github.com/aavshr/aws-sdk-go@v1.41.3/service/sts/api.go (about)

     1  // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
     2  
     3  package sts
     4  
     5  import (
     6  	"fmt"
     7  	"time"
     8  
     9  	"github.com/aavshr/aws-sdk-go/aws"
    10  	"github.com/aavshr/aws-sdk-go/aws/awsutil"
    11  	"github.com/aavshr/aws-sdk-go/aws/credentials"
    12  	"github.com/aavshr/aws-sdk-go/aws/request"
    13  )
    14  
    15  const opAssumeRole = "AssumeRole"
    16  
    17  // AssumeRoleRequest generates a "aws/request.Request" representing the
    18  // client's request for the AssumeRole operation. The "output" return
    19  // value will be populated with the request's response once the request completes
    20  // successfully.
    21  //
    22  // Use "Send" method on the returned Request to send the API call to the service.
    23  // the "output" return value is not valid until after Send returns without error.
    24  //
    25  // See AssumeRole for more information on using the AssumeRole
    26  // API call, and error handling.
    27  //
    28  // This method is useful when you want to inject custom logic or configuration
    29  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
    30  //
    31  //
    32  //    // Example sending a request using the AssumeRoleRequest method.
    33  //    req, resp := client.AssumeRoleRequest(params)
    34  //
    35  //    err := req.Send()
    36  //    if err == nil { // resp is now filled
    37  //        fmt.Println(resp)
    38  //    }
    39  //
    40  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
    41  func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) {
    42  	op := &request.Operation{
    43  		Name:       opAssumeRole,
    44  		HTTPMethod: "POST",
    45  		HTTPPath:   "/",
    46  	}
    47  
    48  	if input == nil {
    49  		input = &AssumeRoleInput{}
    50  	}
    51  
    52  	output = &AssumeRoleOutput{}
    53  	req = c.newRequest(op, input, output)
    54  	return
    55  }
    56  
    57  // AssumeRole API operation for AWS Security Token Service.
    58  //
    59  // Returns a set of temporary security credentials that you can use to access
    60  // Amazon Web Services resources that you might not normally have access to.
    61  // These temporary credentials consist of an access key ID, a secret access
    62  // key, and a security token. Typically, you use AssumeRole within your account
    63  // or for cross-account access. For a comparison of AssumeRole with other API
    64  // operations that produce temporary credentials, see Requesting Temporary Security
    65  // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
    66  // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
    67  // in the IAM User Guide.
    68  //
    69  // Permissions
    70  //
    71  // The temporary security credentials created by AssumeRole can be used to make
    72  // API calls to any Amazon Web Services service with the following exception:
    73  // You cannot call the STS GetFederationToken or GetSessionToken API operations.
    74  //
    75  // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
    76  // to this operation. You can pass a single JSON policy document to use as an
    77  // inline session policy. You can also specify up to 10 managed policies to
    78  // use as managed session policies. The plaintext that you use for both inline
    79  // and managed session policies can't exceed 2,048 characters. Passing policies
    80  // to this operation returns new temporary credentials. The resulting session's
    81  // permissions are the intersection of the role's identity-based policy and
    82  // the session policies. You can use the role's temporary credentials in subsequent
    83  // Amazon Web Services API calls to access resources in the account that owns
    84  // the role. You cannot use session policies to grant more permissions than
    85  // those allowed by the identity-based policy of the role that is being assumed.
    86  // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
    87  // in the IAM User Guide.
    88  //
    89  // To assume a role from a different account, your account must be trusted by
    90  // the role. The trust relationship is defined in the role's trust policy when
    91  // the role is created. That trust policy states which accounts are allowed
    92  // to delegate that access to users in the account.
    93  //
    94  // A user who wants to access a role in a different account must also have permissions
    95  // that are delegated from the user account administrator. The administrator
    96  // must attach a policy that allows the user to call AssumeRole for the ARN
    97  // of the role in the other account. If the user is in the same account as the
    98  // role, then you can do either of the following:
    99  //
   100  //    * Attach a policy to the user (identical to the previous user in a different
   101  //    account).
   102  //
   103  //    * Add the user as a principal directly in the role's trust policy.
   104  //
   105  // In this case, the trust policy acts as an IAM resource-based policy. Users
   106  // in the same account as the role do not need explicit permission to assume
   107  // the role. For more information about trust policies and resource-based policies,
   108  // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
   109  // in the IAM User Guide.
   110  //
   111  // Tags
   112  //
   113  // (Optional) You can pass tag key-value pairs to your session. These tags are
   114  // called session tags. For more information about session tags, see Passing
   115  // Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   116  // in the IAM User Guide.
   117  //
   118  // An administrator must grant you the permissions necessary to pass session
   119  // tags. The administrator can also create granular permissions to allow you
   120  // to pass only specific session tags. For more information, see Tutorial: Using
   121  // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
   122  // in the IAM User Guide.
   123  //
   124  // You can set the session tags as transitive. Transitive tags persist during
   125  // role chaining. For more information, see Chaining Roles with Session Tags
   126  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
   127  // in the IAM User Guide.
   128  //
   129  // Using MFA with AssumeRole
   130  //
   131  // (Optional) You can include multi-factor authentication (MFA) information
   132  // when you call AssumeRole. This is useful for cross-account scenarios to ensure
   133  // that the user that assumes the role has been authenticated with an Amazon
   134  // Web Services MFA device. In that scenario, the trust policy of the role being
   135  // assumed includes a condition that tests for MFA authentication. If the caller
   136  // does not include valid MFA information, the request to assume the role is
   137  // denied. The condition in a trust policy that tests for MFA authentication
   138  // might look like the following example.
   139  //
   140  // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
   141  //
   142  // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
   143  // in the IAM User Guide guide.
   144  //
   145  // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
   146  // parameters. The SerialNumber value identifies the user's hardware or virtual
   147  // MFA device. The TokenCode is the time-based one-time password (TOTP) that
   148  // the MFA device produces.
   149  //
   150  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   151  // with awserr.Error's Code and Message methods to get detailed information about
   152  // the error.
   153  //
   154  // See the AWS API reference guide for AWS Security Token Service's
   155  // API operation AssumeRole for usage and error information.
   156  //
   157  // Returned Error Codes:
   158  //   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
   159  //   The request was rejected because the policy document was malformed. The error
   160  //   message describes the specific error.
   161  //
   162  //   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
   163  //   The request was rejected because the total packed size of the session policies
   164  //   and session tags combined was too large. An Amazon Web Services conversion
   165  //   compresses the session policy document, session policy ARNs, and session
   166  //   tags into a packed binary format that has a separate limit. The error message
   167  //   indicates by percentage how close the policies and tags are to the upper
   168  //   size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   169  //   in the IAM User Guide.
   170  //
   171  //   You could receive this error even though you meet other defined session policy
   172  //   and session tag limits. For more information, see IAM and STS Entity Character
   173  //   Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   174  //   in the IAM User Guide.
   175  //
   176  //   * ErrCodeRegionDisabledException "RegionDisabledException"
   177  //   STS is not activated in the requested region for the account that is being
   178  //   asked to generate credentials. The account administrator must use the IAM
   179  //   console to activate STS in that region. For more information, see Activating
   180  //   and Deactivating Amazon Web Services STS in an Amazon Web Services Region
   181  //   (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   182  //   in the IAM User Guide.
   183  //
   184  //   * ErrCodeExpiredTokenException "ExpiredTokenException"
   185  //   The web identity token that was passed is expired or is not valid. Get a
   186  //   new identity token from the identity provider and then retry the request.
   187  //
   188  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
   189  func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
   190  	req, out := c.AssumeRoleRequest(input)
   191  	return out, req.Send()
   192  }
   193  
   194  // AssumeRoleWithContext is the same as AssumeRole with the addition of
   195  // the ability to pass a context and additional request options.
   196  //
   197  // See AssumeRole for details on how to use this API operation.
   198  //
   199  // The context must be non-nil and will be used for request cancellation. If
   200  // the context is nil a panic will occur. In the future the SDK may create
   201  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
   202  // for more information on using Contexts.
   203  func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) {
   204  	req, out := c.AssumeRoleRequest(input)
   205  	req.SetContext(ctx)
   206  	req.ApplyOptions(opts...)
   207  	return out, req.Send()
   208  }
   209  
   210  const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
   211  
   212  // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
   213  // client's request for the AssumeRoleWithSAML operation. The "output" return
   214  // value will be populated with the request's response once the request completes
   215  // successfully.
   216  //
   217  // Use "Send" method on the returned Request to send the API call to the service.
   218  // the "output" return value is not valid until after Send returns without error.
   219  //
   220  // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML
   221  // API call, and error handling.
   222  //
   223  // This method is useful when you want to inject custom logic or configuration
   224  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
   225  //
   226  //
   227  //    // Example sending a request using the AssumeRoleWithSAMLRequest method.
   228  //    req, resp := client.AssumeRoleWithSAMLRequest(params)
   229  //
   230  //    err := req.Send()
   231  //    if err == nil { // resp is now filled
   232  //        fmt.Println(resp)
   233  //    }
   234  //
   235  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
   236  func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) {
   237  	op := &request.Operation{
   238  		Name:       opAssumeRoleWithSAML,
   239  		HTTPMethod: "POST",
   240  		HTTPPath:   "/",
   241  	}
   242  
   243  	if input == nil {
   244  		input = &AssumeRoleWithSAMLInput{}
   245  	}
   246  
   247  	output = &AssumeRoleWithSAMLOutput{}
   248  	req = c.newRequest(op, input, output)
   249  	req.Config.Credentials = credentials.AnonymousCredentials
   250  	return
   251  }
   252  
   253  // AssumeRoleWithSAML API operation for AWS Security Token Service.
   254  //
   255  // Returns a set of temporary security credentials for users who have been authenticated
   256  // via a SAML authentication response. This operation provides a mechanism for
   257  // tying an enterprise identity store or directory to role-based Amazon Web
   258  // Services access without user-specific credentials or configuration. For a
   259  // comparison of AssumeRoleWithSAML with the other API operations that produce
   260  // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
   261  // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
   262  // in the IAM User Guide.
   263  //
   264  // The temporary security credentials returned by this operation consist of
   265  // an access key ID, a secret access key, and a security token. Applications
   266  // can use these temporary security credentials to sign calls to Amazon Web
   267  // Services services.
   268  //
   269  // Session Duration
   270  //
   271  // By default, the temporary security credentials created by AssumeRoleWithSAML
   272  // last for one hour. However, you can use the optional DurationSeconds parameter
   273  // to specify the duration of your session. Your role session lasts for the
   274  // duration that you specify, or until the time specified in the SAML authentication
   275  // response's SessionNotOnOrAfter value, whichever is shorter. You can provide
   276  // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
   277  // duration setting for the role. This setting can have a value from 1 hour
   278  // to 12 hours. To learn how to view the maximum value for your role, see View
   279  // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
   280  // in the IAM User Guide. The maximum session duration limit applies when you
   281  // use the AssumeRole* API operations or the assume-role* CLI commands. However
   282  // the limit does not apply when you use those operations to create a console
   283  // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
   284  // in the IAM User Guide.
   285  //
   286  // Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
   287  // limits your CLI or Amazon Web Services API role session to a maximum of one
   288  // hour. When you use the AssumeRole API operation to assume a role, you can
   289  // specify the duration of your role session with the DurationSeconds parameter.
   290  // You can specify a parameter value of up to 43200 seconds (12 hours), depending
   291  // on the maximum session duration setting for your role. However, if you assume
   292  // a role using role chaining and provide a DurationSeconds parameter value
   293  // greater than one hour, the operation fails.
   294  //
   295  // Permissions
   296  //
   297  // The temporary security credentials created by AssumeRoleWithSAML can be used
   298  // to make API calls to any Amazon Web Services service with the following exception:
   299  // you cannot call the STS GetFederationToken or GetSessionToken API operations.
   300  //
   301  // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
   302  // to this operation. You can pass a single JSON policy document to use as an
   303  // inline session policy. You can also specify up to 10 managed policies to
   304  // use as managed session policies. The plaintext that you use for both inline
   305  // and managed session policies can't exceed 2,048 characters. Passing policies
   306  // to this operation returns new temporary credentials. The resulting session's
   307  // permissions are the intersection of the role's identity-based policy and
   308  // the session policies. You can use the role's temporary credentials in subsequent
   309  // Amazon Web Services API calls to access resources in the account that owns
   310  // the role. You cannot use session policies to grant more permissions than
   311  // those allowed by the identity-based policy of the role that is being assumed.
   312  // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
   313  // in the IAM User Guide.
   314  //
   315  // Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
   316  // security credentials. The identity of the caller is validated by using keys
   317  // in the metadata document that is uploaded for the SAML provider entity for
   318  // your identity provider.
   319  //
   320  // Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs.
   321  // The entry includes the value in the NameID element of the SAML assertion.
   322  // We recommend that you use a NameIDType that is not associated with any personally
   323  // identifiable information (PII). For example, you could instead use the persistent
   324  // identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
   325  //
   326  // Tags
   327  //
   328  // (Optional) You can configure your IdP to pass attributes into your SAML assertion
   329  // as session tags. Each session tag consists of a key name and an associated
   330  // value. For more information about session tags, see Passing Session Tags
   331  // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   332  // in the IAM User Guide.
   333  //
   334  // You can pass up to 50 session tags. The plaintext session tag keys can’t
   335  // exceed 128 characters and the values can’t exceed 256 characters. For these
   336  // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
   337  // in the IAM User Guide.
   338  //
   339  // An Amazon Web Services conversion compresses the passed session policies
   340  // and session tags into a packed binary format that has a separate limit. Your
   341  // request can fail for this limit even if your plaintext meets the other requirements.
   342  // The PackedPolicySize response element indicates by percentage how close the
   343  // policies and tags for your request are to the upper size limit.
   344  //
   345  // You can pass a session tag with the same key as a tag that is attached to
   346  // the role. When you do, session tags override the role's tags with the same
   347  // key.
   348  //
   349  // An administrator must grant you the permissions necessary to pass session
   350  // tags. The administrator can also create granular permissions to allow you
   351  // to pass only specific session tags. For more information, see Tutorial: Using
   352  // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
   353  // in the IAM User Guide.
   354  //
   355  // You can set the session tags as transitive. Transitive tags persist during
   356  // role chaining. For more information, see Chaining Roles with Session Tags
   357  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
   358  // in the IAM User Guide.
   359  //
   360  // SAML Configuration
   361  //
   362  // Before your application can call AssumeRoleWithSAML, you must configure your
   363  // SAML identity provider (IdP) to issue the claims required by Amazon Web Services.
   364  // Additionally, you must use Identity and Access Management (IAM) to create
   365  // a SAML provider entity in your Amazon Web Services account that represents
   366  // your identity provider. You must also create an IAM role that specifies this
   367  // SAML provider in its trust policy.
   368  //
   369  // For more information, see the following resources:
   370  //
   371  //    * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
   372  //    in the IAM User Guide.
   373  //
   374  //    * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
   375  //    in the IAM User Guide.
   376  //
   377  //    * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
   378  //    in the IAM User Guide.
   379  //
   380  //    * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
   381  //    in the IAM User Guide.
   382  //
   383  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   384  // with awserr.Error's Code and Message methods to get detailed information about
   385  // the error.
   386  //
   387  // See the AWS API reference guide for AWS Security Token Service's
   388  // API operation AssumeRoleWithSAML for usage and error information.
   389  //
   390  // Returned Error Codes:
   391  //   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
   392  //   The request was rejected because the policy document was malformed. The error
   393  //   message describes the specific error.
   394  //
   395  //   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
   396  //   The request was rejected because the total packed size of the session policies
   397  //   and session tags combined was too large. An Amazon Web Services conversion
   398  //   compresses the session policy document, session policy ARNs, and session
   399  //   tags into a packed binary format that has a separate limit. The error message
   400  //   indicates by percentage how close the policies and tags are to the upper
   401  //   size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   402  //   in the IAM User Guide.
   403  //
   404  //   You could receive this error even though you meet other defined session policy
   405  //   and session tag limits. For more information, see IAM and STS Entity Character
   406  //   Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   407  //   in the IAM User Guide.
   408  //
   409  //   * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
   410  //   The identity provider (IdP) reported that authentication failed. This might
   411  //   be because the claim is invalid.
   412  //
   413  //   If this error is returned for the AssumeRoleWithWebIdentity operation, it
   414  //   can also mean that the claim has expired or has been explicitly revoked.
   415  //
   416  //   * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
   417  //   The web identity token that was passed could not be validated by Amazon Web
   418  //   Services. Get a new identity token from the identity provider and then retry
   419  //   the request.
   420  //
   421  //   * ErrCodeExpiredTokenException "ExpiredTokenException"
   422  //   The web identity token that was passed is expired or is not valid. Get a
   423  //   new identity token from the identity provider and then retry the request.
   424  //
   425  //   * ErrCodeRegionDisabledException "RegionDisabledException"
   426  //   STS is not activated in the requested region for the account that is being
   427  //   asked to generate credentials. The account administrator must use the IAM
   428  //   console to activate STS in that region. For more information, see Activating
   429  //   and Deactivating Amazon Web Services STS in an Amazon Web Services Region
   430  //   (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   431  //   in the IAM User Guide.
   432  //
   433  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
   434  func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
   435  	req, out := c.AssumeRoleWithSAMLRequest(input)
   436  	return out, req.Send()
   437  }
   438  
   439  // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of
   440  // the ability to pass a context and additional request options.
   441  //
   442  // See AssumeRoleWithSAML for details on how to use this API operation.
   443  //
   444  // The context must be non-nil and will be used for request cancellation. If
   445  // the context is nil a panic will occur. In the future the SDK may create
   446  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
   447  // for more information on using Contexts.
   448  func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) {
   449  	req, out := c.AssumeRoleWithSAMLRequest(input)
   450  	req.SetContext(ctx)
   451  	req.ApplyOptions(opts...)
   452  	return out, req.Send()
   453  }
   454  
   455  const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
   456  
   457  // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
   458  // client's request for the AssumeRoleWithWebIdentity operation. The "output" return
   459  // value will be populated with the request's response once the request completes
   460  // successfully.
   461  //
   462  // Use "Send" method on the returned Request to send the API call to the service.
   463  // the "output" return value is not valid until after Send returns without error.
   464  //
   465  // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity
   466  // API call, and error handling.
   467  //
   468  // This method is useful when you want to inject custom logic or configuration
   469  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
   470  //
   471  //
   472  //    // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
   473  //    req, resp := client.AssumeRoleWithWebIdentityRequest(params)
   474  //
   475  //    err := req.Send()
   476  //    if err == nil { // resp is now filled
   477  //        fmt.Println(resp)
   478  //    }
   479  //
   480  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
   481  func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) {
   482  	op := &request.Operation{
   483  		Name:       opAssumeRoleWithWebIdentity,
   484  		HTTPMethod: "POST",
   485  		HTTPPath:   "/",
   486  	}
   487  
   488  	if input == nil {
   489  		input = &AssumeRoleWithWebIdentityInput{}
   490  	}
   491  
   492  	output = &AssumeRoleWithWebIdentityOutput{}
   493  	req = c.newRequest(op, input, output)
   494  	req.Config.Credentials = credentials.AnonymousCredentials
   495  	return
   496  }
   497  
   498  // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
   499  //
   500  // Returns a set of temporary security credentials for users who have been authenticated
   501  // in a mobile or web application with a web identity provider. Example providers
   502  // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
   503  // Connect-compatible identity provider.
   504  //
   505  // For mobile applications, we recommend that you use Amazon Cognito. You can
   506  // use Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide
   507  // (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android
   508  // Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify
   509  // a user. You can also supply the user with a consistent identity throughout
   510  // the lifetime of an application.
   511  //
   512  // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
   513  // in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
   514  // Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
   515  // in the Amazon Web Services SDK for iOS Developer Guide.
   516  //
   517  // Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
   518  // Services security credentials. Therefore, you can distribute an application
   519  // (for example, on mobile devices) that requests temporary security credentials
   520  // without including long-term Amazon Web Services credentials in the application.
   521  // You also don't need to deploy server-based proxy services that use long-term
   522  // Amazon Web Services credentials. Instead, the identity of the caller is validated
   523  // by using a token from the web identity provider. For a comparison of AssumeRoleWithWebIdentity
   524  // with the other API operations that produce temporary credentials, see Requesting
   525  // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
   526  // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
   527  // in the IAM User Guide.
   528  //
   529  // The temporary security credentials returned by this API consist of an access
   530  // key ID, a secret access key, and a security token. Applications can use these
   531  // temporary security credentials to sign calls to Amazon Web Services service
   532  // API operations.
   533  //
   534  // Session Duration
   535  //
   536  // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
   537  // last for one hour. However, you can use the optional DurationSeconds parameter
   538  // to specify the duration of your session. You can provide a value from 900
   539  // seconds (15 minutes) up to the maximum session duration setting for the role.
   540  // This setting can have a value from 1 hour to 12 hours. To learn how to view
   541  // the maximum value for your role, see View the Maximum Session Duration Setting
   542  // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
   543  // in the IAM User Guide. The maximum session duration limit applies when you
   544  // use the AssumeRole* API operations or the assume-role* CLI commands. However
   545  // the limit does not apply when you use those operations to create a console
   546  // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
   547  // in the IAM User Guide.
   548  //
   549  // Permissions
   550  //
   551  // The temporary security credentials created by AssumeRoleWithWebIdentity can
   552  // be used to make API calls to any Amazon Web Services service with the following
   553  // exception: you cannot call the STS GetFederationToken or GetSessionToken
   554  // API operations.
   555  //
   556  // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
   557  // to this operation. You can pass a single JSON policy document to use as an
   558  // inline session policy. You can also specify up to 10 managed policies to
   559  // use as managed session policies. The plaintext that you use for both inline
   560  // and managed session policies can't exceed 2,048 characters. Passing policies
   561  // to this operation returns new temporary credentials. The resulting session's
   562  // permissions are the intersection of the role's identity-based policy and
   563  // the session policies. You can use the role's temporary credentials in subsequent
   564  // Amazon Web Services API calls to access resources in the account that owns
   565  // the role. You cannot use session policies to grant more permissions than
   566  // those allowed by the identity-based policy of the role that is being assumed.
   567  // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
   568  // in the IAM User Guide.
   569  //
   570  // Tags
   571  //
   572  // (Optional) You can configure your IdP to pass attributes into your web identity
   573  // token as session tags. Each session tag consists of a key name and an associated
   574  // value. For more information about session tags, see Passing Session Tags
   575  // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   576  // in the IAM User Guide.
   577  //
   578  // You can pass up to 50 session tags. The plaintext session tag keys can’t
   579  // exceed 128 characters and the values can’t exceed 256 characters. For these
   580  // and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
   581  // in the IAM User Guide.
   582  //
   583  // An Amazon Web Services conversion compresses the passed session policies
   584  // and session tags into a packed binary format that has a separate limit. Your
   585  // request can fail for this limit even if your plaintext meets the other requirements.
   586  // The PackedPolicySize response element indicates by percentage how close the
   587  // policies and tags for your request are to the upper size limit.
   588  //
   589  // You can pass a session tag with the same key as a tag that is attached to
   590  // the role. When you do, the session tag overrides the role tag with the same
   591  // key.
   592  //
   593  // An administrator must grant you the permissions necessary to pass session
   594  // tags. The administrator can also create granular permissions to allow you
   595  // to pass only specific session tags. For more information, see Tutorial: Using
   596  // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
   597  // in the IAM User Guide.
   598  //
   599  // You can set the session tags as transitive. Transitive tags persist during
   600  // role chaining. For more information, see Chaining Roles with Session Tags
   601  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
   602  // in the IAM User Guide.
   603  //
   604  // Identities
   605  //
   606  // Before your application can call AssumeRoleWithWebIdentity, you must have
   607  // an identity token from a supported identity provider and create a role that
   608  // the application can assume. The role that your application assumes must trust
   609  // the identity provider that is associated with the identity token. In other
   610  // words, the identity provider must be specified in the role's trust policy.
   611  //
   612  // Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
   613  // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
   614  // of the provided web identity token. We recommend that you avoid using any
   615  // personally identifiable information (PII) in this field. For example, you
   616  // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
   617  // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
   618  //
   619  // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
   620  // API, see the following resources:
   621  //
   622  //    * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
   623  //    and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
   624  //
   625  //    * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/).
   626  //    Walk through the process of authenticating through Login with Amazon,
   627  //    Facebook, or Google, getting temporary security credentials, and then
   628  //    using those credentials to make a request to Amazon Web Services.
   629  //
   630  //    * Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
   631  //    and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
   632  //    These toolkits contain sample apps that show how to invoke the identity
   633  //    providers. The toolkits then show how to use the information from these
   634  //    providers to get and use temporary security credentials.
   635  //
   636  //    * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
   637  //    This article discusses web identity federation and shows an example of
   638  //    how to use web identity federation to get access to content in Amazon
   639  //    S3.
   640  //
   641  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   642  // with awserr.Error's Code and Message methods to get detailed information about
   643  // the error.
   644  //
   645  // See the AWS API reference guide for AWS Security Token Service's
   646  // API operation AssumeRoleWithWebIdentity for usage and error information.
   647  //
   648  // Returned Error Codes:
   649  //   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
   650  //   The request was rejected because the policy document was malformed. The error
   651  //   message describes the specific error.
   652  //
   653  //   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
   654  //   The request was rejected because the total packed size of the session policies
   655  //   and session tags combined was too large. An Amazon Web Services conversion
   656  //   compresses the session policy document, session policy ARNs, and session
   657  //   tags into a packed binary format that has a separate limit. The error message
   658  //   indicates by percentage how close the policies and tags are to the upper
   659  //   size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
   660  //   in the IAM User Guide.
   661  //
   662  //   You could receive this error even though you meet other defined session policy
   663  //   and session tag limits. For more information, see IAM and STS Entity Character
   664  //   Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   665  //   in the IAM User Guide.
   666  //
   667  //   * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
   668  //   The identity provider (IdP) reported that authentication failed. This might
   669  //   be because the claim is invalid.
   670  //
   671  //   If this error is returned for the AssumeRoleWithWebIdentity operation, it
   672  //   can also mean that the claim has expired or has been explicitly revoked.
   673  //
   674  //   * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
   675  //   The request could not be fulfilled because the identity provider (IDP) that
   676  //   was asked to verify the incoming identity token could not be reached. This
   677  //   is often a transient error caused by network conditions. Retry the request
   678  //   a limited number of times so that you don't exceed the request rate. If the
   679  //   error persists, the identity provider might be down or not responding.
   680  //
   681  //   * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
   682  //   The web identity token that was passed could not be validated by Amazon Web
   683  //   Services. Get a new identity token from the identity provider and then retry
   684  //   the request.
   685  //
   686  //   * ErrCodeExpiredTokenException "ExpiredTokenException"
   687  //   The web identity token that was passed is expired or is not valid. Get a
   688  //   new identity token from the identity provider and then retry the request.
   689  //
   690  //   * ErrCodeRegionDisabledException "RegionDisabledException"
   691  //   STS is not activated in the requested region for the account that is being
   692  //   asked to generate credentials. The account administrator must use the IAM
   693  //   console to activate STS in that region. For more information, see Activating
   694  //   and Deactivating Amazon Web Services STS in an Amazon Web Services Region
   695  //   (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
   696  //   in the IAM User Guide.
   697  //
   698  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
   699  func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
   700  	req, out := c.AssumeRoleWithWebIdentityRequest(input)
   701  	return out, req.Send()
   702  }
   703  
   704  // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of
   705  // the ability to pass a context and additional request options.
   706  //
   707  // See AssumeRoleWithWebIdentity for details on how to use this API operation.
   708  //
   709  // The context must be non-nil and will be used for request cancellation. If
   710  // the context is nil a panic will occur. In the future the SDK may create
   711  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
   712  // for more information on using Contexts.
   713  func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) {
   714  	req, out := c.AssumeRoleWithWebIdentityRequest(input)
   715  	req.SetContext(ctx)
   716  	req.ApplyOptions(opts...)
   717  	return out, req.Send()
   718  }
   719  
   720  const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
   721  
   722  // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
   723  // client's request for the DecodeAuthorizationMessage operation. The "output" return
   724  // value will be populated with the request's response once the request completes
   725  // successfully.
   726  //
   727  // Use "Send" method on the returned Request to send the API call to the service.
   728  // the "output" return value is not valid until after Send returns without error.
   729  //
   730  // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage
   731  // API call, and error handling.
   732  //
   733  // This method is useful when you want to inject custom logic or configuration
   734  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
   735  //
   736  //
   737  //    // Example sending a request using the DecodeAuthorizationMessageRequest method.
   738  //    req, resp := client.DecodeAuthorizationMessageRequest(params)
   739  //
   740  //    err := req.Send()
   741  //    if err == nil { // resp is now filled
   742  //        fmt.Println(resp)
   743  //    }
   744  //
   745  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
   746  func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) {
   747  	op := &request.Operation{
   748  		Name:       opDecodeAuthorizationMessage,
   749  		HTTPMethod: "POST",
   750  		HTTPPath:   "/",
   751  	}
   752  
   753  	if input == nil {
   754  		input = &DecodeAuthorizationMessageInput{}
   755  	}
   756  
   757  	output = &DecodeAuthorizationMessageOutput{}
   758  	req = c.newRequest(op, input, output)
   759  	return
   760  }
   761  
   762  // DecodeAuthorizationMessage API operation for AWS Security Token Service.
   763  //
   764  // Decodes additional information about the authorization status of a request
   765  // from an encoded message returned in response to an Amazon Web Services request.
   766  //
   767  // For example, if a user is not authorized to perform an operation that he
   768  // or she has requested, the request returns a Client.UnauthorizedOperation
   769  // response (an HTTP 403 response). Some Amazon Web Services operations additionally
   770  // return an encoded message that can provide details about this authorization
   771  // failure.
   772  //
   773  // Only certain Amazon Web Services operations return an encoded authorization
   774  // message. The documentation for an individual operation indicates whether
   775  // that operation returns an encoded message in addition to returning an HTTP
   776  // code.
   777  //
   778  // The message is encoded because the details of the authorization status can
   779  // constitute privileged information that the user who requested the operation
   780  // should not see. To decode an authorization status message, a user must be
   781  // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
   782  // (sts:DecodeAuthorizationMessage) action.
   783  //
   784  // The decoded message includes the following type of information:
   785  //
   786  //    * Whether the request was denied due to an explicit deny or due to the
   787  //    absence of an explicit allow. For more information, see Determining Whether
   788  //    a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
   789  //    in the IAM User Guide.
   790  //
   791  //    * The principal who made the request.
   792  //
   793  //    * The requested action.
   794  //
   795  //    * The requested resource.
   796  //
   797  //    * The values of condition keys in the context of the user's request.
   798  //
   799  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   800  // with awserr.Error's Code and Message methods to get detailed information about
   801  // the error.
   802  //
   803  // See the AWS API reference guide for AWS Security Token Service's
   804  // API operation DecodeAuthorizationMessage for usage and error information.
   805  //
   806  // Returned Error Codes:
   807  //   * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
   808  //   The error returned if the message passed to DecodeAuthorizationMessage was
   809  //   invalid. This can happen if the token contains invalid characters, such as
   810  //   linebreaks.
   811  //
   812  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
   813  func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
   814  	req, out := c.DecodeAuthorizationMessageRequest(input)
   815  	return out, req.Send()
   816  }
   817  
   818  // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of
   819  // the ability to pass a context and additional request options.
   820  //
   821  // See DecodeAuthorizationMessage for details on how to use this API operation.
   822  //
   823  // The context must be non-nil and will be used for request cancellation. If
   824  // the context is nil a panic will occur. In the future the SDK may create
   825  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
   826  // for more information on using Contexts.
   827  func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) {
   828  	req, out := c.DecodeAuthorizationMessageRequest(input)
   829  	req.SetContext(ctx)
   830  	req.ApplyOptions(opts...)
   831  	return out, req.Send()
   832  }
   833  
   834  const opGetAccessKeyInfo = "GetAccessKeyInfo"
   835  
   836  // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the
   837  // client's request for the GetAccessKeyInfo operation. The "output" return
   838  // value will be populated with the request's response once the request completes
   839  // successfully.
   840  //
   841  // Use "Send" method on the returned Request to send the API call to the service.
   842  // the "output" return value is not valid until after Send returns without error.
   843  //
   844  // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo
   845  // API call, and error handling.
   846  //
   847  // This method is useful when you want to inject custom logic or configuration
   848  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
   849  //
   850  //
   851  //    // Example sending a request using the GetAccessKeyInfoRequest method.
   852  //    req, resp := client.GetAccessKeyInfoRequest(params)
   853  //
   854  //    err := req.Send()
   855  //    if err == nil { // resp is now filled
   856  //        fmt.Println(resp)
   857  //    }
   858  //
   859  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
   860  func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) {
   861  	op := &request.Operation{
   862  		Name:       opGetAccessKeyInfo,
   863  		HTTPMethod: "POST",
   864  		HTTPPath:   "/",
   865  	}
   866  
   867  	if input == nil {
   868  		input = &GetAccessKeyInfoInput{}
   869  	}
   870  
   871  	output = &GetAccessKeyInfoOutput{}
   872  	req = c.newRequest(op, input, output)
   873  	return
   874  }
   875  
   876  // GetAccessKeyInfo API operation for AWS Security Token Service.
   877  //
   878  // Returns the account identifier for the specified access key ID.
   879  //
   880  // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
   881  // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
   882  // For more information about access keys, see Managing Access Keys for IAM
   883  // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
   884  // in the IAM User Guide.
   885  //
   886  // When you pass an access key ID to this operation, it returns the ID of the
   887  // Amazon Web Services account to which the keys belong. Access key IDs beginning
   888  // with AKIA are long-term credentials for an IAM user or the Amazon Web Services
   889  // account root user. Access key IDs beginning with ASIA are temporary credentials
   890  // that are created using STS operations. If the account in the response belongs
   891  // to you, you can sign in as the root user and review your root user access
   892  // keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
   893  // to learn which IAM user owns the keys. To learn who requested the temporary
   894  // credentials for an ASIA access key, view the STS events in your CloudTrail
   895  // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
   896  // in the IAM User Guide.
   897  //
   898  // This operation does not indicate the state of the access key. The key might
   899  // be active, inactive, or deleted. Active keys might not have permissions to
   900  // perform an operation. Providing a deleted access key might return an error
   901  // that the key doesn't exist.
   902  //
   903  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   904  // with awserr.Error's Code and Message methods to get detailed information about
   905  // the error.
   906  //
   907  // See the AWS API reference guide for AWS Security Token Service's
   908  // API operation GetAccessKeyInfo for usage and error information.
   909  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
   910  func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) {
   911  	req, out := c.GetAccessKeyInfoRequest(input)
   912  	return out, req.Send()
   913  }
   914  
   915  // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of
   916  // the ability to pass a context and additional request options.
   917  //
   918  // See GetAccessKeyInfo for details on how to use this API operation.
   919  //
   920  // The context must be non-nil and will be used for request cancellation. If
   921  // the context is nil a panic will occur. In the future the SDK may create
   922  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
   923  // for more information on using Contexts.
   924  func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) {
   925  	req, out := c.GetAccessKeyInfoRequest(input)
   926  	req.SetContext(ctx)
   927  	req.ApplyOptions(opts...)
   928  	return out, req.Send()
   929  }
   930  
   931  const opGetCallerIdentity = "GetCallerIdentity"
   932  
   933  // GetCallerIdentityRequest generates a "aws/request.Request" representing the
   934  // client's request for the GetCallerIdentity operation. The "output" return
   935  // value will be populated with the request's response once the request completes
   936  // successfully.
   937  //
   938  // Use "Send" method on the returned Request to send the API call to the service.
   939  // the "output" return value is not valid until after Send returns without error.
   940  //
   941  // See GetCallerIdentity for more information on using the GetCallerIdentity
   942  // API call, and error handling.
   943  //
   944  // This method is useful when you want to inject custom logic or configuration
   945  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
   946  //
   947  //
   948  //    // Example sending a request using the GetCallerIdentityRequest method.
   949  //    req, resp := client.GetCallerIdentityRequest(params)
   950  //
   951  //    err := req.Send()
   952  //    if err == nil { // resp is now filled
   953  //        fmt.Println(resp)
   954  //    }
   955  //
   956  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
   957  func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) {
   958  	op := &request.Operation{
   959  		Name:       opGetCallerIdentity,
   960  		HTTPMethod: "POST",
   961  		HTTPPath:   "/",
   962  	}
   963  
   964  	if input == nil {
   965  		input = &GetCallerIdentityInput{}
   966  	}
   967  
   968  	output = &GetCallerIdentityOutput{}
   969  	req = c.newRequest(op, input, output)
   970  	return
   971  }
   972  
   973  // GetCallerIdentity API operation for AWS Security Token Service.
   974  //
   975  // Returns details about the IAM user or role whose credentials are used to
   976  // call the operation.
   977  //
   978  // No permissions are required to perform this operation. If an administrator
   979  // adds a policy to your IAM user or role that explicitly denies access to the
   980  // sts:GetCallerIdentity action, you can still perform this operation. Permissions
   981  // are not required because the same information is returned when an IAM user
   982  // or role is denied access. To view an example response, see I Am Not Authorized
   983  // to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
   984  // in the IAM User Guide.
   985  //
   986  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
   987  // with awserr.Error's Code and Message methods to get detailed information about
   988  // the error.
   989  //
   990  // See the AWS API reference guide for AWS Security Token Service's
   991  // API operation GetCallerIdentity for usage and error information.
   992  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
   993  func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
   994  	req, out := c.GetCallerIdentityRequest(input)
   995  	return out, req.Send()
   996  }
   997  
   998  // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of
   999  // the ability to pass a context and additional request options.
  1000  //
  1001  // See GetCallerIdentity for details on how to use this API operation.
  1002  //
  1003  // The context must be non-nil and will be used for request cancellation. If
  1004  // the context is nil a panic will occur. In the future the SDK may create
  1005  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
  1006  // for more information on using Contexts.
  1007  func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) {
  1008  	req, out := c.GetCallerIdentityRequest(input)
  1009  	req.SetContext(ctx)
  1010  	req.ApplyOptions(opts...)
  1011  	return out, req.Send()
  1012  }
  1013  
  1014  const opGetFederationToken = "GetFederationToken"
  1015  
  1016  // GetFederationTokenRequest generates a "aws/request.Request" representing the
  1017  // client's request for the GetFederationToken operation. The "output" return
  1018  // value will be populated with the request's response once the request completes
  1019  // successfully.
  1020  //
  1021  // Use "Send" method on the returned Request to send the API call to the service.
  1022  // the "output" return value is not valid until after Send returns without error.
  1023  //
  1024  // See GetFederationToken for more information on using the GetFederationToken
  1025  // API call, and error handling.
  1026  //
  1027  // This method is useful when you want to inject custom logic or configuration
  1028  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
  1029  //
  1030  //
  1031  //    // Example sending a request using the GetFederationTokenRequest method.
  1032  //    req, resp := client.GetFederationTokenRequest(params)
  1033  //
  1034  //    err := req.Send()
  1035  //    if err == nil { // resp is now filled
  1036  //        fmt.Println(resp)
  1037  //    }
  1038  //
  1039  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
  1040  func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) {
  1041  	op := &request.Operation{
  1042  		Name:       opGetFederationToken,
  1043  		HTTPMethod: "POST",
  1044  		HTTPPath:   "/",
  1045  	}
  1046  
  1047  	if input == nil {
  1048  		input = &GetFederationTokenInput{}
  1049  	}
  1050  
  1051  	output = &GetFederationTokenOutput{}
  1052  	req = c.newRequest(op, input, output)
  1053  	return
  1054  }
  1055  
  1056  // GetFederationToken API operation for AWS Security Token Service.
  1057  //
  1058  // Returns a set of temporary security credentials (consisting of an access
  1059  // key ID, a secret access key, and a security token) for a federated user.
  1060  // A typical use is in a proxy application that gets temporary security credentials
  1061  // on behalf of distributed applications inside a corporate network. You must
  1062  // call the GetFederationToken operation using the long-term security credentials
  1063  // of an IAM user. As a result, this call is appropriate in contexts where those
  1064  // credentials can be safely stored, usually in a server-based application.
  1065  // For a comparison of GetFederationToken with the other API operations that
  1066  // produce temporary credentials, see Requesting Temporary Security Credentials
  1067  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
  1068  // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
  1069  // in the IAM User Guide.
  1070  //
  1071  // You can create a mobile-based or browser-based app that can authenticate
  1072  // users using a web identity provider like Login with Amazon, Facebook, Google,
  1073  // or an OpenID Connect-compatible identity provider. In this case, we recommend
  1074  // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
  1075  // For more information, see Federation Through a Web-based Identity Provider
  1076  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
  1077  // in the IAM User Guide.
  1078  //
  1079  // You can also call GetFederationToken using the security credentials of an
  1080  // Amazon Web Services account root user, but we do not recommend it. Instead,
  1081  // we recommend that you create an IAM user for the purpose of the proxy application.
  1082  // Then attach a policy to the IAM user that limits federated users to only
  1083  // the actions and resources that they need to access. For more information,
  1084  // see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
  1085  // in the IAM User Guide.
  1086  //
  1087  // Session duration
  1088  //
  1089  // The temporary credentials are valid for the specified duration, from 900
  1090  // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
  1091  // session duration is 43,200 seconds (12 hours). Temporary credentials that
  1092  // are obtained by using Amazon Web Services account root user credentials have
  1093  // a maximum duration of 3,600 seconds (1 hour).
  1094  //
  1095  // Permissions
  1096  //
  1097  // You can use the temporary credentials created by GetFederationToken in any
  1098  // Amazon Web Services service except the following:
  1099  //
  1100  //    * You cannot call any IAM operations using the CLI or the Amazon Web Services
  1101  //    API.
  1102  //
  1103  //    * You cannot call any STS operations except GetCallerIdentity.
  1104  //
  1105  // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1106  // to this operation. You can pass a single JSON policy document to use as an
  1107  // inline session policy. You can also specify up to 10 managed policies to
  1108  // use as managed session policies. The plaintext that you use for both inline
  1109  // and managed session policies can't exceed 2,048 characters.
  1110  //
  1111  // Though the session policy parameters are optional, if you do not pass a policy,
  1112  // then the resulting federated user session has no permissions. When you pass
  1113  // session policies, the session permissions are the intersection of the IAM
  1114  // user policies and the session policies that you pass. This gives you a way
  1115  // to further restrict the permissions for a federated user. You cannot use
  1116  // session policies to grant more permissions than those that are defined in
  1117  // the permissions policy of the IAM user. For more information, see Session
  1118  // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1119  // in the IAM User Guide. For information about using GetFederationToken to
  1120  // create temporary security credentials, see GetFederationToken—Federation
  1121  // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
  1122  //
  1123  // You can use the credentials to access a resource that has a resource-based
  1124  // policy. If that policy specifically references the federated user session
  1125  // in the Principal element of the policy, the session has the permissions allowed
  1126  // by the policy. These permissions are granted in addition to the permissions
  1127  // granted by the session policies.
  1128  //
  1129  // Tags
  1130  //
  1131  // (Optional) You can pass tag key-value pairs to your session. These are called
  1132  // session tags. For more information about session tags, see Passing Session
  1133  // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
  1134  // in the IAM User Guide.
  1135  //
  1136  // You can create a mobile-based or browser-based app that can authenticate
  1137  // users using a web identity provider like Login with Amazon, Facebook, Google,
  1138  // or an OpenID Connect-compatible identity provider. In this case, we recommend
  1139  // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
  1140  // For more information, see Federation Through a Web-based Identity Provider
  1141  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
  1142  // in the IAM User Guide.
  1143  //
  1144  // You can also call GetFederationToken using the security credentials of an
  1145  // Amazon Web Services account root user, but we do not recommend it. Instead,
  1146  // we recommend that you create an IAM user for the purpose of the proxy application.
  1147  // Then attach a policy to the IAM user that limits federated users to only
  1148  // the actions and resources that they need to access. For more information,
  1149  // see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
  1150  // in the IAM User Guide.
  1151  //
  1152  // Session duration
  1153  //
  1154  // The temporary credentials are valid for the specified duration, from 900
  1155  // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
  1156  // session duration is 43,200 seconds (12 hours). Temporary credentials that
  1157  // are obtained by using Amazon Web Services account root user credentials have
  1158  // a maximum duration of 3,600 seconds (1 hour).
  1159  //
  1160  // Permissions
  1161  //
  1162  // You can use the temporary credentials created by GetFederationToken in any
  1163  // Amazon Web Services service except the following:
  1164  //
  1165  //    * You cannot call any IAM operations using the CLI or the Amazon Web Services
  1166  //    API.
  1167  //
  1168  //    * You cannot call any STS operations except GetCallerIdentity.
  1169  //
  1170  // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1171  // to this operation. You can pass a single JSON policy document to use as an
  1172  // inline session policy. You can also specify up to 10 managed policies to
  1173  // use as managed session policies. The plain text that you use for both inline
  1174  // and managed session policies can't exceed 2,048 characters.
  1175  //
  1176  // Though the session policy parameters are optional, if you do not pass a policy,
  1177  // then the resulting federated user session has no permissions. When you pass
  1178  // session policies, the session permissions are the intersection of the IAM
  1179  // user policies and the session policies that you pass. This gives you a way
  1180  // to further restrict the permissions for a federated user. You cannot use
  1181  // session policies to grant more permissions than those that are defined in
  1182  // the permissions policy of the IAM user. For more information, see Session
  1183  // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1184  // in the IAM User Guide. For information about using GetFederationToken to
  1185  // create temporary security credentials, see GetFederationToken—Federation
  1186  // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
  1187  //
  1188  // You can use the credentials to access a resource that has a resource-based
  1189  // policy. If that policy specifically references the federated user session
  1190  // in the Principal element of the policy, the session has the permissions allowed
  1191  // by the policy. These permissions are granted in addition to the permissions
  1192  // granted by the session policies.
  1193  //
  1194  // Tags
  1195  //
  1196  // (Optional) You can pass tag key-value pairs to your session. These are called
  1197  // session tags. For more information about session tags, see Passing Session
  1198  // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
  1199  // in the IAM User Guide.
  1200  //
  1201  // An administrator must grant you the permissions necessary to pass session
  1202  // tags. The administrator can also create granular permissions to allow you
  1203  // to pass only specific session tags. For more information, see Tutorial: Using
  1204  // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
  1205  // in the IAM User Guide.
  1206  //
  1207  // Tag key–value pairs are not case sensitive, but case is preserved. This
  1208  // means that you cannot have separate Department and department tag keys. Assume
  1209  // that the user that you are federating has the Department=Marketing tag and
  1210  // you pass the department=engineering session tag. Department and department
  1211  // are not saved as separate tags, and the session tag passed in the request
  1212  // takes precedence over the user tag.
  1213  //
  1214  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
  1215  // with awserr.Error's Code and Message methods to get detailed information about
  1216  // the error.
  1217  //
  1218  // See the AWS API reference guide for AWS Security Token Service's
  1219  // API operation GetFederationToken for usage and error information.
  1220  //
  1221  // Returned Error Codes:
  1222  //   * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
  1223  //   The request was rejected because the policy document was malformed. The error
  1224  //   message describes the specific error.
  1225  //
  1226  //   * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
  1227  //   The request was rejected because the total packed size of the session policies
  1228  //   and session tags combined was too large. An Amazon Web Services conversion
  1229  //   compresses the session policy document, session policy ARNs, and session
  1230  //   tags into a packed binary format that has a separate limit. The error message
  1231  //   indicates by percentage how close the policies and tags are to the upper
  1232  //   size limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
  1233  //   in the IAM User Guide.
  1234  //
  1235  //   You could receive this error even though you meet other defined session policy
  1236  //   and session tag limits. For more information, see IAM and STS Entity Character
  1237  //   Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
  1238  //   in the IAM User Guide.
  1239  //
  1240  //   * ErrCodeRegionDisabledException "RegionDisabledException"
  1241  //   STS is not activated in the requested region for the account that is being
  1242  //   asked to generate credentials. The account administrator must use the IAM
  1243  //   console to activate STS in that region. For more information, see Activating
  1244  //   and Deactivating Amazon Web Services STS in an Amazon Web Services Region
  1245  //   (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
  1246  //   in the IAM User Guide.
  1247  //
  1248  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
  1249  func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
  1250  	req, out := c.GetFederationTokenRequest(input)
  1251  	return out, req.Send()
  1252  }
  1253  
  1254  // GetFederationTokenWithContext is the same as GetFederationToken with the addition of
  1255  // the ability to pass a context and additional request options.
  1256  //
  1257  // See GetFederationToken for details on how to use this API operation.
  1258  //
  1259  // The context must be non-nil and will be used for request cancellation. If
  1260  // the context is nil a panic will occur. In the future the SDK may create
  1261  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
  1262  // for more information on using Contexts.
  1263  func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) {
  1264  	req, out := c.GetFederationTokenRequest(input)
  1265  	req.SetContext(ctx)
  1266  	req.ApplyOptions(opts...)
  1267  	return out, req.Send()
  1268  }
  1269  
  1270  const opGetSessionToken = "GetSessionToken"
  1271  
  1272  // GetSessionTokenRequest generates a "aws/request.Request" representing the
  1273  // client's request for the GetSessionToken operation. The "output" return
  1274  // value will be populated with the request's response once the request completes
  1275  // successfully.
  1276  //
  1277  // Use "Send" method on the returned Request to send the API call to the service.
  1278  // the "output" return value is not valid until after Send returns without error.
  1279  //
  1280  // See GetSessionToken for more information on using the GetSessionToken
  1281  // API call, and error handling.
  1282  //
  1283  // This method is useful when you want to inject custom logic or configuration
  1284  // into the SDK's request lifecycle. Such as custom headers, or retry logic.
  1285  //
  1286  //
  1287  //    // Example sending a request using the GetSessionTokenRequest method.
  1288  //    req, resp := client.GetSessionTokenRequest(params)
  1289  //
  1290  //    err := req.Send()
  1291  //    if err == nil { // resp is now filled
  1292  //        fmt.Println(resp)
  1293  //    }
  1294  //
  1295  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
  1296  func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) {
  1297  	op := &request.Operation{
  1298  		Name:       opGetSessionToken,
  1299  		HTTPMethod: "POST",
  1300  		HTTPPath:   "/",
  1301  	}
  1302  
  1303  	if input == nil {
  1304  		input = &GetSessionTokenInput{}
  1305  	}
  1306  
  1307  	output = &GetSessionTokenOutput{}
  1308  	req = c.newRequest(op, input, output)
  1309  	return
  1310  }
  1311  
  1312  // GetSessionToken API operation for AWS Security Token Service.
  1313  //
  1314  // Returns a set of temporary credentials for an Amazon Web Services account
  1315  // or IAM user. The credentials consist of an access key ID, a secret access
  1316  // key, and a security token. Typically, you use GetSessionToken if you want
  1317  // to use MFA to protect programmatic calls to specific Amazon Web Services
  1318  // API operations like Amazon EC2 StopInstances. MFA-enabled IAM users would
  1319  // need to call GetSessionToken and submit an MFA code that is associated with
  1320  // their MFA device. Using the temporary security credentials that are returned
  1321  // from the call, IAM users can then make programmatic calls to API operations
  1322  // that require MFA authentication. If you do not supply a correct MFA code,
  1323  // then the API returns an access denied error. For a comparison of GetSessionToken
  1324  // with the other API operations that produce temporary credentials, see Requesting
  1325  // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
  1326  // and Comparing the STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
  1327  // in the IAM User Guide.
  1328  //
  1329  // Session Duration
  1330  //
  1331  // The GetSessionToken operation must be called by using the long-term Amazon
  1332  // Web Services security credentials of the Amazon Web Services account root
  1333  // user or an IAM user. Credentials that are created by IAM users are valid
  1334  // for the duration that you specify. This duration can range from 900 seconds
  1335  // (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
  1336  // of 43,200 seconds (12 hours). Credentials based on account credentials can
  1337  // range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour), with a
  1338  // default of 1 hour.
  1339  //
  1340  // Permissions
  1341  //
  1342  // The temporary security credentials created by GetSessionToken can be used
  1343  // to make API calls to any Amazon Web Services service with the following exceptions:
  1344  //
  1345  //    * You cannot call any IAM API operations unless MFA authentication information
  1346  //    is included in the request.
  1347  //
  1348  //    * You cannot call any STS API except AssumeRole or GetCallerIdentity.
  1349  //
  1350  // We recommend that you do not call GetSessionToken with Amazon Web Services
  1351  // account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
  1352  // by creating one or more IAM users, giving them the necessary permissions,
  1353  // and using IAM users for everyday interaction with Amazon Web Services.
  1354  //
  1355  // The credentials that are returned by GetSessionToken are based on permissions
  1356  // associated with the user whose credentials were used to call the operation.
  1357  // If GetSessionToken is called using Amazon Web Services account root user
  1358  // credentials, the temporary credentials have root user permissions. Similarly,
  1359  // if GetSessionToken is called using the credentials of an IAM user, the temporary
  1360  // credentials have the same permissions as the IAM user.
  1361  //
  1362  // For more information about using GetSessionToken to create temporary credentials,
  1363  // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
  1364  // in the IAM User Guide.
  1365  //
  1366  // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
  1367  // with awserr.Error's Code and Message methods to get detailed information about
  1368  // the error.
  1369  //
  1370  // See the AWS API reference guide for AWS Security Token Service's
  1371  // API operation GetSessionToken for usage and error information.
  1372  //
  1373  // Returned Error Codes:
  1374  //   * ErrCodeRegionDisabledException "RegionDisabledException"
  1375  //   STS is not activated in the requested region for the account that is being
  1376  //   asked to generate credentials. The account administrator must use the IAM
  1377  //   console to activate STS in that region. For more information, see Activating
  1378  //   and Deactivating Amazon Web Services STS in an Amazon Web Services Region
  1379  //   (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
  1380  //   in the IAM User Guide.
  1381  //
  1382  // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
  1383  func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
  1384  	req, out := c.GetSessionTokenRequest(input)
  1385  	return out, req.Send()
  1386  }
  1387  
  1388  // GetSessionTokenWithContext is the same as GetSessionToken with the addition of
  1389  // the ability to pass a context and additional request options.
  1390  //
  1391  // See GetSessionToken for details on how to use this API operation.
  1392  //
  1393  // The context must be non-nil and will be used for request cancellation. If
  1394  // the context is nil a panic will occur. In the future the SDK may create
  1395  // sub-contexts for http.Requests. See https://golang.org/pkg/context/
  1396  // for more information on using Contexts.
  1397  func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) {
  1398  	req, out := c.GetSessionTokenRequest(input)
  1399  	req.SetContext(ctx)
  1400  	req.ApplyOptions(opts...)
  1401  	return out, req.Send()
  1402  }
  1403  
  1404  type AssumeRoleInput struct {
  1405  	_ struct{} `type:"structure"`
  1406  
  1407  	// The duration, in seconds, of the role session. The value specified can can
  1408  	// range from 900 seconds (15 minutes) up to the maximum session duration that
  1409  	// is set for the role. The maximum session duration setting can have a value
  1410  	// from 1 hour to 12 hours. If you specify a value higher than this setting
  1411  	// or the administrator setting (whichever is lower), the operation fails. For
  1412  	// example, if you specify a session duration of 12 hours, but your administrator
  1413  	// set the maximum session duration to 6 hours, your operation fails. To learn
  1414  	// how to view the maximum value for your role, see View the Maximum Session
  1415  	// Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
  1416  	// in the IAM User Guide.
  1417  	//
  1418  	// By default, the value is set to 3600 seconds.
  1419  	//
  1420  	// The DurationSeconds parameter is separate from the duration of a console
  1421  	// session that you might request using the returned credentials. The request
  1422  	// to the federation endpoint for a console sign-in token takes a SessionDuration
  1423  	// parameter that specifies the maximum length of the console session. For more
  1424  	// information, see Creating a URL that Enables Federated Users to Access the
  1425  	// Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
  1426  	// in the IAM User Guide.
  1427  	DurationSeconds *int64 `min:"900" type:"integer"`
  1428  
  1429  	// A unique identifier that might be required when you assume a role in another
  1430  	// account. If the administrator of the account to which the role belongs provided
  1431  	// you with an external ID, then provide that value in the ExternalId parameter.
  1432  	// This value can be any string, such as a passphrase or account number. A cross-account
  1433  	// role is usually set up to trust everyone in an account. Therefore, the administrator
  1434  	// of the trusting account might send an external ID to the administrator of
  1435  	// the trusted account. That way, only someone with the ID can assume the role,
  1436  	// rather than everyone in the account. For more information about the external
  1437  	// ID, see How to Use an External ID When Granting Access to Your Amazon Web
  1438  	// Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
  1439  	// in the IAM User Guide.
  1440  	//
  1441  	// The regex used to validate this parameter is a string of characters consisting
  1442  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  1443  	// also include underscores or any of the following characters: =,.@:/-
  1444  	ExternalId *string `min:"2" type:"string"`
  1445  
  1446  	// An IAM policy in JSON format that you want to use as an inline session policy.
  1447  	//
  1448  	// This parameter is optional. Passing policies to this operation returns new
  1449  	// temporary credentials. The resulting session's permissions are the intersection
  1450  	// of the role's identity-based policy and the session policies. You can use
  1451  	// the role's temporary credentials in subsequent Amazon Web Services API calls
  1452  	// to access resources in the account that owns the role. You cannot use session
  1453  	// policies to grant more permissions than those allowed by the identity-based
  1454  	// policy of the role that is being assumed. For more information, see Session
  1455  	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1456  	// in the IAM User Guide.
  1457  	//
  1458  	// The plaintext that you use for both inline and managed session policies can't
  1459  	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
  1460  	// from the space character to the end of the valid character list (\u0020 through
  1461  	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
  1462  	// return (\u000D) characters.
  1463  	//
  1464  	// An Amazon Web Services conversion compresses the passed session policies
  1465  	// and session tags into a packed binary format that has a separate limit. Your
  1466  	// request can fail for this limit even if your plaintext meets the other requirements.
  1467  	// The PackedPolicySize response element indicates by percentage how close the
  1468  	// policies and tags for your request are to the upper size limit.
  1469  	Policy *string `min:"1" type:"string"`
  1470  
  1471  	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
  1472  	// to use as managed session policies. The policies must exist in the same account
  1473  	// as the role.
  1474  	//
  1475  	// This parameter is optional. You can provide up to 10 managed policy ARNs.
  1476  	// However, the plaintext that you use for both inline and managed session policies
  1477  	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
  1478  	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
  1479  	// in the Amazon Web Services General Reference.
  1480  	//
  1481  	// An Amazon Web Services conversion compresses the passed session policies
  1482  	// and session tags into a packed binary format that has a separate limit. Your
  1483  	// request can fail for this limit even if your plaintext meets the other requirements.
  1484  	// The PackedPolicySize response element indicates by percentage how close the
  1485  	// policies and tags for your request are to the upper size limit.
  1486  	//
  1487  	// Passing policies to this operation returns new temporary credentials. The
  1488  	// resulting session's permissions are the intersection of the role's identity-based
  1489  	// policy and the session policies. You can use the role's temporary credentials
  1490  	// in subsequent Amazon Web Services API calls to access resources in the account
  1491  	// that owns the role. You cannot use session policies to grant more permissions
  1492  	// than those allowed by the identity-based policy of the role that is being
  1493  	// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1494  	// in the IAM User Guide.
  1495  	PolicyArns []*PolicyDescriptorType `type:"list"`
  1496  
  1497  	// The Amazon Resource Name (ARN) of the role to assume.
  1498  	//
  1499  	// RoleArn is a required field
  1500  	RoleArn *string `min:"20" type:"string" required:"true"`
  1501  
  1502  	// An identifier for the assumed role session.
  1503  	//
  1504  	// Use the role session name to uniquely identify a session when the same role
  1505  	// is assumed by different principals or for different reasons. In cross-account
  1506  	// scenarios, the role session name is visible to, and can be logged by the
  1507  	// account that owns the role. The role session name is also used in the ARN
  1508  	// of the assumed role principal. This means that subsequent cross-account API
  1509  	// requests that use the temporary security credentials will expose the role
  1510  	// session name to the external account in their CloudTrail logs.
  1511  	//
  1512  	// The regex used to validate this parameter is a string of characters consisting
  1513  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  1514  	// also include underscores or any of the following characters: =,.@-
  1515  	//
  1516  	// RoleSessionName is a required field
  1517  	RoleSessionName *string `min:"2" type:"string" required:"true"`
  1518  
  1519  	// The identification number of the MFA device that is associated with the user
  1520  	// who is making the AssumeRole call. Specify this value if the trust policy
  1521  	// of the role being assumed includes a condition that requires MFA authentication.
  1522  	// The value is either the serial number for a hardware device (such as GAHT12345678)
  1523  	// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
  1524  	//
  1525  	// The regex used to validate this parameter is a string of characters consisting
  1526  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  1527  	// also include underscores or any of the following characters: =,.@-
  1528  	SerialNumber *string `min:"9" type:"string"`
  1529  
  1530  	// The source identity specified by the principal that is calling the AssumeRole
  1531  	// operation.
  1532  	//
  1533  	// You can require users to specify a source identity when they assume a role.
  1534  	// You do this by using the sts:SourceIdentity condition key in a role trust
  1535  	// policy. You can use source identity information in CloudTrail logs to determine
  1536  	// who took actions with a role. You can use the aws:SourceIdentity condition
  1537  	// key to further control access to Amazon Web Services resources based on the
  1538  	// value of source identity. For more information about using source identity,
  1539  	// see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
  1540  	// in the IAM User Guide.
  1541  	//
  1542  	// The regex used to validate this parameter is a string of characters consisting
  1543  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  1544  	// also include underscores or any of the following characters: =,.@-. You cannot
  1545  	// use a value that begins with the text aws:. This prefix is reserved for Amazon
  1546  	// Web Services internal use.
  1547  	SourceIdentity *string `min:"2" type:"string"`
  1548  
  1549  	// A list of session tags that you want to pass. Each session tag consists of
  1550  	// a key name and an associated value. For more information about session tags,
  1551  	// see Tagging STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
  1552  	// in the IAM User Guide.
  1553  	//
  1554  	// This parameter is optional. You can pass up to 50 session tags. The plaintext
  1555  	// session tag keys can’t exceed 128 characters, and the values can’t exceed
  1556  	// 256 characters. For these and additional limits, see IAM and STS Character
  1557  	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
  1558  	// in the IAM User Guide.
  1559  	//
  1560  	// An Amazon Web Services conversion compresses the passed session policies
  1561  	// and session tags into a packed binary format that has a separate limit. Your
  1562  	// request can fail for this limit even if your plaintext meets the other requirements.
  1563  	// The PackedPolicySize response element indicates by percentage how close the
  1564  	// policies and tags for your request are to the upper size limit.
  1565  	//
  1566  	// You can pass a session tag with the same key as a tag that is already attached
  1567  	// to the role. When you do, session tags override a role tag with the same
  1568  	// key.
  1569  	//
  1570  	// Tag key–value pairs are not case sensitive, but case is preserved. This
  1571  	// means that you cannot have separate Department and department tag keys. Assume
  1572  	// that the role has the Department=Marketing tag and you pass the department=engineering
  1573  	// session tag. Department and department are not saved as separate tags, and
  1574  	// the session tag passed in the request takes precedence over the role tag.
  1575  	//
  1576  	// Additionally, if you used temporary credentials to perform this operation,
  1577  	// the new session inherits any transitive session tags from the calling session.
  1578  	// If you pass a session tag with the same key as an inherited tag, the operation
  1579  	// fails. To view the inherited tags for a session, see the CloudTrail logs.
  1580  	// For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs)
  1581  	// in the IAM User Guide.
  1582  	Tags []*Tag `type:"list"`
  1583  
  1584  	// The value provided by the MFA device, if the trust policy of the role being
  1585  	// assumed requires MFA. (In other words, if the policy includes a condition
  1586  	// that tests for MFA). If the role being assumed requires MFA and if the TokenCode
  1587  	// value is missing or expired, the AssumeRole call returns an "access denied"
  1588  	// error.
  1589  	//
  1590  	// The format for this parameter, as described by its regex pattern, is a sequence
  1591  	// of six numeric digits.
  1592  	TokenCode *string `min:"6" type:"string"`
  1593  
  1594  	// A list of keys for session tags that you want to set as transitive. If you
  1595  	// set a tag key as transitive, the corresponding key and value passes to subsequent
  1596  	// sessions in a role chain. For more information, see Chaining Roles with Session
  1597  	// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
  1598  	// in the IAM User Guide.
  1599  	//
  1600  	// This parameter is optional. When you set session tags as transitive, the
  1601  	// session policy and session tags packed binary limit is not affected.
  1602  	//
  1603  	// If you choose not to specify a transitive tag key, then no tags are passed
  1604  	// from this session to any subsequent sessions.
  1605  	TransitiveTagKeys []*string `type:"list"`
  1606  }
  1607  
  1608  // String returns the string representation.
  1609  //
  1610  // API parameter values that are decorated as "sensitive" in the API will not
  1611  // be included in the string output. The member name will be present, but the
  1612  // value will be replaced with "sensitive".
  1613  func (s AssumeRoleInput) String() string {
  1614  	return awsutil.Prettify(s)
  1615  }
  1616  
  1617  // GoString returns the string representation.
  1618  //
  1619  // API parameter values that are decorated as "sensitive" in the API will not
  1620  // be included in the string output. The member name will be present, but the
  1621  // value will be replaced with "sensitive".
  1622  func (s AssumeRoleInput) GoString() string {
  1623  	return s.String()
  1624  }
  1625  
  1626  // Validate inspects the fields of the type to determine if they are valid.
  1627  func (s *AssumeRoleInput) Validate() error {
  1628  	invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"}
  1629  	if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
  1630  		invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
  1631  	}
  1632  	if s.ExternalId != nil && len(*s.ExternalId) < 2 {
  1633  		invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2))
  1634  	}
  1635  	if s.Policy != nil && len(*s.Policy) < 1 {
  1636  		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
  1637  	}
  1638  	if s.RoleArn == nil {
  1639  		invalidParams.Add(request.NewErrParamRequired("RoleArn"))
  1640  	}
  1641  	if s.RoleArn != nil && len(*s.RoleArn) < 20 {
  1642  		invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
  1643  	}
  1644  	if s.RoleSessionName == nil {
  1645  		invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
  1646  	}
  1647  	if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
  1648  		invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
  1649  	}
  1650  	if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
  1651  		invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
  1652  	}
  1653  	if s.SourceIdentity != nil && len(*s.SourceIdentity) < 2 {
  1654  		invalidParams.Add(request.NewErrParamMinLen("SourceIdentity", 2))
  1655  	}
  1656  	if s.TokenCode != nil && len(*s.TokenCode) < 6 {
  1657  		invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
  1658  	}
  1659  	if s.PolicyArns != nil {
  1660  		for i, v := range s.PolicyArns {
  1661  			if v == nil {
  1662  				continue
  1663  			}
  1664  			if err := v.Validate(); err != nil {
  1665  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
  1666  			}
  1667  		}
  1668  	}
  1669  	if s.Tags != nil {
  1670  		for i, v := range s.Tags {
  1671  			if v == nil {
  1672  				continue
  1673  			}
  1674  			if err := v.Validate(); err != nil {
  1675  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
  1676  			}
  1677  		}
  1678  	}
  1679  
  1680  	if invalidParams.Len() > 0 {
  1681  		return invalidParams
  1682  	}
  1683  	return nil
  1684  }
  1685  
  1686  // SetDurationSeconds sets the DurationSeconds field's value.
  1687  func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput {
  1688  	s.DurationSeconds = &v
  1689  	return s
  1690  }
  1691  
  1692  // SetExternalId sets the ExternalId field's value.
  1693  func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput {
  1694  	s.ExternalId = &v
  1695  	return s
  1696  }
  1697  
  1698  // SetPolicy sets the Policy field's value.
  1699  func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput {
  1700  	s.Policy = &v
  1701  	return s
  1702  }
  1703  
  1704  // SetPolicyArns sets the PolicyArns field's value.
  1705  func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput {
  1706  	s.PolicyArns = v
  1707  	return s
  1708  }
  1709  
  1710  // SetRoleArn sets the RoleArn field's value.
  1711  func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
  1712  	s.RoleArn = &v
  1713  	return s
  1714  }
  1715  
  1716  // SetRoleSessionName sets the RoleSessionName field's value.
  1717  func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput {
  1718  	s.RoleSessionName = &v
  1719  	return s
  1720  }
  1721  
  1722  // SetSerialNumber sets the SerialNumber field's value.
  1723  func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput {
  1724  	s.SerialNumber = &v
  1725  	return s
  1726  }
  1727  
  1728  // SetSourceIdentity sets the SourceIdentity field's value.
  1729  func (s *AssumeRoleInput) SetSourceIdentity(v string) *AssumeRoleInput {
  1730  	s.SourceIdentity = &v
  1731  	return s
  1732  }
  1733  
  1734  // SetTags sets the Tags field's value.
  1735  func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput {
  1736  	s.Tags = v
  1737  	return s
  1738  }
  1739  
  1740  // SetTokenCode sets the TokenCode field's value.
  1741  func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput {
  1742  	s.TokenCode = &v
  1743  	return s
  1744  }
  1745  
  1746  // SetTransitiveTagKeys sets the TransitiveTagKeys field's value.
  1747  func (s *AssumeRoleInput) SetTransitiveTagKeys(v []*string) *AssumeRoleInput {
  1748  	s.TransitiveTagKeys = v
  1749  	return s
  1750  }
  1751  
  1752  // Contains the response to a successful AssumeRole request, including temporary
  1753  // Amazon Web Services credentials that can be used to make Amazon Web Services
  1754  // requests.
  1755  type AssumeRoleOutput struct {
  1756  	_ struct{} `type:"structure"`
  1757  
  1758  	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
  1759  	// that you can use to refer to the resulting temporary security credentials.
  1760  	// For example, you can reference these credentials as a principal in a resource-based
  1761  	// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
  1762  	// that you specified when you called AssumeRole.
  1763  	AssumedRoleUser *AssumedRoleUser `type:"structure"`
  1764  
  1765  	// The temporary security credentials, which include an access key ID, a secret
  1766  	// access key, and a security (or session) token.
  1767  	//
  1768  	// The size of the security token that STS API operations return is not fixed.
  1769  	// We strongly recommend that you make no assumptions about the maximum size.
  1770  	Credentials *Credentials `type:"structure"`
  1771  
  1772  	// A percentage value that indicates the packed size of the session policies
  1773  	// and session tags combined passed in the request. The request fails if the
  1774  	// packed size is greater than 100 percent, which means the policies and tags
  1775  	// exceeded the allowed space.
  1776  	PackedPolicySize *int64 `type:"integer"`
  1777  
  1778  	// The source identity specified by the principal that is calling the AssumeRole
  1779  	// operation.
  1780  	//
  1781  	// You can require users to specify a source identity when they assume a role.
  1782  	// You do this by using the sts:SourceIdentity condition key in a role trust
  1783  	// policy. You can use source identity information in CloudTrail logs to determine
  1784  	// who took actions with a role. You can use the aws:SourceIdentity condition
  1785  	// key to further control access to Amazon Web Services resources based on the
  1786  	// value of source identity. For more information about using source identity,
  1787  	// see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
  1788  	// in the IAM User Guide.
  1789  	//
  1790  	// The regex used to validate this parameter is a string of characters consisting
  1791  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  1792  	// also include underscores or any of the following characters: =,.@-
  1793  	SourceIdentity *string `min:"2" type:"string"`
  1794  }
  1795  
  1796  // String returns the string representation.
  1797  //
  1798  // API parameter values that are decorated as "sensitive" in the API will not
  1799  // be included in the string output. The member name will be present, but the
  1800  // value will be replaced with "sensitive".
  1801  func (s AssumeRoleOutput) String() string {
  1802  	return awsutil.Prettify(s)
  1803  }
  1804  
  1805  // GoString returns the string representation.
  1806  //
  1807  // API parameter values that are decorated as "sensitive" in the API will not
  1808  // be included in the string output. The member name will be present, but the
  1809  // value will be replaced with "sensitive".
  1810  func (s AssumeRoleOutput) GoString() string {
  1811  	return s.String()
  1812  }
  1813  
  1814  // SetAssumedRoleUser sets the AssumedRoleUser field's value.
  1815  func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput {
  1816  	s.AssumedRoleUser = v
  1817  	return s
  1818  }
  1819  
  1820  // SetCredentials sets the Credentials field's value.
  1821  func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput {
  1822  	s.Credentials = v
  1823  	return s
  1824  }
  1825  
  1826  // SetPackedPolicySize sets the PackedPolicySize field's value.
  1827  func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput {
  1828  	s.PackedPolicySize = &v
  1829  	return s
  1830  }
  1831  
  1832  // SetSourceIdentity sets the SourceIdentity field's value.
  1833  func (s *AssumeRoleOutput) SetSourceIdentity(v string) *AssumeRoleOutput {
  1834  	s.SourceIdentity = &v
  1835  	return s
  1836  }
  1837  
  1838  type AssumeRoleWithSAMLInput struct {
  1839  	_ struct{} `type:"structure"`
  1840  
  1841  	// The duration, in seconds, of the role session. Your role session lasts for
  1842  	// the duration that you specify for the DurationSeconds parameter, or until
  1843  	// the time specified in the SAML authentication response's SessionNotOnOrAfter
  1844  	// value, whichever is shorter. You can provide a DurationSeconds value from
  1845  	// 900 seconds (15 minutes) up to the maximum session duration setting for the
  1846  	// role. This setting can have a value from 1 hour to 12 hours. If you specify
  1847  	// a value higher than this setting, the operation fails. For example, if you
  1848  	// specify a session duration of 12 hours, but your administrator set the maximum
  1849  	// session duration to 6 hours, your operation fails. To learn how to view the
  1850  	// maximum value for your role, see View the Maximum Session Duration Setting
  1851  	// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
  1852  	// in the IAM User Guide.
  1853  	//
  1854  	// By default, the value is set to 3600 seconds.
  1855  	//
  1856  	// The DurationSeconds parameter is separate from the duration of a console
  1857  	// session that you might request using the returned credentials. The request
  1858  	// to the federation endpoint for a console sign-in token takes a SessionDuration
  1859  	// parameter that specifies the maximum length of the console session. For more
  1860  	// information, see Creating a URL that Enables Federated Users to Access the
  1861  	// Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
  1862  	// in the IAM User Guide.
  1863  	DurationSeconds *int64 `min:"900" type:"integer"`
  1864  
  1865  	// An IAM policy in JSON format that you want to use as an inline session policy.
  1866  	//
  1867  	// This parameter is optional. Passing policies to this operation returns new
  1868  	// temporary credentials. The resulting session's permissions are the intersection
  1869  	// of the role's identity-based policy and the session policies. You can use
  1870  	// the role's temporary credentials in subsequent Amazon Web Services API calls
  1871  	// to access resources in the account that owns the role. You cannot use session
  1872  	// policies to grant more permissions than those allowed by the identity-based
  1873  	// policy of the role that is being assumed. For more information, see Session
  1874  	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1875  	// in the IAM User Guide.
  1876  	//
  1877  	// The plaintext that you use for both inline and managed session policies can't
  1878  	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
  1879  	// from the space character to the end of the valid character list (\u0020 through
  1880  	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
  1881  	// return (\u000D) characters.
  1882  	//
  1883  	// An Amazon Web Services conversion compresses the passed session policies
  1884  	// and session tags into a packed binary format that has a separate limit. Your
  1885  	// request can fail for this limit even if your plaintext meets the other requirements.
  1886  	// The PackedPolicySize response element indicates by percentage how close the
  1887  	// policies and tags for your request are to the upper size limit.
  1888  	Policy *string `min:"1" type:"string"`
  1889  
  1890  	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
  1891  	// to use as managed session policies. The policies must exist in the same account
  1892  	// as the role.
  1893  	//
  1894  	// This parameter is optional. You can provide up to 10 managed policy ARNs.
  1895  	// However, the plaintext that you use for both inline and managed session policies
  1896  	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
  1897  	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
  1898  	// in the Amazon Web Services General Reference.
  1899  	//
  1900  	// An Amazon Web Services conversion compresses the passed session policies
  1901  	// and session tags into a packed binary format that has a separate limit. Your
  1902  	// request can fail for this limit even if your plaintext meets the other requirements.
  1903  	// The PackedPolicySize response element indicates by percentage how close the
  1904  	// policies and tags for your request are to the upper size limit.
  1905  	//
  1906  	// Passing policies to this operation returns new temporary credentials. The
  1907  	// resulting session's permissions are the intersection of the role's identity-based
  1908  	// policy and the session policies. You can use the role's temporary credentials
  1909  	// in subsequent Amazon Web Services API calls to access resources in the account
  1910  	// that owns the role. You cannot use session policies to grant more permissions
  1911  	// than those allowed by the identity-based policy of the role that is being
  1912  	// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  1913  	// in the IAM User Guide.
  1914  	PolicyArns []*PolicyDescriptorType `type:"list"`
  1915  
  1916  	// The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
  1917  	// the IdP.
  1918  	//
  1919  	// PrincipalArn is a required field
  1920  	PrincipalArn *string `min:"20" type:"string" required:"true"`
  1921  
  1922  	// The Amazon Resource Name (ARN) of the role that the caller is assuming.
  1923  	//
  1924  	// RoleArn is a required field
  1925  	RoleArn *string `min:"20" type:"string" required:"true"`
  1926  
  1927  	// The base64 encoded SAML authentication response provided by the IdP.
  1928  	//
  1929  	// For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
  1930  	// in the IAM User Guide.
  1931  	//
  1932  	// SAMLAssertion is a required field
  1933  	SAMLAssertion *string `min:"4" type:"string" required:"true"`
  1934  }
  1935  
  1936  // String returns the string representation.
  1937  //
  1938  // API parameter values that are decorated as "sensitive" in the API will not
  1939  // be included in the string output. The member name will be present, but the
  1940  // value will be replaced with "sensitive".
  1941  func (s AssumeRoleWithSAMLInput) String() string {
  1942  	return awsutil.Prettify(s)
  1943  }
  1944  
  1945  // GoString returns the string representation.
  1946  //
  1947  // API parameter values that are decorated as "sensitive" in the API will not
  1948  // be included in the string output. The member name will be present, but the
  1949  // value will be replaced with "sensitive".
  1950  func (s AssumeRoleWithSAMLInput) GoString() string {
  1951  	return s.String()
  1952  }
  1953  
  1954  // Validate inspects the fields of the type to determine if they are valid.
  1955  func (s *AssumeRoleWithSAMLInput) Validate() error {
  1956  	invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
  1957  	if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
  1958  		invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
  1959  	}
  1960  	if s.Policy != nil && len(*s.Policy) < 1 {
  1961  		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
  1962  	}
  1963  	if s.PrincipalArn == nil {
  1964  		invalidParams.Add(request.NewErrParamRequired("PrincipalArn"))
  1965  	}
  1966  	if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
  1967  		invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20))
  1968  	}
  1969  	if s.RoleArn == nil {
  1970  		invalidParams.Add(request.NewErrParamRequired("RoleArn"))
  1971  	}
  1972  	if s.RoleArn != nil && len(*s.RoleArn) < 20 {
  1973  		invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
  1974  	}
  1975  	if s.SAMLAssertion == nil {
  1976  		invalidParams.Add(request.NewErrParamRequired("SAMLAssertion"))
  1977  	}
  1978  	if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
  1979  		invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
  1980  	}
  1981  	if s.PolicyArns != nil {
  1982  		for i, v := range s.PolicyArns {
  1983  			if v == nil {
  1984  				continue
  1985  			}
  1986  			if err := v.Validate(); err != nil {
  1987  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
  1988  			}
  1989  		}
  1990  	}
  1991  
  1992  	if invalidParams.Len() > 0 {
  1993  		return invalidParams
  1994  	}
  1995  	return nil
  1996  }
  1997  
  1998  // SetDurationSeconds sets the DurationSeconds field's value.
  1999  func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput {
  2000  	s.DurationSeconds = &v
  2001  	return s
  2002  }
  2003  
  2004  // SetPolicy sets the Policy field's value.
  2005  func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput {
  2006  	s.Policy = &v
  2007  	return s
  2008  }
  2009  
  2010  // SetPolicyArns sets the PolicyArns field's value.
  2011  func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput {
  2012  	s.PolicyArns = v
  2013  	return s
  2014  }
  2015  
  2016  // SetPrincipalArn sets the PrincipalArn field's value.
  2017  func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput {
  2018  	s.PrincipalArn = &v
  2019  	return s
  2020  }
  2021  
  2022  // SetRoleArn sets the RoleArn field's value.
  2023  func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput {
  2024  	s.RoleArn = &v
  2025  	return s
  2026  }
  2027  
  2028  // SetSAMLAssertion sets the SAMLAssertion field's value.
  2029  func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput {
  2030  	s.SAMLAssertion = &v
  2031  	return s
  2032  }
  2033  
  2034  // Contains the response to a successful AssumeRoleWithSAML request, including
  2035  // temporary Amazon Web Services credentials that can be used to make Amazon
  2036  // Web Services requests.
  2037  type AssumeRoleWithSAMLOutput struct {
  2038  	_ struct{} `type:"structure"`
  2039  
  2040  	// The identifiers for the temporary security credentials that the operation
  2041  	// returns.
  2042  	AssumedRoleUser *AssumedRoleUser `type:"structure"`
  2043  
  2044  	// The value of the Recipient attribute of the SubjectConfirmationData element
  2045  	// of the SAML assertion.
  2046  	Audience *string `type:"string"`
  2047  
  2048  	// The temporary security credentials, which include an access key ID, a secret
  2049  	// access key, and a security (or session) token.
  2050  	//
  2051  	// The size of the security token that STS API operations return is not fixed.
  2052  	// We strongly recommend that you make no assumptions about the maximum size.
  2053  	Credentials *Credentials `type:"structure"`
  2054  
  2055  	// The value of the Issuer element of the SAML assertion.
  2056  	Issuer *string `type:"string"`
  2057  
  2058  	// A hash value based on the concatenation of the following:
  2059  	//
  2060  	//    * The Issuer response value.
  2061  	//
  2062  	//    * The Amazon Web Services account ID.
  2063  	//
  2064  	//    * The friendly name (the last part of the ARN) of the SAML provider in
  2065  	//    IAM.
  2066  	//
  2067  	// The combination of NameQualifier and Subject can be used to uniquely identify
  2068  	// a federated user.
  2069  	//
  2070  	// The following pseudocode shows how the hash value is calculated:
  2071  	//
  2072  	// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
  2073  	// ) )
  2074  	NameQualifier *string `type:"string"`
  2075  
  2076  	// A percentage value that indicates the packed size of the session policies
  2077  	// and session tags combined passed in the request. The request fails if the
  2078  	// packed size is greater than 100 percent, which means the policies and tags
  2079  	// exceeded the allowed space.
  2080  	PackedPolicySize *int64 `type:"integer"`
  2081  
  2082  	// The value in the SourceIdentity attribute in the SAML assertion.
  2083  	//
  2084  	// You can require users to set a source identity value when they assume a role.
  2085  	// You do this by using the sts:SourceIdentity condition key in a role trust
  2086  	// policy. That way, actions that are taken with the role are associated with
  2087  	// that user. After the source identity is set, the value cannot be changed.
  2088  	// It is present in the request for all actions that are taken by the role and
  2089  	// persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
  2090  	// sessions. You can configure your SAML identity provider to use an attribute
  2091  	// associated with your users, like user name or email, as the source identity
  2092  	// when calling AssumeRoleWithSAML. You do this by adding an attribute to the
  2093  	// SAML assertion. For more information about using source identity, see Monitor
  2094  	// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
  2095  	// in the IAM User Guide.
  2096  	//
  2097  	// The regex used to validate this parameter is a string of characters consisting
  2098  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  2099  	// also include underscores or any of the following characters: =,.@-
  2100  	SourceIdentity *string `min:"2" type:"string"`
  2101  
  2102  	// The value of the NameID element in the Subject element of the SAML assertion.
  2103  	Subject *string `type:"string"`
  2104  
  2105  	// The format of the name ID, as defined by the Format attribute in the NameID
  2106  	// element of the SAML assertion. Typical examples of the format are transient
  2107  	// or persistent.
  2108  	//
  2109  	// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
  2110  	// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
  2111  	// is returned as transient. If the format includes any other prefix, the format
  2112  	// is returned with no modifications.
  2113  	SubjectType *string `type:"string"`
  2114  }
  2115  
  2116  // String returns the string representation.
  2117  //
  2118  // API parameter values that are decorated as "sensitive" in the API will not
  2119  // be included in the string output. The member name will be present, but the
  2120  // value will be replaced with "sensitive".
  2121  func (s AssumeRoleWithSAMLOutput) String() string {
  2122  	return awsutil.Prettify(s)
  2123  }
  2124  
  2125  // GoString returns the string representation.
  2126  //
  2127  // API parameter values that are decorated as "sensitive" in the API will not
  2128  // be included in the string output. The member name will be present, but the
  2129  // value will be replaced with "sensitive".
  2130  func (s AssumeRoleWithSAMLOutput) GoString() string {
  2131  	return s.String()
  2132  }
  2133  
  2134  // SetAssumedRoleUser sets the AssumedRoleUser field's value.
  2135  func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput {
  2136  	s.AssumedRoleUser = v
  2137  	return s
  2138  }
  2139  
  2140  // SetAudience sets the Audience field's value.
  2141  func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput {
  2142  	s.Audience = &v
  2143  	return s
  2144  }
  2145  
  2146  // SetCredentials sets the Credentials field's value.
  2147  func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput {
  2148  	s.Credentials = v
  2149  	return s
  2150  }
  2151  
  2152  // SetIssuer sets the Issuer field's value.
  2153  func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput {
  2154  	s.Issuer = &v
  2155  	return s
  2156  }
  2157  
  2158  // SetNameQualifier sets the NameQualifier field's value.
  2159  func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput {
  2160  	s.NameQualifier = &v
  2161  	return s
  2162  }
  2163  
  2164  // SetPackedPolicySize sets the PackedPolicySize field's value.
  2165  func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput {
  2166  	s.PackedPolicySize = &v
  2167  	return s
  2168  }
  2169  
  2170  // SetSourceIdentity sets the SourceIdentity field's value.
  2171  func (s *AssumeRoleWithSAMLOutput) SetSourceIdentity(v string) *AssumeRoleWithSAMLOutput {
  2172  	s.SourceIdentity = &v
  2173  	return s
  2174  }
  2175  
  2176  // SetSubject sets the Subject field's value.
  2177  func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput {
  2178  	s.Subject = &v
  2179  	return s
  2180  }
  2181  
  2182  // SetSubjectType sets the SubjectType field's value.
  2183  func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput {
  2184  	s.SubjectType = &v
  2185  	return s
  2186  }
  2187  
  2188  type AssumeRoleWithWebIdentityInput struct {
  2189  	_ struct{} `type:"structure"`
  2190  
  2191  	// The duration, in seconds, of the role session. The value can range from 900
  2192  	// seconds (15 minutes) up to the maximum session duration setting for the role.
  2193  	// This setting can have a value from 1 hour to 12 hours. If you specify a value
  2194  	// higher than this setting, the operation fails. For example, if you specify
  2195  	// a session duration of 12 hours, but your administrator set the maximum session
  2196  	// duration to 6 hours, your operation fails. To learn how to view the maximum
  2197  	// value for your role, see View the Maximum Session Duration Setting for a
  2198  	// Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
  2199  	// in the IAM User Guide.
  2200  	//
  2201  	// By default, the value is set to 3600 seconds.
  2202  	//
  2203  	// The DurationSeconds parameter is separate from the duration of a console
  2204  	// session that you might request using the returned credentials. The request
  2205  	// to the federation endpoint for a console sign-in token takes a SessionDuration
  2206  	// parameter that specifies the maximum length of the console session. For more
  2207  	// information, see Creating a URL that Enables Federated Users to Access the
  2208  	// Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
  2209  	// in the IAM User Guide.
  2210  	DurationSeconds *int64 `min:"900" type:"integer"`
  2211  
  2212  	// An IAM policy in JSON format that you want to use as an inline session policy.
  2213  	//
  2214  	// This parameter is optional. Passing policies to this operation returns new
  2215  	// temporary credentials. The resulting session's permissions are the intersection
  2216  	// of the role's identity-based policy and the session policies. You can use
  2217  	// the role's temporary credentials in subsequent Amazon Web Services API calls
  2218  	// to access resources in the account that owns the role. You cannot use session
  2219  	// policies to grant more permissions than those allowed by the identity-based
  2220  	// policy of the role that is being assumed. For more information, see Session
  2221  	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  2222  	// in the IAM User Guide.
  2223  	//
  2224  	// The plaintext that you use for both inline and managed session policies can't
  2225  	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
  2226  	// from the space character to the end of the valid character list (\u0020 through
  2227  	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
  2228  	// return (\u000D) characters.
  2229  	//
  2230  	// An Amazon Web Services conversion compresses the passed session policies
  2231  	// and session tags into a packed binary format that has a separate limit. Your
  2232  	// request can fail for this limit even if your plaintext meets the other requirements.
  2233  	// The PackedPolicySize response element indicates by percentage how close the
  2234  	// policies and tags for your request are to the upper size limit.
  2235  	Policy *string `min:"1" type:"string"`
  2236  
  2237  	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
  2238  	// to use as managed session policies. The policies must exist in the same account
  2239  	// as the role.
  2240  	//
  2241  	// This parameter is optional. You can provide up to 10 managed policy ARNs.
  2242  	// However, the plaintext that you use for both inline and managed session policies
  2243  	// can't exceed 2,048 characters. For more information about ARNs, see Amazon
  2244  	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
  2245  	// in the Amazon Web Services General Reference.
  2246  	//
  2247  	// An Amazon Web Services conversion compresses the passed session policies
  2248  	// and session tags into a packed binary format that has a separate limit. Your
  2249  	// request can fail for this limit even if your plaintext meets the other requirements.
  2250  	// The PackedPolicySize response element indicates by percentage how close the
  2251  	// policies and tags for your request are to the upper size limit.
  2252  	//
  2253  	// Passing policies to this operation returns new temporary credentials. The
  2254  	// resulting session's permissions are the intersection of the role's identity-based
  2255  	// policy and the session policies. You can use the role's temporary credentials
  2256  	// in subsequent Amazon Web Services API calls to access resources in the account
  2257  	// that owns the role. You cannot use session policies to grant more permissions
  2258  	// than those allowed by the identity-based policy of the role that is being
  2259  	// assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  2260  	// in the IAM User Guide.
  2261  	PolicyArns []*PolicyDescriptorType `type:"list"`
  2262  
  2263  	// The fully qualified host component of the domain name of the identity provider.
  2264  	//
  2265  	// Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
  2266  	// and graph.facebook.com are the only supported identity providers for OAuth
  2267  	// 2.0 access tokens. Do not include URL schemes and port numbers.
  2268  	//
  2269  	// Do not specify this value for OpenID Connect ID tokens.
  2270  	ProviderId *string `min:"4" type:"string"`
  2271  
  2272  	// The Amazon Resource Name (ARN) of the role that the caller is assuming.
  2273  	//
  2274  	// RoleArn is a required field
  2275  	RoleArn *string `min:"20" type:"string" required:"true"`
  2276  
  2277  	// An identifier for the assumed role session. Typically, you pass the name
  2278  	// or identifier that is associated with the user who is using your application.
  2279  	// That way, the temporary security credentials that your application will use
  2280  	// are associated with that user. This session name is included as part of the
  2281  	// ARN and assumed role ID in the AssumedRoleUser response element.
  2282  	//
  2283  	// The regex used to validate this parameter is a string of characters consisting
  2284  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  2285  	// also include underscores or any of the following characters: =,.@-
  2286  	//
  2287  	// RoleSessionName is a required field
  2288  	RoleSessionName *string `min:"2" type:"string" required:"true"`
  2289  
  2290  	// The OAuth 2.0 access token or OpenID Connect ID token that is provided by
  2291  	// the identity provider. Your application must get this token by authenticating
  2292  	// the user who is using your application with a web identity provider before
  2293  	// the application makes an AssumeRoleWithWebIdentity call.
  2294  	//
  2295  	// WebIdentityToken is a required field
  2296  	WebIdentityToken *string `min:"4" type:"string" required:"true"`
  2297  }
  2298  
  2299  // String returns the string representation.
  2300  //
  2301  // API parameter values that are decorated as "sensitive" in the API will not
  2302  // be included in the string output. The member name will be present, but the
  2303  // value will be replaced with "sensitive".
  2304  func (s AssumeRoleWithWebIdentityInput) String() string {
  2305  	return awsutil.Prettify(s)
  2306  }
  2307  
  2308  // GoString returns the string representation.
  2309  //
  2310  // API parameter values that are decorated as "sensitive" in the API will not
  2311  // be included in the string output. The member name will be present, but the
  2312  // value will be replaced with "sensitive".
  2313  func (s AssumeRoleWithWebIdentityInput) GoString() string {
  2314  	return s.String()
  2315  }
  2316  
  2317  // Validate inspects the fields of the type to determine if they are valid.
  2318  func (s *AssumeRoleWithWebIdentityInput) Validate() error {
  2319  	invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
  2320  	if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
  2321  		invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
  2322  	}
  2323  	if s.Policy != nil && len(*s.Policy) < 1 {
  2324  		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
  2325  	}
  2326  	if s.ProviderId != nil && len(*s.ProviderId) < 4 {
  2327  		invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4))
  2328  	}
  2329  	if s.RoleArn == nil {
  2330  		invalidParams.Add(request.NewErrParamRequired("RoleArn"))
  2331  	}
  2332  	if s.RoleArn != nil && len(*s.RoleArn) < 20 {
  2333  		invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
  2334  	}
  2335  	if s.RoleSessionName == nil {
  2336  		invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
  2337  	}
  2338  	if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
  2339  		invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
  2340  	}
  2341  	if s.WebIdentityToken == nil {
  2342  		invalidParams.Add(request.NewErrParamRequired("WebIdentityToken"))
  2343  	}
  2344  	if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
  2345  		invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
  2346  	}
  2347  	if s.PolicyArns != nil {
  2348  		for i, v := range s.PolicyArns {
  2349  			if v == nil {
  2350  				continue
  2351  			}
  2352  			if err := v.Validate(); err != nil {
  2353  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
  2354  			}
  2355  		}
  2356  	}
  2357  
  2358  	if invalidParams.Len() > 0 {
  2359  		return invalidParams
  2360  	}
  2361  	return nil
  2362  }
  2363  
  2364  // SetDurationSeconds sets the DurationSeconds field's value.
  2365  func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput {
  2366  	s.DurationSeconds = &v
  2367  	return s
  2368  }
  2369  
  2370  // SetPolicy sets the Policy field's value.
  2371  func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput {
  2372  	s.Policy = &v
  2373  	return s
  2374  }
  2375  
  2376  // SetPolicyArns sets the PolicyArns field's value.
  2377  func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput {
  2378  	s.PolicyArns = v
  2379  	return s
  2380  }
  2381  
  2382  // SetProviderId sets the ProviderId field's value.
  2383  func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput {
  2384  	s.ProviderId = &v
  2385  	return s
  2386  }
  2387  
  2388  // SetRoleArn sets the RoleArn field's value.
  2389  func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput {
  2390  	s.RoleArn = &v
  2391  	return s
  2392  }
  2393  
  2394  // SetRoleSessionName sets the RoleSessionName field's value.
  2395  func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput {
  2396  	s.RoleSessionName = &v
  2397  	return s
  2398  }
  2399  
  2400  // SetWebIdentityToken sets the WebIdentityToken field's value.
  2401  func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput {
  2402  	s.WebIdentityToken = &v
  2403  	return s
  2404  }
  2405  
  2406  // Contains the response to a successful AssumeRoleWithWebIdentity request,
  2407  // including temporary Amazon Web Services credentials that can be used to make
  2408  // Amazon Web Services requests.
  2409  type AssumeRoleWithWebIdentityOutput struct {
  2410  	_ struct{} `type:"structure"`
  2411  
  2412  	// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
  2413  	// that you can use to refer to the resulting temporary security credentials.
  2414  	// For example, you can reference these credentials as a principal in a resource-based
  2415  	// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
  2416  	// that you specified when you called AssumeRole.
  2417  	AssumedRoleUser *AssumedRoleUser `type:"structure"`
  2418  
  2419  	// The intended audience (also known as client ID) of the web identity token.
  2420  	// This is traditionally the client identifier issued to the application that
  2421  	// requested the web identity token.
  2422  	Audience *string `type:"string"`
  2423  
  2424  	// The temporary security credentials, which include an access key ID, a secret
  2425  	// access key, and a security token.
  2426  	//
  2427  	// The size of the security token that STS API operations return is not fixed.
  2428  	// We strongly recommend that you make no assumptions about the maximum size.
  2429  	Credentials *Credentials `type:"structure"`
  2430  
  2431  	// A percentage value that indicates the packed size of the session policies
  2432  	// and session tags combined passed in the request. The request fails if the
  2433  	// packed size is greater than 100 percent, which means the policies and tags
  2434  	// exceeded the allowed space.
  2435  	PackedPolicySize *int64 `type:"integer"`
  2436  
  2437  	// The issuing authority of the web identity token presented. For OpenID Connect
  2438  	// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
  2439  	// tokens, this contains the value of the ProviderId parameter that was passed
  2440  	// in the AssumeRoleWithWebIdentity request.
  2441  	Provider *string `type:"string"`
  2442  
  2443  	// The value of the source identity that is returned in the JSON web token (JWT)
  2444  	// from the identity provider.
  2445  	//
  2446  	// You can require users to set a source identity value when they assume a role.
  2447  	// You do this by using the sts:SourceIdentity condition key in a role trust
  2448  	// policy. That way, actions that are taken with the role are associated with
  2449  	// that user. After the source identity is set, the value cannot be changed.
  2450  	// It is present in the request for all actions that are taken by the role and
  2451  	// persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
  2452  	// sessions. You can configure your identity provider to use an attribute associated
  2453  	// with your users, like user name or email, as the source identity when calling
  2454  	// AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web
  2455  	// token. To learn more about OIDC tokens and claims, see Using Tokens with
  2456  	// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
  2457  	// in the Amazon Cognito Developer Guide. For more information about using source
  2458  	// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
  2459  	// in the IAM User Guide.
  2460  	//
  2461  	// The regex used to validate this parameter is a string of characters consisting
  2462  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  2463  	// also include underscores or any of the following characters: =,.@-
  2464  	SourceIdentity *string `min:"2" type:"string"`
  2465  
  2466  	// The unique user identifier that is returned by the identity provider. This
  2467  	// identifier is associated with the WebIdentityToken that was submitted with
  2468  	// the AssumeRoleWithWebIdentity call. The identifier is typically unique to
  2469  	// the user and the application that acquired the WebIdentityToken (pairwise
  2470  	// identifier). For OpenID Connect ID tokens, this field contains the value
  2471  	// returned by the identity provider as the token's sub (Subject) claim.
  2472  	SubjectFromWebIdentityToken *string `min:"6" type:"string"`
  2473  }
  2474  
  2475  // String returns the string representation.
  2476  //
  2477  // API parameter values that are decorated as "sensitive" in the API will not
  2478  // be included in the string output. The member name will be present, but the
  2479  // value will be replaced with "sensitive".
  2480  func (s AssumeRoleWithWebIdentityOutput) String() string {
  2481  	return awsutil.Prettify(s)
  2482  }
  2483  
  2484  // GoString returns the string representation.
  2485  //
  2486  // API parameter values that are decorated as "sensitive" in the API will not
  2487  // be included in the string output. The member name will be present, but the
  2488  // value will be replaced with "sensitive".
  2489  func (s AssumeRoleWithWebIdentityOutput) GoString() string {
  2490  	return s.String()
  2491  }
  2492  
  2493  // SetAssumedRoleUser sets the AssumedRoleUser field's value.
  2494  func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput {
  2495  	s.AssumedRoleUser = v
  2496  	return s
  2497  }
  2498  
  2499  // SetAudience sets the Audience field's value.
  2500  func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput {
  2501  	s.Audience = &v
  2502  	return s
  2503  }
  2504  
  2505  // SetCredentials sets the Credentials field's value.
  2506  func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput {
  2507  	s.Credentials = v
  2508  	return s
  2509  }
  2510  
  2511  // SetPackedPolicySize sets the PackedPolicySize field's value.
  2512  func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput {
  2513  	s.PackedPolicySize = &v
  2514  	return s
  2515  }
  2516  
  2517  // SetProvider sets the Provider field's value.
  2518  func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput {
  2519  	s.Provider = &v
  2520  	return s
  2521  }
  2522  
  2523  // SetSourceIdentity sets the SourceIdentity field's value.
  2524  func (s *AssumeRoleWithWebIdentityOutput) SetSourceIdentity(v string) *AssumeRoleWithWebIdentityOutput {
  2525  	s.SourceIdentity = &v
  2526  	return s
  2527  }
  2528  
  2529  // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
  2530  func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput {
  2531  	s.SubjectFromWebIdentityToken = &v
  2532  	return s
  2533  }
  2534  
  2535  // The identifiers for the temporary security credentials that the operation
  2536  // returns.
  2537  type AssumedRoleUser struct {
  2538  	_ struct{} `type:"structure"`
  2539  
  2540  	// The ARN of the temporary security credentials that are returned from the
  2541  	// AssumeRole action. For more information about ARNs and how to use them in
  2542  	// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
  2543  	// in the IAM User Guide.
  2544  	//
  2545  	// Arn is a required field
  2546  	Arn *string `min:"20" type:"string" required:"true"`
  2547  
  2548  	// A unique identifier that contains the role ID and the role session name of
  2549  	// the role that is being assumed. The role ID is generated by Amazon Web Services
  2550  	// when the role is created.
  2551  	//
  2552  	// AssumedRoleId is a required field
  2553  	AssumedRoleId *string `min:"2" type:"string" required:"true"`
  2554  }
  2555  
  2556  // String returns the string representation.
  2557  //
  2558  // API parameter values that are decorated as "sensitive" in the API will not
  2559  // be included in the string output. The member name will be present, but the
  2560  // value will be replaced with "sensitive".
  2561  func (s AssumedRoleUser) String() string {
  2562  	return awsutil.Prettify(s)
  2563  }
  2564  
  2565  // GoString returns the string representation.
  2566  //
  2567  // API parameter values that are decorated as "sensitive" in the API will not
  2568  // be included in the string output. The member name will be present, but the
  2569  // value will be replaced with "sensitive".
  2570  func (s AssumedRoleUser) GoString() string {
  2571  	return s.String()
  2572  }
  2573  
  2574  // SetArn sets the Arn field's value.
  2575  func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser {
  2576  	s.Arn = &v
  2577  	return s
  2578  }
  2579  
  2580  // SetAssumedRoleId sets the AssumedRoleId field's value.
  2581  func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser {
  2582  	s.AssumedRoleId = &v
  2583  	return s
  2584  }
  2585  
  2586  // Amazon Web Services credentials for API authentication.
  2587  type Credentials struct {
  2588  	_ struct{} `type:"structure"`
  2589  
  2590  	// The access key ID that identifies the temporary security credentials.
  2591  	//
  2592  	// AccessKeyId is a required field
  2593  	AccessKeyId *string `min:"16" type:"string" required:"true"`
  2594  
  2595  	// The date on which the current credentials expire.
  2596  	//
  2597  	// Expiration is a required field
  2598  	Expiration *time.Time `type:"timestamp" required:"true"`
  2599  
  2600  	// The secret access key that can be used to sign requests.
  2601  	//
  2602  	// SecretAccessKey is a required field
  2603  	SecretAccessKey *string `type:"string" required:"true"`
  2604  
  2605  	// The token that users must pass to the service API to use the temporary credentials.
  2606  	//
  2607  	// SessionToken is a required field
  2608  	SessionToken *string `type:"string" required:"true"`
  2609  }
  2610  
  2611  // String returns the string representation.
  2612  //
  2613  // API parameter values that are decorated as "sensitive" in the API will not
  2614  // be included in the string output. The member name will be present, but the
  2615  // value will be replaced with "sensitive".
  2616  func (s Credentials) String() string {
  2617  	return awsutil.Prettify(s)
  2618  }
  2619  
  2620  // GoString returns the string representation.
  2621  //
  2622  // API parameter values that are decorated as "sensitive" in the API will not
  2623  // be included in the string output. The member name will be present, but the
  2624  // value will be replaced with "sensitive".
  2625  func (s Credentials) GoString() string {
  2626  	return s.String()
  2627  }
  2628  
  2629  // SetAccessKeyId sets the AccessKeyId field's value.
  2630  func (s *Credentials) SetAccessKeyId(v string) *Credentials {
  2631  	s.AccessKeyId = &v
  2632  	return s
  2633  }
  2634  
  2635  // SetExpiration sets the Expiration field's value.
  2636  func (s *Credentials) SetExpiration(v time.Time) *Credentials {
  2637  	s.Expiration = &v
  2638  	return s
  2639  }
  2640  
  2641  // SetSecretAccessKey sets the SecretAccessKey field's value.
  2642  func (s *Credentials) SetSecretAccessKey(v string) *Credentials {
  2643  	s.SecretAccessKey = &v
  2644  	return s
  2645  }
  2646  
  2647  // SetSessionToken sets the SessionToken field's value.
  2648  func (s *Credentials) SetSessionToken(v string) *Credentials {
  2649  	s.SessionToken = &v
  2650  	return s
  2651  }
  2652  
  2653  type DecodeAuthorizationMessageInput struct {
  2654  	_ struct{} `type:"structure"`
  2655  
  2656  	// The encoded message that was returned with the response.
  2657  	//
  2658  	// EncodedMessage is a required field
  2659  	EncodedMessage *string `min:"1" type:"string" required:"true"`
  2660  }
  2661  
  2662  // String returns the string representation.
  2663  //
  2664  // API parameter values that are decorated as "sensitive" in the API will not
  2665  // be included in the string output. The member name will be present, but the
  2666  // value will be replaced with "sensitive".
  2667  func (s DecodeAuthorizationMessageInput) String() string {
  2668  	return awsutil.Prettify(s)
  2669  }
  2670  
  2671  // GoString returns the string representation.
  2672  //
  2673  // API parameter values that are decorated as "sensitive" in the API will not
  2674  // be included in the string output. The member name will be present, but the
  2675  // value will be replaced with "sensitive".
  2676  func (s DecodeAuthorizationMessageInput) GoString() string {
  2677  	return s.String()
  2678  }
  2679  
  2680  // Validate inspects the fields of the type to determine if they are valid.
  2681  func (s *DecodeAuthorizationMessageInput) Validate() error {
  2682  	invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
  2683  	if s.EncodedMessage == nil {
  2684  		invalidParams.Add(request.NewErrParamRequired("EncodedMessage"))
  2685  	}
  2686  	if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
  2687  		invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1))
  2688  	}
  2689  
  2690  	if invalidParams.Len() > 0 {
  2691  		return invalidParams
  2692  	}
  2693  	return nil
  2694  }
  2695  
  2696  // SetEncodedMessage sets the EncodedMessage field's value.
  2697  func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput {
  2698  	s.EncodedMessage = &v
  2699  	return s
  2700  }
  2701  
  2702  // A document that contains additional information about the authorization status
  2703  // of a request from an encoded message that is returned in response to an Amazon
  2704  // Web Services request.
  2705  type DecodeAuthorizationMessageOutput struct {
  2706  	_ struct{} `type:"structure"`
  2707  
  2708  	// An XML document that contains the decoded message.
  2709  	DecodedMessage *string `type:"string"`
  2710  }
  2711  
  2712  // String returns the string representation.
  2713  //
  2714  // API parameter values that are decorated as "sensitive" in the API will not
  2715  // be included in the string output. The member name will be present, but the
  2716  // value will be replaced with "sensitive".
  2717  func (s DecodeAuthorizationMessageOutput) String() string {
  2718  	return awsutil.Prettify(s)
  2719  }
  2720  
  2721  // GoString returns the string representation.
  2722  //
  2723  // API parameter values that are decorated as "sensitive" in the API will not
  2724  // be included in the string output. The member name will be present, but the
  2725  // value will be replaced with "sensitive".
  2726  func (s DecodeAuthorizationMessageOutput) GoString() string {
  2727  	return s.String()
  2728  }
  2729  
  2730  // SetDecodedMessage sets the DecodedMessage field's value.
  2731  func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput {
  2732  	s.DecodedMessage = &v
  2733  	return s
  2734  }
  2735  
  2736  // Identifiers for the federated user that is associated with the credentials.
  2737  type FederatedUser struct {
  2738  	_ struct{} `type:"structure"`
  2739  
  2740  	// The ARN that specifies the federated user that is associated with the credentials.
  2741  	// For more information about ARNs and how to use them in policies, see IAM
  2742  	// Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
  2743  	// in the IAM User Guide.
  2744  	//
  2745  	// Arn is a required field
  2746  	Arn *string `min:"20" type:"string" required:"true"`
  2747  
  2748  	// The string that identifies the federated user associated with the credentials,
  2749  	// similar to the unique ID of an IAM user.
  2750  	//
  2751  	// FederatedUserId is a required field
  2752  	FederatedUserId *string `min:"2" type:"string" required:"true"`
  2753  }
  2754  
  2755  // String returns the string representation.
  2756  //
  2757  // API parameter values that are decorated as "sensitive" in the API will not
  2758  // be included in the string output. The member name will be present, but the
  2759  // value will be replaced with "sensitive".
  2760  func (s FederatedUser) String() string {
  2761  	return awsutil.Prettify(s)
  2762  }
  2763  
  2764  // GoString returns the string representation.
  2765  //
  2766  // API parameter values that are decorated as "sensitive" in the API will not
  2767  // be included in the string output. The member name will be present, but the
  2768  // value will be replaced with "sensitive".
  2769  func (s FederatedUser) GoString() string {
  2770  	return s.String()
  2771  }
  2772  
  2773  // SetArn sets the Arn field's value.
  2774  func (s *FederatedUser) SetArn(v string) *FederatedUser {
  2775  	s.Arn = &v
  2776  	return s
  2777  }
  2778  
  2779  // SetFederatedUserId sets the FederatedUserId field's value.
  2780  func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser {
  2781  	s.FederatedUserId = &v
  2782  	return s
  2783  }
  2784  
  2785  type GetAccessKeyInfoInput struct {
  2786  	_ struct{} `type:"structure"`
  2787  
  2788  	// The identifier of an access key.
  2789  	//
  2790  	// This parameter allows (through its regex pattern) a string of characters
  2791  	// that can consist of any upper- or lowercase letter or digit.
  2792  	//
  2793  	// AccessKeyId is a required field
  2794  	AccessKeyId *string `min:"16" type:"string" required:"true"`
  2795  }
  2796  
  2797  // String returns the string representation.
  2798  //
  2799  // API parameter values that are decorated as "sensitive" in the API will not
  2800  // be included in the string output. The member name will be present, but the
  2801  // value will be replaced with "sensitive".
  2802  func (s GetAccessKeyInfoInput) String() string {
  2803  	return awsutil.Prettify(s)
  2804  }
  2805  
  2806  // GoString returns the string representation.
  2807  //
  2808  // API parameter values that are decorated as "sensitive" in the API will not
  2809  // be included in the string output. The member name will be present, but the
  2810  // value will be replaced with "sensitive".
  2811  func (s GetAccessKeyInfoInput) GoString() string {
  2812  	return s.String()
  2813  }
  2814  
  2815  // Validate inspects the fields of the type to determine if they are valid.
  2816  func (s *GetAccessKeyInfoInput) Validate() error {
  2817  	invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"}
  2818  	if s.AccessKeyId == nil {
  2819  		invalidParams.Add(request.NewErrParamRequired("AccessKeyId"))
  2820  	}
  2821  	if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 {
  2822  		invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16))
  2823  	}
  2824  
  2825  	if invalidParams.Len() > 0 {
  2826  		return invalidParams
  2827  	}
  2828  	return nil
  2829  }
  2830  
  2831  // SetAccessKeyId sets the AccessKeyId field's value.
  2832  func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput {
  2833  	s.AccessKeyId = &v
  2834  	return s
  2835  }
  2836  
  2837  type GetAccessKeyInfoOutput struct {
  2838  	_ struct{} `type:"structure"`
  2839  
  2840  	// The number used to identify the Amazon Web Services account.
  2841  	Account *string `type:"string"`
  2842  }
  2843  
  2844  // String returns the string representation.
  2845  //
  2846  // API parameter values that are decorated as "sensitive" in the API will not
  2847  // be included in the string output. The member name will be present, but the
  2848  // value will be replaced with "sensitive".
  2849  func (s GetAccessKeyInfoOutput) String() string {
  2850  	return awsutil.Prettify(s)
  2851  }
  2852  
  2853  // GoString returns the string representation.
  2854  //
  2855  // API parameter values that are decorated as "sensitive" in the API will not
  2856  // be included in the string output. The member name will be present, but the
  2857  // value will be replaced with "sensitive".
  2858  func (s GetAccessKeyInfoOutput) GoString() string {
  2859  	return s.String()
  2860  }
  2861  
  2862  // SetAccount sets the Account field's value.
  2863  func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput {
  2864  	s.Account = &v
  2865  	return s
  2866  }
  2867  
  2868  type GetCallerIdentityInput struct {
  2869  	_ struct{} `type:"structure"`
  2870  }
  2871  
  2872  // String returns the string representation.
  2873  //
  2874  // API parameter values that are decorated as "sensitive" in the API will not
  2875  // be included in the string output. The member name will be present, but the
  2876  // value will be replaced with "sensitive".
  2877  func (s GetCallerIdentityInput) String() string {
  2878  	return awsutil.Prettify(s)
  2879  }
  2880  
  2881  // GoString returns the string representation.
  2882  //
  2883  // API parameter values that are decorated as "sensitive" in the API will not
  2884  // be included in the string output. The member name will be present, but the
  2885  // value will be replaced with "sensitive".
  2886  func (s GetCallerIdentityInput) GoString() string {
  2887  	return s.String()
  2888  }
  2889  
  2890  // Contains the response to a successful GetCallerIdentity request, including
  2891  // information about the entity making the request.
  2892  type GetCallerIdentityOutput struct {
  2893  	_ struct{} `type:"structure"`
  2894  
  2895  	// The Amazon Web Services account ID number of the account that owns or contains
  2896  	// the calling entity.
  2897  	Account *string `type:"string"`
  2898  
  2899  	// The Amazon Web Services ARN associated with the calling entity.
  2900  	Arn *string `min:"20" type:"string"`
  2901  
  2902  	// The unique identifier of the calling entity. The exact value depends on the
  2903  	// type of entity that is making the call. The values returned are those listed
  2904  	// in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
  2905  	// found on the Policy Variables reference page in the IAM User Guide.
  2906  	UserId *string `type:"string"`
  2907  }
  2908  
  2909  // String returns the string representation.
  2910  //
  2911  // API parameter values that are decorated as "sensitive" in the API will not
  2912  // be included in the string output. The member name will be present, but the
  2913  // value will be replaced with "sensitive".
  2914  func (s GetCallerIdentityOutput) String() string {
  2915  	return awsutil.Prettify(s)
  2916  }
  2917  
  2918  // GoString returns the string representation.
  2919  //
  2920  // API parameter values that are decorated as "sensitive" in the API will not
  2921  // be included in the string output. The member name will be present, but the
  2922  // value will be replaced with "sensitive".
  2923  func (s GetCallerIdentityOutput) GoString() string {
  2924  	return s.String()
  2925  }
  2926  
  2927  // SetAccount sets the Account field's value.
  2928  func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput {
  2929  	s.Account = &v
  2930  	return s
  2931  }
  2932  
  2933  // SetArn sets the Arn field's value.
  2934  func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput {
  2935  	s.Arn = &v
  2936  	return s
  2937  }
  2938  
  2939  // SetUserId sets the UserId field's value.
  2940  func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput {
  2941  	s.UserId = &v
  2942  	return s
  2943  }
  2944  
  2945  type GetFederationTokenInput struct {
  2946  	_ struct{} `type:"structure"`
  2947  
  2948  	// The duration, in seconds, that the session should last. Acceptable durations
  2949  	// for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
  2950  	// (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
  2951  	// using Amazon Web Services account root user credentials are restricted to
  2952  	// a maximum of 3,600 seconds (one hour). If the specified duration is longer
  2953  	// than one hour, the session obtained by using root user credentials defaults
  2954  	// to one hour.
  2955  	DurationSeconds *int64 `min:"900" type:"integer"`
  2956  
  2957  	// The name of the federated user. The name is used as an identifier for the
  2958  	// temporary security credentials (such as Bob). For example, you can reference
  2959  	// the federated user name in a resource-based policy, such as in an Amazon
  2960  	// S3 bucket policy.
  2961  	//
  2962  	// The regex used to validate this parameter is a string of characters consisting
  2963  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  2964  	// also include underscores or any of the following characters: =,.@-
  2965  	//
  2966  	// Name is a required field
  2967  	Name *string `min:"2" type:"string" required:"true"`
  2968  
  2969  	// An IAM policy in JSON format that you want to use as an inline session policy.
  2970  	//
  2971  	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  2972  	// to this operation. You can pass a single JSON policy document to use as an
  2973  	// inline session policy. You can also specify up to 10 managed policies to
  2974  	// use as managed session policies.
  2975  	//
  2976  	// This parameter is optional. However, if you do not pass any session policies,
  2977  	// then the resulting federated user session has no permissions.
  2978  	//
  2979  	// When you pass session policies, the session permissions are the intersection
  2980  	// of the IAM user policies and the session policies that you pass. This gives
  2981  	// you a way to further restrict the permissions for a federated user. You cannot
  2982  	// use session policies to grant more permissions than those that are defined
  2983  	// in the permissions policy of the IAM user. For more information, see Session
  2984  	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  2985  	// in the IAM User Guide.
  2986  	//
  2987  	// The resulting credentials can be used to access a resource that has a resource-based
  2988  	// policy. If that policy specifically references the federated user session
  2989  	// in the Principal element of the policy, the session has the permissions allowed
  2990  	// by the policy. These permissions are granted in addition to the permissions
  2991  	// that are granted by the session policies.
  2992  	//
  2993  	// The plaintext that you use for both inline and managed session policies can't
  2994  	// exceed 2,048 characters. The JSON policy characters can be any ASCII character
  2995  	// from the space character to the end of the valid character list (\u0020 through
  2996  	// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
  2997  	// return (\u000D) characters.
  2998  	//
  2999  	// An Amazon Web Services conversion compresses the passed session policies
  3000  	// and session tags into a packed binary format that has a separate limit. Your
  3001  	// request can fail for this limit even if your plaintext meets the other requirements.
  3002  	// The PackedPolicySize response element indicates by percentage how close the
  3003  	// policies and tags for your request are to the upper size limit.
  3004  	Policy *string `min:"1" type:"string"`
  3005  
  3006  	// The Amazon Resource Names (ARNs) of the IAM managed policies that you want
  3007  	// to use as a managed session policy. The policies must exist in the same account
  3008  	// as the IAM user that is requesting federated access.
  3009  	//
  3010  	// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  3011  	// to this operation. You can pass a single JSON policy document to use as an
  3012  	// inline session policy. You can also specify up to 10 managed policies to
  3013  	// use as managed session policies. The plaintext that you use for both inline
  3014  	// and managed session policies can't exceed 2,048 characters. You can provide
  3015  	// up to 10 managed policy ARNs. For more information about ARNs, see Amazon
  3016  	// Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
  3017  	// in the Amazon Web Services General Reference.
  3018  	//
  3019  	// This parameter is optional. However, if you do not pass any session policies,
  3020  	// then the resulting federated user session has no permissions.
  3021  	//
  3022  	// When you pass session policies, the session permissions are the intersection
  3023  	// of the IAM user policies and the session policies that you pass. This gives
  3024  	// you a way to further restrict the permissions for a federated user. You cannot
  3025  	// use session policies to grant more permissions than those that are defined
  3026  	// in the permissions policy of the IAM user. For more information, see Session
  3027  	// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
  3028  	// in the IAM User Guide.
  3029  	//
  3030  	// The resulting credentials can be used to access a resource that has a resource-based
  3031  	// policy. If that policy specifically references the federated user session
  3032  	// in the Principal element of the policy, the session has the permissions allowed
  3033  	// by the policy. These permissions are granted in addition to the permissions
  3034  	// that are granted by the session policies.
  3035  	//
  3036  	// An Amazon Web Services conversion compresses the passed session policies
  3037  	// and session tags into a packed binary format that has a separate limit. Your
  3038  	// request can fail for this limit even if your plaintext meets the other requirements.
  3039  	// The PackedPolicySize response element indicates by percentage how close the
  3040  	// policies and tags for your request are to the upper size limit.
  3041  	PolicyArns []*PolicyDescriptorType `type:"list"`
  3042  
  3043  	// A list of session tags. Each session tag consists of a key name and an associated
  3044  	// value. For more information about session tags, see Passing Session Tags
  3045  	// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
  3046  	// in the IAM User Guide.
  3047  	//
  3048  	// This parameter is optional. You can pass up to 50 session tags. The plaintext
  3049  	// session tag keys can’t exceed 128 characters and the values can’t exceed
  3050  	// 256 characters. For these and additional limits, see IAM and STS Character
  3051  	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
  3052  	// in the IAM User Guide.
  3053  	//
  3054  	// An Amazon Web Services conversion compresses the passed session policies
  3055  	// and session tags into a packed binary format that has a separate limit. Your
  3056  	// request can fail for this limit even if your plaintext meets the other requirements.
  3057  	// The PackedPolicySize response element indicates by percentage how close the
  3058  	// policies and tags for your request are to the upper size limit.
  3059  	//
  3060  	// You can pass a session tag with the same key as a tag that is already attached
  3061  	// to the user you are federating. When you do, session tags override a user
  3062  	// tag with the same key.
  3063  	//
  3064  	// Tag key–value pairs are not case sensitive, but case is preserved. This
  3065  	// means that you cannot have separate Department and department tag keys. Assume
  3066  	// that the role has the Department=Marketing tag and you pass the department=engineering
  3067  	// session tag. Department and department are not saved as separate tags, and
  3068  	// the session tag passed in the request takes precedence over the role tag.
  3069  	Tags []*Tag `type:"list"`
  3070  }
  3071  
  3072  // String returns the string representation.
  3073  //
  3074  // API parameter values that are decorated as "sensitive" in the API will not
  3075  // be included in the string output. The member name will be present, but the
  3076  // value will be replaced with "sensitive".
  3077  func (s GetFederationTokenInput) String() string {
  3078  	return awsutil.Prettify(s)
  3079  }
  3080  
  3081  // GoString returns the string representation.
  3082  //
  3083  // API parameter values that are decorated as "sensitive" in the API will not
  3084  // be included in the string output. The member name will be present, but the
  3085  // value will be replaced with "sensitive".
  3086  func (s GetFederationTokenInput) GoString() string {
  3087  	return s.String()
  3088  }
  3089  
  3090  // Validate inspects the fields of the type to determine if they are valid.
  3091  func (s *GetFederationTokenInput) Validate() error {
  3092  	invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"}
  3093  	if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
  3094  		invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
  3095  	}
  3096  	if s.Name == nil {
  3097  		invalidParams.Add(request.NewErrParamRequired("Name"))
  3098  	}
  3099  	if s.Name != nil && len(*s.Name) < 2 {
  3100  		invalidParams.Add(request.NewErrParamMinLen("Name", 2))
  3101  	}
  3102  	if s.Policy != nil && len(*s.Policy) < 1 {
  3103  		invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
  3104  	}
  3105  	if s.PolicyArns != nil {
  3106  		for i, v := range s.PolicyArns {
  3107  			if v == nil {
  3108  				continue
  3109  			}
  3110  			if err := v.Validate(); err != nil {
  3111  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
  3112  			}
  3113  		}
  3114  	}
  3115  	if s.Tags != nil {
  3116  		for i, v := range s.Tags {
  3117  			if v == nil {
  3118  				continue
  3119  			}
  3120  			if err := v.Validate(); err != nil {
  3121  				invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams))
  3122  			}
  3123  		}
  3124  	}
  3125  
  3126  	if invalidParams.Len() > 0 {
  3127  		return invalidParams
  3128  	}
  3129  	return nil
  3130  }
  3131  
  3132  // SetDurationSeconds sets the DurationSeconds field's value.
  3133  func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput {
  3134  	s.DurationSeconds = &v
  3135  	return s
  3136  }
  3137  
  3138  // SetName sets the Name field's value.
  3139  func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput {
  3140  	s.Name = &v
  3141  	return s
  3142  }
  3143  
  3144  // SetPolicy sets the Policy field's value.
  3145  func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput {
  3146  	s.Policy = &v
  3147  	return s
  3148  }
  3149  
  3150  // SetPolicyArns sets the PolicyArns field's value.
  3151  func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput {
  3152  	s.PolicyArns = v
  3153  	return s
  3154  }
  3155  
  3156  // SetTags sets the Tags field's value.
  3157  func (s *GetFederationTokenInput) SetTags(v []*Tag) *GetFederationTokenInput {
  3158  	s.Tags = v
  3159  	return s
  3160  }
  3161  
  3162  // Contains the response to a successful GetFederationToken request, including
  3163  // temporary Amazon Web Services credentials that can be used to make Amazon
  3164  // Web Services requests.
  3165  type GetFederationTokenOutput struct {
  3166  	_ struct{} `type:"structure"`
  3167  
  3168  	// The temporary security credentials, which include an access key ID, a secret
  3169  	// access key, and a security (or session) token.
  3170  	//
  3171  	// The size of the security token that STS API operations return is not fixed.
  3172  	// We strongly recommend that you make no assumptions about the maximum size.
  3173  	Credentials *Credentials `type:"structure"`
  3174  
  3175  	// Identifiers for the federated user associated with the credentials (such
  3176  	// as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
  3177  	// can use the federated user's ARN in your resource-based policies, such as
  3178  	// an Amazon S3 bucket policy.
  3179  	FederatedUser *FederatedUser `type:"structure"`
  3180  
  3181  	// A percentage value that indicates the packed size of the session policies
  3182  	// and session tags combined passed in the request. The request fails if the
  3183  	// packed size is greater than 100 percent, which means the policies and tags
  3184  	// exceeded the allowed space.
  3185  	PackedPolicySize *int64 `type:"integer"`
  3186  }
  3187  
  3188  // String returns the string representation.
  3189  //
  3190  // API parameter values that are decorated as "sensitive" in the API will not
  3191  // be included in the string output. The member name will be present, but the
  3192  // value will be replaced with "sensitive".
  3193  func (s GetFederationTokenOutput) String() string {
  3194  	return awsutil.Prettify(s)
  3195  }
  3196  
  3197  // GoString returns the string representation.
  3198  //
  3199  // API parameter values that are decorated as "sensitive" in the API will not
  3200  // be included in the string output. The member name will be present, but the
  3201  // value will be replaced with "sensitive".
  3202  func (s GetFederationTokenOutput) GoString() string {
  3203  	return s.String()
  3204  }
  3205  
  3206  // SetCredentials sets the Credentials field's value.
  3207  func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput {
  3208  	s.Credentials = v
  3209  	return s
  3210  }
  3211  
  3212  // SetFederatedUser sets the FederatedUser field's value.
  3213  func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput {
  3214  	s.FederatedUser = v
  3215  	return s
  3216  }
  3217  
  3218  // SetPackedPolicySize sets the PackedPolicySize field's value.
  3219  func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput {
  3220  	s.PackedPolicySize = &v
  3221  	return s
  3222  }
  3223  
  3224  type GetSessionTokenInput struct {
  3225  	_ struct{} `type:"structure"`
  3226  
  3227  	// The duration, in seconds, that the credentials should remain valid. Acceptable
  3228  	// durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600
  3229  	// seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions
  3230  	// for Amazon Web Services account owners are restricted to a maximum of 3,600
  3231  	// seconds (one hour). If the duration is longer than one hour, the session
  3232  	// for Amazon Web Services account owners defaults to one hour.
  3233  	DurationSeconds *int64 `min:"900" type:"integer"`
  3234  
  3235  	// The identification number of the MFA device that is associated with the IAM
  3236  	// user who is making the GetSessionToken call. Specify this value if the IAM
  3237  	// user has a policy that requires MFA authentication. The value is either the
  3238  	// serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
  3239  	// Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
  3240  	// You can find the device for an IAM user by going to the Management Console
  3241  	// and viewing the user's security credentials.
  3242  	//
  3243  	// The regex used to validate this parameter is a string of characters consisting
  3244  	// of upper- and lower-case alphanumeric characters with no spaces. You can
  3245  	// also include underscores or any of the following characters: =,.@:/-
  3246  	SerialNumber *string `min:"9" type:"string"`
  3247  
  3248  	// The value provided by the MFA device, if MFA is required. If any policy requires
  3249  	// the IAM user to submit an MFA code, specify this value. If MFA authentication
  3250  	// is required, the user must provide a code when requesting a set of temporary
  3251  	// security credentials. A user who fails to provide the code receives an "access
  3252  	// denied" response when requesting resources that require MFA authentication.
  3253  	//
  3254  	// The format for this parameter, as described by its regex pattern, is a sequence
  3255  	// of six numeric digits.
  3256  	TokenCode *string `min:"6" type:"string"`
  3257  }
  3258  
  3259  // String returns the string representation.
  3260  //
  3261  // API parameter values that are decorated as "sensitive" in the API will not
  3262  // be included in the string output. The member name will be present, but the
  3263  // value will be replaced with "sensitive".
  3264  func (s GetSessionTokenInput) String() string {
  3265  	return awsutil.Prettify(s)
  3266  }
  3267  
  3268  // GoString returns the string representation.
  3269  //
  3270  // API parameter values that are decorated as "sensitive" in the API will not
  3271  // be included in the string output. The member name will be present, but the
  3272  // value will be replaced with "sensitive".
  3273  func (s GetSessionTokenInput) GoString() string {
  3274  	return s.String()
  3275  }
  3276  
  3277  // Validate inspects the fields of the type to determine if they are valid.
  3278  func (s *GetSessionTokenInput) Validate() error {
  3279  	invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"}
  3280  	if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
  3281  		invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
  3282  	}
  3283  	if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
  3284  		invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
  3285  	}
  3286  	if s.TokenCode != nil && len(*s.TokenCode) < 6 {
  3287  		invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
  3288  	}
  3289  
  3290  	if invalidParams.Len() > 0 {
  3291  		return invalidParams
  3292  	}
  3293  	return nil
  3294  }
  3295  
  3296  // SetDurationSeconds sets the DurationSeconds field's value.
  3297  func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput {
  3298  	s.DurationSeconds = &v
  3299  	return s
  3300  }
  3301  
  3302  // SetSerialNumber sets the SerialNumber field's value.
  3303  func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput {
  3304  	s.SerialNumber = &v
  3305  	return s
  3306  }
  3307  
  3308  // SetTokenCode sets the TokenCode field's value.
  3309  func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput {
  3310  	s.TokenCode = &v
  3311  	return s
  3312  }
  3313  
  3314  // Contains the response to a successful GetSessionToken request, including
  3315  // temporary Amazon Web Services credentials that can be used to make Amazon
  3316  // Web Services requests.
  3317  type GetSessionTokenOutput struct {
  3318  	_ struct{} `type:"structure"`
  3319  
  3320  	// The temporary security credentials, which include an access key ID, a secret
  3321  	// access key, and a security (or session) token.
  3322  	//
  3323  	// The size of the security token that STS API operations return is not fixed.
  3324  	// We strongly recommend that you make no assumptions about the maximum size.
  3325  	Credentials *Credentials `type:"structure"`
  3326  }
  3327  
  3328  // String returns the string representation.
  3329  //
  3330  // API parameter values that are decorated as "sensitive" in the API will not
  3331  // be included in the string output. The member name will be present, but the
  3332  // value will be replaced with "sensitive".
  3333  func (s GetSessionTokenOutput) String() string {
  3334  	return awsutil.Prettify(s)
  3335  }
  3336  
  3337  // GoString returns the string representation.
  3338  //
  3339  // API parameter values that are decorated as "sensitive" in the API will not
  3340  // be included in the string output. The member name will be present, but the
  3341  // value will be replaced with "sensitive".
  3342  func (s GetSessionTokenOutput) GoString() string {
  3343  	return s.String()
  3344  }
  3345  
  3346  // SetCredentials sets the Credentials field's value.
  3347  func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput {
  3348  	s.Credentials = v
  3349  	return s
  3350  }
  3351  
  3352  // A reference to the IAM managed policy that is passed as a session policy
  3353  // for a role session or a federated user session.
  3354  type PolicyDescriptorType struct {
  3355  	_ struct{} `type:"structure"`
  3356  
  3357  	// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
  3358  	// policy for the role. For more information about ARNs, see Amazon Resource
  3359  	// Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
  3360  	// in the Amazon Web Services General Reference.
  3361  	Arn *string `locationName:"arn" min:"20" type:"string"`
  3362  }
  3363  
  3364  // String returns the string representation.
  3365  //
  3366  // API parameter values that are decorated as "sensitive" in the API will not
  3367  // be included in the string output. The member name will be present, but the
  3368  // value will be replaced with "sensitive".
  3369  func (s PolicyDescriptorType) String() string {
  3370  	return awsutil.Prettify(s)
  3371  }
  3372  
  3373  // GoString returns the string representation.
  3374  //
  3375  // API parameter values that are decorated as "sensitive" in the API will not
  3376  // be included in the string output. The member name will be present, but the
  3377  // value will be replaced with "sensitive".
  3378  func (s PolicyDescriptorType) GoString() string {
  3379  	return s.String()
  3380  }
  3381  
  3382  // Validate inspects the fields of the type to determine if they are valid.
  3383  func (s *PolicyDescriptorType) Validate() error {
  3384  	invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"}
  3385  	if s.Arn != nil && len(*s.Arn) < 20 {
  3386  		invalidParams.Add(request.NewErrParamMinLen("Arn", 20))
  3387  	}
  3388  
  3389  	if invalidParams.Len() > 0 {
  3390  		return invalidParams
  3391  	}
  3392  	return nil
  3393  }
  3394  
  3395  // SetArn sets the Arn field's value.
  3396  func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
  3397  	s.Arn = &v
  3398  	return s
  3399  }
  3400  
  3401  // You can pass custom key-value pair attributes when you assume a role or federate
  3402  // a user. These are called session tags. You can then use the session tags
  3403  // to control access to resources. For more information, see Tagging STS Sessions
  3404  // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in
  3405  // the IAM User Guide.
  3406  type Tag struct {
  3407  	_ struct{} `type:"structure"`
  3408  
  3409  	// The key for a session tag.
  3410  	//
  3411  	// You can pass up to 50 session tags. The plain text session tag keys can’t
  3412  	// exceed 128 characters. For these and additional limits, see IAM and STS Character
  3413  	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
  3414  	// in the IAM User Guide.
  3415  	//
  3416  	// Key is a required field
  3417  	Key *string `min:"1" type:"string" required:"true"`
  3418  
  3419  	// The value for a session tag.
  3420  	//
  3421  	// You can pass up to 50 session tags. The plain text session tag values can’t
  3422  	// exceed 256 characters. For these and additional limits, see IAM and STS Character
  3423  	// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
  3424  	// in the IAM User Guide.
  3425  	//
  3426  	// Value is a required field
  3427  	Value *string `type:"string" required:"true"`
  3428  }
  3429  
  3430  // String returns the string representation.
  3431  //
  3432  // API parameter values that are decorated as "sensitive" in the API will not
  3433  // be included in the string output. The member name will be present, but the
  3434  // value will be replaced with "sensitive".
  3435  func (s Tag) String() string {
  3436  	return awsutil.Prettify(s)
  3437  }
  3438  
  3439  // GoString returns the string representation.
  3440  //
  3441  // API parameter values that are decorated as "sensitive" in the API will not
  3442  // be included in the string output. The member name will be present, but the
  3443  // value will be replaced with "sensitive".
  3444  func (s Tag) GoString() string {
  3445  	return s.String()
  3446  }
  3447  
  3448  // Validate inspects the fields of the type to determine if they are valid.
  3449  func (s *Tag) Validate() error {
  3450  	invalidParams := request.ErrInvalidParams{Context: "Tag"}
  3451  	if s.Key == nil {
  3452  		invalidParams.Add(request.NewErrParamRequired("Key"))
  3453  	}
  3454  	if s.Key != nil && len(*s.Key) < 1 {
  3455  		invalidParams.Add(request.NewErrParamMinLen("Key", 1))
  3456  	}
  3457  	if s.Value == nil {
  3458  		invalidParams.Add(request.NewErrParamRequired("Value"))
  3459  	}
  3460  
  3461  	if invalidParams.Len() > 0 {
  3462  		return invalidParams
  3463  	}
  3464  	return nil
  3465  }
  3466  
  3467  // SetKey sets the Key field's value.
  3468  func (s *Tag) SetKey(v string) *Tag {
  3469  	s.Key = &v
  3470  	return s
  3471  }
  3472  
  3473  // SetValue sets the Value field's value.
  3474  func (s *Tag) SetValue(v string) *Tag {
  3475  	s.Value = &v
  3476  	return s
  3477  }