GoString() string { 2626 return s.String() 2627 } 2628 2629 // SetAccessKeyId sets the AccessKeyId field's value. 2630 func (s *Credentials) SetAccessKeyId(v string) *Credentials { 2631 s.AccessKeyId = &v 2632 return s 2633 } 2634 2635 // SetExpiration sets the Expiration field's value. 2636 func (s *Credentials) SetExpiration(v time.Time) *Credentials { 2637 s.Expiration = &v 2638 return s 2639 } 2640 2641 // SetSecretAccessKey sets the SecretAccessKey field's value. 2642 func (s *Credentials) SetSecretAccessKey(v string) *Credentials { 2643 s.SecretAccessKey = &v 2644 return s 2645 } 2646 2647 // SetSessionToken sets the SessionToken field's value. 2648 func (s *Credentials) SetSessionToken(v string) *Credentials { 2649 s.SessionToken = &v 2650 return s 2651 } 2652 2653 type DecodeAuthorizationMessageInput struct { 2654 _ struct{} `type:"structure"` 2655 2656 // The encoded message that was returned with the response. 2657 // 2658 // EncodedMessage is a required field 2659 EncodedMessage *string `min:"1" type:"string" required:"true"` 2660 } 2661 2662 // String returns the string representation. 2663 // 2664 // API parameter values that are decorated as "sensitive" in the API will not 2665 // be included in the string output. The member name will be present, but the 2666 // value will be replaced with "sensitive". 2667 func (s DecodeAuthorizationMessageInput) String() string { 2668 return awsutil.Prettify(s) 2669 } 2670 2671 // GoString returns the string representation. 2672 // 2673 // API parameter values that are decorated as "sensitive" in the API will not 2674 // be included in the string output. The member name will be present, but the 2675 // value will be replaced with "sensitive". 2676 func (s DecodeAuthorizationMessageInput) GoString() string { 2677 return s.String() 2678 } 2679 2680 // Validate inspects the fields of the type to determine if they are valid. 2681 func (s *DecodeAuthorizationMessageInput) Validate() error { 2682 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} 2683 if s.EncodedMessage == nil { 2684 invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) 2685 } 2686 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { 2687 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) 2688 } 2689 2690 if invalidParams.Len() > 0 { 2691 return invalidParams 2692 } 2693 return nil 2694 } 2695 2696 // SetEncodedMessage sets the EncodedMessage field's value. 2697 func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { 2698 s.EncodedMessage = &v 2699 return s 2700 } 2701 2702 // A document that contains additional information about the authorization status 2703 // of a request from an encoded message that is returned in response to an Amazon 2704 // Web Services request. 2705 type DecodeAuthorizationMessageOutput struct { 2706 _ struct{} `type:"structure"` 2707 2708 // An XML document that contains the decoded message. 2709 DecodedMessage *string `type:"string"` 2710 } 2711 2712 // String returns the string representation. 2713 // 2714 // API parameter values that are decorated as "sensitive" in the API will not 2715 // be included in the string output. The member name will be present, but the 2716 // value will be replaced with "sensitive". 2717 func (s DecodeAuthorizationMessageOutput) String() string { 2718 return awsutil.Prettify(s) 2719 } 2720 2721 // GoString returns the string representation. 2722 // 2723 // API parameter values that are decorated as "sensitive" in the API will not 2724 // be included in the string output. The member name will be present, but the 2725 // value will be replaced with "sensitive". 2726 func (s DecodeAuthorizationMessageOutput) GoString() string { 2727 return s.String() 2728 } 2729 2730 // SetDecodedMessage sets the DecodedMessage field's value. 2731 func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { 2732 s.DecodedMessage = &v 2733 return s 2734 } 2735 2736 // Identifiers for the federated user that is associated with the credentials. 2737 type FederatedUser struct { 2738 _ struct{} `type:"structure"` 2739 2740 // The ARN that specifies the federated user that is associated with the credentials. 2741 // For more information about ARNs and how to use them in policies, see IAM 2742 // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) 2743 // in the IAM User Guide. 2744 // 2745 // Arn is a required field 2746 Arn *string `min:"20" type:"string" required:"true"` 2747 2748 // The string that identifies the federated user associated with the credentials, 2749 // similar to the unique ID of an IAM user. 2750 // 2751 // FederatedUserId is a required field 2752 FederatedUserId *string `min:"2" type:"string" required:"true"` 2753 } 2754 2755 // String returns the string representation. 2756 // 2757 // API parameter values that are decorated as "sensitive" in the API will not 2758 // be included in the string output. The member name will be present, but the 2759 // value will be replaced with "sensitive". 2760 func (s FederatedUser) String() string { 2761 return awsutil.Prettify(s) 2762 } 2763 2764 // GoString returns the string representation. 2765 // 2766 // API parameter values that are decorated as "sensitive" in the API will not 2767 // be included in the string output. The member name will be present, but the 2768 // value will be replaced with "sensitive". 2769 func (s FederatedUser) GoString() string { 2770 return s.String() 2771 } 2772 2773 // SetArn sets the Arn field's value. 2774 func (s *FederatedUser) SetArn(v string) *FederatedUser { 2775 s.Arn = &v 2776 return s 2777 } 2778 2779 // SetFederatedUserId sets the FederatedUserId field's value. 2780 func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { 2781 s.FederatedUserId = &v 2782 return s 2783 } 2784 2785 type GetAccessKeyInfoInput struct { 2786 _ struct{} `type:"structure"` 2787 2788 // The identifier of an access key. 2789 // 2790 // This parameter allows (through its regex pattern) a string of characters 2791 // that can consist of any upper- or lowercase letter or digit. 2792 // 2793 // AccessKeyId is a required field 2794 AccessKeyId *string `min:"16" type:"string" required:"true"` 2795 } 2796 2797 // String returns the string representation. 2798 // 2799 // API parameter values that are decorated as "sensitive" in the API will not 2800 // be included in the string output. The member name will be present, but the 2801 // value will be replaced with "sensitive". 2802 func (s GetAccessKeyInfoInput) String() string { 2803 return awsutil.Prettify(s) 2804 } 2805 2806 // GoString returns the string representation. 2807 // 2808 // API parameter values that are decorated as "sensitive" in the API will not 2809 // be included in the string output. The member name will be present, but the 2810 // value will be replaced with "sensitive". 2811 func (s GetAccessKeyInfoInput) GoString() string { 2812 return s.String() 2813 } 2814 2815 // Validate inspects the fields of the type to determine if they are valid. 2816 func (s *GetAccessKeyInfoInput) Validate() error { 2817 invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} 2818 if s.AccessKeyId == nil { 2819 invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) 2820 } 2821 if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { 2822 invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) 2823 } 2824 2825 if invalidParams.Len() > 0 { 2826 return invalidParams 2827 } 2828 return nil 2829 } 2830 2831 // SetAccessKeyId sets the AccessKeyId field's value. 2832 func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { 2833 s.AccessKeyId = &v 2834 return s 2835 } 2836 2837 type GetAccessKeyInfoOutput struct { 2838 _ struct{} `type:"structure"` 2839 2840 // The number used to identify the Amazon Web Services account. 2841 Account *string `type:"string"` 2842 } 2843 2844 // String returns the string representation. 2845 // 2846 // API parameter values that are decorated as "sensitive" in the API will not 2847 // be included in the string output. The member name will be present, but the 2848 // value will be replaced with "sensitive". 2849 func (s GetAccessKeyInfoOutput) String() string { 2850 return awsutil.Prettify(s) 2851 } 2852 2853 // GoString returns the string representation. 2854 // 2855 // API parameter values that are decorated as "sensitive" in the API will not 2856 // be included in the string output. The member name will be present, but the 2857 // value will be replaced with "sensitive". 2858 func (s GetAccessKeyInfoOutput) GoString() string { 2859 return s.String() 2860 } 2861 2862 // SetAccount sets the Account field's value. 2863 func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { 2864 s.Account = &v 2865 return s 2866 } 2867 2868 type GetCallerIdentityInput struct { 2869 _ struct{} `type:"structure"` 2870 } 2871 2872 // String returns the string representation. 2873 // 2874 // API parameter values that are decorated as "sensitive" in the API will not 2875 // be included in the string output. The member name will be present, but the 2876 // value will be replaced with "sensitive". 2877 func (s GetCallerIdentityInput) String() string { 2878 return awsutil.Prettify(s) 2879 } 2880 2881 // GoString returns the string representation. 2882 // 2883 // API parameter values that are decorated as "sensitive" in the API will not 2884 // be included in the string output. The member name will be present, but the 2885 // value will be replaced with "sensitive". 2886 func (s GetCallerIdentityInput) GoString() string { 2887 return s.String() 2888 } 2889 2890 // Contains the response to a successful GetCallerIdentity request, including 2891 // information about the entity making the request. 2892 type GetCallerIdentityOutput struct { 2893 _ struct{} `type:"structure"` 2894 2895 // The Amazon Web Services account ID number of the account that owns or contains 2896 // the calling entity. 2897 Account *string `type:"string"` 2898 2899 // The Amazon Web Services ARN associated with the calling entity. 2900 Arn *string `min:"20" type:"string"` 2901 2902 // The unique identifier of the calling entity. The exact value depends on the 2903 // type of entity that is making the call. The values returned are those listed 2904 // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) 2905 // found on the Policy Variables reference page in the IAM User Guide. 2906 UserId *string `type:"string"` 2907 } 2908 2909 // String returns the string representation. 2910 // 2911 // API parameter values that are decorated as "sensitive" in the API will not 2912 // be included in the string output. The member name will be present, but the 2913 // value will be replaced with "sensitive". 2914 func (s GetCallerIdentityOutput) String() string { 2915 return awsutil.Prettify(s) 2916 } 2917 2918 // GoString returns the string representation. 2919 // 2920 // API parameter values that are decorated as "sensitive" in the API will not 2921 // be included in the string output. The member name will be present, but the 2922 // value will be replaced with "sensitive". 2923 func (s GetCallerIdentityOutput) GoString() string { 2924 return s.String() 2925 } 2926 2927 // SetAccount sets the Account field's value. 2928 func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { 2929 s.Account = &v 2930 return s 2931 } 2932 2933 // SetArn sets the Arn field's value. 2934 func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { 2935 s.Arn = &v 2936 return s 2937 } 2938 2939 // SetUserId sets the UserId field's value. 2940 func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { 2941 s.UserId = &v 2942 return s 2943 } 2944 2945 type GetFederationTokenInput struct { 2946 _ struct{} `type:"structure"` 2947 2948 // The duration, in seconds, that the session should last. Acceptable durations 2949 // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds 2950 // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained 2951 // using Amazon Web Services account root user credentials are restricted to 2952 // a maximum of 3,600 seconds (one hour). If the specified duration is longer 2953 // than one hour, the session obtained by using root user credentials defaults 2954 // to one hour. 2955 DurationSeconds *int64 `min:"900" type:"integer"` 2956 2957 // The name of the federated user. The name is used as an identifier for the 2958 // temporary security credentials (such as Bob). For example, you can reference 2959 // the federated user name in a resource-based policy, such as in an Amazon 2960 // S3 bucket policy. 2961 // 2962 // The regex used to validate this parameter is a string of characters consisting 2963 // of upper- and lower-case alphanumeric characters with no spaces. You can 2964 // also include underscores or any of the following characters: =,.@- 2965 // 2966 // Name is a required field 2967 Name *string `min:"2" type:"string" required:"true"` 2968 2969 // An IAM policy in JSON format that you want to use as an inline session policy. 2970 // 2971 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2972 // to this operation. You can pass a single JSON policy document to use as an 2973 // inline session policy. You can also specify up to 10 managed policies to 2974 // use as managed session policies. 2975 // 2976 // This parameter is optional. However, if you do not pass any session policies, 2977 // then the resulting federated user session has no permissions. 2978 // 2979 // When you pass session policies, the session permissions are the intersection 2980 // of the IAM user policies and the session policies that you pass. This gives 2981 // you a way to further restrict the permissions for a federated user. You cannot 2982 // use session policies to grant more permissions than those that are defined 2983 // in the permissions policy of the IAM user. For more information, see Session 2984 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2985 // in the IAM User Guide. 2986 // 2987 // The resulting credentials can be used to access a resource that has a resource-based 2988 // policy. If that policy specifically references the federated user session 2989 // in the Principal element of the policy, the session has the permissions allowed 2990 // by the policy. These permissions are granted in addition to the permissions 2991 // that are granted by the session policies. 2992 // 2993 // The plaintext that you use for both inline and managed session policies can't 2994 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 2995 // from the space character to the end of the valid character list (\u0020 through 2996 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 2997 // return (\u000D) characters. 2998 // 2999 // An Amazon Web Services conversion compresses the passed session policies 3000 // and session tags into a packed binary format that has a separate limit. Your 3001 // request can fail for this limit even if your plaintext meets the other requirements. 3002 // The PackedPolicySize response element indicates by percentage how close the 3003 // policies and tags for your request are to the upper size limit. 3004 Policy *string `min:"1" type:"string"` 3005 3006 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 3007 // to use as a managed session policy. The policies must exist in the same account 3008 // as the IAM user that is requesting federated access. 3009 // 3010 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 3011 // to this operation. You can pass a single JSON policy document to use as an 3012 // inline session policy. You can also specify up to 10 managed policies to 3013 // use as managed session policies. The plaintext that you use for both inline 3014 // and managed session policies can't exceed 2,048 characters. You can provide 3015 // up to 10 managed policy ARNs. For more information about ARNs, see Amazon 3016 // Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 3017 // in the Amazon Web Services General Reference. 3018 // 3019 // This parameter is optional. However, if you do not pass any session policies, 3020 // then the resulting federated user session has no permissions. 3021 // 3022 // When you pass session policies, the session permissions are the intersection 3023 // of the IAM user policies and the session policies that you pass. This gives 3024 // you a way to further restrict the permissions for a federated user. You cannot 3025 // use session policies to grant more permissions than those that are defined 3026 // in the permissions policy of the IAM user. For more information, see Session 3027 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 3028 // in the IAM User Guide. 3029 // 3030 // The resulting credentials can be used to access a resource that has a resource-based 3031 // policy. If that policy specifically references the federated user session 3032 // in the Principal element of the policy, the session has the permissions allowed 3033 // by the policy. These permissions are granted in addition to the permissions 3034 // that are granted by the session policies. 3035 // 3036 // An Amazon Web Services conversion compresses the passed session policies 3037 // and session tags into a packed binary format that has a separate limit. Your 3038 // request can fail for this limit even if your plaintext meets the other requirements. 3039 // The PackedPolicySize response element indicates by percentage how close the 3040 // policies and tags for your request are to the upper size limit. 3041 PolicyArns []*PolicyDescriptorType `type:"list"` 3042 3043 // A list of session tags. Each session tag consists of a key name and an associated 3044 // value. For more information about session tags, see Passing Session Tags 3045 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 3046 // in the IAM User Guide. 3047 // 3048 // This parameter is optional. You can pass up to 50 session tags. The plaintext 3049 // session tag keys can’t exceed 128 characters and the values can’t exceed 3050 // 256 characters. For these and additional limits, see IAM and STS Character 3051 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 3052 // in the IAM User Guide. 3053 // 3054 // An Amazon Web Services conversion compresses the passed session policies 3055 // and session tags into a packed binary format that has a separate limit. Your 3056 // request can fail for this limit even if your plaintext meets the other requirements. 3057 // The PackedPolicySize response element indicates by percentage how close the 3058 // policies and tags for your request are to the upper size limit. 3059 // 3060 // You can pass a session tag with the same key as a tag that is already attached 3061 // to the user you are federating. When you do, session tags override a user 3062 // tag with the same key. 3063 // 3064 // Tag key–value pairs are not case sensitive, but case is preserved. This 3065 // means that you cannot have separate Department and department tag keys. Assume 3066 // that the role has the Department=Marketing tag and you pass the department=engineering 3067 // session tag. Department and department are not saved as separate tags, and 3068 // the session tag passed in the request takes precedence over the role tag. 3069 Tags []*Tag `type:"list"` 3070 } 3071 3072 // String returns the string representation. 3073 // 3074 // API parameter values that are decorated as "sensitive" in the API will not 3075 // be included in the string output. The member name will be present, but the 3076 // value will be replaced with "sensitive". 3077 func (s GetFederationTokenInput) String() string { 3078 return awsutil.Prettify(s) 3079 } 3080 3081 // GoString returns the string representation. 3082 // 3083 // API parameter values that are decorated as "sensitive" in the API will not 3084 // be included in the string output. The member name will be present, but the 3085 // value will be replaced with "sensitive". 3086 func (s GetFederationTokenInput) GoString() string { 3087 return s.String() 3088 } 3089 3090 // Validate inspects the fields of the type to determine if they are valid. 3091 func (s *GetFederationTokenInput) Validate() error { 3092 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} 3093 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 3094 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 3095 } 3096 if s.Name == nil { 3097 invalidParams.Add(request.NewErrParamRequired("Name")) 3098 } 3099 if s.Name != nil && len(*s.Name) < 2 { 3100 invalidParams.Add(request.NewErrParamMinLen("Name", 2)) 3101 } 3102 if s.Policy != nil && len(*s.Policy) < 1 { 3103 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 3104 } 3105 if s.PolicyArns != nil { 3106 for i, v := range s.PolicyArns { 3107 if v == nil { 3108 continue 3109 } 3110 if err := v.Validate(); err != nil { 3111 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 3112 } 3113 } 3114 } 3115 if s.Tags != nil { 3116 for i, v := range s.Tags { 3117 if v == nil { 3118 continue 3119 } 3120 if err := v.Validate(); err != nil { 3121 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) 3122 } 3123 } 3124 } 3125 3126 if invalidParams.Len() > 0 { 3127 return invalidParams 3128 } 3129 return nil 3130 } 3131 3132 // SetDurationSeconds sets the DurationSeconds field's value. 3133 func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { 3134 s.DurationSeconds = &v 3135 return s 3136 } 3137 3138 // SetName sets the Name field's value. 3139 func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { 3140 s.Name = &v 3141 return s 3142 } 3143 3144 // SetPolicy sets the Policy field's value. 3145 func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { 3146 s.Policy = &v 3147 return s 3148 } 3149 3150 // SetPolicyArns sets the PolicyArns field's value. 3151 func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { 3152 s.PolicyArns = v 3153 return s 3154 } 3155 3156 // SetTags sets the Tags field's value. 3157 func (s *GetFederationTokenInput) SetTags(v []*Tag) *GetFederationTokenInput { 3158 s.Tags = v 3159 return s 3160 } 3161 3162 // Contains the response to a successful GetFederationToken request, including 3163 // temporary Amazon Web Services credentials that can be used to make Amazon 3164 // Web Services requests. 3165 type GetFederationTokenOutput struct { 3166 _ struct{} `type:"structure"` 3167 3168 // The temporary security credentials, which include an access key ID, a secret 3169 // access key, and a security (or session) token. 3170 // 3171 // The size of the security token that STS API operations return is not fixed. 3172 // We strongly recommend that you make no assumptions about the maximum size. 3173 Credentials *Credentials `type:"structure"` 3174 3175 // Identifiers for the federated user associated with the credentials (such 3176 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You 3177 // can use the federated user's ARN in your resource-based policies, such as 3178 // an Amazon S3 bucket policy. 3179 FederatedUser *FederatedUser `type:"structure"` 3180 3181 // A percentage value that indicates the packed size of the session policies 3182 // and session tags combined passed in the request. The request fails if the 3183 // packed size is greater than 100 percent, which means the policies and tags 3184 // exceeded the allowed space. 3185 PackedPolicySize *int64 `type:"integer"` 3186 } 3187 3188 // String returns the string representation. 3189 // 3190 // API parameter values that are decorated as "sensitive" in the API will not 3191 // be included in the string output. The member name will be present, but the 3192 // value will be replaced with "sensitive". 3193 func (s GetFederationTokenOutput) String() string { 3194 return awsutil.Prettify(s) 3195 } 3196 3197 // GoString returns the string representation. 3198 // 3199 // API parameter values that are decorated as "sensitive" in the API will not 3200 // be included in the string output. The member name will be present, but the 3201 // value will be replaced with "sensitive". 3202 func (s GetFederationTokenOutput) GoString() string { 3203 return s.String() 3204 } 3205 3206 // SetCredentials sets the Credentials field's value. 3207 func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { 3208 s.Credentials = v 3209 return s 3210 } 3211 3212 // SetFederatedUser sets the FederatedUser field's value. 3213 func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { 3214 s.FederatedUser = v 3215 return s 3216 } 3217 3218 // SetPackedPolicySize sets the PackedPolicySize field's value. 3219 func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { 3220 s.PackedPolicySize = &v 3221 return s 3222 } 3223 3224 type GetSessionTokenInput struct { 3225 _ struct{} `type:"structure"` 3226 3227 // The duration, in seconds, that the credentials should remain valid. Acceptable 3228 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 3229 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions 3230 // for Amazon Web Services account owners are restricted to a maximum of 3,600 3231 // seconds (one hour). If the duration is longer than one hour, the session 3232 // for Amazon Web Services account owners defaults to one hour. 3233 DurationSeconds *int64 `min:"900" type:"integer"` 3234 3235 // The identification number of the MFA device that is associated with the IAM 3236 // user who is making the GetSessionToken call. Specify this value if the IAM 3237 // user has a policy that requires MFA authentication. The value is either the 3238 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource 3239 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). 3240 // You can find the device for an IAM user by going to the Management Console 3241 // and viewing the user's security credentials. 3242 // 3243 // The regex used to validate this parameter is a string of characters consisting 3244 // of upper- and lower-case alphanumeric characters with no spaces. You can 3245 // also include underscores or any of the following characters: =,.@:/- 3246 SerialNumber *string `min:"9" type:"string"` 3247 3248 // The value provided by the MFA device, if MFA is required. If any policy requires 3249 // the IAM user to submit an MFA code, specify this value. If MFA authentication 3250 // is required, the user must provide a code when requesting a set of temporary 3251 // security credentials. A user who fails to provide the code receives an "access 3252 // denied" response when requesting resources that require MFA authentication. 3253 // 3254 // The format for this parameter, as described by its regex pattern, is a sequence 3255 // of six numeric digits. 3256 TokenCode *string `min:"6" type:"string"` 3257 } 3258 3259 // String returns the string representation. 3260 // 3261 // API parameter values that are decorated as "sensitive" in the API will not 3262 // be included in the string output. The member name will be present, but the 3263 // value will be replaced with "sensitive". 3264 func (s GetSessionTokenInput) String() string { 3265 return awsutil.Prettify(s) 3266 } 3267 3268 // GoString returns the string representation. 3269 // 3270 // API parameter values that are decorated as "sensitive" in the API will not 3271 // be included in the string output. The member name will be present, but the 3272 // value will be replaced with "sensitive". 3273 func (s GetSessionTokenInput) GoString() string { 3274 return s.String() 3275 } 3276 3277 // Validate inspects the fields of the type to determine if they are valid. 3278 func (s *GetSessionTokenInput) Validate() error { 3279 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} 3280 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 3281 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 3282 } 3283 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { 3284 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) 3285 } 3286 if s.TokenCode != nil && len(*s.TokenCode) < 6 { 3287 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) 3288 } 3289 3290 if invalidParams.Len() > 0 { 3291 return invalidParams 3292 } 3293 return nil 3294 } 3295 3296 // SetDurationSeconds sets the DurationSeconds field's value. 3297 func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { 3298 s.DurationSeconds = &v 3299 return s 3300 } 3301 3302 // SetSerialNumber sets the SerialNumber field's value. 3303 func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { 3304 s.SerialNumber = &v 3305 return s 3306 } 3307 3308 // SetTokenCode sets the TokenCode field's value. 3309 func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { 3310 s.TokenCode = &v 3311 return s 3312 } 3313 3314 // Contains the response to a successful GetSessionToken request, including 3315 // temporary Amazon Web Services credentials that can be used to make Amazon 3316 // Web Services requests. 3317 type GetSessionTokenOutput struct { 3318 _ struct{} `type:"structure"` 3319 3320 // The temporary security credentials, which include an access key ID, a secret 3321 // access key, and a security (or session) token. 3322 // 3323 // The size of the security token that STS API operations return is not fixed. 3324 // We strongly recommend that you make no assumptions about the maximum size. 3325 Credentials *Credentials `type:"structure"` 3326 } 3327 3328 // String returns the string representation. 3329 // 3330 // API parameter values that are decorated as "sensitive" in the API will not 3331 // be included in the string output. The member name will be present, but the 3332 // value will be replaced with "sensitive". 3333 func (s GetSessionTokenOutput) String() string { 3334 return awsutil.Prettify(s) 3335 } 3336 3337 // GoString returns the string representation. 3338 // 3339 // API parameter values that are decorated as "sensitive" in the API will not 3340 // be included in the string output. The member name will be present, but the 3341 // value will be replaced with "sensitive". 3342 func (s GetSessionTokenOutput) GoString() string { 3343 return s.String() 3344 } 3345 3346 // SetCredentials sets the Credentials field's value. 3347 func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { 3348 s.Credentials = v 3349 return s 3350 } 3351 3352 // A reference to the IAM managed policy that is passed as a session policy 3353 // for a role session or a federated user session. 3354 type PolicyDescriptorType struct { 3355 _ struct{} `type:"structure"` 3356 3357 // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session 3358 // policy for the role. For more information about ARNs, see Amazon Resource 3359 // Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 3360 // in the Amazon Web Services General Reference. 3361 Arn *string `locationName:"arn" min:"20" type:"string"` 3362 } 3363 3364 // String returns the string representation. 3365 // 3366 // API parameter values that are decorated as "sensitive" in the API will not 3367 // be included in the string output. The member name will be present, but the 3368 // value will be replaced with "sensitive". 3369 func (s PolicyDescriptorType) String() string { 3370 return awsutil.Prettify(s) 3371 } 3372 3373 // GoString returns the string representation. 3374 // 3375 // API parameter values that are decorated as "sensitive" in the API will not 3376 // be included in the string output. The member name will be present, but the 3377 // value will be replaced with "sensitive". 3378 func (s PolicyDescriptorType) GoString() string { 3379 return s.String() 3380 } 3381 3382 // Validate inspects the fields of the type to determine if they are valid. 3383 func (s *PolicyDescriptorType) Validate() error { 3384 invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} 3385 if s.Arn != nil && len(*s.Arn) < 20 { 3386 invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) 3387 } 3388 3389 if invalidParams.Len() > 0 { 3390 return invalidParams 3391 } 3392 return nil 3393 } 3394 3395 // SetArn sets the Arn field's value. 3396 func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { 3397 s.Arn = &v 3398 return s 3399 } 3400 3401 // You can pass custom key-value pair attributes when you assume a role or federate 3402 // a user. These are called session tags. You can then use the session tags 3403 // to control access to resources. For more information, see Tagging STS Sessions 3404 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in 3405 // the IAM User Guide. 3406 type Tag struct { 3407 _ struct{} `type:"structure"` 3408 3409 // The key for a session tag. 3410 // 3411 // You can pass up to 50 session tags. The plain text session tag keys can’t 3412 // exceed 128 characters. For these and additional limits, see IAM and STS Character 3413 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 3414 // in the IAM User Guide. 3415 // 3416 // Key is a required field 3417 Key *string `min:"1" type:"string" required:"true"` 3418 3419 // The value for a session tag. 3420 // 3421 // You can pass up to 50 session tags. The plain text session tag values can’t 3422 // exceed 256 characters. For these and additional limits, see IAM and STS Character 3423 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 3424 // in the IAM User Guide. 3425 // 3426 // Value is a required field 3427 Value *string `type:"string" required:"true"` 3428 } 3429 3430 // String returns the string representation. 3431 // 3432 // API parameter values that are decorated as "sensitive" in the API will not 3433 // be included in the string output. The member name will be present, but the 3434 // value will be replaced with "sensitive". 3435 func (s Tag) String() string { 3436 return awsutil.Prettify(s) 3437 } 3438 3439 // GoString returns the string representation. 3440 // 3441 // API parameter values that are decorated as "sensitive" in the API will not 3442 // be included in the string output. The member name will be present, but the 3443 // value will be replaced with "sensitive". 3444 func (s Tag) GoString() string { 3445 return s.String() 3446 } 3447 3448 // Validate inspects the fields of the type to determine if they are valid. 3449 func (s *Tag) Validate() error { 3450 invalidParams := request.ErrInvalidParams{Context: "Tag"} 3451 if s.Key == nil { 3452 invalidParams.Add(request.NewErrParamRequired("Key")) 3453 } 3454 if s.Key != nil && len(*s.Key) < 1 { 3455 invalidParams.Add(request.NewErrParamMinLen("Key", 1)) 3456 } 3457 if s.Value == nil { 3458 invalidParams.Add(request.NewErrParamRequired("Value")) 3459 } 3460 3461 if invalidParams.Len() > 0 { 3462 return invalidParams 3463 } 3464 return nil 3465 } 3466 3467 // SetKey sets the Key field's value. 3468 func (s *Tag) SetKey(v string) *Tag { 3469 s.Key = &v 3470 return s 3471 } 3472 3473 // SetValue sets the Value field's value. 3474 func (s *Tag) SetValue(v string) *Tag { 3475 s.Value = &v 3476 return s 3477 }