rebase: bump the github-dependencies group across 1 directory with 9 updates

Bumps the github-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) | `0.12.2` | `0.14.1` |
| [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.53.14` | `1.54.6` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.28.1` | `1.29.1` |
| [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) | `1.12.0` | `1.14.0` |
| [github.com/kubernetes-csi/csi-lib-utils](https://github.com/kubernetes-csi/csi-lib-utils) | `0.17.0` | `0.18.1` |
| [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.17.1` | `2.19.0` |
| [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.18.0` | `1.19.1` |
| [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.6.0` | `1.7.0` |

Updates `github.com/IBM/keyprotect-go-client` from 0.12.2 to 0.14.1
- [Release notes](https://github.com/IBM/keyprotect-go-client/releases)
- [Changelog](https://github.com/IBM/keyprotect-go-client/blob/master/CHANGELOG.md)
- [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.12.2...v0.14.1)

Updates `github.com/aws/aws-sdk-go` from 1.53.14 to 1.54.6
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.53.14...v1.54.6)

Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.28.1 to 1.29.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ecr/v1.28.1...service/s3/v1.29.1)

Updates `github.com/hashicorp/vault/api` from 1.12.0 to 1.14.0
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.12.0...v1.14.0)

Updates `github.com/kubernetes-csi/csi-lib-utils` from 0.17.0 to 0.18.1
- [Release notes](https://github.com/kubernetes-csi/csi-lib-utils/releases)
- [Commits](https://github.com/kubernetes-csi/csi-lib-utils/compare/v0.17.0...v0.18.1)

Updates `github.com/onsi/ginkgo/v2` from 2.17.1 to 2.19.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.17.1...v2.19.0)

Updates `github.com/onsi/gomega` from 1.32.0 to 1.33.1
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.32.0...v1.33.1)

Updates `github.com/prometheus/client_golang` from 1.18.0 to 1.19.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.18.0...v1.19.1)

Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.6.0...sdk/azcore/v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/IBM/keyprotect-go-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/kubernetes-csi/csi-lib-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
This commit is contained in:
dependabot[bot] 2024-06-24 20:58:34 +00:00 committed by mergify[bot]
parent 29dde7abc2
commit 171ba6a65d
193 changed files with 6071 additions and 2336 deletions

39
go.mod

@ -3,9 +3,9 @@ module github.com/ceph/ceph-csi
go 1.22.0 go 1.22.0
require ( require (
github.com/IBM/keyprotect-go-client v0.12.2 github.com/IBM/keyprotect-go-client v0.14.1
github.com/aws/aws-sdk-go v1.53.14 github.com/aws/aws-sdk-go v1.54.6
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
github.com/ceph/go-ceph v0.28.0 github.com/ceph/go-ceph v0.28.0
github.com/container-storage-interface/spec v1.9.0 github.com/container-storage-interface/spec v1.9.0
@ -16,14 +16,14 @@ require (
github.com/google/uuid v1.6.0 github.com/google/uuid v1.6.0
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0 github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/hashicorp/vault/api v1.12.0 github.com/hashicorp/vault/api v1.14.0
github.com/kubernetes-csi/csi-lib-utils v0.17.0 github.com/kubernetes-csi/csi-lib-utils v0.18.1
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0
github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1 github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
github.com/onsi/ginkgo/v2 v2.17.1 github.com/onsi/ginkgo/v2 v2.19.0
github.com/onsi/gomega v1.32.0 github.com/onsi/gomega v1.33.1
github.com/pkg/xattr v0.4.9 github.com/pkg/xattr v0.4.9
github.com/prometheus/client_golang v1.18.0 github.com/prometheus/client_golang v1.19.1
github.com/stretchr/testify v1.9.0 github.com/stretchr/testify v1.9.0
golang.org/x/crypto v0.24.0 golang.org/x/crypto v0.24.0
golang.org/x/net v0.26.0 golang.org/x/net v0.26.0
@ -46,7 +46,7 @@ require (
) )
require ( require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
) )
@ -60,12 +60,12 @@ require (
github.com/ansel1/merry/v2 v2.0.1 // indirect github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
github.com/aws/smithy-go v1.20.1 // indirect github.com/aws/smithy-go v1.20.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@ -82,13 +82,13 @@ require (
github.com/fsnotify/fsnotify v1.7.0 // indirect github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/gemalto/flume v0.13.0 // indirect github.com/gemalto/flume v0.13.0 // indirect
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect github.com/go-jose/go-jose/v4 v4.0.1 // indirect
github.com/go-logr/logr v1.4.1 // indirect github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@ -96,7 +96,7 @@ require (
github.com/google/gnostic-models v0.6.8 // indirect github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
github.com/gorilla/websocket v1.5.0 // indirect github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect github.com/hashicorp/errwrap v1.1.0 // indirect
@ -119,7 +119,6 @@ require (
github.com/mailru/easyjson v0.7.7 // indirect github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect github.com/mattn/go-isatty v0.0.20 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect github.com/mitchellh/mapstructure v1.5.0 // indirect
@ -136,7 +135,7 @@ require (
github.com/pkg/errors v0.9.1 // indirect github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_model v0.5.0 // indirect github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.45.0 // indirect github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect github.com/prometheus/procfs v0.12.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect github.com/sirupsen/logrus v1.9.0 // indirect

76
go.sum

@ -761,8 +761,8 @@ git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3p
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc= github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo= github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg= github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA= github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA=
@ -786,8 +786,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo= github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI= github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ= github.com/IBM/keyprotect-go-client v0.14.1 h1:FSBJ3l6GKCuB3CoQPvVy94lOzYTKpjov8WdSDt5Ercs=
github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM= github.com/IBM/keyprotect-go-client v0.14.1/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk= github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg= github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE= github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@ -834,22 +834,22 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY= github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.53.14 h1:SzhkC2Pzag0iRW8WBb80RzKdGXDydJR9LAMs2GyKJ2M= github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g=
github.com/aws/aws-sdk-go v1.53.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk= github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w= github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo= github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k= github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8= github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew= github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA= github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw= github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E= github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA= github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q= github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8= github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@ -1000,8 +1000,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8= github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8= github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k= github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ= github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as= github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY= github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@ -1043,8 +1043,9 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M= github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY= github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE= github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls= github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA= github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM= github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE= github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@ -1165,8 +1166,9 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE= github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI= github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM= github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A= github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
@ -1268,8 +1270,8 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I= github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc= github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8= github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4= github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck= github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8= github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8=
github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k= github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k=
github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 h1:CXO0fD7M3iCGovP/UApeHhPcH4paDFKcu7AjEXi94rI= github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 h1:CXO0fD7M3iCGovP/UApeHhPcH4paDFKcu7AjEXi94rI=
@ -1333,8 +1335,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI= github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kubernetes-csi/csi-lib-utils v0.17.0 h1:xEpJ3WYgMyyYF6fvcKHh4cDRtknuTkBS9rG8bYoLTCU= github.com/kubernetes-csi/csi-lib-utils v0.18.1 h1:vpg1kbQ6lFVCz7mY71zcqVE7W0GAQXXBoFfHvbW3gdw=
github.com/kubernetes-csi/csi-lib-utils v0.17.0/go.mod h1:2Ba5/aQgUjbpqyC2uCcFwMF3rnPVs5jhZXm8jAzcT9Q= github.com/kubernetes-csi/csi-lib-utils v0.18.1/go.mod h1:PIcn27zmbY0KBue4JDdZVfDF56tjcS3jKroZPi+pMoY=
github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys= github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 h1:j3YK74myEQRxR/srciTpOrm221SAvz6J5OVWbyfeXFo= github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 h1:j3YK74myEQRxR/srciTpOrm221SAvz6J5OVWbyfeXFo=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0/go.mod h1:FlyYFe32mPxKEPaRXKNxfX576d1AoCzstYDoOOnyMA4= github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0/go.mod h1:FlyYFe32mPxKEPaRXKNxfX576d1AoCzstYDoOOnyMA4=
@ -1375,8 +1377,6 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4
github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg= github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0= github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4= github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE= github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg= github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@ -1442,8 +1442,8 @@ github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o= github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM= github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM= github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8= github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs= github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY= github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY= github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo= github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@ -1465,8 +1465,8 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ= github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk= github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk=
github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk= github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg= github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U= github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM= github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU= github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
@ -1522,8 +1522,8 @@ github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrb
github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y= github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk= github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc= github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk= github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA= github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo= github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA= github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@ -1542,8 +1542,8 @@ github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+
github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA= github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc= github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY= github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM= github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY= github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk= github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA= github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=


@ -1,5 +1,29 @@
# Release History # Release History
## 1.7.0 (2024-06-20)
### Features Added
* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
workload identity federation
### Breaking Changes
> These changes affect only code written against a beta version such as v1.7.0-beta.1
* Removed the persistent token caching API. It will return in v1.8.0-beta.1
## 1.7.0-beta.1 (2024-06-10)
### Features Added
* Restored `AzurePipelinesCredential` and persistent token caching API
## Breaking Changes
> These changes affect only code written against a beta version such as v1.6.0-beta.4
* Values which `NewAzurePipelinesCredential` read from environment variables in
prior versions are now parameters
* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
### Bugs Fixed
* Managed identity bug fixes
## 1.6.0 (2024-06-10) ## 1.6.0 (2024-06-10)
### Features Added ### Features Added


@ -140,6 +140,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
|Credential|Usage |Credential|Usage
|-|- |-|-
|[AzurePipelinesCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePipelinesCredential)|Authenticate an Azure Pipelines [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml)
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion |[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate |[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
|[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret |[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret


@ -57,6 +57,7 @@ The following table indicates the state of in-memory and persistent caching in e
|--------------------------------|---------------------------------------------------------------------|--------------------------| |--------------------------------|---------------------------------------------------------------------|--------------------------|
| `AzureCLICredential` | Not Supported | Not Supported | | `AzureCLICredential` | Not Supported | Not Supported |
| `AzureDeveloperCLICredential` | Not Supported | Not Supported | | `AzureDeveloperCLICredential` | Not Supported | Not Supported |
| `AzurePipelinesCredential` | Supported | Supported |
| `ClientAssertionCredential` | Supported | Supported | | `ClientAssertionCredential` | Supported | Supported |
| `ClientCertificateCredential` | Supported | Supported | | `ClientCertificateCredential` | Supported | Supported |
| `ClientSecretCredential` | Supported | Supported | | `ClientSecretCredential` | Supported | Supported |


@ -10,6 +10,7 @@ This troubleshooting guide covers failure investigation techniques, common error
- [Enable and configure logging](#enable-and-configure-logging) - [Enable and configure logging](#enable-and-configure-logging)
- [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues) - [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
- [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues) - [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
- [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues) - [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues) - [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues) - [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@ -226,6 +227,15 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
|---|---|---| |---|---|---|
|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions` |no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
<a id="apc"></a>
## Troubleshoot AzurePipelinesCredential authentication issues
| Error Message |Description| Mitigation |
|---|---|---|
| AADSTS900023: Specified tenant identifier 'some tenant ID' is neither a valid DNS name, nor a valid external domain.|The `tenantID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the tenant ID. It must identify the tenant of the user-assigned managed identity or service principal configured for the service connection.|
| No service connection found with identifier |The `serviceConnectionID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the service connection ID. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the service connection's configuration in Azure DevOps. [Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) has more information about service connections.|
|302 (Found) response from OIDC endpoint|The `systemAccessToken` argument to `NewAzurePipelinesCredential` is incorrect|Check pipeline configuration. This value comes from the predefined variable `System.AccessToken` [as described in Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken).|
## Get additional help ## Get additional help
Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md). Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).


@ -19,21 +19,20 @@ import (
const ( const (
credNameAzurePipelines = "AzurePipelinesCredential" credNameAzurePipelines = "AzurePipelinesCredential"
oidcAPIVersion = "7.1" oidcAPIVersion = "7.1"
systemAccessToken = "SYSTEM_ACCESSTOKEN"
systemOIDCRequestURI = "SYSTEM_OIDCREQUESTURI" systemOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
) )
// azurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See // AzurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
// [Azure Pipelines documentation] for more information. // [Azure Pipelines documentation] for more information.
// //
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation
type azurePipelinesCredential struct { type AzurePipelinesCredential struct {
connectionID, oidcURI, systemAccessToken string connectionID, oidcURI, systemAccessToken string
cred *ClientAssertionCredential cred *ClientAssertionCredential
} }
// azurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential. // AzurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
type azurePipelinesCredentialOptions struct { type AzurePipelinesCredentialOptions struct {
azcore.ClientOptions azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens. // AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
@ -48,28 +47,39 @@ type azurePipelinesCredentialOptions struct {
DisableInstanceDiscovery bool DisableInstanceDiscovery bool
} }
// newAzurePipelinesCredential is the constructor for AzurePipelinesCredential. In addition to its required arguments, // NewAzurePipelinesCredential is the constructor for AzurePipelinesCredential.
// it reads a security token for the running build, which is required to authenticate the service connection, from the //
// environment variable SYSTEM_ACCESSTOKEN. See the [Azure Pipelines documentation] for an example showing how to set // - tenantID: tenant ID of the service principal federated with the service connection
// this variable in build job YAML. // - clientID: client ID of that service principal
// - serviceConnectionID: ID of the service connection to authenticate
// - systemAccessToken: security token for the running build. See [Azure Pipelines documentation] for
// an example showing how to get this value.
// //
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken // [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string, options *azurePipelinesCredentialOptions) (*azurePipelinesCredential, error) { func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken string, options *AzurePipelinesCredentialOptions) (*AzurePipelinesCredential, error) {
if options == nil { if !validTenantID(tenantID) {
options = &azurePipelinesCredentialOptions{} return nil, errInvalidTenantID
}
if clientID == "" {
return nil, errors.New("no client ID specified")
}
if serviceConnectionID == "" {
return nil, errors.New("no service connection ID specified")
}
if systemAccessToken == "" {
return nil, errors.New("no system access token specified")
} }
u := os.Getenv(systemOIDCRequestURI) u := os.Getenv(systemOIDCRequestURI)
if u == "" { if u == "" {
return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI) return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI)
} }
sat := os.Getenv(systemAccessToken) a := AzurePipelinesCredential{
if sat == "" {
return nil, errors.New("no value for environment variable " + systemAccessToken)
}
a := azurePipelinesCredential{
connectionID: serviceConnectionID, connectionID: serviceConnectionID,
oidcURI: u, oidcURI: u,
systemAccessToken: sat, systemAccessToken: systemAccessToken,
}
if options == nil {
options = &AzurePipelinesCredentialOptions{}
} }
caco := ClientAssertionCredentialOptions{ caco := ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants, AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
@ -86,7 +96,7 @@ func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string,
} }
// GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically. // GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically.
func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) { func (a *AzurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
var err error var err error
ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil) ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil)
defer func() { endSpan(err) }() defer func() { endSpan(err) }()
@ -94,7 +104,7 @@ func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.Tok
return tk, err return tk, err
} }
func (a *azurePipelinesCredential) getAssertion(ctx context.Context) (string, error) { func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
url, err := runtime.EncodeQueryParams(url) url, err := runtime.EncodeQueryParams(url)
if err != nil { if err != nil {
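Review bot: The OIDC request URI read from `SYSTEM_OIDCREQUESTURI` at the `os.Getenv` call is stored in `oidcURI` and is the endpoint that later receives the build's `systemAccessToken`, yet only an empty value is rejected; nothing checks that it parses or uses https, so a malformed or plain-http value in the job environment would send the System.AccessToken to an unintended or unencrypted endpoint. Since `NewAzurePipelinesCredential` now validates every other input, add after the empty check `if p, err := url.Parse(u); err != nil || p.Scheme != "https" { return nil, fmt.Errorf("%s must be an https URL, got %q", systemOIDCRequestURI, u) }` (this needs `net/url` imported). The parameter list in the doc comment could also state that `systemAccessToken` is the pipeline's System.AccessToken, i.e. a secret that must not be logged or placed in error messages. `getAssertion` continues past the end of the hunk, so the request it builds from `a.oidcURI` is only partly visible here.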


@ -83,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
anchor = "azure-cli" anchor = "azure-cli"
case credNameAzureDeveloperCLI: case credNameAzureDeveloperCLI:
anchor = "azd" anchor = "azd"
case credNameAzurePipelines:
anchor = "apc"
case credNameCert: case credNameCert:
anchor = "client-cert" anchor = "client-cert"
case credNameSecret: case credNameSecret:


@ -14,5 +14,5 @@ const (
module = "github.com/Azure/azure-sdk-for-go/sdk/" + component module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
// Version is the semantic version (see http://semver.org) of this module. // Version is the semantic version (see http://semver.org) of this module.
version = "v1.6.0" version = "v1.7.0"
) )


@ -1,6 +1,6 @@
language: go language: go
dist: bionic dist: jammy
go: go:
- 1.17.x - 1.17.x
@ -13,7 +13,6 @@ env:
before_install: before_install:
- sudo apt-get update - sudo apt-get update
- pyenv global 3.8
before_script: before_script:
- GO111MODULE=off go get -u github.com/haya14busa/goverage - GO111MODULE=off go get -u github.com/haya14busa/goverage
@ -27,6 +26,9 @@ script:
- $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts') - $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts')
- go tool cover -func=cover.out - go tool cover -func=cover.out
- go tool cover -html=cover.out -o=cover.html - go tool cover -html=cover.out -o=cover.html
# these steps are to make sure that node will properly install for semantic release.
- nvm install node
- npm install -g npm
# To enable semantic-release, uncomment these sections. # To enable semantic-release, uncomment these sections.
before_deploy: before_deploy:
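Review bot: The two added steps `nvm install node` and `npm install -g npm` fetch whatever the newest Node and npm are at build time, so the release tooling the comment says they support (semantic-release) runs on a toolchain that can change underneath the project without any commit, which is the kind of drift a supply-chain review flags in a publishing pipeline. Pin to a specific major, e.g. `nvm install 20`, and drop the global npm upgrade unless a particular npm feature is actually needed. The `before_deploy:` section is cut off at the end of the hunk, so how semantic-release itself is installed and whether it is pinned is not visible here.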


@ -11,6 +11,10 @@ please open a [Github Issue](https://github.com/IBM/keyprotect-go-client/issues)
For your pull request to be merged, it must meet the criteria of a "correct patch", and also For your pull request to be merged, it must meet the criteria of a "correct patch", and also
be fully reviewed and approved by two Maintainer level contributors. be fully reviewed and approved by two Maintainer level contributors.
The PR should be named with the proper prefix to satisfy the semantic release.
- `fix(build):` for patch version bump (0.0.x)
- `feat(build):` for minor version bump (0.x.0)
- `perf(build):` for major version bump (x.0.0)
A correct patch is defined as the following: A correct patch is defined as the following:


@ -62,7 +62,7 @@ type PolicyData struct {
// Attributes contains the details of an instance policy // Attributes contains the details of an instance policy
type Attributes struct { type Attributes struct {
AllowedNetwork *string `json:"allowed_network,omitempty"` AllowedNetwork *string `json:"allowed_network,omitempty"`
AllowedIP IPAddresses `json:"allowed_ip,omitempty"` AllowedIP *IPAddresses `json:"allowed_ip,omitempty"`
CreateRootKey *bool `json:"create_root_key,omitempty"` CreateRootKey *bool `json:"create_root_key,omitempty"`
CreateStandardKey *bool `json:"create_standard_key,omitempty"` CreateStandardKey *bool `json:"create_standard_key,omitempty"`
ImportRootKey *bool `json:"import_root_key,omitempty"` ImportRootKey *bool `json:"import_root_key,omitempty"`
@ -313,7 +313,8 @@ func (c *Client) SetAllowedIPInstancePolicy(ctx context.Context, enable bool, al
// The IP address validation is performed by the key protect service. // The IP address validation is performed by the key protect service.
if enable && len(allowedIPs) != 0 { if enable && len(allowedIPs) != 0 {
policy.PolicyData.Attributes = &Attributes{} policy.PolicyData.Attributes = &Attributes{}
policy.PolicyData.Attributes.AllowedIP = allowedIPs ips := IPAddresses(allowedIPs)
policy.PolicyData.Attributes.AllowedIP = &ips
} else if enable && len(allowedIPs) == 0 { } else if enable && len(allowedIPs) == 0 {
return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation") return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation")
} else if !enable && len(allowedIPs) != 0 { } else if !enable && len(allowedIPs) != 0 {
@ -445,17 +446,21 @@ type AllowedNetworkPolicyData struct {
// AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy // AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy
type AllowedIPPolicyData struct { type AllowedIPPolicyData struct {
Enabled bool Enabled bool
IPAddresses IPAddresses IPAddresses *IPAddresses
} }
// KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy // KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy
type KeyCreateImportAccessInstancePolicy struct { type KeyCreateImportAccessInstancePolicy struct {
Enabled bool Enabled bool
CreateRootKey bool Attributes *KeyCreateImportAccessInstancePolicyAttributes
CreateStandardKey bool }
ImportRootKey bool
ImportStandardKey bool type KeyCreateImportAccessInstancePolicyAttributes struct {
EnforceToken bool CreateRootKey *bool
CreateStandardKey *bool
ImportRootKey *bool
ImportStandardKey *bool
EnforceToken *bool
} }
type RotationPolicyData struct { type RotationPolicyData struct {
@ -492,6 +497,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
PolicyType: AllowedNetwork, PolicyType: AllowedNetwork,
PolicyData: PolicyData{ PolicyData: PolicyData{
Enabled: &(policies.AllowedNetwork.Enabled), Enabled: &(policies.AllowedNetwork.Enabled),
// due to legacy reasons, the allowed_network policy requires attribute to always be specified
Attributes: &Attributes{ Attributes: &Attributes{
AllowedNetwork: &(policies.AllowedNetwork.Network), AllowedNetwork: &(policies.AllowedNetwork.Network),
}, },
@ -528,15 +534,18 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
PolicyType: KeyCreateImportAccess, PolicyType: KeyCreateImportAccess,
PolicyData: PolicyData{ PolicyData: PolicyData{
Enabled: &(policies.KeyCreateImportAccess.Enabled), Enabled: &(policies.KeyCreateImportAccess.Enabled),
Attributes: &Attributes{},
}, },
} }
policy.PolicyData.Attributes.CreateRootKey = &policies.KeyCreateImportAccess.CreateRootKey if attr := policies.KeyCreateImportAccess.Attributes; attr != nil {
policy.PolicyData.Attributes.CreateStandardKey = &policies.KeyCreateImportAccess.CreateStandardKey policy.PolicyData.Attributes = &Attributes{
policy.PolicyData.Attributes.ImportRootKey = &policies.KeyCreateImportAccess.ImportRootKey CreateRootKey: attr.CreateRootKey,
policy.PolicyData.Attributes.ImportStandardKey = &policies.KeyCreateImportAccess.ImportStandardKey CreateStandardKey: attr.CreateStandardKey,
policy.PolicyData.Attributes.EnforceToken = &policies.KeyCreateImportAccess.EnforceToken ImportRootKey: attr.ImportRootKey,
ImportStandardKey: attr.ImportStandardKey,
EnforceToken: attr.EnforceToken,
}
}
resPolicies = append(resPolicies, policy) resPolicies = append(resPolicies, policy)
} }


@ -9,7 +9,7 @@ import (
) )
const ( const (
path = "key_rings" keyRingPath = "key_rings"
) )
type KeyRing struct { type KeyRing struct {
@ -28,7 +28,7 @@ type KeyRings struct {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#create-key-ring-api // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#create-key-ring-api
func (c *Client) CreateKeyRing(ctx context.Context, id string) error { func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
req, err := c.newRequest("POST", fmt.Sprintf(path+"/%s", id), nil) req, err := c.newRequest("POST", fmt.Sprintf(keyRingPath+"/%s", id), nil)
if err != nil { if err != nil {
return err return err
} }
@ -46,7 +46,7 @@ func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#list-key-ring-api // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#list-key-ring-api
func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) { func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) {
rings := KeyRings{} rings := KeyRings{}
req, err := c.newRequest("GET", path, nil) req, err := c.newRequest("GET", keyRingPath, nil)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -73,7 +73,7 @@ func WithForce(force bool) DeleteKeyRingQueryOption {
// For information please refer to the link below: // For information please refer to the link below:
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api // https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api
func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error { func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error {
req, err := c.newRequest("DELETE", fmt.Sprintf(path+"/%s", id), nil) req, err := c.newRequest("DELETE", fmt.Sprintf(keyRingPath+"/%s", id), nil)
for _, opt := range opts { for _, opt := range opts {
opt(req) opt(req)
} }


@ -0,0 +1,164 @@
package kp
import (
"context"
"fmt"
"time"
)
const (
kmipAdapterPath = "kmip_adapters"
kmipAdapterType = "application/vnd.ibm.kms.kmip_adapter+json"
)
type KMIPAdapter struct {
ID string `json:"id,omitempty"`
Profile string `json:"profile,omitempty"`
ProfileData map[string]string `json:"profile_data,omitempty"`
Name string `json:"name,omitempty"`
Description string `json:"description"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
UpdatedBy string `json:"updated_by,omitempty"`
UpdatedAt *time.Time `json:"updated_at,omitempty"`
}
type KMIPAdapters struct {
Metadata CollectionMetadata `json:"metadata"`
Adapters []KMIPAdapter `json:"resources"`
}
const (
KMIP_Profile_Native = "native_1.0"
)
// CreateKMIPAdapter method creates a KMIP Adapter with the specified profile.
func (c *Client) CreateKMIPAdapter(ctx context.Context, profileOpt CreateKMIPAdapterProfile, options ...CreateKMIPAdapterOption) (*KMIPAdapter, error) {
newAdapter := &KMIPAdapter{}
profileOpt(newAdapter)
for _, opt := range options {
opt(newAdapter)
}
req, err := c.newRequest("POST", kmipAdapterPath, wrapKMIPAdapter(*newAdapter))
if err != nil {
return nil, err
}
create_resp := &KMIPAdapters{}
_, err = c.do(ctx, req, create_resp)
if err != nil {
return nil, err
}
return unwrapKMIPAdapterResp(create_resp), nil
}
// Functions to be passed into the CreateKMIPAdapter() method to specify specific fields.
type CreateKMIPAdapterOption func(*KMIPAdapter)
type CreateKMIPAdapterProfile func(*KMIPAdapter)
func WithKMIPAdapterName(name string) CreateKMIPAdapterOption {
return func(adapter *KMIPAdapter) {
adapter.Name = name
}
}
func WithKMIPAdapterDescription(description string) CreateKMIPAdapterOption {
return func(adapter *KMIPAdapter) {
adapter.Description = description
}
}
func WithNativeProfile(crkID string) CreateKMIPAdapterProfile {
return func(adapter *KMIPAdapter) {
adapter.Profile = KMIP_Profile_Native
adapter.ProfileData = map[string]string{
"crk_id": crkID,
}
}
}
type ListKmipAdaptersOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
CrkID *string
}
// GetKMIPAdapters method lists KMIP Adapters associated with a specific KP instance.
func (c *Client) GetKMIPAdapters(ctx context.Context, listOpts *ListKmipAdaptersOptions) (*KMIPAdapters, error) {
adapters := KMIPAdapters{}
req, err := c.newRequest("GET", kmipAdapterPath, nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
if listOpts.CrkID != nil {
values.Set("crk_id", *listOpts.CrkID)
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &adapters)
if err != nil {
return nil, err
}
return &adapters, nil
}
// GetKMIPAdapter method retrieves a single KMIP Adapter by name or ID.
func (c *Client) GetKMIPAdapter(ctx context.Context, nameOrID string) (*KMIPAdapter, error) {
adapters := KMIPAdapters{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, &adapters)
if err != nil {
return nil, err
}
return unwrapKMIPAdapterResp(&adapters), nil
}
// DeletesKMIPAdapter method deletes a single KMIP Adapter by name or ID.
func (c *Client) DeleteKMIPAdapter(ctx context.Context, nameOrID string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPAdapter(adapter KMIPAdapter) KMIPAdapters {
return KMIPAdapters{
Metadata: CollectionMetadata{
CollectionType: kmipAdapterType,
CollectionTotal: 1,
},
Adapters: []KMIPAdapter{adapter},
}
}
func unwrapKMIPAdapterResp(resp *KMIPAdapters) *KMIPAdapter {
return &resp.Adapters[0]
}


@ -0,0 +1,136 @@
package kp
import (
"context"
"fmt"
"time"
)
const (
kmipClientCertSubPath = "certificates"
kmipClientCertType = "application/vnd.ibm.kms.kmip_client_certificate+json"
)
type KMIPClientCertificate struct {
ID string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Certificate string `json:"certificate,omitempty"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
}
type KMIPClientCertificates struct {
Metadata CollectionMetadata `json:"metadata"`
Certificates []KMIPClientCertificate `json:"resources"`
}
// CreateKMIPClientCertificate registers/creates a KMIP PEM format certificate
// for use with a specific KMIP adapter.
// cert_payload is the string representation of
// the certificate to be associated with the KMIP Adapter in PEM format.
// It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
// Regex: ^\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/\=\r\n]+-----END CERTIFICATE-----\s*$
func (c *Client) CreateKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_payload string, opts ...CreateKMIPClientCertOption) (*KMIPClientCertificate, error) {
newCert := &KMIPClientCertificate{
Certificate: cert_payload,
}
for _, opt := range opts {
opt(newCert)
}
req, err := c.newRequest("POST", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), wrapKMIPClientCert(*newCert))
if err != nil {
return nil, err
}
certResp := &KMIPClientCertificates{}
_, err = c.do(ctx, req, certResp)
if err != nil {
return nil, err
}
return unwrapKMIPClientCert(certResp), nil
}
type CreateKMIPClientCertOption func(*KMIPClientCertificate)
func WithKMIPClientCertName(name string) CreateKMIPClientCertOption {
return func(cert *KMIPClientCertificate) {
cert.Name = name
}
}
// GetKMIPClientCertificates lists all certificates associated with a KMIP adapter
func (c *Client) GetKMIPClientCertificates(ctx context.Context, adapter_nameOrID string, listOpts *ListOptions) (*KMIPClientCertificates, error) {
certs := KMIPClientCertificates{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &certs)
if err != nil {
return nil, err
}
return &certs, nil
}
// GetKMIPClientCertificate gets a single certificate associated with a KMIP adapter
func (c *Client) GetKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) (*KMIPClientCertificate, error) {
certs := &KMIPClientCertificates{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, certs)
if err != nil {
return nil, err
}
return unwrapKMIPClientCert(certs), nil
}
// DeleteKMIPClientCertificate deletes a single certificate
func (c *Client) DeleteKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPClientCert(cert KMIPClientCertificate) KMIPClientCertificates {
return KMIPClientCertificates{
Metadata: CollectionMetadata{
CollectionType: kmipClientCertType,
CollectionTotal: 1,
},
Certificates: []KMIPClientCertificate{cert},
}
}
func unwrapKMIPClientCert(certs *KMIPClientCertificates) *KMIPClientCertificate {
return &certs.Certificates[0]
}


@ -0,0 +1,122 @@
package kp
import (
"context"
"fmt"
"strconv"
"strings"
"time"
)
const (
kmipObjectSubPath = "kmip_objects"
kmipObjectType = "application/vnd.ibm.kms.kmip_object+json"
)
type KMIPObject struct {
ID string `json:"id,omitempty"`
KMIPObjectType int `json:"kmip_object_type,omitempty"`
ObjectState int `json:"state,omitempty"`
CreatedByCertID string `json:"created_by_kmip_client_cert_id,omitempty"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
UpdatedByCertID string `json:"updated_by_kmip_client_cert_id,omitempty"`
UpdatedBy string `json:"updated_by,omitempty"`
UpdatedAt *time.Time `json:"updated_at,omitempty"`
DestroyedByCertID string `json:"destroyed_by_kmip_client_cert_id,omitempty"`
DestroyedBy string `json:"destroyed_by,omitempty"`
DestroyedAt *time.Time `json:"destroyed_at,omitempty"`
}
type KMIPObjects struct {
Metadata CollectionMetadata `json:"metadata"`
Objects []KMIPObject `json:"resources"`
}
type ListKmipObjectsOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
ObjectStateFilter *[]int32
}
func (c *Client) GetKMIPObjects(ctx context.Context, adapter_id string, listOpts *ListKmipObjectsOptions) (*KMIPObjects, error) {
objects := KMIPObjects{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_id, kmipObjectSubPath), nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
if listOpts.ObjectStateFilter != nil {
var stateStrs []string
for _, i := range *listOpts.ObjectStateFilter {
stateStrs = append(stateStrs, strconv.FormatInt(int64(i), 10))
}
values.Set("state", strings.Join(stateStrs, ","))
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &objects)
if err != nil {
return nil, err
}
return &objects, nil
}
func (c *Client) GetKMIPObject(ctx context.Context, adapter_id, object_id string) (*KMIPObject, error) {
objects := &KMIPObjects{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, objects)
if err != nil {
return nil, err
}
return unwrapKMIPObject(objects), nil
}
func (c *Client) DeleteKMIPObject(ctx context.Context, adapter_id, object_id string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPObject(object KMIPObject) KMIPObjects {
return KMIPObjects{
Metadata: CollectionMetadata{
CollectionType: kmipObjectType,
CollectionTotal: 1,
},
Objects: []KMIPObject{object},
}
}
func unwrapKMIPObject(objects *KMIPObjects) *KMIPObject {
return &objects.Objects[0]
}


@ -23,7 +23,6 @@ import (
"errors" "errors"
"fmt" "fmt"
"io" "io"
"io/ioutil"
"net/http" "net/http"
"net/url" "net/url"
"strings" "strings"
@ -276,7 +275,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, res interface{}) (*h
} }
defer response.Body.Close() defer response.Body.Close()
resBody, err := ioutil.ReadAll(response.Body) resBody, err := io.ReadAll(response.Body)
redact := []string{c.Config.APIKey, req.Header.Get("authorization")} redact := []string{c.Config.APIKey, req.Header.Get("authorization")}
c.Dump(req, response, []byte{}, resBody, c.Logger, redact) c.Dump(req, response, []byte{}, resBody, c.Logger, redact)
if err != nil { if err != nil {
@ -515,3 +514,17 @@ func redact(s string, redactStrings []string) string {
func noredact(s string, redactStrings []string) string { func noredact(s string, redactStrings []string) string {
return s return s
} }
// Collection Metadata is generic and can be shared between multiple resource types
type CollectionMetadata struct {
CollectionType string `json:"collectionType"`
CollectionTotal int `json:"collectionTotal"`
TotalCount int `json:"totalCount,omitempty"`
}
// ListsOptions struct to add the query parameters for list functions. Extensible.
type ListOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
}


@ -0,0 +1,18 @@
package aws
// AccountIDEndpointMode controls how a resolved AWS account ID is handled for endpoint routing.
type AccountIDEndpointMode string
const (
// AccountIDEndpointModeUnset indicates the AWS account ID will not be used for endpoint routing
AccountIDEndpointModeUnset AccountIDEndpointMode = ""
// AccountIDEndpointModePreferred indicates the AWS account ID will be used for endpoint routing if present
AccountIDEndpointModePreferred = "preferred"
// AccountIDEndpointModeRequired indicates an error will be returned if the AWS account ID is not resolved from identity
AccountIDEndpointModeRequired = "required"
// AccountIDEndpointModeDisabled indicates the AWS account ID will be ignored during endpoint routing
AccountIDEndpointModeDisabled = "disabled"
)


@ -162,6 +162,9 @@ type Config struct {
// This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or // This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or
// the shared config profile attribute request_min_compression_size_bytes // the shared config profile attribute request_min_compression_size_bytes
RequestMinCompressSizeBytes int64 RequestMinCompressSizeBytes int64
// Controls how a resolved AWS account ID is handled for endpoint routing.
AccountIDEndpointMode AccountIDEndpointMode
} }
// NewConfig returns a new Config pointer that can be chained with builder // NewConfig returns a new Config pointer that can be chained with builder


@ -90,6 +90,9 @@ type Credentials struct {
// The time the credentials will expire at. Should be ignored if CanExpire // The time the credentials will expire at. Should be ignored if CanExpire
// is false. // is false.
Expires time.Time Expires time.Time
// The ID of the account for the credentials.
AccountID string
} }
// Expired returns if the credentials have expired. // Expired returns if the credentials have expired.


@ -70,6 +70,10 @@ func GetUseFIPSEndpoint(options ...interface{}) (value FIPSEndpointState, found
// The SDK will automatically resolve these endpoints per API client using an // The SDK will automatically resolve these endpoints per API client using an
// internal endpoint resolvers. If you'd like to provide custom endpoint // internal endpoint resolvers. If you'd like to provide custom endpoint
// resolving behavior you can implement the EndpointResolver interface. // resolving behavior you can implement the EndpointResolver interface.
//
// Deprecated: This structure was used with the global [EndpointResolver]
// interface, which has been deprecated in favor of service-specific endpoint
// resolution. See the deprecation docs on that interface for more information.
type Endpoint struct { type Endpoint struct {
// The base URL endpoint the SDK API clients will use to make API calls to. // The base URL endpoint the SDK API clients will use to make API calls to.
// The SDK will suffix URI path and query elements to this endpoint. // The SDK will suffix URI path and query elements to this endpoint.
@ -124,6 +128,8 @@ type Endpoint struct {
} }
// EndpointSource is the endpoint source type. // EndpointSource is the endpoint source type.
//
// Deprecated: The global [Endpoint] structure is deprecated.
type EndpointSource int type EndpointSource int
const ( const (
@ -161,19 +167,25 @@ func (e *EndpointNotFoundError) Unwrap() error {
// API clients will fallback to attempting to resolve the endpoint using its // API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver. // internal default endpoint resolver.
// //
// Deprecated: See EndpointResolverWithOptions // Deprecated: The global endpoint resolution interface is deprecated. The API
// for endpoint resolution is now unique to each service and is set via the
// EndpointResolverV2 field on service client options. Setting a value for
// EndpointResolver on aws.Config or service client options will prevent you
// from using any endpoint-related service features released after the
// introduction of EndpointResolverV2. You may also encounter broken or
// unexpected behavior when using the old global interface with services that
// use many endpoint-related customizations such as S3.
type EndpointResolver interface { type EndpointResolver interface {
ResolveEndpoint(service, region string) (Endpoint, error) ResolveEndpoint(service, region string) (Endpoint, error)
} }
// EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface. // EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface.
// //
// Deprecated: See EndpointResolverWithOptionsFunc // Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverFunc func(service, region string) (Endpoint, error) type EndpointResolverFunc func(service, region string) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results. // ResolveEndpoint calls the wrapped function and returns the results.
//
// Deprecated: See EndpointResolverWithOptions.ResolveEndpoint
func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) { func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) {
return e(service, region) return e(service, region)
} }
@ -184,11 +196,17 @@ func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint,
// available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error, // available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error,
// API clients will fallback to attempting to resolve the endpoint using its // API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver. // internal default endpoint resolver.
//
// Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptions interface { type EndpointResolverWithOptions interface {
ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error) ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error)
} }
// EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface. // EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface.
//
// Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error) type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results. // ResolveEndpoint calls the wrapped function and returns the results.


@ -3,4 +3,4 @@
package aws package aws
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.25.2" const goModuleVersion = "1.30.0"


@ -112,6 +112,8 @@ type MetricData struct {
ResolveEndpointStartTime time.Time ResolveEndpointStartTime time.Time
ResolveEndpointEndTime time.Time ResolveEndpointEndTime time.Time
EndpointResolutionDuration time.Duration EndpointResolutionDuration time.Duration
GetIdentityStartTime time.Time
GetIdentityEndTime time.Time
InThroughput float64 InThroughput float64
OutThroughput float64 OutThroughput float64
RetryCount int RetryCount int
@ -122,6 +124,7 @@ type MetricData struct {
OperationName string OperationName string
PartitionID string PartitionID string
Region string Region string
UserAgent string
RequestContentLength int64 RequestContentLength int64
Stream StreamMetrics Stream StreamMetrics
Attempts []AttemptMetrics Attempts []AttemptMetrics
@ -144,8 +147,6 @@ type AttemptMetrics struct {
ConnRequestedTime time.Time ConnRequestedTime time.Time
ConnObtainedTime time.Time ConnObtainedTime time.Time
ConcurrencyAcquireDuration time.Duration ConcurrencyAcquireDuration time.Duration
CredentialFetchStartTime time.Time
CredentialFetchEndTime time.Time
SignStartTime time.Time SignStartTime time.Time
SignEndTime time.Time SignEndTime time.Time
SigningDuration time.Duration SigningDuration time.Duration


@ -5,6 +5,7 @@ import (
"fmt" "fmt"
"os" "os"
"runtime" "runtime"
"sort"
"strings" "strings"
"github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws"
@ -30,6 +31,7 @@ const (
FrameworkMetadata FrameworkMetadata
AdditionalMetadata AdditionalMetadata
ApplicationIdentifier ApplicationIdentifier
FeatureMetadata2
) )
func (k SDKAgentKeyType) string() string { func (k SDKAgentKeyType) string() string {
@ -50,6 +52,8 @@ func (k SDKAgentKeyType) string() string {
return "lib" return "lib"
case ApplicationIdentifier: case ApplicationIdentifier:
return "app" return "app"
case FeatureMetadata2:
return "m"
case AdditionalMetadata: case AdditionalMetadata:
fallthrough fallthrough
default: default:
@ -64,9 +68,29 @@ var validChars = map[rune]bool{
'-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true, '-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true,
} }
// UserAgentFeature enumerates tracked SDK features.
type UserAgentFeature string
// Enumerates UserAgentFeature.
const (
UserAgentFeatureResourceModel UserAgentFeature = "A" // n/a (we don't generate separate resource types)
UserAgentFeatureWaiter = "B"
UserAgentFeaturePaginator = "C"
UserAgentFeatureRetryModeLegacy = "D" // n/a (equivalent to standard)
UserAgentFeatureRetryModeStandard = "E"
UserAgentFeatureRetryModeAdaptive = "F"
UserAgentFeatureS3Transfer = "G"
UserAgentFeatureS3CryptoV1N = "H" // n/a (crypto client is external)
UserAgentFeatureS3CryptoV2 = "I" // n/a
UserAgentFeatureS3ExpressBucket = "J"
UserAgentFeatureS3AccessGrants = "K" // not yet implemented
UserAgentFeatureGZIPRequestCompression = "L"
)
// RequestUserAgent is a build middleware that set the User-Agent for the request. // RequestUserAgent is a build middleware that set the User-Agent for the request.
type RequestUserAgent struct { type RequestUserAgent struct {
sdkAgent, userAgent *smithyhttp.UserAgentBuilder sdkAgent, userAgent *smithyhttp.UserAgentBuilder
features map[UserAgentFeature]struct{}
} }
// NewRequestUserAgent returns a new requestUserAgent which will set the User-Agent and X-Amz-User-Agent for the // NewRequestUserAgent returns a new requestUserAgent which will set the User-Agent and X-Amz-User-Agent for the
@ -87,6 +111,7 @@ func NewRequestUserAgent() *RequestUserAgent {
r := &RequestUserAgent{ r := &RequestUserAgent{
sdkAgent: sdkAgent, sdkAgent: sdkAgent,
userAgent: userAgent, userAgent: userAgent,
features: map[UserAgentFeature]struct{}{},
} }
addSDKMetadata(r) addSDKMetadata(r)
@ -191,6 +216,12 @@ func (u *RequestUserAgent) AddUserAgentKeyValue(key, value string) {
u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value)) u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value))
} }
// AddUserAgentFeature adds the feature ID to the tracking list to be emitted
// in the final User-Agent string.
func (u *RequestUserAgent) AddUserAgentFeature(feature UserAgentFeature) {
u.features[feature] = struct{}{}
}
// AddSDKAgentKey adds the component identified by name to the User-Agent string. // AddSDKAgentKey adds the component identified by name to the User-Agent string.
func (u *RequestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) { func (u *RequestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) {
// TODO: should target sdkAgent // TODO: should target sdkAgent
@ -227,6 +258,9 @@ func (u *RequestUserAgent) HandleBuild(ctx context.Context, in middleware.BuildI
func (u *RequestUserAgent) addHTTPUserAgent(request *smithyhttp.Request) { func (u *RequestUserAgent) addHTTPUserAgent(request *smithyhttp.Request) {
const userAgent = "User-Agent" const userAgent = "User-Agent"
updateHTTPHeader(request, userAgent, u.userAgent.Build()) updateHTTPHeader(request, userAgent, u.userAgent.Build())
if len(u.features) > 0 {
updateHTTPHeader(request, userAgent, buildFeatureMetrics(u.features))
}
} }
func (u *RequestUserAgent) addHTTPSDKAgent(request *smithyhttp.Request) { func (u *RequestUserAgent) addHTTPSDKAgent(request *smithyhttp.Request) {
@ -259,3 +293,13 @@ func rules(r rune) rune {
return '-' return '-'
} }
} }
func buildFeatureMetrics(features map[UserAgentFeature]struct{}) string {
fs := make([]string, 0, len(features))
for f := range features {
fs = append(fs, string(f))
}
sort.Strings(fs)
return fmt.Sprintf("%s/%s", FeatureMetadata2.string(), strings.Join(fs, ","))
}


@ -0,0 +1,20 @@
package ratelimit
import "context"
// None implements a no-op rate limiter which effectively disables client-side
// rate limiting (also known as "retry quotas").
//
// GetToken does nothing and always returns a nil error. The returned
// token-release function does nothing, and always returns a nil error.
//
// AddTokens does nothing and always returns a nil error.
var None = &none{}
type none struct{}
func (*none) GetToken(ctx context.Context, cost uint) (func() error, error) {
return func() error { return nil }, nil
}
func (*none) AddTokens(v uint) error { return nil }


@ -2,12 +2,15 @@ package retry
import ( import (
"context" "context"
"errors"
"fmt" "fmt"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
"strconv" "strconv"
"strings" "strings"
"time" "time"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws"
awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware" awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/internal/sdk" "github.com/aws/aws-sdk-go-v2/internal/sdk"
@ -39,6 +42,10 @@ type Attempt struct {
requestCloner RequestCloner requestCloner RequestCloner
} }
// define the threshold at which we will consider certain kind of errors to be probably
// caused by clock skew
const skewThreshold = 4 * time.Minute
// NewAttemptMiddleware returns a new Attempt retry middleware. // NewAttemptMiddleware returns a new Attempt retry middleware.
func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt { func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt {
m := &Attempt{ m := &Attempt{
@ -86,6 +93,9 @@ func (r *Attempt) HandleFinalize(ctx context.Context, in smithymiddle.FinalizeIn
AttemptClockSkew: attemptClockSkew, AttemptClockSkew: attemptClockSkew,
}) })
// Setting clock skew to be used on other context (like signing)
ctx = internalcontext.SetAttemptSkewContext(ctx, attemptClockSkew)
var attemptResult AttemptResult var attemptResult AttemptResult
out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next) out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next)
attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata) attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata)
@ -185,6 +195,8 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, nopRelease, err return out, attemptResult, nopRelease, err
} }
err = wrapAsClockSkew(ctx, err)
//------------------------------ //------------------------------
// Is Retryable and Should Retry // Is Retryable and Should Retry
//------------------------------ //------------------------------
@ -247,6 +259,37 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, releaseRetryToken, err return out, attemptResult, releaseRetryToken, err
} }
// errors that, if detected when we know there's a clock skew,
// can be retried and have a high chance of success
var possibleSkewCodes = map[string]struct{}{
"InvalidSignatureException": {},
"SignatureDoesNotMatch": {},
"AuthFailure": {},
}
var definiteSkewCodes = map[string]struct{}{
"RequestExpired": {},
"RequestInTheFuture": {},
"RequestTimeTooSkewed": {},
}
// wrapAsClockSkew checks if this error could be related to a clock skew
// error and if so, wrap the error.
func wrapAsClockSkew(ctx context.Context, err error) error {
var v interface{ ErrorCode() string }
if !errors.As(err, &v) {
return err
}
if _, ok := definiteSkewCodes[v.ErrorCode()]; ok {
return &retryableClockSkewError{Err: err}
}
_, isPossibleSkewCode := possibleSkewCodes[v.ErrorCode()]
if skew := internalcontext.GetAttemptSkewContext(ctx); skew > skewThreshold && isPossibleSkewCode {
return &retryableClockSkewError{Err: err}
}
return err
}
// MetricsHeader attaches SDK request metric header for retries to the transport // MetricsHeader attaches SDK request metric header for retries to the transport
type MetricsHeader struct{} type MetricsHeader struct{}


@ -2,6 +2,7 @@ package retry
import ( import (
"errors" "errors"
"fmt"
"net" "net"
"net/url" "net/url"
"strings" "strings"
@ -199,3 +200,23 @@ func (r RetryableErrorCode) IsErrorRetryable(err error) aws.Ternary {
return aws.TrueTernary return aws.TrueTernary
} }
// retryableClockSkewError marks errors that can be caused by clock skew
// (difference between server time and client time).
// This is returned when there's certain confidence that adjusting the client time
// could allow a retry to succeed
type retryableClockSkewError struct{ Err error }
func (e *retryableClockSkewError) Error() string {
return fmt.Sprintf("Probable clock skew error: %v", e.Err)
}
// Unwrap returns the wrapped error.
func (e *retryableClockSkewError) Unwrap() error {
return e.Err
}
// RetryableError allows the retryer to retry this request
func (e *retryableClockSkewError) RetryableError() bool {
return true
}


@ -123,6 +123,17 @@ type StandardOptions struct {
// Provides the rate limiting strategy for rate limiting attempt retries // Provides the rate limiting strategy for rate limiting attempt retries
// across all attempts the retryer is being used with. // across all attempts the retryer is being used with.
//
// A RateLimiter operates as a token bucket with a set capacity, where
// attempt failures events consume tokens. A retry attempt that attempts to
// consume more tokens than what's available results in operation failure.
// The default implementation is parameterized as follows:
// - a capacity of 500 (DefaultRetryRateTokens)
// - a retry caused by a timeout costs 10 tokens (DefaultRetryCost)
// - a retry caused by other errors costs 5 tokens (DefaultRetryTimeoutCost)
// - an operation that succeeds on the 1st attempt adds 1 token (DefaultNoRetryIncrement)
//
// You can disable rate limiting by setting this field to ratelimit.None.
RateLimiter RateLimiter RateLimiter RateLimiter
// The cost to deduct from the RateLimiter's token bucket per retry. // The cost to deduct from the RateLimiter's token bucket per retry.


@ -38,7 +38,6 @@ var RequiredSignedHeaders = Rules{
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{}, "X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{},
"X-Amz-Expected-Bucket-Owner": struct{}{},
"X-Amz-Grant-Full-control": struct{}{}, "X-Amz-Grant-Full-control": struct{}{},
"X-Amz-Grant-Read": struct{}{}, "X-Amz-Grant-Read": struct{}{},
"X-Amz-Grant-Read-Acp": struct{}{}, "X-Amz-Grant-Read-Acp": struct{}{},


@ -11,7 +11,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/aws"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4" v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth" internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
"github.com/aws/aws-sdk-go-v2/internal/sdk" "github.com/aws/aws-sdk-go-v2/internal/sdk"
@ -301,22 +300,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")} return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
} }
mctx := metrics.Context(ctx)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.CredentialFetchStartTime = sdk.NowTime()
}
}
credentials, err := s.credentialsProvider.Retrieve(ctx) credentials, err := s.credentialsProvider.Retrieve(ctx)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.CredentialFetchEndTime = sdk.NowTime()
}
}
if err != nil { if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)} return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
} }
@ -337,20 +321,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
}) })
} }
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.SignStartTime = sdk.NowTime()
}
}
err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...) err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.SignEndTime = sdk.NowTime()
}
}
if err != nil { if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)} return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
} }


@ -1,48 +1,41 @@
// Package v4 implements signing for AWS V4 signer // Package v4 implements the AWS signature version 4 algorithm (commonly known
// as SigV4).
// //
// Provides request signing for request that need to be signed with // For more information about SigV4, see [Signing AWS API requests] in the IAM
// AWS V4 Signatures. // user guide.
// //
// # Standalone Signer // While this implementation CAN work in an external context, it is developed
// primarily for SDK use and you may encounter fringe behaviors around header
// canonicalization.
// //
// Generally using the signer outside of the SDK should not require any additional // # Pre-escaping a request URI
// //
// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires // AWS v4 signature validation requires that the canonical string's URI path
// component must be the escaped form of the HTTP request's path.
// //
// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent // The Go HTTP client will perform escaping automatically on the HTTP request.
// to the service as. // This may cause signature validation errors because the request differs from
// the URI path or query from which the signature was generated.
// //
// The signer will first check the URL.Opaque field, and use its value if set. // Because of this, we recommend that you explicitly escape the request when
// The signer does require the URL.Opaque field to be set in the form of: // using this signer outside of the SDK to prevent possible signature mismatch.
// This can be done by setting URL.Opaque on the request. The signer will
// prefer that value, falling back to the return of URL.EscapedPath if unset.
//
// When setting URL.Opaque you must do so in the form of:
// //
// "//<hostname>/<path>" // "//<hostname>/<path>"
// //
// // e.g. // // e.g.
// "//example.com/some/path" // "//example.com/some/path"
// //
// The leading "//" and hostname are required or the URL.Opaque escaping will // The leading "//" and hostname are required or the escaping will not work
// not work correctly. // correctly.
// //
// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath() // The TestStandaloneSign unit test provides a complete example of using the
// method and using the returned value. // signer outside of the SDK and pre-escaping the URI path.
// //
// AWS v4 signature validation requires that the canonical string's URI path // [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
// element must be the URI escaped form of the HTTP request's path.
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
//
// The Go HTTP client will perform escaping automatically on the request. Some
// of these escaping may cause signature validation errors because the HTTP
// request differs from the URI path or query that the signature was generated.
// https://golang.org/pkg/net/url/#URL.EscapedPath
//
// Because of this, it is recommended that when using the signer outside of the
// SDK that explicitly escaping the request prior to being signed is preferable,
// and will help prevent signature validation errors. This can be done by setting
// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
// call URL.EscapedPath() if Opaque is not set.
//
// Test `TestStandaloneSign` provides a complete example of using the signer
// outside of the SDK and pre-escaping the URI path.
package v4 package v4
import ( import (
@ -402,6 +395,12 @@ func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header)
query := url.Values{} query := url.Values{}
unsignedHeaders := http.Header{} unsignedHeaders := http.Header{}
for k, h := range header { for k, h := range header {
// literally just this header has this constraint for some stupid reason,
// see #2508
if k == "X-Amz-Expected-Bucket-Owner" {
k = "x-amz-expected-bucket-owner"
}
if r.IsValid(k) { if r.IsValid(k) {
query[k] = h query[k] = h
} else { } else {
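Review bot: The comment on the `X-Amz-Expected-Bucket-Owner` special case in buildQuery ("for some stupid reason, see #2508") tells the next maintainer nothing about why this one header key is rewritten to lowercase before the `r.IsValid(k)` check while every other key is passed through unchanged, and the lowercased name is what ends up as the query parameter key. Replace it with the actual constraint the issue describes, along the lines of `// X-Amz-Expected-Bucket-Owner must appear in the query string with a lowercase name (see #2508); other headers keep their canonical casing.`, confirming the exact wording against the issue before stating it as fact. Since this is upstream SDK code pulled in by the bump, the wording change belongs upstream rather than in this vendor copy. buildQuery's signature and the rest of its body are outside this hunk.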


@ -5,6 +5,7 @@ import (
"fmt" "fmt"
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/aws-sdk-go-v2/internal/sdk" "github.com/aws/aws-sdk-go-v2/internal/sdk"
"github.com/aws/smithy-go" "github.com/aws/smithy-go"
"github.com/aws/smithy-go/auth" "github.com/aws/smithy-go/auth"
@ -39,7 +40,10 @@ func (v *V4SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request
} }
hash := v4.GetPayloadHash(ctx) hash := v4.GetPayloadHash(ctx)
err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, sdk.NowTime(), func(o *v4.SignerOptions) { signingTime := sdk.NowTime()
skew := internalcontext.GetAttemptSkewContext(ctx)
signingTime = signingTime.Add(skew)
err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, signingTime, func(o *v4.SignerOptions) {
o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props) o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
o.Logger = v.Logger o.Logger = v.Logger
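Review bot: The skew is added to the SigV4 signing time here without any comment on where it comes from or that it is applied unconditionally, and the older signing path visible earlier on this page (SignHTTPRequestMiddleware.HandleFinalize) still calls `SignHTTP(..., sdk.NowTime(), ...)` with no skew, so only requests routed through V4SignerAdapter get the correction; whether that split is intentional is not visible here. Document the two lines, e.g. `// Shift X-Amz-Date by the clock skew recorded for this attempt (zero when none has been observed); see AddTimeOffsetMiddleware for how the value is propagated.` Because the value feeds the signed timestamp of every request, it is worth noting in the same comment that the skew is presumably derived from a server response and is not bounded at this point, so a bad Date from one endpoint would shift signing time for later requests — confirm against the code that sets the context value, which is outside this hunk. SignRequest starts before and ends after this hunk.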


@ -1,3 +1,43 @@
# v1.3.12 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.11 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.10 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.9 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.8 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.7 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.6 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.5 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.4 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.3 (2024-03-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.2 (2024-02-23) # v1.3.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package configsources package configsources
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.3.2" const goModuleVersion = "1.3.12"


@ -0,0 +1,52 @@
package context
import (
"context"
"time"
"github.com/aws/smithy-go/middleware"
)
type s3BackendKey struct{}
type checksumInputAlgorithmKey struct{}
type clockSkew struct{}
const (
// S3BackendS3Express identifies the S3Express backend
S3BackendS3Express = "S3Express"
)
// SetS3Backend stores the resolved endpoint backend within the request
// context, which is required for a variety of custom S3 behaviors.
func SetS3Backend(ctx context.Context, typ string) context.Context {
return middleware.WithStackValue(ctx, s3BackendKey{}, typ)
}
// GetS3Backend retrieves the stored endpoint backend within the context.
func GetS3Backend(ctx context.Context) string {
v, _ := middleware.GetStackValue(ctx, s3BackendKey{}).(string)
return v
}
// SetChecksumInputAlgorithm sets the request checksum algorithm on the
// context.
func SetChecksumInputAlgorithm(ctx context.Context, value string) context.Context {
return middleware.WithStackValue(ctx, checksumInputAlgorithmKey{}, value)
}
// GetChecksumInputAlgorithm returns the checksum algorithm from the context.
func GetChecksumInputAlgorithm(ctx context.Context) string {
v, _ := middleware.GetStackValue(ctx, checksumInputAlgorithmKey{}).(string)
return v
}
// SetAttemptSkewContext sets the clock skew value on the context
func SetAttemptSkewContext(ctx context.Context, v time.Duration) context.Context {
return middleware.WithStackValue(ctx, clockSkew{}, v)
}
// GetAttemptSkewContext gets the clock skew value from the context
func GetAttemptSkewContext(ctx context.Context) time.Duration {
x, _ := middleware.GetStackValue(ctx, clockSkew{}).(time.Duration)
return x
}


@ -17,6 +17,7 @@ type PartitionConfig struct {
DualStackDnsSuffix string `json:"dualStackDnsSuffix"` DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
SupportsFIPS bool `json:"supportsFIPS"` SupportsFIPS bool `json:"supportsFIPS"`
SupportsDualStack bool `json:"supportsDualStack"` SupportsDualStack bool `json:"supportsDualStack"`
ImplicitGlobalRegion string `json:"implicitGlobalRegion"`
} }
type RegionOverrides struct { type RegionOverrides struct {


@ -18,6 +18,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "api.aws", DualStackDnsSuffix: "api.aws",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: true, SupportsDualStack: true,
ImplicitGlobalRegion: "us-east-1",
}, },
Regions: map[string]RegionOverrides{ Regions: map[string]RegionOverrides{
"af-south-1": { "af-south-1": {
@ -111,6 +112,13 @@ var partitions = []Partition{
SupportsFIPS: nil, SupportsFIPS: nil,
SupportsDualStack: nil, SupportsDualStack: nil,
}, },
"ca-west-1": {
Name: nil,
DnsSuffix: nil,
DualStackDnsSuffix: nil,
SupportsFIPS: nil,
SupportsDualStack: nil,
},
"eu-central-1": { "eu-central-1": {
Name: nil, Name: nil,
DnsSuffix: nil, DnsSuffix: nil,
@ -234,6 +242,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "api.amazonwebservices.com.cn", DualStackDnsSuffix: "api.amazonwebservices.com.cn",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: true, SupportsDualStack: true,
ImplicitGlobalRegion: "cn-northwest-1",
}, },
Regions: map[string]RegionOverrides{ Regions: map[string]RegionOverrides{
"aws-cn-global": { "aws-cn-global": {
@ -268,6 +277,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "api.aws", DualStackDnsSuffix: "api.aws",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: true, SupportsDualStack: true,
ImplicitGlobalRegion: "us-gov-west-1",
}, },
Regions: map[string]RegionOverrides{ Regions: map[string]RegionOverrides{
"aws-us-gov-global": { "aws-us-gov-global": {
@ -302,6 +312,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "c2s.ic.gov", DualStackDnsSuffix: "c2s.ic.gov",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: false, SupportsDualStack: false,
ImplicitGlobalRegion: "us-iso-east-1",
}, },
Regions: map[string]RegionOverrides{ Regions: map[string]RegionOverrides{
"aws-iso-global": { "aws-iso-global": {
@ -336,6 +347,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "sc2s.sgov.gov", DualStackDnsSuffix: "sc2s.sgov.gov",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: false, SupportsDualStack: false,
ImplicitGlobalRegion: "us-isob-east-1",
}, },
Regions: map[string]RegionOverrides{ Regions: map[string]RegionOverrides{
"aws-iso-b-global": { "aws-iso-b-global": {
@ -363,8 +375,17 @@ var partitions = []Partition{
DualStackDnsSuffix: "cloud.adc-e.uk", DualStackDnsSuffix: "cloud.adc-e.uk",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: false, SupportsDualStack: false,
ImplicitGlobalRegion: "eu-isoe-west-1",
},
Regions: map[string]RegionOverrides{
"eu-isoe-west-1": {
Name: nil,
DnsSuffix: nil,
DualStackDnsSuffix: nil,
SupportsFIPS: nil,
SupportsDualStack: nil,
},
}, },
Regions: map[string]RegionOverrides{},
}, },
{ {
ID: "aws-iso-f", ID: "aws-iso-f",
@ -375,6 +396,7 @@ var partitions = []Partition{
DualStackDnsSuffix: "csp.hci.ic.gov", DualStackDnsSuffix: "csp.hci.ic.gov",
SupportsFIPS: true, SupportsFIPS: true,
SupportsDualStack: false, SupportsDualStack: false,
ImplicitGlobalRegion: "us-isof-south-1",
}, },
Regions: map[string]RegionOverrides{}, Regions: map[string]RegionOverrides{},
}, },


@ -198,7 +198,11 @@
"supportsFIPS" : true "supportsFIPS" : true
}, },
"regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$", "regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$",
"regions" : { } "regions" : {
"eu-isoe-west-1" : {
"description" : "EU ISOE West"
}
}
}, { }, {
"id" : "aws-iso-f", "id" : "aws-iso-f",
"outputs" : { "outputs" : {


@ -1,3 +1,44 @@
# v2.6.12 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.11 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.10 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.9 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.8 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.7 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.6 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.5 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.4 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.3 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.2 (2024-02-23) # v2.6.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package endpoints package endpoints
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "2.6.2" const goModuleVersion = "2.6.12"


@ -0,0 +1,42 @@
package middleware
import (
"context"
"sync/atomic"
"time"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/smithy-go/middleware"
)
// AddTimeOffsetMiddleware sets a value representing clock skew on the request context.
// This can be read by other operations (such as signing) to correct the date value they send
// on the request
type AddTimeOffsetMiddleware struct {
Offset *atomic.Int64
}
// ID the identifier for AddTimeOffsetMiddleware
func (m *AddTimeOffsetMiddleware) ID() string { return "AddTimeOffsetMiddleware" }
// HandleBuild sets a value for attemptSkew on the request context if one is set on the client.
func (m AddTimeOffsetMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
) {
if m.Offset != nil {
offset := time.Duration(m.Offset.Load())
ctx = internalcontext.SetAttemptSkewContext(ctx, offset)
}
return next.HandleBuild(ctx, in)
}
// HandleDeserialize gets the clock skew context from the context, and if set, sets it on the pointer
// held by AddTimeOffsetMiddleware
func (m *AddTimeOffsetMiddleware) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
) {
if v := internalcontext.GetAttemptSkewContext(ctx); v != 0 {
m.Offset.Store(v.Nanoseconds())
}
return next.HandleDeserialize(ctx, in)
}
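Review bot: HandleDeserialize dereferences `m.Offset` with no nil check, while HandleBuild guards the same pointer with `if m.Offset != nil`; a middleware registered with a nil Offset (the field is only populated when the service client's constructor sets it, so a zero-value or hand-built client would leave it nil) panics on the first response that carries a non-zero skew. Guard it the same way: `if v := internalcontext.GetAttemptSkewContext(ctx); m.Offset != nil && v != 0 {` followed by the existing `m.Offset.Store(v.Nanoseconds())` and `}`. As a point of style, HandleBuild uses a value receiver while ID and HandleDeserialize use pointer receivers; since the middleware is registered as a pointer, make all three pointer receivers. It would also help readers to state in the type comment that the stored offset is shared by every request on the client and is overwritten by whatever skew the last attempt recorded, since that value goes into signing; where the skew is computed from is not visible in this file.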


@ -1,3 +1,7 @@
# v1.11.2 (2024-03-29)
* No change notes available for this release.
# v1.11.1 (2024-02-21) # v1.11.1 (2024-02-21)
* No change notes available for this release. * No change notes available for this release.


@ -3,4 +3,4 @@
package acceptencoding package acceptencoding
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.11.1" const goModuleVersion = "1.11.2"


@ -1,3 +1,52 @@
# v1.11.14 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.13 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.12 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.11 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.10 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.9 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.8 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.7 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.6 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.5 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.4 (2024-03-05)
* **Bug Fix**: Restore typo'd API `AddAsIsInternalPresigingMiddleware` as an alias for backwards compatibility.
# v1.11.3 (2024-03-04)
* **Bug Fix**: Correct a typo in internal AddAsIsPresigningMiddleware API.
# v1.11.2 (2024-02-23) # v1.11.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -27,13 +27,21 @@ func GetIsPresigning(ctx context.Context) bool {
type isPresigningKey struct{} type isPresigningKey struct{}
// AddAsIsPresigingMiddleware adds a middleware to the head of the stack that // AddAsIsPresigningMiddleware adds a middleware to the head of the stack that
// will update the stack's context to be flagged as being invoked for the // will update the stack's context to be flagged as being invoked for the
// purpose of presigning. // purpose of presigning.
func AddAsIsPresigingMiddleware(stack *middleware.Stack) error { func AddAsIsPresigningMiddleware(stack *middleware.Stack) error {
return stack.Initialize.Add(asIsPresigningMiddleware{}, middleware.Before) return stack.Initialize.Add(asIsPresigningMiddleware{}, middleware.Before)
} }
// AddAsIsPresigingMiddleware is an alias for backwards compatibility.
//
// Deprecated: This API was released with a typo. Use
// [AddAsIsPresigningMiddleware] instead.
func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
return AddAsIsPresigningMiddleware(stack)
}
type asIsPresigningMiddleware struct{} type asIsPresigningMiddleware struct{}
func (asIsPresigningMiddleware) ID() string { return "AsIsPresigningMiddleware" } func (asIsPresigningMiddleware) ID() string { return "AsIsPresigningMiddleware" }


@ -3,4 +3,4 @@
package presignedurl package presignedurl
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.11.2" const goModuleVersion = "1.11.14"


@ -1,3 +1,63 @@
# v1.29.1 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.29.0 (2024-06-18)
* **Feature**: Track usage of various AWS SDK features in user-agent string.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.13 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.12 (2024-06-07)
* **Bug Fix**: Add clock skew correction on all service clients
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.11 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.10 (2024-05-23)
* No change notes available for this release.
# v1.28.9 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.8 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.7 (2024-05-08)
* **Bug Fix**: GoDoc improvement
# v1.28.6 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.5 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.4 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.3 (2024-03-05)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.2 (2024-03-04)
* **Bug Fix**: Update internal/presigned-url dependency for corrected API name.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.1 (2024-02-23) # v1.28.1 (2024-02-23)
* **Bug Fix**: Move all common, SDK-side middleware stack ops into the service client module to prevent cross-module compatibility issues in the future. * **Bug Fix**: Move all common, SDK-side middleware stack ops into the service client module to prevent cross-module compatibility issues in the future.


@ -15,15 +15,18 @@ import (
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth" internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy" internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources" internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding" acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url" presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
smithy "github.com/aws/smithy-go" smithy "github.com/aws/smithy-go"
smithyauth "github.com/aws/smithy-go/auth"
smithydocument "github.com/aws/smithy-go/document" smithydocument "github.com/aws/smithy-go/document"
"github.com/aws/smithy-go/logging" "github.com/aws/smithy-go/logging"
"github.com/aws/smithy-go/middleware" "github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http" smithyhttp "github.com/aws/smithy-go/transport/http"
"net" "net"
"net/http" "net/http"
"sync/atomic"
"time" "time"
) )
@ -34,6 +37,9 @@ const ServiceAPIVersion = "2011-06-15"
// Service. // Service.
type Client struct { type Client struct {
options Options options Options
// Difference between the time reported by the server and the client
timeOffset *atomic.Int64
} }
// New returns an initialized Client based on the functional options. Provide // New returns an initialized Client based on the functional options. Provide
@ -72,6 +78,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
options: options, options: options,
} }
initializeTimeOffsetResolver(client)
return client return client
} }
@ -242,6 +250,7 @@ func NewFromConfig(cfg aws.Config, optFns ...func(*Options)) *Client {
Logger: cfg.Logger, Logger: cfg.Logger,
ClientLogMode: cfg.ClientLogMode, ClientLogMode: cfg.ClientLogMode,
AppID: cfg.AppID, AppID: cfg.AppID,
AccountIDEndpointMode: cfg.AccountIDEndpointMode,
} }
resolveAWSRetryerProvider(cfg, &opts) resolveAWSRetryerProvider(cfg, &opts)
resolveAWSRetryMaxAttempts(cfg, &opts) resolveAWSRetryMaxAttempts(cfg, &opts)
@ -445,6 +454,30 @@ func addContentSHA256Header(stack *middleware.Stack) error {
return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After) return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
} }
func addIsWaiterUserAgent(o *Options) {
o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
return nil
})
}
func addIsPaginatorUserAgent(o *Options) {
o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
return nil
})
}
func addRetry(stack *middleware.Stack, o Options) error { func addRetry(stack *middleware.Stack, o Options) error {
attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) { attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
m.LogAttempts = o.ClientLogMode.IsRetries() m.LogAttempts = o.ClientLogMode.IsRetries()
@ -488,6 +521,63 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
return nil return nil
} }
func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
if mode == aws.AccountIDEndpointModeDisabled {
return nil
}
if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
return aws.String(ca.Credentials.AccountID)
}
return nil
}
func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
if err := stack.Build.Add(&mw, middleware.After); err != nil {
return err
}
return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
}
func initializeTimeOffsetResolver(c *Client) {
c.timeOffset = new(atomic.Int64)
}
func checkAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) error {
switch mode {
case aws.AccountIDEndpointModeUnset:
case aws.AccountIDEndpointModePreferred:
case aws.AccountIDEndpointModeDisabled:
case aws.AccountIDEndpointModeRequired:
if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); !ok {
return fmt.Errorf("accountID is required but not set")
} else if ca.Credentials.AccountID == "" {
return fmt.Errorf("accountID is required but not set")
}
// default check in case invalid mode is configured through request config
default:
return fmt.Errorf("invalid accountID endpoint mode %s, must be preferred/required/disabled", mode)
}
return nil
}
func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
switch options.Retryer.(type) {
case *retry.Standard:
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
case *retry.AdaptiveMode:
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
}
return nil
}
func addRecursionDetection(stack *middleware.Stack) error { func addRecursionDetection(stack *middleware.Stack) error {
return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After) return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
} }
@ -643,7 +733,7 @@ func (c presignConverter) convertToPresignMiddleware(stack *middleware.Stack, op
if err != nil { if err != nil {
return err return err
} }
err = presignedurlcust.AddAsIsPresigingMiddleware(stack) err = presignedurlcust.AddAsIsPresigningMiddleware(stack)
if err != nil { if err != nil {
return err return err
} }
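Review bot: checkAccountID returns the identical error "accountID is required but not set" from two branches of the Required case, which reads as two distinct failure modes when it is one; collapse it to `if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); !ok || ca.Credentials.AccountID == "" {` / `return fmt.Errorf("accountID is required but not set")` / `}`. The empty Unset/Preferred/Disabled cases deserve a one-line comment (`// no account ID requirement in these modes`) so the fall-through is not mistaken for a missing implementation. Note also that resolveAccountID hands the credential's AccountID through unvalidated; if it ends up in an endpoint hostname (the resolver is not visible here) a format check before use would be prudent — confirm against the endpoint code. The `New` hunk shows `initializeTimeOffsetResolver(client)` as the only place `timeOffset` is set, so any Client not built through New passes a nil pointer into addTimeOffsetBuild.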


@ -16,69 +16,99 @@ import (
// Amazon Web Services resources. These temporary credentials consist of an access // Amazon Web Services resources. These temporary credentials consist of an access
// key ID, a secret access key, and a security token. Typically, you use AssumeRole // key ID, a secret access key, and a security token. Typically, you use AssumeRole
// within your account or for cross-account access. For a comparison of AssumeRole // within your account or for cross-account access. For a comparison of AssumeRole
// with other API operations that produce temporary credentials, see Requesting // with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // IAM User Guide.
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) //
// in the IAM User Guide. Permissions The temporary security credentials created by // # Permissions
// AssumeRole can be used to make API calls to any Amazon Web Services service //
// with the following exception: You cannot call the Amazon Web Services STS // The temporary security credentials created by AssumeRole can be used to make
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass // API calls to any Amazon Web Services service with the following exception: You
// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
// to this operation. You can pass a single JSON policy document to use as an // API operations.
// inline session policy. You can also specify up to 10 managed policy Amazon //
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// use for both inline and managed session policies can't exceed 2,048 characters. // single JSON policy document to use as an inline session policy. You can also
// Passing policies to this operation returns new temporary credentials. The // specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// resulting session's permissions are the intersection of the role's // session policies. The plaintext that you use for both inline and managed session
// identity-based policy and the session policies. You can use the role's temporary // policies can't exceed 2,048 characters. Passing policies to this operation
// credentials in subsequent Amazon Web Services API calls to access resources in // returns new temporary credentials. The resulting session's permissions are the
// the account that owns the role. You cannot use session policies to grant more // intersection of the role's identity-based policy and the session policies. You
// permissions than those allowed by the identity-based policy of the role that is // can use the role's temporary credentials in subsequent Amazon Web Services API
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // calls to access resources in the account that owns the role. You cannot use
// in the IAM User Guide. When you create a role, you create two policies: a role // session policies to grant more permissions than those allowed by the
// trust policy that specifies who can assume the role, and a permissions policy // identity-based policy of the role that is being assumed. For more information,
// that specifies what can be done with the role. You specify the trusted principal // see [Session Policies]in the IAM User Guide.
// that is allowed to assume the role in the role trust policy. To assume a role //
// from a different account, your Amazon Web Services account must be trusted by // When you create a role, you create two policies: a role trust policy that
// the role. The trust relationship is defined in the role's trust policy when the // specifies who can assume the role, and a permissions policy that specifies what
// role is created. That trust policy states which accounts are allowed to delegate // can be done with the role. You specify the trusted principal that is allowed to
// that access to users in the account. A user who wants to access a role in a // assume the role in the role trust policy.
// different account must also have permissions that are delegated from the account //
// administrator. The administrator must attach a policy that allows the user to // To assume a role from a different account, your Amazon Web Services account
// call AssumeRole for the ARN of the role in the other account. To allow a user // must be trusted by the role. The trust relationship is defined in the role's
// to assume a role in the same account, you can do either of the following: // trust policy when the role is created. That trust policy states which accounts
// are allowed to delegate that access to users in the account.
//
// A user who wants to access a role in a different account must also have
// permissions that are delegated from the account administrator. The administrator
// must attach a policy that allows the user to call AssumeRole for the ARN of the
// role in the other account.
//
// To allow a user to assume a role in the same account, you can do either of the
// following:
//
// - Attach a policy to the user that allows the user to call AssumeRole (as long // - Attach a policy to the user that allows the user to call AssumeRole (as long
// as the role's trust policy trusts the account). // as the role's trust policy trusts the account).
//
// - Add the user as a principal directly in the role's trust policy. // - Add the user as a principal directly in the role's trust policy.
// //
// You can do either because the roles trust policy acts as an IAM resource-based // You can do either because the roles trust policy acts as an IAM resource-based
// policy. When a resource-based policy grants access to a principal in the same // policy. When a resource-based policy grants access to a principal in the same
// account, no additional identity-based policy is required. For more information // account, no additional identity-based policy is required. For more information
// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) // about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your //
// session. These tags are called session tags. For more information about session // # Tags
// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) //
// in the IAM User Guide. An administrator must grant you the permissions necessary // (Optional) You can pass tag key-value pairs to your session. These tags are
// to pass session tags. The administrator can also create granular permissions to // called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
// allow you to pass only specific session tags. For more information, see // User Guide.
// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) //
// in the IAM User Guide. You can set the session tags as transitive. Transitive // An administrator must grant you the permissions necessary to pass session tags.
// tags persist during role chaining. For more information, see Chaining Roles // The administrator can also create granular permissions to allow you to pass only
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) // specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include //
// multi-factor authentication (MFA) information when you call AssumeRole . This is // You can set the session tags as transitive. Transitive tags persist during role
// useful for cross-account scenarios to ensure that the user that assumes the role // chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
// has been authenticated with an Amazon Web Services MFA device. In that scenario, //
// the trust policy of the role being assumed includes a condition that tests for // # Using MFA with AssumeRole
// MFA authentication. If the caller does not include valid MFA information, the //
// request to assume the role is denied. The condition in a trust policy that tests // (Optional) You can include multi-factor authentication (MFA) information when
// for MFA authentication might look like the following example. "Condition": // you call AssumeRole . This is useful for cross-account scenarios to ensure that
// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see // the user that assumes the role has been authenticated with an Amazon Web
// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) // Services MFA device. In that scenario, the trust policy of the role being
// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for // assumed includes a condition that tests for MFA authentication. If the caller
// the SerialNumber and TokenCode parameters. The SerialNumber value identifies // does not include valid MFA information, the request to assume the role is
// the user's hardware or virtual MFA device. The TokenCode is the time-based // denied. The condition in a trust policy that tests for MFA authentication might
// one-time password (TOTP) that the MFA device produces. // look like the following example.
//
// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
//
// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
//
// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
// parameters. The SerialNumber value identifies the user's hardware or virtual
// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
// MFA device produces.
//
// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) { func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
if params == nil { if params == nil {
params = &AssumeRoleInput{} params = &AssumeRoleInput{}
@ -101,17 +131,19 @@ type AssumeRoleInput struct {
// This member is required. // This member is required.
RoleArn *string RoleArn *string
// An identifier for the assumed role session. Use the role session name to // An identifier for the assumed role session.
// uniquely identify a session when the same role is assumed by different //
// principals or for different reasons. In cross-account scenarios, the role // Use the role session name to uniquely identify a session when the same role is
// session name is visible to, and can be logged by the account that owns the role. // assumed by different principals or for different reasons. In cross-account
// The role session name is also used in the ARN of the assumed role principal. // scenarios, the role session name is visible to, and can be logged by the account
// This means that subsequent cross-account API requests that use the temporary // that owns the role. The role session name is also used in the ARN of the assumed
// security credentials will expose the role session name to the external account // role principal. This means that subsequent cross-account API requests that use
// in their CloudTrail logs. The regex used to validate this parameter is a string // the temporary security credentials will expose the role session name to the
// of characters consisting of upper- and lower-case alphanumeric characters with // external account in their CloudTrail logs.
// no spaces. You can also include underscores or any of the following characters: //
// =,.@- // The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
// //
// This member is required. // This member is required.
RoleSessionName *string RoleSessionName *string
@ -122,23 +154,27 @@ type AssumeRoleInput struct {
// hours. If you specify a value higher than this setting or the administrator // hours. If you specify a value higher than this setting or the administrator
// setting (whichever is lower), the operation fails. For example, if you specify a // setting (whichever is lower), the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session // session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. Role chaining limits your Amazon Web // duration to 6 hours, your operation fails.
// Services CLI or Amazon Web Services API role session to a maximum of one hour. //
// When you use the AssumeRole API operation to assume a role, you can specify the // Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
// duration of your role session with the DurationSeconds parameter. You can // role session to a maximum of one hour. When you use the AssumeRole API
// specify a parameter value of up to 43200 seconds (12 hours), depending on the // operation to assume a role, you can specify the duration of your role session
// maximum session duration setting for your role. However, if you assume a role // with the DurationSeconds parameter. You can specify a parameter value of up to
// using role chaining and provide a DurationSeconds parameter value greater than // 43200 seconds (12 hours), depending on the maximum session duration setting for
// one hour, the operation fails. To learn how to view the maximum value for your // your role. However, if you assume a role using role chaining and provide a
// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // DurationSeconds parameter value greater than one hour, the operation fails. To
// in the IAM User Guide. By default, the value is set to 3600 seconds. The // learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
// DurationSeconds parameter is separate from the duration of a console session //
// that you might request using the returned credentials. The request to the // By default, the value is set to 3600 seconds.
// federation endpoint for a console sign-in token takes a SessionDuration //
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) //
// in the IAM User Guide. // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32 DurationSeconds *int32
// A unique identifier that might be required when you assume a role in another // A unique identifier that might be required when you assume a role in another
@ -149,62 +185,78 @@ type AssumeRoleInput struct {
// the administrator of the trusting account might send an external ID to the // the administrator of the trusting account might send an external ID to the
// administrator of the trusted account. That way, only someone with the ID can // administrator of the trusted account. That way, only someone with the ID can
// assume the role, rather than everyone in the account. For more information about // assume the role, rather than everyone in the account. For more information about
// the external ID, see How to Use an External ID When Granting Access to Your // the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
// Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) //
// in the IAM User Guide. The regex used to validate this parameter is a string of // The regex used to validate this parameter is a string of characters consisting
// characters consisting of upper- and lower-case alphanumeric characters with no // of upper- and lower-case alphanumeric characters with no spaces. You can also
// spaces. You can also include underscores or any of the following characters: // include underscores or any of the following characters: =,.@:/-
// =,.@:/- //
// [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
ExternalId *string ExternalId *string
// An IAM policy in JSON format that you want to use as an inline session policy. // An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new // This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection // temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the // of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to // role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // User Guide.
// in the IAM User Guide. The plaintext that you use for both inline and managed //
// session policies can't exceed 2,048 characters. The JSON policy characters can // The plaintext that you use for both inline and managed session policies can't
// be any ASCII character from the space character to the end of the valid // exceed 2,048 characters. The JSON policy characters can be any ASCII character
// character list (\u0020 through \u00FF). It can also include the tab (\u0009), // from the space character to the end of the valid character list (\u0020 through
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// Services conversion compresses the passed inline session policy, managed policy // return (\u000D) characters.
// ARNs, and session tags into a packed binary format that has a separate limit. //
// Your request can fail for this limit even if your plaintext meets the other // An Amazon Web Services conversion compresses the passed inline session policy,
// requirements. The PackedPolicySize response element indicates by percentage how // managed policy ARNs, and session tags into a packed binary format that has a
// close the policies and tags for your request are to the upper size limit. // separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as // use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy // the role.
// ARNs. However, the plaintext that you use for both inline and managed session //
// policies can't exceed 2,048 characters. For more information about ARNs, see // This parameter is optional. You can provide up to 10 managed policy ARNs.
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // However, the plaintext that you use for both inline and managed session policies
// in the Amazon Web Services General Reference. An Amazon Web Services conversion // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// compresses the passed inline session policy, managed policy ARNs, and session // Amazon Web Services General Reference.
// tags into a packed binary format that has a separate limit. Your request can //
// fail for this limit even if your plaintext meets the other requirements. The // An Amazon Web Services conversion compresses the passed inline session policy,
// PackedPolicySize response element indicates by percentage how close the policies // managed policy ARNs, and session tags into a packed binary format that has a
// and tags for your request are to the upper size limit. Passing policies to this // separate limit. Your request can fail for this limit even if your plaintext
// operation returns new temporary credentials. The resulting session's permissions // meets the other requirements. The PackedPolicySize response element indicates
// are the intersection of the role's identity-based policy and the session // by percentage how close the policies and tags for your request are to the upper
// policies. You can use the role's temporary credentials in subsequent Amazon Web // size limit.
// Services API calls to access resources in the account that owns the role. You //
// cannot use session policies to grant more permissions than those allowed by the // Passing policies to this operation returns new temporary credentials. The
// identity-based policy of the role that is being assumed. For more information, // resulting session's permissions are the intersection of the role's
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // identity-based policy and the session policies. You can use the role's temporary
// in the IAM User Guide. // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
// A list of previously acquired trusted context assertions in the format of a // A list of previously acquired trusted context assertions in the format of a
// JSON array. The trusted context assertion is signed and encrypted by Amazon Web // JSON array. The trusted context assertion is signed and encrypted by Amazon Web
// Services STS. The following is an example of a ProvidedContext value that // Services STS.
// includes a single trusted context assertion and the ARN of the context provider //
// from which the trusted context assertion was generated. // The following is an example of a ProvidedContext value that includes a single
// trusted context assertion and the ARN of the context provider from which the
// trusted context assertion was generated.
//
// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}] // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
ProvidedContexts []types.ProvidedContext ProvidedContexts []types.ProvidedContext
@ -213,79 +265,97 @@ type AssumeRoleInput struct {
// the role being assumed includes a condition that requires MFA authentication. // the role being assumed includes a condition that requires MFA authentication.
// The value is either the serial number for a hardware device (such as // The value is either the serial number for a hardware device (such as
// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as // GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
// arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter // arn:aws:iam::123456789012:mfa/user ).
// is a string of characters consisting of upper- and lower-case alphanumeric //
// characters with no spaces. You can also include underscores or any of the // The regex used to validate this parameter is a string of characters consisting
// following characters: =,.@- // of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
SerialNumber *string SerialNumber *string
// The source identity specified by the principal that is calling the AssumeRole // The source identity specified by the principal that is calling the AssumeRole
// operation. You can require users to specify a source identity when they assume a // operation.
// role. You do this by using the sts:SourceIdentity condition key in a role trust //
// policy. You can use source identity information in CloudTrail logs to determine // You can require users to specify a source identity when they assume a role. You
// who took actions with a role. You can use the aws:SourceIdentity condition key // do this by using the sts:SourceIdentity condition key in a role trust policy.
// to further control access to Amazon Web Services resources based on the value of // You can use source identity information in CloudTrail logs to determine who took
// source identity. For more information about using source identity, see Monitor // actions with a role. You can use the aws:SourceIdentity condition key to
// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) // further control access to Amazon Web Services resources based on the value of
// in the IAM User Guide. The regex used to validate this parameter is a string of // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
// characters consisting of upper- and lower-case alphanumeric characters with no // IAM User Guide.
// spaces. You can also include underscores or any of the following characters: //
// =,.@-. You cannot use a value that begins with the text aws: . This prefix is // The regex used to validate this parameter is a string of characters consisting
// reserved for Amazon Web Services internal use. // of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-. You cannot use a
// value that begins with the text aws: . This prefix is reserved for Amazon Web
// Services internal use.
//
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string SourceIdentity *string
// A list of session tags that you want to pass. Each session tag consists of a // A list of session tags that you want to pass. Each session tag consists of a
// key name and an associated value. For more information about session tags, see // key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
// Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
// tags. The plaintext session tag keys cant exceed 128 characters, and the values
// cant exceed 256 characters. For these and additional limits, see IAM and STS
// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is already attached to the role. When you do, session
// tags override a role tag with the same key. Tag keyvalue pairs are not case
// sensitive, but case is preserved. This means that you cannot have separate
// Department and department tag keys. Assume that the role has the Department =
// Marketing tag and you pass the department = engineering session tag. Department
// and department are not saved as separate tags, and the session tag passed in
// the request takes precedence over the role tag. Additionally, if you used
// temporary credentials to perform this operation, the new session inherits any
// transitive session tags from the calling session. If you pass a session tag with
// the same key as an inherited tag, the operation fails. To view the inherited
// tags for a session, see the CloudTrail logs. For more information, see Viewing
// Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
// in the IAM User Guide. // in the IAM User Guide.
//
// This parameter is optional. You can pass up to 50 session tags. The plaintext
// session tag keys cant exceed 128 characters, and the values cant exceed 256
// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// You can pass a session tag with the same key as a tag that is already attached
// to the role. When you do, session tags override a role tag with the same key.
//
// Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the role has the Department = Marketing tag and you pass the department =
// engineering session tag. Department and department are not saved as separate
// tags, and the session tag passed in the request takes precedence over the role
// tag.
//
// Additionally, if you used temporary credentials to perform this operation, the
// new session inherits any transitive session tags from the calling session. If
// you pass a session tag with the same key as an inherited tag, the operation
// fails. To view the inherited tags for a session, see the CloudTrail logs. For
// more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
//
// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
Tags []types.Tag Tags []types.Tag
// The value provided by the MFA device, if the trust policy of the role being // The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA. (In other words, if the policy includes a condition that // assumed requires MFA. (In other words, if the policy includes a condition that
// tests for MFA). If the role being assumed requires MFA and if the TokenCode // tests for MFA). If the role being assumed requires MFA and if the TokenCode
// value is missing or expired, the AssumeRole call returns an "access denied" // value is missing or expired, the AssumeRole call returns an "access denied"
// error. The format for this parameter, as described by its regex pattern, is a // error.
// sequence of six numeric digits. //
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode *string TokenCode *string
// A list of keys for session tags that you want to set as transitive. If you set // A list of keys for session tags that you want to set as transitive. If you set
// a tag key as transitive, the corresponding key and value passes to subsequent // a tag key as transitive, the corresponding key and value passes to subsequent
// sessions in a role chain. For more information, see Chaining Roles with Session // sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) //
// in the IAM User Guide. This parameter is optional. When you set session tags as // This parameter is optional. When you set session tags as transitive, the
// transitive, the session policy and session tags packed binary limit is not // session policy and session tags packed binary limit is not affected.
// affected. If you choose not to specify a transitive tag key, then no tags are //
// passed from this session to any subsequent sessions. // If you choose not to specify a transitive tag key, then no tags are passed from
// this session to any subsequent sessions.
//
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
TransitiveTagKeys []string TransitiveTagKeys []string
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful AssumeRole request, including temporary // Contains the response to a successful AssumeRole request, including temporary Amazon Web
// Amazon Web Services credentials that can be used to make Amazon Web Services // Services credentials that can be used to make Amazon Web Services requests.
// requests.
type AssumeRoleOutput struct { type AssumeRoleOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
AssumedRoleUser *types.AssumedRoleUser AssumedRoleUser *types.AssumedRoleUser
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token // access key, and a security (or session) token.
// that STS API operations return is not fixed. We strongly recommend that you make //
// no assumptions about the maximum size. // The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and // A percentage value that indicates the packed size of the session policies and
@ -308,17 +379,21 @@ type AssumeRoleOutput struct {
PackedPolicySize *int32 PackedPolicySize *int32
// The source identity specified by the principal that is calling the AssumeRole // The source identity specified by the principal that is calling the AssumeRole
// operation. You can require users to specify a source identity when they assume a // operation.
// role. You do this by using the sts:SourceIdentity condition key in a role trust //
// policy. You can use source identity information in CloudTrail logs to determine // You can require users to specify a source identity when they assume a role. You
// who took actions with a role. You can use the aws:SourceIdentity condition key // do this by using the sts:SourceIdentity condition key in a role trust policy.
// to further control access to Amazon Web Services resources based on the value of // You can use source identity information in CloudTrail logs to determine who took
// source identity. For more information about using source identity, see Monitor // actions with a role. You can use the aws:SourceIdentity condition key to
// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) // further control access to Amazon Web Services resources based on the value of
// in the IAM User Guide. The regex used to validate this parameter is a string of // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
// characters consisting of upper- and lower-case alphanumeric characters with no // IAM User Guide.
// spaces. You can also include underscores or any of the following characters: //
// =,.@- // The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string SourceIdentity *string
// Metadata pertaining to the operation's result. // Metadata pertaining to the operation's result.
@ -382,6 +457,12 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleValidationMiddleware(stack); err != nil { if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
return err return err
} }


@ -16,92 +16,132 @@ import (
// mechanism for tying an enterprise identity store or directory to role-based // mechanism for tying an enterprise identity store or directory to role-based
// Amazon Web Services access without user-specific credentials or configuration. // Amazon Web Services access without user-specific credentials or configuration.
// For a comparison of AssumeRoleWithSAML with the other API operations that // For a comparison of AssumeRoleWithSAML with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) //
// in the IAM User Guide. The temporary security credentials returned by this // The temporary security credentials returned by this operation consist of an
// operation consist of an access key ID, a secret access key, and a security // access key ID, a secret access key, and a security token. Applications can use
// token. Applications can use these temporary security credentials to sign calls // these temporary security credentials to sign calls to Amazon Web Services
// to Amazon Web Services services. Session Duration By default, the temporary // services.
// security credentials created by AssumeRoleWithSAML last for one hour. However, //
// you can use the optional DurationSeconds parameter to specify the duration of // # Session Duration
// your session. Your role session lasts for the duration that you specify, or //
// until the time specified in the SAML authentication response's // By default, the temporary security credentials created by AssumeRoleWithSAML
// SessionNotOnOrAfter value, whichever is shorter. You can provide a // last for one hour. However, you can use the optional DurationSeconds parameter
// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session // to specify the duration of your session. Your role session lasts for the
// duration setting for the role. This setting can have a value from 1 hour to 12 // duration that you specify, or until the time specified in the SAML
// hours. To learn how to view the maximum value for your role, see View the // authentication response's SessionNotOnOrAfter value, whichever is shorter. You
// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // can provide a DurationSeconds value from 900 seconds (15 minutes) up to the
// in the IAM User Guide. The maximum session duration limit applies when you use // maximum session duration setting for the role. This setting can have a value
// the AssumeRole* API operations or the assume-role* CLI commands. However the // from 1 hour to 12 hours. To learn how to view the maximum value for your role,
// limit does not apply when you use those operations to create a console URL. For // see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you
// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // use the AssumeRole* API operations or the assume-role* CLI commands. However
// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) // the limit does not apply when you use those operations to create a console URL.
// limits your CLI or Amazon Web Services API role session to a maximum of one // For more information, see [Using IAM Roles]in the IAM User Guide.
//
// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one
// hour. When you use the AssumeRole API operation to assume a role, you can // hour. When you use the AssumeRole API operation to assume a role, you can
// specify the duration of your role session with the DurationSeconds parameter. // specify the duration of your role session with the DurationSeconds parameter.
// You can specify a parameter value of up to 43200 seconds (12 hours), depending // You can specify a parameter value of up to 43200 seconds (12 hours), depending
// on the maximum session duration setting for your role. However, if you assume a // on the maximum session duration setting for your role. However, if you assume a
// role using role chaining and provide a DurationSeconds parameter value greater // role using role chaining and provide a DurationSeconds parameter value greater
// than one hour, the operation fails. Permissions The temporary security // than one hour, the operation fails.
// credentials created by AssumeRoleWithSAML can be used to make API calls to any //
// Amazon Web Services service with the following exception: you cannot call the // # Permissions
// STS GetFederationToken or GetSessionToken API operations. (Optional) You can //
// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // The temporary security credentials created by AssumeRoleWithSAML can be used to
// to this operation. You can pass a single JSON policy document to use as an // make API calls to any Amazon Web Services service with the following exception:
// inline session policy. You can also specify up to 10 managed policy Amazon // you cannot call the STS GetFederationToken or GetSessionToken API operations.
// Resource Names (ARNs) to use as managed session policies. The plaintext that you //
// use for both inline and managed session policies can't exceed 2,048 characters. // (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// Passing policies to this operation returns new temporary credentials. The // single JSON policy document to use as an inline session policy. You can also
// resulting session's permissions are the intersection of the role's // specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// identity-based policy and the session policies. You can use the role's temporary // session policies. The plaintext that you use for both inline and managed session
// credentials in subsequent Amazon Web Services API calls to access resources in // policies can't exceed 2,048 characters. Passing policies to this operation
// the account that owns the role. You cannot use session policies to grant more // returns new temporary credentials. The resulting session's permissions are the
// permissions than those allowed by the identity-based policy of the role that is // intersection of the role's identity-based policy and the session policies. You
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // can use the role's temporary credentials in subsequent Amazon Web Services API
// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of // calls to access resources in the account that owns the role. You cannot use
// Amazon Web Services security credentials. The identity of the caller is // session policies to grant more permissions than those allowed by the
// validated by using keys in the metadata document that is uploaded for the SAML // identity-based policy of the role that is being assumed. For more information,
// provider entity for your identity provider. Calling AssumeRoleWithSAML can // see [Session Policies]in the IAM User Guide.
// result in an entry in your CloudTrail logs. The entry includes the value in the //
// NameID element of the SAML assertion. We recommend that you use a NameIDType // Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
// that is not associated with any personally identifiable information (PII). For // security credentials. The identity of the caller is validated by using keys in
// example, you could instead use the persistent identifier ( // the metadata document that is uploaded for the SAML provider entity for your
// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can // identity provider.
// configure your IdP to pass attributes into your SAML assertion as session tags. //
// Each session tag consists of a key name and an associated value. For more // Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The
// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // entry includes the value in the NameID element of the SAML assertion. We
// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session // recommend that you use a NameIDType that is not associated with any personally
// tag keys cant exceed 128 characters and the values cant exceed 256 characters. // identifiable information (PII). For example, you could instead use the
// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ).
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed //
// inline session policy, managed policy ARNs, and session tags into a packed // # Tags
// binary format that has a separate limit. Your request can fail for this limit //
// even if your plaintext meets the other requirements. The PackedPolicySize // (Optional) You can configure your IdP to pass attributes into your SAML
// response element indicates by percentage how close the policies and tags for // assertion as session tags. Each session tag consists of a key name and an
// your request are to the upper size limit. You can pass a session tag with the // associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// same key as a tag that is attached to the role. When you do, session tags // Guide.
// override the role's tags with the same key. An administrator must grant you the //
// permissions necessary to pass session tags. The administrator can also create // You can pass up to 50 session tags. The plaintext session tag keys cant exceed
// granular permissions to allow you to pass only specific session tags. For more // 128 characters and the values cant exceed 256 characters. For these and
// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) // additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
// in the IAM User Guide. You can set the session tags as transitive. Transitive //
// tags persist during role chaining. For more information, see Chaining Roles // An Amazon Web Services conversion compresses the passed inline session policy,
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) // managed policy ARNs, and session tags into a packed binary format that has a
// in the IAM User Guide. SAML Configuration Before your application can call // separate limit. Your request can fail for this limit even if your plaintext
// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to // meets the other requirements. The PackedPolicySize response element indicates
// issue the claims required by Amazon Web Services. Additionally, you must use // by percentage how close the policies and tags for your request are to the upper
// Identity and Access Management (IAM) to create a SAML provider entity in your // size limit.
// Amazon Web Services account that represents your identity provider. You must //
// also create an IAM role that specifies this SAML provider in its trust policy. // You can pass a session tag with the same key as a tag that is attached to the
// role. When you do, session tags override the role's tags with the same key.
//
// An administrator must grant you the permissions necessary to pass session tags.
// The administrator can also create granular permissions to allow you to pass only
// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
//
// You can set the session tags as transitive. Transitive tags persist during role
// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// # SAML Configuration
//
// Before your application can call AssumeRoleWithSAML , you must configure your
// SAML identity provider (IdP) to issue the claims required by Amazon Web
// Services. Additionally, you must use Identity and Access Management (IAM) to
// create a SAML provider entity in your Amazon Web Services account that
// represents your identity provider. You must also create an IAM role that
// specifies this SAML provider in its trust policy.
//
// For more information, see the following resources: // For more information, see the following resources:
// - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) //
// in the IAM User Guide. // [About SAML 2.0-based Federation]
// - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) // - in the IAM User Guide.
// in the IAM User Guide. //
// - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) // [Creating SAML Identity Providers]
// in the IAM User Guide. // - in the IAM User Guide.
// - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) //
// in the IAM User Guide. // [Configuring a Relying Party and Claims]
// - in the IAM User Guide.
//
// [Creating a Role for SAML 2.0 Federation]
// - in the IAM User Guide.
//
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) { func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
if params == nil { if params == nil {
params = &AssumeRoleWithSAMLInput{} params = &AssumeRoleWithSAMLInput{}
@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct {
// This member is required. // This member is required.
RoleArn *string RoleArn *string
// The base64 encoded SAML authentication response provided by the IdP. For more // The base64 encoded SAML authentication response provided by the IdP.
// information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) //
// in the IAM User Guide. // For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide.
//
// [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
// //
// This member is required. // This member is required.
SAMLAssertion *string SAMLAssertion *string
@ -146,66 +188,80 @@ type AssumeRoleWithSAMLInput struct {
// than this setting, the operation fails. For example, if you specify a session // than this setting, the operation fails. For example, if you specify a session
// duration of 12 hours, but your administrator set the maximum session duration to // duration of 12 hours, but your administrator set the maximum session duration to
// 6 hours, your operation fails. To learn how to view the maximum value for your // 6 hours, your operation fails. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
// in the IAM User Guide. By default, the value is set to 3600 seconds. The //
// DurationSeconds parameter is separate from the duration of a console session // By default, the value is set to 3600 seconds.
// that you might request using the returned credentials. The request to the //
// federation endpoint for a console sign-in token takes a SessionDuration // The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) //
// in the IAM User Guide. // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32 DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy. // An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new // This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection // temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the // of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to // role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // User Guide.
// in the IAM User Guide. The plaintext that you use for both inline and managed //
// session policies can't exceed 2,048 characters. The JSON policy characters can // The plaintext that you use for both inline and managed session policies can't
// be any ASCII character from the space character to the end of the valid // exceed 2,048 characters. The JSON policy characters can be any ASCII character
// character list (\u0020 through \u00FF). It can also include the tab (\u0009), // from the space character to the end of the valid character list (\u0020 through
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// Services conversion compresses the passed inline session policy, managed policy // return (\u000D) characters.
// ARNs, and session tags into a packed binary format that has a separate limit. //
// Your request can fail for this limit even if your plaintext meets the other // An Amazon Web Services conversion compresses the passed inline session policy,
// requirements. The PackedPolicySize response element indicates by percentage how // managed policy ARNs, and session tags into a packed binary format that has a
// close the policies and tags for your request are to the upper size limit. // separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as // use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy // the role.
// ARNs. However, the plaintext that you use for both inline and managed session //
// policies can't exceed 2,048 characters. For more information about ARNs, see // This parameter is optional. You can provide up to 10 managed policy ARNs.
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // However, the plaintext that you use for both inline and managed session policies
// in the Amazon Web Services General Reference. An Amazon Web Services conversion // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// compresses the passed inline session policy, managed policy ARNs, and session // Amazon Web Services General Reference.
// tags into a packed binary format that has a separate limit. Your request can //
// fail for this limit even if your plaintext meets the other requirements. The // An Amazon Web Services conversion compresses the passed inline session policy,
// PackedPolicySize response element indicates by percentage how close the policies // managed policy ARNs, and session tags into a packed binary format that has a
// and tags for your request are to the upper size limit. Passing policies to this // separate limit. Your request can fail for this limit even if your plaintext
// operation returns new temporary credentials. The resulting session's permissions // meets the other requirements. The PackedPolicySize response element indicates
// are the intersection of the role's identity-based policy and the session // by percentage how close the policies and tags for your request are to the upper
// policies. You can use the role's temporary credentials in subsequent Amazon Web // size limit.
// Services API calls to access resources in the account that owns the role. You //
// cannot use session policies to grant more permissions than those allowed by the // Passing policies to this operation returns new temporary credentials. The
// identity-based policy of the role that is being assumed. For more information, // resulting session's permissions are the intersection of the role's
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // identity-based policy and the session policies. You can use the role's temporary
// in the IAM User Guide. // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful AssumeRoleWithSAML request, including // Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web
// temporary Amazon Web Services credentials that can be used to make Amazon Web // Services credentials that can be used to make Amazon Web Services requests.
// Services requests.
type AssumeRoleWithSAMLOutput struct { type AssumeRoleWithSAMLOutput struct {
// The identifiers for the temporary security credentials that the operation // The identifiers for the temporary security credentials that the operation
@ -217,21 +273,29 @@ type AssumeRoleWithSAMLOutput struct {
Audience *string Audience *string
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token // access key, and a security (or session) token.
// that STS API operations return is not fixed. We strongly recommend that you make //
// no assumptions about the maximum size. // The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials Credentials *types.Credentials
// The value of the Issuer element of the SAML assertion. // The value of the Issuer element of the SAML assertion.
Issuer *string Issuer *string
// A hash value based on the concatenation of the following: // A hash value based on the concatenation of the following:
//
// - The Issuer response value. // - The Issuer response value.
//
// - The Amazon Web Services account ID. // - The Amazon Web Services account ID.
//
// - The friendly name (the last part of the ARN) of the SAML provider in IAM. // - The friendly name (the last part of the ARN) of the SAML provider in IAM.
//
// The combination of NameQualifier and Subject can be used to uniquely identify a // The combination of NameQualifier and Subject can be used to uniquely identify a
// user. The following pseudocode shows how the hash value is calculated: BASE64 ( // user.
// SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) //
// The following pseudocode shows how the hash value is calculated:
//
// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
NameQualifier *string NameQualifier *string
// A percentage value that indicates the packed size of the session policies and // A percentage value that indicates the packed size of the session policies and
@ -240,22 +304,25 @@ type AssumeRoleWithSAMLOutput struct {
// allowed space. // allowed space.
PackedPolicySize *int32 PackedPolicySize *int32
// The value in the SourceIdentity attribute in the SAML assertion. You can // The value in the SourceIdentity attribute in the SAML assertion.
// require users to set a source identity value when they assume a role. You do //
// this by using the sts:SourceIdentity condition key in a role trust policy. That // You can require users to set a source identity value when they assume a role.
// way, actions that are taken with the role are associated with that user. After // You do this by using the sts:SourceIdentity condition key in a role trust
// the source identity is set, the value cannot be changed. It is present in the // policy. That way, actions that are taken with the role are associated with that
// request for all actions that are taken by the role and persists across chained // user. After the source identity is set, the value cannot be changed. It is
// role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) // present in the request for all actions that are taken by the role and persists
// sessions. You can configure your SAML identity provider to use an attribute // across [chained role]sessions. You can configure your SAML identity provider to use an
// associated with your users, like user name or email, as the source identity when // attribute associated with your users, like user name or email, as the source
// calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML // identity when calling AssumeRoleWithSAML . You do this by adding an attribute to
// assertion. For more information about using source identity, see Monitor and // the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in
// control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) // the IAM User Guide.
// in the IAM User Guide. The regex used to validate this parameter is a string of //
// characters consisting of upper- and lower-case alphanumeric characters with no // The regex used to validate this parameter is a string of characters consisting
// spaces. You can also include underscores or any of the following characters: // of upper- and lower-case alphanumeric characters with no spaces. You can also
// =,.@- // include underscores or any of the following characters: =,.@-
//
// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string SourceIdentity *string
// The value of the NameID element in the Subject element of the SAML assertion. // The value of the NameID element in the Subject element of the SAML assertion.
@ -263,8 +330,10 @@ type AssumeRoleWithSAMLOutput struct {
// The format of the name ID, as defined by the Format attribute in the NameID // The format of the name ID, as defined by the Format attribute in the NameID
// element of the SAML assertion. Typical examples of the format are transient or // element of the SAML assertion. Typical examples of the format are transient or
// persistent . If the format includes the prefix // persistent .
// urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example, //
// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format ,
// that prefix is removed. For example,
// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient . // urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
// If the format includes any other prefix, the format is returned with no // If the format includes any other prefix, the format is returned with no
// modifications. // modifications.
@ -328,6 +397,12 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil { if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
return err return err
} }


@ -14,105 +14,143 @@ import (
// Returns a set of temporary security credentials for users who have been // Returns a set of temporary security credentials for users who have been
// authenticated in a mobile or web application with a web identity provider. // authenticated in a mobile or web application with a web identity provider.
// Example providers include the OAuth 2.0 providers Login with Amazon and // Example providers include the OAuth 2.0 providers Login with Amazon and
// Facebook, or any OpenID Connect-compatible identity provider such as Google or // Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) //
// . For mobile applications, we recommend that you use Amazon Cognito. You can use // For mobile applications, we recommend that you use Amazon Cognito. You can use
// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) // Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) // supply the user with a consistent identity throughout the lifetime of an
// to uniquely identify a user. You can also supply the user with a consistent // application.
// identity throughout the lifetime of an application. To learn more about Amazon //
// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html) // To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not //
// require the use of Amazon Web Services security credentials. Therefore, you can // Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
// distribute an application (for example, on mobile devices) that requests // Services security credentials. Therefore, you can distribute an application (for
// temporary security credentials without including long-term Amazon Web Services // example, on mobile devices) that requests temporary security credentials without
// credentials in the application. You also don't need to deploy server-based proxy // including long-term Amazon Web Services credentials in the application. You also
// services that use long-term Amazon Web Services credentials. Instead, the // don't need to deploy server-based proxy services that use long-term Amazon Web
// identity of the caller is validated by using a token from the web identity // Services credentials. Instead, the identity of the caller is validated by using
// provider. For a comparison of AssumeRoleWithWebIdentity with the other API // a token from the web identity provider. For a comparison of
// operations that produce temporary credentials, see Requesting Temporary // AssumeRoleWithWebIdentity with the other API operations that produce temporary
// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) //
// in the IAM User Guide. The temporary security credentials returned by this API // The temporary security credentials returned by this API consist of an access
// consist of an access key ID, a secret access key, and a security token. // key ID, a secret access key, and a security token. Applications can use these
// Applications can use these temporary security credentials to sign calls to // temporary security credentials to sign calls to Amazon Web Services service API
// Amazon Web Services service API operations. Session Duration By default, the // operations.
// temporary security credentials created by AssumeRoleWithWebIdentity last for //
// one hour. However, you can use the optional DurationSeconds parameter to // # Session Duration
// specify the duration of your session. You can provide a value from 900 seconds //
// (15 minutes) up to the maximum session duration setting for the role. This // By default, the temporary security credentials created by
// setting can have a value from 1 hour to 12 hours. To learn how to view the // AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
// maximum value for your role, see View the Maximum Session Duration Setting for // DurationSeconds parameter to specify the duration of your session. You can
// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // provide a value from 900 seconds (15 minutes) up to the maximum session duration
// in the IAM User Guide. The maximum session duration limit applies when you use // setting for the role. This setting can have a value from 1 hour to 12 hours. To
// the AssumeRole* API operations or the assume-role* CLI commands. However the // learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
// limit does not apply when you use those operations to create a console URL. For // The maximum session duration limit applies when you use the AssumeRole* API
// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // operations or the assume-role* CLI commands. However the limit does not apply
// in the IAM User Guide. Permissions The temporary security credentials created by // when you use those operations to create a console URL. For more information, see
// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web // [Using IAM Roles]in the IAM User Guide.
// Services service with the following exception: you cannot call the STS //
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass // # Permissions
// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) //
// to this operation. You can pass a single JSON policy document to use as an // The temporary security credentials created by AssumeRoleWithWebIdentity can be
// inline session policy. You can also specify up to 10 managed policy Amazon // used to make API calls to any Amazon Web Services service with the following
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // exception: you cannot call the STS GetFederationToken or GetSessionToken API
// use for both inline and managed session policies can't exceed 2,048 characters. // operations.
// Passing policies to this operation returns new temporary credentials. The //
// resulting session's permissions are the intersection of the role's // (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// identity-based policy and the session policies. You can use the role's temporary // single JSON policy document to use as an inline session policy. You can also
// credentials in subsequent Amazon Web Services API calls to access resources in // specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// the account that owns the role. You cannot use session policies to grant more // session policies. The plaintext that you use for both inline and managed session
// permissions than those allowed by the identity-based policy of the role that is // policies can't exceed 2,048 characters. Passing policies to this operation
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // returns new temporary credentials. The resulting session's permissions are the
// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass // intersection of the role's identity-based policy and the session policies. You
// attributes into your web identity token as session tags. Each session tag // can use the role's temporary credentials in subsequent Amazon Web Services API
// consists of a key name and an associated value. For more information about // calls to access resources in the account that owns the role. You cannot use
// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // session policies to grant more permissions than those allowed by the
// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session // identity-based policy of the role that is being assumed. For more information,
// tag keys cant exceed 128 characters and the values cant exceed 256 characters. // see [Session Policies]in the IAM User Guide.
// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) //
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed // # Tags
// inline session policy, managed policy ARNs, and session tags into a packed //
// binary format that has a separate limit. Your request can fail for this limit // (Optional) You can configure your IdP to pass attributes into your web identity
// even if your plaintext meets the other requirements. The PackedPolicySize // token as session tags. Each session tag consists of a key name and an associated
// response element indicates by percentage how close the policies and tags for // value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
// your request are to the upper size limit. You can pass a session tag with the //
// same key as a tag that is attached to the role. When you do, the session tag // You can pass up to 50 session tags. The plaintext session tag keys cant exceed
// overrides the role tag with the same key. An administrator must grant you the // 128 characters and the values cant exceed 256 characters. For these and
// permissions necessary to pass session tags. The administrator can also create // additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
// granular permissions to allow you to pass only specific session tags. For more //
// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) // An Amazon Web Services conversion compresses the passed inline session policy,
// in the IAM User Guide. You can set the session tags as transitive. Transitive // managed policy ARNs, and session tags into a packed binary format that has a
// tags persist during role chaining. For more information, see Chaining Roles // separate limit. Your request can fail for this limit even if your plaintext
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) // meets the other requirements. The PackedPolicySize response element indicates
// in the IAM User Guide. Identities Before your application can call // by percentage how close the policies and tags for your request are to the upper
// AssumeRoleWithWebIdentity , you must have an identity token from a supported // size limit.
// identity provider and create a role that the application can assume. The role //
// that your application assumes must trust the identity provider that is // You can pass a session tag with the same key as a tag that is attached to the
// associated with the identity token. In other words, the identity provider must // role. When you do, the session tag overrides the role tag with the same key.
// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can //
// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) // An administrator must grant you the permissions necessary to pass session tags.
// of the provided web identity token. We recommend that you avoid using any // The administrator can also create granular permissions to allow you to pass only
// personally identifiable information (PII) in this field. For example, you could // specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
// instead use a GUID or a pairwise identifier, as suggested in the OIDC //
// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes) // You can set the session tags as transitive. Transitive tags persist during role
// . For more information about how to use web identity federation and the // chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// # Identities
//
// Before your application can call AssumeRoleWithWebIdentity , you must have an
// identity token from a supported identity provider and create a role that the
// application can assume. The role that your application assumes must trust the
// identity provider that is associated with the identity token. In other words,
// the identity provider must be specified in the role's trust policy.
//
// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
// logs. The entry includes the [Subject]of the provided web identity token. We recommend
// that you avoid using any personally identifiable information (PII) in this
// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
//
// For more information about how to use web identity federation and the
// AssumeRoleWithWebIdentity API, see the following resources: // AssumeRoleWithWebIdentity API, see the following resources:
// - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) //
// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) // [Using Web Identity Federation API Operations for Mobile Apps]
// . // - and [Federation Through a Web-based Identity Provider].
// - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/) //
// . Walk through the process of authenticating through Login with Amazon, // [Web Identity Federation Playground]
// - . Walk through the process of authenticating through Login with Amazon,
// Facebook, or Google, getting temporary security credentials, and then using // Facebook, or Google, getting temporary security credentials, and then using
// those credentials to make a request to Amazon Web Services. // those credentials to make a request to Amazon Web Services.
// - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) //
// and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) // [Amazon Web Services SDK for iOS Developer Guide]
// . These toolkits contain sample apps that show how to invoke the identity // - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
// providers. The toolkits then show how to use the information from these // identity providers. The toolkits then show how to use the information from these
// providers to get and use temporary security credentials. // providers to get and use temporary security credentials.
// - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications) //
// . This article discusses web identity federation and shows an example of how to // [Web Identity Federation with Mobile Applications]
// use web identity federation to get access to content in Amazon S3. // - . This article discusses web identity federation and shows an example of
// how to use web identity federation to get access to content in Amazon S3.
//
// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) { func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
if params == nil { if params == nil {
params = &AssumeRoleWithWebIdentityInput{} params = &AssumeRoleWithWebIdentityInput{}
@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
// identifier that is associated with the user who is using your application. That // identifier that is associated with the user who is using your application. That
// way, the temporary security credentials that your application will use are // way, the temporary security credentials that your application will use are
// associated with that user. This session name is included as part of the ARN and // associated with that user. This session name is included as part of the ARN and
// assumed role ID in the AssumedRoleUser response element. The regex used to // assumed role ID in the AssumedRoleUser response element.
// validate this parameter is a string of characters consisting of upper- and //
// lower-case alphanumeric characters with no spaces. You can also include // The regex used to validate this parameter is a string of characters consisting
// underscores or any of the following characters: =,.@- // of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
// //
// This member is required. // This member is required.
RoleSessionName *string RoleSessionName *string
@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct {
// higher than this setting, the operation fails. For example, if you specify a // higher than this setting, the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session // session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum // duration to 6 hours, your operation fails. To learn how to view the maximum
// value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
// in the IAM User Guide. By default, the value is set to 3600 seconds. The //
// DurationSeconds parameter is separate from the duration of a console session // By default, the value is set to 3600 seconds.
// that you might request using the returned credentials. The request to the //
// federation endpoint for a console sign-in token takes a SessionDuration // The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) //
// in the IAM User Guide. // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32 DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy. // An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new // This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection // temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the // of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to // role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // User Guide.
// in the IAM User Guide. The plaintext that you use for both inline and managed //
// session policies can't exceed 2,048 characters. The JSON policy characters can // The plaintext that you use for both inline and managed session policies can't
// be any ASCII character from the space character to the end of the valid // exceed 2,048 characters. The JSON policy characters can be any ASCII character
// character list (\u0020 through \u00FF). It can also include the tab (\u0009), // from the space character to the end of the valid character list (\u0020 through
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// Services conversion compresses the passed inline session policy, managed policy // return (\u000D) characters.
// ARNs, and session tags into a packed binary format that has a separate limit. //
// Your request can fail for this limit even if your plaintext meets the other // An Amazon Web Services conversion compresses the passed inline session policy,
// requirements. The PackedPolicySize response element indicates by percentage how // managed policy ARNs, and session tags into a packed binary format that has a
// close the policies and tags for your request are to the upper size limit. // separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as // use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy // the role.
// ARNs. However, the plaintext that you use for both inline and managed session //
// policies can't exceed 2,048 characters. For more information about ARNs, see // This parameter is optional. You can provide up to 10 managed policy ARNs.
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // However, the plaintext that you use for both inline and managed session policies
// in the Amazon Web Services General Reference. An Amazon Web Services conversion // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// compresses the passed inline session policy, managed policy ARNs, and session // Amazon Web Services General Reference.
// tags into a packed binary format that has a separate limit. Your request can //
// fail for this limit even if your plaintext meets the other requirements. The // An Amazon Web Services conversion compresses the passed inline session policy,
// PackedPolicySize response element indicates by percentage how close the policies // managed policy ARNs, and session tags into a packed binary format that has a
// and tags for your request are to the upper size limit. Passing policies to this // separate limit. Your request can fail for this limit even if your plaintext
// operation returns new temporary credentials. The resulting session's permissions // meets the other requirements. The PackedPolicySize response element indicates
// are the intersection of the role's identity-based policy and the session // by percentage how close the policies and tags for your request are to the upper
// policies. You can use the role's temporary credentials in subsequent Amazon Web // size limit.
// Services API calls to access resources in the account that owns the role. You //
// cannot use session policies to grant more permissions than those allowed by the // Passing policies to this operation returns new temporary credentials. The
// identity-based policy of the role that is being assumed. For more information, // resulting session's permissions are the intersection of the role's
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // identity-based policy and the session policies. You can use the role's temporary
// in the IAM User Guide. // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
// The fully qualified host component of the domain name of the OAuth 2.0 identity // The fully qualified host component of the domain name of the OAuth 2.0 identity
// provider. Do not specify this value for an OpenID Connect identity provider. // provider. Do not specify this value for an OpenID Connect identity provider.
//
// Currently www.amazon.com and graph.facebook.com are the only supported identity // Currently www.amazon.com and graph.facebook.com are the only supported identity
// providers for OAuth 2.0 access tokens. Do not include URL schemes and port // providers for OAuth 2.0 access tokens. Do not include URL schemes and port
// numbers. Do not specify this value for OpenID Connect ID tokens. // numbers.
//
// Do not specify this value for OpenID Connect ID tokens.
ProviderId *string ProviderId *string
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful AssumeRoleWithWebIdentity request, // Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web
// including temporary Amazon Web Services credentials that can be used to make // Services credentials that can be used to make Amazon Web Services requests.
// Amazon Web Services requests.
type AssumeRoleWithWebIdentityOutput struct { type AssumeRoleWithWebIdentityOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct {
Audience *string Audience *string
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
// access key, and a security token. The size of the security token that STS API // access key, and a security token.
// operations return is not fixed. We strongly recommend that you make no //
// assumptions about the maximum size. // The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and // A percentage value that indicates the packed size of the session policies and
@ -262,23 +319,27 @@ type AssumeRoleWithWebIdentityOutput struct {
Provider *string Provider *string
// The value of the source identity that is returned in the JSON web token (JWT) // The value of the source identity that is returned in the JSON web token (JWT)
// from the identity provider. You can require users to set a source identity value // from the identity provider.
// when they assume a role. You do this by using the sts:SourceIdentity condition //
// key in a role trust policy. That way, actions that are taken with the role are // You can require users to set a source identity value when they assume a role.
// associated with that user. After the source identity is set, the value cannot be // You do this by using the sts:SourceIdentity condition key in a role trust
// changed. It is present in the request for all actions that are taken by the role // policy. That way, actions that are taken with the role are associated with that
// and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) // user. After the source identity is set, the value cannot be changed. It is
// sessions. You can configure your identity provider to use an attribute // present in the request for all actions that are taken by the role and persists
// across [chained role]sessions. You can configure your identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when // associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON // calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
// web token. To learn more about OIDC tokens and claims, see Using Tokens with // web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon
// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) // Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
// in the Amazon Cognito Developer Guide. For more information about using source // in the IAM User Guide.
// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) //
// in the IAM User Guide. The regex used to validate this parameter is a string of // The regex used to validate this parameter is a string of characters consisting
// characters consisting of upper- and lower-case alphanumeric characters with no // of upper- and lower-case alphanumeric characters with no spaces. You can also
// spaces. You can also include underscores or any of the following characters: // include underscores or any of the following characters: =,.@-
// =,.@- //
// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
// [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
SourceIdentity *string SourceIdentity *string
// The unique user identifier that is returned by the identity provider. This // The unique user identifier that is returned by the identity provider. This
@ -347,6 +408,12 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil { if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
return err return err
} }


@ -11,28 +11,39 @@ import (
) )
// Decodes additional information about the authorization status of a request from // Decodes additional information about the authorization status of a request from
// an encoded message returned in response to an Amazon Web Services request. For // an encoded message returned in response to an Amazon Web Services request.
// example, if a user is not authorized to perform an operation that he or she has //
// requested, the request returns a Client.UnauthorizedOperation response (an HTTP // For example, if a user is not authorized to perform an operation that he or she
// 403 response). Some Amazon Web Services operations additionally return an // has requested, the request returns a Client.UnauthorizedOperation response (an
// encoded message that can provide details about this authorization failure. Only // HTTP 403 response). Some Amazon Web Services operations additionally return an
// certain Amazon Web Services operations return an encoded authorization message. // encoded message that can provide details about this authorization failure.
// The documentation for an individual operation indicates whether that operation //
// returns an encoded message in addition to returning an HTTP code. The message is // Only certain Amazon Web Services operations return an encoded authorization
// encoded because the details of the authorization status can contain privileged // message. The documentation for an individual operation indicates whether that
// information that the user who requested the operation should not see. To decode // operation returns an encoded message in addition to returning an HTTP code.
// an authorization status message, a user must be granted permissions through an //
// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) // The message is encoded because the details of the authorization status can
// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage ) // contain privileged information that the user who requested the operation should
// action. The decoded message includes the following type of information: // not see. To decode an authorization status message, a user must be granted
// permissions through an IAM [policy]to request the DecodeAuthorizationMessage (
// sts:DecodeAuthorizationMessage ) action.
//
// The decoded message includes the following type of information:
//
// - Whether the request was denied due to an explicit deny or due to the // - Whether the request was denied due to an explicit deny or due to the
// absence of an explicit allow. For more information, see Determining Whether a // absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User
// Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) // Guide.
// in the IAM User Guide. //
// - The principal who made the request. // - The principal who made the request.
//
// - The requested action. // - The requested action.
//
// - The requested resource. // - The requested resource.
//
// - The values of condition keys in the context of the user's request. // - The values of condition keys in the context of the user's request.
//
// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) { func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
if params == nil { if params == nil {
params = &DecodeAuthorizationMessageInput{} params = &DecodeAuthorizationMessageInput{}
@ -127,6 +138,12 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil { if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
return err return err
} }


@ -10,23 +10,31 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http" smithyhttp "github.com/aws/smithy-go/transport/http"
) )
// Returns the account identifier for the specified access key ID. Access keys // Returns the account identifier for the specified access key ID.
// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and //
// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). // Access keys consist of two parts: an access key ID (for example,
// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) // AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example,
// in the IAM User Guide. When you pass an access key ID to this operation, it // wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). For more information about access
// returns the ID of the Amazon Web Services account to which the keys belong. // keys, see [Managing Access Keys for IAM Users]in the IAM User Guide.
// Access key IDs beginning with AKIA are long-term credentials for an IAM user or //
// the Amazon Web Services account root user. Access key IDs beginning with ASIA // When you pass an access key ID to this operation, it returns the ID of the
// are temporary credentials that are created using STS operations. If the account // Amazon Web Services account to which the keys belong. Access key IDs beginning
// in the response belongs to you, you can sign in as the root user and review your // with AKIA are long-term credentials for an IAM user or the Amazon Web Services
// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) // account root user. Access key IDs beginning with ASIA are temporary credentials
// to learn which IAM user owns the keys. To learn who requested the temporary // that are created using STS operations. If the account in the response belongs to
// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) // you, you can sign in as the root user and review your root user access keys.
// in the IAM User Guide. This operation does not indicate the state of the access // Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who
// key. The key might be active, inactive, or deleted. Active keys might not have // requested the temporary credentials for an ASIA access key, view the STS events
// permissions to perform an operation. Providing a deleted access key might return // in your [CloudTrail logs]in the IAM User Guide.
// an error that the key doesn't exist. //
// This operation does not indicate the state of the access key. The key might be
// active, inactive, or deleted. Active keys might not have permissions to perform
// an operation. Providing a deleted access key might return an error that the key
// doesn't exist.
//
// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) { func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) {
if params == nil { if params == nil {
params = &GetAccessKeyInfoInput{} params = &GetAccessKeyInfoInput{}
@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI
type GetAccessKeyInfoInput struct { type GetAccessKeyInfoInput struct {
// The identifier of an access key. This parameter allows (through its regex // The identifier of an access key.
// pattern) a string of characters that can consist of any upper- or lowercase //
// letter or digit. // This parameter allows (through its regex pattern) a string of characters that
// can consist of any upper- or lowercase letter or digit.
// //
// This member is required. // This member is required.
AccessKeyId *string AccessKeyId *string
@ -120,6 +129,12 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil { if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
return err return err
} }


@ -12,13 +12,15 @@ import (
) )
// Returns details about the IAM user or role whose credentials are used to call // Returns details about the IAM user or role whose credentials are used to call
// the operation. No permissions are required to perform this operation. If an // the operation.
// administrator attaches a policy to your identity that explicitly denies access //
// to the sts:GetCallerIdentity action, you can still perform this operation. // No permissions are required to perform this operation. If an administrator
// Permissions are not required because the same information is returned when // attaches a policy to your identity that explicitly denies access to the
// access is denied. To view an example response, see I Am Not Authorized to // sts:GetCallerIdentity action, you can still perform this operation. Permissions
// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) // are not required because the same information is returned when access is denied.
// in the IAM User Guide. // To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide.
//
// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) { func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
if params == nil { if params == nil {
params = &GetCallerIdentityInput{} params = &GetCallerIdentityInput{}
@ -38,8 +40,8 @@ type GetCallerIdentityInput struct {
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful GetCallerIdentity request, including // Contains the response to a successful GetCallerIdentity request, including information about the
// information about the entity making the request. // entity making the request.
type GetCallerIdentityOutput struct { type GetCallerIdentityOutput struct {
// The Amazon Web Services account ID number of the account that owns or contains // The Amazon Web Services account ID number of the account that owns or contains
@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct {
// The unique identifier of the calling entity. The exact value depends on the // The unique identifier of the calling entity. The exact value depends on the
// type of entity that is making the call. The values returned are those listed in // type of entity that is making the call. The values returned are those listed in
// the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) // the aws:userid column in the [Principal table]found on the Policy Variables reference page in
// found on the Policy Variables reference page in the IAM User Guide. // the IAM User Guide.
//
// [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
UserId *string UserId *string
// Metadata pertaining to the operation's result. // Metadata pertaining to the operation's result.
@ -116,6 +120,12 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
return err return err
} }


@ -14,74 +14,100 @@ import (
// Returns a set of temporary security credentials (consisting of an access key // Returns a set of temporary security credentials (consisting of an access key
// ID, a secret access key, and a security token) for a user. A typical use is in a // ID, a secret access key, and a security token) for a user. A typical use is in a
// proxy application that gets temporary security credentials on behalf of // proxy application that gets temporary security credentials on behalf of
// distributed applications inside a corporate network. You must call the // distributed applications inside a corporate network.
// GetFederationToken operation using the long-term security credentials of an IAM //
// user. As a result, this call is appropriate in contexts where those credentials // You must call the GetFederationToken operation using the long-term security
// can be safeguarded, usually in a server-based application. For a comparison of // credentials of an IAM user. As a result, this call is appropriate in contexts
// GetFederationToken with the other API operations that produce temporary // where those credentials can be safeguarded, usually in a server-based
// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // application. For a comparison of GetFederationToken with the other API
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
// in the IAM User Guide. Although it is possible to call GetFederationToken using //
// the security credentials of an Amazon Web Services account root user rather than // Although it is possible to call GetFederationToken using the security
// an IAM user that you create for the purpose of a proxy application, we do not // credentials of an Amazon Web Services account root user rather than an IAM user
// recommend it. For more information, see Safeguard your root user credentials // that you create for the purpose of a proxy application, we do not recommend it.
// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) // For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide.
// in the IAM User Guide. You can create a mobile-based or browser-based app that //
// can authenticate users using a web identity provider like Login with Amazon, // You can create a mobile-based or browser-based app that can authenticate users
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this // using a web identity provider like Login with Amazon, Facebook, Google, or an
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) // OpenID Connect-compatible identity provider. In this case, we recommend that you
// or AssumeRoleWithWebIdentity . For more information, see Federation Through a // use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) // Guide.
// in the IAM User Guide. Session duration The temporary credentials are valid for //
// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 // # Session duration
// seconds (36 hours). The default session duration is 43,200 seconds (12 hours). //
// Temporary credentials obtained by using the root user credentials have a maximum // The temporary credentials are valid for the specified duration, from 900
// duration of 3,600 seconds (1 hour). Permissions You can use the temporary // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
// credentials created by GetFederationToken in any Amazon Web Services service // session duration is 43,200 seconds (12 hours). Temporary credentials obtained by
// with the following exceptions: // using the root user credentials have a maximum duration of 3,600 seconds (1
// hour).
//
// # Permissions
//
// You can use the temporary credentials created by GetFederationToken in any
// Amazon Web Services service with the following exceptions:
//
// - You cannot call any IAM operations using the CLI or the Amazon Web Services // - You cannot call any IAM operations using the CLI or the Amazon Web Services
// API. This limitation does not apply to console sessions. // API. This limitation does not apply to console sessions.
//
// - You cannot call any STS operations except GetCallerIdentity . // - You cannot call any STS operations except GetCallerIdentity .
// //
// You can use temporary credentials for single sign-on (SSO) to the console. You // You can use temporary credentials for single sign-on (SSO) to the console.
// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) //
// to this operation. You can pass a single JSON policy document to use as an // You must pass an inline or managed [session policy] to this operation. You can pass a single
// inline session policy. You can also specify up to 10 managed policy Amazon // JSON policy document to use as an inline session policy. You can also specify up
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// use for both inline and managed session policies can't exceed 2,048 characters. // policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters.
//
// Though the session policy parameters are optional, if you do not pass a policy, // Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. When you pass // then the resulting federated user session has no permissions. When you pass
// session policies, the session permissions are the intersection of the IAM user // session policies, the session permissions are the intersection of the IAM user
// policies and the session policies that you pass. This gives you a way to further // policies and the session policies that you pass. This gives you a way to further
// restrict the permissions for a federated user. You cannot use session policies // restrict the permissions for a federated user. You cannot use session policies
// to grant more permissions than those that are defined in the permissions policy // to grant more permissions than those that are defined in the permissions policy
// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For
// in the IAM User Guide. For information about using GetFederationToken to create // information about using GetFederationToken to create temporary security
// temporary security credentials, see GetFederationToken—Federation Through a // credentials, see [GetFederationToken—Federation Through a Custom Identity Broker].
// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken) //
// . You can use the credentials to access a resource that has a resource-based // You can use the credentials to access a resource that has a resource-based
// policy. If that policy specifically references the federated user session in the // policy. If that policy specifically references the federated user session in the
// Principal element of the policy, the session has the permissions allowed by the // Principal element of the policy, the session has the permissions allowed by the
// policy. These permissions are granted in addition to the permissions granted by // policy. These permissions are granted in addition to the permissions granted by
// the session policies. Tags (Optional) You can pass tag key-value pairs to your // the session policies.
// session. These are called session tags. For more information about session tags, //
// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // # Tags
// in the IAM User Guide. You can create a mobile-based or browser-based app that //
// can authenticate users using a web identity provider like Login with Amazon, // (Optional) You can pass tag key-value pairs to your session. These are called
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this // session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) // Guide.
// or AssumeRoleWithWebIdentity . For more information, see Federation Through a //
// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) // You can create a mobile-based or browser-based app that can authenticate users
// in the IAM User Guide. An administrator must grant you the permissions necessary // using a web identity provider like Login with Amazon, Facebook, Google, or an
// to pass session tags. The administrator can also create granular permissions to // OpenID Connect-compatible identity provider. In this case, we recommend that you
// allow you to pass only specific session tags. For more information, see // use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) // Guide.
// in the IAM User Guide. Tag keyvalue pairs are not case sensitive, but case is //
// preserved. This means that you cannot have separate Department and department // An administrator must grant you the permissions necessary to pass session tags.
// tag keys. Assume that the user that you are federating has the Department = // The administrator can also create granular permissions to allow you to pass only
// Marketing tag and you pass the department = engineering session tag. Department // specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
// and department are not saved as separate tags, and the session tag passed in //
// the request takes precedence over the user tag. // Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the user that you are federating has the Department = Marketing tag and you
// pass the department = engineering session tag. Department and department are
// not saved as separate tags, and the session tag passed in the request takes
// precedence over the user tag.
//
// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Cognito]: http://aws.amazon.com/cognito/
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) { func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
if params == nil { if params == nil {
params = &GetFederationTokenInput{} params = &GetFederationTokenInput{}
@ -102,10 +128,11 @@ type GetFederationTokenInput struct {
// The name of the federated user. The name is used as an identifier for the // The name of the federated user. The name is used as an identifier for the
// temporary security credentials (such as Bob ). For example, you can reference // temporary security credentials (such as Bob ). For example, you can reference
// the federated user name in a resource-based policy, such as in an Amazon S3 // the federated user name in a resource-based policy, such as in an Amazon S3
// bucket policy. The regex used to validate this parameter is a string of // bucket policy.
// characters consisting of upper- and lower-case alphanumeric characters with no //
// spaces. You can also include underscores or any of the following characters: // The regex used to validate this parameter is a string of characters consisting
// =,.@- // of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
// //
// This member is required. // This member is required.
Name *string Name *string
@ -119,99 +146,127 @@ type GetFederationTokenInput struct {
DurationSeconds *int32 DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy. // An IAM policy in JSON format that you want to use as an inline session policy.
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) //
// to this operation. You can pass a single JSON policy document to use as an // You must pass an inline or managed [session policy] to this operation. You can pass a single
// inline session policy. You can also specify up to 10 managed policy Amazon // JSON policy document to use as an inline session policy. You can also specify up
// Resource Names (ARNs) to use as managed session policies. This parameter is // to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// optional. However, if you do not pass any session policies, then the resulting // policies.
// federated user session has no permissions. When you pass session policies, the //
// session permissions are the intersection of the IAM user policies and the // This parameter is optional. However, if you do not pass any session policies,
// session policies that you pass. This gives you a way to further restrict the // then the resulting federated user session has no permissions.
// permissions for a federated user. You cannot use session policies to grant more //
// permissions than those that are defined in the permissions policy of the IAM // When you pass session policies, the session permissions are the intersection of
// user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // the IAM user policies and the session policies that you pass. This gives you a
// in the IAM User Guide. The resulting credentials can be used to access a // way to further restrict the permissions for a federated user. You cannot use
// resource that has a resource-based policy. If that policy specifically // session policies to grant more permissions than those that are defined in the
// references the federated user session in the Principal element of the policy, // permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
// the session has the permissions allowed by the policy. These permissions are // Guide.
// granted in addition to the permissions that are granted by the session policies. //
// The resulting credentials can be used to access a resource that has a
// resource-based policy. If that policy specifically references the federated user
// session in the Principal element of the policy, the session has the permissions
// allowed by the policy. These permissions are granted in addition to the
// permissions that are granted by the session policies.
//
// The plaintext that you use for both inline and managed session policies can't // The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character // exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through // from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters. An Amazon Web Services conversion compresses the // return (\u000D) characters.
// passed inline session policy, managed policy ARNs, and session tags into a //
// packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as a managed session policy. The policies must exist in the same account as
// the IAM user that is requesting federated access. You must pass an inline or
// managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// You can provide up to 10 managed policy ARNs. For more information about ARNs,
// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference. This parameter is optional.
// However, if you do not pass any session policies, then the resulting federated
// user session has no permissions. When you pass session policies, the session
// permissions are the intersection of the IAM user policies and the session
// policies that you pass. This gives you a way to further restrict the permissions
// for a federated user. You cannot use session policies to grant more permissions
// than those that are defined in the permissions policy of the IAM user. For more
// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically
// references the federated user session in the Principal element of the policy,
// the session has the permissions allowed by the policy. These permissions are
// granted in addition to the permissions that are granted by the session policies.
// An Amazon Web Services conversion compresses the passed inline session policy, // An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a // managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext // separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates // meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper // by percentage how close the policies and tags for your request are to the upper
// size limit. // size limit.
//
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as a managed session policy. The policies must exist in the same account as
// the IAM user that is requesting federated access.
//
// You must pass an inline or managed [session policy] to this operation. You can pass a single
// JSON policy document to use as an inline session policy. You can also specify up
// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. You can provide up to 10 managed policy
// ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General
// Reference.
//
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions.
//
// When you pass session policies, the session permissions are the intersection of
// the IAM user policies and the session policies that you pass. This gives you a
// way to further restrict the permissions for a federated user. You cannot use
// session policies to grant more permissions than those that are defined in the
// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
// Guide.
//
// The resulting credentials can be used to access a resource that has a
// resource-based policy. If that policy specifically references the federated user
// session in the Principal element of the policy, the session has the permissions
// allowed by the policy. These permissions are granted in addition to the
// permissions that are granted by the session policies.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
// A list of session tags. Each session tag consists of a key name and an // A list of session tags. Each session tag consists of a key name and an
// associated value. For more information about session tags, see Passing Session // associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // Guide.
// in the IAM User Guide. This parameter is optional. You can pass up to 50 session //
// tags. The plaintext session tag keys cant exceed 128 characters and the values // This parameter is optional. You can pass up to 50 session tags. The plaintext
// cant exceed 256 characters. For these and additional limits, see IAM and STS // session tag keys cant exceed 128 characters and the values cant exceed 256
// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed //
// inline session policy, managed policy ARNs, and session tags into a packed // An Amazon Web Services conversion compresses the passed inline session policy,
// binary format that has a separate limit. Your request can fail for this limit // managed policy ARNs, and session tags into a packed binary format that has a
// even if your plaintext meets the other requirements. The PackedPolicySize // separate limit. Your request can fail for this limit even if your plaintext
// response element indicates by percentage how close the policies and tags for // meets the other requirements. The PackedPolicySize response element indicates
// your request are to the upper size limit. You can pass a session tag with the // by percentage how close the policies and tags for your request are to the upper
// same key as a tag that is already attached to the user you are federating. When // size limit.
// you do, session tags override a user tag with the same key. Tag keyvalue pairs //
// are not case sensitive, but case is preserved. This means that you cannot have // You can pass a session tag with the same key as a tag that is already attached
// separate Department and department tag keys. Assume that the role has the // to the user you are federating. When you do, session tags override a user tag
// Department = Marketing tag and you pass the department = engineering session // with the same key.
// tag. Department and department are not saved as separate tags, and the session //
// tag passed in the request takes precedence over the role tag. // Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the role has the Department = Marketing tag and you pass the department =
// engineering session tag. Department and department are not saved as separate
// tags, and the session tag passed in the request takes precedence over the role
// tag.
//
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
Tags []types.Tag Tags []types.Tag
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful GetFederationToken request, including // Contains the response to a successful GetFederationToken request, including temporary Amazon Web
// temporary Amazon Web Services credentials that can be used to make Amazon Web // Services credentials that can be used to make Amazon Web Services requests.
// Services requests.
type GetFederationTokenOutput struct { type GetFederationTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token // access key, and a security (or session) token.
// that STS API operations return is not fixed. We strongly recommend that you make //
// no assumptions about the maximum size. // The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials Credentials *types.Credentials
// Identifiers for the federated user associated with the credentials (such as // Identifiers for the federated user associated with the credentials (such as
@ -287,6 +342,12 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil { if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
return err return err
} }


@ -15,43 +15,58 @@ import (
// IAM user. The credentials consist of an access key ID, a secret access key, and // IAM user. The credentials consist of an access key ID, a secret access key, and
// a security token. Typically, you use GetSessionToken if you want to use MFA to // a security token. Typically, you use GetSessionToken if you want to use MFA to
// protect programmatic calls to specific Amazon Web Services API operations like // protect programmatic calls to specific Amazon Web Services API operations like
// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and // Amazon EC2 StopInstances .
// submit an MFA code that is associated with their MFA device. Using the temporary //
// security credentials that the call returns, IAM users can then make programmatic // MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
// calls to API operations that require MFA authentication. An incorrect MFA code // associated with their MFA device. Using the temporary security credentials that
// causes the API to return an access denied error. For a comparison of // the call returns, IAM users can then make programmatic calls to API operations
// GetSessionToken with the other API operations that produce temporary // that require MFA authentication. An incorrect MFA code causes the API to return
// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // an access denied error. For a comparison of GetSessionToken with the other API
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
// in the IAM User Guide. No permissions are required for users to perform this //
// operation. The purpose of the sts:GetSessionToken operation is to authenticate // No permissions are required for users to perform this operation. The purpose of
// the user using MFA. You cannot use policies to control authentication // the sts:GetSessionToken operation is to authenticate the user using MFA. You
// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html) // cannot use policies to control authentication operations. For more information,
// in the IAM User Guide. Session Duration The GetSessionToken operation must be // see [Permissions for GetSessionToken]in the IAM User Guide.
// called by using the long-term Amazon Web Services security credentials of an IAM //
// user. Credentials that are created by IAM users are valid for the duration that // # Session Duration
// you specify. This duration can range from 900 seconds (15 minutes) up to a //
// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12 // The GetSessionToken operation must be called by using the long-term Amazon Web
// hours). Credentials based on account credentials can range from 900 seconds (15 // Services security credentials of an IAM user. Credentials that are created by
// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The // IAM users are valid for the duration that you specify. This duration can range
// temporary security credentials created by GetSessionToken can be used to make // from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
// API calls to any Amazon Web Services service with the following exceptions: // with a default of 43,200 seconds (12 hours). Credentials based on account
// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
// hour), with a default of 1 hour.
//
// # Permissions
//
// The temporary security credentials created by GetSessionToken can be used to
// make API calls to any Amazon Web Services service with the following exceptions:
//
// - You cannot call any IAM API operations unless MFA authentication // - You cannot call any IAM API operations unless MFA authentication
// information is included in the request. // information is included in the request.
//
// - You cannot call any STS API except AssumeRole or GetCallerIdentity . // - You cannot call any STS API except AssumeRole or GetCallerIdentity .
// //
// The credentials that GetSessionToken returns are based on permissions // The credentials that GetSessionToken returns are based on permissions
// associated with the IAM user whose credentials were used to call the operation. // associated with the IAM user whose credentials were used to call the operation.
// The temporary credentials have the same permissions as the IAM user. Although it // The temporary credentials have the same permissions as the IAM user.
// is possible to call GetSessionToken using the security credentials of an Amazon //
// Web Services account root user rather than an IAM user, we do not recommend it. // Although it is possible to call GetSessionToken using the security credentials
// If GetSessionToken is called using root user credentials, the temporary // of an Amazon Web Services account root user rather than an IAM user, we do not
// credentials have root user permissions. For more information, see Safeguard // recommend it. If GetSessionToken is called using root user credentials, the
// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials) // temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in
// in the IAM User Guide For more information about using GetSessionToken to // the IAM User Guide
// create temporary credentials, see Temporary Credentials for Users in Untrusted //
// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) // For more information about using GetSessionToken to create temporary
// in the IAM User Guide. // credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
//
// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
if params == nil { if params == nil {
params = &GetSessionTokenInput{} params = &GetSessionTokenInput{}
@ -83,10 +98,11 @@ type GetSessionTokenInput struct {
// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name // number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You // (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
// can find the device for an IAM user by going to the Amazon Web Services // can find the device for an IAM user by going to the Amazon Web Services
// Management Console and viewing the user's security credentials. The regex used // Management Console and viewing the user's security credentials.
// to validate this parameter is a string of characters consisting of upper- and //
// lower-case alphanumeric characters with no spaces. You can also include // The regex used to validate this parameter is a string of characters consisting
// underscores or any of the following characters: =,.@:/- // of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@:/-
SerialNumber *string SerialNumber *string
// The value provided by the MFA device, if MFA is required. If any policy // The value provided by the MFA device, if MFA is required. If any policy
@ -94,22 +110,24 @@ type GetSessionTokenInput struct {
// authentication is required, the user must provide a code when requesting a set // authentication is required, the user must provide a code when requesting a set
// of temporary security credentials. A user who fails to provide the code receives // of temporary security credentials. A user who fails to provide the code receives
// an "access denied" response when requesting resources that require MFA // an "access denied" response when requesting resources that require MFA
// authentication. The format for this parameter, as described by its regex // authentication.
// pattern, is a sequence of six numeric digits. //
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode *string TokenCode *string
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// Contains the response to a successful GetSessionToken request, including // Contains the response to a successful GetSessionToken request, including temporary Amazon Web
// temporary Amazon Web Services credentials that can be used to make Amazon Web // Services credentials that can be used to make Amazon Web Services requests.
// Services requests.
type GetSessionTokenOutput struct { type GetSessionTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token // access key, and a security (or session) token.
// that STS API operations return is not fixed. We strongly recommend that you make //
// no assumptions about the maximum size. // The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials Credentials *types.Credentials
// Metadata pertaining to the operation's result. // Metadata pertaining to the operation's result.
@ -173,6 +191,12 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err return err
} }
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
return err return err
} }


@ -12,7 +12,7 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http" smithyhttp "github.com/aws/smithy-go/transport/http"
) )
func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) { func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
params.Region = options.Region params.Region = options.Region
} }
@ -90,12 +90,12 @@ type AuthResolverParameters struct {
Region string Region string
} }
func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters { func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
params := &AuthResolverParameters{ params := &AuthResolverParameters{
Operation: operation, Operation: operation,
} }
bindAuthParamsRegion(params, input, options) bindAuthParamsRegion(ctx, params, input, options)
return params return params
} }
@ -157,7 +157,7 @@ func (*resolveAuthSchemeMiddleware) ID() string {
func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) ( func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
out middleware.FinalizeOutput, metadata middleware.Metadata, err error, out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) { ) {
params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options) params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params) options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
if err != nil { if err != nil {
return out, metadata, fmt.Errorf("resolve auth scheme: %w", err) return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)


@ -20,8 +20,17 @@ import (
"io" "io"
"strconv" "strconv"
"strings" "strings"
"time"
) )
func deserializeS3Expires(v string) (*time.Time, error) {
t, err := smithytime.ParseHTTPDate(v)
if err != nil {
return nil, nil
}
return &t, nil
}
type awsAwsquery_deserializeOpAssumeRole struct { type awsAwsquery_deserializeOpAssumeRole struct {
} }


@ -3,9 +3,11 @@
// Package sts provides the API client, operations, and parameter types for AWS // Package sts provides the API client, operations, and parameter types for AWS
// Security Token Service. // Security Token Service.
// //
// Security Token Service Security Token Service (STS) enables you to request // # Security Token Service
// temporary, limited-privilege credentials for users. This guide provides //
// descriptions of the STS API. For more information about using this service, see // Security Token Service (STS) enables you to request temporary,
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html) // limited-privilege credentials for users. This guide provides descriptions of the
// . // STS API. For more information about using this service, see [Temporary Security Credentials].
//
// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
package sts package sts


@ -1045,7 +1045,7 @@ type endpointParamsBinder interface {
bindEndpointParams(*EndpointParameters) bindEndpointParams(*EndpointParameters)
} }
func bindEndpointParams(input interface{}, options Options) *EndpointParameters { func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
params := &EndpointParameters{} params := &EndpointParameters{}
params.Region = bindRegion(options.Region) params.Region = bindRegion(options.Region)
@ -1075,6 +1075,10 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return next.HandleFinalize(ctx, in) return next.HandleFinalize(ctx, in)
} }
if err := checkAccountID(getIdentity(ctx), m.options.AccountIDEndpointMode); err != nil {
return out, metadata, fmt.Errorf("invalid accountID set: %w", err)
}
req, ok := in.Request.(*smithyhttp.Request) req, ok := in.Request.(*smithyhttp.Request)
if !ok { if !ok {
return out, metadata, fmt.Errorf("unknown transport type %T", in.Request) return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
@ -1084,7 +1088,7 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil") return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
} }
params := bindEndpointParams(getOperationInput(ctx), m.options) params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params) endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
if err != nil { if err != nil {
return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err) return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)


@ -5,8 +5,7 @@
"github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000", "github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000",
"github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding": "v1.0.5", "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding": "v1.0.5",
"github.com/aws/aws-sdk-go-v2/service/internal/presigned-url": "v1.0.7", "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url": "v1.0.7",
"github.com/aws/smithy-go": "v1.4.0", "github.com/aws/smithy-go": "v1.4.0"
"github.com/google/go-cmp": "v0.5.4"
}, },
"files": [ "files": [
"api_client.go", "api_client.go",


@ -3,4 +3,4 @@
package sts package sts
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.28.1" const goModuleVersion = "1.29.1"


@ -24,6 +24,9 @@ type Options struct {
// modify this list for per operation behavior. // modify this list for per operation behavior.
APIOptions []func(*middleware.Stack) error APIOptions []func(*middleware.Stack) error
// Indicates how aws account ID is applied in endpoint2.0 routing
AccountIDEndpointMode aws.AccountIDEndpointMode
// The optional application specific identifier appended to the User-Agent header. // The optional application specific identifier appended to the User-Agent header.
AppID string AppID string
@ -50,8 +53,10 @@ type Options struct {
// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a // Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
// value for this field will likely prevent you from using any endpoint-related // value for this field will likely prevent you from using any endpoint-related
// service features released after the introduction of EndpointResolverV2 and // service features released after the introduction of EndpointResolverV2 and
// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom // BaseEndpoint.
// endpoint, set the client option BaseEndpoint instead. //
// To migrate an EndpointResolver implementation that uses a custom endpoint, set
// the client option BaseEndpoint instead.
EndpointResolver EndpointResolver EndpointResolver EndpointResolver
// Resolves the endpoint used for a particular service operation. This should be // Resolves the endpoint used for a particular service operation. This should be
@ -70,17 +75,20 @@ type Options struct {
// RetryMaxAttempts specifies the maximum number attempts an API client will call // RetryMaxAttempts specifies the maximum number attempts an API client will call
// an operation that fails with a retryable error. A value of 0 is ignored, and // an operation that fails with a retryable error. A value of 0 is ignored, and
// will not be used to configure the API client created default retryer, or modify // will not be used to configure the API client created default retryer, or modify
// per operation call's retry max attempts. If specified in an operation call's // per operation call's retry max attempts.
// functional options with a value that is different than the constructed client's //
// Options, the Client's Retryer will be wrapped to use the operation's specific // If specified in an operation call's functional options with a value that is
// RetryMaxAttempts value. // different than the constructed client's Options, the Client's Retryer will be
// wrapped to use the operation's specific RetryMaxAttempts value.
RetryMaxAttempts int RetryMaxAttempts int
// RetryMode specifies the retry mode the API client will be created with, if // RetryMode specifies the retry mode the API client will be created with, if
// Retryer option is not also specified. When creating a new API Clients this // Retryer option is not also specified.
// member will only be used if the Retryer Options member is nil. This value will //
// be ignored if Retryer is not nil. Currently does not support per operation call // When creating a new API Clients this member will only be used if the Retryer
// overrides, may in the future. // Options member is nil. This value will be ignored if Retryer is not nil.
//
// Currently does not support per operation call overrides, may in the future.
RetryMode aws.RetryMode RetryMode aws.RetryMode
// Retryer guides how HTTP requests should be retried in case of recoverable // Retryer guides how HTTP requests should be retried in case of recoverable
@ -97,8 +105,9 @@ type Options struct {
// The initial DefaultsMode used when the client options were constructed. If the // The initial DefaultsMode used when the client options were constructed. If the
// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved // DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
// value was at that point in time. Currently does not support per operation call // value was at that point in time.
// overrides, may in the future. //
// Currently does not support per operation call overrides, may in the future.
resolvedDefaultsMode aws.DefaultsMode resolvedDefaultsMode aws.DefaultsMode
// The HTTP client to invoke API calls with. Defaults to client's default HTTP // The HTTP client to invoke API calls with. Defaults to client's default HTTP
@ -143,6 +152,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
// Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for // Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
// this field will likely prevent you from using any endpoint-related service // this field will likely prevent you from using any endpoint-related service
// features released after the introduction of EndpointResolverV2 and BaseEndpoint. // features released after the introduction of EndpointResolverV2 and BaseEndpoint.
//
// To migrate an EndpointResolver implementation that uses a custom endpoint, set // To migrate an EndpointResolver implementation that uses a custom endpoint, set
// the client option BaseEndpoint instead. // the client option BaseEndpoint instead.
func WithEndpointResolver(v EndpointResolver) func(*Options) { func WithEndpointResolver(v EndpointResolver) func(*Options) {


@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string {
func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
// The identity provider (IdP) reported that authentication failed. This might be // The identity provider (IdP) reported that authentication failed. This might be
// because the claim is invalid. If this error is returned for the // because the claim is invalid.
// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired //
// or has been explicitly revoked. // If this error is returned for the AssumeRoleWithWebIdentity operation, it can
// also mean that the claim has expired or has been explicitly revoked.
type IDPRejectedClaimException struct { type IDPRejectedClaimException struct {
Message *string Message *string
@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
// compresses the session policy document, session policy ARNs, and session tags // compresses the session policy document, session policy ARNs, and session tags
// into a packed binary format that has a separate limit. The error message // into a packed binary format that has a separate limit. The error message
// indicates by percentage how close the policies and tags are to the upper size // indicates by percentage how close the policies and tags are to the upper size
// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide.
// in the IAM User Guide. You could receive this error even though you meet other //
// defined session policy and session tag limits. For more information, see IAM // You could receive this error even though you meet other defined session policy
// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length) // and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide.
// in the IAM User Guide. //
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
type PackedPolicyTooLargeException struct { type PackedPolicyTooLargeException struct {
Message *string Message *string
@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
// STS is not activated in the requested region for the account that is being // STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM // asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating // console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // User Guide.
// in the IAM User Guide. //
// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
type RegionDisabledException struct { type RegionDisabledException struct {
Message *string Message *string


@ -11,10 +11,11 @@ import (
// returns. // returns.
type AssumedRoleUser struct { type AssumedRoleUser struct {
// The ARN of the temporary security credentials that are returned from the // The ARN of the temporary security credentials that are returned from the AssumeRole
// AssumeRole action. For more information about ARNs and how to use them in // action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in
// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) // the IAM User Guide.
// in the IAM User Guide. //
// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
// //
// This member is required. // This member is required.
Arn *string Arn *string
@ -61,8 +62,9 @@ type FederatedUser struct {
// The ARN that specifies the federated user that is associated with the // The ARN that specifies the federated user that is associated with the
// credentials. For more information about ARNs and how to use them in policies, // credentials. For more information about ARNs and how to use them in policies,
// see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) // see [IAM Identifiers]in the IAM User Guide.
// in the IAM User Guide. //
// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
// //
// This member is required. // This member is required.
Arn *string Arn *string
@ -81,9 +83,10 @@ type FederatedUser struct {
type PolicyDescriptorType struct { type PolicyDescriptorType struct {
// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
// policy for the role. For more information about ARNs, see Amazon Resource Names // policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web
// (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // Services General Reference.
// in the Amazon Web Services General Reference. //
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Arn *string Arn *string
noSmithyDocumentSerde noSmithyDocumentSerde
@ -107,23 +110,30 @@ type ProvidedContext struct {
// You can pass custom key-value pair attributes when you assume a role or // You can pass custom key-value pair attributes when you assume a role or
// federate a user. These are called session tags. You can then use the session // federate a user. These are called session tags. You can then use the session
// tags to control access to resources. For more information, see Tagging Amazon // tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User
// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // Guide.
// in the IAM User Guide. //
// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
type Tag struct { type Tag struct {
// The key for a session tag. You can pass up to 50 session tags. The plain text // The key for a session tag.
// session tag keys cant exceed 128 characters. For these and additional limits, //
// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // You can pass up to 50 session tags. The plain text session tag keys cant
// in the IAM User Guide. // exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
// Guide.
//
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// //
// This member is required. // This member is required.
Key *string Key *string
// The value for a session tag. You can pass up to 50 session tags. The plain text // The value for a session tag.
// session tag values cant exceed 256 characters. For these and additional limits, //
// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // You can pass up to 50 session tags. The plain text session tag values cant
// in the IAM User Guide. // exceed 256 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
// Guide.
//
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// //
// This member is required. // This member is required.
Value *string Value *string


@ -1079,6 +1079,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "ap-southeast-2", Region: "ap-southeast-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
@ -1091,6 +1094,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "eu-west-3", Region: "eu-west-3",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-east-1", Region: "us-east-1",
}: endpoint{}, }: endpoint{},
@ -4583,91 +4589,6 @@ var awsPartition = partition{
}: endpoint{}, }: endpoint{},
}, },
}, },
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "af-south-1",
}: endpoint{},
endpointKey{
Region: "ap-east-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
endpointKey{
Region: "ap-northeast-3",
}: endpoint{},
endpointKey{
Region: "ap-south-1",
}: endpoint{},
endpointKey{
Region: "ap-south-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-3",
}: endpoint{},
endpointKey{
Region: "ap-southeast-4",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-2",
}: endpoint{},
endpointKey{
Region: "eu-north-1",
}: endpoint{},
endpointKey{
Region: "eu-south-1",
}: endpoint{},
endpointKey{
Region: "eu-south-2",
}: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "me-central-1",
}: endpoint{},
endpointKey{
Region: "me-south-1",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-2",
}: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
},
},
"batch": service{ "batch": service{
Defaults: endpointDefaults{ Defaults: endpointDefaults{
defaultKey{}: endpoint{}, defaultKey{}: endpoint{},
@ -4873,6 +4794,14 @@ var awsPartition = partition{
Region: "ap-southeast-2", Region: "ap-southeast-2",
}, },
}, },
endpointKey{
Region: "bedrock-ca-central-1",
}: endpoint{
Hostname: "bedrock.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-eu-central-1", Region: "bedrock-eu-central-1",
}: endpoint{ }: endpoint{
@ -4889,6 +4818,14 @@ var awsPartition = partition{
Region: "eu-west-1", Region: "eu-west-1",
}, },
}, },
endpointKey{
Region: "bedrock-eu-west-2",
}: endpoint{
Hostname: "bedrock.eu-west-2.amazonaws.com",
CredentialScope: credentialScope{
Region: "eu-west-2",
},
},
endpointKey{ endpointKey{
Region: "bedrock-eu-west-3", Region: "bedrock-eu-west-3",
}: endpoint{ }: endpoint{
@ -4897,6 +4834,14 @@ var awsPartition = partition{
Region: "eu-west-3", Region: "eu-west-3",
}, },
}, },
endpointKey{
Region: "bedrock-fips-ca-central-1",
}: endpoint{
Hostname: "bedrock-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-fips-us-east-1", Region: "bedrock-fips-us-east-1",
}: endpoint{ }: endpoint{
@ -4945,6 +4890,14 @@ var awsPartition = partition{
Region: "ap-southeast-2", Region: "ap-southeast-2",
}, },
}, },
endpointKey{
Region: "bedrock-runtime-ca-central-1",
}: endpoint{
Hostname: "bedrock-runtime.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-runtime-eu-central-1", Region: "bedrock-runtime-eu-central-1",
}: endpoint{ }: endpoint{
@ -4961,6 +4914,14 @@ var awsPartition = partition{
Region: "eu-west-1", Region: "eu-west-1",
}, },
}, },
endpointKey{
Region: "bedrock-runtime-eu-west-2",
}: endpoint{
Hostname: "bedrock-runtime.eu-west-2.amazonaws.com",
CredentialScope: credentialScope{
Region: "eu-west-2",
},
},
endpointKey{ endpointKey{
Region: "bedrock-runtime-eu-west-3", Region: "bedrock-runtime-eu-west-3",
}: endpoint{ }: endpoint{
@ -4969,6 +4930,14 @@ var awsPartition = partition{
Region: "eu-west-3", Region: "eu-west-3",
}, },
}, },
endpointKey{
Region: "bedrock-runtime-fips-ca-central-1",
}: endpoint{
Hostname: "bedrock-runtime-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-runtime-fips-us-east-1", Region: "bedrock-runtime-fips-us-east-1",
}: endpoint{ }: endpoint{
@ -4985,6 +4954,14 @@ var awsPartition = partition{
Region: "us-west-2", Region: "us-west-2",
}, },
}, },
endpointKey{
Region: "bedrock-runtime-sa-east-1",
}: endpoint{
Hostname: "bedrock-runtime.sa-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "sa-east-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-runtime-us-east-1", Region: "bedrock-runtime-us-east-1",
}: endpoint{ }: endpoint{
@ -5001,6 +4978,14 @@ var awsPartition = partition{
Region: "us-west-2", Region: "us-west-2",
}, },
}, },
endpointKey{
Region: "bedrock-sa-east-1",
}: endpoint{
Hostname: "bedrock.sa-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "sa-east-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-us-east-1", Region: "bedrock-us-east-1",
}: endpoint{ }: endpoint{
@ -5017,15 +5002,24 @@ var awsPartition = partition{
Region: "us-west-2", Region: "us-west-2",
}, },
}, },
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-1", Region: "eu-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-3", Region: "eu-west-3",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-east-1", Region: "us-east-1",
}: endpoint{}, }: endpoint{},
@ -5083,6 +5077,12 @@ var awsPartition = partition{
}, },
"cases": service{ "cases": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-southeast-1", Region: "ap-southeast-1",
}: endpoint{}, }: endpoint{},
@ -5297,69 +5297,157 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "af-south-1", Region: "af-south-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "af-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-east-1", Region: "ap-east-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-northeast-1", Region: "ap-northeast-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-northeast-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-northeast-2", Region: "ap-northeast-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-northeast-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-northeast-3", Region: "ap-northeast-3",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-northeast-3",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-south-1", Region: "ap-south-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-southeast-1", Region: "ap-southeast-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-southeast-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ap-southeast-2", Region: "ap-southeast-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ap-southeast-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "ca-central-1", Region: "ca-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-north-1", Region: "eu-north-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-north-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-south-1", Region: "eu-south-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-1", Region: "eu-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-west-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-2", Region: "eu-west-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-west-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-3", Region: "eu-west-3",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-west-3",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "il-central-1", Region: "il-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "il-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "me-south-1", Region: "me-south-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "me-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "sa-east-1", Region: "sa-east-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "sa-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-east-1", Region: "us-east-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-east-2", Region: "us-east-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-east-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-west-1", Region: "us-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-west-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-west-2", Region: "us-west-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-west-2",
Variant: dualStackVariant,
}: endpoint{},
}, },
}, },
"cloudcontrolapi": service{ "cloudcontrolapi": service{
@ -9264,9 +9352,21 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "ca-central-1", Region: "ca-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
},
endpointKey{ endpointKey{
Region: "ca-west-1", Region: "ca-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
@ -9291,6 +9391,24 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "eu-west-3", Region: "eu-west-3",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "fips-ca-central-1",
}: endpoint{
Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-ca-west-1",
}: endpoint{
Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "fips-us-east-1", Region: "fips-us-east-1",
}: endpoint{ }: endpoint{
@ -15561,6 +15679,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "ca-central-1", Region: "ca-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
@ -17465,12 +17586,27 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "ca-central-1", Region: "ca-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kendra-fips.ca-central-1.amazonaws.com",
},
endpointKey{ endpointKey{
Region: "eu-west-1", Region: "eu-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{ endpointKey{
Region: "eu-west-2", Region: "eu-west-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "fips-ca-central-1",
}: endpoint{
Hostname: "kendra-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "fips-us-east-1", Region: "fips-us-east-1",
}: endpoint{ }: endpoint{
@ -21684,6 +21820,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "ca-central-1", Region: "ca-central-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
@ -25241,6 +25380,9 @@ var awsPartition = partition{
}, },
Deprecated: boxedTrue, Deprecated: boxedTrue,
}, },
endpointKey{
Region: "me-central-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "sa-east-1", Region: "sa-east-1",
}: endpoint{}, }: endpoint{},
@ -31870,6 +32012,24 @@ var awsPartition = partition{
}, },
Deprecated: boxedTrue, Deprecated: boxedTrue,
}, },
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{
Region: "ca-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
},
endpointKey{
Region: "ca-west-1-fips",
}: endpoint{
Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "eu-central-1", Region: "eu-central-1",
}: endpoint{}, }: endpoint{},
@ -33793,6 +33953,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "eu-west-2", Region: "eu-west-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{ endpointKey{
Region: "sa-east-1", Region: "sa-east-1",
}: endpoint{}, }: endpoint{},
@ -33802,6 +33965,9 @@ var awsPartition = partition{
endpointKey{ endpointKey{
Region: "us-east-2", Region: "us-east-2",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
endpointKey{ endpointKey{
Region: "us-west-2", Region: "us-west-2",
}: endpoint{}, }: endpoint{},
@ -36138,16 +36304,6 @@ var awscnPartition = partition{
}: endpoint{}, }: endpoint{},
}, },
}, },
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "cn-north-1",
}: endpoint{},
endpointKey{
Region: "cn-northwest-1",
}: endpoint{},
},
},
"batch": service{ "batch": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{ endpointKey{
@ -38917,16 +39073,6 @@ var awsusgovPartition = partition{
}: endpoint{}, }: endpoint{},
}, },
}, },
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "us-gov-east-1",
}: endpoint{},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{},
},
},
"batch": service{ "batch": service{
Defaults: endpointDefaults{ Defaults: endpointDefaults{
defaultKey{}: endpoint{}, defaultKey{}: endpoint{},
@ -38977,6 +39123,22 @@ var awsusgovPartition = partition{
}, },
"bedrock": service{ "bedrock": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "bedrock-fips-us-gov-west-1",
}: endpoint{
Hostname: "bedrock-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{
Region: "bedrock-runtime-fips-us-gov-west-1",
}: endpoint{
Hostname: "bedrock-runtime-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{ endpointKey{
Region: "bedrock-runtime-us-gov-west-1", Region: "bedrock-runtime-us-gov-west-1",
}: endpoint{ }: endpoint{
@ -41821,6 +41983,62 @@ var awsusgovPartition = partition{
}: endpoint{}, }: endpoint{},
}, },
}, },
"kinesisvideo": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-gov-east-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-gov-west-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-gov-east-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
},
endpointKey{
Region: "us-gov-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{
Region: "us-gov-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
},
},
"kms": service{ "kms": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{ endpointKey{
@ -43562,6 +43780,46 @@ var awsusgovPartition = partition{
}, },
}, },
}, },
"securitylake": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "us-gov-east-1",
}: endpoint{},
endpointKey{
Region: "us-gov-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "securitylake.us-gov-east-1.amazonaws.com",
},
endpointKey{
Region: "us-gov-east-1-fips",
}: endpoint{
Hostname: "securitylake.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{},
endpointKey{
Region: "us-gov-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "securitylake.us-gov-west-1.amazonaws.com",
},
endpointKey{
Region: "us-gov-west-1-fips",
}: endpoint{
Hostname: "securitylake.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
Deprecated: boxedTrue,
},
},
},
"serverlessrepo": service{ "serverlessrepo": service{
Defaults: endpointDefaults{ Defaults: endpointDefaults{
defaultKey{}: endpoint{ defaultKey{}: endpoint{
@ -45743,42 +46001,12 @@ var awsisoPartition = partition{
}, },
"ram": service{ "ram": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-iso-east-1",
}: endpoint{
Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-iso-west-1",
}: endpoint{
Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "us-iso-east-1", Region: "us-iso-east-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
},
endpointKey{ endpointKey{
Region: "us-iso-west-1", Region: "us-iso-west-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
},
}, },
}, },
"rbin": service{ "rbin": service{
@ -45823,37 +46051,10 @@ var awsisoPartition = partition{
}, },
"rds": service{ "rds": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "rds-fips.us-iso-east-1",
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds-fips.us-iso-west-1",
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "rds.us-iso-east-1", Region: "rds.us-iso-east-1",
}: endpoint{ }: endpoint{
CredentialScope: credentialScope{ Hostname: "rds.us-iso-east-1.c2s.ic.gov",
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-iso-east-1", Region: "us-iso-east-1",
}, },
@ -45862,16 +46063,7 @@ var awsisoPartition = partition{
endpointKey{ endpointKey{
Region: "rds.us-iso-west-1", Region: "rds.us-iso-west-1",
}: endpoint{ }: endpoint{
CredentialScope: credentialScope{ Hostname: "rds.us-iso-west-1.c2s.ic.gov",
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-iso-west-1", Region: "us-iso-west-1",
}, },
@ -45884,12 +46076,12 @@ var awsisoPartition = partition{
Region: "us-iso-east-1", Region: "us-iso-east-1",
Variant: fipsVariant, Variant: fipsVariant,
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov", Hostname: "rds.us-iso-east-1.c2s.ic.gov",
}, },
endpointKey{ endpointKey{
Region: "us-iso-east-1-fips", Region: "us-iso-east-1-fips",
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov", Hostname: "rds.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-iso-east-1", Region: "us-iso-east-1",
}, },
@ -45902,12 +46094,12 @@ var awsisoPartition = partition{
Region: "us-iso-west-1", Region: "us-iso-west-1",
Variant: fipsVariant, Variant: fipsVariant,
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov", Hostname: "rds.us-iso-west-1.c2s.ic.gov",
}, },
endpointKey{ endpointKey{
Region: "us-iso-west-1-fips", Region: "us-iso-west-1-fips",
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov", Hostname: "rds.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-iso-west-1", Region: "us-iso-west-1",
}, },
@ -46866,24 +47058,9 @@ var awsisobPartition = partition{
}, },
"ram": service{ "ram": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-isob-east-1",
}: endpoint{
Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "us-isob-east-1", Region: "us-isob-east-1",
}: endpoint{}, }: endpoint{},
endpointKey{
Region: "us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
},
}, },
}, },
"rbin": service{ "rbin": service{
@ -46910,28 +47087,10 @@ var awsisobPartition = partition{
}, },
"rds": service{ "rds": service{
Endpoints: serviceEndpoints{ Endpoints: serviceEndpoints{
endpointKey{
Region: "rds-fips.us-isob-east-1",
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{ endpointKey{
Region: "rds.us-isob-east-1", Region: "rds.us-isob-east-1",
}: endpoint{ }: endpoint{
CredentialScope: credentialScope{ Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-isob-east-1", Region: "us-isob-east-1",
}, },
@ -46944,12 +47103,12 @@ var awsisobPartition = partition{
Region: "us-isob-east-1", Region: "us-isob-east-1",
Variant: fipsVariant, Variant: fipsVariant,
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov", Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
}, },
endpointKey{ endpointKey{
Region: "us-isob-east-1-fips", Region: "us-isob-east-1-fips",
}: endpoint{ }: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov", Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{ CredentialScope: credentialScope{
Region: "us-isob-east-1", Region: "us-isob-east-1",
}, },


@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go" const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK // SDKVersion is the version of this SDK
const SDKVersion = "1.53.14" const SDKVersion = "1.54.6"


@ -807,6 +807,7 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store. // for Amazon VPC endpoint service connectivity for an external key store.
// //
// - XksProxyInvalidResponseException // - XksProxyInvalidResponseException
//
// KMS cannot interpret the response it received from the external key store // KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also // proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it // be a transient network issue. If you see this error repeatedly, report it
@ -1107,11 +1108,15 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair, // Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair,
// or an SM2 key pair (China Regions only). The private key in an asymmetric // or an SM2 key pair (China Regions only). The private key in an asymmetric
// KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey // KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
// operation to download the public key so it can be used outside of KMS. KMS // operation to download the public key so it can be used outside of KMS. Each
// keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or // KMS key can have only one key usage. KMS keys with RSA key pairs can be used
// sign and verify messages (but not both). KMS keys with ECC key pairs can // to encrypt and decrypt data or sign and verify messages (but not both). KMS
// be used only to sign and verify messages. For information about asymmetric // keys with NIST-recommended ECC key pairs can be used to sign and verify messages
// KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html) // or derive shared secrets (but not both). KMS keys with ECC_SECG_P256K1 can
// be used only to sign and verify messages. KMS keys with SM2 key pairs (China
// Regions only) can be used to either encrypt and decrypt data, sign and verify
// messages, or derive shared secrets (you must choose one key usage type).
// For information about asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the Key Management Service Developer Guide. // in the Key Management Service Developer Guide.
// //
// # HMAC KMS key // # HMAC KMS key
@ -1554,7 +1559,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -2068,6 +2074,219 @@ func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *Delet
return out, req.Send() return out, req.Send()
} }
const opDeriveSharedSecret = "DeriveSharedSecret"
// DeriveSharedSecretRequest generates a "aws/request.Request" representing the
// client's request for the DeriveSharedSecret operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See DeriveSharedSecret for more information on using the DeriveSharedSecret
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
// // Example sending a request using the DeriveSharedSecretRequest method.
// req, resp := client.DeriveSharedSecretRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
func (c *KMS) DeriveSharedSecretRequest(input *DeriveSharedSecretInput) (req *request.Request, output *DeriveSharedSecretOutput) {
op := &request.Operation{
Name: opDeriveSharedSecret,
HTTPMethod: "POST",
HTTPPath: "/",
}
if input == nil {
input = &DeriveSharedSecretInput{}
}
output = &DeriveSharedSecretOutput{}
req = c.newRequest(op, input, output)
return
}
// DeriveSharedSecret API operation for AWS Key Management Service.
//
// Derives a shared secret using a key agreement algorithm.
//
// You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China
// Regions only) KMS key pair with a KeyUsage value of KEY_AGREEMENT to call
// DeriveSharedSecret.
//
// DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman
// Primitive (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60)
// (ECDH) to establish a key agreement between two peers by deriving a shared
// secret from their elliptic curve public-private key pairs. You can use the
// raw shared secret that DeriveSharedSecret returns to derive a symmetric key
// that can encrypt and decrypt data that is sent between the two peers, or
// that can generate and verify HMACs. KMS recommends that you follow NIST recommendations
// for key derivation (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf)
// when using the raw shared secret to derive a symmetric key.
//
// The following workflow demonstrates how to establish key agreement over an
// insecure communication channel using DeriveSharedSecret.
//
// Alice calls CreateKey to create an asymmetric KMS key pair with a KeyUsage
// value of KEY_AGREEMENT.
//
// The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or
// SM2 (China Regions only) key spec.
//
// Bob creates an elliptic curve key pair.
//
// Bob can call CreateKey to create an asymmetric KMS key pair or generate a
// key pair outside of KMS. Bob's key pair must use the same NIST-recommended
// elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.
//
// Alice and Bob exchange their public keys through an insecure communication
// channel (like the internet).
//
// Use GetPublicKey to download the public key of your asymmetric KMS key pair.
//
// KMS strongly recommends verifying that the public key you receive came from
// the expected party before using it to derive a shared secret.
//
// Alice calls DeriveSharedSecret.
//
// KMS uses the private key from the KMS key pair generated in Step 1, Bob's
// public key, and the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
// to derive the shared secret. The private key in your KMS key pair never leaves
// KMS unencrypted. DeriveSharedSecret returns the raw shared secret.
//
// Bob uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
// to calculate the same raw secret using his private key and Alice's public
// key.
//
// To derive a shared secret you must provide a key agreement algorithm, the
// private key of the caller's asymmetric NIST-recommended elliptic curve or
// SM2 (China Regions only) KMS key pair, and the public key from your peer's
// NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The
// public key can be from another asymmetric KMS key pair or from a key pair
// generated outside of KMS, but both key pairs must be on the same elliptic
// curve.
//
// The KMS key that you use for this operation must be in a compatible key state.
// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a KMS key in a different
// Amazon Web Services account, specify the key ARN or alias ARN in the value
// of the KeyId parameter.
//
// Required permissions: kms:DeriveSharedSecret (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
// - CreateKey
//
// - GetPublicKey
//
// - DescribeKey
//
// Eventual consistency: The KMS API follows an eventual consistency model.
// For more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html).
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeriveSharedSecret for usage and error information.
//
// Returned Error Types:
//
// - NotFoundException
// The request was rejected because the specified entity or resource could not
// be found.
//
// - DisabledException
// The request was rejected because the specified KMS key is not enabled.
//
// - KeyUnavailableException
// The request was rejected because the specified KMS key was not available.
// You can retry the request.
//
// - DependencyTimeoutException
// The system timed out while trying to fulfill the request. You can retry the
// request.
//
// - InvalidGrantTokenException
// The request was rejected because the specified grant token is not valid.
//
// - InvalidKeyUsageException
// The request was rejected for one of the following reasons:
//
// - The KeyUsage value of the KMS key is incompatible with the API operation.
//
// - The encryption algorithm or signing algorithm specified for the operation
// is incompatible with the type of key material in the KMS key (KeySpec).
//
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
// key, use the DescribeKey operation.
//
// - InternalException
// The request was rejected because an internal exception occurred. The request
// can be retried.
//
// - InvalidStateException
// The request was rejected because the state of the specified resource is not
// valid for this request.
//
// This exceptions means one of the following:
//
// - The key state of the KMS key is not compatible with the operation. To
// find the key state, use the DescribeKey operation. For more information
// about which key states are compatible with each KMS operation, see Key
// states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the Key Management Service Developer Guide .
//
// - For cryptographic operations on KMS keys in custom key stores, this
// exception represents a general failure with many possible causes. To identify
// the cause, see the error message that accompanies the exception.
//
// - DryRunOperationException
// The request was rejected because the DryRun parameter was specified.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
func (c *KMS) DeriveSharedSecret(input *DeriveSharedSecretInput) (*DeriveSharedSecretOutput, error) {
req, out := c.DeriveSharedSecretRequest(input)
return out, req.Send()
}
// DeriveSharedSecretWithContext is the same as DeriveSharedSecret with the addition of
// the ability to pass a context and additional request options.
//
// See DeriveSharedSecret for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeriveSharedSecretWithContext(ctx aws.Context, input *DeriveSharedSecretInput, opts ...request.Option) (*DeriveSharedSecretOutput, error) {
req, out := c.DeriveSharedSecretRequest(input)
req.SetContext(ctx)
req.ApplyOptions(opts...)
return out, req.Send()
}
const opDescribeCustomKeyStores = "DescribeCustomKeyStores" const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the // DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
@ -3326,7 +3545,8 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -3554,7 +3774,8 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -3772,7 +3993,8 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -3969,7 +4191,8 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -4178,7 +4401,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -4343,7 +4567,8 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -4911,9 +5136,9 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
// GetParametersForImport returns the items that you need to import your key // GetParametersForImport returns the items that you need to import your key
// material. // material.
// //
// - The public key (or "wrapping key") of an asymmetric key pair that KMS // - The public key (or "wrapping key") of an RSA key pair that KMS generates.
// generates. You will use this public key to encrypt ("wrap") your key material // You will use this public key to encrypt ("wrap") your key material while
// while it's in transit to KMS. // it's in transit to KMS.
// //
// - A import token that ensures that KMS can decrypt your key material and // - A import token that ensures that KMS can decrypt your key material and
// associate it with the correct KMS key. // associate it with the correct KMS key.
@ -5089,7 +5314,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521. // The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
// //
// - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage): // - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
// Whether the key is used for encryption or signing. // Whether the key is used for encryption, signing, or deriving a shared
// secret.
// //
// - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms) // - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
// or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms): // or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
@ -5170,7 +5396,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -7082,7 +7309,8 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -8134,7 +8362,8 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -8939,6 +9168,7 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store. // for Amazon VPC endpoint service connectivity for an external key store.
// //
// - XksProxyInvalidResponseException // - XksProxyInvalidResponseException
//
// KMS cannot interpret the response it received from the external key store // KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also // proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it // be a transient network issue. If you see this error repeatedly, report it
@ -9412,7 +9642,8 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -9576,7 +9807,8 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -11140,15 +11372,18 @@ type CreateKeyInput struct {
// //
// * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512 // * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512
// //
// * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096 // * Asymmetric RSA key pairs (encryption and decryption -or- signing and
// verification) RSA_2048 RSA_3072 RSA_4096
// //
// * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1) // * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification
// ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1) // -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384
// (secp384r1) ECC_NIST_P521 (secp521r1)
// //
// * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1), // * Other asymmetric elliptic curve key pairs (signing and verification)
// commonly used for cryptocurrencies. // ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
// //
// * SM2 key pairs (China Regions only) SM2 // * SM2 key pairs (encryption and decryption -or- signing and verification
// -or- deriving shared secrets) SM2 (China Regions only)
KeySpec *string `type:"string" enum:"KeySpec"` KeySpec *string `type:"string" enum:"KeySpec"`
// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations) // Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
@ -11163,13 +11398,16 @@ type CreateKeyInput struct {
// //
// * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC. // * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.
// //
// * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT // * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT
// or SIGN_VERIFY. // or SIGN_VERIFY.
// //
// * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY. // * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs,
// specify SIGN_VERIFY or KEY_AGREEMENT.
// //
// * For asymmetric KMS keys with SM2 key material (China Regions only), // * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY.
// specify ENCRYPT_DECRYPT or SIGN_VERIFY. //
// * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify
// ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT.
KeyUsage *string `type:"string" enum:"KeyUsageType"` KeyUsage *string `type:"string" enum:"KeyUsageType"`
// Creates a multi-Region primary key that you can replicate into other Amazon // Creates a multi-Region primary key that you can replicate into other Amazon
@ -12555,6 +12793,282 @@ func (s *DependencyTimeoutException) RequestID() string {
return s.RespMetadata.RequestID return s.RespMetadata.RequestID
} }
type DeriveSharedSecretInput struct {
_ struct{} `type:"structure"`
// Checks if your request will succeed. DryRun is an optional parameter.
//
// To learn more about how to use this parameter, see Testing your KMS API calls
// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
// in the Key Management Service Developer Guide.
DryRun *bool `type:"boolean"`
// A list of grant tokens.
//
// Use a grant token when your permission to call this operation comes from
// a new grant that has not yet achieved eventual consistency. For more information,
// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
// in the Key Management Service Developer Guide.
GrantTokens []*string `type:"list"`
// Specifies the key agreement algorithm used to derive the shared secret. The
// only valid value is ECDH.
//
// KeyAgreementAlgorithm is a required field
KeyAgreementAlgorithm *string `type:"string" required:"true" enum:"KeyAgreementAlgorithmSpec"`
// Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only)
// KMS key. KMS uses the private key in the specified key pair to derive the
// shared secret. The key usage of the KMS key must be KEY_AGREEMENT. To find
// the KeyUsage of a KMS key, use the DescribeKey operation.
//
// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
// When using an alias name, prefix it with "alias/". To specify a KMS key in
// a different Amazon Web Services account, you must use the key ARN or alias
// ARN.
//
// For example:
//
// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
//
// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//
// * Alias name: alias/ExampleAlias
//
// * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
//
// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
// To get the alias name and alias ARN, use ListAliases.
//
// KeyId is a required field
KeyId *string `min:"1" type:"string" required:"true"`
// Specifies the public key in your peer's NIST-recommended elliptic curve (ECC)
// or SM2 (China Regions only) key pair.
//
// The public key must be a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
// (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280).
//
// GetPublicKey returns the public key of an asymmetric KMS key pair in the
// required DER-encoded format.
//
// If you use Amazon Web Services CLI version 1 (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html),
// you must provide the DER-encoded X.509 public key in a file. Otherwise, the
// Amazon Web Services CLI Base64-encodes the public key a second time, resulting
// in a ValidationException.
//
// You can specify the public key as binary data in a file using fileb (fileb://<path-to-file>)
// or in-line using a Base64 encoded string.
// PublicKey is automatically base64 encoded/decoded by the SDK.
//
// PublicKey is a required field
PublicKey []byte `min:"1" type:"blob" required:"true"`
// A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc)
// from an Amazon Web Services Nitro enclave and the encryption algorithm to
// use with the enclave's public key. The only valid encryption algorithm is
// RSAES_OAEP_SHA_256.
//
// This parameter only supports attestation documents for Amazon Web Services
// Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
// Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
// to generate the attestation document and then use the Recipient parameter
// from any Amazon Web Services SDK to provide the attestation document for
// the enclave.
//
// When you use this parameter, instead of returning a plaintext copy of the
// shared secret, KMS encrypts the plaintext shared secret under the public
// key in the attestation document, and returns the resulting ciphertext in
// the CiphertextForRecipient field in the response. This ciphertext can be
// decrypted only with the private key in the enclave. The CiphertextBlob field
// in the response contains the encrypted shared secret derived from the KMS
// key specified by the KeyId parameter and public key specified by the PublicKey
// parameter. The SharedSecret field in the response is null or empty.
//
// For information about the interaction between KMS and Amazon Web Services
// Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
// in the Key Management Service Developer Guide.
Recipient *RecipientInfo `type:"structure"`
}
// String returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretInput) String() string {
return awsutil.Prettify(s)
}
// GoString returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretInput) GoString() string {
return s.String()
}
// Validate inspects the fields of the type to determine if they are valid.
func (s *DeriveSharedSecretInput) Validate() error {
invalidParams := request.ErrInvalidParams{Context: "DeriveSharedSecretInput"}
if s.KeyAgreementAlgorithm == nil {
invalidParams.Add(request.NewErrParamRequired("KeyAgreementAlgorithm"))
}
if s.KeyId == nil {
invalidParams.Add(request.NewErrParamRequired("KeyId"))
}
if s.KeyId != nil && len(*s.KeyId) < 1 {
invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
}
if s.PublicKey == nil {
invalidParams.Add(request.NewErrParamRequired("PublicKey"))
}
if s.PublicKey != nil && len(s.PublicKey) < 1 {
invalidParams.Add(request.NewErrParamMinLen("PublicKey", 1))
}
if s.Recipient != nil {
if err := s.Recipient.Validate(); err != nil {
invalidParams.AddNested("Recipient", err.(request.ErrInvalidParams))
}
}
if invalidParams.Len() > 0 {
return invalidParams
}
return nil
}
// SetDryRun sets the DryRun field's value.
func (s *DeriveSharedSecretInput) SetDryRun(v bool) *DeriveSharedSecretInput {
s.DryRun = &v
return s
}
// SetGrantTokens sets the GrantTokens field's value.
func (s *DeriveSharedSecretInput) SetGrantTokens(v []*string) *DeriveSharedSecretInput {
s.GrantTokens = v
return s
}
// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
func (s *DeriveSharedSecretInput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretInput {
s.KeyAgreementAlgorithm = &v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *DeriveSharedSecretInput) SetKeyId(v string) *DeriveSharedSecretInput {
s.KeyId = &v
return s
}
// SetPublicKey sets the PublicKey field's value.
func (s *DeriveSharedSecretInput) SetPublicKey(v []byte) *DeriveSharedSecretInput {
s.PublicKey = v
return s
}
// SetRecipient sets the Recipient field's value.
func (s *DeriveSharedSecretInput) SetRecipient(v *RecipientInfo) *DeriveSharedSecretInput {
s.Recipient = v
return s
}
type DeriveSharedSecretOutput struct {
_ struct{} `type:"structure"`
// The plaintext shared secret encrypted with the public key in the attestation
// document.
//
// This field is included in the response only when the Recipient parameter
// in the request includes a valid attestation document from an Amazon Web Services
// Nitro enclave. For information about the interaction between KMS and Amazon
// Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses
// KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
// in the Key Management Service Developer Guide.
// CiphertextForRecipient is automatically base64 encoded/decoded by the SDK.
CiphertextForRecipient []byte `min:"1" type:"blob"`
// Identifies the key agreement algorithm used to derive the shared secret.
KeyAgreementAlgorithm *string `type:"string" enum:"KeyAgreementAlgorithmSpec"`
// Identifies the KMS key used to derive the shared secret.
KeyId *string `min:"1" type:"string"`
// The source of the key material for the specified KMS key.
//
// When this value is AWS_KMS, KMS created the key material. When this value
// is EXTERNAL, the key material was imported or the KMS key doesn't have any
// key material.
//
// The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret
// does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.
KeyOrigin *string `type:"string" enum:"OriginType"`
// The raw secret derived from the specified key agreement algorithm, private
// key in the asymmetric KMS key, and your peer's public key.
//
// If the response includes the CiphertextForRecipient field, the SharedSecret
// field is null or empty.
//
// SharedSecret is a sensitive parameter and its value will be
// replaced with "sensitive" in string returned by DeriveSharedSecretOutput's
// String and GoString methods.
//
// SharedSecret is automatically base64 encoded/decoded by the SDK.
SharedSecret []byte `min:"1" type:"blob" sensitive:"true"`
}
// String returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretOutput) String() string {
return awsutil.Prettify(s)
}
// GoString returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretOutput) GoString() string {
return s.String()
}
// SetCiphertextForRecipient sets the CiphertextForRecipient field's value.
func (s *DeriveSharedSecretOutput) SetCiphertextForRecipient(v []byte) *DeriveSharedSecretOutput {
s.CiphertextForRecipient = v
return s
}
// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
func (s *DeriveSharedSecretOutput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretOutput {
s.KeyAgreementAlgorithm = &v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *DeriveSharedSecretOutput) SetKeyId(v string) *DeriveSharedSecretOutput {
s.KeyId = &v
return s
}
// SetKeyOrigin sets the KeyOrigin field's value.
func (s *DeriveSharedSecretOutput) SetKeyOrigin(v string) *DeriveSharedSecretOutput {
s.KeyOrigin = &v
return s
}
// SetSharedSecret sets the SharedSecret field's value.
func (s *DeriveSharedSecretOutput) SetSharedSecret(v []byte) *DeriveSharedSecretOutput {
s.SharedSecret = v
return s
}
type DescribeCustomKeyStoresInput struct { type DescribeCustomKeyStoresInput struct {
_ struct{} `type:"structure"` _ struct{} `type:"structure"`
@ -14006,9 +14520,11 @@ type GenerateDataKeyPairInput struct {
// RSAES_OAEP_SHA_256. // RSAES_OAEP_SHA_256.
// //
// This parameter only supports attestation documents for Amazon Web Services // This parameter only supports attestation documents for Amazon Web Services
// Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro // Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
// Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk) // Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
// or any Amazon Web Services SDK. // to generate the attestation document and then use the Recipient parameter
// from any Amazon Web Services SDK to provide the attestation document for
// the enclave.
// //
// When you use this parameter, instead of returning a plaintext copy of the // When you use this parameter, instead of returning a plaintext copy of the
// private data key, KMS encrypts the plaintext private data key under the public // private data key, KMS encrypts the plaintext private data key under the public
@ -15199,25 +15715,19 @@ type GetParametersForImportInput struct {
// KeyId is a required field // KeyId is a required field
KeyId *string `min:"1" type:"string" required:"true"` KeyId *string `min:"1" type:"string" required:"true"`
// The algorithm you will use with the asymmetric public key (PublicKey) in // The algorithm you will use with the RSA public key (PublicKey) in the response
// the response to protect your key material during import. For more information, // to protect your key material during import. For more information, see Select
// see Select a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm) // a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
// in the Key Management Service Developer Guide. // in the Key Management Service Developer Guide.
// //
// For RSA_AES wrapping algorithms, you encrypt your key material with an AES // For RSA_AES wrapping algorithms, you encrypt your key material with an AES
// key that you generate, then encrypt your AES key with the RSA public key // key that you generate, then encrypt your AES key with the RSA public key
// from KMS. For RSAES wrapping algorithms, you encrypt your key material directly // from KMS. For RSAES wrapping algorithms, you encrypt your key material directly
// with the RSA public key from KMS. For SM2PKE wrapping algorithms, you encrypt // with the RSA public key from KMS.
// your key material directly with the SM2 public key from KMS.
// //
// The wrapping algorithms that you can use depend on the type of key material // The wrapping algorithms that you can use depend on the type of key material
// that you are importing. To import an RSA private key, you must use an RSA_AES // that you are importing. To import an RSA private key, you must use an RSA_AES
// wrapping algorithm, except in China Regions, where you must use the SM2PKE // wrapping algorithm.
// wrapping algorithm to import an RSA private key.
//
// The SM2PKE wrapping algorithm is available only in China Regions. The RSA_AES_KEY_WRAP_SHA_256
// and RSA_AES_KEY_WRAP_SHA_1 wrapping algorithms are not supported in China
// Regions.
// //
// * RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key // * RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key
// material. // material.
@ -15237,24 +15747,19 @@ type GetParametersForImportInput struct {
// * RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not // * RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not
// support the RSAES_PKCS1_V1_5 wrapping algorithm. // support the RSAES_PKCS1_V1_5 wrapping algorithm.
// //
// * SM2PKE (China Regions only) — supported for wrapping RSA, ECC, and
// SM2 key material.
//
// WrappingAlgorithm is a required field // WrappingAlgorithm is a required field
WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"` WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`
// The type of public key to return in the response. You will use this wrapping // The type of RSA public key to return in the response. You will use this wrapping
// key with the specified wrapping algorithm to protect your key material during // key with the specified wrapping algorithm to protect your key material during
// import. // import.
// //
// Use the longest wrapping key that is practical. // Use the longest RSA wrapping key that is practical.
// //
// You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private // You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private
// key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public // key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public
// key. // key.
// //
// The SM2 wrapping key spec is available only in China Regions.
//
// WrappingKeySpec is a required field // WrappingKeySpec is a required field
WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"` WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
} }
@ -15490,6 +15995,10 @@ type GetPublicKeyOutput struct {
// is ENCRYPT_DECRYPT. // is ENCRYPT_DECRYPT.
EncryptionAlgorithms []*string `type:"list" enum:"EncryptionAlgorithmSpec"` EncryptionAlgorithms []*string `type:"list" enum:"EncryptionAlgorithmSpec"`
// The key agreement algorithm used to derive a shared secret. This field is
// present only when the KMS key has a KeyUsage value of KEY_AGREEMENT.
KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN)) // The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
// of the asymmetric KMS key from which the public key was downloaded. // of the asymmetric KMS key from which the public key was downloaded.
KeyId *string `min:"1" type:"string"` KeyId *string `min:"1" type:"string"`
@ -15497,11 +16006,11 @@ type GetPublicKeyOutput struct {
// The type of the of the public key that was downloaded. // The type of the of the public key that was downloaded.
KeySpec *string `type:"string" enum:"KeySpec"` KeySpec *string `type:"string" enum:"KeySpec"`
// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or // The permitted use of the public key. Valid values for asymmetric key pairs
// SIGN_VERIFY. // are ENCRYPT_DECRYPT, SIGN_VERIFY, and KEY_AGREEMENT.
// //
// This information is critical. If a public key with SIGN_VERIFY key usage // This information is critical. For example, if a public key with SIGN_VERIFY
// encrypts data outside of KMS, the ciphertext cannot be decrypted. // key usage encrypts data outside of KMS, the ciphertext cannot be decrypted.
KeyUsage *string `type:"string" enum:"KeyUsageType"` KeyUsage *string `type:"string" enum:"KeyUsageType"`
// The exported public key. // The exported public key.
@ -15550,6 +16059,12 @@ func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyO
return s return s
} }
// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
func (s *GetPublicKeyOutput) SetKeyAgreementAlgorithms(v []*string) *GetPublicKeyOutput {
s.KeyAgreementAlgorithms = v
return s
}
// SetKeyId sets the KeyId field's value. // SetKeyId sets the KeyId field's value.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput { func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
s.KeyId = &v s.KeyId = &v
@ -16603,7 +17118,8 @@ func (s *InvalidImportTokenException) RequestID() string {
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -17052,6 +17568,9 @@ type KeyMetadata struct {
// only when Origin is EXTERNAL, otherwise this value is omitted. // only when Origin is EXTERNAL, otherwise this value is omitted.
ExpirationModel *string `type:"string" enum:"ExpirationModelType"` ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
// The key agreement algorithm used to derive a shared secret.
KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
// The globally unique identifier for the KMS key. // The globally unique identifier for the KMS key.
// //
// KeyId is a required field // KeyId is a required field
@ -17232,6 +17751,12 @@ func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
return s return s
} }
// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
func (s *KeyMetadata) SetKeyAgreementAlgorithms(v []*string) *KeyMetadata {
s.KeyAgreementAlgorithms = v
return s
}
// SetKeyId sets the KeyId field's value. // SetKeyId sets the KeyId field's value.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata { func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
s.KeyId = &v s.KeyId = &v
@ -23034,6 +23559,9 @@ const (
// GrantOperationVerifyMac is a GrantOperation enum value // GrantOperationVerifyMac is a GrantOperation enum value
GrantOperationVerifyMac = "VerifyMac" GrantOperationVerifyMac = "VerifyMac"
// GrantOperationDeriveSharedSecret is a GrantOperation enum value
GrantOperationDeriveSharedSecret = "DeriveSharedSecret"
) )
// GrantOperation_Values returns all elements of the GrantOperation enum // GrantOperation_Values returns all elements of the GrantOperation enum
@ -23055,6 +23583,19 @@ func GrantOperation_Values() []string {
GrantOperationGenerateDataKeyPairWithoutPlaintext, GrantOperationGenerateDataKeyPairWithoutPlaintext,
GrantOperationGenerateMac, GrantOperationGenerateMac,
GrantOperationVerifyMac, GrantOperationVerifyMac,
GrantOperationDeriveSharedSecret,
}
}
const (
// KeyAgreementAlgorithmSpecEcdh is a KeyAgreementAlgorithmSpec enum value
KeyAgreementAlgorithmSpecEcdh = "ECDH"
)
// KeyAgreementAlgorithmSpec_Values returns all elements of the KeyAgreementAlgorithmSpec enum
func KeyAgreementAlgorithmSpec_Values() []string {
return []string{
KeyAgreementAlgorithmSpecEcdh,
} }
} }
@ -23195,6 +23736,9 @@ const (
// KeyUsageTypeGenerateVerifyMac is a KeyUsageType enum value // KeyUsageTypeGenerateVerifyMac is a KeyUsageType enum value
KeyUsageTypeGenerateVerifyMac = "GENERATE_VERIFY_MAC" KeyUsageTypeGenerateVerifyMac = "GENERATE_VERIFY_MAC"
// KeyUsageTypeKeyAgreement is a KeyUsageType enum value
KeyUsageTypeKeyAgreement = "KEY_AGREEMENT"
) )
// KeyUsageType_Values returns all elements of the KeyUsageType enum // KeyUsageType_Values returns all elements of the KeyUsageType enum
@ -23203,6 +23747,7 @@ func KeyUsageType_Values() []string {
KeyUsageTypeSignVerify, KeyUsageTypeSignVerify,
KeyUsageTypeEncryptDecrypt, KeyUsageTypeEncryptDecrypt,
KeyUsageTypeGenerateVerifyMac, KeyUsageTypeGenerateVerifyMac,
KeyUsageTypeKeyAgreement,
} }
} }


@ -279,7 +279,8 @@ const (
// For encrypting, decrypting, re-encrypting, and generating data keys, the // For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the // KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication // KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage // codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation. // of a KMS key, use the DescribeKey operation.
// //
// To find the encryption or signing algorithms supported for a particular KMS // To find the encryption or signing algorithms supported for a particular KMS
@ -424,6 +425,7 @@ const (
// ErrCodeXksProxyInvalidResponseException for service response error code // ErrCodeXksProxyInvalidResponseException for service response error code
// "XksProxyInvalidResponseException". // "XksProxyInvalidResponseException".
// //
//
// KMS cannot interpret the response it received from the external key store // KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also // proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it // be a transient network issue. If you see this error repeatedly, report it


@ -1,3 +1,7 @@
# Release (2024-03-29)
* No change notes available for this release.
# Release (2024-02-21) # Release (2024-02-21)
## Module Highlights ## Module Highlights


@ -3,4 +3,4 @@
package smithy package smithy
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.20.1" const goModuleVersion = "1.20.2"


@ -1,133 +0,0 @@
/*-
* Copyright 2016 Zbigniew Mandziejewicz
* Copyright 2016 Square, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package jwt
import (
"fmt"
"strings"
jose "github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/json"
)
// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
type JSONWebToken struct {
payload func(k interface{}) ([]byte, error)
unverifiedPayload func() []byte
Headers []jose.Header
}
type NestedJSONWebToken struct {
enc *jose.JSONWebEncryption
Headers []jose.Header
}
// Claims deserializes a JSONWebToken into dest using the provided key.
func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
b, err := t.payload(key)
if err != nil {
return err
}
for _, d := range dest {
if err := json.Unmarshal(b, d); err != nil {
return err
}
}
return nil
}
// UnsafeClaimsWithoutVerification deserializes the claims of a
// JSONWebToken into the dests. For signed JWTs, the claims are not
// verified. This function won't work for encrypted JWTs.
func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
if t.unverifiedPayload == nil {
return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
}
claims := t.unverifiedPayload()
for _, d := range dest {
if err := json.Unmarshal(claims, d); err != nil {
return err
}
}
return nil
}
func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
b, err := t.enc.Decrypt(decryptionKey)
if err != nil {
return nil, err
}
sig, err := ParseSigned(string(b))
if err != nil {
return nil, err
}
return sig, nil
}
// ParseSigned parses token from JWS form.
func ParseSigned(s string) (*JSONWebToken, error) {
sig, err := jose.ParseSigned(s)
if err != nil {
return nil, err
}
headers := make([]jose.Header, len(sig.Signatures))
for i, signature := range sig.Signatures {
headers[i] = signature.Header
}
return &JSONWebToken{
payload: sig.Verify,
unverifiedPayload: sig.UnsafePayloadWithoutVerification,
Headers: headers,
}, nil
}
// ParseEncrypted parses token from JWE form.
func ParseEncrypted(s string) (*JSONWebToken, error) {
enc, err := jose.ParseEncrypted(s)
if err != nil {
return nil, err
}
return &JSONWebToken{
payload: enc.Decrypt,
Headers: []jose.Header{enc.Header},
}, nil
}
// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
enc, err := jose.ParseEncrypted(s)
if err != nil {
return nil, err
}
contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
if strings.ToUpper(contentType) != "JWT" {
return nil, ErrInvalidContentType
}
return &NestedJSONWebToken{
enc: enc,
Headers: []jose.Header{enc.Header},
}, nil
}


@ -45,12 +45,6 @@ token".
[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf [1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
# v3.0.3
## Fixed
- Limit decompression output size to prevent a DoS. Backport from v4.0.1.
# v3.0.2 # v3.0.2
## Fixed ## Fixed


@ -1,17 +1,9 @@
# Go JOSE # Go JOSE
### Versions [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
[Version 4](https://github.com/go-jose/go-jose) [![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
([branch](https://github.com/go-jose/go-jose/), [![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
import "github.com/go-jose/go-jose/v4"
The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
are deprecated.
### Summary
Package jose aims to provide an implementation of the Javascript Object Signing Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. This includes support for JSON Web Encryption, and Encryption set of standards. This includes support for JSON Web Encryption,
@ -43,6 +35,20 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren
This is to avoid differences in interpretation of messages between go-jose and This is to avoid differences in interpretation of messages between go-jose and
libraries in other languages. libraries in other languages.
### Versions
[Version 4](https://github.com/go-jose/go-jose)
([branch](https://github.com/go-jose/go-jose/tree/main),
[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
import "github.com/go-jose/go-jose/v4"
The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
are still useable but not actively developed anymore.
Version 3, in this repo, is still receiving security fixes but not functionality
updates.
### Supported algorithms ### Supported algorithms
See below for a table of supported algorithms. Algorithm identifiers match See below for a table of supported algorithms. Algorithm identifiers match
@ -98,11 +104,11 @@ allows attaching a key id.
## Examples ## Examples
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3) [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt) [![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
Examples can be found in the Godoc Examples can be found in the Godoc
reference for this package. The reference for this package. The
[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util) [`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
subdirectory also contains a small command-line utility which might be useful subdirectory also contains a small command-line utility which might be useful
as an example as well. as an example as well.


@ -29,8 +29,8 @@ import (
"fmt" "fmt"
"math/big" "math/big"
josecipher "github.com/go-jose/go-jose/v3/cipher" josecipher "github.com/go-jose/go-jose/v4/cipher"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// A generic RSA-based encrypter/verifier // A generic RSA-based encrypter/verifier


@ -22,7 +22,7 @@ import (
"errors" "errors"
"fmt" "fmt"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// Encrypter represents an encrypter which produces an encrypted JWE object. // Encrypter represents an encrypter which produces an encrypted JWE object.


@ -27,7 +27,7 @@ import (
"strings" "strings"
"unicode" "unicode"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// Helper function to serialize known-good objects. // Helper function to serialize known-good objects.
@ -106,10 +106,7 @@ func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer) output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input)) reader := flate.NewReader(bytes.NewBuffer(input))
maxCompressedSize := 10 * int64(len(input)) maxCompressedSize := max(250_000, 10*int64(len(input)))
if maxCompressedSize < 250000 {
maxCompressedSize = 250000
}
limit := maxCompressedSize + 1 limit := maxCompressedSize + 1
n, err := io.CopyN(output, reader, limit) n, err := io.CopyN(output, reader, limit)
@ -167,7 +164,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error {
return nil return nil
} }
decoded, err := base64URLDecode(encoded) decoded, err := base64.RawURLEncoding.DecodeString(encoded)
if err != nil { if err != nil {
return err return err
} }
@ -197,12 +194,6 @@ func (b byteBuffer) toInt() int {
return int(b.bigInt().Int64()) return int(b.bigInt().Int64())
} }
// base64URLDecode is implemented as defined in https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
func base64URLDecode(value string) ([]byte, error) {
value = strings.TrimRight(value, "=")
return base64.RawURLEncoding.DecodeString(value)
}
func base64EncodeLen(sl []byte) int { func base64EncodeLen(sl []byte) int {
return base64.RawURLEncoding.EncodedLen(len(sl)) return base64.RawURLEncoding.EncodedLen(len(sl))
} }


@ -18,10 +18,11 @@ package jose
import ( import (
"encoding/base64" "encoding/base64"
"errors"
"fmt" "fmt"
"strings" "strings"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing. // rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@ -104,29 +105,75 @@ func (obj JSONWebEncryption) computeAuthData() []byte {
return output return output
} }
// ParseEncrypted parses an encrypted message in compact or JWE JSON Serialization format. func containsKeyAlgorithm(haystack []KeyAlgorithm, needle KeyAlgorithm) bool {
func ParseEncrypted(input string) (*JSONWebEncryption, error) { for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return false
}
func containsContentEncryption(haystack []ContentEncryption, needle ContentEncryption) bool {
for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return false
}
// ParseEncrypted parses an encrypted message in JWE Compact or JWE JSON Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
//
// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
// parsed data must contain a value that is present in the corresponding parameter. That
// includes the protected and unprotected headers as well as all recipients. To accept
// multiple algorithms, pass a slice of all the algorithms you want to accept.
func ParseEncrypted(input string,
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
input = stripWhitespace(input) input = stripWhitespace(input)
if strings.HasPrefix(input, "{") { if strings.HasPrefix(input, "{") {
return parseEncryptedFull(input) return ParseEncryptedJSON(input, keyEncryptionAlgorithms, contentEncryption)
} }
return parseEncryptedCompact(input) return ParseEncryptedCompact(input, keyEncryptionAlgorithms, contentEncryption)
} }
// parseEncryptedFull parses a message in compact format. // ParseEncryptedJSON parses a message in JWE JSON Serialization.
func parseEncryptedFull(input string) (*JSONWebEncryption, error) { //
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
func ParseEncryptedJSON(
input string,
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
var parsed rawJSONWebEncryption var parsed rawJSONWebEncryption
err := json.Unmarshal([]byte(input), &parsed) err := json.Unmarshal([]byte(input), &parsed)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return parsed.sanitized() return parsed.sanitized(keyEncryptionAlgorithms, contentEncryption)
} }
// sanitized produces a cleaned-up JWE object from the raw JSON. // sanitized produces a cleaned-up JWE object from the raw JSON.
func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) { func (parsed *rawJSONWebEncryption) sanitized(
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
if len(keyEncryptionAlgorithms) == 0 {
return nil, errors.New("go-jose/go-jose: no key algorithms provided")
}
if len(contentEncryption) == 0 {
return nil, errors.New("go-jose/go-jose: no content encryption algorithms provided")
}
obj := &JSONWebEncryption{ obj := &JSONWebEncryption{
original: parsed, original: parsed,
unprotected: parsed.Unprotected, unprotected: parsed.Unprotected,
@ -170,7 +217,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
} else { } else {
obj.recipients = make([]recipientInfo, len(parsed.Recipients)) obj.recipients = make([]recipientInfo, len(parsed.Recipients))
for r := range parsed.Recipients { for r := range parsed.Recipients {
encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey) encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -185,10 +232,31 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
} }
} }
for _, recipient := range obj.recipients { for i, recipient := range obj.recipients {
headers := obj.mergedHeaders(&recipient) headers := obj.mergedHeaders(&recipient)
if headers.getAlgorithm() == "" || headers.getEncryption() == "" { if headers.getAlgorithm() == "" {
return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers") return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "alg"`, i)
}
if headers.getEncryption() == "" {
return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "enc"`, i)
}
err := validateAlgEnc(headers, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: recipient %d: %s", i, err)
}
}
if obj.protected != nil {
err := validateAlgEnc(*obj.protected, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: protected header: %s", err)
}
}
if obj.unprotected != nil {
err := validateAlgEnc(*obj.unprotected, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: unprotected header: %s", err)
} }
} }
@ -200,34 +268,52 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
return obj, nil return obj, nil
} }
// parseEncryptedCompact parses a message in compact format. func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncryption []ContentEncryption) error {
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) { alg := headers.getAlgorithm()
enc := headers.getEncryption()
if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
}
if alg != "" && !containsContentEncryption(contentEncryption, enc) {
return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
}
return nil
}
// ParseEncryptedCompact parses a message in JWE Compact Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
func ParseEncryptedCompact(
input string,
keyAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
parts := strings.Split(input, ".") parts := strings.Split(input, ".")
if len(parts) != 5 { if len(parts) != 5 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts") return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
} }
rawProtected, err := base64URLDecode(parts[0]) rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil { if err != nil {
return nil, err return nil, err
} }
encryptedKey, err := base64URLDecode(parts[1]) encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil { if err != nil {
return nil, err return nil, err
} }
iv, err := base64URLDecode(parts[2]) iv, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil { if err != nil {
return nil, err return nil, err
} }
ciphertext, err := base64URLDecode(parts[3]) ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
if err != nil { if err != nil {
return nil, err return nil, err
} }
tag, err := base64URLDecode(parts[4]) tag, err := base64.RawURLEncoding.DecodeString(parts[4])
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -240,7 +326,7 @@ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
Tag: newBuffer(tag), Tag: newBuffer(tag),
} }
return raw.sanitized() return raw.sanitized(keyAlgorithms, contentEncryption)
} }
// CompactSerialize serializes an object using the compact serialization format. // CompactSerialize serializes an object using the compact serialization format.


@ -35,7 +35,7 @@ import (
"reflect" "reflect"
"strings" "strings"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing. // rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@ -266,7 +266,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
// x5t parameters are base64url-encoded SHA thumbprints // x5t parameters are base64url-encoded SHA thumbprints
// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8 // See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1) x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
if err != nil { if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding") return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
} }
@ -286,7 +286,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
k.CertificateThumbprintSHA1 = x5tSHA1bytes k.CertificateThumbprintSHA1 = x5tSHA1bytes
x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256) x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
if err != nil { if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding") return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
} }


@ -23,7 +23,7 @@ import (
"fmt" "fmt"
"strings" "strings"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
) )
// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing. // rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@ -75,22 +75,41 @@ type Signature struct {
original *rawSignatureInfo original *rawSignatureInfo
} }
// ParseSigned parses a signed message in compact or JWS JSON Serialization format. // ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
func ParseSigned(signature string) (*JSONWebSignature, error) { //
// https://datatracker.ietf.org/doc/html/rfc7515#section-7
func ParseSigned(
signature string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
signature = stripWhitespace(signature) signature = stripWhitespace(signature)
if strings.HasPrefix(signature, "{") { if strings.HasPrefix(signature, "{") {
return parseSignedFull(signature) return ParseSignedJSON(signature, signatureAlgorithms)
} }
return parseSignedCompact(signature, nil) return parseSignedCompact(signature, nil, signatureAlgorithms)
}
// ParseSignedCompact parses a message in JWS Compact Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
func ParseSignedCompact(
signature string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
return parseSignedCompact(signature, nil, signatureAlgorithms)
} }
// ParseDetached parses a signed message in compact serialization format with detached payload. // ParseDetached parses a signed message in compact serialization format with detached payload.
func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) { func ParseDetached(
signature string,
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
if payload == nil { if payload == nil {
return nil, errors.New("go-jose/go-jose: nil payload") return nil, errors.New("go-jose/go-jose: nil payload")
} }
return parseSignedCompact(stripWhitespace(signature), payload) return parseSignedCompact(stripWhitespace(signature), payload, signatureAlgorithms)
} }
// Get a header value // Get a header value
@ -137,19 +156,36 @@ func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature
return authData.Bytes(), nil return authData.Bytes(), nil
} }
// parseSignedFull parses a message in full format. // ParseSignedJSON parses a message in JWS JSON Serialization.
func parseSignedFull(input string) (*JSONWebSignature, error) { //
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.2
func ParseSignedJSON(
input string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
var parsed rawJSONWebSignature var parsed rawJSONWebSignature
err := json.Unmarshal([]byte(input), &parsed) err := json.Unmarshal([]byte(input), &parsed)
if err != nil { if err != nil {
return nil, err return nil, err
} }
return parsed.sanitized() return parsed.sanitized(signatureAlgorithms)
}
func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureAlgorithm) bool {
for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return false
} }
// sanitized produces a cleaned-up JWS object from the raw JSON. // sanitized produces a cleaned-up JWS object from the raw JSON.
func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) { func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
if len(signatureAlgorithms) == 0 {
return nil, errors.New("go-jose/go-jose: no signature algorithms specified")
}
if parsed.Payload == nil { if parsed.Payload == nil {
return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message") return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
} }
@ -198,6 +234,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err return nil, err
} }
alg := SignatureAlgorithm(signature.Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
alg, signatureAlgorithms)
}
if signature.header != nil { if signature.header != nil {
signature.Unprotected, err = signature.header.sanitized() signature.Unprotected, err = signature.header.sanitized()
if err != nil { if err != nil {
@ -241,6 +283,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err return nil, err
} }
alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
alg, signatureAlgorithms)
}
if obj.Signatures[i].header != nil { if obj.Signatures[i].header != nil {
obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized() obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
if err != nil { if err != nil {
@ -274,7 +322,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
} }
// parseSignedCompact parses a message in compact format. // parseSignedCompact parses a message in compact format.
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) { func parseSignedCompact(
input string,
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
parts := strings.Split(input, ".") parts := strings.Split(input, ".")
if len(parts) != 3 { if len(parts) != 3 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts") return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
@ -284,19 +336,19 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached") return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
} }
rawProtected, err := base64URLDecode(parts[0]) rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil { if err != nil {
return nil, err return nil, err
} }
if payload == nil { if payload == nil {
payload, err = base64URLDecode(parts[1]) payload, err = base64.RawURLEncoding.DecodeString(parts[1])
if err != nil { if err != nil {
return nil, err return nil, err
} }
} }
signature, err := base64URLDecode(parts[2]) signature, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -306,7 +358,7 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
Protected: newBuffer(rawProtected), Protected: newBuffer(rawProtected),
Signature: newBuffer(signature), Signature: newBuffer(signature),
} }
return raw.sanitized() return raw.sanitized(signatureAlgorithms)
} }
func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) { func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {


@ -21,13 +21,13 @@ import (
"bytes" "bytes"
"reflect" "reflect"
"github.com/go-jose/go-jose/v3/json" "github.com/go-jose/go-jose/v4/json"
"github.com/go-jose/go-jose/v3" "github.com/go-jose/go-jose/v4"
) )
// Builder is a utility for making JSON Web Tokens. Calls can be chained, and // Builder is a utility for making JSON Web Tokens. Calls can be chained, and
// errors are accumulated until the final call to CompactSerialize/FullSerialize. // errors are accumulated until the final call to Serialize.
type Builder interface { type Builder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set // into single JSON object. If you are passing private claims, make sure to set
@ -36,15 +36,13 @@ type Builder interface {
Claims(i interface{}) Builder Claims(i interface{}) Builder
// Token builds a JSONWebToken from provided data. // Token builds a JSONWebToken from provided data.
Token() (*JSONWebToken, error) Token() (*JSONWebToken, error)
// FullSerialize serializes a token using the JWS/JWE JSON Serialization format. // Serialize serializes a token.
FullSerialize() (string, error) Serialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
} }
// NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens. // NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens.
// Calls can be chained, and errors are accumulated until final call to // Calls can be chained, and errors are accumulated until final call to
// CompactSerialize/FullSerialize. // Serialize.
type NestedBuilder interface { type NestedBuilder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims // Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set // into single JSON object. If you are passing private claims, make sure to set
@ -53,10 +51,8 @@ type NestedBuilder interface {
Claims(i interface{}) NestedBuilder Claims(i interface{}) NestedBuilder
// Token builds a NestedJSONWebToken from provided data. // Token builds a NestedJSONWebToken from provided data.
Token() (*NestedJSONWebToken, error) Token() (*NestedJSONWebToken, error)
// FullSerialize serializes a token using the JSON Serialization format. // Serialize serializes a token.
FullSerialize() (string, error) Serialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
} }
type builder struct { type builder struct {
@ -194,7 +190,7 @@ func (b *signedBuilder) Token() (*JSONWebToken, error) {
return b.builder.token(sig.Verify, h) return b.builder.token(sig.Verify, h)
} }
func (b *signedBuilder) CompactSerialize() (string, error) { func (b *signedBuilder) Serialize() (string, error) {
sig, err := b.sign() sig, err := b.sign()
if err != nil { if err != nil {
return "", err return "", err
@ -203,15 +199,6 @@ func (b *signedBuilder) CompactSerialize() (string, error) {
return sig.CompactSerialize() return sig.CompactSerialize()
} }
func (b *signedBuilder) FullSerialize() (string, error) {
sig, err := b.sign()
if err != nil {
return "", err
}
return sig.FullSerialize(), nil
}
func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) { func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) {
if b.err != nil { if b.err != nil {
return nil, b.err return nil, b.err
@ -232,7 +219,7 @@ func (b *encryptedBuilder) Claims(i interface{}) Builder {
} }
} }
func (b *encryptedBuilder) CompactSerialize() (string, error) { func (b *encryptedBuilder) Serialize() (string, error) {
enc, err := b.encrypt() enc, err := b.encrypt()
if err != nil { if err != nil {
return "", err return "", err
@ -241,15 +228,6 @@ func (b *encryptedBuilder) CompactSerialize() (string, error) {
return enc.CompactSerialize() return enc.CompactSerialize()
} }
func (b *encryptedBuilder) FullSerialize() (string, error) {
enc, err := b.encrypt()
if err != nil {
return "", err
}
return enc.FullSerialize(), nil
}
func (b *encryptedBuilder) Token() (*JSONWebToken, error) { func (b *encryptedBuilder) Token() (*JSONWebToken, error) {
enc, err := b.encrypt() enc, err := b.encrypt()
if err != nil { if err != nil {
@ -280,6 +258,8 @@ func (b *nestedBuilder) Claims(i interface{}) NestedBuilder {
} }
} }
// Token produced a token suitable for serialization. It cannot be decrypted
// without serializing and then deserializing.
func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) { func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
enc, err := b.signAndEncrypt() enc, err := b.signAndEncrypt()
if err != nil { if err != nil {
@ -287,12 +267,13 @@ func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
} }
return &NestedJSONWebToken{ return &NestedJSONWebToken{
allowedSignatureAlgorithms: nil,
enc: enc, enc: enc,
Headers: []jose.Header{enc.Header}, Headers: []jose.Header{enc.Header},
}, nil }, nil
} }
func (b *nestedBuilder) CompactSerialize() (string, error) { func (b *nestedBuilder) Serialize() (string, error) {
enc, err := b.signAndEncrypt() enc, err := b.signAndEncrypt()
if err != nil { if err != nil {
return "", err return "", err
