rebase: bump the github-dependencies group across 1 directory with 9 updates

Bumps the github-dependencies group with 8 updates in the / directory:

| Package | From | To |
| --- | --- | --- |
| [github.com/IBM/keyprotect-go-client](https://github.com/IBM/keyprotect-go-client) | `0.12.2` | `0.14.1` |
| [github.com/aws/aws-sdk-go](https://github.com/aws/aws-sdk-go) | `1.53.14` | `1.54.6` |
| [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) | `1.28.1` | `1.29.1` |
| [github.com/hashicorp/vault/api](https://github.com/hashicorp/vault) | `1.12.0` | `1.14.0` |
| [github.com/kubernetes-csi/csi-lib-utils](https://github.com/kubernetes-csi/csi-lib-utils) | `0.17.0` | `0.18.1` |
| [github.com/onsi/ginkgo/v2](https://github.com/onsi/ginkgo) | `2.17.1` | `2.19.0` |
| [github.com/prometheus/client_golang](https://github.com/prometheus/client_golang) | `1.18.0` | `1.19.1` |
| [github.com/Azure/azure-sdk-for-go/sdk/azidentity](https://github.com/Azure/azure-sdk-for-go) | `1.6.0` | `1.7.0` |

Updates `github.com/IBM/keyprotect-go-client` from 0.12.2 to 0.14.1
- [Release notes](https://github.com/IBM/keyprotect-go-client/releases)
- [Changelog](https://github.com/IBM/keyprotect-go-client/blob/master/CHANGELOG.md)
- [Commits](https://github.com/IBM/keyprotect-go-client/compare/v0.12.2...v0.14.1)

Updates `github.com/aws/aws-sdk-go` from 1.53.14 to 1.54.6
- [Release notes](https://github.com/aws/aws-sdk-go/releases)
- [Commits](https://github.com/aws/aws-sdk-go/compare/v1.53.14...v1.54.6)

Updates `github.com/aws/aws-sdk-go-v2/service/sts` from 1.28.1 to 1.29.1
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/service/ecr/v1.28.1...service/s3/v1.29.1)

Updates `github.com/hashicorp/vault/api` from 1.12.0 to 1.14.0
- [Release notes](https://github.com/hashicorp/vault/releases)
- [Changelog](https://github.com/hashicorp/vault/blob/main/CHANGELOG.md)
- [Commits](https://github.com/hashicorp/vault/compare/v1.12.0...v1.14.0)

Updates `github.com/kubernetes-csi/csi-lib-utils` from 0.17.0 to 0.18.1
- [Release notes](https://github.com/kubernetes-csi/csi-lib-utils/releases)
- [Commits](https://github.com/kubernetes-csi/csi-lib-utils/compare/v0.17.0...v0.18.1)

Updates `github.com/onsi/ginkgo/v2` from 2.17.1 to 2.19.0
- [Release notes](https://github.com/onsi/ginkgo/releases)
- [Changelog](https://github.com/onsi/ginkgo/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/ginkgo/compare/v2.17.1...v2.19.0)

Updates `github.com/onsi/gomega` from 1.32.0 to 1.33.1
- [Release notes](https://github.com/onsi/gomega/releases)
- [Changelog](https://github.com/onsi/gomega/blob/master/CHANGELOG.md)
- [Commits](https://github.com/onsi/gomega/compare/v1.32.0...v1.33.1)

Updates `github.com/prometheus/client_golang` from 1.18.0 to 1.19.1
- [Release notes](https://github.com/prometheus/client_golang/releases)
- [Changelog](https://github.com/prometheus/client_golang/blob/main/CHANGELOG.md)
- [Commits](https://github.com/prometheus/client_golang/compare/v1.18.0...v1.19.1)

Updates `github.com/Azure/azure-sdk-for-go/sdk/azidentity` from 1.6.0 to 1.7.0
- [Release notes](https://github.com/Azure/azure-sdk-for-go/releases)
- [Changelog](https://github.com/Azure/azure-sdk-for-go/blob/main/documentation/release.md)
- [Commits](https://github.com/Azure/azure-sdk-for-go/compare/sdk/azcore/v1.6.0...sdk/azcore/v1.7.0)

---
updated-dependencies:
- dependency-name: github.com/IBM/keyprotect-go-client
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/aws/aws-sdk-go
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/hashicorp/vault/api
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/kubernetes-csi/csi-lib-utils
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/onsi/ginkgo/v2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/onsi/gomega
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/prometheus/client_golang
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
- dependency-name: github.com/Azure/azure-sdk-for-go/sdk/azidentity
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: github-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
This commit is contained in:
dependabot[bot] 2024-06-24 20:58:34 +00:00 committed by mergify[bot]
parent 29dde7abc2
commit 171ba6a65d
193 changed files with 6071 additions and 2336 deletions

39
go.mod
View File

@ -3,9 +3,9 @@ module github.com/ceph/ceph-csi
go 1.22.0
require (
github.com/IBM/keyprotect-go-client v0.12.2
github.com/aws/aws-sdk-go v1.53.14
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1
github.com/IBM/keyprotect-go-client v0.14.1
github.com/aws/aws-sdk-go v1.54.6
github.com/aws/aws-sdk-go-v2/service/sts v1.29.1
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
github.com/ceph/go-ceph v0.28.0
github.com/container-storage-interface/spec v1.9.0
@ -16,14 +16,14 @@ require (
github.com/google/uuid v1.6.0
github.com/grpc-ecosystem/go-grpc-middleware v1.4.0
github.com/grpc-ecosystem/go-grpc-prometheus v1.2.0 // indirect
github.com/hashicorp/vault/api v1.12.0
github.com/kubernetes-csi/csi-lib-utils v0.17.0
github.com/hashicorp/vault/api v1.14.0
github.com/kubernetes-csi/csi-lib-utils v0.18.1
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0
github.com/libopenstorage/secrets v0.0.0-20231011182615-5f4b25ceede1
github.com/onsi/ginkgo/v2 v2.17.1
github.com/onsi/gomega v1.32.0
github.com/onsi/ginkgo/v2 v2.19.0
github.com/onsi/gomega v1.33.1
github.com/pkg/xattr v0.4.9
github.com/prometheus/client_golang v1.18.0
github.com/prometheus/client_golang v1.19.1
github.com/stretchr/testify v1.9.0
golang.org/x/crypto v0.24.0
golang.org/x/net v0.26.0
@ -46,7 +46,7 @@ require (
)
require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0
)
@ -60,12 +60,12 @@ require (
github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/antlr/antlr4/runtime/Go/antlr/v4 v4.0.0-20230305170008-8188dc5388df // indirect
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a // indirect
github.com/aws/aws-sdk-go-v2 v1.25.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 // indirect
github.com/aws/smithy-go v1.20.1 // indirect
github.com/aws/aws-sdk-go-v2 v1.30.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 // indirect
github.com/aws/smithy-go v1.20.2 // indirect
github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect
github.com/cenkalti/backoff/v3 v3.2.2 // indirect
@ -82,13 +82,13 @@ require (
github.com/fsnotify/fsnotify v1.7.0 // indirect
github.com/gemalto/flume v0.13.0 // indirect
github.com/ghodss/yaml v1.0.1-0.20190212211648-25d852aebe32 // indirect
github.com/go-jose/go-jose/v3 v3.0.3 // indirect
github.com/go-jose/go-jose/v4 v4.0.1 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-logr/stdr v1.2.2 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 // indirect
github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.2.1 // indirect
github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da // indirect
@ -96,7 +96,7 @@ require (
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/go-cmp v0.6.0 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 // indirect
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 // indirect
github.com/gorilla/websocket v1.5.0 // indirect
github.com/grpc-ecosystem/grpc-gateway/v2 v2.16.0 // indirect
github.com/hashicorp/errwrap v1.1.0 // indirect
@ -119,7 +119,6 @@ require (
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 // indirect
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d // indirect
github.com/mitchellh/go-homedir v1.1.0 // indirect
github.com/mitchellh/mapstructure v1.5.0 // indirect
@ -136,7 +135,7 @@ require (
github.com/pkg/errors v0.9.1 // indirect
github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
github.com/prometheus/client_model v0.5.0 // indirect
github.com/prometheus/common v0.45.0 // indirect
github.com/prometheus/common v0.48.0 // indirect
github.com/prometheus/procfs v0.12.0 // indirect
github.com/ryanuber/go-glob v1.0.0 // indirect
github.com/sirupsen/logrus v1.9.0 // indirect

76
go.sum
View File

@ -761,8 +761,8 @@ git.sr.ht/~sbinet/gg v0.3.1/go.mod h1:KGYtlADtqsqANL9ueOFkWymvzUvLMQllU5Ixo+8v3p
github.com/Azure/azure-sdk-for-go v62.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9moKnB4QOLf1HestfXbmab5FXxiDBjc=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1 h1:E+OJmp2tPvt1W+amx48v1eqbjDYsgN+RzP4q16yV5eM=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.11.1/go.mod h1:a6xsAQUZg+VsS3TJ05SRp524Hs4pZ/AeFSr5ENf0Yjo=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0 h1:U2rTu3Ef+7w9FHKIAXM6ZyqF3UOWJZ12zIm8zECAFfg=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.6.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0 h1:tfLQ34V6F7tVSwoTf/4lH5sE0o6eCJuNDTmH09nDpbc=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.7.0/go.mod h1:9kIvujWAA58nmPmWB1m23fyWic1kYZMxD9CxaWn4Qpg=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0 h1:jBQA3cKT4L2rWMpgE7Yt3Hwh2aUj8KXjIGLxjHeYNNo=
github.com/Azure/azure-sdk-for-go/sdk/internal v1.8.0/go.mod h1:4OG6tQ9EOP/MT0NMjDlRzWoVFxfu9rN9B2X+tlSVktg=
github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets v1.1.0 h1:h4Zxgmi9oyZL2l8jeg1iRTqPloHktywWcu0nlJmo1tA=
@ -786,8 +786,8 @@ github.com/AzureAD/microsoft-authentication-library-for-go v1.2.2/go.mod h1:wP83
github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
github.com/BurntSushi/xgb v0.0.0-20160522181843-27f122750802/go.mod h1:IVnqGOEym/WlBOVXweHU+Q+/VP0lqqI8lqeDx9IjBqo=
github.com/IBM/keyprotect-go-client v0.5.1/go.mod h1:5TwDM/4FRJq1ZOlwQL1xFahLWQ3TveR88VmL1u3njyI=
github.com/IBM/keyprotect-go-client v0.12.2 h1:Cjxcqin9Pl0xz3MnxdiVd4v/eIa79xL3hQpSbwOr/DQ=
github.com/IBM/keyprotect-go-client v0.12.2/go.mod h1:yr8h2noNgU8vcbs+vhqoXp3Lmv73PI0zAc6VMgFvWwM=
github.com/IBM/keyprotect-go-client v0.14.1 h1:FSBJ3l6GKCuB3CoQPvVy94lOzYTKpjov8WdSDt5Ercs=
github.com/IBM/keyprotect-go-client v0.14.1/go.mod h1:cAt714Vnwnd03mmkBHHSJlDNRVthdRmJB6RePd4/B8Q=
github.com/JohnCGriffin/overflow v0.0.0-20211019200055-46fa312c352c/go.mod h1:X0CRv0ky0k6m906ixxpzmDRLvX58TFUKS2eePweuyxk=
github.com/Microsoft/go-winio v0.6.0 h1:slsWYD/zyx7lCXoZVlvQrj0hPTM1HI4+v1sIda2yDvg=
github.com/Microsoft/go-winio v0.6.0/go.mod h1:cTAf44im0RAYeL23bpB+fzCyDH2MJiz2BO69KH/soAE=
@ -834,22 +834,22 @@ github.com/armon/go-socks5 v0.0.0-20160902184237-e75332964ef5/go.mod h1:wHh0iHkY
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a h1:idn718Q4B6AGu/h5Sxe66HYVdqdGu2l9Iebqhi/AEoA=
github.com/asaskevich/govalidator v0.0.0-20190424111038-f61b66f89f4a/go.mod h1:lB+ZfQJz7igIIfQNfa7Ml4HSf2uFQQRzpGGRXenZAgY=
github.com/aws/aws-sdk-go v1.44.164/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go v1.53.14 h1:SzhkC2Pzag0iRW8WBb80RzKdGXDydJR9LAMs2GyKJ2M=
github.com/aws/aws-sdk-go v1.53.14/go.mod h1:LF8svs817+Nz+DmiMQKTO3ubZ/6IaTpq3TjupRn3Eqk=
github.com/aws/aws-sdk-go-v2 v1.25.2 h1:/uiG1avJRgLGiQM9X3qJM8+Qa6KRGK5rRPuXE0HUM+w=
github.com/aws/aws-sdk-go-v2 v1.25.2/go.mod h1:Evoc5AsmtveRt1komDwIsjHFyrP5tDuF1D1U+6z6pNo=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2 h1:bNo4LagzUKbjdxE0tIcR9pMzLR2U/Tgie1Hq1HQ3iH8=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.2/go.mod h1:wRQv0nN6v9wDXuWThpovGQjqF1HFdcgWjporw14lS8k=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2 h1:EtOU5jsPdIQNP+6Q2C5e3d65NKT1PeCiQk+9OdzO12Q=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.2/go.mod h1:tyF5sKccmDz0Bv4NrstEr+/9YkSPJHrcO7UsUKf7pWM=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1 h1:EyBZibRTVAs6ECHZOw5/wlylS9OcTzwyjeQMudmREjE=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.1/go.mod h1:JKpmtYhhPs7D97NL/ltqz7yCkERFW5dOlHyVl66ZYF8=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2 h1:5ffmXjPtwRExp1zc7gENLgCPyHFbhEPwVTkTiH9niSk=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.2/go.mod h1:Ru7vg1iQ7cR4i7SZ/JTLYN9kaXtbL69UdgG0OQWQxW0=
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1 h1:3I2cBEYgKhrWlwyZgfpSO2BpaMY1LHPqXYk/QGlu2ew=
github.com/aws/aws-sdk-go-v2/service/sts v1.28.1/go.mod h1:uQ7YYKZt3adCRrdCBREm1CD3efFLOUNH77MrUCvx5oA=
github.com/aws/smithy-go v1.20.1 h1:4SZlSlMr36UEqC7XOyRVb27XMeZubNcBNN+9IgEPIQw=
github.com/aws/smithy-go v1.20.1/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/aws/aws-sdk-go v1.54.6 h1:HEYUib3yTt8E6vxjMWM3yAq5b+qjj/6aKA62mkgux9g=
github.com/aws/aws-sdk-go v1.54.6/go.mod h1:eRwEWoyTWFMVYVQzKMNHWP5/RV4xIUGMQfXQHfHkpNU=
github.com/aws/aws-sdk-go-v2 v1.30.0 h1:6qAwtzlfcTtcL8NHtbDQAqgM5s6NDipQTkPxyH/6kAA=
github.com/aws/aws-sdk-go-v2 v1.30.0/go.mod h1:ffIFB97e2yNsv4aTSGkqtHnppsIJzw7G7BReUZ3jCXM=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12 h1:SJ04WXGTwnHlWIODtC5kJzKbeuHt+OUNOgKg7nfnUGw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.3.12/go.mod h1:FkpvXhA92gb3GE9LD6Og0pHHycTxW7xGpnEh5E7Opwo=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12 h1:hb5KgeYfObi5MHkSSZMEudnIvX30iB+E21evI4r6BnQ=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.6.12/go.mod h1:CroKe/eWJdyfy9Vx4rljP5wTUjNJfb+fPz1uMYUhEGM=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2 h1:Ji0DY1xUsUr3I8cHps0G+XM3WWU16lP6yG8qu1GAZAs=
github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.11.2/go.mod h1:5CsjAbs3NlGQyZNFACh+zztPDI7fU6eW9QsxjfnuBKg=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14 h1:zSDPny/pVnkqABXYRicYuPf9z2bTqfH13HT3v6UheIk=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.11.14/go.mod h1:3TTcI5JSzda1nw/pkVC9dhgLre0SNBFj2lYS4GctXKI=
github.com/aws/aws-sdk-go-v2/service/sts v1.29.1 h1:myX5CxqXE0QMZNja6FA1/FSE3Vu1rVmeUmpJMMzeZg0=
github.com/aws/aws-sdk-go-v2/service/sts v1.29.1/go.mod h1:N2mQiucsO0VwK9CYuS4/c2n6Smeh1v47Rz3dWCPFLdE=
github.com/aws/smithy-go v1.20.2 h1:tbp628ireGtzcHDDmLT/6ADHidqnwgF57XOXZe6tp4Q=
github.com/aws/smithy-go v1.20.2/go.mod h1:krry+ya/rV9RDcV/Q16kpu6ypI4K2czasz0NC3qS14E=
github.com/benbjohnson/clock v1.1.0/go.mod h1:J11/hYXuz8f4ySSvYwY0FKfm+ezbsZBKZxNJlLklBHA=
github.com/beorn7/perks v0.0.0-20180321164747-3a771d992973/go.mod h1:Dwedo/Wpr24TaqPxmxbtue+5NUziq4I4S80YR8gNf3Q=
github.com/beorn7/perks v1.0.0/go.mod h1:KWe93zE9D1o94FZ5RNwFwVgaQK1VOXiVxmqh+CedLV8=
@ -1000,8 +1000,8 @@ github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
github.com/go-jose/go-jose/v3 v3.0.0/go.mod h1:RNkWWRld676jZEYoV3+XK8L2ZnNSvIsxFMht0mSX+u8=
github.com/go-jose/go-jose/v3 v3.0.3 h1:fFKWeig/irsp7XD2zBxvnmA/XaRWp5V3CBsZXJF7G7k=
github.com/go-jose/go-jose/v3 v3.0.3/go.mod h1:5b+7YgP7ZICgJDBdfjZaIt+H/9L9T/YQrVfLAMboGkQ=
github.com/go-jose/go-jose/v4 v4.0.1 h1:QVEPDE3OluqXBQZDcnNvQrInro2h0e4eqNbnZSWqS6U=
github.com/go-jose/go-jose/v4 v4.0.1/go.mod h1:WVf9LFMHh/QVrmqrOfqun0C45tMe3RoiKJMPvgWwLfY=
github.com/go-kit/kit v0.8.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/kit v0.9.0/go.mod h1:xBxKIO96dXMWWy0MnWVtmwkA9/13aqxPnvrjFYMA2as=
github.com/go-kit/log v0.1.0/go.mod h1:zbhenjAZHb184qTLMA9ZjW7ThYL0H2mk7Q6pNt4vbaY=
@ -1043,8 +1043,9 @@ github.com/go-pdf/fpdf v0.5.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhO
github.com/go-pdf/fpdf v0.6.0/go.mod h1:HzcnA+A23uwogo0tp9yU+l3V+KXhiESpt1PMayhOh5M=
github.com/go-stack/stack v1.8.0/go.mod h1:v0f6uXyyMGvRgIKkXu+yp6POWl0qKG85gN/melR3HDY=
github.com/go-task/slim-sprig v0.0.0-20210107165309-348f09dbbbc0/go.mod h1:fyg7847qk6SyHyPtNmDHnmrv/HOrqktSC+C9fM+CJOE=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572 h1:tfuBGBXKqDEevZMzYi5KSi8KkcZtzBcTgAUUtapy0OI=
github.com/go-task/slim-sprig v0.0.0-20230315185526-52ccab3ef572/go.mod h1:9Pwr4B2jHnOSGXyyzV8ROjYa2ojvAY6HCGYYfMoC3Ls=
github.com/go-task/slim-sprig/v3 v3.0.0 h1:sUs3vkvUymDpBKi3qH1YSqBQk9+9D/8M2mN1vB6EwHI=
github.com/go-task/slim-sprig/v3 v3.0.0/go.mod h1:W848ghGpv3Qj3dhTPRyJypKRiqCdHZiAzKg9hl15HA8=
github.com/go-test/deep v1.0.2/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
@ -1165,8 +1166,9 @@ github.com/google/pprof v0.0.0-20210226084205-cbba55b83ad5/go.mod h1:kpwsk12EmLe
github.com/google/pprof v0.0.0-20210407192527-94a9f03dee38/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210601050228-01bbb1931b22/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210609004039-a478d1d731e9/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1 h1:K6RDEckDVWvDI9JAJYCmNdQXq6neHJOYx3V6jnqNEec=
github.com/google/pprof v0.0.0-20210720184732-4bb14d4b1be1/go.mod h1:kpwsk12EmLew5upagYY7GY0pfYCcupk39gWOCRROcvE=
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6 h1:k7nVchz72niMH6YLQNvHSdIE7iqsQxK1P41mySCvssg=
github.com/google/pprof v0.0.0-20240424215950-a892ee059fd6/go.mod h1:kf6iHlnVGwgKolg33glAes7Yg/8iWP8ukqeldJSO7jw=
github.com/google/renameio v0.1.0/go.mod h1:KWCgfxg9yswjAJkECMjeO8J8rahYeXnNhOm40UhjYkI=
github.com/google/s2a-go v0.1.0/go.mod h1:OJpEgntRZo8ugHpF9hkoLJbS5dSI20XZeXJ9JVywLlM=
github.com/google/s2a-go v0.1.3/go.mod h1:Ej+mSEMGRnqRzjc7VtF+jdBwYG5fuJfiZ8ELkjEwM0A=
@ -1268,8 +1270,8 @@ github.com/hashicorp/mdns v1.0.0/go.mod h1:tL+uN++7HEJ6SQLQ2/p+z2pH24WQKWjBPkE0m
github.com/hashicorp/memberlist v0.1.3/go.mod h1:ajVTdAv/9Im8oMAAj5G31PhhMCZJV2pPBoIllUwCN7I=
github.com/hashicorp/serf v0.8.2/go.mod h1:6hOLApaqBFA1NXqRQAsxw9QxuDEvNxSQRwA/JwenrHc=
github.com/hashicorp/vault/api v1.10.0/go.mod h1:jo5Y/ET+hNyz+JnKDt8XLAdKs+AM0G5W0Vp1IrFI8N8=
github.com/hashicorp/vault/api v1.12.0 h1:meCpJSesvzQyao8FCOgk2fGdoADAnbDu2WPJN1lDLJ4=
github.com/hashicorp/vault/api v1.12.0/go.mod h1:si+lJCYO7oGkIoNPAN8j3azBLTn9SjMGS+jFaHd1Cck=
github.com/hashicorp/vault/api v1.14.0 h1:Ah3CFLixD5jmjusOgm8grfN9M0d+Y8fVR2SW0K6pJLU=
github.com/hashicorp/vault/api v1.14.0/go.mod h1:pV9YLxBGSz+cItFDd8Ii4G17waWOQ32zVjMWHe/cOqk=
github.com/hashicorp/vault/api/auth/approle v0.5.0 h1:a1TK6VGwYqSAfkmX4y4dJ4WBxMU5dStIZqScW4EPXR8=
github.com/hashicorp/vault/api/auth/approle v0.5.0/go.mod h1:CHOQIA1AZACfjTzHggmyfiOZ+xCSKNRFqe48FTCzH0k=
github.com/hashicorp/vault/api/auth/kubernetes v0.5.0 h1:CXO0fD7M3iCGovP/UApeHhPcH4paDFKcu7AjEXi94rI=
@ -1333,8 +1335,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
github.com/kubernetes-csi/csi-lib-utils v0.17.0 h1:xEpJ3WYgMyyYF6fvcKHh4cDRtknuTkBS9rG8bYoLTCU=
github.com/kubernetes-csi/csi-lib-utils v0.17.0/go.mod h1:2Ba5/aQgUjbpqyC2uCcFwMF3rnPVs5jhZXm8jAzcT9Q=
github.com/kubernetes-csi/csi-lib-utils v0.18.1 h1:vpg1kbQ6lFVCz7mY71zcqVE7W0GAQXXBoFfHvbW3gdw=
github.com/kubernetes-csi/csi-lib-utils v0.18.1/go.mod h1:PIcn27zmbY0KBue4JDdZVfDF56tjcS3jKroZPi+pMoY=
github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0/go.mod h1:YBCo4DoEeDndqvAn6eeu0vWM7QdXmHEeI9cFWplmBys=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0 h1:j3YK74myEQRxR/srciTpOrm221SAvz6J5OVWbyfeXFo=
github.com/kubernetes-csi/external-snapshotter/client/v7 v7.0.0/go.mod h1:FlyYFe32mPxKEPaRXKNxfX576d1AoCzstYDoOOnyMA4=
@ -1375,8 +1377,6 @@ github.com/mattn/go-sqlite3 v1.14.14/go.mod h1:NyWgC/yNuGj7Q9rpYnZvas74GogHl5/Z4
github.com/mattn/go-sqlite3 v1.14.15/go.mod h1:2eHXhiwb8IkHr+BDWZGa96P6+rkvnG63S2DGjv9HUNg=
github.com/matttproud/golang_protobuf_extensions v1.0.1/go.mod h1:D8He9yQNgCq6Z5Ld7szi9bcBfOoFv/3dc6xSMkL2PC0=
github.com/matttproud/golang_protobuf_extensions v1.0.4/go.mod h1:BSXmuO+STAnVfrANrmjBb36TMTDstsz7MSK+HVaYKv4=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0 h1:jWpvCLoY8Z/e3VKvlsiIGKtc+UG6U5vzxaoagmhXfyg=
github.com/matttproud/golang_protobuf_extensions/v2 v2.0.0/go.mod h1:QUyp042oQthUoa9bqDv0ER0wrtXnBruoNd7aNjkbP+k=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d h1:5PJl274Y63IEHC+7izoQE9x6ikvDFZS2mDVS3drnohI=
github.com/mgutz/ansi v0.0.0-20200706080929-d51e80ef957d/go.mod h1:01TrycV0kFyexm33Z7vhZRXopbI8J3TDReVlkTgMUxE=
github.com/miekg/dns v1.0.14/go.mod h1:W1PPwlIAgtquWBMBEV9nkV9Cazfe8ScdGz/Lj7v3Nrg=
@ -1442,8 +1442,8 @@ github.com/onsi/ginkgo/v2 v2.11.0/go.mod h1:ZhrRA5XmEE3x3rhlzamx/JJvujdZoJ2uvgI7
github.com/onsi/ginkgo/v2 v2.13.0/go.mod h1:TE309ZR8s5FsKKpuB1YAQYBzCaAfUgatB/xlT/ETL/o=
github.com/onsi/ginkgo/v2 v2.13.2/go.mod h1:XStQ8QcGwLyF4HdfcZB8SFOS/MWCgDuXMSBe6zrvLgM=
github.com/onsi/ginkgo/v2 v2.15.0/go.mod h1:HlxMHtYF57y6Dpf+mc5529KKmSq9h2FpCF+/ZkwUxKM=
github.com/onsi/ginkgo/v2 v2.17.1 h1:V++EzdbhI4ZV4ev0UTIj0PzhzOcReJFyJaLjtSF55M8=
github.com/onsi/ginkgo/v2 v2.17.1/go.mod h1:llBI3WDLL9Z6taip6f33H76YcWtJv+7R3HigUjbIBOs=
github.com/onsi/ginkgo/v2 v2.19.0 h1:9Cnnf7UHo57Hy3k6/m5k3dRfGTMXGvxhHFvkDTCTpvA=
github.com/onsi/ginkgo/v2 v2.19.0/go.mod h1:rlwLi9PilAFJ8jCg9UE1QP6VBpd6/xj3SRC0d6TU0To=
github.com/onsi/gomega v1.4.2/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
@ -1465,8 +1465,8 @@ github.com/onsi/gomega v1.27.10/go.mod h1:RsS8tutOdbdgzbPtzzATp12yT7kM5I5aElG3ev
github.com/onsi/gomega v1.29.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.30.0/go.mod h1:9sxs+SwGrKI0+PWe4Fxa9tFQQBG5xSsSbMXOI8PPpoQ=
github.com/onsi/gomega v1.31.0/go.mod h1:DW9aCi7U6Yi40wNVAvT6kzFnEVEI5n3DloYBiKiT6zk=
github.com/onsi/gomega v1.32.0 h1:JRYU78fJ1LPxlckP6Txi/EYqJvjtMrDC04/MM5XRHPk=
github.com/onsi/gomega v1.32.0/go.mod h1:a4x4gW6Pz2yK1MAmvluYme5lvYTn61afQ2ETw/8n4Lg=
github.com/onsi/gomega v1.33.1 h1:dsYjIxxSR755MDmKVsaFQTE22ChNBcuuTWgkUDSubOk=
github.com/onsi/gomega v1.33.1/go.mod h1:U4R44UsT+9eLIaYRB2a5qajjtQYn0hauxvRm16AVYg0=
github.com/opencontainers/go-digest v1.0.0 h1:apOUWs51W5PlhuyGyz9FCeeBIOUDA/6nW8Oi/yOhh5U=
github.com/opencontainers/go-digest v1.0.0/go.mod h1:0JzlMkj0TRzQZfJkVvzbP0HBR3IKzErnv2BNG4W4MAM=
github.com/opencontainers/selinux v1.11.0 h1:+5Zbo97w3Lbmb3PeqQtpmTkMwsW5nRI3YaLpt7tQ7oU=
@ -1522,8 +1522,8 @@ github.com/prometheus/client_golang v1.12.1/go.mod h1:3Z9XVyYiZYEO+YQWt3RD2R3jrb
github.com/prometheus/client_golang v1.14.0/go.mod h1:8vpkKitgIVNcqrRBWh1C4TIUQgYNtG/XQE4E/Zae36Y=
github.com/prometheus/client_golang v1.15.1/go.mod h1:e9yaBhRPU2pPNsZwE+JdQl0KEt1N9XgF6zxWmaC0xOk=
github.com/prometheus/client_golang v1.16.0/go.mod h1:Zsulrv/L9oM40tJ7T815tM89lFEugiJ9HzIqaAx4LKc=
github.com/prometheus/client_golang v1.18.0 h1:HzFfmkOzH5Q8L8G+kSJKUx5dtG87sewO+FoDDqP5Tbk=
github.com/prometheus/client_golang v1.18.0/go.mod h1:T+GXkCk5wSJyOqMIzVgvvjFDlkOQntgjkJWKrN5txjA=
github.com/prometheus/client_golang v1.19.1 h1:wZWJDwK+NameRJuPGDhlnFgx8e8HN3XHQeLaYJFJBOE=
github.com/prometheus/client_golang v1.19.1/go.mod h1:mP78NwGzrVks5S2H6ab8+ZZGJLZUq1hoULYBAYBw1Ho=
github.com/prometheus/client_model v0.0.0-20180712105110-5c3871d89910/go.mod h1:MbSGuTsp3dbXC40dX6PRTWyKYBIrTGTE9sqQNg2J8bo=
github.com/prometheus/client_model v0.0.0-20190129233127-fd36f4220a90/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
@ -1542,8 +1542,8 @@ github.com/prometheus/common v0.32.1/go.mod h1:vu+V0TpY+O6vW9J44gczi3Ap/oXXR10b+
github.com/prometheus/common v0.37.0/go.mod h1:phzohg0JFMnBEFGxTDbfu3QyL5GI8gTQJFhYO5B3mfA=
github.com/prometheus/common v0.42.0/go.mod h1:xBwqVerjNdUDjgODMpudtOMwlOwf2SaTr1yjz4b7Zbc=
github.com/prometheus/common v0.44.0/go.mod h1:ofAIvZbQ1e/nugmZGz4/qCb9Ap1VoSTIO7x0VV9VvuY=
github.com/prometheus/common v0.45.0 h1:2BGz0eBc2hdMDLnO/8n0jeB3oPrt2D08CekT0lneoxM=
github.com/prometheus/common v0.45.0/go.mod h1:YJmSTw9BoKxJplESWWxlbyttQR4uaEcGyv9MZjVOJsY=
github.com/prometheus/common v0.48.0 h1:QO8U2CdOzSn1BBsmXJXduaaW+dY/5QLjfB8svtSzKKE=
github.com/prometheus/common v0.48.0/go.mod h1:0/KsvlIEfPQCQ5I2iNSAWKPZziNCvRs5EC6ILDTlAPc=
github.com/prometheus/procfs v0.0.0-20180725123919-05ee40e3a273/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20181005140218-185b4288413d/go.mod h1:c3At6R/oaqEKCNdg8wHV1ftS6bRYblBhIjjI8uT2IGk=
github.com/prometheus/procfs v0.0.0-20190507164030-5867b95ac084/go.mod h1:TjEm7ze935MbeOT/UhFTIMYKhuLP4wbCsTZCD3I8kEA=

View File

@ -1,5 +1,29 @@
# Release History
## 1.7.0 (2024-06-20)
### Features Added
* `AzurePipelinesCredential` authenticates an Azure Pipelines service connection with
workload identity federation
### Breaking Changes
> These changes affect only code written against a beta version such as v1.7.0-beta.1
* Removed the persistent token caching API. It will return in v1.8.0-beta.1
## 1.7.0-beta.1 (2024-06-10)
### Features Added
* Restored `AzurePipelinesCredential` and persistent token caching API
## Breaking Changes
> These changes affect only code written against a beta version such as v1.6.0-beta.4
* Values which `NewAzurePipelinesCredential` read from environment variables in
prior versions are now parameters
* Renamed `AzurePipelinesServiceConnectionCredentialOptions` to `AzurePipelinesCredentialOptions`
### Bugs Fixed
* Managed identity bug fixes
## 1.6.0 (2024-06-10)
### Features Added

View File

@ -140,6 +140,7 @@ client := armresources.NewResourceGroupsClient("subscription ID", chain, nil)
|Credential|Usage
|-|-
|[AzurePipelinesCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#AzurePipelinesCredential)|Authenticate an Azure Pipelines [service connection](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml)
|[ClientAssertionCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientAssertionCredential)|Authenticate a service principal with a signed client assertion
|[ClientCertificateCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientCertificateCredential)|Authenticate a service principal with a certificate
|[ClientSecretCredential](https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/azidentity#ClientSecretCredential)|Authenticate a service principal with a secret

View File

@ -57,6 +57,7 @@ The following table indicates the state of in-memory and persistent caching in e
|--------------------------------|---------------------------------------------------------------------|--------------------------|
| `AzureCLICredential` | Not Supported | Not Supported |
| `AzureDeveloperCLICredential` | Not Supported | Not Supported |
| `AzurePipelinesCredential` | Supported | Supported |
| `ClientAssertionCredential` | Supported | Supported |
| `ClientCertificateCredential` | Supported | Supported |
| `ClientSecretCredential` | Supported | Supported |

View File

@ -10,6 +10,7 @@ This troubleshooting guide covers failure investigation techniques, common error
- [Enable and configure logging](#enable-and-configure-logging)
- [Troubleshoot AzureCLICredential authentication issues](#troubleshoot-azureclicredential-authentication-issues)
- [Troubleshoot AzureDeveloperCLICredential authentication issues](#troubleshoot-azuredeveloperclicredential-authentication-issues)
- [Troubleshoot AzurePipelinesCredential authentication issues](#troubleshoot-azurepipelinescredential-authentication-issues)
- [Troubleshoot ClientCertificateCredential authentication issues](#troubleshoot-clientcertificatecredential-authentication-issues)
- [Troubleshoot ClientSecretCredential authentication issues](#troubleshoot-clientsecretcredential-authentication-issues)
- [Troubleshoot DefaultAzureCredential authentication issues](#troubleshoot-defaultazurecredential-authentication-issues)
@ -226,6 +227,15 @@ azd auth token --output json --scope https://management.core.windows.net/.defaul
|---|---|---|
|no client ID/tenant ID/token file specified|Incomplete configuration|In most cases these values are provided via environment variables set by Azure Workload Identity.<ul><li>If your application runs on Azure Kubernetes Servide (AKS) or a cluster that has deployed the Azure Workload Identity admission webhook, check pod labels and service account configuration. See the [AKS documentation](https://learn.microsoft.com/azure/aks/workload-identity-deploy-cluster#disable-workload-identity) and [Azure Workload Identity troubleshooting guide](https://azure.github.io/azure-workload-identity/docs/troubleshooting.html) for more details.<li>If your application isn't running on AKS or your cluster hasn't deployed the Workload Identity admission webhook, set these values in `WorkloadIdentityCredentialOptions`
<a id="apc"></a>
## Troubleshoot AzurePipelinesCredential authentication issues
| Error Message |Description| Mitigation |
|---|---|---|
| AADSTS900023: Specified tenant identifier 'some tenant ID' is neither a valid DNS name, nor a valid external domain.|The `tenantID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the tenant ID. It must identify the tenant of the user-assigned managed identity or service principal configured for the service connection.|
| No service connection found with identifier |The `serviceConnectionID` argument to `NewAzurePipelinesCredential` is incorrect| Verify the service connection ID. This parameter refers to the `resourceId` of the Azure Service Connection. It can also be found in the query string of the service connection's configuration in Azure DevOps. [Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml) has more information about service connections.|
|302 (Found) response from OIDC endpoint|The `systemAccessToken` argument to `NewAzurePipelinesCredential` is incorrect|Check pipeline configuration. This value comes from the predefined variable `System.AccessToken` [as described in Azure Pipelines documentation](https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken).|
## Get additional help
Additional information on ways to reach out for support can be found in [SUPPORT.md](https://github.com/Azure/azure-sdk-for-go/blob/main/SUPPORT.md).

View File

@ -19,21 +19,20 @@ import (
const (
credNameAzurePipelines = "AzurePipelinesCredential"
oidcAPIVersion = "7.1"
systemAccessToken = "SYSTEM_ACCESSTOKEN"
systemOIDCRequestURI = "SYSTEM_OIDCREQUESTURI"
)
// azurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
// AzurePipelinesCredential authenticates with workload identity federation in an Azure Pipeline. See
// [Azure Pipelines documentation] for more information.
//
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/library/connect-to-azure?view=azure-devops#create-an-azure-resource-manager-service-connection-that-uses-workload-identity-federation
type azurePipelinesCredential struct {
type AzurePipelinesCredential struct {
connectionID, oidcURI, systemAccessToken string
cred *ClientAssertionCredential
}
// azurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
type azurePipelinesCredentialOptions struct {
// AzurePipelinesCredentialOptions contains optional parameters for AzurePipelinesCredential.
type AzurePipelinesCredentialOptions struct {
azcore.ClientOptions
// AdditionallyAllowedTenants specifies additional tenants for which the credential may acquire tokens.
@ -48,28 +47,39 @@ type azurePipelinesCredentialOptions struct {
DisableInstanceDiscovery bool
}
// newAzurePipelinesCredential is the constructor for AzurePipelinesCredential. In addition to its required arguments,
// it reads a security token for the running build, which is required to authenticate the service connection, from the
// environment variable SYSTEM_ACCESSTOKEN. See the [Azure Pipelines documentation] for an example showing how to set
// this variable in build job YAML.
// NewAzurePipelinesCredential is the constructor for AzurePipelinesCredential.
//
// - tenantID: tenant ID of the service principal federated with the service connection
// - clientID: client ID of that service principal
// - serviceConnectionID: ID of the service connection to authenticate
// - systemAccessToken: security token for the running build. See [Azure Pipelines documentation] for
// an example showing how to get this value.
//
// [Azure Pipelines documentation]: https://learn.microsoft.com/azure/devops/pipelines/build/variables?view=azure-devops&tabs=yaml#systemaccesstoken
func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string, options *azurePipelinesCredentialOptions) (*azurePipelinesCredential, error) {
if options == nil {
options = &azurePipelinesCredentialOptions{}
func NewAzurePipelinesCredential(tenantID, clientID, serviceConnectionID, systemAccessToken string, options *AzurePipelinesCredentialOptions) (*AzurePipelinesCredential, error) {
if !validTenantID(tenantID) {
return nil, errInvalidTenantID
}
if clientID == "" {
return nil, errors.New("no client ID specified")
}
if serviceConnectionID == "" {
return nil, errors.New("no service connection ID specified")
}
if systemAccessToken == "" {
return nil, errors.New("no system access token specified")
}
u := os.Getenv(systemOIDCRequestURI)
if u == "" {
return nil, fmt.Errorf("no value for environment variable %s. This should be set by Azure Pipelines", systemOIDCRequestURI)
}
sat := os.Getenv(systemAccessToken)
if sat == "" {
return nil, errors.New("no value for environment variable " + systemAccessToken)
}
a := azurePipelinesCredential{
a := AzurePipelinesCredential{
connectionID: serviceConnectionID,
oidcURI: u,
systemAccessToken: sat,
systemAccessToken: systemAccessToken,
}
if options == nil {
options = &AzurePipelinesCredentialOptions{}
}
caco := ClientAssertionCredentialOptions{
AdditionallyAllowedTenants: options.AdditionallyAllowedTenants,
@ -86,7 +96,7 @@ func newAzurePipelinesCredential(tenantID, clientID, serviceConnectionID string,
}
// GetToken requests an access token from Microsoft Entra ID. Azure SDK clients call this method automatically.
func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
func (a *AzurePipelinesCredential) GetToken(ctx context.Context, opts policy.TokenRequestOptions) (azcore.AccessToken, error) {
var err error
ctx, endSpan := runtime.StartSpan(ctx, credNameAzurePipelines+"."+traceOpGetToken, a.cred.client.azClient.Tracer(), nil)
defer func() { endSpan(err) }()
@ -94,7 +104,7 @@ func (a *azurePipelinesCredential) GetToken(ctx context.Context, opts policy.Tok
return tk, err
}
func (a *azurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
func (a *AzurePipelinesCredential) getAssertion(ctx context.Context) (string, error) {
url := a.oidcURI + "?api-version=" + oidcAPIVersion + "&serviceConnectionId=" + a.connectionID
url, err := runtime.EncodeQueryParams(url)
if err != nil {

View File

@ -83,6 +83,8 @@ func (e *AuthenticationFailedError) Error() string {
anchor = "azure-cli"
case credNameAzureDeveloperCLI:
anchor = "azd"
case credNameAzurePipelines:
anchor = "apc"
case credNameCert:
anchor = "client-cert"
case credNameSecret:

View File

@ -14,5 +14,5 @@ const (
module = "github.com/Azure/azure-sdk-for-go/sdk/" + component
// Version is the semantic version (see http://semver.org) of this module.
version = "v1.6.0"
version = "v1.7.0"
)

View File

@ -1,6 +1,6 @@
language: go
dist: bionic
dist: jammy
go:
- 1.17.x
@ -13,7 +13,6 @@ env:
before_install:
- sudo apt-get update
- pyenv global 3.8
before_script:
- GO111MODULE=off go get -u github.com/haya14busa/goverage
@ -27,6 +26,9 @@ script:
- $GOPATH/bin/goverage -v -race -coverprofile=cover.out $(go list ./... | grep -v '/vendor|/scripts')
- go tool cover -func=cover.out
- go tool cover -html=cover.out -o=cover.html
# these steps are to make sure that node will properly install for semantic release.
- nvm install node
- npm install -g npm
# To enable semantic-release, uncomment these sections.
before_deploy:

View File

@ -11,6 +11,10 @@ please open a [Github Issue](https://github.com/IBM/keyprotect-go-client/issues)
For your pull request to be merged, it must meet the criteria of a "correct patch", and also
be fully reviewed and approved by two Maintainer level contributors.
The PR should be named with the proper prefix to satisfy the semantic release.
- `fix(build):` for patch version bump (0.0.x)
- `feat(build):` for minor version bump (0.x.0)
- `perf(build):` for major version bump (x.0.0)
A correct patch is defined as the following:

View File

@ -61,14 +61,14 @@ type PolicyData struct {
// Attributes contains the details of an instance policy
type Attributes struct {
AllowedNetwork *string `json:"allowed_network,omitempty"`
AllowedIP IPAddresses `json:"allowed_ip,omitempty"`
CreateRootKey *bool `json:"create_root_key,omitempty"`
CreateStandardKey *bool `json:"create_standard_key,omitempty"`
ImportRootKey *bool `json:"import_root_key,omitempty"`
ImportStandardKey *bool `json:"import_standard_key,omitempty"`
EnforceToken *bool `json:"enforce_token,omitempty"`
IntervalMonth *int `json:"interval_month,omitempty"`
AllowedNetwork *string `json:"allowed_network,omitempty"`
AllowedIP *IPAddresses `json:"allowed_ip,omitempty"`
CreateRootKey *bool `json:"create_root_key,omitempty"`
CreateStandardKey *bool `json:"create_standard_key,omitempty"`
ImportRootKey *bool `json:"import_root_key,omitempty"`
ImportStandardKey *bool `json:"import_standard_key,omitempty"`
EnforceToken *bool `json:"enforce_token,omitempty"`
IntervalMonth *int `json:"interval_month,omitempty"`
}
// IPAddresses ...
@ -313,7 +313,8 @@ func (c *Client) SetAllowedIPInstancePolicy(ctx context.Context, enable bool, al
// The IP address validation is performed by the key protect service.
if enable && len(allowedIPs) != 0 {
policy.PolicyData.Attributes = &Attributes{}
policy.PolicyData.Attributes.AllowedIP = allowedIPs
ips := IPAddresses(allowedIPs)
policy.PolicyData.Attributes.AllowedIP = &ips
} else if enable && len(allowedIPs) == 0 {
return fmt.Errorf("Please provide at least 1 IP subnet specified with CIDR notation")
} else if !enable && len(allowedIPs) != 0 {
@ -445,17 +446,21 @@ type AllowedNetworkPolicyData struct {
// AllowedIPPolicyData defines the attribute input for the Allowed IP instance policy
type AllowedIPPolicyData struct {
Enabled bool
IPAddresses IPAddresses
IPAddresses *IPAddresses
}
// KeyAccessInstancePolicyData defines the attribute input for the Key Create Import Access instance policy
type KeyCreateImportAccessInstancePolicy struct {
Enabled bool
CreateRootKey bool
CreateStandardKey bool
ImportRootKey bool
ImportStandardKey bool
EnforceToken bool
Enabled bool
Attributes *KeyCreateImportAccessInstancePolicyAttributes
}
type KeyCreateImportAccessInstancePolicyAttributes struct {
CreateRootKey *bool
CreateStandardKey *bool
ImportRootKey *bool
ImportStandardKey *bool
EnforceToken *bool
}
type RotationPolicyData struct {
@ -492,6 +497,7 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
PolicyType: AllowedNetwork,
PolicyData: PolicyData{
Enabled: &(policies.AllowedNetwork.Enabled),
// due to legacy reasons, the allowed_network policy requires attribute to always be specified
Attributes: &Attributes{
AllowedNetwork: &(policies.AllowedNetwork.Network),
},
@ -527,16 +533,19 @@ func (c *Client) SetInstancePolicies(ctx context.Context, policies MultiplePolic
policy := InstancePolicy{
PolicyType: KeyCreateImportAccess,
PolicyData: PolicyData{
Enabled: &(policies.KeyCreateImportAccess.Enabled),
Attributes: &Attributes{},
Enabled: &(policies.KeyCreateImportAccess.Enabled),
},
}
policy.PolicyData.Attributes.CreateRootKey = &policies.KeyCreateImportAccess.CreateRootKey
policy.PolicyData.Attributes.CreateStandardKey = &policies.KeyCreateImportAccess.CreateStandardKey
policy.PolicyData.Attributes.ImportRootKey = &policies.KeyCreateImportAccess.ImportRootKey
policy.PolicyData.Attributes.ImportStandardKey = &policies.KeyCreateImportAccess.ImportStandardKey
policy.PolicyData.Attributes.EnforceToken = &policies.KeyCreateImportAccess.EnforceToken
if attr := policies.KeyCreateImportAccess.Attributes; attr != nil {
policy.PolicyData.Attributes = &Attributes{
CreateRootKey: attr.CreateRootKey,
CreateStandardKey: attr.CreateStandardKey,
ImportRootKey: attr.ImportRootKey,
ImportStandardKey: attr.ImportStandardKey,
EnforceToken: attr.EnforceToken,
}
}
resPolicies = append(resPolicies, policy)
}

View File

@ -9,7 +9,7 @@ import (
)
const (
path = "key_rings"
keyRingPath = "key_rings"
)
type KeyRing struct {
@ -28,7 +28,7 @@ type KeyRings struct {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#create-key-ring-api
func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
req, err := c.newRequest("POST", fmt.Sprintf(path+"/%s", id), nil)
req, err := c.newRequest("POST", fmt.Sprintf(keyRingPath+"/%s", id), nil)
if err != nil {
return err
}
@ -46,7 +46,7 @@ func (c *Client) CreateKeyRing(ctx context.Context, id string) error {
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#list-key-ring-api
func (c *Client) GetKeyRings(ctx context.Context) (*KeyRings, error) {
rings := KeyRings{}
req, err := c.newRequest("GET", path, nil)
req, err := c.newRequest("GET", keyRingPath, nil)
if err != nil {
return nil, err
}
@ -73,7 +73,7 @@ func WithForce(force bool) DeleteKeyRingQueryOption {
// For information please refer to the link below:
// https://cloud.ibm.com/docs/key-protect?topic=key-protect-managing-key-rings#delete-key-ring-api
func (c *Client) DeleteKeyRing(ctx context.Context, id string, opts ...DeleteKeyRingQueryOption) error {
req, err := c.newRequest("DELETE", fmt.Sprintf(path+"/%s", id), nil)
req, err := c.newRequest("DELETE", fmt.Sprintf(keyRingPath+"/%s", id), nil)
for _, opt := range opts {
opt(req)
}

View File

@ -0,0 +1,164 @@
package kp
import (
"context"
"fmt"
"time"
)
const (
kmipAdapterPath = "kmip_adapters"
kmipAdapterType = "application/vnd.ibm.kms.kmip_adapter+json"
)
type KMIPAdapter struct {
ID string `json:"id,omitempty"`
Profile string `json:"profile,omitempty"`
ProfileData map[string]string `json:"profile_data,omitempty"`
Name string `json:"name,omitempty"`
Description string `json:"description"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
UpdatedBy string `json:"updated_by,omitempty"`
UpdatedAt *time.Time `json:"updated_at,omitempty"`
}
type KMIPAdapters struct {
Metadata CollectionMetadata `json:"metadata"`
Adapters []KMIPAdapter `json:"resources"`
}
const (
KMIP_Profile_Native = "native_1.0"
)
// CreateKMIPAdapter method creates a KMIP Adapter with the specified profile.
func (c *Client) CreateKMIPAdapter(ctx context.Context, profileOpt CreateKMIPAdapterProfile, options ...CreateKMIPAdapterOption) (*KMIPAdapter, error) {
newAdapter := &KMIPAdapter{}
profileOpt(newAdapter)
for _, opt := range options {
opt(newAdapter)
}
req, err := c.newRequest("POST", kmipAdapterPath, wrapKMIPAdapter(*newAdapter))
if err != nil {
return nil, err
}
create_resp := &KMIPAdapters{}
_, err = c.do(ctx, req, create_resp)
if err != nil {
return nil, err
}
return unwrapKMIPAdapterResp(create_resp), nil
}
// Functions to be passed into the CreateKMIPAdapter() method to specify specific fields.
type CreateKMIPAdapterOption func(*KMIPAdapter)
type CreateKMIPAdapterProfile func(*KMIPAdapter)
func WithKMIPAdapterName(name string) CreateKMIPAdapterOption {
return func(adapter *KMIPAdapter) {
adapter.Name = name
}
}
func WithKMIPAdapterDescription(description string) CreateKMIPAdapterOption {
return func(adapter *KMIPAdapter) {
adapter.Description = description
}
}
func WithNativeProfile(crkID string) CreateKMIPAdapterProfile {
return func(adapter *KMIPAdapter) {
adapter.Profile = KMIP_Profile_Native
adapter.ProfileData = map[string]string{
"crk_id": crkID,
}
}
}
type ListKmipAdaptersOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
CrkID *string
}
// GetKMIPAdapters method lists KMIP Adapters associated with a specific KP instance.
func (c *Client) GetKMIPAdapters(ctx context.Context, listOpts *ListKmipAdaptersOptions) (*KMIPAdapters, error) {
adapters := KMIPAdapters{}
req, err := c.newRequest("GET", kmipAdapterPath, nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
if listOpts.CrkID != nil {
values.Set("crk_id", *listOpts.CrkID)
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &adapters)
if err != nil {
return nil, err
}
return &adapters, nil
}
// GetKMIPAdapter method retrieves a single KMIP Adapter by name or ID.
func (c *Client) GetKMIPAdapter(ctx context.Context, nameOrID string) (*KMIPAdapter, error) {
adapters := KMIPAdapters{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, &adapters)
if err != nil {
return nil, err
}
return unwrapKMIPAdapterResp(&adapters), nil
}
// DeletesKMIPAdapter method deletes a single KMIP Adapter by name or ID.
func (c *Client) DeleteKMIPAdapter(ctx context.Context, nameOrID string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s", kmipAdapterPath, nameOrID), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPAdapter(adapter KMIPAdapter) KMIPAdapters {
return KMIPAdapters{
Metadata: CollectionMetadata{
CollectionType: kmipAdapterType,
CollectionTotal: 1,
},
Adapters: []KMIPAdapter{adapter},
}
}
func unwrapKMIPAdapterResp(resp *KMIPAdapters) *KMIPAdapter {
return &resp.Adapters[0]
}

View File

@ -0,0 +1,136 @@
package kp
import (
"context"
"fmt"
"time"
)
const (
kmipClientCertSubPath = "certificates"
kmipClientCertType = "application/vnd.ibm.kms.kmip_client_certificate+json"
)
type KMIPClientCertificate struct {
ID string `json:"id,omitempty"`
Name string `json:"name,omitempty"`
Certificate string `json:"certificate,omitempty"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
}
type KMIPClientCertificates struct {
Metadata CollectionMetadata `json:"metadata"`
Certificates []KMIPClientCertificate `json:"resources"`
}
// CreateKMIPClientCertificate registers/creates a KMIP PEM format certificate
// for use with a specific KMIP adapter.
// cert_payload is the string representation of
// the certificate to be associated with the KMIP Adapter in PEM format.
// It should explicitly have the BEGIN CERTIFICATE and END CERTIFICATE tags.
// Regex: ^\s*-----BEGIN CERTIFICATE-----[A-Za-z0-9+\/\=\r\n]+-----END CERTIFICATE-----\s*$
func (c *Client) CreateKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_payload string, opts ...CreateKMIPClientCertOption) (*KMIPClientCertificate, error) {
newCert := &KMIPClientCertificate{
Certificate: cert_payload,
}
for _, opt := range opts {
opt(newCert)
}
req, err := c.newRequest("POST", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), wrapKMIPClientCert(*newCert))
if err != nil {
return nil, err
}
certResp := &KMIPClientCertificates{}
_, err = c.do(ctx, req, certResp)
if err != nil {
return nil, err
}
return unwrapKMIPClientCert(certResp), nil
}
type CreateKMIPClientCertOption func(*KMIPClientCertificate)
func WithKMIPClientCertName(name string) CreateKMIPClientCertOption {
return func(cert *KMIPClientCertificate) {
cert.Name = name
}
}
// GetKMIPClientCertificates lists all certificates associated with a KMIP adapter
func (c *Client) GetKMIPClientCertificates(ctx context.Context, adapter_nameOrID string, listOpts *ListOptions) (*KMIPClientCertificates, error) {
certs := KMIPClientCertificates{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath), nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &certs)
if err != nil {
return nil, err
}
return &certs, nil
}
// GetKMIPClientCertificate gets a single certificate associated with a KMIP adapter
func (c *Client) GetKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) (*KMIPClientCertificate, error) {
certs := &KMIPClientCertificates{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, certs)
if err != nil {
return nil, err
}
return unwrapKMIPClientCert(certs), nil
}
// DeleteKMIPClientCertificate deletes a single certificate
func (c *Client) DeleteKMIPClientCertificate(ctx context.Context, adapter_nameOrID, cert_nameOrID string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_nameOrID, kmipClientCertSubPath, cert_nameOrID), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPClientCert(cert KMIPClientCertificate) KMIPClientCertificates {
return KMIPClientCertificates{
Metadata: CollectionMetadata{
CollectionType: kmipClientCertType,
CollectionTotal: 1,
},
Certificates: []KMIPClientCertificate{cert},
}
}
func unwrapKMIPClientCert(certs *KMIPClientCertificates) *KMIPClientCertificate {
return &certs.Certificates[0]
}

View File

@ -0,0 +1,122 @@
package kp
import (
"context"
"fmt"
"strconv"
"strings"
"time"
)
const (
kmipObjectSubPath = "kmip_objects"
kmipObjectType = "application/vnd.ibm.kms.kmip_object+json"
)
type KMIPObject struct {
ID string `json:"id,omitempty"`
KMIPObjectType int `json:"kmip_object_type,omitempty"`
ObjectState int `json:"state,omitempty"`
CreatedByCertID string `json:"created_by_kmip_client_cert_id,omitempty"`
CreatedBy string `json:"created_by,omitempty"`
CreatedAt *time.Time `json:"created_at,omitempty"`
UpdatedByCertID string `json:"updated_by_kmip_client_cert_id,omitempty"`
UpdatedBy string `json:"updated_by,omitempty"`
UpdatedAt *time.Time `json:"updated_at,omitempty"`
DestroyedByCertID string `json:"destroyed_by_kmip_client_cert_id,omitempty"`
DestroyedBy string `json:"destroyed_by,omitempty"`
DestroyedAt *time.Time `json:"destroyed_at,omitempty"`
}
type KMIPObjects struct {
Metadata CollectionMetadata `json:"metadata"`
Objects []KMIPObject `json:"resources"`
}
type ListKmipObjectsOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
ObjectStateFilter *[]int32
}
func (c *Client) GetKMIPObjects(ctx context.Context, adapter_id string, listOpts *ListKmipObjectsOptions) (*KMIPObjects, error) {
objects := KMIPObjects{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s", kmipAdapterPath, adapter_id, kmipObjectSubPath), nil)
if err != nil {
return nil, err
}
if listOpts != nil {
values := req.URL.Query()
if listOpts.Limit != nil {
values.Set("limit", fmt.Sprint(*listOpts.Limit))
}
if listOpts.Offset != nil {
values.Set("offset", fmt.Sprint(*listOpts.Offset))
}
if listOpts.TotalCount != nil {
values.Set("totalCount", fmt.Sprint(*listOpts.TotalCount))
}
if listOpts.ObjectStateFilter != nil {
var stateStrs []string
for _, i := range *listOpts.ObjectStateFilter {
stateStrs = append(stateStrs, strconv.FormatInt(int64(i), 10))
}
values.Set("state", strings.Join(stateStrs, ","))
}
req.URL.RawQuery = values.Encode()
}
_, err = c.do(ctx, req, &objects)
if err != nil {
return nil, err
}
return &objects, nil
}
func (c *Client) GetKMIPObject(ctx context.Context, adapter_id, object_id string) (*KMIPObject, error) {
objects := &KMIPObjects{}
req, err := c.newRequest("GET", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
if err != nil {
return nil, err
}
_, err = c.do(ctx, req, objects)
if err != nil {
return nil, err
}
return unwrapKMIPObject(objects), nil
}
func (c *Client) DeleteKMIPObject(ctx context.Context, adapter_id, object_id string) error {
req, err := c.newRequest("DELETE", fmt.Sprintf("%s/%s/%s/%s",
kmipAdapterPath, adapter_id, kmipObjectSubPath, object_id), nil)
if err != nil {
return err
}
_, err = c.do(ctx, req, nil)
if err != nil {
return err
}
return nil
}
func wrapKMIPObject(object KMIPObject) KMIPObjects {
return KMIPObjects{
Metadata: CollectionMetadata{
CollectionType: kmipObjectType,
CollectionTotal: 1,
},
Objects: []KMIPObject{object},
}
}
func unwrapKMIPObject(objects *KMIPObjects) *KMIPObject {
return &objects.Objects[0]
}

View File

@ -23,7 +23,6 @@ import (
"errors"
"fmt"
"io"
"io/ioutil"
"net/http"
"net/url"
"strings"
@ -276,7 +275,7 @@ func (c *Client) do(ctx context.Context, req *http.Request, res interface{}) (*h
}
defer response.Body.Close()
resBody, err := ioutil.ReadAll(response.Body)
resBody, err := io.ReadAll(response.Body)
redact := []string{c.Config.APIKey, req.Header.Get("authorization")}
c.Dump(req, response, []byte{}, resBody, c.Logger, redact)
if err != nil {
@ -515,3 +514,17 @@ func redact(s string, redactStrings []string) string {
func noredact(s string, redactStrings []string) string {
return s
}
// Collection Metadata is generic and can be shared between multiple resource types
type CollectionMetadata struct {
CollectionType string `json:"collectionType"`
CollectionTotal int `json:"collectionTotal"`
TotalCount int `json:"totalCount,omitempty"`
}
// ListsOptions struct to add the query parameters for list functions. Extensible.
type ListOptions struct {
Limit *uint32
Offset *uint32
TotalCount *bool
}

View File

@ -0,0 +1,18 @@
package aws
// AccountIDEndpointMode controls how a resolved AWS account ID is handled for endpoint routing.
type AccountIDEndpointMode string
const (
// AccountIDEndpointModeUnset indicates the AWS account ID will not be used for endpoint routing
AccountIDEndpointModeUnset AccountIDEndpointMode = ""
// AccountIDEndpointModePreferred indicates the AWS account ID will be used for endpoint routing if present
AccountIDEndpointModePreferred = "preferred"
// AccountIDEndpointModeRequired indicates an error will be returned if the AWS account ID is not resolved from identity
AccountIDEndpointModeRequired = "required"
// AccountIDEndpointModeDisabled indicates the AWS account ID will be ignored during endpoint routing
AccountIDEndpointModeDisabled = "disabled"
)

View File

@ -162,6 +162,9 @@ type Config struct {
// This variable is sourced from environment variable AWS_REQUEST_MIN_COMPRESSION_SIZE_BYTES or
// the shared config profile attribute request_min_compression_size_bytes
RequestMinCompressSizeBytes int64
// Controls how a resolved AWS account ID is handled for endpoint routing.
AccountIDEndpointMode AccountIDEndpointMode
}
// NewConfig returns a new Config pointer that can be chained with builder

View File

@ -90,6 +90,9 @@ type Credentials struct {
// The time the credentials will expire at. Should be ignored if CanExpire
// is false.
Expires time.Time
// The ID of the account for the credentials.
AccountID string
}
// Expired returns if the credentials have expired.

View File

@ -70,6 +70,10 @@ func GetUseFIPSEndpoint(options ...interface{}) (value FIPSEndpointState, found
// The SDK will automatically resolve these endpoints per API client using an
// internal endpoint resolvers. If you'd like to provide custom endpoint
// resolving behavior you can implement the EndpointResolver interface.
//
// Deprecated: This structure was used with the global [EndpointResolver]
// interface, which has been deprecated in favor of service-specific endpoint
// resolution. See the deprecation docs on that interface for more information.
type Endpoint struct {
// The base URL endpoint the SDK API clients will use to make API calls to.
// The SDK will suffix URI path and query elements to this endpoint.
@ -124,6 +128,8 @@ type Endpoint struct {
}
// EndpointSource is the endpoint source type.
//
// Deprecated: The global [Endpoint] structure is deprecated.
type EndpointSource int
const (
@ -161,19 +167,25 @@ func (e *EndpointNotFoundError) Unwrap() error {
// API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver.
//
// Deprecated: See EndpointResolverWithOptions
// Deprecated: The global endpoint resolution interface is deprecated. The API
// for endpoint resolution is now unique to each service and is set via the
// EndpointResolverV2 field on service client options. Setting a value for
// EndpointResolver on aws.Config or service client options will prevent you
// from using any endpoint-related service features released after the
// introduction of EndpointResolverV2. You may also encounter broken or
// unexpected behavior when using the old global interface with services that
// use many endpoint-related customizations such as S3.
type EndpointResolver interface {
ResolveEndpoint(service, region string) (Endpoint, error)
}
// EndpointResolverFunc wraps a function to satisfy the EndpointResolver interface.
//
// Deprecated: See EndpointResolverWithOptionsFunc
// Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverFunc func(service, region string) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results.
//
// Deprecated: See EndpointResolverWithOptions.ResolveEndpoint
func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint, error) {
return e(service, region)
}
@ -184,11 +196,17 @@ func (e EndpointResolverFunc) ResolveEndpoint(service, region string) (Endpoint,
// available. If the EndpointResolverWithOptions returns an EndpointNotFoundError error,
// API clients will fallback to attempting to resolve the endpoint using its
// internal default endpoint resolver.
//
// Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptions interface {
ResolveEndpoint(service, region string, options ...interface{}) (Endpoint, error)
}
// EndpointResolverWithOptionsFunc wraps a function to satisfy the EndpointResolverWithOptions interface.
//
// Deprecated: The global endpoint resolution interface is deprecated. See
// deprecation docs on [EndpointResolver].
type EndpointResolverWithOptionsFunc func(service, region string, options ...interface{}) (Endpoint, error)
// ResolveEndpoint calls the wrapped function and returns the results.

View File

@ -3,4 +3,4 @@
package aws
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.25.2"
const goModuleVersion = "1.30.0"

View File

@ -112,6 +112,8 @@ type MetricData struct {
ResolveEndpointStartTime time.Time
ResolveEndpointEndTime time.Time
EndpointResolutionDuration time.Duration
GetIdentityStartTime time.Time
GetIdentityEndTime time.Time
InThroughput float64
OutThroughput float64
RetryCount int
@ -122,6 +124,7 @@ type MetricData struct {
OperationName string
PartitionID string
Region string
UserAgent string
RequestContentLength int64
Stream StreamMetrics
Attempts []AttemptMetrics
@ -144,8 +147,6 @@ type AttemptMetrics struct {
ConnRequestedTime time.Time
ConnObtainedTime time.Time
ConcurrencyAcquireDuration time.Duration
CredentialFetchStartTime time.Time
CredentialFetchEndTime time.Time
SignStartTime time.Time
SignEndTime time.Time
SigningDuration time.Duration

View File

@ -5,6 +5,7 @@ import (
"fmt"
"os"
"runtime"
"sort"
"strings"
"github.com/aws/aws-sdk-go-v2/aws"
@ -30,6 +31,7 @@ const (
FrameworkMetadata
AdditionalMetadata
ApplicationIdentifier
FeatureMetadata2
)
func (k SDKAgentKeyType) string() string {
@ -50,6 +52,8 @@ func (k SDKAgentKeyType) string() string {
return "lib"
case ApplicationIdentifier:
return "app"
case FeatureMetadata2:
return "m"
case AdditionalMetadata:
fallthrough
default:
@ -64,9 +68,29 @@ var validChars = map[rune]bool{
'-': true, '.': true, '^': true, '_': true, '`': true, '|': true, '~': true,
}
// UserAgentFeature enumerates tracked SDK features.
type UserAgentFeature string
// Enumerates UserAgentFeature.
const (
UserAgentFeatureResourceModel UserAgentFeature = "A" // n/a (we don't generate separate resource types)
UserAgentFeatureWaiter = "B"
UserAgentFeaturePaginator = "C"
UserAgentFeatureRetryModeLegacy = "D" // n/a (equivalent to standard)
UserAgentFeatureRetryModeStandard = "E"
UserAgentFeatureRetryModeAdaptive = "F"
UserAgentFeatureS3Transfer = "G"
UserAgentFeatureS3CryptoV1N = "H" // n/a (crypto client is external)
UserAgentFeatureS3CryptoV2 = "I" // n/a
UserAgentFeatureS3ExpressBucket = "J"
UserAgentFeatureS3AccessGrants = "K" // not yet implemented
UserAgentFeatureGZIPRequestCompression = "L"
)
// RequestUserAgent is a build middleware that set the User-Agent for the request.
type RequestUserAgent struct {
sdkAgent, userAgent *smithyhttp.UserAgentBuilder
features map[UserAgentFeature]struct{}
}
// NewRequestUserAgent returns a new requestUserAgent which will set the User-Agent and X-Amz-User-Agent for the
@ -87,6 +111,7 @@ func NewRequestUserAgent() *RequestUserAgent {
r := &RequestUserAgent{
sdkAgent: sdkAgent,
userAgent: userAgent,
features: map[UserAgentFeature]struct{}{},
}
addSDKMetadata(r)
@ -191,6 +216,12 @@ func (u *RequestUserAgent) AddUserAgentKeyValue(key, value string) {
u.userAgent.AddKeyValue(strings.Map(rules, key), strings.Map(rules, value))
}
// AddUserAgentFeature adds the feature ID to the tracking list to be emitted
// in the final User-Agent string.
func (u *RequestUserAgent) AddUserAgentFeature(feature UserAgentFeature) {
u.features[feature] = struct{}{}
}
// AddSDKAgentKey adds the component identified by name to the User-Agent string.
func (u *RequestUserAgent) AddSDKAgentKey(keyType SDKAgentKeyType, key string) {
// TODO: should target sdkAgent
@ -227,6 +258,9 @@ func (u *RequestUserAgent) HandleBuild(ctx context.Context, in middleware.BuildI
func (u *RequestUserAgent) addHTTPUserAgent(request *smithyhttp.Request) {
const userAgent = "User-Agent"
updateHTTPHeader(request, userAgent, u.userAgent.Build())
if len(u.features) > 0 {
updateHTTPHeader(request, userAgent, buildFeatureMetrics(u.features))
}
}
func (u *RequestUserAgent) addHTTPSDKAgent(request *smithyhttp.Request) {
@ -259,3 +293,13 @@ func rules(r rune) rune {
return '-'
}
}
func buildFeatureMetrics(features map[UserAgentFeature]struct{}) string {
fs := make([]string, 0, len(features))
for f := range features {
fs = append(fs, string(f))
}
sort.Strings(fs)
return fmt.Sprintf("%s/%s", FeatureMetadata2.string(), strings.Join(fs, ","))
}

View File

@ -0,0 +1,20 @@
package ratelimit
import "context"
// None implements a no-op rate limiter which effectively disables client-side
// rate limiting (also known as "retry quotas").
//
// GetToken does nothing and always returns a nil error. The returned
// token-release function does nothing, and always returns a nil error.
//
// AddTokens does nothing and always returns a nil error.
var None = &none{}
type none struct{}
func (*none) GetToken(ctx context.Context, cost uint) (func() error, error) {
return func() error { return nil }, nil
}
func (*none) AddTokens(v uint) error { return nil }

View File

@ -2,12 +2,15 @@ package retry
import (
"context"
"errors"
"fmt"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
"strconv"
"strings"
"time"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/aws-sdk-go-v2/aws"
awsmiddle "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
@ -39,6 +42,10 @@ type Attempt struct {
requestCloner RequestCloner
}
// define the threshold at which we will consider certain kind of errors to be probably
// caused by clock skew
const skewThreshold = 4 * time.Minute
// NewAttemptMiddleware returns a new Attempt retry middleware.
func NewAttemptMiddleware(retryer aws.Retryer, requestCloner RequestCloner, optFns ...func(*Attempt)) *Attempt {
m := &Attempt{
@ -86,6 +93,9 @@ func (r *Attempt) HandleFinalize(ctx context.Context, in smithymiddle.FinalizeIn
AttemptClockSkew: attemptClockSkew,
})
// Setting clock skew to be used on other context (like signing)
ctx = internalcontext.SetAttemptSkewContext(ctx, attemptClockSkew)
var attemptResult AttemptResult
out, attemptResult, releaseRetryToken, err = r.handleAttempt(attemptCtx, attemptInput, releaseRetryToken, next)
attemptClockSkew, _ = awsmiddle.GetAttemptSkew(attemptResult.ResponseMetadata)
@ -185,6 +195,8 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, nopRelease, err
}
err = wrapAsClockSkew(ctx, err)
//------------------------------
// Is Retryable and Should Retry
//------------------------------
@ -247,6 +259,37 @@ func (r *Attempt) handleAttempt(
return out, attemptResult, releaseRetryToken, err
}
// errors that, if detected when we know there's a clock skew,
// can be retried and have a high chance of success
var possibleSkewCodes = map[string]struct{}{
"InvalidSignatureException": {},
"SignatureDoesNotMatch": {},
"AuthFailure": {},
}
var definiteSkewCodes = map[string]struct{}{
"RequestExpired": {},
"RequestInTheFuture": {},
"RequestTimeTooSkewed": {},
}
// wrapAsClockSkew checks if this error could be related to a clock skew
// error and if so, wrap the error.
func wrapAsClockSkew(ctx context.Context, err error) error {
var v interface{ ErrorCode() string }
if !errors.As(err, &v) {
return err
}
if _, ok := definiteSkewCodes[v.ErrorCode()]; ok {
return &retryableClockSkewError{Err: err}
}
_, isPossibleSkewCode := possibleSkewCodes[v.ErrorCode()]
if skew := internalcontext.GetAttemptSkewContext(ctx); skew > skewThreshold && isPossibleSkewCode {
return &retryableClockSkewError{Err: err}
}
return err
}
// MetricsHeader attaches SDK request metric header for retries to the transport
type MetricsHeader struct{}

View File

@ -2,6 +2,7 @@ package retry
import (
"errors"
"fmt"
"net"
"net/url"
"strings"
@ -199,3 +200,23 @@ func (r RetryableErrorCode) IsErrorRetryable(err error) aws.Ternary {
return aws.TrueTernary
}
// retryableClockSkewError marks errors that can be caused by clock skew
// (difference between server time and client time).
// This is returned when there's certain confidence that adjusting the client time
// could allow a retry to succeed
type retryableClockSkewError struct{ Err error }
func (e *retryableClockSkewError) Error() string {
return fmt.Sprintf("Probable clock skew error: %v", e.Err)
}
// Unwrap returns the wrapped error.
func (e *retryableClockSkewError) Unwrap() error {
return e.Err
}
// RetryableError allows the retryer to retry this request
func (e *retryableClockSkewError) RetryableError() bool {
return true
}

View File

@ -123,6 +123,17 @@ type StandardOptions struct {
// Provides the rate limiting strategy for rate limiting attempt retries
// across all attempts the retryer is being used with.
//
// A RateLimiter operates as a token bucket with a set capacity, where
// attempt failures events consume tokens. A retry attempt that attempts to
// consume more tokens than what's available results in operation failure.
// The default implementation is parameterized as follows:
// - a capacity of 500 (DefaultRetryRateTokens)
// - a retry caused by a timeout costs 10 tokens (DefaultRetryCost)
// - a retry caused by other errors costs 5 tokens (DefaultRetryTimeoutCost)
// - an operation that succeeds on the 1st attempt adds 1 token (DefaultNoRetryIncrement)
//
// You can disable rate limiting by setting this field to ratelimit.None.
RateLimiter RateLimiter
// The cost to deduct from the RateLimiter's token bucket per retry.

View File

@ -38,7 +38,6 @@ var RequiredSignedHeaders = Rules{
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Algorithm": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key": struct{}{},
"X-Amz-Copy-Source-Server-Side-Encryption-Customer-Key-Md5": struct{}{},
"X-Amz-Expected-Bucket-Owner": struct{}{},
"X-Amz-Grant-Full-control": struct{}{},
"X-Amz-Grant-Read": struct{}{},
"X-Amz-Grant-Read-Acp": struct{}{},

View File

@ -11,7 +11,6 @@ import (
"github.com/aws/aws-sdk-go-v2/aws"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/aws/middleware/private/metrics"
v4Internal "github.com/aws/aws-sdk-go-v2/aws/signer/internal/v4"
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
@ -301,22 +300,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
return out, metadata, &SigningError{Err: fmt.Errorf("computed payload hash missing from context")}
}
mctx := metrics.Context(ctx)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.CredentialFetchStartTime = sdk.NowTime()
}
}
credentials, err := s.credentialsProvider.Retrieve(ctx)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.CredentialFetchEndTime = sdk.NowTime()
}
}
if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to retrieve credentials: %w", err)}
}
@ -337,20 +321,7 @@ func (s *SignHTTPRequestMiddleware) HandleFinalize(ctx context.Context, in middl
})
}
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.SignStartTime = sdk.NowTime()
}
}
err = s.signer.SignHTTP(ctx, credentials, req.Request, payloadHash, signingName, signingRegion, sdk.NowTime(), signerOptions...)
if mctx != nil {
if attempt, err := mctx.Data().LatestAttempt(); err == nil {
attempt.SignEndTime = sdk.NowTime()
}
}
if err != nil {
return out, metadata, &SigningError{Err: fmt.Errorf("failed to sign http request, %w", err)}
}

View File

@ -1,48 +1,41 @@
// Package v4 implements signing for AWS V4 signer
// Package v4 implements the AWS signature version 4 algorithm (commonly known
// as SigV4).
//
// Provides request signing for request that need to be signed with
// AWS V4 Signatures.
// For more information about SigV4, see [Signing AWS API requests] in the IAM
// user guide.
//
// # Standalone Signer
// While this implementation CAN work in an external context, it is developed
// primarily for SDK use and you may encounter fringe behaviors around header
// canonicalization.
//
// Generally using the signer outside of the SDK should not require any additional
// # Pre-escaping a request URI
//
// The signer does this by taking advantage of the URL.EscapedPath method. If your request URI requires
// AWS v4 signature validation requires that the canonical string's URI path
// component must be the escaped form of the HTTP request's path.
//
// additional escaping you many need to use the URL.Opaque to define what the raw URI should be sent
// to the service as.
// The Go HTTP client will perform escaping automatically on the HTTP request.
// This may cause signature validation errors because the request differs from
// the URI path or query from which the signature was generated.
//
// The signer will first check the URL.Opaque field, and use its value if set.
// The signer does require the URL.Opaque field to be set in the form of:
// Because of this, we recommend that you explicitly escape the request when
// using this signer outside of the SDK to prevent possible signature mismatch.
// This can be done by setting URL.Opaque on the request. The signer will
// prefer that value, falling back to the return of URL.EscapedPath if unset.
//
// When setting URL.Opaque you must do so in the form of:
//
// "//<hostname>/<path>"
//
// // e.g.
// "//example.com/some/path"
//
// The leading "//" and hostname are required or the URL.Opaque escaping will
// not work correctly.
// The leading "//" and hostname are required or the escaping will not work
// correctly.
//
// If URL.Opaque is not set the signer will fallback to the URL.EscapedPath()
// method and using the returned value.
// The TestStandaloneSign unit test provides a complete example of using the
// signer outside of the SDK and pre-escaping the URI path.
//
// AWS v4 signature validation requires that the canonical string's URI path
// element must be the URI escaped form of the HTTP request's path.
// http://docs.aws.amazon.com/general/latest/gr/sigv4-create-canonical-request.html
//
// The Go HTTP client will perform escaping automatically on the request. Some
// of these escaping may cause signature validation errors because the HTTP
// request differs from the URI path or query that the signature was generated.
// https://golang.org/pkg/net/url/#URL.EscapedPath
//
// Because of this, it is recommended that when using the signer outside of the
// SDK that explicitly escaping the request prior to being signed is preferable,
// and will help prevent signature validation errors. This can be done by setting
// the URL.Opaque or URL.RawPath. The SDK will use URL.Opaque first and then
// call URL.EscapedPath() if Opaque is not set.
//
// Test `TestStandaloneSign` provides a complete example of using the signer
// outside of the SDK and pre-escaping the URI path.
// [Signing AWS API requests]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-signing.html
package v4
import (
@ -402,6 +395,12 @@ func buildQuery(r v4Internal.Rule, header http.Header) (url.Values, http.Header)
query := url.Values{}
unsignedHeaders := http.Header{}
for k, h := range header {
// literally just this header has this constraint for some stupid reason,
// see #2508
if k == "X-Amz-Expected-Bucket-Owner" {
k = "x-amz-expected-bucket-owner"
}
if r.IsValid(k) {
query[k] = h
} else {

View File

@ -5,6 +5,7 @@ import (
"fmt"
v4 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/aws-sdk-go-v2/internal/sdk"
"github.com/aws/smithy-go"
"github.com/aws/smithy-go/auth"
@ -39,7 +40,10 @@ func (v *V4SignerAdapter) SignRequest(ctx context.Context, r *smithyhttp.Request
}
hash := v4.GetPayloadHash(ctx)
err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, sdk.NowTime(), func(o *v4.SignerOptions) {
signingTime := sdk.NowTime()
skew := internalcontext.GetAttemptSkewContext(ctx)
signingTime = signingTime.Add(skew)
err := v.Signer.SignHTTP(ctx, ca.Credentials, r.Request, hash, name, region, signingTime, func(o *v4.SignerOptions) {
o.DisableURIPathEscaping, _ = smithyhttp.GetDisableDoubleEncoding(&props)
o.Logger = v.Logger

View File

@ -1,3 +1,43 @@
# v1.3.12 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.11 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.10 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.9 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.8 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.7 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.6 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.5 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.4 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.3 (2024-03-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.3.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions

View File

@ -3,4 +3,4 @@
package configsources
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.3.2"
const goModuleVersion = "1.3.12"

View File

@ -0,0 +1,52 @@
package context
import (
"context"
"time"
"github.com/aws/smithy-go/middleware"
)
type s3BackendKey struct{}
type checksumInputAlgorithmKey struct{}
type clockSkew struct{}
const (
// S3BackendS3Express identifies the S3Express backend
S3BackendS3Express = "S3Express"
)
// SetS3Backend stores the resolved endpoint backend within the request
// context, which is required for a variety of custom S3 behaviors.
func SetS3Backend(ctx context.Context, typ string) context.Context {
return middleware.WithStackValue(ctx, s3BackendKey{}, typ)
}
// GetS3Backend retrieves the stored endpoint backend within the context.
func GetS3Backend(ctx context.Context) string {
v, _ := middleware.GetStackValue(ctx, s3BackendKey{}).(string)
return v
}
// SetChecksumInputAlgorithm sets the request checksum algorithm on the
// context.
func SetChecksumInputAlgorithm(ctx context.Context, value string) context.Context {
return middleware.WithStackValue(ctx, checksumInputAlgorithmKey{}, value)
}
// GetChecksumInputAlgorithm returns the checksum algorithm from the context.
func GetChecksumInputAlgorithm(ctx context.Context) string {
v, _ := middleware.GetStackValue(ctx, checksumInputAlgorithmKey{}).(string)
return v
}
// SetAttemptSkewContext sets the clock skew value on the context
func SetAttemptSkewContext(ctx context.Context, v time.Duration) context.Context {
return middleware.WithStackValue(ctx, clockSkew{}, v)
}
// GetAttemptSkewContext gets the clock skew value from the context
func GetAttemptSkewContext(ctx context.Context) time.Duration {
x, _ := middleware.GetStackValue(ctx, clockSkew{}).(time.Duration)
return x
}

View File

@ -12,11 +12,12 @@ type Partition struct {
// PartitionConfig provides the endpoint metadata for an AWS region or partition.
type PartitionConfig struct {
Name string `json:"name"`
DnsSuffix string `json:"dnsSuffix"`
DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
SupportsFIPS bool `json:"supportsFIPS"`
SupportsDualStack bool `json:"supportsDualStack"`
Name string `json:"name"`
DnsSuffix string `json:"dnsSuffix"`
DualStackDnsSuffix string `json:"dualStackDnsSuffix"`
SupportsFIPS bool `json:"supportsFIPS"`
SupportsDualStack bool `json:"supportsDualStack"`
ImplicitGlobalRegion string `json:"implicitGlobalRegion"`
}
type RegionOverrides struct {

View File

@ -13,11 +13,12 @@ var partitions = []Partition{
ID: "aws",
RegionRegex: "^(us|eu|ap|sa|ca|me|af|il)\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws",
DnsSuffix: "amazonaws.com",
DualStackDnsSuffix: "api.aws",
SupportsFIPS: true,
SupportsDualStack: true,
Name: "aws",
DnsSuffix: "amazonaws.com",
DualStackDnsSuffix: "api.aws",
SupportsFIPS: true,
SupportsDualStack: true,
ImplicitGlobalRegion: "us-east-1",
},
Regions: map[string]RegionOverrides{
"af-south-1": {
@ -111,6 +112,13 @@ var partitions = []Partition{
SupportsFIPS: nil,
SupportsDualStack: nil,
},
"ca-west-1": {
Name: nil,
DnsSuffix: nil,
DualStackDnsSuffix: nil,
SupportsFIPS: nil,
SupportsDualStack: nil,
},
"eu-central-1": {
Name: nil,
DnsSuffix: nil,
@ -229,11 +237,12 @@ var partitions = []Partition{
ID: "aws-cn",
RegionRegex: "^cn\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-cn",
DnsSuffix: "amazonaws.com.cn",
DualStackDnsSuffix: "api.amazonwebservices.com.cn",
SupportsFIPS: true,
SupportsDualStack: true,
Name: "aws-cn",
DnsSuffix: "amazonaws.com.cn",
DualStackDnsSuffix: "api.amazonwebservices.com.cn",
SupportsFIPS: true,
SupportsDualStack: true,
ImplicitGlobalRegion: "cn-northwest-1",
},
Regions: map[string]RegionOverrides{
"aws-cn-global": {
@ -263,11 +272,12 @@ var partitions = []Partition{
ID: "aws-us-gov",
RegionRegex: "^us\\-gov\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-us-gov",
DnsSuffix: "amazonaws.com",
DualStackDnsSuffix: "api.aws",
SupportsFIPS: true,
SupportsDualStack: true,
Name: "aws-us-gov",
DnsSuffix: "amazonaws.com",
DualStackDnsSuffix: "api.aws",
SupportsFIPS: true,
SupportsDualStack: true,
ImplicitGlobalRegion: "us-gov-west-1",
},
Regions: map[string]RegionOverrides{
"aws-us-gov-global": {
@ -297,11 +307,12 @@ var partitions = []Partition{
ID: "aws-iso",
RegionRegex: "^us\\-iso\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-iso",
DnsSuffix: "c2s.ic.gov",
DualStackDnsSuffix: "c2s.ic.gov",
SupportsFIPS: true,
SupportsDualStack: false,
Name: "aws-iso",
DnsSuffix: "c2s.ic.gov",
DualStackDnsSuffix: "c2s.ic.gov",
SupportsFIPS: true,
SupportsDualStack: false,
ImplicitGlobalRegion: "us-iso-east-1",
},
Regions: map[string]RegionOverrides{
"aws-iso-global": {
@ -331,11 +342,12 @@ var partitions = []Partition{
ID: "aws-iso-b",
RegionRegex: "^us\\-isob\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-iso-b",
DnsSuffix: "sc2s.sgov.gov",
DualStackDnsSuffix: "sc2s.sgov.gov",
SupportsFIPS: true,
SupportsDualStack: false,
Name: "aws-iso-b",
DnsSuffix: "sc2s.sgov.gov",
DualStackDnsSuffix: "sc2s.sgov.gov",
SupportsFIPS: true,
SupportsDualStack: false,
ImplicitGlobalRegion: "us-isob-east-1",
},
Regions: map[string]RegionOverrides{
"aws-iso-b-global": {
@ -358,23 +370,33 @@ var partitions = []Partition{
ID: "aws-iso-e",
RegionRegex: "^eu\\-isoe\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-iso-e",
DnsSuffix: "cloud.adc-e.uk",
DualStackDnsSuffix: "cloud.adc-e.uk",
SupportsFIPS: true,
SupportsDualStack: false,
Name: "aws-iso-e",
DnsSuffix: "cloud.adc-e.uk",
DualStackDnsSuffix: "cloud.adc-e.uk",
SupportsFIPS: true,
SupportsDualStack: false,
ImplicitGlobalRegion: "eu-isoe-west-1",
},
Regions: map[string]RegionOverrides{
"eu-isoe-west-1": {
Name: nil,
DnsSuffix: nil,
DualStackDnsSuffix: nil,
SupportsFIPS: nil,
SupportsDualStack: nil,
},
},
Regions: map[string]RegionOverrides{},
},
{
ID: "aws-iso-f",
RegionRegex: "^us\\-isof\\-\\w+\\-\\d+$",
DefaultConfig: PartitionConfig{
Name: "aws-iso-f",
DnsSuffix: "csp.hci.ic.gov",
DualStackDnsSuffix: "csp.hci.ic.gov",
SupportsFIPS: true,
SupportsDualStack: false,
Name: "aws-iso-f",
DnsSuffix: "csp.hci.ic.gov",
DualStackDnsSuffix: "csp.hci.ic.gov",
SupportsFIPS: true,
SupportsDualStack: false,
ImplicitGlobalRegion: "us-isof-south-1",
},
Regions: map[string]RegionOverrides{},
},

View File

@ -198,7 +198,11 @@
"supportsFIPS" : true
},
"regionRegex" : "^eu\\-isoe\\-\\w+\\-\\d+$",
"regions" : { }
"regions" : {
"eu-isoe-west-1" : {
"description" : "EU ISOE West"
}
}
}, {
"id" : "aws-iso-f",
"outputs" : {

View File

@ -1,3 +1,44 @@
# v2.6.12 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.11 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.10 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.9 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.8 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.7 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.6 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.5 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.4 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.3 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v2.6.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions

View File

@ -3,4 +3,4 @@
package endpoints
// goModuleVersion is the tagged release for this module
const goModuleVersion = "2.6.2"
const goModuleVersion = "2.6.12"

View File

@ -0,0 +1,42 @@
package middleware
import (
"context"
"sync/atomic"
"time"
internalcontext "github.com/aws/aws-sdk-go-v2/internal/context"
"github.com/aws/smithy-go/middleware"
)
// AddTimeOffsetMiddleware sets a value representing clock skew on the request context.
// This can be read by other operations (such as signing) to correct the date value they send
// on the request
type AddTimeOffsetMiddleware struct {
Offset *atomic.Int64
}
// ID the identifier for AddTimeOffsetMiddleware
func (m *AddTimeOffsetMiddleware) ID() string { return "AddTimeOffsetMiddleware" }
// HandleBuild sets a value for attemptSkew on the request context if one is set on the client.
func (m AddTimeOffsetMiddleware) HandleBuild(ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
) {
if m.Offset != nil {
offset := time.Duration(m.Offset.Load())
ctx = internalcontext.SetAttemptSkewContext(ctx, offset)
}
return next.HandleBuild(ctx, in)
}
// HandleDeserialize gets the clock skew context from the context, and if set, sets it on the pointer
// held by AddTimeOffsetMiddleware
func (m *AddTimeOffsetMiddleware) HandleDeserialize(ctx context.Context, in middleware.DeserializeInput, next middleware.DeserializeHandler) (
out middleware.DeserializeOutput, metadata middleware.Metadata, err error,
) {
if v := internalcontext.GetAttemptSkewContext(ctx); v != 0 {
m.Offset.Store(v.Nanoseconds())
}
return next.HandleDeserialize(ctx, in)
}

View File

@ -1,3 +1,7 @@
# v1.11.2 (2024-03-29)
* No change notes available for this release.
# v1.11.1 (2024-02-21)
* No change notes available for this release.

View File

@ -3,4 +3,4 @@
package acceptencoding
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.11.1"
const goModuleVersion = "1.11.2"

View File

@ -1,3 +1,52 @@
# v1.11.14 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.13 (2024-06-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.12 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.11 (2024-06-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.10 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.9 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.8 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.7 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.6 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.5 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.11.4 (2024-03-05)
* **Bug Fix**: Restore typo'd API `AddAsIsInternalPresigingMiddleware` as an alias for backwards compatibility.
# v1.11.3 (2024-03-04)
* **Bug Fix**: Correct a typo in internal AddAsIsPresigningMiddleware API.
# v1.11.2 (2024-02-23)
* **Dependency Update**: Updated to the latest SDK module versions

View File

@ -27,13 +27,21 @@ func GetIsPresigning(ctx context.Context) bool {
type isPresigningKey struct{}
// AddAsIsPresigingMiddleware adds a middleware to the head of the stack that
// AddAsIsPresigningMiddleware adds a middleware to the head of the stack that
// will update the stack's context to be flagged as being invoked for the
// purpose of presigning.
func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
func AddAsIsPresigningMiddleware(stack *middleware.Stack) error {
return stack.Initialize.Add(asIsPresigningMiddleware{}, middleware.Before)
}
// AddAsIsPresigingMiddleware is an alias for backwards compatibility.
//
// Deprecated: This API was released with a typo. Use
// [AddAsIsPresigningMiddleware] instead.
func AddAsIsPresigingMiddleware(stack *middleware.Stack) error {
return AddAsIsPresigningMiddleware(stack)
}
type asIsPresigningMiddleware struct{}
func (asIsPresigningMiddleware) ID() string { return "AsIsPresigningMiddleware" }

View File

@ -3,4 +3,4 @@
package presignedurl
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.11.2"
const goModuleVersion = "1.11.14"

View File

@ -1,3 +1,63 @@
# v1.29.1 (2024-06-19)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.29.0 (2024-06-18)
* **Feature**: Track usage of various AWS SDK features in user-agent string.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.13 (2024-06-17)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.12 (2024-06-07)
* **Bug Fix**: Add clock skew correction on all service clients
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.11 (2024-06-03)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.10 (2024-05-23)
* No change notes available for this release.
# v1.28.9 (2024-05-16)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.8 (2024-05-15)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.7 (2024-05-08)
* **Bug Fix**: GoDoc improvement
# v1.28.6 (2024-03-29)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.5 (2024-03-18)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.4 (2024-03-07)
* **Bug Fix**: Remove dependency on go-cmp.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.3 (2024-03-05)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.2 (2024-03-04)
* **Bug Fix**: Update internal/presigned-url dependency for corrected API name.
* **Dependency Update**: Updated to the latest SDK module versions
# v1.28.1 (2024-02-23)
* **Bug Fix**: Move all common, SDK-side middleware stack ops into the service client module to prevent cross-module compatibility issues in the future.

View File

@ -15,15 +15,18 @@ import (
internalauth "github.com/aws/aws-sdk-go-v2/internal/auth"
internalauthsmithy "github.com/aws/aws-sdk-go-v2/internal/auth/smithy"
internalConfig "github.com/aws/aws-sdk-go-v2/internal/configsources"
internalmiddleware "github.com/aws/aws-sdk-go-v2/internal/middleware"
acceptencodingcust "github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding"
presignedurlcust "github.com/aws/aws-sdk-go-v2/service/internal/presigned-url"
smithy "github.com/aws/smithy-go"
smithyauth "github.com/aws/smithy-go/auth"
smithydocument "github.com/aws/smithy-go/document"
"github.com/aws/smithy-go/logging"
"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"
"net"
"net/http"
"sync/atomic"
"time"
)
@ -34,6 +37,9 @@ const ServiceAPIVersion = "2011-06-15"
// Service.
type Client struct {
options Options
// Difference between the time reported by the server and the client
timeOffset *atomic.Int64
}
// New returns an initialized Client based on the functional options. Provide
@ -72,6 +78,8 @@ func New(options Options, optFns ...func(*Options)) *Client {
options: options,
}
initializeTimeOffsetResolver(client)
return client
}
@ -233,15 +241,16 @@ func setResolvedDefaultsMode(o *Options) {
// NewFromConfig returns a new client from the provided config.
func NewFromConfig(cfg aws.Config, optFns ...func(*Options)) *Client {
opts := Options{
Region: cfg.Region,
DefaultsMode: cfg.DefaultsMode,
RuntimeEnvironment: cfg.RuntimeEnvironment,
HTTPClient: cfg.HTTPClient,
Credentials: cfg.Credentials,
APIOptions: cfg.APIOptions,
Logger: cfg.Logger,
ClientLogMode: cfg.ClientLogMode,
AppID: cfg.AppID,
Region: cfg.Region,
DefaultsMode: cfg.DefaultsMode,
RuntimeEnvironment: cfg.RuntimeEnvironment,
HTTPClient: cfg.HTTPClient,
Credentials: cfg.Credentials,
APIOptions: cfg.APIOptions,
Logger: cfg.Logger,
ClientLogMode: cfg.ClientLogMode,
AppID: cfg.AppID,
AccountIDEndpointMode: cfg.AccountIDEndpointMode,
}
resolveAWSRetryerProvider(cfg, &opts)
resolveAWSRetryMaxAttempts(cfg, &opts)
@ -445,6 +454,30 @@ func addContentSHA256Header(stack *middleware.Stack) error {
return stack.Finalize.Insert(&v4.ContentSHA256Header{}, (*v4.ComputePayloadSHA256)(nil).ID(), middleware.After)
}
func addIsWaiterUserAgent(o *Options) {
o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureWaiter)
return nil
})
}
func addIsPaginatorUserAgent(o *Options) {
o.APIOptions = append(o.APIOptions, func(stack *middleware.Stack) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeaturePaginator)
return nil
})
}
func addRetry(stack *middleware.Stack, o Options) error {
attempt := retry.NewAttemptMiddleware(o.Retryer, smithyhttp.RequestCloner, func(m *retry.Attempt) {
m.LogAttempts = o.ClientLogMode.IsRetries()
@ -488,6 +521,63 @@ func resolveUseFIPSEndpoint(cfg aws.Config, o *Options) error {
return nil
}
func resolveAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) *string {
if mode == aws.AccountIDEndpointModeDisabled {
return nil
}
if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); ok && ca.Credentials.AccountID != "" {
return aws.String(ca.Credentials.AccountID)
}
return nil
}
func addTimeOffsetBuild(stack *middleware.Stack, c *Client) error {
mw := internalmiddleware.AddTimeOffsetMiddleware{Offset: c.timeOffset}
if err := stack.Build.Add(&mw, middleware.After); err != nil {
return err
}
return stack.Deserialize.Insert(&mw, "RecordResponseTiming", middleware.Before)
}
func initializeTimeOffsetResolver(c *Client) {
c.timeOffset = new(atomic.Int64)
}
func checkAccountID(identity smithyauth.Identity, mode aws.AccountIDEndpointMode) error {
switch mode {
case aws.AccountIDEndpointModeUnset:
case aws.AccountIDEndpointModePreferred:
case aws.AccountIDEndpointModeDisabled:
case aws.AccountIDEndpointModeRequired:
if ca, ok := identity.(*internalauthsmithy.CredentialsAdapter); !ok {
return fmt.Errorf("accountID is required but not set")
} else if ca.Credentials.AccountID == "" {
return fmt.Errorf("accountID is required but not set")
}
// default check in case invalid mode is configured through request config
default:
return fmt.Errorf("invalid accountID endpoint mode %s, must be preferred/required/disabled", mode)
}
return nil
}
func addUserAgentRetryMode(stack *middleware.Stack, options Options) error {
ua, err := getOrAddRequestUserAgent(stack)
if err != nil {
return err
}
switch options.Retryer.(type) {
case *retry.Standard:
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeStandard)
case *retry.AdaptiveMode:
ua.AddUserAgentFeature(awsmiddleware.UserAgentFeatureRetryModeAdaptive)
}
return nil
}
func addRecursionDetection(stack *middleware.Stack) error {
return stack.Build.Add(&awsmiddleware.RecursionDetection{}, middleware.After)
}
@ -643,7 +733,7 @@ func (c presignConverter) convertToPresignMiddleware(stack *middleware.Stack, op
if err != nil {
return err
}
err = presignedurlcust.AddAsIsPresigingMiddleware(stack)
err = presignedurlcust.AddAsIsPresigningMiddleware(stack)
if err != nil {
return err
}

View File

@ -16,69 +16,99 @@ import (
// Amazon Web Services resources. These temporary credentials consist of an access
// key ID, a secret access key, and a security token. Typically, you use AssumeRole
// within your account or for cross-account access. For a comparison of AssumeRole
// with other API operations that produce temporary credentials, see Requesting
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. Permissions The temporary security credentials created by
// AssumeRole can be used to make API calls to any Amazon Web Services service
// with the following exception: You cannot call the Amazon Web Services STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. When you create a role, you create two policies: a role
// trust policy that specifies who can assume the role, and a permissions policy
// that specifies what can be done with the role. You specify the trusted principal
// that is allowed to assume the role in the role trust policy. To assume a role
// from a different account, your Amazon Web Services account must be trusted by
// the role. The trust relationship is defined in the role's trust policy when the
// role is created. That trust policy states which accounts are allowed to delegate
// that access to users in the account. A user who wants to access a role in a
// different account must also have permissions that are delegated from the account
// administrator. The administrator must attach a policy that allows the user to
// call AssumeRole for the ARN of the role in the other account. To allow a user
// to assume a role in the same account, you can do either of the following:
// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
// IAM User Guide.
//
// # Permissions
//
// The temporary security credentials created by AssumeRole can be used to make
// API calls to any Amazon Web Services service with the following exception: You
// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
// API operations.
//
// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// single JSON policy document to use as an inline session policy. You can also
// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// session policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. Passing policies to this operation
// returns new temporary credentials. The resulting session's permissions are the
// intersection of the role's identity-based policy and the session policies. You
// can use the role's temporary credentials in subsequent Amazon Web Services API
// calls to access resources in the account that owns the role. You cannot use
// session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see [Session Policies]in the IAM User Guide.
//
// When you create a role, you create two policies: a role trust policy that
// specifies who can assume the role, and a permissions policy that specifies what
// can be done with the role. You specify the trusted principal that is allowed to
// assume the role in the role trust policy.
//
// To assume a role from a different account, your Amazon Web Services account
// must be trusted by the role. The trust relationship is defined in the role's
// trust policy when the role is created. That trust policy states which accounts
// are allowed to delegate that access to users in the account.
//
// A user who wants to access a role in a different account must also have
// permissions that are delegated from the account administrator. The administrator
// must attach a policy that allows the user to call AssumeRole for the ARN of the
// role in the other account.
//
// To allow a user to assume a role in the same account, you can do either of the
// following:
//
// - Attach a policy to the user that allows the user to call AssumeRole (as long
// as the role's trust policy trusts the account).
//
// - Add the user as a principal directly in the role's trust policy.
//
// You can do either because the roles trust policy acts as an IAM resource-based
// policy. When a resource-based policy grants access to a principal in the same
// account, no additional identity-based policy is required. For more information
// about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
// in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
// session. These tags are called session tags. For more information about session
// tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. An administrator must grant you the permissions necessary
// to pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
// multi-factor authentication (MFA) information when you call AssumeRole . This is
// useful for cross-account scenarios to ensure that the user that assumes the role
// has been authenticated with an Amazon Web Services MFA device. In that scenario,
// the trust policy of the role being assumed includes a condition that tests for
// MFA authentication. If the caller does not include valid MFA information, the
// request to assume the role is denied. The condition in a trust policy that tests
// for MFA authentication might look like the following example. "Condition":
// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
// Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
// in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
// the SerialNumber and TokenCode parameters. The SerialNumber value identifies
// the user's hardware or virtual MFA device. The TokenCode is the time-based
// one-time password (TOTP) that the MFA device produces.
// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
//
// # Tags
//
// (Optional) You can pass tag key-value pairs to your session. These tags are
// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
// User Guide.
//
// An administrator must grant you the permissions necessary to pass session tags.
// The administrator can also create granular permissions to allow you to pass only
// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
//
// You can set the session tags as transitive. Transitive tags persist during role
// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// # Using MFA with AssumeRole
//
// (Optional) You can include multi-factor authentication (MFA) information when
// you call AssumeRole . This is useful for cross-account scenarios to ensure that
// the user that assumes the role has been authenticated with an Amazon Web
// Services MFA device. In that scenario, the trust policy of the role being
// assumed includes a condition that tests for MFA authentication. If the caller
// does not include valid MFA information, the request to assume the role is
// denied. The condition in a trust policy that tests for MFA authentication might
// look like the following example.
//
// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
//
// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
//
// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
// parameters. The SerialNumber value identifies the user's hardware or virtual
// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
// MFA device produces.
//
// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
if params == nil {
params = &AssumeRoleInput{}
@ -101,17 +131,19 @@ type AssumeRoleInput struct {
// This member is required.
RoleArn *string
// An identifier for the assumed role session. Use the role session name to
// uniquely identify a session when the same role is assumed by different
// principals or for different reasons. In cross-account scenarios, the role
// session name is visible to, and can be logged by the account that owns the role.
// The role session name is also used in the ARN of the assumed role principal.
// This means that subsequent cross-account API requests that use the temporary
// security credentials will expose the role session name to the external account
// in their CloudTrail logs. The regex used to validate this parameter is a string
// of characters consisting of upper- and lower-case alphanumeric characters with
// no spaces. You can also include underscores or any of the following characters:
// =,.@-
// An identifier for the assumed role session.
//
// Use the role session name to uniquely identify a session when the same role is
// assumed by different principals or for different reasons. In cross-account
// scenarios, the role session name is visible to, and can be logged by the account
// that owns the role. The role session name is also used in the ARN of the assumed
// role principal. This means that subsequent cross-account API requests that use
// the temporary security credentials will expose the role session name to the
// external account in their CloudTrail logs.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// This member is required.
RoleSessionName *string
@ -122,23 +154,27 @@ type AssumeRoleInput struct {
// hours. If you specify a value higher than this setting or the administrator
// setting (whichever is lower), the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. Role chaining limits your Amazon Web
// Services CLI or Amazon Web Services API role session to a maximum of one hour.
// When you use the AssumeRole API operation to assume a role, you can specify the
// duration of your role session with the DurationSeconds parameter. You can
// specify a parameter value of up to 43200 seconds (12 hours), depending on the
// maximum session duration setting for your role. However, if you assume a role
// using role chaining and provide a DurationSeconds parameter value greater than
// one hour, the operation fails. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration
// duration to 6 hours, your operation fails.
//
// Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
// role session to a maximum of one hour. When you use the AssumeRole API
// operation to assume a role, you can specify the duration of your role session
// with the DurationSeconds parameter. You can specify a parameter value of up to
// 43200 seconds (12 hours), depending on the maximum session duration setting for
// your role. However, if you assume a role using role chaining and provide a
// DurationSeconds parameter value greater than one hour, the operation fails. To
// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide.
// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
//
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// A unique identifier that might be required when you assume a role in another
@ -149,63 +185,79 @@ type AssumeRoleInput struct {
// the administrator of the trusting account might send an external ID to the
// administrator of the trusted account. That way, only someone with the ID can
// assume the role, rather than everyone in the account. For more information about
// the external ID, see How to Use an External ID When Granting Access to Your
// Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@:/-
// the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@:/-
//
// [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
ExternalId *string
// An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// User Guide.
//
// The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
// the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plaintext that you use for both inline and managed session policies
// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// A list of previously acquired trusted context assertions in the format of a
// JSON array. The trusted context assertion is signed and encrypted by Amazon Web
// Services STS. The following is an example of a ProvidedContext value that
// includes a single trusted context assertion and the ARN of the context provider
// from which the trusted context assertion was generated.
// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
// Services STS.
//
// The following is an example of a ProvidedContext value that includes a single
// trusted context assertion and the ARN of the context provider from which the
// trusted context assertion was generated.
//
// [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
ProvidedContexts []types.ProvidedContext
// The identification number of the MFA device that is associated with the user
@ -213,79 +265,97 @@ type AssumeRoleInput struct {
// the role being assumed includes a condition that requires MFA authentication.
// The value is either the serial number for a hardware device (such as
// GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
// arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
// is a string of characters consisting of upper- and lower-case alphanumeric
// characters with no spaces. You can also include underscores or any of the
// following characters: =,.@-
// arn:aws:iam::123456789012:mfa/user ).
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
SerialNumber *string
// The source identity specified by the principal that is calling the AssumeRole
// operation. You can require users to specify a source identity when they assume a
// role. You do this by using the sts:SourceIdentity condition key in a role trust
// policy. You can use source identity information in CloudTrail logs to determine
// who took actions with a role. You can use the aws:SourceIdentity condition key
// to further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see Monitor
// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@-. You cannot use a value that begins with the text aws: . This prefix is
// reserved for Amazon Web Services internal use.
// operation.
//
// You can require users to specify a source identity when they assume a role. You
// do this by using the sts:SourceIdentity condition key in a role trust policy.
// You can use source identity information in CloudTrail logs to determine who took
// actions with a role. You can use the aws:SourceIdentity condition key to
// further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
// IAM User Guide.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-. You cannot use a
// value that begins with the text aws: . This prefix is reserved for Amazon Web
// Services internal use.
//
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// A list of session tags that you want to pass. Each session tag consists of a
// key name and an associated value. For more information about session tags, see
// Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
// tags. The plaintext session tag keys cant exceed 128 characters, and the values
// cant exceed 256 characters. For these and additional limits, see IAM and STS
// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is already attached to the role. When you do, session
// tags override a role tag with the same key. Tag keyvalue pairs are not case
// sensitive, but case is preserved. This means that you cannot have separate
// Department and department tag keys. Assume that the role has the Department =
// Marketing tag and you pass the department = engineering session tag. Department
// and department are not saved as separate tags, and the session tag passed in
// the request takes precedence over the role tag. Additionally, if you used
// temporary credentials to perform this operation, the new session inherits any
// transitive session tags from the calling session. If you pass a session tag with
// the same key as an inherited tag, the operation fails. To view the inherited
// tags for a session, see the CloudTrail logs. For more information, see Viewing
// Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
// key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
// in the IAM User Guide.
//
// This parameter is optional. You can pass up to 50 session tags. The plaintext
// session tag keys cant exceed 128 characters, and the values cant exceed 256
// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// You can pass a session tag with the same key as a tag that is already attached
// to the role. When you do, session tags override a role tag with the same key.
//
// Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the role has the Department = Marketing tag and you pass the department =
// engineering session tag. Department and department are not saved as separate
// tags, and the session tag passed in the request takes precedence over the role
// tag.
//
// Additionally, if you used temporary credentials to perform this operation, the
// new session inherits any transitive session tags from the calling session. If
// you pass a session tag with the same key as an inherited tag, the operation
// fails. To view the inherited tags for a session, see the CloudTrail logs. For
// more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
//
// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
Tags []types.Tag
// The value provided by the MFA device, if the trust policy of the role being
// assumed requires MFA. (In other words, if the policy includes a condition that
// tests for MFA). If the role being assumed requires MFA and if the TokenCode
// value is missing or expired, the AssumeRole call returns an "access denied"
// error. The format for this parameter, as described by its regex pattern, is a
// sequence of six numeric digits.
// error.
//
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode *string
// A list of keys for session tags that you want to set as transitive. If you set
// a tag key as transitive, the corresponding key and value passes to subsequent
// sessions in a role chain. For more information, see Chaining Roles with Session
// Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. This parameter is optional. When you set session tags as
// transitive, the session policy and session tags packed binary limit is not
// affected. If you choose not to specify a transitive tag key, then no tags are
// passed from this session to any subsequent sessions.
// sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// This parameter is optional. When you set session tags as transitive, the
// session policy and session tags packed binary limit is not affected.
//
// If you choose not to specify a transitive tag key, then no tags are passed from
// this session to any subsequent sessions.
//
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
TransitiveTagKeys []string
noSmithyDocumentSerde
}
// Contains the response to a successful AssumeRole request, including temporary
// Amazon Web Services credentials that can be used to make Amazon Web Services
// requests.
// Contains the response to a successful AssumeRole request, including temporary Amazon Web
// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@ -296,9 +366,10 @@ type AssumeRoleOutput struct {
AssumedRoleUser *types.AssumedRoleUser
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token
// that STS API operations return is not fixed. We strongly recommend that you make
// no assumptions about the maximum size.
// access key, and a security (or session) token.
//
// The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and
@ -308,17 +379,21 @@ type AssumeRoleOutput struct {
PackedPolicySize *int32
// The source identity specified by the principal that is calling the AssumeRole
// operation. You can require users to specify a source identity when they assume a
// role. You do this by using the sts:SourceIdentity condition key in a role trust
// policy. You can use source identity information in CloudTrail logs to determine
// who took actions with a role. You can use the aws:SourceIdentity condition key
// to further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see Monitor
// and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@-
// operation.
//
// You can require users to specify a source identity when they assume a role. You
// do this by using the sts:SourceIdentity condition key in a role trust policy.
// You can use source identity information in CloudTrail logs to determine who took
// actions with a role. You can use the aws:SourceIdentity condition key to
// further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
// IAM User Guide.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// Metadata pertaining to the operation's result.
@ -382,6 +457,12 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
return err
}

View File

@ -16,92 +16,132 @@ import (
// mechanism for tying an enterprise identity store or directory to role-based
// Amazon Web Services access without user-specific credentials or configuration.
// For a comparison of AssumeRoleWithSAML with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this
// operation consist of an access key ID, a secret access key, and a security
// token. Applications can use these temporary security credentials to sign calls
// to Amazon Web Services services. Session Duration By default, the temporary
// security credentials created by AssumeRoleWithSAML last for one hour. However,
// you can use the optional DurationSeconds parameter to specify the duration of
// your session. Your role session lasts for the duration that you specify, or
// until the time specified in the SAML authentication response's
// SessionNotOnOrAfter value, whichever is shorter. You can provide a
// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
// duration setting for the role. This setting can have a value from 1 hour to 12
// hours. To learn how to view the maximum value for your role, see View the
// Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
// limits your CLI or Amazon Web Services API role session to a maximum of one
// produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
//
// The temporary security credentials returned by this operation consist of an
// access key ID, a secret access key, and a security token. Applications can use
// these temporary security credentials to sign calls to Amazon Web Services
// services.
//
// # Session Duration
//
// By default, the temporary security credentials created by AssumeRoleWithSAML
// last for one hour. However, you can use the optional DurationSeconds parameter
// to specify the duration of your session. Your role session lasts for the
// duration that you specify, or until the time specified in the SAML
// authentication response's SessionNotOnOrAfter value, whichever is shorter. You
// can provide a DurationSeconds value from 900 seconds (15 minutes) up to the
// maximum session duration setting for the role. This setting can have a value
// from 1 hour to 12 hours. To learn how to view the maximum value for your role,
// see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide. The maximum session duration limit applies when you
// use the AssumeRole* API operations or the assume-role* CLI commands. However
// the limit does not apply when you use those operations to create a console URL.
// For more information, see [Using IAM Roles]in the IAM User Guide.
//
// [Role chaining]limits your CLI or Amazon Web Services API role session to a maximum of one
// hour. When you use the AssumeRole API operation to assume a role, you can
// specify the duration of your role session with the DurationSeconds parameter.
// You can specify a parameter value of up to 43200 seconds (12 hours), depending
// on the maximum session duration setting for your role. However, if you assume a
// role using role chaining and provide a DurationSeconds parameter value greater
// than one hour, the operation fails. Permissions The temporary security
// credentials created by AssumeRoleWithSAML can be used to make API calls to any
// Amazon Web Services service with the following exception: you cannot call the
// STS GetFederationToken or GetSessionToken API operations. (Optional) You can
// pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
// Amazon Web Services security credentials. The identity of the caller is
// validated by using keys in the metadata document that is uploaded for the SAML
// provider entity for your identity provider. Calling AssumeRoleWithSAML can
// result in an entry in your CloudTrail logs. The entry includes the value in the
// NameID element of the SAML assertion. We recommend that you use a NameIDType
// that is not associated with any personally identifiable information (PII). For
// example, you could instead use the persistent identifier (
// urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
// configure your IdP to pass attributes into your SAML assertion as session tags.
// Each session tag consists of a key name and an associated value. For more
// information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
// tag keys cant exceed 128 characters and the values cant exceed 256 characters.
// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is attached to the role. When you do, session tags
// override the role's tags with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. SAML Configuration Before your application can call
// AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
// issue the claims required by Amazon Web Services. Additionally, you must use
// Identity and Access Management (IAM) to create a SAML provider entity in your
// Amazon Web Services account that represents your identity provider. You must
// also create an IAM role that specifies this SAML provider in its trust policy.
// than one hour, the operation fails.
//
// # Permissions
//
// The temporary security credentials created by AssumeRoleWithSAML can be used to
// make API calls to any Amazon Web Services service with the following exception:
// you cannot call the STS GetFederationToken or GetSessionToken API operations.
//
// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// single JSON policy document to use as an inline session policy. You can also
// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// session policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. Passing policies to this operation
// returns new temporary credentials. The resulting session's permissions are the
// intersection of the role's identity-based policy and the session policies. You
// can use the role's temporary credentials in subsequent Amazon Web Services API
// calls to access resources in the account that owns the role. You cannot use
// session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see [Session Policies]in the IAM User Guide.
//
// Calling AssumeRoleWithSAML does not require the use of Amazon Web Services
// security credentials. The identity of the caller is validated by using keys in
// the metadata document that is uploaded for the SAML provider entity for your
// identity provider.
//
// Calling AssumeRoleWithSAML can result in an entry in your CloudTrail logs. The
// entry includes the value in the NameID element of the SAML assertion. We
// recommend that you use a NameIDType that is not associated with any personally
// identifiable information (PII). For example, you could instead use the
// persistent identifier ( urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ).
//
// # Tags
//
// (Optional) You can configure your IdP to pass attributes into your SAML
// assertion as session tags. Each session tag consists of a key name and an
// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// Guide.
//
// You can pass up to 50 session tags. The plaintext session tag keys cant exceed
// 128 characters and the values cant exceed 256 characters. For these and
// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// You can pass a session tag with the same key as a tag that is attached to the
// role. When you do, session tags override the role's tags with the same key.
//
// An administrator must grant you the permissions necessary to pass session tags.
// The administrator can also create granular permissions to allow you to pass only
// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
//
// You can set the session tags as transitive. Transitive tags persist during role
// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// # SAML Configuration
//
// Before your application can call AssumeRoleWithSAML , you must configure your
// SAML identity provider (IdP) to issue the claims required by Amazon Web
// Services. Additionally, you must use Identity and Access Management (IAM) to
// create a SAML provider entity in your Amazon Web Services account that
// represents your identity provider. You must also create an IAM role that
// specifies this SAML provider in its trust policy.
//
// For more information, see the following resources:
// - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
// in the IAM User Guide.
// - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
// in the IAM User Guide.
// - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
// in the IAM User Guide.
// - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
// in the IAM User Guide.
//
// [About SAML 2.0-based Federation]
// - in the IAM User Guide.
//
// [Creating SAML Identity Providers]
// - in the IAM User Guide.
//
// [Configuring a Relying Party and Claims]
// - in the IAM User Guide.
//
// [Creating a Role for SAML 2.0 Federation]
// - in the IAM User Guide.
//
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a Role for SAML 2.0 Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Creating SAML Identity Providers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
// [Configuring a Relying Party and Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
// [Role chaining]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [About SAML 2.0-based Federation]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
if params == nil {
params = &AssumeRoleWithSAMLInput{}
@ -130,9 +170,11 @@ type AssumeRoleWithSAMLInput struct {
// This member is required.
RoleArn *string
// The base64 encoded SAML authentication response provided by the IdP. For more
// information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// in the IAM User Guide.
// The base64 encoded SAML authentication response provided by the IdP.
//
// For more information, see [Configuring a Relying Party and Adding Claims] in the IAM User Guide.
//
// [Configuring a Relying Party and Adding Claims]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
//
// This member is required.
SAMLAssertion *string
@ -146,92 +188,114 @@ type AssumeRoleWithSAMLInput struct {
// than this setting, the operation fails. For example, if you specify a session
// duration of 12 hours, but your administrator set the maximum session duration to
// 6 hours, your operation fails. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration
// role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide.
// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
//
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// User Guide.
//
// The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
// the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plaintext that you use for both inline and managed session policies
// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
noSmithyDocumentSerde
}
// Contains the response to a successful AssumeRoleWithSAML request, including
// temporary Amazon Web Services credentials that can be used to make Amazon Web
// Services requests.
// Contains the response to a successful AssumeRoleWithSAML request, including temporary Amazon Web
// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleWithSAMLOutput struct {
// The identifiers for the temporary security credentials that the operation
// returns.
AssumedRoleUser *types.AssumedRoleUser
// The value of the Recipient attribute of the SubjectConfirmationData element of
// The value of the Recipient attribute of the SubjectConfirmationData element of
// the SAML assertion.
Audience *string
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token
// that STS API operations return is not fixed. We strongly recommend that you make
// no assumptions about the maximum size.
// access key, and a security (or session) token.
//
// The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// The value of the Issuer element of the SAML assertion.
Issuer *string
// A hash value based on the concatenation of the following:
//
// - The Issuer response value.
//
// - The Amazon Web Services account ID.
//
// - The friendly name (the last part of the ARN) of the SAML provider in IAM.
//
// The combination of NameQualifier and Subject can be used to uniquely identify a
// user. The following pseudocode shows how the hash value is calculated: BASE64 (
// SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
// user.
//
// The following pseudocode shows how the hash value is calculated:
//
// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
NameQualifier *string
// A percentage value that indicates the packed size of the session policies and
@ -240,31 +304,36 @@ type AssumeRoleWithSAMLOutput struct {
// allowed space.
PackedPolicySize *int32
// The value in the SourceIdentity attribute in the SAML assertion. You can
// require users to set a source identity value when they assume a role. You do
// this by using the sts:SourceIdentity condition key in a role trust policy. That
// way, actions that are taken with the role are associated with that user. After
// the source identity is set, the value cannot be changed. It is present in the
// request for all actions that are taken by the role and persists across chained
// role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// sessions. You can configure your SAML identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
// assertion. For more information about using source identity, see Monitor and
// control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@-
// The value in the SourceIdentity attribute in the SAML assertion.
//
// You can require users to set a source identity value when they assume a role.
// You do this by using the sts:SourceIdentity condition key in a role trust
// policy. That way, actions that are taken with the role are associated with that
// user. After the source identity is set, the value cannot be changed. It is
// present in the request for all actions that are taken by the role and persists
// across [chained role]sessions. You can configure your SAML identity provider to use an
// attribute associated with your users, like user name or email, as the source
// identity when calling AssumeRoleWithSAML . You do this by adding an attribute to
// the SAML assertion. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in
// the IAM User Guide.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
SourceIdentity *string
// The value of the NameID element in the Subject element of the SAML assertion.
Subject *string
// The format of the name ID, as defined by the Format attribute in the NameID
// The format of the name ID, as defined by the Format attribute in the NameID
// element of the SAML assertion. Typical examples of the format are transient or
// persistent . If the format includes the prefix
// urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
// persistent .
//
// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format ,
// that prefix is removed. For example,
// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
// If the format includes any other prefix, the format is returned with no
// modifications.
@ -328,6 +397,12 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil {
return err
}

View File

@ -14,105 +14,143 @@ import (
// Returns a set of temporary security credentials for users who have been
// authenticated in a mobile or web application with a web identity provider.
// Example providers include the OAuth 2.0 providers Login with Amazon and
// Facebook, or any OpenID Connect-compatible identity provider such as Google or
// Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
// . For mobile applications, we recommend that you use Amazon Cognito. You can use
// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
// and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
// to uniquely identify a user. You can also supply the user with a consistent
// identity throughout the lifetime of an application. To learn more about Amazon
// Cognito, see Amazon Cognito identity pools (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
// in Amazon Cognito Developer Guide. Calling AssumeRoleWithWebIdentity does not
// require the use of Amazon Web Services security credentials. Therefore, you can
// distribute an application (for example, on mobile devices) that requests
// temporary security credentials without including long-term Amazon Web Services
// credentials in the application. You also don't need to deploy server-based proxy
// services that use long-term Amazon Web Services credentials. Instead, the
// identity of the caller is validated by using a token from the web identity
// provider. For a comparison of AssumeRoleWithWebIdentity with the other API
// operations that produce temporary credentials, see Requesting Temporary
// Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this API
// consist of an access key ID, a secret access key, and a security token.
// Applications can use these temporary security credentials to sign calls to
// Amazon Web Services service API operations. Session Duration By default, the
// temporary security credentials created by AssumeRoleWithWebIdentity last for
// one hour. However, you can use the optional DurationSeconds parameter to
// specify the duration of your session. You can provide a value from 900 seconds
// (15 minutes) up to the maximum session duration setting for the role. This
// setting can have a value from 1 hour to 12 hours. To learn how to view the
// maximum value for your role, see View the Maximum Session Duration Setting for
// a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// in the IAM User Guide. Permissions The temporary security credentials created by
// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
// Services service with the following exception: you cannot call the STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
// attributes into your web identity token as session tags. Each session tag
// consists of a key name and an associated value. For more information about
// session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
// tag keys cant exceed 128 characters and the values cant exceed 256 characters.
// For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is attached to the role. When you do, the session tag
// overrides the role tag with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles
// with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Identities Before your application can call
// AssumeRoleWithWebIdentity , you must have an identity token from a supported
// identity provider and create a role that the application can assume. The role
// that your application assumes must trust the identity provider that is
// associated with the identity token. In other words, the identity provider must
// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
// result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
// of the provided web identity token. We recommend that you avoid using any
// personally identifiable information (PII) in this field. For example, you could
// instead use a GUID or a pairwise identifier, as suggested in the OIDC
// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
// . For more information about how to use web identity federation and the
// Facebook, or any OpenID Connect-compatible identity provider such as Google or [Amazon Cognito federated identities].
//
// For mobile applications, we recommend that you use Amazon Cognito. You can use
// Amazon Cognito with the [Amazon Web Services SDK for iOS Developer Guide]and the [Amazon Web Services SDK for Android Developer Guide] to uniquely identify a user. You can also
// supply the user with a consistent identity throughout the lifetime of an
// application.
//
// To learn more about Amazon Cognito, see [Amazon Cognito identity pools] in Amazon Cognito Developer Guide.
//
// Calling AssumeRoleWithWebIdentity does not require the use of Amazon Web
// Services security credentials. Therefore, you can distribute an application (for
// example, on mobile devices) that requests temporary security credentials without
// including long-term Amazon Web Services credentials in the application. You also
// don't need to deploy server-based proxy services that use long-term Amazon Web
// Services credentials. Instead, the identity of the caller is validated by using
// a token from the web identity provider. For a comparison of
// AssumeRoleWithWebIdentity with the other API operations that produce temporary
// credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
//
// The temporary security credentials returned by this API consist of an access
// key ID, a secret access key, and a security token. Applications can use these
// temporary security credentials to sign calls to Amazon Web Services service API
// operations.
//
// # Session Duration
//
// By default, the temporary security credentials created by
// AssumeRoleWithWebIdentity last for one hour. However, you can use the optional
// DurationSeconds parameter to specify the duration of your session. You can
// provide a value from 900 seconds (15 minutes) up to the maximum session duration
// setting for the role. This setting can have a value from 1 hour to 12 hours. To
// learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
// The maximum session duration limit applies when you use the AssumeRole* API
// operations or the assume-role* CLI commands. However the limit does not apply
// when you use those operations to create a console URL. For more information, see
// [Using IAM Roles]in the IAM User Guide.
//
// # Permissions
//
// The temporary security credentials created by AssumeRoleWithWebIdentity can be
// used to make API calls to any Amazon Web Services service with the following
// exception: you cannot call the STS GetFederationToken or GetSessionToken API
// operations.
//
// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
// single JSON policy document to use as an inline session policy. You can also
// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
// session policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. Passing policies to this operation
// returns new temporary credentials. The resulting session's permissions are the
// intersection of the role's identity-based policy and the session policies. You
// can use the role's temporary credentials in subsequent Amazon Web Services API
// calls to access resources in the account that owns the role. You cannot use
// session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see [Session Policies]in the IAM User Guide.
//
// # Tags
//
// (Optional) You can configure your IdP to pass attributes into your web identity
// token as session tags. Each session tag consists of a key name and an associated
// value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User Guide.
//
// You can pass up to 50 session tags. The plaintext session tag keys cant exceed
// 128 characters and the values cant exceed 256 characters. For these and
// additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// You can pass a session tag with the same key as a tag that is attached to the
// role. When you do, the session tag overrides the role tag with the same key.
//
// An administrator must grant you the permissions necessary to pass session tags.
// The administrator can also create granular permissions to allow you to pass only
// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
//
// You can set the session tags as transitive. Transitive tags persist during role
// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
//
// # Identities
//
// Before your application can call AssumeRoleWithWebIdentity , you must have an
// identity token from a supported identity provider and create a role that the
// application can assume. The role that your application assumes must trust the
// identity provider that is associated with the identity token. In other words,
// the identity provider must be specified in the role's trust policy.
//
// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
// logs. The entry includes the [Subject]of the provided web identity token. We recommend
// that you avoid using any personally identifiable information (PII) in this
// field. For example, you could instead use a GUID or a pairwise identifier, as [suggested in the OIDC specification].
//
// For more information about how to use web identity federation and the
// AssumeRoleWithWebIdentity API, see the following resources:
// - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// .
// - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
// . Walk through the process of authenticating through Login with Amazon,
//
// [Using Web Identity Federation API Operations for Mobile Apps]
// - and [Federation Through a Web-based Identity Provider].
//
// [Web Identity Federation Playground]
// - . Walk through the process of authenticating through Login with Amazon,
// Facebook, or Google, getting temporary security credentials, and then using
// those credentials to make a request to Amazon Web Services.
// - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
// and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
// . These toolkits contain sample apps that show how to invoke the identity
// providers. The toolkits then show how to use the information from these
//
// [Amazon Web Services SDK for iOS Developer Guide]
// - and [Amazon Web Services SDK for Android Developer Guide]. These toolkits contain sample apps that show how to invoke the
// identity providers. The toolkits then show how to use the information from these
// providers to get and use temporary security credentials.
// - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
// . This article discusses web identity federation and shows an example of how to
// use web identity federation to get access to content in Amazon S3.
//
// [Web Identity Federation with Mobile Applications]
// - . This article discusses web identity federation and shows an example of
// how to use web identity federation to get access to content in Amazon S3.
//
// [Amazon Web Services SDK for iOS Developer Guide]: http://aws.amazon.com/sdkforios/
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Web Identity Federation Playground]: https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/
// [Amazon Web Services SDK for Android Developer Guide]: http://aws.amazon.com/sdkforandroid/
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Subject]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
// [Amazon Cognito identity pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
// [Using IAM Roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Cognito federated identities]: https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
// [Web Identity Federation with Mobile Applications]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
// [Using Web Identity Federation API Operations for Mobile Apps]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
// [suggested in the OIDC specification]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
if params == nil {
params = &AssumeRoleWithWebIdentityInput{}
@ -139,10 +177,11 @@ type AssumeRoleWithWebIdentityInput struct {
// identifier that is associated with the user who is using your application. That
// way, the temporary security credentials that your application will use are
// associated with that user. This session name is included as part of the ARN and
// assumed role ID in the AssumedRoleUser response element. The regex used to
// validate this parameter is a string of characters consisting of upper- and
// lower-case alphanumeric characters with no spaces. You can also include
// underscores or any of the following characters: =,.@-
// assumed role ID in the AssumedRoleUser response element.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// This member is required.
RoleSessionName *string
@ -162,73 +201,90 @@ type AssumeRoleWithWebIdentityInput struct {
// higher than this setting, the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum
// value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration
// value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
//
// By default, the value is set to 3600 seconds.
//
// The DurationSeconds parameter is separate from the duration of a console
// session that you might request using the returned credentials. The request to
// the federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide.
// information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
//
// [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
// [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
//
// This parameter is optional. Passing policies to this operation returns new
// temporary credentials. The resulting session's permissions are the intersection
// of the role's identity-based policy and the session policies. You can use the
// role's temporary credentials in subsequent Amazon Web Services API calls to
// access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session
// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid
// character list (\u0020 through \u00FF). It can also include the tab (\u0009),
// linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web
// Services conversion compresses the passed inline session policy, managed policy
// ARNs, and session tags into a packed binary format that has a separate limit.
// Your request can fail for this limit even if your plaintext meets the other
// requirements. The PackedPolicySize response element indicates by percentage how
// close the policies and tags for your request are to the upper size limit.
// policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
// User Guide.
//
// The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as managed session policies. The policies must exist in the same account as
// the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The
// PackedPolicySize response element indicates by percentage how close the policies
// and tags for your request are to the upper size limit. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide.
// the role.
//
// This parameter is optional. You can provide up to 10 managed policy ARNs.
// However, the plaintext that you use for both inline and managed session policies
// can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
// Amazon Web Services General Reference.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// Passing policies to this operation returns new temporary credentials. The
// resulting session's permissions are the intersection of the role's
// identity-based policy and the session policies. You can use the role's temporary
// credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see [Session Policies]in the IAM User Guide.
//
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// The fully qualified host component of the domain name of the OAuth 2.0 identity
// provider. Do not specify this value for an OpenID Connect identity provider.
//
// Currently www.amazon.com and graph.facebook.com are the only supported identity
// providers for OAuth 2.0 access tokens. Do not include URL schemes and port
// numbers. Do not specify this value for OpenID Connect ID tokens.
// numbers.
//
// Do not specify this value for OpenID Connect ID tokens.
ProviderId *string
noSmithyDocumentSerde
}
// Contains the response to a successful AssumeRoleWithWebIdentity request,
// including temporary Amazon Web Services credentials that can be used to make
// Amazon Web Services requests.
// Contains the response to a successful AssumeRoleWithWebIdentity request, including temporary Amazon Web
// Services credentials that can be used to make Amazon Web Services requests.
type AssumeRoleWithWebIdentityOutput struct {
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
@ -244,9 +300,10 @@ type AssumeRoleWithWebIdentityOutput struct {
Audience *string
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security token. The size of the security token that STS API
// operations return is not fixed. We strongly recommend that you make no
// assumptions about the maximum size.
// access key, and a security token.
//
// The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// A percentage value that indicates the packed size of the session policies and
@ -255,30 +312,34 @@ type AssumeRoleWithWebIdentityOutput struct {
// allowed space.
PackedPolicySize *int32
// The issuing authority of the web identity token presented. For OpenID Connect
// The issuing authority of the web identity token presented. For OpenID Connect
// ID tokens, this contains the value of the iss field. For OAuth 2.0 access
// tokens, this contains the value of the ProviderId parameter that was passed in
// the AssumeRoleWithWebIdentity request.
Provider *string
// The value of the source identity that is returned in the JSON web token (JWT)
// from the identity provider. You can require users to set a source identity value
// when they assume a role. You do this by using the sts:SourceIdentity condition
// key in a role trust policy. That way, actions that are taken with the role are
// associated with that user. After the source identity is set, the value cannot be
// changed. It is present in the request for all actions that are taken by the role
// and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// sessions. You can configure your identity provider to use an attribute
// from the identity provider.
//
// You can require users to set a source identity value when they assume a role.
// You do this by using the sts:SourceIdentity condition key in a role trust
// policy. That way, actions that are taken with the role are associated with that
// user. After the source identity is set, the value cannot be changed. It is
// present in the request for all actions that are taken by the role and persists
// across [chained role]sessions. You can configure your identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
// web token. To learn more about OIDC tokens and claims, see Using Tokens with
// User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
// in the Amazon Cognito Developer Guide. For more information about using source
// identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@-
// web token. To learn more about OIDC tokens and claims, see [Using Tokens with User Pools]in the Amazon
// Cognito Developer Guide. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
// in the IAM User Guide.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// [chained role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
// [Using Tokens with User Pools]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
SourceIdentity *string
// The unique user identifier that is returned by the identity provider. This
@ -347,6 +408,12 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpAssumeRoleWithWebIdentityValidationMiddleware(stack); err != nil {
return err
}

View File

@ -11,28 +11,39 @@ import (
)
// Decodes additional information about the authorization status of a request from
// an encoded message returned in response to an Amazon Web Services request. For
// example, if a user is not authorized to perform an operation that he or she has
// requested, the request returns a Client.UnauthorizedOperation response (an HTTP
// 403 response). Some Amazon Web Services operations additionally return an
// encoded message that can provide details about this authorization failure. Only
// certain Amazon Web Services operations return an encoded authorization message.
// The documentation for an individual operation indicates whether that operation
// returns an encoded message in addition to returning an HTTP code. The message is
// encoded because the details of the authorization status can contain privileged
// information that the user who requested the operation should not see. To decode
// an authorization status message, a user must be granted permissions through an
// IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
// to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
// action. The decoded message includes the following type of information:
// an encoded message returned in response to an Amazon Web Services request.
//
// For example, if a user is not authorized to perform an operation that he or she
// has requested, the request returns a Client.UnauthorizedOperation response (an
// HTTP 403 response). Some Amazon Web Services operations additionally return an
// encoded message that can provide details about this authorization failure.
//
// Only certain Amazon Web Services operations return an encoded authorization
// message. The documentation for an individual operation indicates whether that
// operation returns an encoded message in addition to returning an HTTP code.
//
// The message is encoded because the details of the authorization status can
// contain privileged information that the user who requested the operation should
// not see. To decode an authorization status message, a user must be granted
// permissions through an IAM [policy]to request the DecodeAuthorizationMessage (
// sts:DecodeAuthorizationMessage ) action.
//
// The decoded message includes the following type of information:
//
// - Whether the request was denied due to an explicit deny or due to the
// absence of an explicit allow. For more information, see Determining Whether a
// Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
// in the IAM User Guide.
// absence of an explicit allow. For more information, see [Determining Whether a Request is Allowed or Denied]in the IAM User
// Guide.
//
// - The principal who made the request.
//
// - The requested action.
//
// - The requested resource.
//
// - The values of condition keys in the context of the user's request.
//
// [Determining Whether a Request is Allowed or Denied]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
// [policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
if params == nil {
params = &DecodeAuthorizationMessageInput{}
@ -127,6 +138,12 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpDecodeAuthorizationMessageValidationMiddleware(stack); err != nil {
return err
}

View File

@ -10,23 +10,31 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http"
)
// Returns the account identifier for the specified access key ID. Access keys
// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
// a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
// For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
// in the IAM User Guide. When you pass an access key ID to this operation, it
// returns the ID of the Amazon Web Services account to which the keys belong.
// Access key IDs beginning with AKIA are long-term credentials for an IAM user or
// the Amazon Web Services account root user. Access key IDs beginning with ASIA
// are temporary credentials that are created using STS operations. If the account
// in the response belongs to you, you can sign in as the root user and review your
// root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
// to learn which IAM user owns the keys. To learn who requested the temporary
// credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
// in the IAM User Guide. This operation does not indicate the state of the access
// key. The key might be active, inactive, or deleted. Active keys might not have
// permissions to perform an operation. Providing a deleted access key might return
// an error that the key doesn't exist.
// Returns the account identifier for the specified access key ID.
//
// Access keys consist of two parts: an access key ID (for example,
// AKIAIOSFODNN7EXAMPLE ) and a secret access key (for example,
// wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ). For more information about access
// keys, see [Managing Access Keys for IAM Users]in the IAM User Guide.
//
// When you pass an access key ID to this operation, it returns the ID of the
// Amazon Web Services account to which the keys belong. Access key IDs beginning
// with AKIA are long-term credentials for an IAM user or the Amazon Web Services
// account root user. Access key IDs beginning with ASIA are temporary credentials
// that are created using STS operations. If the account in the response belongs to
// you, you can sign in as the root user and review your root user access keys.
// Then, you can pull a [credentials report]to learn which IAM user owns the keys. To learn who
// requested the temporary credentials for an ASIA access key, view the STS events
// in your [CloudTrail logs]in the IAM User Guide.
//
// This operation does not indicate the state of the access key. The key might be
// active, inactive, or deleted. Active keys might not have permissions to perform
// an operation. Providing a deleted access key might return an error that the key
// doesn't exist.
//
// [credentials report]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
// [CloudTrail logs]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
// [Managing Access Keys for IAM Users]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error) {
if params == nil {
params = &GetAccessKeyInfoInput{}
@ -44,9 +52,10 @@ func (c *Client) GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoI
type GetAccessKeyInfoInput struct {
// The identifier of an access key. This parameter allows (through its regex
// pattern) a string of characters that can consist of any upper- or lowercase
// letter or digit.
// The identifier of an access key.
//
// This parameter allows (through its regex pattern) a string of characters that
// can consist of any upper- or lowercase letter or digit.
//
// This member is required.
AccessKeyId *string
@ -120,6 +129,12 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpGetAccessKeyInfoValidationMiddleware(stack); err != nil {
return err
}

View File

@ -12,13 +12,15 @@ import (
)
// Returns details about the IAM user or role whose credentials are used to call
// the operation. No permissions are required to perform this operation. If an
// administrator attaches a policy to your identity that explicitly denies access
// to the sts:GetCallerIdentity action, you can still perform this operation.
// Permissions are not required because the same information is returned when
// access is denied. To view an example response, see I Am Not Authorized to
// Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// in the IAM User Guide.
// the operation.
//
// No permissions are required to perform this operation. If an administrator
// attaches a policy to your identity that explicitly denies access to the
// sts:GetCallerIdentity action, you can still perform this operation. Permissions
// are not required because the same information is returned when access is denied.
// To view an example response, see [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]in the IAM User Guide.
//
// [I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
if params == nil {
params = &GetCallerIdentityInput{}
@ -38,8 +40,8 @@ type GetCallerIdentityInput struct {
noSmithyDocumentSerde
}
// Contains the response to a successful GetCallerIdentity request, including
// information about the entity making the request.
// Contains the response to a successful GetCallerIdentity request, including information about the
// entity making the request.
type GetCallerIdentityOutput struct {
// The Amazon Web Services account ID number of the account that owns or contains
@ -51,8 +53,10 @@ type GetCallerIdentityOutput struct {
// The unique identifier of the calling entity. The exact value depends on the
// type of entity that is making the call. The values returned are those listed in
// the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
// found on the Policy Variables reference page in the IAM User Guide.
// the aws:userid column in the [Principal table]found on the Policy Variables reference page in
// the IAM User Guide.
//
// [Principal table]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable
UserId *string
// Metadata pertaining to the operation's result.
@ -116,6 +120,12 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
return err
}

View File

@ -14,74 +14,100 @@ import (
// Returns a set of temporary security credentials (consisting of an access key
// ID, a secret access key, and a security token) for a user. A typical use is in a
// proxy application that gets temporary security credentials on behalf of
// distributed applications inside a corporate network. You must call the
// GetFederationToken operation using the long-term security credentials of an IAM
// user. As a result, this call is appropriate in contexts where those credentials
// can be safeguarded, usually in a server-based application. For a comparison of
// GetFederationToken with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. Although it is possible to call GetFederationToken using
// the security credentials of an Amazon Web Services account root user rather than
// an IAM user that you create for the purpose of a proxy application, we do not
// recommend it. For more information, see Safeguard your root user credentials
// and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
// in the IAM User Guide. You can create a mobile-based or browser-based app that
// can authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. Session duration The temporary credentials are valid for
// the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
// seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
// Temporary credentials obtained by using the root user credentials have a maximum
// duration of 3,600 seconds (1 hour). Permissions You can use the temporary
// credentials created by GetFederationToken in any Amazon Web Services service
// with the following exceptions:
// distributed applications inside a corporate network.
//
// You must call the GetFederationToken operation using the long-term security
// credentials of an IAM user. As a result, this call is appropriate in contexts
// where those credentials can be safeguarded, usually in a server-based
// application. For a comparison of GetFederationToken with the other API
// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
//
// Although it is possible to call GetFederationToken using the security
// credentials of an Amazon Web Services account root user rather than an IAM user
// that you create for the purpose of a proxy application, we do not recommend it.
// For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in the IAM User Guide.
//
// You can create a mobile-based or browser-based app that can authenticate users
// using a web identity provider like Login with Amazon, Facebook, Google, or an
// OpenID Connect-compatible identity provider. In this case, we recommend that you
// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
// Guide.
//
// # Session duration
//
// The temporary credentials are valid for the specified duration, from 900
// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
// session duration is 43,200 seconds (12 hours). Temporary credentials obtained by
// using the root user credentials have a maximum duration of 3,600 seconds (1
// hour).
//
// # Permissions
//
// You can use the temporary credentials created by GetFederationToken in any
// Amazon Web Services service with the following exceptions:
//
// - You cannot call any IAM operations using the CLI or the Amazon Web Services
// API. This limitation does not apply to console sessions.
//
// - You cannot call any STS operations except GetCallerIdentity .
//
// You can use temporary credentials for single sign-on (SSO) to the console. You
// must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// You can use temporary credentials for single sign-on (SSO) to the console.
//
// You must pass an inline or managed [session policy] to this operation. You can pass a single
// JSON policy document to use as an inline session policy. You can also specify up
// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters.
//
// Though the session policy parameters are optional, if you do not pass a policy,
// then the resulting federated user session has no permissions. When you pass
// session policies, the session permissions are the intersection of the IAM user
// policies and the session policies that you pass. This gives you a way to further
// restrict the permissions for a federated user. You cannot use session policies
// to grant more permissions than those that are defined in the permissions policy
// of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. For information about using GetFederationToken to create
// temporary security credentials, see GetFederationToken—Federation Through a
// Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
// . You can use the credentials to access a resource that has a resource-based
// of the IAM user. For more information, see [Session Policies]in the IAM User Guide. For
// information about using GetFederationToken to create temporary security
// credentials, see [GetFederationToken—Federation Through a Custom Identity Broker].
//
// You can use the credentials to access a resource that has a resource-based
// policy. If that policy specifically references the federated user session in the
// Principal element of the policy, the session has the permissions allowed by the
// policy. These permissions are granted in addition to the permissions granted by
// the session policies. Tags (Optional) You can pass tag key-value pairs to your
// session. These are called session tags. For more information about session tags,
// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. You can create a mobile-based or browser-based app that
// can authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity . For more information, see Federation Through a
// Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. An administrator must grant you the permissions necessary
// to pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. Tag keyvalue pairs are not case sensitive, but case is
// preserved. This means that you cannot have separate Department and department
// tag keys. Assume that the user that you are federating has the Department =
// Marketing tag and you pass the department = engineering session tag. Department
// and department are not saved as separate tags, and the session tag passed in
// the request takes precedence over the user tag.
// the session policies.
//
// # Tags
//
// (Optional) You can pass tag key-value pairs to your session. These are called
// session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// Guide.
//
// You can create a mobile-based or browser-based app that can authenticate users
// using a web identity provider like Login with Amazon, Facebook, Google, or an
// OpenID Connect-compatible identity provider. In this case, we recommend that you
// use [Amazon Cognito]or AssumeRoleWithWebIdentity . For more information, see [Federation Through a Web-based Identity Provider] in the IAM User
// Guide.
//
// An administrator must grant you the permissions necessary to pass session tags.
// The administrator can also create granular permissions to allow you to pass only
// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
//
// Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the user that you are federating has the Department = Marketing tag and you
// pass the department = engineering session tag. Department and department are
// not saved as separate tags, and the session tag passed in the request takes
// precedence over the user tag.
//
// [Federation Through a Web-based Identity Provider]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Cognito]: http://aws.amazon.com/cognito/
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [GetFederationToken—Federation Through a Custom Identity Broker]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
if params == nil {
params = &GetFederationTokenInput{}
@ -102,10 +128,11 @@ type GetFederationTokenInput struct {
// The name of the federated user. The name is used as an identifier for the
// temporary security credentials (such as Bob ). For example, you can reference
// the federated user name in a resource-based policy, such as in an Amazon S3
// bucket policy. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters:
// =,.@-
// bucket policy.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@-
//
// This member is required.
Name *string
@ -119,99 +146,127 @@ type GetFederationTokenInput struct {
DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy.
// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. This parameter is
// optional. However, if you do not pass any session policies, then the resulting
// federated user session has no permissions. When you pass session policies, the
// session permissions are the intersection of the IAM user policies and the
// session policies that you pass. This gives you a way to further restrict the
// permissions for a federated user. You cannot use session policies to grant more
// permissions than those that are defined in the permissions policy of the IAM
// user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically
// references the federated user session in the Principal element of the policy,
// the session has the permissions allowed by the policy. These permissions are
// granted in addition to the permissions that are granted by the session policies.
//
// You must pass an inline or managed [session policy] to this operation. You can pass a single
// JSON policy document to use as an inline session policy. You can also specify up
// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// policies.
//
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions.
//
// When you pass session policies, the session permissions are the intersection of
// the IAM user policies and the session policies that you pass. This gives you a
// way to further restrict the permissions for a federated user. You cannot use
// session policies to grant more permissions than those that are defined in the
// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
// Guide.
//
// The resulting credentials can be used to access a resource that has a
// resource-based policy. If that policy specifically references the federated user
// session in the Principal element of the policy, the session has the permissions
// allowed by the policy. These permissions are granted in addition to the
// permissions that are granted by the session policies.
//
// The plaintext that you use for both inline and managed session policies can't
// exceed 2,048 characters. The JSON policy characters can be any ASCII character
// from the space character to the end of the valid character list (\u0020 through
// \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
// return (\u000D) characters. An Amazon Web Services conversion compresses the
// passed inline session policy, managed policy ARNs, and session tags into a
// packed binary format that has a separate limit. Your request can fail for this
// limit even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit.
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as a managed session policy. The policies must exist in the same account as
// the IAM user that is requesting federated access. You must pass an inline or
// managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters.
// You can provide up to 10 managed policy ARNs. For more information about ARNs,
// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference. This parameter is optional.
// However, if you do not pass any session policies, then the resulting federated
// user session has no permissions. When you pass session policies, the session
// permissions are the intersection of the IAM user policies and the session
// policies that you pass. This gives you a way to further restrict the permissions
// for a federated user. You cannot use session policies to grant more permissions
// than those that are defined in the permissions policy of the IAM user. For more
// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically
// references the federated user session in the Principal element of the policy,
// the session has the permissions allowed by the policy. These permissions are
// granted in addition to the permissions that are granted by the session policies.
// return (\u000D) characters.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
Policy *string
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as a managed session policy. The policies must exist in the same account as
// the IAM user that is requesting federated access.
//
// You must pass an inline or managed [session policy] to this operation. You can pass a single
// JSON policy document to use as an inline session policy. You can also specify up
// to 10 managed policy Amazon Resource Names (ARNs) to use as managed session
// policies. The plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. You can provide up to 10 managed policy
// ARNs. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web Services General
// Reference.
//
// This parameter is optional. However, if you do not pass any session policies,
// then the resulting federated user session has no permissions.
//
// When you pass session policies, the session permissions are the intersection of
// the IAM user policies and the session policies that you pass. This gives you a
// way to further restrict the permissions for a federated user. You cannot use
// session policies to grant more permissions than those that are defined in the
// permissions policy of the IAM user. For more information, see [Session Policies]in the IAM User
// Guide.
//
// The resulting credentials can be used to access a resource that has a
// resource-based policy. If that policy specifically references the federated user
// session in the Principal element of the policy, the session has the permissions
// allowed by the policy. These permissions are granted in addition to the
// permissions that are granted by the session policies.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// [session policy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
PolicyArns []types.PolicyDescriptorType
// A list of session tags. Each session tag consists of a key name and an
// associated value. For more information about session tags, see Passing Session
// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. This parameter is optional. You can pass up to 50 session
// tags. The plaintext session tag keys cant exceed 128 characters and the values
// cant exceed 256 characters. For these and additional limits, see IAM and STS
// Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit
// even if your plaintext meets the other requirements. The PackedPolicySize
// response element indicates by percentage how close the policies and tags for
// your request are to the upper size limit. You can pass a session tag with the
// same key as a tag that is already attached to the user you are federating. When
// you do, session tags override a user tag with the same key. Tag keyvalue pairs
// are not case sensitive, but case is preserved. This means that you cannot have
// separate Department and department tag keys. Assume that the role has the
// Department = Marketing tag and you pass the department = engineering session
// tag. Department and department are not saved as separate tags, and the session
// tag passed in the request takes precedence over the role tag.
// associated value. For more information about session tags, see [Passing Session Tags in STS]in the IAM User
// Guide.
//
// This parameter is optional. You can pass up to 50 session tags. The plaintext
// session tag keys cant exceed 128 characters and the values cant exceed 256
// characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
//
// An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates
// by percentage how close the policies and tags for your request are to the upper
// size limit.
//
// You can pass a session tag with the same key as a tag that is already attached
// to the user you are federating. When you do, session tags override a user tag
// with the same key.
//
// Tag keyvalue pairs are not case sensitive, but case is preserved. This means
// that you cannot have separate Department and department tag keys. Assume that
// the role has the Department = Marketing tag and you pass the department =
// engineering session tag. Department and department are not saved as separate
// tags, and the session tag passed in the request takes precedence over the role
// tag.
//
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
Tags []types.Tag
noSmithyDocumentSerde
}
// Contains the response to a successful GetFederationToken request, including
// temporary Amazon Web Services credentials that can be used to make Amazon Web
// Services requests.
// Contains the response to a successful GetFederationToken request, including temporary Amazon Web
// Services credentials that can be used to make Amazon Web Services requests.
type GetFederationTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token
// that STS API operations return is not fixed. We strongly recommend that you make
// no assumptions about the maximum size.
// access key, and a security (or session) token.
//
// The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// Identifiers for the federated user associated with the credentials (such as
@ -287,6 +342,12 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil {
return err
}

View File

@ -15,43 +15,58 @@ import (
// IAM user. The credentials consist of an access key ID, a secret access key, and
// a security token. Typically, you use GetSessionToken if you want to use MFA to
// protect programmatic calls to specific Amazon Web Services API operations like
// Amazon EC2 StopInstances . MFA-enabled IAM users must call GetSessionToken and
// submit an MFA code that is associated with their MFA device. Using the temporary
// security credentials that the call returns, IAM users can then make programmatic
// calls to API operations that require MFA authentication. An incorrect MFA code
// causes the API to return an access denied error. For a comparison of
// GetSessionToken with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. No permissions are required for users to perform this
// operation. The purpose of the sts:GetSessionToken operation is to authenticate
// the user using MFA. You cannot use policies to control authentication
// operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
// in the IAM User Guide. Session Duration The GetSessionToken operation must be
// called by using the long-term Amazon Web Services security credentials of an IAM
// user. Credentials that are created by IAM users are valid for the duration that
// you specify. This duration can range from 900 seconds (15 minutes) up to a
// maximum of 129,600 seconds (36 hours), with a default of 43,200 seconds (12
// hours). Credentials based on account credentials can range from 900 seconds (15
// minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. Permissions The
// temporary security credentials created by GetSessionToken can be used to make
// API calls to any Amazon Web Services service with the following exceptions:
// Amazon EC2 StopInstances .
//
// MFA-enabled IAM users must call GetSessionToken and submit an MFA code that is
// associated with their MFA device. Using the temporary security credentials that
// the call returns, IAM users can then make programmatic calls to API operations
// that require MFA authentication. An incorrect MFA code causes the API to return
// an access denied error. For a comparison of GetSessionToken with the other API
// operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the IAM User Guide.
//
// No permissions are required for users to perform this operation. The purpose of
// the sts:GetSessionToken operation is to authenticate the user using MFA. You
// cannot use policies to control authentication operations. For more information,
// see [Permissions for GetSessionToken]in the IAM User Guide.
//
// # Session Duration
//
// The GetSessionToken operation must be called by using the long-term Amazon Web
// Services security credentials of an IAM user. Credentials that are created by
// IAM users are valid for the duration that you specify. This duration can range
// from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours),
// with a default of 43,200 seconds (12 hours). Credentials based on account
// credentials can range from 900 seconds (15 minutes) up to 3,600 seconds (1
// hour), with a default of 1 hour.
//
// # Permissions
//
// The temporary security credentials created by GetSessionToken can be used to
// make API calls to any Amazon Web Services service with the following exceptions:
//
// - You cannot call any IAM API operations unless MFA authentication
// information is included in the request.
//
// - You cannot call any STS API except AssumeRole or GetCallerIdentity .
//
// The credentials that GetSessionToken returns are based on permissions
// associated with the IAM user whose credentials were used to call the operation.
// The temporary credentials have the same permissions as the IAM user. Although it
// is possible to call GetSessionToken using the security credentials of an Amazon
// Web Services account root user rather than an IAM user, we do not recommend it.
// If GetSessionToken is called using root user credentials, the temporary
// credentials have root user permissions. For more information, see Safeguard
// your root user credentials and don't use them for everyday tasks (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials)
// in the IAM User Guide For more information about using GetSessionToken to
// create temporary credentials, see Temporary Credentials for Users in Untrusted
// Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// in the IAM User Guide.
// The temporary credentials have the same permissions as the IAM user.
//
// Although it is possible to call GetSessionToken using the security credentials
// of an Amazon Web Services account root user rather than an IAM user, we do not
// recommend it. If GetSessionToken is called using root user credentials, the
// temporary credentials have root user permissions. For more information, see [Safeguard your root user credentials and don't use them for everyday tasks]in
// the IAM User Guide
//
// For more information about using GetSessionToken to create temporary
// credentials, see [Temporary Credentials for Users in Untrusted Environments]in the IAM User Guide.
//
// [Permissions for GetSessionToken]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html
// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
// [Temporary Credentials for Users in Untrusted Environments]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
// [Safeguard your root user credentials and don't use them for everyday tasks]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#lock-away-credentials
// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
if params == nil {
params = &GetSessionTokenInput{}
@ -83,10 +98,11 @@ type GetSessionTokenInput struct {
// number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
// (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
// can find the device for an IAM user by going to the Amazon Web Services
// Management Console and viewing the user's security credentials. The regex used
// to validate this parameter is a string of characters consisting of upper- and
// lower-case alphanumeric characters with no spaces. You can also include
// underscores or any of the following characters: =,.@:/-
// Management Console and viewing the user's security credentials.
//
// The regex used to validate this parameter is a string of characters consisting
// of upper- and lower-case alphanumeric characters with no spaces. You can also
// include underscores or any of the following characters: =,.@:/-
SerialNumber *string
// The value provided by the MFA device, if MFA is required. If any policy
@ -94,22 +110,24 @@ type GetSessionTokenInput struct {
// authentication is required, the user must provide a code when requesting a set
// of temporary security credentials. A user who fails to provide the code receives
// an "access denied" response when requesting resources that require MFA
// authentication. The format for this parameter, as described by its regex
// pattern, is a sequence of six numeric digits.
// authentication.
//
// The format for this parameter, as described by its regex pattern, is a sequence
// of six numeric digits.
TokenCode *string
noSmithyDocumentSerde
}
// Contains the response to a successful GetSessionToken request, including
// temporary Amazon Web Services credentials that can be used to make Amazon Web
// Services requests.
// Contains the response to a successful GetSessionToken request, including temporary Amazon Web
// Services credentials that can be used to make Amazon Web Services requests.
type GetSessionTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token. The size of the security token
// that STS API operations return is not fixed. We strongly recommend that you make
// no assumptions about the maximum size.
// access key, and a security (or session) token.
//
// The size of the security token that STS API operations return is not fixed. We
// strongly recommend that you make no assumptions about the maximum size.
Credentials *types.Credentials
// Metadata pertaining to the operation's result.
@ -173,6 +191,12 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addTimeOffsetBuild(stack, c); err != nil {
return err
}
if err = addUserAgentRetryMode(stack, options); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
return err
}

View File

@ -12,7 +12,7 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http"
)
func bindAuthParamsRegion(params *AuthResolverParameters, _ interface{}, options Options) {
func bindAuthParamsRegion(_ interface{}, params *AuthResolverParameters, _ interface{}, options Options) {
params.Region = options.Region
}
@ -90,12 +90,12 @@ type AuthResolverParameters struct {
Region string
}
func bindAuthResolverParams(operation string, input interface{}, options Options) *AuthResolverParameters {
func bindAuthResolverParams(ctx context.Context, operation string, input interface{}, options Options) *AuthResolverParameters {
params := &AuthResolverParameters{
Operation: operation,
}
bindAuthParamsRegion(params, input, options)
bindAuthParamsRegion(ctx, params, input, options)
return params
}
@ -157,7 +157,7 @@ func (*resolveAuthSchemeMiddleware) ID() string {
func (m *resolveAuthSchemeMiddleware) HandleFinalize(ctx context.Context, in middleware.FinalizeInput, next middleware.FinalizeHandler) (
out middleware.FinalizeOutput, metadata middleware.Metadata, err error,
) {
params := bindAuthResolverParams(m.operation, getOperationInput(ctx), m.options)
params := bindAuthResolverParams(ctx, m.operation, getOperationInput(ctx), m.options)
options, err := m.options.AuthSchemeResolver.ResolveAuthSchemes(ctx, params)
if err != nil {
return out, metadata, fmt.Errorf("resolve auth scheme: %w", err)

View File

@ -20,8 +20,17 @@ import (
"io"
"strconv"
"strings"
"time"
)
func deserializeS3Expires(v string) (*time.Time, error) {
t, err := smithytime.ParseHTTPDate(v)
if err != nil {
return nil, nil
}
return &t, nil
}
type awsAwsquery_deserializeOpAssumeRole struct {
}

View File

@ -3,9 +3,11 @@
// Package sts provides the API client, operations, and parameter types for AWS
// Security Token Service.
//
// Security Token Service Security Token Service (STS) enables you to request
// temporary, limited-privilege credentials for users. This guide provides
// descriptions of the STS API. For more information about using this service, see
// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
// .
// # Security Token Service
//
// Security Token Service (STS) enables you to request temporary,
// limited-privilege credentials for users. This guide provides descriptions of the
// STS API. For more information about using this service, see [Temporary Security Credentials].
//
// [Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
package sts

View File

@ -1045,7 +1045,7 @@ type endpointParamsBinder interface {
bindEndpointParams(*EndpointParameters)
}
func bindEndpointParams(input interface{}, options Options) *EndpointParameters {
func bindEndpointParams(ctx context.Context, input interface{}, options Options) *EndpointParameters {
params := &EndpointParameters{}
params.Region = bindRegion(options.Region)
@ -1075,6 +1075,10 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return next.HandleFinalize(ctx, in)
}
if err := checkAccountID(getIdentity(ctx), m.options.AccountIDEndpointMode); err != nil {
return out, metadata, fmt.Errorf("invalid accountID set: %w", err)
}
req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, fmt.Errorf("unknown transport type %T", in.Request)
@ -1084,7 +1088,7 @@ func (m *resolveEndpointV2Middleware) HandleFinalize(ctx context.Context, in mid
return out, metadata, fmt.Errorf("expected endpoint resolver to not be nil")
}
params := bindEndpointParams(getOperationInput(ctx), m.options)
params := bindEndpointParams(ctx, getOperationInput(ctx), m.options)
endpt, err := m.options.EndpointResolverV2.ResolveEndpoint(ctx, *params)
if err != nil {
return out, metadata, fmt.Errorf("failed to resolve service endpoint, %w", err)

View File

@ -5,8 +5,7 @@
"github.com/aws/aws-sdk-go-v2/internal/endpoints/v2": "v2.0.0-00010101000000-000000000000",
"github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding": "v1.0.5",
"github.com/aws/aws-sdk-go-v2/service/internal/presigned-url": "v1.0.7",
"github.com/aws/smithy-go": "v1.4.0",
"github.com/google/go-cmp": "v0.5.4"
"github.com/aws/smithy-go": "v1.4.0"
},
"files": [
"api_client.go",

View File

@ -3,4 +3,4 @@
package sts
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.28.1"
const goModuleVersion = "1.29.1"

View File

@ -24,6 +24,9 @@ type Options struct {
// modify this list for per operation behavior.
APIOptions []func(*middleware.Stack) error
// Indicates how aws account ID is applied in endpoint2.0 routing
AccountIDEndpointMode aws.AccountIDEndpointMode
// The optional application specific identifier appended to the User-Agent header.
AppID string
@ -50,8 +53,10 @@ type Options struct {
// Deprecated: Deprecated: EndpointResolver and WithEndpointResolver. Providing a
// value for this field will likely prevent you from using any endpoint-related
// service features released after the introduction of EndpointResolverV2 and
// BaseEndpoint. To migrate an EndpointResolver implementation that uses a custom
// endpoint, set the client option BaseEndpoint instead.
// BaseEndpoint.
//
// To migrate an EndpointResolver implementation that uses a custom endpoint, set
// the client option BaseEndpoint instead.
EndpointResolver EndpointResolver
// Resolves the endpoint used for a particular service operation. This should be
@ -70,17 +75,20 @@ type Options struct {
// RetryMaxAttempts specifies the maximum number attempts an API client will call
// an operation that fails with a retryable error. A value of 0 is ignored, and
// will not be used to configure the API client created default retryer, or modify
// per operation call's retry max attempts. If specified in an operation call's
// functional options with a value that is different than the constructed client's
// Options, the Client's Retryer will be wrapped to use the operation's specific
// RetryMaxAttempts value.
// per operation call's retry max attempts.
//
// If specified in an operation call's functional options with a value that is
// different than the constructed client's Options, the Client's Retryer will be
// wrapped to use the operation's specific RetryMaxAttempts value.
RetryMaxAttempts int
// RetryMode specifies the retry mode the API client will be created with, if
// Retryer option is not also specified. When creating a new API Clients this
// member will only be used if the Retryer Options member is nil. This value will
// be ignored if Retryer is not nil. Currently does not support per operation call
// overrides, may in the future.
// Retryer option is not also specified.
//
// When creating a new API Clients this member will only be used if the Retryer
// Options member is nil. This value will be ignored if Retryer is not nil.
//
// Currently does not support per operation call overrides, may in the future.
RetryMode aws.RetryMode
// Retryer guides how HTTP requests should be retried in case of recoverable
@ -97,8 +105,9 @@ type Options struct {
// The initial DefaultsMode used when the client options were constructed. If the
// DefaultsMode was set to aws.DefaultsModeAuto this will store what the resolved
// value was at that point in time. Currently does not support per operation call
// overrides, may in the future.
// value was at that point in time.
//
// Currently does not support per operation call overrides, may in the future.
resolvedDefaultsMode aws.DefaultsMode
// The HTTP client to invoke API calls with. Defaults to client's default HTTP
@ -143,6 +152,7 @@ func WithAPIOptions(optFns ...func(*middleware.Stack) error) func(*Options) {
// Deprecated: EndpointResolver and WithEndpointResolver. Providing a value for
// this field will likely prevent you from using any endpoint-related service
// features released after the introduction of EndpointResolverV2 and BaseEndpoint.
//
// To migrate an EndpointResolver implementation that uses a custom endpoint, set
// the client option BaseEndpoint instead.
func WithEndpointResolver(v EndpointResolver) func(*Options) {

View File

@ -65,9 +65,10 @@ func (e *IDPCommunicationErrorException) ErrorCode() string {
func (e *IDPCommunicationErrorException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
// The identity provider (IdP) reported that authentication failed. This might be
// because the claim is invalid. If this error is returned for the
// AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired
// or has been explicitly revoked.
// because the claim is invalid.
//
// If this error is returned for the AssumeRoleWithWebIdentity operation, it can
// also mean that the claim has expired or has been explicitly revoked.
type IDPRejectedClaimException struct {
Message *string
@ -183,11 +184,13 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
// compresses the session policy document, session policy ARNs, and session tags
// into a packed binary format that has a separate limit. The error message
// indicates by percentage how close the policies and tags are to the upper size
// limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide. You could receive this error even though you meet other
// defined session policy and session tag limits. For more information, see IAM
// and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
// limit. For more information, see [Passing Session Tags in STS]in the IAM User Guide.
//
// You could receive this error even though you meet other defined session policy
// and session tag limits. For more information, see [IAM and STS Entity Character Limits]in the IAM User Guide.
//
// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
// [IAM and STS Entity Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
type PackedPolicyTooLargeException struct {
Message *string
@ -215,9 +218,10 @@ func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return
// STS is not activated in the requested region for the account that is being
// asked to generate credentials. The account administrator must use the IAM
// console to activate STS in that region. For more information, see Activating
// and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
// in the IAM User Guide.
// console to activate STS in that region. For more information, see [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]in the IAM
// User Guide.
//
// [Activating and Deactivating Amazon Web Services STS in an Amazon Web Services Region]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html
type RegionDisabledException struct {
Message *string

View File

@ -11,10 +11,11 @@ import (
// returns.
type AssumedRoleUser struct {
// The ARN of the temporary security credentials that are returned from the
// AssumeRole action. For more information about ARNs and how to use them in
// policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
// in the IAM User Guide.
// The ARN of the temporary security credentials that are returned from the AssumeRole
// action. For more information about ARNs and how to use them in policies, see [IAM Identifiers]in
// the IAM User Guide.
//
// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
//
// This member is required.
Arn *string
@ -61,8 +62,9 @@ type FederatedUser struct {
// The ARN that specifies the federated user that is associated with the
// credentials. For more information about ARNs and how to use them in policies,
// see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
// in the IAM User Guide.
// see [IAM Identifiers]in the IAM User Guide.
//
// [IAM Identifiers]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html
//
// This member is required.
Arn *string
@ -81,9 +83,10 @@ type FederatedUser struct {
type PolicyDescriptorType struct {
// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
// policy for the role. For more information about ARNs, see Amazon Resource Names
// (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// in the Amazon Web Services General Reference.
// policy for the role. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the Amazon Web
// Services General Reference.
//
// [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
Arn *string
noSmithyDocumentSerde
@ -107,23 +110,30 @@ type ProvidedContext struct {
// You can pass custom key-value pair attributes when you assume a role or
// federate a user. These are called session tags. You can then use the session
// tags to control access to resources. For more information, see Tagging Amazon
// Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// in the IAM User Guide.
// tags to control access to resources. For more information, see [Tagging Amazon Web Services STS Sessions]in the IAM User
// Guide.
//
// [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
type Tag struct {
// The key for a session tag. You can pass up to 50 session tags. The plain text
// session tag keys cant exceed 128 characters. For these and additional limits,
// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
// The key for a session tag.
//
// You can pass up to 50 session tags. The plain text session tag keys cant
// exceed 128 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
// Guide.
//
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
//
// This member is required.
Key *string
// The value for a session tag. You can pass up to 50 session tags. The plain text
// session tag values cant exceed 256 characters. For these and additional limits,
// see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide.
// The value for a session tag.
//
// You can pass up to 50 session tags. The plain text session tag values cant
// exceed 256 characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User
// Guide.
//
// [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
//
// This member is required.
Value *string

View File

@ -1079,6 +1079,9 @@ var awsPartition = partition{
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@ -1091,6 +1094,9 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
@ -4583,91 +4589,6 @@ var awsPartition = partition{
}: endpoint{},
},
},
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "af-south-1",
}: endpoint{},
endpointKey{
Region: "ap-east-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
endpointKey{
Region: "ap-northeast-3",
}: endpoint{},
endpointKey{
Region: "ap-south-1",
}: endpoint{},
endpointKey{
Region: "ap-south-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-3",
}: endpoint{},
endpointKey{
Region: "ap-southeast-4",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-2",
}: endpoint{},
endpointKey{
Region: "eu-north-1",
}: endpoint{},
endpointKey{
Region: "eu-south-1",
}: endpoint{},
endpointKey{
Region: "eu-south-2",
}: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "me-central-1",
}: endpoint{},
endpointKey{
Region: "me-south-1",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-2",
}: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
},
},
"batch": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{},
@ -4873,6 +4794,14 @@ var awsPartition = partition{
Region: "ap-southeast-2",
},
},
endpointKey{
Region: "bedrock-ca-central-1",
}: endpoint{
Hostname: "bedrock.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{
Region: "bedrock-eu-central-1",
}: endpoint{
@ -4889,6 +4818,14 @@ var awsPartition = partition{
Region: "eu-west-1",
},
},
endpointKey{
Region: "bedrock-eu-west-2",
}: endpoint{
Hostname: "bedrock.eu-west-2.amazonaws.com",
CredentialScope: credentialScope{
Region: "eu-west-2",
},
},
endpointKey{
Region: "bedrock-eu-west-3",
}: endpoint{
@ -4897,6 +4834,14 @@ var awsPartition = partition{
Region: "eu-west-3",
},
},
endpointKey{
Region: "bedrock-fips-ca-central-1",
}: endpoint{
Hostname: "bedrock-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{
Region: "bedrock-fips-us-east-1",
}: endpoint{
@ -4945,6 +4890,14 @@ var awsPartition = partition{
Region: "ap-southeast-2",
},
},
endpointKey{
Region: "bedrock-runtime-ca-central-1",
}: endpoint{
Hostname: "bedrock-runtime.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{
Region: "bedrock-runtime-eu-central-1",
}: endpoint{
@ -4961,6 +4914,14 @@ var awsPartition = partition{
Region: "eu-west-1",
},
},
endpointKey{
Region: "bedrock-runtime-eu-west-2",
}: endpoint{
Hostname: "bedrock-runtime.eu-west-2.amazonaws.com",
CredentialScope: credentialScope{
Region: "eu-west-2",
},
},
endpointKey{
Region: "bedrock-runtime-eu-west-3",
}: endpoint{
@ -4969,6 +4930,14 @@ var awsPartition = partition{
Region: "eu-west-3",
},
},
endpointKey{
Region: "bedrock-runtime-fips-ca-central-1",
}: endpoint{
Hostname: "bedrock-runtime-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
},
endpointKey{
Region: "bedrock-runtime-fips-us-east-1",
}: endpoint{
@ -4985,6 +4954,14 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
endpointKey{
Region: "bedrock-runtime-sa-east-1",
}: endpoint{
Hostname: "bedrock-runtime.sa-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "sa-east-1",
},
},
endpointKey{
Region: "bedrock-runtime-us-east-1",
}: endpoint{
@ -5001,6 +4978,14 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
endpointKey{
Region: "bedrock-sa-east-1",
}: endpoint{
Hostname: "bedrock.sa-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "sa-east-1",
},
},
endpointKey{
Region: "bedrock-us-east-1",
}: endpoint{
@ -5017,15 +5002,24 @@ var awsPartition = partition{
Region: "us-west-2",
},
},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
@ -5083,6 +5077,12 @@ var awsPartition = partition{
},
"cases": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
@ -5297,69 +5297,157 @@ var awsPartition = partition{
endpointKey{
Region: "af-south-1",
}: endpoint{},
endpointKey{
Region: "af-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-east-1",
}: endpoint{},
endpointKey{
Region: "ap-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-northeast-1",
}: endpoint{},
endpointKey{
Region: "ap-northeast-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
}: endpoint{},
endpointKey{
Region: "ap-northeast-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-northeast-3",
}: endpoint{},
endpointKey{
Region: "ap-northeast-3",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-south-1",
}: endpoint{},
endpointKey{
Region: "ap-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-southeast-1",
}: endpoint{},
endpointKey{
Region: "ap-southeast-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ap-southeast-2",
}: endpoint{},
endpointKey{
Region: "ap-southeast-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-north-1",
}: endpoint{},
endpointKey{
Region: "eu-north-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-south-1",
}: endpoint{},
endpointKey{
Region: "eu-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "eu-west-3",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "il-central-1",
}: endpoint{},
endpointKey{
Region: "il-central-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "me-south-1",
}: endpoint{},
endpointKey{
Region: "me-south-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "us-east-1",
}: endpoint{},
endpointKey{
Region: "us-east-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "us-east-2",
}: endpoint{},
endpointKey{
Region: "us-east-2",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
endpointKey{
Region: "us-west-1",
Variant: dualStackVariant,
}: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
endpointKey{
Region: "us-west-2",
Variant: dualStackVariant,
}: endpoint{},
},
},
"cloudcontrolapi": service{
@ -9264,9 +9352,21 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{
Region: "ca-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@ -9291,6 +9391,24 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "fips-ca-central-1",
}: endpoint{
Hostname: "directconnect-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-ca-west-1",
}: endpoint{
Hostname: "directconnect-fips.ca-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-east-1",
}: endpoint{
@ -15561,6 +15679,9 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@ -17465,12 +17586,27 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "ca-central-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kendra-fips.ca-central-1.amazonaws.com",
},
endpointKey{
Region: "eu-west-1",
}: endpoint{},
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "fips-ca-central-1",
}: endpoint{
Hostname: "kendra-fips.ca-central-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-central-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-east-1",
}: endpoint{
@ -21684,6 +21820,9 @@ var awsPartition = partition{
endpointKey{
Region: "ca-central-1",
}: endpoint{},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@ -25241,6 +25380,9 @@ var awsPartition = partition{
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "me-central-1",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
@ -31870,6 +32012,24 @@ var awsPartition = partition{
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "ca-west-1",
}: endpoint{},
endpointKey{
Region: "ca-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
},
endpointKey{
Region: "ca-west-1-fips",
}: endpoint{
Hostname: "storagegateway-fips.ca-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "ca-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "eu-central-1",
}: endpoint{},
@ -33793,6 +33953,9 @@ var awsPartition = partition{
endpointKey{
Region: "eu-west-2",
}: endpoint{},
endpointKey{
Region: "eu-west-3",
}: endpoint{},
endpointKey{
Region: "sa-east-1",
}: endpoint{},
@ -33802,6 +33965,9 @@ var awsPartition = partition{
endpointKey{
Region: "us-east-2",
}: endpoint{},
endpointKey{
Region: "us-west-1",
}: endpoint{},
endpointKey{
Region: "us-west-2",
}: endpoint{},
@ -36138,16 +36304,6 @@ var awscnPartition = partition{
}: endpoint{},
},
},
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "cn-north-1",
}: endpoint{},
endpointKey{
Region: "cn-northwest-1",
}: endpoint{},
},
},
"batch": service{
Endpoints: serviceEndpoints{
endpointKey{
@ -38917,16 +39073,6 @@ var awsusgovPartition = partition{
}: endpoint{},
},
},
"backupstorage": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "us-gov-east-1",
}: endpoint{},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{},
},
},
"batch": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{},
@ -38977,6 +39123,22 @@ var awsusgovPartition = partition{
},
"bedrock": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "bedrock-fips-us-gov-west-1",
}: endpoint{
Hostname: "bedrock-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{
Region: "bedrock-runtime-fips-us-gov-west-1",
}: endpoint{
Hostname: "bedrock-runtime-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{
Region: "bedrock-runtime-us-gov-west-1",
}: endpoint{
@ -41821,6 +41983,62 @@ var awsusgovPartition = partition{
}: endpoint{},
},
},
"kinesisvideo": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-gov-east-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-gov-west-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-gov-east-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
},
endpointKey{
Region: "us-gov-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
endpointKey{
Region: "us-gov-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "kinesisvideo-fips.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
},
},
},
"kms": service{
Endpoints: serviceEndpoints{
endpointKey{
@ -43562,6 +43780,46 @@ var awsusgovPartition = partition{
},
},
},
"securitylake": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "us-gov-east-1",
}: endpoint{},
endpointKey{
Region: "us-gov-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "securitylake.us-gov-east-1.amazonaws.com",
},
endpointKey{
Region: "us-gov-east-1-fips",
}: endpoint{
Hostname: "securitylake.us-gov-east-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-gov-west-1",
}: endpoint{},
endpointKey{
Region: "us-gov-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "securitylake.us-gov-west-1.amazonaws.com",
},
endpointKey{
Region: "us-gov-west-1-fips",
}: endpoint{
Hostname: "securitylake.us-gov-west-1.amazonaws.com",
CredentialScope: credentialScope{
Region: "us-gov-west-1",
},
Deprecated: boxedTrue,
},
},
},
"serverlessrepo": service{
Defaults: endpointDefaults{
defaultKey{}: endpoint{
@ -45743,42 +46001,12 @@ var awsisoPartition = partition{
},
"ram": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-iso-east-1",
}: endpoint{
Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "fips-us-iso-west-1",
}: endpoint{
Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-iso-east-1",
}: endpoint{},
endpointKey{
Region: "us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-iso-east-1.c2s.ic.gov",
},
endpointKey{
Region: "us-iso-west-1",
}: endpoint{},
endpointKey{
Region: "us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-iso-west-1.c2s.ic.gov",
},
},
},
"rbin": service{
@ -45823,37 +46051,10 @@ var awsisoPartition = partition{
},
"rds": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "rds-fips.us-iso-east-1",
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds-fips.us-iso-west-1",
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-iso-east-1",
}: endpoint{
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
Hostname: "rds.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
@ -45862,16 +46063,7 @@ var awsisoPartition = partition{
endpointKey{
Region: "rds.us-iso-west-1",
}: endpoint{
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
Hostname: "rds.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
@ -45884,12 +46076,12 @@ var awsisoPartition = partition{
Region: "us-iso-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
Hostname: "rds.us-iso-east-1.c2s.ic.gov",
},
endpointKey{
Region: "us-iso-east-1-fips",
}: endpoint{
Hostname: "rds-fips.us-iso-east-1.c2s.ic.gov",
Hostname: "rds.us-iso-east-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-east-1",
},
@ -45902,12 +46094,12 @@ var awsisoPartition = partition{
Region: "us-iso-west-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
Hostname: "rds.us-iso-west-1.c2s.ic.gov",
},
endpointKey{
Region: "us-iso-west-1-fips",
}: endpoint{
Hostname: "rds-fips.us-iso-west-1.c2s.ic.gov",
Hostname: "rds.us-iso-west-1.c2s.ic.gov",
CredentialScope: credentialScope{
Region: "us-iso-west-1",
},
@ -46866,24 +47058,9 @@ var awsisobPartition = partition{
},
"ram": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "fips-us-isob-east-1",
}: endpoint{
Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "us-isob-east-1",
}: endpoint{},
endpointKey{
Region: "us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "ram-fips.us-isob-east-1.sc2s.sgov.gov",
},
},
},
"rbin": service{
@ -46910,28 +47087,10 @@ var awsisobPartition = partition{
},
"rds": service{
Endpoints: serviceEndpoints{
endpointKey{
Region: "rds-fips.us-isob-east-1",
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-isob-east-1",
}: endpoint{
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
Deprecated: boxedTrue,
},
endpointKey{
Region: "rds.us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},
@ -46944,12 +47103,12 @@ var awsisobPartition = partition{
Region: "us-isob-east-1",
Variant: fipsVariant,
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
},
endpointKey{
Region: "us-isob-east-1-fips",
}: endpoint{
Hostname: "rds-fips.us-isob-east-1.sc2s.sgov.gov",
Hostname: "rds.us-isob-east-1.sc2s.sgov.gov",
CredentialScope: credentialScope{
Region: "us-isob-east-1",
},

View File

@ -5,4 +5,4 @@ package aws
const SDKName = "aws-sdk-go"
// SDKVersion is the version of this SDK
const SDKVersion = "1.53.14"
const SDKVersion = "1.54.6"

View File

@ -807,6 +807,7 @@ func (c *KMS) CreateCustomKeyStoreRequest(input *CreateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store.
//
// - XksProxyInvalidResponseException
//
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it
@ -1107,11 +1108,15 @@ func (c *KMS) CreateKeyRequest(input *CreateKeyInput) (req *request.Request, out
// Asymmetric KMS keys contain an RSA key pair, Elliptic Curve (ECC) key pair,
// or an SM2 key pair (China Regions only). The private key in an asymmetric
// KMS key never leaves KMS unencrypted. However, you can use the GetPublicKey
// operation to download the public key so it can be used outside of KMS. KMS
// keys with RSA or SM2 key pairs can be used to encrypt or decrypt data or
// sign and verify messages (but not both). KMS keys with ECC key pairs can
// be used only to sign and verify messages. For information about asymmetric
// KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// operation to download the public key so it can be used outside of KMS. Each
// KMS key can have only one key usage. KMS keys with RSA key pairs can be used
// to encrypt and decrypt data or sign and verify messages (but not both). KMS
// keys with NIST-recommended ECC key pairs can be used to sign and verify messages
// or derive shared secrets (but not both). KMS keys with ECC_SECG_P256K1 can
// be used only to sign and verify messages. KMS keys with SM2 key pairs (China
// Regions only) can be used to either encrypt and decrypt data, sign and verify
// messages, or derive shared secrets (you must choose one key usage type).
// For information about asymmetric KMS keys, see Asymmetric KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/symmetric-asymmetric.html)
// in the Key Management Service Developer Guide.
//
// # HMAC KMS key
@ -1554,7 +1559,8 @@ func (c *KMS) DecryptRequest(input *DecryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -2068,6 +2074,219 @@ func (c *KMS) DeleteImportedKeyMaterialWithContext(ctx aws.Context, input *Delet
return out, req.Send()
}
const opDeriveSharedSecret = "DeriveSharedSecret"
// DeriveSharedSecretRequest generates a "aws/request.Request" representing the
// client's request for the DeriveSharedSecret operation. The "output" return
// value will be populated with the request's response once the request completes
// successfully.
//
// Use "Send" method on the returned Request to send the API call to the service.
// the "output" return value is not valid until after Send returns without error.
//
// See DeriveSharedSecret for more information on using the DeriveSharedSecret
// API call, and error handling.
//
// This method is useful when you want to inject custom logic or configuration
// into the SDK's request lifecycle. Such as custom headers, or retry logic.
//
// // Example sending a request using the DeriveSharedSecretRequest method.
// req, resp := client.DeriveSharedSecretRequest(params)
//
// err := req.Send()
// if err == nil { // resp is now filled
// fmt.Println(resp)
// }
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
func (c *KMS) DeriveSharedSecretRequest(input *DeriveSharedSecretInput) (req *request.Request, output *DeriveSharedSecretOutput) {
op := &request.Operation{
Name: opDeriveSharedSecret,
HTTPMethod: "POST",
HTTPPath: "/",
}
if input == nil {
input = &DeriveSharedSecretInput{}
}
output = &DeriveSharedSecretOutput{}
req = c.newRequest(op, input, output)
return
}
// DeriveSharedSecret API operation for AWS Key Management Service.
//
// Derives a shared secret using a key agreement algorithm.
//
// You must use an asymmetric NIST-recommended elliptic curve (ECC) or SM2 (China
// Regions only) KMS key pair with a KeyUsage value of KEY_AGREEMENT to call
// DeriveSharedSecret.
//
// DeriveSharedSecret uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman
// Primitive (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Ar3.pdf#page=60)
// (ECDH) to establish a key agreement between two peers by deriving a shared
// secret from their elliptic curve public-private key pairs. You can use the
// raw shared secret that DeriveSharedSecret returns to derive a symmetric key
// that can encrypt and decrypt data that is sent between the two peers, or
// that can generate and verify HMACs. KMS recommends that you follow NIST recommendations
// for key derivation (https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-56Cr2.pdf)
// when using the raw shared secret to derive a symmetric key.
//
// The following workflow demonstrates how to establish key agreement over an
// insecure communication channel using DeriveSharedSecret.
//
// Alice calls CreateKey to create an asymmetric KMS key pair with a KeyUsage
// value of KEY_AGREEMENT.
//
// The asymmetric KMS key must use a NIST-recommended elliptic curve (ECC) or
// SM2 (China Regions only) key spec.
//
// Bob creates an elliptic curve key pair.
//
// Bob can call CreateKey to create an asymmetric KMS key pair or generate a
// key pair outside of KMS. Bob's key pair must use the same NIST-recommended
// elliptic curve (ECC) or SM2 (China Regions ony) curve as Alice.
//
// Alice and Bob exchange their public keys through an insecure communication
// channel (like the internet).
//
// Use GetPublicKey to download the public key of your asymmetric KMS key pair.
//
// KMS strongly recommends verifying that the public key you receive came from
// the expected party before using it to derive a shared secret.
//
// Alice calls DeriveSharedSecret.
//
// KMS uses the private key from the KMS key pair generated in Step 1, Bob's
// public key, and the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
// to derive the shared secret. The private key in your KMS key pair never leaves
// KMS unencrypted. DeriveSharedSecret returns the raw shared secret.
//
// Bob uses the Elliptic Curve Cryptography Cofactor Diffie-Hellman Primitive
// to calculate the same raw secret using his private key and Alice's public
// key.
//
// To derive a shared secret you must provide a key agreement algorithm, the
// private key of the caller's asymmetric NIST-recommended elliptic curve or
// SM2 (China Regions only) KMS key pair, and the public key from your peer's
// NIST-recommended elliptic curve or SM2 (China Regions only) key pair. The
// public key can be from another asymmetric KMS key pair or from a key pair
// generated outside of KMS, but both key pairs must be on the same elliptic
// curve.
//
// The KMS key that you use for this operation must be in a compatible key state.
// For details, see Key states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the Key Management Service Developer Guide.
//
// Cross-account use: Yes. To perform this operation with a KMS key in a different
// Amazon Web Services account, specify the key ARN or alias ARN in the value
// of the KeyId parameter.
//
// Required permissions: kms:DeriveSharedSecret (https://docs.aws.amazon.com/kms/latest/developerguide/kms-api-permissions-reference.html)
// (key policy)
//
// Related operations:
//
// - CreateKey
//
// - GetPublicKey
//
// - DescribeKey
//
// Eventual consistency: The KMS API follows an eventual consistency model.
// For more information, see KMS eventual consistency (https://docs.aws.amazon.com/kms/latest/developerguide/programming-eventual-consistency.html).
//
// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
// with awserr.Error's Code and Message methods to get detailed information about
// the error.
//
// See the AWS API reference guide for AWS Key Management Service's
// API operation DeriveSharedSecret for usage and error information.
//
// Returned Error Types:
//
// - NotFoundException
// The request was rejected because the specified entity or resource could not
// be found.
//
// - DisabledException
// The request was rejected because the specified KMS key is not enabled.
//
// - KeyUnavailableException
// The request was rejected because the specified KMS key was not available.
// You can retry the request.
//
// - DependencyTimeoutException
// The system timed out while trying to fulfill the request. You can retry the
// request.
//
// - InvalidGrantTokenException
// The request was rejected because the specified grant token is not valid.
//
// - InvalidKeyUsageException
// The request was rejected for one of the following reasons:
//
// - The KeyUsage value of the KMS key is incompatible with the API operation.
//
// - The encryption algorithm or signing algorithm specified for the operation
// is incompatible with the type of key material in the KMS key (KeySpec).
//
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
// key, use the DescribeKey operation.
//
// - InternalException
// The request was rejected because an internal exception occurred. The request
// can be retried.
//
// - InvalidStateException
// The request was rejected because the state of the specified resource is not
// valid for this request.
//
// This exceptions means one of the following:
//
// - The key state of the KMS key is not compatible with the operation. To
// find the key state, use the DescribeKey operation. For more information
// about which key states are compatible with each KMS operation, see Key
// states of KMS keys (https://docs.aws.amazon.com/kms/latest/developerguide/key-state.html)
// in the Key Management Service Developer Guide .
//
// - For cryptographic operations on KMS keys in custom key stores, this
// exception represents a general failure with many possible causes. To identify
// the cause, see the error message that accompanies the exception.
//
// - DryRunOperationException
// The request was rejected because the DryRun parameter was specified.
//
// See also, https://docs.aws.amazon.com/goto/WebAPI/kms-2014-11-01/DeriveSharedSecret
func (c *KMS) DeriveSharedSecret(input *DeriveSharedSecretInput) (*DeriveSharedSecretOutput, error) {
req, out := c.DeriveSharedSecretRequest(input)
return out, req.Send()
}
// DeriveSharedSecretWithContext is the same as DeriveSharedSecret with the addition of
// the ability to pass a context and additional request options.
//
// See DeriveSharedSecret for details on how to use this API operation.
//
// The context must be non-nil and will be used for request cancellation. If
// the context is nil a panic will occur. In the future the SDK may create
// sub-contexts for http.Requests. See https://golang.org/pkg/context/
// for more information on using Contexts.
func (c *KMS) DeriveSharedSecretWithContext(ctx aws.Context, input *DeriveSharedSecretInput, opts ...request.Option) (*DeriveSharedSecretOutput, error) {
req, out := c.DeriveSharedSecretRequest(input)
req.SetContext(ctx)
req.ApplyOptions(opts...)
return out, req.Send()
}
const opDescribeCustomKeyStores = "DescribeCustomKeyStores"
// DescribeCustomKeyStoresRequest generates a "aws/request.Request" representing the
@ -3326,7 +3545,8 @@ func (c *KMS) EncryptRequest(input *EncryptInput) (req *request.Request, output
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -3554,7 +3774,8 @@ func (c *KMS) GenerateDataKeyRequest(input *GenerateDataKeyInput) (req *request.
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -3772,7 +3993,8 @@ func (c *KMS) GenerateDataKeyPairRequest(input *GenerateDataKeyPairInput) (req *
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -3969,7 +4191,8 @@ func (c *KMS) GenerateDataKeyPairWithoutPlaintextRequest(input *GenerateDataKeyP
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -4178,7 +4401,8 @@ func (c *KMS) GenerateDataKeyWithoutPlaintextRequest(input *GenerateDataKeyWitho
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -4343,7 +4567,8 @@ func (c *KMS) GenerateMacRequest(input *GenerateMacInput) (req *request.Request,
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -4911,9 +5136,9 @@ func (c *KMS) GetParametersForImportRequest(input *GetParametersForImportInput)
// GetParametersForImport returns the items that you need to import your key
// material.
//
// - The public key (or "wrapping key") of an asymmetric key pair that KMS
// generates. You will use this public key to encrypt ("wrap") your key material
// while it's in transit to KMS.
// - The public key (or "wrapping key") of an RSA key pair that KMS generates.
// You will use this public key to encrypt ("wrap") your key material while
// it's in transit to KMS.
//
// - A import token that ensures that KMS can decrypt your key material and
// associate it with the correct KMS key.
@ -5089,7 +5314,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// The type of key material in the public key, such as RSA_4096 or ECC_NIST_P521.
//
// - KeyUsage (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-KeyUsage):
// Whether the key is used for encryption or signing.
// Whether the key is used for encryption, signing, or deriving a shared
// secret.
//
// - EncryptionAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-EncryptionAlgorithms)
// or SigningAlgorithms (https://docs.aws.amazon.com/kms/latest/APIReference/API_GetPublicKey.html#KMS-GetPublicKey-response-SigningAlgorithms):
@ -5170,7 +5396,8 @@ func (c *KMS) GetPublicKeyRequest(input *GetPublicKeyInput) (req *request.Reques
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -7082,7 +7309,8 @@ func (c *KMS) ReEncryptRequest(input *ReEncryptInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -8134,7 +8362,8 @@ func (c *KMS) SignRequest(input *SignInput) (req *request.Request, output *SignO
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -8939,6 +9168,7 @@ func (c *KMS) UpdateCustomKeyStoreRequest(input *UpdateCustomKeyStoreInput) (req
// for Amazon VPC endpoint service connectivity for an external key store.
//
// - XksProxyInvalidResponseException
//
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it
@ -9412,7 +9642,8 @@ func (c *KMS) VerifyRequest(input *VerifyInput) (req *request.Request, output *V
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -9576,7 +9807,8 @@ func (c *KMS) VerifyMacRequest(input *VerifyMacInput) (req *request.Request, out
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -11140,15 +11372,18 @@ type CreateKeyInput struct {
//
// * HMAC keys (symmetric) HMAC_224 HMAC_256 HMAC_384 HMAC_512
//
// * Asymmetric RSA key pairs RSA_2048 RSA_3072 RSA_4096
// * Asymmetric RSA key pairs (encryption and decryption -or- signing and
// verification) RSA_2048 RSA_3072 RSA_4096
//
// * Asymmetric NIST-recommended elliptic curve key pairs ECC_NIST_P256 (secp256r1)
// ECC_NIST_P384 (secp384r1) ECC_NIST_P521 (secp521r1)
// * Asymmetric NIST-recommended elliptic curve key pairs (signing and verification
// -or- deriving shared secrets) ECC_NIST_P256 (secp256r1) ECC_NIST_P384
// (secp384r1) ECC_NIST_P521 (secp521r1)
//
// * Other asymmetric elliptic curve key pairs ECC_SECG_P256K1 (secp256k1),
// commonly used for cryptocurrencies.
// * Other asymmetric elliptic curve key pairs (signing and verification)
// ECC_SECG_P256K1 (secp256k1), commonly used for cryptocurrencies.
//
// * SM2 key pairs (China Regions only) SM2
// * SM2 key pairs (encryption and decryption -or- signing and verification
// -or- deriving shared secrets) SM2 (China Regions only)
KeySpec *string `type:"string" enum:"KeySpec"`
// Determines the cryptographic operations (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#cryptographic-operations)
@ -11163,13 +11398,16 @@ type CreateKeyInput struct {
//
// * For HMAC KMS keys (symmetric), specify GENERATE_VERIFY_MAC.
//
// * For asymmetric KMS keys with RSA key material, specify ENCRYPT_DECRYPT
// * For asymmetric KMS keys with RSA key pairs, specify ENCRYPT_DECRYPT
// or SIGN_VERIFY.
//
// * For asymmetric KMS keys with ECC key material, specify SIGN_VERIFY.
// * For asymmetric KMS keys with NIST-recommended elliptic curve key pairs,
// specify SIGN_VERIFY or KEY_AGREEMENT.
//
// * For asymmetric KMS keys with SM2 key material (China Regions only),
// specify ENCRYPT_DECRYPT or SIGN_VERIFY.
// * For asymmetric KMS keys with ECC_SECG_P256K1 key pairs specify SIGN_VERIFY.
//
// * For asymmetric KMS keys with SM2 key pairs (China Regions only), specify
// ENCRYPT_DECRYPT, SIGN_VERIFY, or KEY_AGREEMENT.
KeyUsage *string `type:"string" enum:"KeyUsageType"`
// Creates a multi-Region primary key that you can replicate into other Amazon
@ -12555,6 +12793,282 @@ func (s *DependencyTimeoutException) RequestID() string {
return s.RespMetadata.RequestID
}
type DeriveSharedSecretInput struct {
_ struct{} `type:"structure"`
// Checks if your request will succeed. DryRun is an optional parameter.
//
// To learn more about how to use this parameter, see Testing your KMS API calls
// (https://docs.aws.amazon.com/kms/latest/developerguide/programming-dryrun.html)
// in the Key Management Service Developer Guide.
DryRun *bool `type:"boolean"`
// A list of grant tokens.
//
// Use a grant token when your permission to call this operation comes from
// a new grant that has not yet achieved eventual consistency. For more information,
// see Grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grants.html#grant_token)
// and Using a grant token (https://docs.aws.amazon.com/kms/latest/developerguide/grant-manage.html#using-grant-token)
// in the Key Management Service Developer Guide.
GrantTokens []*string `type:"list"`
// Specifies the key agreement algorithm used to derive the shared secret. The
// only valid value is ECDH.
//
// KeyAgreementAlgorithm is a required field
KeyAgreementAlgorithm *string `type:"string" required:"true" enum:"KeyAgreementAlgorithmSpec"`
// Identifies an asymmetric NIST-recommended ECC or SM2 (China Regions only)
// KMS key. KMS uses the private key in the specified key pair to derive the
// shared secret. The key usage of the KMS key must be KEY_AGREEMENT. To find
// the KeyUsage of a KMS key, use the DescribeKey operation.
//
// To specify a KMS key, use its key ID, key ARN, alias name, or alias ARN.
// When using an alias name, prefix it with "alias/". To specify a KMS key in
// a different Amazon Web Services account, you must use the key ARN or alias
// ARN.
//
// For example:
//
// * Key ID: 1234abcd-12ab-34cd-56ef-1234567890ab
//
// * Key ARN: arn:aws:kms:us-east-2:111122223333:key/1234abcd-12ab-34cd-56ef-1234567890ab
//
// * Alias name: alias/ExampleAlias
//
// * Alias ARN: arn:aws:kms:us-east-2:111122223333:alias/ExampleAlias
//
// To get the key ID and key ARN for a KMS key, use ListKeys or DescribeKey.
// To get the alias name and alias ARN, use ListAliases.
//
// KeyId is a required field
KeyId *string `min:"1" type:"string" required:"true"`
// Specifies the public key in your peer's NIST-recommended elliptic curve (ECC)
// or SM2 (China Regions only) key pair.
//
// The public key must be a DER-encoded X.509 public key, also known as SubjectPublicKeyInfo
// (SPKI), as defined in RFC 5280 (https://tools.ietf.org/html/rfc5280).
//
// GetPublicKey returns the public key of an asymmetric KMS key pair in the
// required DER-encoded format.
//
// If you use Amazon Web Services CLI version 1 (https://docs.aws.amazon.com/cli/v1/userguide/cli-chap-welcome.html),
// you must provide the DER-encoded X.509 public key in a file. Otherwise, the
// Amazon Web Services CLI Base64-encodes the public key a second time, resulting
// in a ValidationException.
//
// You can specify the public key as binary data in a file using fileb (fileb://<path-to-file>)
// or in-line using a Base64 encoded string.
// PublicKey is automatically base64 encoded/decoded by the SDK.
//
// PublicKey is a required field
PublicKey []byte `min:"1" type:"blob" required:"true"`
// A signed attestation document (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/nitro-enclave-how.html#term-attestdoc)
// from an Amazon Web Services Nitro enclave and the encryption algorithm to
// use with the enclave's public key. The only valid encryption algorithm is
// RSAES_OAEP_SHA_256.
//
// This parameter only supports attestation documents for Amazon Web Services
// Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
// Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
// to generate the attestation document and then use the Recipient parameter
// from any Amazon Web Services SDK to provide the attestation document for
// the enclave.
//
// When you use this parameter, instead of returning a plaintext copy of the
// shared secret, KMS encrypts the plaintext shared secret under the public
// key in the attestation document, and returns the resulting ciphertext in
// the CiphertextForRecipient field in the response. This ciphertext can be
// decrypted only with the private key in the enclave. The CiphertextBlob field
// in the response contains the encrypted shared secret derived from the KMS
// key specified by the KeyId parameter and public key specified by the PublicKey
// parameter. The SharedSecret field in the response is null or empty.
//
// For information about the interaction between KMS and Amazon Web Services
// Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
// in the Key Management Service Developer Guide.
Recipient *RecipientInfo `type:"structure"`
}
// String returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretInput) String() string {
return awsutil.Prettify(s)
}
// GoString returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretInput) GoString() string {
return s.String()
}
// Validate inspects the fields of the type to determine if they are valid.
func (s *DeriveSharedSecretInput) Validate() error {
invalidParams := request.ErrInvalidParams{Context: "DeriveSharedSecretInput"}
if s.KeyAgreementAlgorithm == nil {
invalidParams.Add(request.NewErrParamRequired("KeyAgreementAlgorithm"))
}
if s.KeyId == nil {
invalidParams.Add(request.NewErrParamRequired("KeyId"))
}
if s.KeyId != nil && len(*s.KeyId) < 1 {
invalidParams.Add(request.NewErrParamMinLen("KeyId", 1))
}
if s.PublicKey == nil {
invalidParams.Add(request.NewErrParamRequired("PublicKey"))
}
if s.PublicKey != nil && len(s.PublicKey) < 1 {
invalidParams.Add(request.NewErrParamMinLen("PublicKey", 1))
}
if s.Recipient != nil {
if err := s.Recipient.Validate(); err != nil {
invalidParams.AddNested("Recipient", err.(request.ErrInvalidParams))
}
}
if invalidParams.Len() > 0 {
return invalidParams
}
return nil
}
// SetDryRun sets the DryRun field's value.
func (s *DeriveSharedSecretInput) SetDryRun(v bool) *DeriveSharedSecretInput {
s.DryRun = &v
return s
}
// SetGrantTokens sets the GrantTokens field's value.
func (s *DeriveSharedSecretInput) SetGrantTokens(v []*string) *DeriveSharedSecretInput {
s.GrantTokens = v
return s
}
// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
func (s *DeriveSharedSecretInput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretInput {
s.KeyAgreementAlgorithm = &v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *DeriveSharedSecretInput) SetKeyId(v string) *DeriveSharedSecretInput {
s.KeyId = &v
return s
}
// SetPublicKey sets the PublicKey field's value.
func (s *DeriveSharedSecretInput) SetPublicKey(v []byte) *DeriveSharedSecretInput {
s.PublicKey = v
return s
}
// SetRecipient sets the Recipient field's value.
func (s *DeriveSharedSecretInput) SetRecipient(v *RecipientInfo) *DeriveSharedSecretInput {
s.Recipient = v
return s
}
type DeriveSharedSecretOutput struct {
_ struct{} `type:"structure"`
// The plaintext shared secret encrypted with the public key in the attestation
// document.
//
// This field is included in the response only when the Recipient parameter
// in the request includes a valid attestation document from an Amazon Web Services
// Nitro enclave. For information about the interaction between KMS and Amazon
// Web Services Nitro Enclaves, see How Amazon Web Services Nitro Enclaves uses
// KMS (https://docs.aws.amazon.com/kms/latest/developerguide/services-nitro-enclaves.html)
// in the Key Management Service Developer Guide.
// CiphertextForRecipient is automatically base64 encoded/decoded by the SDK.
CiphertextForRecipient []byte `min:"1" type:"blob"`
// Identifies the key agreement algorithm used to derive the shared secret.
KeyAgreementAlgorithm *string `type:"string" enum:"KeyAgreementAlgorithmSpec"`
// Identifies the KMS key used to derive the shared secret.
KeyId *string `min:"1" type:"string"`
// The source of the key material for the specified KMS key.
//
// When this value is AWS_KMS, KMS created the key material. When this value
// is EXTERNAL, the key material was imported or the KMS key doesn't have any
// key material.
//
// The only valid values for DeriveSharedSecret are AWS_KMS and EXTERNAL. DeriveSharedSecret
// does not support KMS keys with a KeyOrigin value of AWS_CLOUDHSM or EXTERNAL_KEY_STORE.
KeyOrigin *string `type:"string" enum:"OriginType"`
// The raw secret derived from the specified key agreement algorithm, private
// key in the asymmetric KMS key, and your peer's public key.
//
// If the response includes the CiphertextForRecipient field, the SharedSecret
// field is null or empty.
//
// SharedSecret is a sensitive parameter and its value will be
// replaced with "sensitive" in string returned by DeriveSharedSecretOutput's
// String and GoString methods.
//
// SharedSecret is automatically base64 encoded/decoded by the SDK.
SharedSecret []byte `min:"1" type:"blob" sensitive:"true"`
}
// String returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretOutput) String() string {
return awsutil.Prettify(s)
}
// GoString returns the string representation.
//
// API parameter values that are decorated as "sensitive" in the API will not
// be included in the string output. The member name will be present, but the
// value will be replaced with "sensitive".
func (s DeriveSharedSecretOutput) GoString() string {
return s.String()
}
// SetCiphertextForRecipient sets the CiphertextForRecipient field's value.
func (s *DeriveSharedSecretOutput) SetCiphertextForRecipient(v []byte) *DeriveSharedSecretOutput {
s.CiphertextForRecipient = v
return s
}
// SetKeyAgreementAlgorithm sets the KeyAgreementAlgorithm field's value.
func (s *DeriveSharedSecretOutput) SetKeyAgreementAlgorithm(v string) *DeriveSharedSecretOutput {
s.KeyAgreementAlgorithm = &v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *DeriveSharedSecretOutput) SetKeyId(v string) *DeriveSharedSecretOutput {
s.KeyId = &v
return s
}
// SetKeyOrigin sets the KeyOrigin field's value.
func (s *DeriveSharedSecretOutput) SetKeyOrigin(v string) *DeriveSharedSecretOutput {
s.KeyOrigin = &v
return s
}
// SetSharedSecret sets the SharedSecret field's value.
func (s *DeriveSharedSecretOutput) SetSharedSecret(v []byte) *DeriveSharedSecretOutput {
s.SharedSecret = v
return s
}
type DescribeCustomKeyStoresInput struct {
_ struct{} `type:"structure"`
@ -14006,9 +14520,11 @@ type GenerateDataKeyPairInput struct {
// RSAES_OAEP_SHA_256.
//
// This parameter only supports attestation documents for Amazon Web Services
// Nitro Enclaves. To include this parameter, use the Amazon Web Services Nitro
// Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
// or any Amazon Web Services SDK.
// Nitro Enclaves. To call DeriveSharedSecret for an Amazon Web Services Nitro
// Enclaves, use the Amazon Web Services Nitro Enclaves SDK (https://docs.aws.amazon.com/enclaves/latest/user/developing-applications.html#sdk)
// to generate the attestation document and then use the Recipient parameter
// from any Amazon Web Services SDK to provide the attestation document for
// the enclave.
//
// When you use this parameter, instead of returning a plaintext copy of the
// private data key, KMS encrypts the plaintext private data key under the public
@ -15199,25 +15715,19 @@ type GetParametersForImportInput struct {
// KeyId is a required field
KeyId *string `min:"1" type:"string" required:"true"`
// The algorithm you will use with the asymmetric public key (PublicKey) in
// the response to protect your key material during import. For more information,
// see Select a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
// The algorithm you will use with the RSA public key (PublicKey) in the response
// to protect your key material during import. For more information, see Select
// a wrapping algorithm (kms/latest/developerguide/importing-keys-get-public-key-and-token.html#select-wrapping-algorithm)
// in the Key Management Service Developer Guide.
//
// For RSA_AES wrapping algorithms, you encrypt your key material with an AES
// key that you generate, then encrypt your AES key with the RSA public key
// from KMS. For RSAES wrapping algorithms, you encrypt your key material directly
// with the RSA public key from KMS. For SM2PKE wrapping algorithms, you encrypt
// your key material directly with the SM2 public key from KMS.
// with the RSA public key from KMS.
//
// The wrapping algorithms that you can use depend on the type of key material
// that you are importing. To import an RSA private key, you must use an RSA_AES
// wrapping algorithm, except in China Regions, where you must use the SM2PKE
// wrapping algorithm to import an RSA private key.
//
// The SM2PKE wrapping algorithm is available only in China Regions. The RSA_AES_KEY_WRAP_SHA_256
// and RSA_AES_KEY_WRAP_SHA_1 wrapping algorithms are not supported in China
// Regions.
// wrapping algorithm.
//
// * RSA_AES_KEY_WRAP_SHA_256 — Supported for wrapping RSA and ECC key
// material.
@ -15237,24 +15747,19 @@ type GetParametersForImportInput struct {
// * RSAES_PKCS1_V1_5 (Deprecated) — As of October 10, 2023, KMS does not
// support the RSAES_PKCS1_V1_5 wrapping algorithm.
//
// * SM2PKE (China Regions only) — supported for wrapping RSA, ECC, and
// SM2 key material.
//
// WrappingAlgorithm is a required field
WrappingAlgorithm *string `type:"string" required:"true" enum:"AlgorithmSpec"`
// The type of public key to return in the response. You will use this wrapping
// The type of RSA public key to return in the response. You will use this wrapping
// key with the specified wrapping algorithm to protect your key material during
// import.
//
// Use the longest wrapping key that is practical.
// Use the longest RSA wrapping key that is practical.
//
// You cannot use an RSA_2048 public key to directly wrap an ECC_NIST_P521 private
// key. Instead, use an RSA_AES wrapping algorithm or choose a longer RSA public
// key.
//
// The SM2 wrapping key spec is available only in China Regions.
//
// WrappingKeySpec is a required field
WrappingKeySpec *string `type:"string" required:"true" enum:"WrappingKeySpec"`
}
@ -15490,6 +15995,10 @@ type GetPublicKeyOutput struct {
// is ENCRYPT_DECRYPT.
EncryptionAlgorithms []*string `type:"list" enum:"EncryptionAlgorithmSpec"`
// The key agreement algorithm used to derive a shared secret. This field is
// present only when the KMS key has a KeyUsage value of KEY_AGREEMENT.
KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
// The Amazon Resource Name (key ARN (https://docs.aws.amazon.com/kms/latest/developerguide/concepts.html#key-id-key-ARN))
// of the asymmetric KMS key from which the public key was downloaded.
KeyId *string `min:"1" type:"string"`
@ -15497,11 +16006,11 @@ type GetPublicKeyOutput struct {
// The type of the of the public key that was downloaded.
KeySpec *string `type:"string" enum:"KeySpec"`
// The permitted use of the public key. Valid values are ENCRYPT_DECRYPT or
// SIGN_VERIFY.
// The permitted use of the public key. Valid values for asymmetric key pairs
// are ENCRYPT_DECRYPT, SIGN_VERIFY, and KEY_AGREEMENT.
//
// This information is critical. If a public key with SIGN_VERIFY key usage
// encrypts data outside of KMS, the ciphertext cannot be decrypted.
// This information is critical. For example, if a public key with SIGN_VERIFY
// key usage encrypts data outside of KMS, the ciphertext cannot be decrypted.
KeyUsage *string `type:"string" enum:"KeyUsageType"`
// The exported public key.
@ -15550,6 +16059,12 @@ func (s *GetPublicKeyOutput) SetEncryptionAlgorithms(v []*string) *GetPublicKeyO
return s
}
// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
func (s *GetPublicKeyOutput) SetKeyAgreementAlgorithms(v []*string) *GetPublicKeyOutput {
s.KeyAgreementAlgorithms = v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *GetPublicKeyOutput) SetKeyId(v string) *GetPublicKeyOutput {
s.KeyId = &v
@ -16603,7 +17118,8 @@ func (s *InvalidImportTokenException) RequestID() string {
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -17052,6 +17568,9 @@ type KeyMetadata struct {
// only when Origin is EXTERNAL, otherwise this value is omitted.
ExpirationModel *string `type:"string" enum:"ExpirationModelType"`
// The key agreement algorithm used to derive a shared secret.
KeyAgreementAlgorithms []*string `type:"list" enum:"KeyAgreementAlgorithmSpec"`
// The globally unique identifier for the KMS key.
//
// KeyId is a required field
@ -17232,6 +17751,12 @@ func (s *KeyMetadata) SetExpirationModel(v string) *KeyMetadata {
return s
}
// SetKeyAgreementAlgorithms sets the KeyAgreementAlgorithms field's value.
func (s *KeyMetadata) SetKeyAgreementAlgorithms(v []*string) *KeyMetadata {
s.KeyAgreementAlgorithms = v
return s
}
// SetKeyId sets the KeyId field's value.
func (s *KeyMetadata) SetKeyId(v string) *KeyMetadata {
s.KeyId = &v
@ -23034,6 +23559,9 @@ const (
// GrantOperationVerifyMac is a GrantOperation enum value
GrantOperationVerifyMac = "VerifyMac"
// GrantOperationDeriveSharedSecret is a GrantOperation enum value
GrantOperationDeriveSharedSecret = "DeriveSharedSecret"
)
// GrantOperation_Values returns all elements of the GrantOperation enum
@ -23055,6 +23583,19 @@ func GrantOperation_Values() []string {
GrantOperationGenerateDataKeyPairWithoutPlaintext,
GrantOperationGenerateMac,
GrantOperationVerifyMac,
GrantOperationDeriveSharedSecret,
}
}
const (
// KeyAgreementAlgorithmSpecEcdh is a KeyAgreementAlgorithmSpec enum value
KeyAgreementAlgorithmSpecEcdh = "ECDH"
)
// KeyAgreementAlgorithmSpec_Values returns all elements of the KeyAgreementAlgorithmSpec enum
func KeyAgreementAlgorithmSpec_Values() []string {
return []string{
KeyAgreementAlgorithmSpecEcdh,
}
}
@ -23195,6 +23736,9 @@ const (
// KeyUsageTypeGenerateVerifyMac is a KeyUsageType enum value
KeyUsageTypeGenerateVerifyMac = "GENERATE_VERIFY_MAC"
// KeyUsageTypeKeyAgreement is a KeyUsageType enum value
KeyUsageTypeKeyAgreement = "KEY_AGREEMENT"
)
// KeyUsageType_Values returns all elements of the KeyUsageType enum
@ -23203,6 +23747,7 @@ func KeyUsageType_Values() []string {
KeyUsageTypeSignVerify,
KeyUsageTypeEncryptDecrypt,
KeyUsageTypeGenerateVerifyMac,
KeyUsageTypeKeyAgreement,
}
}

View File

@ -279,7 +279,8 @@ const (
// For encrypting, decrypting, re-encrypting, and generating data keys, the
// KeyUsage must be ENCRYPT_DECRYPT. For signing and verifying messages, the
// KeyUsage must be SIGN_VERIFY. For generating and verifying message authentication
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. To find the KeyUsage
// codes (MACs), the KeyUsage must be GENERATE_VERIFY_MAC. For deriving key
// agreement secrets, the KeyUsage must be KEY_AGREEMENT. To find the KeyUsage
// of a KMS key, use the DescribeKey operation.
//
// To find the encryption or signing algorithms supported for a particular KMS
@ -424,6 +425,7 @@ const (
// ErrCodeXksProxyInvalidResponseException for service response error code
// "XksProxyInvalidResponseException".
//
//
// KMS cannot interpret the response it received from the external key store
// proxy. The problem might be a poorly constructed response, but it could also
// be a transient network issue. If you see this error repeatedly, report it

View File

@ -1,3 +1,7 @@
# Release (2024-03-29)
* No change notes available for this release.
# Release (2024-02-21)
## Module Highlights

View File

@ -3,4 +3,4 @@
package smithy
// goModuleVersion is the tagged release for this module
const goModuleVersion = "1.20.1"
const goModuleVersion = "1.20.2"

View File

@ -1,133 +0,0 @@
/*-
* Copyright 2016 Zbigniew Mandziejewicz
* Copyright 2016 Square, Inc.
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
package jwt
import (
"fmt"
"strings"
jose "github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v3/json"
)
// JSONWebToken represents a JSON Web Token (as specified in RFC7519).
type JSONWebToken struct {
payload func(k interface{}) ([]byte, error)
unverifiedPayload func() []byte
Headers []jose.Header
}
type NestedJSONWebToken struct {
enc *jose.JSONWebEncryption
Headers []jose.Header
}
// Claims deserializes a JSONWebToken into dest using the provided key.
func (t *JSONWebToken) Claims(key interface{}, dest ...interface{}) error {
b, err := t.payload(key)
if err != nil {
return err
}
for _, d := range dest {
if err := json.Unmarshal(b, d); err != nil {
return err
}
}
return nil
}
// UnsafeClaimsWithoutVerification deserializes the claims of a
// JSONWebToken into the dests. For signed JWTs, the claims are not
// verified. This function won't work for encrypted JWTs.
func (t *JSONWebToken) UnsafeClaimsWithoutVerification(dest ...interface{}) error {
if t.unverifiedPayload == nil {
return fmt.Errorf("go-jose/go-jose: Cannot get unverified claims")
}
claims := t.unverifiedPayload()
for _, d := range dest {
if err := json.Unmarshal(claims, d); err != nil {
return err
}
}
return nil
}
func (t *NestedJSONWebToken) Decrypt(decryptionKey interface{}) (*JSONWebToken, error) {
b, err := t.enc.Decrypt(decryptionKey)
if err != nil {
return nil, err
}
sig, err := ParseSigned(string(b))
if err != nil {
return nil, err
}
return sig, nil
}
// ParseSigned parses token from JWS form.
func ParseSigned(s string) (*JSONWebToken, error) {
sig, err := jose.ParseSigned(s)
if err != nil {
return nil, err
}
headers := make([]jose.Header, len(sig.Signatures))
for i, signature := range sig.Signatures {
headers[i] = signature.Header
}
return &JSONWebToken{
payload: sig.Verify,
unverifiedPayload: sig.UnsafePayloadWithoutVerification,
Headers: headers,
}, nil
}
// ParseEncrypted parses token from JWE form.
func ParseEncrypted(s string) (*JSONWebToken, error) {
enc, err := jose.ParseEncrypted(s)
if err != nil {
return nil, err
}
return &JSONWebToken{
payload: enc.Decrypt,
Headers: []jose.Header{enc.Header},
}, nil
}
// ParseSignedAndEncrypted parses signed-then-encrypted token from JWE form.
func ParseSignedAndEncrypted(s string) (*NestedJSONWebToken, error) {
enc, err := jose.ParseEncrypted(s)
if err != nil {
return nil, err
}
contentType, _ := enc.Header.ExtraHeaders[jose.HeaderContentType].(string)
if strings.ToUpper(contentType) != "JWT" {
return nil, ErrInvalidContentType
}
return &NestedJSONWebToken{
enc: enc,
Headers: []jose.Header{enc.Header},
}, nil
}

View File

@ -45,12 +45,6 @@ token".
[1]: https://i.blackhat.com/BH-US-23/Presentations/US-23-Tervoort-Three-New-Attacks-Against-JSON-Web-Tokens.pdf
# v3.0.3
## Fixed
- Limit decompression output size to prevent a DoS. Backport from v4.0.1.
# v3.0.2
## Fixed

View File

@ -1,17 +1,9 @@
# Go JOSE
### Versions
[Version 4](https://github.com/go-jose/go-jose)
([branch](https://github.com/go-jose/go-jose/),
[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
import "github.com/go-jose/go-jose/v4"
The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
are deprecated.
### Summary
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
[![license](https://img.shields.io/badge/license-apache_2.0-blue.svg?style=flat)](https://raw.githubusercontent.com/go-jose/go-jose/master/LICENSE)
[![test](https://img.shields.io/github/checks-status/go-jose/go-jose/v4)](https://github.com/go-jose/go-jose/actions)
Package jose aims to provide an implementation of the Javascript Object Signing
and Encryption set of standards. This includes support for JSON Web Encryption,
@ -43,6 +35,20 @@ of [case-insensitive matching](https://www.ietf.org/mail-archive/web/json/curren
This is to avoid differences in interpretation of messages between go-jose and
libraries in other languages.
### Versions
[Version 4](https://github.com/go-jose/go-jose)
([branch](https://github.com/go-jose/go-jose/tree/main),
[doc](https://pkg.go.dev/github.com/go-jose/go-jose/v4), [releases](https://github.com/go-jose/go-jose/releases)) is the current stable version:
import "github.com/go-jose/go-jose/v4"
The old [square/go-jose](https://github.com/square/go-jose) repo contains the prior v1 and v2 versions, which
are still useable but not actively developed anymore.
Version 3, in this repo, is still receiving security fixes but not functionality
updates.
### Supported algorithms
See below for a table of supported algorithms. Algorithm identifiers match
@ -98,11 +104,11 @@ allows attaching a key id.
## Examples
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v3/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v3/jwt)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4)
[![godoc](https://pkg.go.dev/badge/github.com/go-jose/go-jose/v4/jwt.svg)](https://pkg.go.dev/github.com/go-jose/go-jose/v4/jwt)
Examples can be found in the Godoc
reference for this package. The
[`jose-util`](https://github.com/go-jose/go-jose/tree/v3/jose-util)
[`jose-util`](https://github.com/go-jose/go-jose/tree/v4/jose-util)
subdirectory also contains a small command-line utility which might be useful
as an example as well.

View File

@ -29,8 +29,8 @@ import (
"fmt"
"math/big"
josecipher "github.com/go-jose/go-jose/v3/cipher"
"github.com/go-jose/go-jose/v3/json"
josecipher "github.com/go-jose/go-jose/v4/cipher"
"github.com/go-jose/go-jose/v4/json"
)
// A generic RSA-based encrypter/verifier

View File

@ -22,7 +22,7 @@ import (
"errors"
"fmt"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
)
// Encrypter represents an encrypter which produces an encrypted JWE object.

View File

@ -27,7 +27,7 @@ import (
"strings"
"unicode"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
)
// Helper function to serialize known-good objects.
@ -106,10 +106,7 @@ func inflate(input []byte) ([]byte, error) {
output := new(bytes.Buffer)
reader := flate.NewReader(bytes.NewBuffer(input))
maxCompressedSize := 10 * int64(len(input))
if maxCompressedSize < 250000 {
maxCompressedSize = 250000
}
maxCompressedSize := max(250_000, 10*int64(len(input)))
limit := maxCompressedSize + 1
n, err := io.CopyN(output, reader, limit)
@ -167,7 +164,7 @@ func (b *byteBuffer) UnmarshalJSON(data []byte) error {
return nil
}
decoded, err := base64URLDecode(encoded)
decoded, err := base64.RawURLEncoding.DecodeString(encoded)
if err != nil {
return err
}
@ -197,12 +194,6 @@ func (b byteBuffer) toInt() int {
return int(b.bigInt().Int64())
}
// base64URLDecode is implemented as defined in https://www.rfc-editor.org/rfc/rfc7515.html#appendix-C
func base64URLDecode(value string) ([]byte, error) {
value = strings.TrimRight(value, "=")
return base64.RawURLEncoding.DecodeString(value)
}
func base64EncodeLen(sl []byte) int {
return base64.RawURLEncoding.EncodedLen(len(sl))
}

View File

@ -18,10 +18,11 @@ package jose
import (
"encoding/base64"
"errors"
"fmt"
"strings"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebEncryption represents a raw JWE JSON object. Used for parsing/serializing.
@ -104,29 +105,75 @@ func (obj JSONWebEncryption) computeAuthData() []byte {
return output
}
// ParseEncrypted parses an encrypted message in compact or JWE JSON Serialization format.
func ParseEncrypted(input string) (*JSONWebEncryption, error) {
input = stripWhitespace(input)
if strings.HasPrefix(input, "{") {
return parseEncryptedFull(input)
func containsKeyAlgorithm(haystack []KeyAlgorithm, needle KeyAlgorithm) bool {
for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return parseEncryptedCompact(input)
return false
}
// parseEncryptedFull parses a message in compact format.
func parseEncryptedFull(input string) (*JSONWebEncryption, error) {
func containsContentEncryption(haystack []ContentEncryption, needle ContentEncryption) bool {
for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return false
}
// ParseEncrypted parses an encrypted message in JWE Compact or JWE JSON Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
//
// The keyAlgorithms and contentEncryption parameters are used to validate the "alg" and "enc"
// header parameters respectively. They must be nonempty, and each "alg" or "enc" header in
// parsed data must contain a value that is present in the corresponding parameter. That
// includes the protected and unprotected headers as well as all recipients. To accept
// multiple algorithms, pass a slice of all the algorithms you want to accept.
func ParseEncrypted(input string,
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
input = stripWhitespace(input)
if strings.HasPrefix(input, "{") {
return ParseEncryptedJSON(input, keyEncryptionAlgorithms, contentEncryption)
}
return ParseEncryptedCompact(input, keyEncryptionAlgorithms, contentEncryption)
}
// ParseEncryptedJSON parses a message in JWE JSON Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.2
func ParseEncryptedJSON(
input string,
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
var parsed rawJSONWebEncryption
err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
return parsed.sanitized()
return parsed.sanitized(keyEncryptionAlgorithms, contentEncryption)
}
// sanitized produces a cleaned-up JWE object from the raw JSON.
func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
func (parsed *rawJSONWebEncryption) sanitized(
keyEncryptionAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
if len(keyEncryptionAlgorithms) == 0 {
return nil, errors.New("go-jose/go-jose: no key algorithms provided")
}
if len(contentEncryption) == 0 {
return nil, errors.New("go-jose/go-jose: no content encryption algorithms provided")
}
obj := &JSONWebEncryption{
original: parsed,
unprotected: parsed.Unprotected,
@ -170,7 +217,7 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
} else {
obj.recipients = make([]recipientInfo, len(parsed.Recipients))
for r := range parsed.Recipients {
encryptedKey, err := base64URLDecode(parsed.Recipients[r].EncryptedKey)
encryptedKey, err := base64.RawURLEncoding.DecodeString(parsed.Recipients[r].EncryptedKey)
if err != nil {
return nil, err
}
@ -185,10 +232,31 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
}
}
for _, recipient := range obj.recipients {
for i, recipient := range obj.recipients {
headers := obj.mergedHeaders(&recipient)
if headers.getAlgorithm() == "" || headers.getEncryption() == "" {
return nil, fmt.Errorf("go-jose/go-jose: message is missing alg/enc headers")
if headers.getAlgorithm() == "" {
return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "alg"`, i)
}
if headers.getEncryption() == "" {
return nil, fmt.Errorf(`go-jose/go-jose: recipient %d: missing header "enc"`, i)
}
err := validateAlgEnc(headers, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: recipient %d: %s", i, err)
}
}
if obj.protected != nil {
err := validateAlgEnc(*obj.protected, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: protected header: %s", err)
}
}
if obj.unprotected != nil {
err := validateAlgEnc(*obj.unprotected, keyEncryptionAlgorithms, contentEncryption)
if err != nil {
return nil, fmt.Errorf("go-jose/go-jose: unprotected header: %s", err)
}
}
@ -200,34 +268,52 @@ func (parsed *rawJSONWebEncryption) sanitized() (*JSONWebEncryption, error) {
return obj, nil
}
// parseEncryptedCompact parses a message in compact format.
func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
func validateAlgEnc(headers rawHeader, keyAlgorithms []KeyAlgorithm, contentEncryption []ContentEncryption) error {
alg := headers.getAlgorithm()
enc := headers.getEncryption()
if alg != "" && !containsKeyAlgorithm(keyAlgorithms, alg) {
return fmt.Errorf("unexpected key algorithm %q; expected %q", alg, keyAlgorithms)
}
if alg != "" && !containsContentEncryption(contentEncryption, enc) {
return fmt.Errorf("unexpected content encryption algorithm %q; expected %q", enc, contentEncryption)
}
return nil
}
// ParseEncryptedCompact parses a message in JWE Compact Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7516#section-3.1
func ParseEncryptedCompact(
input string,
keyAlgorithms []KeyAlgorithm,
contentEncryption []ContentEncryption,
) (*JSONWebEncryption, error) {
parts := strings.Split(input, ".")
if len(parts) != 5 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWE format must have five parts")
}
rawProtected, err := base64URLDecode(parts[0])
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
return nil, err
}
encryptedKey, err := base64URLDecode(parts[1])
encryptedKey, err := base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, err
}
iv, err := base64URLDecode(parts[2])
iv, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
return nil, err
}
ciphertext, err := base64URLDecode(parts[3])
ciphertext, err := base64.RawURLEncoding.DecodeString(parts[3])
if err != nil {
return nil, err
}
tag, err := base64URLDecode(parts[4])
tag, err := base64.RawURLEncoding.DecodeString(parts[4])
if err != nil {
return nil, err
}
@ -240,7 +326,7 @@ func parseEncryptedCompact(input string) (*JSONWebEncryption, error) {
Tag: newBuffer(tag),
}
return raw.sanitized()
return raw.sanitized(keyAlgorithms, contentEncryption)
}
// CompactSerialize serializes an object using the compact serialization format.

View File

@ -35,7 +35,7 @@ import (
"reflect"
"strings"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebKey represents a public or private key in JWK format, used for parsing/serializing.
@ -266,7 +266,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
// x5t parameters are base64url-encoded SHA thumbprints
// See RFC 7517, Section 4.8, https://tools.ietf.org/html/rfc7517#section-4.8
x5tSHA1bytes, err := base64URLDecode(raw.X5tSHA1)
x5tSHA1bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA1)
if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t header has invalid encoding")
}
@ -286,7 +286,7 @@ func (k *JSONWebKey) UnmarshalJSON(data []byte) (err error) {
k.CertificateThumbprintSHA1 = x5tSHA1bytes
x5tSHA256bytes, err := base64URLDecode(raw.X5tSHA256)
x5tSHA256bytes, err := base64.RawURLEncoding.DecodeString(raw.X5tSHA256)
if err != nil {
return errors.New("go-jose/go-jose: invalid JWK, x5t#S256 header has invalid encoding")
}

View File

@ -23,7 +23,7 @@ import (
"fmt"
"strings"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
)
// rawJSONWebSignature represents a raw JWS JSON object. Used for parsing/serializing.
@ -75,22 +75,41 @@ type Signature struct {
original *rawSignatureInfo
}
// ParseSigned parses a signed message in compact or JWS JSON Serialization format.
func ParseSigned(signature string) (*JSONWebSignature, error) {
// ParseSigned parses a signed message in JWS Compact or JWS JSON Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7
func ParseSigned(
signature string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
signature = stripWhitespace(signature)
if strings.HasPrefix(signature, "{") {
return parseSignedFull(signature)
return ParseSignedJSON(signature, signatureAlgorithms)
}
return parseSignedCompact(signature, nil)
return parseSignedCompact(signature, nil, signatureAlgorithms)
}
// ParseSignedCompact parses a message in JWS Compact Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.1
func ParseSignedCompact(
signature string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
return parseSignedCompact(signature, nil, signatureAlgorithms)
}
// ParseDetached parses a signed message in compact serialization format with detached payload.
func ParseDetached(signature string, payload []byte) (*JSONWebSignature, error) {
func ParseDetached(
signature string,
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
if payload == nil {
return nil, errors.New("go-jose/go-jose: nil payload")
}
return parseSignedCompact(stripWhitespace(signature), payload)
return parseSignedCompact(stripWhitespace(signature), payload, signatureAlgorithms)
}
// Get a header value
@ -137,19 +156,36 @@ func (obj JSONWebSignature) computeAuthData(payload []byte, signature *Signature
return authData.Bytes(), nil
}
// parseSignedFull parses a message in full format.
func parseSignedFull(input string) (*JSONWebSignature, error) {
// ParseSignedJSON parses a message in JWS JSON Serialization.
//
// https://datatracker.ietf.org/doc/html/rfc7515#section-7.2
func ParseSignedJSON(
input string,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
var parsed rawJSONWebSignature
err := json.Unmarshal([]byte(input), &parsed)
if err != nil {
return nil, err
}
return parsed.sanitized()
return parsed.sanitized(signatureAlgorithms)
}
func containsSignatureAlgorithm(haystack []SignatureAlgorithm, needle SignatureAlgorithm) bool {
for _, algorithm := range haystack {
if algorithm == needle {
return true
}
}
return false
}
// sanitized produces a cleaned-up JWS object from the raw JSON.
func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
func (parsed *rawJSONWebSignature) sanitized(signatureAlgorithms []SignatureAlgorithm) (*JSONWebSignature, error) {
if len(signatureAlgorithms) == 0 {
return nil, errors.New("go-jose/go-jose: no signature algorithms specified")
}
if parsed.Payload == nil {
return nil, fmt.Errorf("go-jose/go-jose: missing payload in JWS message")
}
@ -198,6 +234,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err
}
alg := SignatureAlgorithm(signature.Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
alg, signatureAlgorithms)
}
if signature.header != nil {
signature.Unprotected, err = signature.header.sanitized()
if err != nil {
@ -241,6 +283,12 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
return nil, err
}
alg := SignatureAlgorithm(obj.Signatures[i].Header.Algorithm)
if !containsSignatureAlgorithm(signatureAlgorithms, alg) {
return nil, fmt.Errorf("go-jose/go-jose: unexpected signature algorithm %q; expected %q",
alg, signatureAlgorithms)
}
if obj.Signatures[i].header != nil {
obj.Signatures[i].Unprotected, err = obj.Signatures[i].header.sanitized()
if err != nil {
@ -274,7 +322,11 @@ func (parsed *rawJSONWebSignature) sanitized() (*JSONWebSignature, error) {
}
// parseSignedCompact parses a message in compact format.
func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error) {
func parseSignedCompact(
input string,
payload []byte,
signatureAlgorithms []SignatureAlgorithm,
) (*JSONWebSignature, error) {
parts := strings.Split(input, ".")
if len(parts) != 3 {
return nil, fmt.Errorf("go-jose/go-jose: compact JWS format must have three parts")
@ -284,19 +336,19 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
return nil, fmt.Errorf("go-jose/go-jose: payload is not detached")
}
rawProtected, err := base64URLDecode(parts[0])
rawProtected, err := base64.RawURLEncoding.DecodeString(parts[0])
if err != nil {
return nil, err
}
if payload == nil {
payload, err = base64URLDecode(parts[1])
payload, err = base64.RawURLEncoding.DecodeString(parts[1])
if err != nil {
return nil, err
}
}
signature, err := base64URLDecode(parts[2])
signature, err := base64.RawURLEncoding.DecodeString(parts[2])
if err != nil {
return nil, err
}
@ -306,7 +358,7 @@ func parseSignedCompact(input string, payload []byte) (*JSONWebSignature, error)
Protected: newBuffer(rawProtected),
Signature: newBuffer(signature),
}
return raw.sanitized()
return raw.sanitized(signatureAlgorithms)
}
func (obj JSONWebSignature) compactSerialize(detached bool) (string, error) {

View File

@ -21,13 +21,13 @@ import (
"bytes"
"reflect"
"github.com/go-jose/go-jose/v3/json"
"github.com/go-jose/go-jose/v4/json"
"github.com/go-jose/go-jose/v3"
"github.com/go-jose/go-jose/v4"
)
// Builder is a utility for making JSON Web Tokens. Calls can be chained, and
// errors are accumulated until the final call to CompactSerialize/FullSerialize.
// errors are accumulated until the final call to Serialize.
type Builder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set
@ -36,15 +36,13 @@ type Builder interface {
Claims(i interface{}) Builder
// Token builds a JSONWebToken from provided data.
Token() (*JSONWebToken, error)
// FullSerialize serializes a token using the JWS/JWE JSON Serialization format.
FullSerialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
// Serialize serializes a token.
Serialize() (string, error)
}
// NestedBuilder is a utility for making Signed-Then-Encrypted JSON Web Tokens.
// Calls can be chained, and errors are accumulated until final call to
// CompactSerialize/FullSerialize.
// Serialize.
type NestedBuilder interface {
// Claims encodes claims into JWE/JWS form. Multiple calls will merge claims
// into single JSON object. If you are passing private claims, make sure to set
@ -53,10 +51,8 @@ type NestedBuilder interface {
Claims(i interface{}) NestedBuilder
// Token builds a NestedJSONWebToken from provided data.
Token() (*NestedJSONWebToken, error)
// FullSerialize serializes a token using the JSON Serialization format.
FullSerialize() (string, error)
// CompactSerialize serializes a token using the compact serialization format.
CompactSerialize() (string, error)
// Serialize serializes a token.
Serialize() (string, error)
}
type builder struct {
@ -194,7 +190,7 @@ func (b *signedBuilder) Token() (*JSONWebToken, error) {
return b.builder.token(sig.Verify, h)
}
func (b *signedBuilder) CompactSerialize() (string, error) {
func (b *signedBuilder) Serialize() (string, error) {
sig, err := b.sign()
if err != nil {
return "", err
@ -203,15 +199,6 @@ func (b *signedBuilder) CompactSerialize() (string, error) {
return sig.CompactSerialize()
}
func (b *signedBuilder) FullSerialize() (string, error) {
sig, err := b.sign()
if err != nil {
return "", err
}
return sig.FullSerialize(), nil
}
func (b *signedBuilder) sign() (*jose.JSONWebSignature, error) {
if b.err != nil {
return nil, b.err
@ -232,7 +219,7 @@ func (b *encryptedBuilder) Claims(i interface{}) Builder {
}
}
func (b *encryptedBuilder) CompactSerialize() (string, error) {
func (b *encryptedBuilder) Serialize() (string, error) {
enc, err := b.encrypt()
if err != nil {
return "", err
@ -241,15 +228,6 @@ func (b *encryptedBuilder) CompactSerialize() (string, error) {
return enc.CompactSerialize()
}
func (b *encryptedBuilder) FullSerialize() (string, error) {
enc, err := b.encrypt()
if err != nil {
return "", err
}
return enc.FullSerialize(), nil
}
func (b *encryptedBuilder) Token() (*JSONWebToken, error) {
enc, err := b.encrypt()
if err != nil {
@ -280,6 +258,8 @@ func (b *nestedBuilder) Claims(i interface{}) NestedBuilder {
}
}
// Token produced a token suitable for serialization. It cannot be decrypted
// without serializing and then deserializing.
func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
enc, err := b.signAndEncrypt()
if err != nil {
@ -287,12 +267,13 @@ func (b *nestedBuilder) Token() (*NestedJSONWebToken, error) {
}
return &NestedJSONWebToken{
enc: enc,
Headers: []jose.Header{enc.Header},
allowedSignatureAlgorithms: nil,
enc: enc,
Headers: []jose.Header{enc.Header},
}, nil
}
func (b *nestedBuilder) CompactSerialize() (string, error) {
func (b *nestedBuilder) Serialize() (string, error) {
enc, err := b.signAndEncrypt()
if err != nil {
return "", err

Some files were not shown because too many files have changed in this diff Show More