rebase: bump github.com/aws/aws-sdk-go-v2/service/sts

Bumps [github.com/aws/aws-sdk-go-v2/service/sts](https://github.com/aws/aws-sdk-go-v2) from 1.18.6 to 1.18.10.
- [Release notes](https://github.com/aws/aws-sdk-go-v2/releases)
- [Changelog](https://github.com/aws/aws-sdk-go-v2/blob/main/CHANGELOG.md)
- [Commits](https://github.com/aws/aws-sdk-go-v2/compare/config/v1.18.6...config/v1.18.10)

---
updated-dependencies:
- dependency-name: github.com/aws/aws-sdk-go-v2/service/sts
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
dependabot[bot] 2023-05-01 20:59:21 +00:00 committed by mergify[bot]
parent 1852e977f8
commit 7d4295b298
27 changed files with 518 additions and 488 deletions

go.mod

@ -5,7 +5,7 @@ go 1.19
require ( require (
github.com/IBM/keyprotect-go-client v0.10.0 github.com/IBM/keyprotect-go-client v0.10.0
github.com/aws/aws-sdk-go v1.44.249 github.com/aws/aws-sdk-go v1.44.249
github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000 github.com/ceph/ceph-csi/api v0.0.0-00010101000000-000000000000
// TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag // TODO: API for managing subvolume metadata and snapshot metadata requires `ceph_ci_untested` build-tag
github.com/ceph/go-ceph v0.21.0 github.com/ceph/go-ceph v0.21.0
@ -50,10 +50,10 @@ require (
require ( require (
github.com/ansel1/merry v1.6.2 // indirect github.com/ansel1/merry v1.6.2 // indirect
github.com/ansel1/merry/v2 v2.0.1 // indirect github.com/ansel1/merry/v2 v2.0.1 // indirect
github.com/aws/aws-sdk-go-v2 v1.17.6 // indirect github.com/aws/aws-sdk-go-v2 v1.18.0 // indirect
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 // indirect github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 // indirect
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 // indirect github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 // indirect
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 // indirect github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 // indirect
github.com/aws/smithy-go v1.13.5 // indirect github.com/aws/smithy-go v1.13.5 // indirect
github.com/beorn7/perks v1.0.1 // indirect github.com/beorn7/perks v1.0.1 // indirect
github.com/blang/semver/v4 v4.0.0 // indirect github.com/blang/semver/v4 v4.0.0 // indirect

go.sum

@ -157,16 +157,16 @@ github.com/aws/aws-sdk-go v1.25.37/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpi
github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo= github.com/aws/aws-sdk-go v1.25.41/go.mod h1:KmX6BPdI08NWTb3/sm4ZGu5ShLoqVDhKgpiN924inxo=
github.com/aws/aws-sdk-go v1.44.249 h1:UbUvh/oYHdAD3vZjNi316M0NIupJsrqAcJckVuhaCB8= github.com/aws/aws-sdk-go v1.44.249 h1:UbUvh/oYHdAD3vZjNi316M0NIupJsrqAcJckVuhaCB8=
github.com/aws/aws-sdk-go v1.44.249/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI= github.com/aws/aws-sdk-go v1.44.249/go.mod h1:aVsgQcEevwlmQ7qHE9I3h+dtQgpqhFB+i8Phjh7fkwI=
github.com/aws/aws-sdk-go-v2 v1.17.6 h1:Y773UK7OBqhzi5VDXMi1zVGsoj+CVHs2eaC2bDsLwi0= github.com/aws/aws-sdk-go-v2 v1.18.0 h1:882kkTpSFhdgYRKVZ/VCgf7sd0ru57p2JCxz4/oN5RY=
github.com/aws/aws-sdk-go-v2 v1.17.6/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw= github.com/aws/aws-sdk-go-v2 v1.18.0/go.mod h1:uzbQtefpm44goOPmdKyAlXSNcwlRgF3ePWVW6EtJvvw=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 h1:y+8n9AGDjikyXoMBTRaHHHSaFEB8267ykmvyPodJfys= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33 h1:kG5eQilShqmJbv11XL1VpyDbaEJzWxd4zRiCG30GSn4=
github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30/go.mod h1:LUBAO3zNXQjoONBKn/kR1y0Q4cj/D02Ts0uHYjcCQLM= github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33/go.mod h1:7i0PF1ME/2eUPFcjkVIwq+DOygHEoK92t5cDqNgYbIw=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 h1:r+Kv+SEJquhAZXaJ7G4u44cIwXV3f8K+N482NNAzJZA= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27 h1:vFQlirhuM8lLlpI7imKOMsjdQLuN9CPi+k44F/OFVsk=
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24/go.mod h1:gAuCezX/gob6BSMbItsSlMb6WZGV7K2+fWOvk8xBSto= github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27/go.mod h1:UrHnn3QV/d0pBZ6QBAEQcqFLf8FAzLmoUfPVIueOvoM=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 h1:c5qGfdbCHav6viBwiyDns3OXqhqAbGjfIB4uVu2ayhk= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27 h1:0iKliEXAcCa2qVtRs7Ot5hItA2MsufrphbRFlz1Owxo=
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24/go.mod h1:HMA4FZG6fyib+NDo5bpIxX1EhYjrAOveZJY2YR0xrNE= github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27/go.mod h1:EOwBD4J4S5qYszS5/3DpkejfuK+Z5/1uzICfPaZLtqw=
github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 h1:rIFn5J3yDoeuKCE9sESXqM5POTAhOP1du3bv/qTL+tE= github.com/aws/aws-sdk-go-v2/service/sts v1.18.10 h1:6UbNM/KJhMBfOI5+lpVcJ/8OA7cBSz0O6OX37SRKlSw=
github.com/aws/aws-sdk-go-v2/service/sts v1.18.6/go.mod h1:48WJ9l3dwP0GSHWGc5sFGGlCkuA82Mc2xnw+T6Q8aDw= github.com/aws/aws-sdk-go-v2/service/sts v1.18.10/go.mod h1:BgQOMsg8av8jset59jelyPW7NoZcZXLVpDsXunGDrk8=
github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8= github.com/aws/smithy-go v1.13.5 h1:hgz0X/DX0dGqTYpGALqXJoRKRj5oQ7150i5FdTePzO8=
github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA= github.com/aws/smithy-go v1.13.5/go.mod h1:Tg+OJXh4MB2R/uN61Ko2f6hTZwB/ZYGOtib8J3gBHzA=
github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc= github.com/baiyubin/aliyun-sts-go-sdk v0.0.0-20180326062324-cfa1a18b161f/go.mod h1:AuiFmCCPBSrqvVMvuqFuk0qogytodnVFVSN5CeJB8Gc=


@ -3,4 +3,4 @@
package aws package aws
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.17.6" const goModuleVersion = "1.18.0"


@ -0,0 +1,94 @@
package middleware
import (
"context"
"fmt"
"github.com/aws/smithy-go/middleware"
smithyhttp "github.com/aws/smithy-go/transport/http"
"os"
)
const envAwsLambdaFunctionName = "AWS_LAMBDA_FUNCTION_NAME"
const envAmznTraceID = "_X_AMZN_TRACE_ID"
const amznTraceIDHeader = "X-Amzn-Trace-Id"
// AddRecursionDetection adds recursionDetection to the middleware stack
func AddRecursionDetection(stack *middleware.Stack) error {
return stack.Build.Add(&RecursionDetection{}, middleware.After)
}
// RecursionDetection detects Lambda environment and sets its X-Ray trace ID to request header if absent
// to avoid recursion invocation in Lambda
type RecursionDetection struct{}
// ID returns the middleware identifier
func (m *RecursionDetection) ID() string {
return "RecursionDetection"
}
// HandleBuild detects Lambda environment and adds its trace ID to request header if absent
func (m *RecursionDetection) HandleBuild(
ctx context.Context, in middleware.BuildInput, next middleware.BuildHandler,
) (
out middleware.BuildOutput, metadata middleware.Metadata, err error,
) {
req, ok := in.Request.(*smithyhttp.Request)
if !ok {
return out, metadata, fmt.Errorf("unknown request type %T", req)
}
_, hasLambdaEnv := os.LookupEnv(envAwsLambdaFunctionName)
xAmznTraceID, hasTraceID := os.LookupEnv(envAmznTraceID)
value := req.Header.Get(amznTraceIDHeader)
// only set the X-Amzn-Trace-Id header when it is not set initially, the
// current environment is Lambda and the _X_AMZN_TRACE_ID env variable exists
if value != "" || !hasLambdaEnv || !hasTraceID {
return next.HandleBuild(ctx, in)
}
req.Header.Set(amznTraceIDHeader, percentEncode(xAmznTraceID))
return next.HandleBuild(ctx, in)
}
func percentEncode(s string) string {
upperhex := "0123456789ABCDEF"
hexCount := 0
for i := 0; i < len(s); i++ {
c := s[i]
if shouldEncode(c) {
hexCount++
}
}
if hexCount == 0 {
return s
}
required := len(s) + 2*hexCount
t := make([]byte, required)
j := 0
for i := 0; i < len(s); i++ {
if c := s[i]; shouldEncode(c) {
t[j] = '%'
t[j+1] = upperhex[c>>4]
t[j+2] = upperhex[c&15]
j += 3
} else {
t[j] = c
j++
}
}
return string(t)
}
func shouldEncode(c byte) bool {
if 'a' <= c && c <= 'z' || 'A' <= c && c <= 'Z' || '0' <= c && c <= '9' {
return false
}
switch c {
case '-', '=', ';', ':', '+', '&', '[', ']', '{', '}', '"', '\'', ',':
return false
default:
return true
}
}


@ -95,8 +95,13 @@ func (r RetryableConnectionError) IsErrorRetryable(err error) aws.Ternary {
var timeoutErr interface{ Timeout() bool } var timeoutErr interface{ Timeout() bool }
var urlErr *url.Error var urlErr *url.Error
var netOpErr *net.OpError var netOpErr *net.OpError
var dnsError *net.DNSError
switch { switch {
case errors.As(err, &dnsError):
// NXDOMAIN errors should not be retried
retryable = !dnsError.IsNotFound && dnsError.IsTemporary
case errors.As(err, &conErr) && conErr.ConnectionError(): case errors.As(err, &conErr) && conErr.ConnectionError():
retryable = true retryable = true


@ -7,6 +7,7 @@ var IgnoredHeaders = Rules{
"Authorization": struct{}{}, "Authorization": struct{}{},
"User-Agent": struct{}{}, "User-Agent": struct{}{},
"X-Amzn-Trace-Id": struct{}{}, "X-Amzn-Trace-Id": struct{}{},
"Expect": struct{}{},
}, },
}, },
} }


@ -1,3 +1,15 @@
# v1.1.33 (2023-04-24)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.1.32 (2023-04-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.1.31 (2023-03-21)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.1.30 (2023-03-10) # v1.1.30 (2023-03-10)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package configsources package configsources
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.1.30" const goModuleVersion = "1.1.33"


@ -1,3 +1,15 @@
# v2.4.27 (2023-04-24)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.4.26 (2023-04-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.4.25 (2023-03-21)
* **Dependency Update**: Updated to the latest SDK module versions
# v2.4.24 (2023-03-10) # v2.4.24 (2023-03-10)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package endpoints package endpoints
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "2.4.24" const goModuleVersion = "2.4.27"


@ -1,3 +1,15 @@
# v1.9.27 (2023-04-24)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.9.26 (2023-04-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.9.25 (2023-03-21)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.9.24 (2023-03-10) # v1.9.24 (2023-03-10)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -3,4 +3,4 @@
package presignedurl package presignedurl
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.9.24" const goModuleVersion = "1.9.27"


@ -1,3 +1,19 @@
# v1.18.10 (2023-04-24)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.18.9 (2023-04-10)
* No change notes available for this release.
# v1.18.8 (2023-04-07)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.18.7 (2023-03-21)
* **Dependency Update**: Updated to the latest SDK module versions
# v1.18.6 (2023-03-10) # v1.18.6 (2023-03-10)
* **Dependency Update**: Updated to the latest SDK module versions * **Dependency Update**: Updated to the latest SDK module versions


@ -117,7 +117,7 @@ type Options struct {
Retryer aws.Retryer Retryer aws.Retryer
// The RuntimeEnvironment configuration, only populated if the DefaultsMode is set // The RuntimeEnvironment configuration, only populated if the DefaultsMode is set
// to DefaultsModeAuto and is initialized using config.LoadDefaultConfig. You // to DefaultsModeAuto and is initialized using config.LoadDefaultConfig . You
// should not populate this structure programmatically, or rely on the values here // should not populate this structure programmatically, or rely on the values here
// within your applications. // within your applications.
RuntimeEnvironment aws.RuntimeEnvironment RuntimeEnvironment aws.RuntimeEnvironment


@ -16,16 +16,13 @@ import (
// key ID, a secret access key, and a security token. Typically, you use AssumeRole // key ID, a secret access key, and a security token. Typically, you use AssumeRole
// within your account or for cross-account access. For a comparison of AssumeRole // within your account or for cross-account access. For a comparison of AssumeRole
// with other API operations that produce temporary credentials, see Requesting // with other API operations that produce temporary credentials, see Requesting
// Temporary Security Credentials // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. Permissions The temporary security credentials created by // in the IAM User Guide. Permissions The temporary security credentials created by
// AssumeRole can be used to make API calls to any Amazon Web Services service with // AssumeRole can be used to make API calls to any Amazon Web Services service
// the following exception: You cannot call the Amazon Web Services STS // with the following exception: You cannot call the Amazon Web Services STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass // GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies // inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@ -36,8 +33,7 @@ import (
// credentials in subsequent Amazon Web Services API calls to access resources in // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more // the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is // permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. When you create a role, you create two policies: A role // in the IAM User Guide. When you create a role, you create two policies: A role
// trust policy that specifies who can assume the role and a permissions policy // trust policy that specifies who can assume the role and a permissions policy
// that specifies what can be done with the role. You specify the trusted principal // that specifies what can be done with the role. You specify the trusted principal
@ -48,37 +44,29 @@ import (
// that access to users in the account. A user who wants to access a role in a // that access to users in the account. A user who wants to access a role in a
// different account must also have permissions that are delegated from the user // different account must also have permissions that are delegated from the user
// account administrator. The administrator must attach a policy that allows the // account administrator. The administrator must attach a policy that allows the
// user to call AssumeRole for the ARN of the role in the other account. To allow a // user to call AssumeRole for the ARN of the role in the other account. To allow
// user to assume a role in the same account, you can do either of the // a user to assume a role in the same account, you can do either of the following:
// following:
// //
// * Attach a policy to the user that allows the user to call // - Attach a policy to the user that allows the user to call AssumeRole (as long
// AssumeRole (as long as the role's trust policy trusts the account). // as the role's trust policy trusts the account).
// - Add the user as a principal directly in the role's trust policy.
// //
// * Add the // You can do either because the roles trust policy acts as an IAM resource-based
// user as a principal directly in the role's trust policy. // policy. When a resource-based policy grants access to a principal in the same
// // account, no additional identity-based policy is required. For more information
// You can do either // about trust policies and resource-based policies, see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
// because the roles trust policy acts as an IAM resource-based policy. When a // in the IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
// resource-based policy grants access to a principal in the same account, no
// additional identity-based policy is required. For more information about trust
// policies and resource-based policies, see IAM Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the
// IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
// session. These tags are called session tags. For more information about session // session. These tags are called session tags. For more information about session
// tags, see Passing Session Tags in STS // tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. An administrator must grant you the permissions necessary
// IAM User Guide. An administrator must grant you the permissions necessary to // to pass session tags. The administrator can also create granular permissions to
// pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see // allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control // Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive // in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with // tags persist during role chaining. For more information, see Chaining Roles
// Session Tags // with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include // in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
// multi-factor authentication (MFA) information when you call AssumeRole. This is // multi-factor authentication (MFA) information when you call AssumeRole . This is
// useful for cross-account scenarios to ensure that the user that assumes the role // useful for cross-account scenarios to ensure that the user that assumes the role
// has been authenticated with an Amazon Web Services MFA device. In that scenario, // has been authenticated with an Amazon Web Services MFA device. In that scenario,
// the trust policy of the role being assumed includes a condition that tests for // the trust policy of the role being assumed includes a condition that tests for
@ -86,12 +74,11 @@ import (
// request to assume the role is denied. The condition in a trust policy that tests // request to assume the role is denied. The condition in a trust policy that tests
// for MFA authentication might look like the following example. "Condition": // for MFA authentication might look like the following example. "Condition":
// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see // {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
// Configuring MFA-Protected API Access // Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) in the // in the IAM User Guide guide. To use MFA with AssumeRole , you pass values for
// IAM User Guide guide. To use MFA with AssumeRole, you pass values for the // the SerialNumber and TokenCode parameters. The SerialNumber value identifies
// SerialNumber and TokenCode parameters. The SerialNumber value identifies the // the user's hardware or virtual MFA device. The TokenCode is the time-based
// user's hardware or virtual MFA device. The TokenCode is the time-based one-time // one-time password (TOTP) that the MFA device produces.
// password (TOTP) that the MFA device produces.
func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) { func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
if params == nil { if params == nil {
params = &AssumeRoleInput{} params = &AssumeRoleInput{}
@ -143,16 +130,14 @@ type AssumeRoleInput struct {
// maximum session duration setting for your role. However, if you assume a role // maximum session duration setting for your role. However, if you assume a role
// using role chaining and provide a DurationSeconds parameter value greater than // using role chaining and provide a DurationSeconds parameter value greater than
// one hour, the operation fails. To learn how to view the maximum value for your // one hour, the operation fails. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The // in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session // DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the // that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration // federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide. // in the IAM User Guide.
DurationSeconds *int32 DurationSeconds *int32
@ -165,8 +150,7 @@ type AssumeRoleInput struct {
// administrator of the trusted account. That way, only someone with the ID can // administrator of the trusted account. That way, only someone with the ID can
// assume the role, rather than everyone in the account. For more information about // assume the role, rather than everyone in the account. For more information about
// the external ID, see How to Use an External ID When Granting Access to Your // the external ID, see How to Use an External ID When Granting Access to Your
// Amazon Web Services Resources to a Third Party // Amazon Web Services Resources to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of // in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no // characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters: // spaces. You can also include underscores or any of the following characters:
@ -181,8 +165,7 @@ type AssumeRoleInput struct {
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see Session
// Policies // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed // in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can // session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid // be any ASCII character from the space character to the end of the valid
@ -200,9 +183,8 @@ type AssumeRoleInput struct {
// the role. This parameter is optional. You can provide up to 10 managed policy // the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session // ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see // policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in // in the Amazon Web Services General Reference. An Amazon Web Services conversion
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session // compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can // tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The // fail for this limit even if your plaintext meets the other requirements. The
@ -214,17 +196,16 @@ type AssumeRoleInput struct {
// Services API calls to access resources in the account that owns the role. You // Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the // cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information, // identity-based policy of the role that is being assumed. For more information,
// see Session Policies // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. // in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
// The identification number of the MFA device that is associated with the user who // The identification number of the MFA device that is associated with the user
// is making the AssumeRole call. Specify this value if the trust policy of the // who is making the AssumeRole call. Specify this value if the trust policy of
// role being assumed includes a condition that requires MFA authentication. The // the role being assumed includes a condition that requires MFA authentication.
// value is either the serial number for a hardware device (such as GAHT12345678) // The value is either the serial number for a hardware device (such as
// or an Amazon Resource Name (ARN) for a virtual device (such as // GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
// arn:aws:iam::123456789012:mfa/user). The regex used to validate this parameter // arn:aws:iam::123456789012:mfa/user ). The regex used to validate this parameter
// is a string of characters consisting of upper- and lower-case alphanumeric // is a string of characters consisting of upper- and lower-case alphanumeric
// characters with no spaces. You can also include underscores or any of the // characters with no spaces. You can also include underscores or any of the
// following characters: =,.@- // following characters: =,.@-
@ -237,24 +218,21 @@ type AssumeRoleInput struct {
// who took actions with a role. You can use the aws:SourceIdentity condition key // who took actions with a role. You can use the aws:SourceIdentity condition key
// to further control access to Amazon Web Services resources based on the value of // to further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see Monitor // source identity. For more information about using source identity, see Monitor
// and control actions taken with assumed roles // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of // in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no // characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters: // spaces. You can also include underscores or any of the following characters:
// =,.@-. You cannot use a value that begins with the text aws:. This prefix is // =,.@-. You cannot use a value that begins with the text aws: . This prefix is
// reserved for Amazon Web Services internal use. // reserved for Amazon Web Services internal use.
SourceIdentity *string SourceIdentity *string
// A list of session tags that you want to pass. Each session tag consists of a key // A list of session tags that you want to pass. Each session tag consists of a
// name and an associated value. For more information about session tags, see // key name and an associated value. For more information about session tags, see
// Tagging Amazon Web Services STS Sessions // Tagging Amazon Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. This parameter is optional. You can pass up to 50 session
// IAM User Guide. This parameter is optional. You can pass up to 50 session tags. // tags. The plaintext session tag keys cant exceed 128 characters, and the values
// The plaintext session tag keys cant exceed 128 characters, and the values cant // cant exceed 256 characters. For these and additional limits, see IAM and STS
// exceed 256 characters. For these and additional limits, see IAM and STS // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed // inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit // binary format that has a separate limit. Your request can fail for this limit
@ -264,16 +242,15 @@ type AssumeRoleInput struct {
// same key as a tag that is already attached to the role. When you do, session // same key as a tag that is already attached to the role. When you do, session
// tags override a role tag with the same key. Tag keyvalue pairs are not case // tags override a role tag with the same key. Tag keyvalue pairs are not case
// sensitive, but case is preserved. This means that you cannot have separate // sensitive, but case is preserved. This means that you cannot have separate
// Department and department tag keys. Assume that the role has the // Department and department tag keys. Assume that the role has the Department =
// Department=Marketing tag and you pass the department=engineering session tag. // Marketing tag and you pass the department = engineering session tag. Department
// Department and department are not saved as separate tags, and the session tag // and department are not saved as separate tags, and the session tag passed in
// passed in the request takes precedence over the role tag. Additionally, if you // the request takes precedence over the role tag. Additionally, if you used
// used temporary credentials to perform this operation, the new session inherits // temporary credentials to perform this operation, the new session inherits any
// any transitive session tags from the calling session. If you pass a session tag // transitive session tags from the calling session. If you pass a session tag with
// with the same key as an inherited tag, the operation fails. To view the // the same key as an inherited tag, the operation fails. To view the inherited
// inherited tags for a session, see the CloudTrail logs. For more information, see // tags for a session, see the CloudTrail logs. For more information, see Viewing
// Viewing Session Tags in CloudTrail // Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs)
// in the IAM User Guide. // in the IAM User Guide.
Tags []types.Tag Tags []types.Tag
@ -285,11 +262,10 @@ type AssumeRoleInput struct {
// sequence of six numeric digits. // sequence of six numeric digits.
TokenCode *string TokenCode *string
// A list of keys for session tags that you want to set as transitive. If you set a // A list of keys for session tags that you want to set as transitive. If you set
// tag key as transitive, the corresponding key and value passes to subsequent // a tag key as transitive, the corresponding key and value passes to subsequent
// sessions in a role chain. For more information, see Chaining Roles with Session // sessions in a role chain. For more information, see Chaining Roles with Session
// Tags // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. This parameter is optional. When you set session tags as // in the IAM User Guide. This parameter is optional. When you set session tags as
// transitive, the session policy and session tags packed binary limit is not // transitive, the session policy and session tags packed binary limit is not
// affected. If you choose not to specify a transitive tag key, then no tags are // affected. If you choose not to specify a transitive tag key, then no tags are
@ -308,7 +284,7 @@ type AssumeRoleOutput struct {
// that you can use to refer to the resulting temporary security credentials. For // that you can use to refer to the resulting temporary security credentials. For
// example, you can reference these credentials as a principal in a resource-based // example, you can reference these credentials as a principal in a resource-based
// policy by using the ARN or assumed role ID. The ARN and ID include the // policy by using the ARN or assumed role ID. The ARN and ID include the
// RoleSessionName that you specified when you called AssumeRole. // RoleSessionName that you specified when you called AssumeRole .
AssumedRoleUser *types.AssumedRoleUser AssumedRoleUser *types.AssumedRoleUser
// The temporary security credentials, which include an access key ID, a secret // The temporary security credentials, which include an access key ID, a secret
@ -330,8 +306,7 @@ type AssumeRoleOutput struct {
// who took actions with a role. You can use the aws:SourceIdentity condition key // who took actions with a role. You can use the aws:SourceIdentity condition key
// to further control access to Amazon Web Services resources based on the value of // to further control access to Amazon Web Services resources based on the value of
// source identity. For more information about using source identity, see Monitor // source identity. For more information about using source identity, see Monitor
// and control actions taken with assumed roles // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of // in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no // characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters: // spaces. You can also include underscores or any of the following characters:
@ -395,6 +370,9 @@ func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, opti
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRole(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRole(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -15,10 +15,8 @@ import (
// mechanism for tying an enterprise identity store or directory to role-based // mechanism for tying an enterprise identity store or directory to role-based
// Amazon Web Services access without user-specific credentials or configuration. // Amazon Web Services access without user-specific credentials or configuration.
// For a comparison of AssumeRoleWithSAML with the other API operations that // For a comparison of AssumeRoleWithSAML with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials // produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this // in the IAM User Guide. The temporary security credentials returned by this
// operation consist of an access key ID, a secret access key, and a security // operation consist of an access key ID, a secret access key, and a security
// token. Applications can use these temporary security credentials to sign calls // token. Applications can use these temporary security credentials to sign calls
@ -31,15 +29,12 @@ import (
// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session // DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
// duration setting for the role. This setting can have a value from 1 hour to 12 // duration setting for the role. This setting can have a value from 1 hour to 12
// hours. To learn how to view the maximum value for your role, see View the // hours. To learn how to view the maximum value for your role, see View the
// Maximum Session Duration Setting for a Role // Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use // in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the // the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For // limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles // more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM // in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
// User Guide. Role chaining
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
// limits your CLI or Amazon Web Services API role session to a maximum of one // limits your CLI or Amazon Web Services API role session to a maximum of one
// hour. When you use the AssumeRole API operation to assume a role, you can // hour. When you use the AssumeRole API operation to assume a role, you can
// specify the duration of your role session with the DurationSeconds parameter. // specify the duration of your role session with the DurationSeconds parameter.
@ -50,8 +45,7 @@ import (
// credentials created by AssumeRoleWithSAML can be used to make API calls to any // credentials created by AssumeRoleWithSAML can be used to make API calls to any
// Amazon Web Services service with the following exception: you cannot call the // Amazon Web Services service with the following exception: you cannot call the
// STS GetFederationToken or GetSessionToken API operations. (Optional) You can // STS GetFederationToken or GetSessionToken API operations. (Optional) You can
// pass inline or managed session policies // pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@ -62,8 +56,7 @@ import (
// credentials in subsequent Amazon Web Services API calls to access resources in // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more // the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is // permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of // in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
// Amazon Web Services security credentials. The identity of the caller is // Amazon Web Services security credentials. The identity of the caller is
// validated by using keys in the metadata document that is uploaded for the SAML // validated by using keys in the metadata document that is uploaded for the SAML
@ -71,16 +64,14 @@ import (
// result in an entry in your CloudTrail logs. The entry includes the value in the // result in an entry in your CloudTrail logs. The entry includes the value in the
// NameID element of the SAML assertion. We recommend that you use a NameIDType // NameID element of the SAML assertion. We recommend that you use a NameIDType
// that is not associated with any personally identifiable information (PII). For // that is not associated with any personally identifiable information (PII). For
// example, you could instead use the persistent identifier // example, you could instead use the persistent identifier (
// (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Tags (Optional) You can // urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can
// configure your IdP to pass attributes into your SAML assertion as session tags. // configure your IdP to pass attributes into your SAML assertion as session tags.
// Each session tag consists of a key name and an associated value. For more // Each session tag consists of a key name and an associated value. For more
// information about session tags, see Passing Session Tags in STS // information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag // tag keys cant exceed 128 characters and the values cant exceed 256 characters.
// keys cant exceed 128 characters and the values cant exceed 256 characters. For // For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed // inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit // binary format that has a separate limit. Your request can fail for this limit
@ -91,35 +82,24 @@ import (
// override the role's tags with the same key. An administrator must grant you the // override the role's tags with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create // permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more // granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control // information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive // in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with // tags persist during role chaining. For more information, see Chaining Roles
// Session Tags // with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. SAML Configuration Before your application can call // in the IAM User Guide. SAML Configuration Before your application can call
// AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to // AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to
// issue the claims required by Amazon Web Services. Additionally, you must use // issue the claims required by Amazon Web Services. Additionally, you must use
// Identity and Access Management (IAM) to create a SAML provider entity in your // Identity and Access Management (IAM) to create a SAML provider entity in your
// Amazon Web Services account that represents your identity provider. You must // Amazon Web Services account that represents your identity provider. You must
// also create an IAM role that specifies this SAML provider in its trust policy. // also create an IAM role that specifies this SAML provider in its trust policy.
// For more information, see the following resources: // For more information, see the following resources:
// // - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
// * About SAML 2.0-based
// Federation
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
// in the IAM User Guide. // in the IAM User Guide.
// // - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
// * Creating SAML Identity Providers
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
// in the IAM User Guide. // in the IAM User Guide.
// // - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
// * Configuring a Relying Party and Claims
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
// in the IAM User Guide. // in the IAM User Guide.
// // - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
// * Creating a Role for SAML 2.0 Federation
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
// in the IAM User Guide. // in the IAM User Guide.
func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) { func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) {
if params == nil { if params == nil {
@ -150,8 +130,7 @@ type AssumeRoleWithSAMLInput struct {
RoleArn *string RoleArn *string
// The base64 encoded SAML authentication response provided by the IdP. For more // The base64 encoded SAML authentication response provided by the IdP. For more
// information, see Configuring a Relying Party and Adding Claims // information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// in the IAM User Guide. // in the IAM User Guide.
// //
// This member is required. // This member is required.
@ -166,16 +145,14 @@ type AssumeRoleWithSAMLInput struct {
// than this setting, the operation fails. For example, if you specify a session // than this setting, the operation fails. For example, if you specify a session
// duration of 12 hours, but your administrator set the maximum session duration to // duration of 12 hours, but your administrator set the maximum session duration to
// 6 hours, your operation fails. To learn how to view the maximum value for your // 6 hours, your operation fails. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The // in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session // DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the // that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration // federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide. // in the IAM User Guide.
DurationSeconds *int32 DurationSeconds *int32
@ -187,8 +164,7 @@ type AssumeRoleWithSAMLInput struct {
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see Session
// Policies // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed // in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can // session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid // be any ASCII character from the space character to the end of the valid
@ -206,9 +182,8 @@ type AssumeRoleWithSAMLInput struct {
// the role. This parameter is optional. You can provide up to 10 managed policy // the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session // ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see // policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in // in the Amazon Web Services General Reference. An Amazon Web Services conversion
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session // compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can // tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The // fail for this limit even if your plaintext meets the other requirements. The
@ -220,8 +195,7 @@ type AssumeRoleWithSAMLInput struct {
// Services API calls to access resources in the account that owns the role. You // Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the // cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information, // identity-based policy of the role that is being assumed. For more information,
// see Session Policies // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. // in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
@ -251,19 +225,12 @@ type AssumeRoleWithSAMLOutput struct {
Issuer *string Issuer *string
// A hash value based on the concatenation of the following: // A hash value based on the concatenation of the following:
// // - The Issuer response value.
// * The Issuer response // - The Amazon Web Services account ID.
// value. // - The friendly name (the last part of the ARN) of the SAML provider in IAM.
// // The combination of NameQualifier and Subject can be used to uniquely identify a
// * The Amazon Web Services account ID. // federated user. The following pseudocode shows how the hash value is calculated:
// // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
// * The friendly name (the last
// part of the ARN) of the SAML provider in IAM.
//
// The combination of NameQualifier
// and Subject can be used to uniquely identify a federated user. The following
// pseudocode shows how the hash value is calculated: BASE64 ( SHA1 (
// "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
NameQualifier *string NameQualifier *string
// A percentage value that indicates the packed size of the session policies and // A percentage value that indicates the packed size of the session policies and
@ -272,20 +239,18 @@ type AssumeRoleWithSAMLOutput struct {
// allowed space. // allowed space.
PackedPolicySize *int32 PackedPolicySize *int32
// The value in the SourceIdentity attribute in the SAML assertion. You can require // The value in the SourceIdentity attribute in the SAML assertion. You can
// users to set a source identity value when they assume a role. You do this by // require users to set a source identity value when they assume a role. You do
// using the sts:SourceIdentity condition key in a role trust policy. That way, // this by using the sts:SourceIdentity condition key in a role trust policy. That
// actions that are taken with the role are associated with that user. After the // way, actions that are taken with the role are associated with that user. After
// source identity is set, the value cannot be changed. It is present in the // the source identity is set, the value cannot be changed. It is present in the
// request for all actions that are taken by the role and persists across chained // request for all actions that are taken by the role and persists across chained
// role // role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// sessions. You can configure your SAML identity provider to use an attribute // sessions. You can configure your SAML identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when // associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithSAML. You do this by adding an attribute to the SAML // calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML
// assertion. For more information about using source identity, see Monitor and // assertion. For more information about using source identity, see Monitor and
// control actions taken with assumed roles // control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of // in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no // characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters: // spaces. You can also include underscores or any of the following characters:
@ -297,10 +262,10 @@ type AssumeRoleWithSAMLOutput struct {
// The format of the name ID, as defined by the Format attribute in the NameID // The format of the name ID, as defined by the Format attribute in the NameID
// element of the SAML assertion. Typical examples of the format are transient or // element of the SAML assertion. Typical examples of the format are transient or
// persistent. If the format includes the prefix // persistent . If the format includes the prefix
// urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For example, // urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example,
// urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient. If // urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient .
// the format includes any other prefix, the format is returned with no // If the format includes any other prefix, the format is returned with no
// modifications. // modifications.
SubjectType *string SubjectType *string
@ -355,6 +320,9 @@ func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Sta
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithSAML(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithSAML(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -14,19 +14,15 @@ import (
// authenticated in a mobile or web application with a web identity provider. // authenticated in a mobile or web application with a web identity provider.
// Example providers include the OAuth 2.0 providers Login with Amazon and // Example providers include the OAuth 2.0 providers Login with Amazon and
// Facebook, or any OpenID Connect-compatible identity provider such as Google or // Facebook, or any OpenID Connect-compatible identity provider such as Google or
// Amazon Cognito federated identities // Amazon Cognito federated identities (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html)
// (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html). // . For mobile applications, we recommend that you use Amazon Cognito. You can use
// For mobile applications, we recommend that you use Amazon Cognito. You can use // Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide // and the Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
// (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android // to uniquely identify a user. You can also supply the user with a consistent
// Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify a // identity throughout the lifetime of an application. To learn more about Amazon
// user. You can also supply the user with a consistent identity throughout the // Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
// lifetime of an application. To learn more about Amazon Cognito, see Amazon
// Cognito Overview
// (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito // in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
// Overview // Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
// (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
// in the Amazon Web Services SDK for iOS Developer Guide. Calling // in the Amazon Web Services SDK for iOS Developer Guide. Calling
// AssumeRoleWithWebIdentity does not require the use of Amazon Web Services // AssumeRoleWithWebIdentity does not require the use of Amazon Web Services
// security credentials. Therefore, you can distribute an application (for example, // security credentials. Therefore, you can distribute an application (for example,
@ -36,32 +32,28 @@ import (
// Services credentials. Instead, the identity of the caller is validated by using // Services credentials. Instead, the identity of the caller is validated by using
// a token from the web identity provider. For a comparison of // a token from the web identity provider. For a comparison of
// AssumeRoleWithWebIdentity with the other API operations that produce temporary // AssumeRoleWithWebIdentity with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials // credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this API // in the IAM User Guide. The temporary security credentials returned by this API
// consist of an access key ID, a secret access key, and a security token. // consist of an access key ID, a secret access key, and a security token.
// Applications can use these temporary security credentials to sign calls to // Applications can use these temporary security credentials to sign calls to
// Amazon Web Services service API operations. Session Duration By default, the // Amazon Web Services service API operations. Session Duration By default, the
// temporary security credentials created by AssumeRoleWithWebIdentity last for one // temporary security credentials created by AssumeRoleWithWebIdentity last for
// hour. However, you can use the optional DurationSeconds parameter to specify the // one hour. However, you can use the optional DurationSeconds parameter to
// duration of your session. You can provide a value from 900 seconds (15 minutes) // specify the duration of your session. You can provide a value from 900 seconds
// up to the maximum session duration setting for the role. This setting can have a // (15 minutes) up to the maximum session duration setting for the role. This
// value from 1 hour to 12 hours. To learn how to view the maximum value for your // setting can have a value from 1 hour to 12 hours. To learn how to view the
// role, see View the Maximum Session Duration Setting for a Role // maximum value for your role, see View the Maximum Session Duration Setting for
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use // in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the // the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For // limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles // more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM // in the IAM User Guide. Permissions The temporary security credentials created by
// User Guide. Permissions The temporary security credentials created by
// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web // AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
// Services service with the following exception: you cannot call the STS // Services service with the following exception: you cannot call the STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass // GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies // inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@ -72,17 +64,14 @@ import (
// credentials in subsequent Amazon Web Services API calls to access resources in // credentials in subsequent Amazon Web Services API calls to access resources in
// the account that owns the role. You cannot use session policies to grant more // the account that owns the role. You cannot use session policies to grant more
// permissions than those allowed by the identity-based policy of the role that is // permissions than those allowed by the identity-based policy of the role that is
// being assumed. For more information, see Session Policies // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass // in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
// attributes into your web identity token as session tags. Each session tag // attributes into your web identity token as session tags. Each session tag
// consists of a key name and an associated value. For more information about // consists of a key name and an associated value. For more information about
// session tags, see Passing Session Tags in STS // session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. You can pass up to 50 session tags. The plaintext session
// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag // tag keys cant exceed 128 characters and the values cant exceed 256 characters.
// keys cant exceed 128 characters and the values cant exceed 256 characters. For // For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed // inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit // binary format that has a separate limit. Your request can fail for this limit
@ -93,51 +82,37 @@ import (
// overrides the role tag with the same key. An administrator must grant you the // overrides the role tag with the same key. An administrator must grant you the
// permissions necessary to pass session tags. The administrator can also create // permissions necessary to pass session tags. The administrator can also create
// granular permissions to allow you to pass only specific session tags. For more // granular permissions to allow you to pass only specific session tags. For more
// information, see Tutorial: Using Tags for Attribute-Based Access Control // information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive // in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with // tags persist during role chaining. For more information, see Chaining Roles
// Session Tags // with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Identities Before your application can call // in the IAM User Guide. Identities Before your application can call
// AssumeRoleWithWebIdentity, you must have an identity token from a supported // AssumeRoleWithWebIdentity , you must have an identity token from a supported
// identity provider and create a role that the application can assume. The role // identity provider and create a role that the application can assume. The role
// that your application assumes must trust the identity provider that is // that your application assumes must trust the identity provider that is
// associated with the identity token. In other words, the identity provider must // associated with the identity token. In other words, the identity provider must
// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can // be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
// result in an entry in your CloudTrail logs. The entry includes the Subject // result in an entry in your CloudTrail logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
// (http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided // of the provided web identity token. We recommend that you avoid using any
// web identity token. We recommend that you avoid using any personally // personally identifiable information (PII) in this field. For example, you could
// identifiable information (PII) in this field. For example, you could instead use // instead use a GUID or a pairwise identifier, as suggested in the OIDC
// a GUID or a pairwise identifier, as suggested in the OIDC specification // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes)
// (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). For more // . For more information about how to use web identity federation and the
// information about how to use web identity federation and the
// AssumeRoleWithWebIdentity API, see the following resources: // AssumeRoleWithWebIdentity API, see the following resources:
// // - Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
// * Using Web // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// Identity Federation API Operations for Mobile Apps // .
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) // - Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/)
// and Federation Through a Web-based Identity Provider // . Walk through the process of authenticating through Login with Amazon,
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). // Facebook, or Google, getting temporary security credentials, and then using
// // those credentials to make a request to Amazon Web Services.
// * // - Amazon Web Services SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
// Web Identity Federation Playground // and Amazon Web Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
// (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/). // . These toolkits contain sample apps that show how to invoke the identity
// Walk through the process of authenticating through Login with Amazon, Facebook,
// or Google, getting temporary security credentials, and then using those
// credentials to make a request to Amazon Web Services.
//
// * Amazon Web Services SDK
// for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and Amazon Web
// Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
// These toolkits contain sample apps that show how to invoke the identity
// providers. The toolkits then show how to use the information from these // providers. The toolkits then show how to use the information from these
// providers to get and use temporary security credentials. // providers to get and use temporary security credentials.
// // - Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications)
// * Web Identity // . This article discusses web identity federation and shows an example of how to
// Federation with Mobile Applications
// (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
// This article discusses web identity federation and shows an example of how to
// use web identity federation to get access to content in Amazon S3. // use web identity federation to get access to content in Amazon S3.
func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) { func (c *Client) AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error) {
if params == nil { if params == nil {
@ -187,16 +162,14 @@ type AssumeRoleWithWebIdentityInput struct {
// higher than this setting, the operation fails. For example, if you specify a // higher than this setting, the operation fails. For example, if you specify a
// session duration of 12 hours, but your administrator set the maximum session // session duration of 12 hours, but your administrator set the maximum session
// duration to 6 hours, your operation fails. To learn how to view the maximum // duration to 6 hours, your operation fails. To learn how to view the maximum
// value for your role, see View the Maximum Session Duration Setting for a Role // value for your role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. By default, the value is set to 3600 seconds. The // in the IAM User Guide. By default, the value is set to 3600 seconds. The
// DurationSeconds parameter is separate from the duration of a console session // DurationSeconds parameter is separate from the duration of a console session
// that you might request using the returned credentials. The request to the // that you might request using the returned credentials. The request to the
// federation endpoint for a console sign-in token takes a SessionDuration // federation endpoint for a console sign-in token takes a SessionDuration
// parameter that specifies the maximum length of the console session. For more // parameter that specifies the maximum length of the console session. For more
// information, see Creating a URL that Enables Federated Users to Access the // information, see Creating a URL that Enables Federated Users to Access the
// Amazon Web Services Management Console // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
// in the IAM User Guide. // in the IAM User Guide.
DurationSeconds *int32 DurationSeconds *int32
@ -208,8 +181,7 @@ type AssumeRoleWithWebIdentityInput struct {
// access resources in the account that owns the role. You cannot use session // access resources in the account that owns the role. You cannot use session
// policies to grant more permissions than those allowed by the identity-based // policies to grant more permissions than those allowed by the identity-based
// policy of the role that is being assumed. For more information, see Session // policy of the role that is being assumed. For more information, see Session
// Policies // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The plaintext that you use for both inline and managed // in the IAM User Guide. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. The JSON policy characters can // session policies can't exceed 2,048 characters. The JSON policy characters can
// be any ASCII character from the space character to the end of the valid // be any ASCII character from the space character to the end of the valid
@ -227,9 +199,8 @@ type AssumeRoleWithWebIdentityInput struct {
// the role. This parameter is optional. You can provide up to 10 managed policy // the role. This parameter is optional. You can provide up to 10 managed policy
// ARNs. However, the plaintext that you use for both inline and managed session // ARNs. However, the plaintext that you use for both inline and managed session
// policies can't exceed 2,048 characters. For more information about ARNs, see // policies can't exceed 2,048 characters. For more information about ARNs, see
// Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in // in the Amazon Web Services General Reference. An Amazon Web Services conversion
// the Amazon Web Services General Reference. An Amazon Web Services conversion
// compresses the passed inline session policy, managed policy ARNs, and session // compresses the passed inline session policy, managed policy ARNs, and session
// tags into a packed binary format that has a separate limit. Your request can // tags into a packed binary format that has a separate limit. Your request can
// fail for this limit even if your plaintext meets the other requirements. The // fail for this limit even if your plaintext meets the other requirements. The
@ -241,8 +212,7 @@ type AssumeRoleWithWebIdentityInput struct {
// Services API calls to access resources in the account that owns the role. You // Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the // cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information, // identity-based policy of the role that is being assumed. For more information,
// see Session Policies // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. // in the IAM User Guide.
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
@ -265,7 +235,7 @@ type AssumeRoleWithWebIdentityOutput struct {
// that you can use to refer to the resulting temporary security credentials. For // that you can use to refer to the resulting temporary security credentials. For
// example, you can reference these credentials as a principal in a resource-based // example, you can reference these credentials as a principal in a resource-based
// policy by using the ARN or assumed role ID. The ARN and ID include the // policy by using the ARN or assumed role ID. The ARN and ID include the
// RoleSessionName that you specified when you called AssumeRole. // RoleSessionName that you specified when you called AssumeRole .
AssumedRoleUser *types.AssumedRoleUser AssumedRoleUser *types.AssumedRoleUser
// The intended audience (also known as client ID) of the web identity token. This // The intended audience (also known as client ID) of the web identity token. This
@ -285,10 +255,10 @@ type AssumeRoleWithWebIdentityOutput struct {
// allowed space. // allowed space.
PackedPolicySize *int32 PackedPolicySize *int32
// The issuing authority of the web identity token presented. For OpenID Connect ID // The issuing authority of the web identity token presented. For OpenID Connect
// tokens, this contains the value of the iss field. For OAuth 2.0 access tokens, // ID tokens, this contains the value of the iss field. For OAuth 2.0 access
// this contains the value of the ProviderId parameter that was passed in the // tokens, this contains the value of the ProviderId parameter that was passed in
// AssumeRoleWithWebIdentity request. // the AssumeRoleWithWebIdentity request.
Provider *string Provider *string
// The value of the source identity that is returned in the JSON web token (JWT) // The value of the source identity that is returned in the JSON web token (JWT)
@ -297,17 +267,14 @@ type AssumeRoleWithWebIdentityOutput struct {
// key in a role trust policy. That way, actions that are taken with the role are // key in a role trust policy. That way, actions that are taken with the role are
// associated with that user. After the source identity is set, the value cannot be // associated with that user. After the source identity is set, the value cannot be
// changed. It is present in the request for all actions that are taken by the role // changed. It is present in the request for all actions that are taken by the role
// and persists across chained role // and persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining)
// sessions. You can configure your identity provider to use an attribute // sessions. You can configure your identity provider to use an attribute
// associated with your users, like user name or email, as the source identity when // associated with your users, like user name or email, as the source identity when
// calling AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web // calling AssumeRoleWithWebIdentity . You do this by adding a claim to the JSON
// token. To learn more about OIDC tokens and claims, see Using Tokens with User // web token. To learn more about OIDC tokens and claims, see Using Tokens with
// Pools // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
// (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html)
// in the Amazon Cognito Developer Guide. For more information about using source // in the Amazon Cognito Developer Guide. For more information about using source
// identity, see Monitor and control actions taken with assumed roles // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html)
// in the IAM User Guide. The regex used to validate this parameter is a string of // in the IAM User Guide. The regex used to validate this parameter is a string of
// characters consisting of upper- and lower-case alphanumeric characters with no // characters consisting of upper- and lower-case alphanumeric characters with no
// spaces. You can also include underscores or any of the following characters: // spaces. You can also include underscores or any of the following characters:
@ -373,6 +340,9 @@ func (c *Client) addOperationAssumeRoleWithWebIdentityMiddlewares(stack *middlew
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithWebIdentity(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithWebIdentity(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -22,27 +22,17 @@ import (
// encoded because the details of the authorization status can contain privileged // encoded because the details of the authorization status can contain privileged
// information that the user who requested the operation should not see. To decode // information that the user who requested the operation should not see. To decode
// an authorization status message, a user must be granted permissions through an // an authorization status message, a user must be granted permissions through an
// IAM policy // IAM policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to // to request the DecodeAuthorizationMessage ( sts:DecodeAuthorizationMessage )
// request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action. // action. The decoded message includes the following type of information:
// The decoded message includes the following type of information: // - Whether the request was denied due to an explicit deny or due to the
// // absence of an explicit allow. For more information, see Determining Whether a
// * Whether the // Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
// request was denied due to an explicit deny or due to the absence of an explicit
// allow. For more information, see Determining Whether a Request is Allowed or
// Denied
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
// in the IAM User Guide. // in the IAM User Guide.
// // - The principal who made the request.
// * The principal who made the request. // - The requested action.
// // - The requested resource.
// * The requested // - The values of condition keys in the context of the user's request.
// action.
//
// * The requested resource.
//
// * The values of condition keys in the
// context of the user's request.
func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) { func (c *Client) DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error) {
if params == nil { if params == nil {
params = &DecodeAuthorizationMessageInput{} params = &DecodeAuthorizationMessageInput{}
@ -133,6 +123,9 @@ func (c *Client) addOperationDecodeAuthorizationMessageMiddlewares(stack *middle
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opDecodeAuthorizationMessage(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opDecodeAuthorizationMessage(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -11,21 +11,18 @@ import (
) )
// Returns the account identifier for the specified access key ID. Access keys // Returns the account identifier for the specified access key ID. Access keys
// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a // consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE ) and
// secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For // a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY ).
// more information about access keys, see Managing Access Keys for IAM Users // For more information about access keys, see Managing Access Keys for IAM Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
// in the IAM User Guide. When you pass an access key ID to this operation, it // in the IAM User Guide. When you pass an access key ID to this operation, it
// returns the ID of the Amazon Web Services account to which the keys belong. // returns the ID of the Amazon Web Services account to which the keys belong.
// Access key IDs beginning with AKIA are long-term credentials for an IAM user or // Access key IDs beginning with AKIA are long-term credentials for an IAM user or
// the Amazon Web Services account root user. Access key IDs beginning with ASIA // the Amazon Web Services account root user. Access key IDs beginning with ASIA
// are temporary credentials that are created using STS operations. If the account // are temporary credentials that are created using STS operations. If the account
// in the response belongs to you, you can sign in as the root user and review your // in the response belongs to you, you can sign in as the root user and review your
// root user access keys. Then, you can pull a credentials report // root user access keys. Then, you can pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
// to learn which IAM user owns the keys. To learn who requested the temporary // to learn which IAM user owns the keys. To learn who requested the temporary
// credentials for an ASIA access key, view the STS events in your CloudTrail logs // credentials for an ASIA access key, view the STS events in your CloudTrail logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
// in the IAM User Guide. This operation does not indicate the state of the access // in the IAM User Guide. This operation does not indicate the state of the access
// key. The key might be active, inactive, or deleted. Active keys might not have // key. The key might be active, inactive, or deleted. Active keys might not have
// permissions to perform an operation. Providing a deleted access key might return // permissions to perform an operation. Providing a deleted access key might return
@ -119,6 +116,9 @@ func (c *Client) addOperationGetAccessKeyInfoMiddlewares(stack *middleware.Stack
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetAccessKeyInfo(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetAccessKeyInfo(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -15,9 +15,8 @@ import (
// administrator adds a policy to your IAM user or role that explicitly denies // administrator adds a policy to your IAM user or role that explicitly denies
// access to the sts:GetCallerIdentity action, you can still perform this // access to the sts:GetCallerIdentity action, you can still perform this
// operation. Permissions are not required because the same information is returned // operation. Permissions are not required because the same information is returned
// when an IAM user or role is denied access. To view an example response, see I Am // when an IAM user or role is denied access. To view an example response, see I
// Not Authorized to Perform: iam:DeleteVirtualMFADevice // Am Not Authorized to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// in the IAM User Guide. // in the IAM User Guide.
func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) { func (c *Client) GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error) {
if params == nil { if params == nil {
@ -49,10 +48,9 @@ type GetCallerIdentityOutput struct {
// The Amazon Web Services ARN associated with the calling entity. // The Amazon Web Services ARN associated with the calling entity.
Arn *string Arn *string
// The unique identifier of the calling entity. The exact value depends on the type // The unique identifier of the calling entity. The exact value depends on the
// of entity that is making the call. The values returned are those listed in the // type of entity that is making the call. The values returned are those listed in
// aws:userid column in the Principal table // the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
// found on the Policy Variables reference page in the IAM User Guide. // found on the Policy Variables reference page in the IAM User Guide.
UserId *string UserId *string
@ -110,6 +108,9 @@ func (c *Client) addOperationGetCallerIdentityMiddlewares(stack *middleware.Stac
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetCallerIdentity(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -11,50 +11,41 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http" smithyhttp "github.com/aws/smithy-go/transport/http"
) )
// Returns a set of temporary security credentials (consisting of an access key ID, // Returns a set of temporary security credentials (consisting of an access key
// a secret access key, and a security token) for a federated user. A typical use // ID, a secret access key, and a security token) for a federated user. A typical
// is in a proxy application that gets temporary security credentials on behalf of // use is in a proxy application that gets temporary security credentials on behalf
// distributed applications inside a corporate network. You must call the // of distributed applications inside a corporate network. You must call the
// GetFederationToken operation using the long-term security credentials of an IAM // GetFederationToken operation using the long-term security credentials of an IAM
// user. As a result, this call is appropriate in contexts where those credentials // user. As a result, this call is appropriate in contexts where those credentials
// can be safely stored, usually in a server-based application. For a comparison of // can be safely stored, usually in a server-based application. For a comparison of
// GetFederationToken with the other API operations that produce temporary // GetFederationToken with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials // credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. You can create a mobile-based or browser-based app that // in the IAM User Guide. You can create a mobile-based or browser-based app that
// can authenticate users using a web identity provider like Login with Amazon, // can authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this // Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity. For more information, see Federation Through a // or AssumeRoleWithWebIdentity . For more information, see Federation Through a
// Web-based Identity Provider // Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. You can also call GetFederationToken using the security // in the IAM User Guide. You can also call GetFederationToken using the security
// credentials of an Amazon Web Services account root user, but we do not recommend // credentials of an Amazon Web Services account root user, but we do not recommend
// it. Instead, we recommend that you create an IAM user for the purpose of the // it. Instead, we recommend that you create an IAM user for the purpose of the
// proxy application. Then attach a policy to the IAM user that limits federated // proxy application. Then attach a policy to the IAM user that limits federated
// users to only the actions and resources that they need to access. For more // users to only the actions and resources that they need to access. For more
// information, see IAM Best Practices // information, see IAM Best Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the // in the IAM User Guide. Session duration The temporary credentials are valid for
// IAM User Guide. Session duration The temporary credentials are valid for the // the specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
// specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
// seconds (36 hours). The default session duration is 43,200 seconds (12 hours). // seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
// Temporary credentials obtained by using the Amazon Web Services account root // Temporary credentials obtained by using the Amazon Web Services account root
// user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions // user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions
// You can use the temporary credentials created by GetFederationToken in any // You can use the temporary credentials created by GetFederationToken in any
// Amazon Web Services service with the following exceptions: // Amazon Web Services service with the following exceptions:
// - You cannot call any IAM operations using the CLI or the Amazon Web Services
// API. This limitation does not apply to console sessions.
// - You cannot call any STS operations except GetCallerIdentity .
// //
// * You cannot call // You can use temporary credentials for single sign-on (SSO) to the console. You
// any IAM operations using the CLI or the Amazon Web Services API. This limitation // must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// does not apply to console sessions.
//
// * You cannot call any STS operations except
// GetCallerIdentity.
//
// You can use temporary credentials for single sign-on (SSO)
// to the console. You must pass an inline or managed session policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // Resource Names (ARNs) to use as managed session policies. The plaintext that you
@ -65,38 +56,33 @@ import (
// policies and the session policies that you pass. This gives you a way to further // policies and the session policies that you pass. This gives you a way to further
// restrict the permissions for a federated user. You cannot use session policies // restrict the permissions for a federated user. You cannot use session policies
// to grant more permissions than those that are defined in the permissions policy // to grant more permissions than those that are defined in the permissions policy
// of the IAM user. For more information, see Session Policies // of the IAM user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. For information about using GetFederationToken to create // in the IAM User Guide. For information about using GetFederationToken to create
// temporary security credentials, see GetFederationToken—Federation Through a // temporary security credentials, see GetFederationToken—Federation Through a
// Custom Identity Broker // Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). // . You can use the credentials to access a resource that has a resource-based
// You can use the credentials to access a resource that has a resource-based
// policy. If that policy specifically references the federated user session in the // policy. If that policy specifically references the federated user session in the
// Principal element of the policy, the session has the permissions allowed by the // Principal element of the policy, the session has the permissions allowed by the
// policy. These permissions are granted in addition to the permissions granted by // policy. These permissions are granted in addition to the permissions granted by
// the session policies. Tags (Optional) You can pass tag key-value pairs to your // the session policies. Tags (Optional) You can pass tag key-value pairs to your
// session. These are called session tags. For more information about session tags, // session. These are called session tags. For more information about session tags,
// see Passing Session Tags in STS // see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. You can create a mobile-based or browser-based app that
// IAM User Guide. You can create a mobile-based or browser-based app that can // can authenticate users using a web identity provider like Login with Amazon,
// authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this // Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity. For more information, see Federation Through a // or AssumeRoleWithWebIdentity . For more information, see Federation Through a
// Web-based Identity Provider // Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. An administrator must grant you the permissions necessary // in the IAM User Guide. An administrator must grant you the permissions necessary
// to pass session tags. The administrator can also create granular permissions to // to pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see // allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control // Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. Tag keyvalue pairs are not case sensitive, but case is // in the IAM User Guide. Tag keyvalue pairs are not case sensitive, but case is
// preserved. This means that you cannot have separate Department and department // preserved. This means that you cannot have separate Department and department
// tag keys. Assume that the user that you are federating has the // tag keys. Assume that the user that you are federating has the Department =
// Department=Marketing tag and you pass the department=engineering session tag. // Marketing tag and you pass the department = engineering session tag. Department
// Department and department are not saved as separate tags, and the session tag // and department are not saved as separate tags, and the session tag passed in
// passed in the request takes precedence over the user tag. // the request takes precedence over the user tag.
func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) { func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) {
if params == nil { if params == nil {
params = &GetFederationTokenInput{} params = &GetFederationTokenInput{}
@ -115,26 +101,27 @@ func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTo
type GetFederationTokenInput struct { type GetFederationTokenInput struct {
// The name of the federated user. The name is used as an identifier for the // The name of the federated user. The name is used as an identifier for the
// temporary security credentials (such as Bob). For example, you can reference the // temporary security credentials (such as Bob ). For example, you can reference
// federated user name in a resource-based policy, such as in an Amazon S3 bucket // the federated user name in a resource-based policy, such as in an Amazon S3
// policy. The regex used to validate this parameter is a string of characters // bucket policy. The regex used to validate this parameter is a string of
// consisting of upper- and lower-case alphanumeric characters with no spaces. You // characters consisting of upper- and lower-case alphanumeric characters with no
// can also include underscores or any of the following characters: =,.@- // spaces. You can also include underscores or any of the following characters:
// =,.@-
// //
// This member is required. // This member is required.
Name *string Name *string
// The duration, in seconds, that the session should last. Acceptable durations for // The duration, in seconds, that the session should last. Acceptable durations
// federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
// hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
// Amazon Web Services account root user credentials are restricted to a maximum of // using Amazon Web Services account root user credentials are restricted to a
// 3,600 seconds (one hour). If the specified duration is longer than one hour, the // maximum of 3,600 seconds (one hour). If the specified duration is longer than
// session obtained by using root user credentials defaults to one hour. // one hour, the session obtained by using root user credentials defaults to one
// hour.
DurationSeconds *int32 DurationSeconds *int32
// An IAM policy in JSON format that you want to use as an inline session policy. // An IAM policy in JSON format that you want to use as an inline session policy.
// You must pass an inline or managed session policy // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. This parameter is // Resource Names (ARNs) to use as managed session policies. This parameter is
@ -144,8 +131,7 @@ type GetFederationTokenInput struct {
// session policies that you pass. This gives you a way to further restrict the // session policies that you pass. This gives you a way to further restrict the
// permissions for a federated user. You cannot use session policies to grant more // permissions for a federated user. You cannot use session policies to grant more
// permissions than those that are defined in the permissions policy of the IAM // permissions than those that are defined in the permissions policy of the IAM
// user. For more information, see Session Policies // user. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a // in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically // resource that has a resource-based policy. If that policy specifically
// references the federated user session in the Principal element of the policy, // references the federated user session in the Principal element of the policy,
@ -166,24 +152,21 @@ type GetFederationTokenInput struct {
// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
// use as a managed session policy. The policies must exist in the same account as // use as a managed session policy. The policies must exist in the same account as
// the IAM user that is requesting federated access. You must pass an inline or // the IAM user that is requesting federated access. You must pass an inline or
// managed session policy // managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an // to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policy Amazon // inline session policy. You can also specify up to 10 managed policy Amazon
// Resource Names (ARNs) to use as managed session policies. The plaintext that you // Resource Names (ARNs) to use as managed session policies. The plaintext that you
// use for both inline and managed session policies can't exceed 2,048 characters. // use for both inline and managed session policies can't exceed 2,048 characters.
// You can provide up to 10 managed policy ARNs. For more information about ARNs, // You can provide up to 10 managed policy ARNs. For more information about ARNs,
// see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces // see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in // in the Amazon Web Services General Reference. This parameter is optional.
// the Amazon Web Services General Reference. This parameter is optional. However, // However, if you do not pass any session policies, then the resulting federated
// if you do not pass any session policies, then the resulting federated user // user session has no permissions. When you pass session policies, the session
// session has no permissions. When you pass session policies, the session
// permissions are the intersection of the IAM user policies and the session // permissions are the intersection of the IAM user policies and the session
// policies that you pass. This gives you a way to further restrict the permissions // policies that you pass. This gives you a way to further restrict the permissions
// for a federated user. You cannot use session policies to grant more permissions // for a federated user. You cannot use session policies to grant more permissions
// than those that are defined in the permissions policy of the IAM user. For more // than those that are defined in the permissions policy of the IAM user. For more
// information, see Session Policies // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. The resulting credentials can be used to access a // in the IAM User Guide. The resulting credentials can be used to access a
// resource that has a resource-based policy. If that policy specifically // resource that has a resource-based policy. If that policy specifically
// references the federated user session in the Principal element of the policy, // references the federated user session in the Principal element of the policy,
@ -192,20 +175,18 @@ type GetFederationTokenInput struct {
// An Amazon Web Services conversion compresses the passed inline session policy, // An Amazon Web Services conversion compresses the passed inline session policy,
// managed policy ARNs, and session tags into a packed binary format that has a // managed policy ARNs, and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext // separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by // meets the other requirements. The PackedPolicySize response element indicates
// percentage how close the policies and tags for your request are to the upper // by percentage how close the policies and tags for your request are to the upper
// size limit. // size limit.
PolicyArns []types.PolicyDescriptorType PolicyArns []types.PolicyDescriptorType
// A list of session tags. Each session tag consists of a key name and an // A list of session tags. Each session tag consists of a key name and an
// associated value. For more information about session tags, see Passing Session // associated value. For more information about session tags, see Passing Session
// Tags in STS // Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. This parameter is optional. You can pass up to 50 session
// IAM User Guide. This parameter is optional. You can pass up to 50 session tags. // tags. The plaintext session tag keys cant exceed 128 characters and the values
// The plaintext session tag keys cant exceed 128 characters and the values cant // cant exceed 256 characters. For these and additional limits, see IAM and STS
// exceed 256 characters. For these and additional limits, see IAM and STS // Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed // in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// inline session policy, managed policy ARNs, and session tags into a packed // inline session policy, managed policy ARNs, and session tags into a packed
// binary format that has a separate limit. Your request can fail for this limit // binary format that has a separate limit. Your request can fail for this limit
@ -216,9 +197,9 @@ type GetFederationTokenInput struct {
// you do, session tags override a user tag with the same key. Tag keyvalue pairs // you do, session tags override a user tag with the same key. Tag keyvalue pairs
// are not case sensitive, but case is preserved. This means that you cannot have // are not case sensitive, but case is preserved. This means that you cannot have
// separate Department and department tag keys. Assume that the role has the // separate Department and department tag keys. Assume that the role has the
// Department=Marketing tag and you pass the department=engineering session tag. // Department = Marketing tag and you pass the department = engineering session
// Department and department are not saved as separate tags, and the session tag // tag. Department and department are not saved as separate tags, and the session
// passed in the request takes precedence over the role tag. // tag passed in the request takes precedence over the role tag.
Tags []types.Tag Tags []types.Tag
noSmithyDocumentSerde noSmithyDocumentSerde
@ -236,7 +217,7 @@ type GetFederationTokenOutput struct {
Credentials *types.Credentials Credentials *types.Credentials
// Identifiers for the federated user associated with the credentials (such as // Identifiers for the federated user associated with the credentials (such as
// arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You can use // arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob ). You can use
// the federated user's ARN in your resource-based policies, such as an Amazon S3 // the federated user's ARN in your resource-based policies, such as an Amazon S3
// bucket policy. // bucket policy.
FederatedUser *types.FederatedUser FederatedUser *types.FederatedUser
@ -304,6 +285,9 @@ func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Sta
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetFederationToken(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetFederationToken(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -11,26 +11,23 @@ import (
smithyhttp "github.com/aws/smithy-go/transport/http" smithyhttp "github.com/aws/smithy-go/transport/http"
) )
// Returns a set of temporary credentials for an Amazon Web Services account or IAM // Returns a set of temporary credentials for an Amazon Web Services account or
// user. The credentials consist of an access key ID, a secret access key, and a // IAM user. The credentials consist of an access key ID, a secret access key, and
// security token. Typically, you use GetSessionToken if you want to use MFA to // a security token. Typically, you use GetSessionToken if you want to use MFA to
// protect programmatic calls to specific Amazon Web Services API operations like // protect programmatic calls to specific Amazon Web Services API operations like
// Amazon EC2 StopInstances. MFA-enabled IAM users would need to call // Amazon EC2 StopInstances . MFA-enabled IAM users would need to call
// GetSessionToken and submit an MFA code that is associated with their MFA device. // GetSessionToken and submit an MFA code that is associated with their MFA device.
// Using the temporary security credentials that are returned from the call, IAM // Using the temporary security credentials that are returned from the call, IAM
// users can then make programmatic calls to API operations that require MFA // users can then make programmatic calls to API operations that require MFA
// authentication. If you do not supply a correct MFA code, then the API returns an // authentication. If you do not supply a correct MFA code, then the API returns an
// access denied error. For a comparison of GetSessionToken with the other API // access denied error. For a comparison of GetSessionToken with the other API
// operations that produce temporary credentials, see Requesting Temporary Security // operations that produce temporary credentials, see Requesting Temporary
// Credentials // Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. No permissions are required for users to perform this // in the IAM User Guide. No permissions are required for users to perform this
// operation. The purpose of the sts:GetSessionToken operation is to authenticate // operation. The purpose of the sts:GetSessionToken operation is to authenticate
// the user using MFA. You cannot use policies to control authentication // the user using MFA. You cannot use policies to control authentication
// operations. For more information, see Permissions for GetSessionToken // operations. For more information, see Permissions for GetSessionToken (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html)
// in the IAM User Guide. Session Duration The GetSessionToken operation must be // in the IAM User Guide. Session Duration The GetSessionToken operation must be
// called by using the long-term Amazon Web Services security credentials of the // called by using the long-term Amazon Web Services security credentials of the
// Amazon Web Services account root user or an IAM user. Credentials that are // Amazon Web Services account root user or an IAM user. Credentials that are
@ -41,18 +38,12 @@ import (
// (1 hour), with a default of 1 hour. Permissions The temporary security // (1 hour), with a default of 1 hour. Permissions The temporary security
// credentials created by GetSessionToken can be used to make API calls to any // credentials created by GetSessionToken can be used to make API calls to any
// Amazon Web Services service with the following exceptions: // Amazon Web Services service with the following exceptions:
// - You cannot call any IAM API operations unless MFA authentication
// information is included in the request.
// - You cannot call any STS API except AssumeRole or GetCallerIdentity .
// //
// * You cannot call // We recommend that you do not call GetSessionToken with Amazon Web Services
// any IAM API operations unless MFA authentication information is included in the // account root user credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
// request.
//
// * You cannot call any STS API except AssumeRole or
// GetCallerIdentity.
//
// We recommend that you do not call GetSessionToken with
// Amazon Web Services account root user credentials. Instead, follow our best
// practices
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
// by creating one or more IAM users, giving them the necessary permissions, and // by creating one or more IAM users, giving them the necessary permissions, and
// using IAM users for everyday interaction with Amazon Web Services. The // using IAM users for everyday interaction with Amazon Web Services. The
// credentials that are returned by GetSessionToken are based on permissions // credentials that are returned by GetSessionToken are based on permissions
@ -62,8 +53,7 @@ import (
// GetSessionToken is called using the credentials of an IAM user, the temporary // GetSessionToken is called using the credentials of an IAM user, the temporary
// credentials have the same permissions as the IAM user. For more information // credentials have the same permissions as the IAM user. For more information
// about using GetSessionToken to create temporary credentials, go to Temporary // about using GetSessionToken to create temporary credentials, go to Temporary
// Credentials for Users in Untrusted Environments // Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// in the IAM User Guide. // in the IAM User Guide.
func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) { func (c *Client) GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error) {
if params == nil { if params == nil {
@ -90,25 +80,25 @@ type GetSessionTokenInput struct {
// Services account owners defaults to one hour. // Services account owners defaults to one hour.
DurationSeconds *int32 DurationSeconds *int32
// The identification number of the MFA device that is associated with the IAM user // The identification number of the MFA device that is associated with the IAM
// who is making the GetSessionToken call. Specify this value if the IAM user has a // user who is making the GetSessionToken call. Specify this value if the IAM user
// policy that requires MFA authentication. The value is either the serial number // has a policy that requires MFA authentication. The value is either the serial
// for a hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) // number for a hardware device (such as GAHT12345678 ) or an Amazon Resource Name
// for a virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find // (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user ). You
// the device for an IAM user by going to the Amazon Web Services Management // can find the device for an IAM user by going to the Amazon Web Services
// Console and viewing the user's security credentials. The regex used to validate // Management Console and viewing the user's security credentials. The regex used
// this parameter is a string of characters consisting of upper- and lower-case // to validate this parameter is a string of characters consisting of upper- and
// alphanumeric characters with no spaces. You can also include underscores or any // lower-case alphanumeric characters with no spaces. You can also include
// of the following characters: =,.@:/- // underscores or any of the following characters: =,.@:/-
SerialNumber *string SerialNumber *string
// The value provided by the MFA device, if MFA is required. If any policy requires // The value provided by the MFA device, if MFA is required. If any policy
// the IAM user to submit an MFA code, specify this value. If MFA authentication is // requires the IAM user to submit an MFA code, specify this value. If MFA
// required, the user must provide a code when requesting a set of temporary // authentication is required, the user must provide a code when requesting a set
// security credentials. A user who fails to provide the code receives an "access // of temporary security credentials. A user who fails to provide the code receives
// denied" response when requesting resources that require MFA authentication. The // an "access denied" response when requesting resources that require MFA
// format for this parameter, as described by its regex pattern, is a sequence of // authentication. The format for this parameter, as described by its regex
// six numeric digits. // pattern, is a sequence of six numeric digits.
TokenCode *string TokenCode *string
noSmithyDocumentSerde noSmithyDocumentSerde
@ -179,6 +169,9 @@ func (c *Client) addOperationGetSessionTokenMiddlewares(stack *middleware.Stack,
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil { if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetSessionToken(options.Region), middleware.Before); err != nil {
return err return err
} }
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addRequestIDRetrieverMiddleware(stack); err != nil { if err = addRequestIDRetrieverMiddleware(stack); err != nil {
return err return err
} }


@ -7,6 +7,6 @@
// temporary, limited-privilege credentials for Identity and Access Management // temporary, limited-privilege credentials for Identity and Access Management
// (IAM) users or for users that you authenticate (federated users). This guide // (IAM) users or for users that you authenticate (federated users). This guide
// provides descriptions of the STS API. For more information about using this // provides descriptions of the STS API. For more information about using this
// service, see Temporary Security Credentials // service, see Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html). // .
package sts package sts


@ -3,4 +3,4 @@
package sts package sts
// goModuleVersion is the tagged release for this module // goModuleVersion is the tagged release for this module
const goModuleVersion = "1.18.6" const goModuleVersion = "1.18.10"


@ -183,12 +183,10 @@ func (e *MalformedPolicyDocumentException) ErrorFault() smithy.ErrorFault { retu
// compresses the session policy document, session policy ARNs, and session tags // compresses the session policy document, session policy ARNs, and session tags
// into a packed binary format that has a separate limit. The error message // into a packed binary format that has a separate limit. The error message
// indicates by percentage how close the policies and tags are to the upper size // indicates by percentage how close the policies and tags are to the upper size
// limit. For more information, see Passing Session Tags in STS // limit. For more information, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide. You could receive this error even though you meet other
// IAM User Guide. You could receive this error even though you meet other defined // defined session policy and session tag limits. For more information, see IAM
// session policy and session tag limits. For more information, see IAM and STS // and STS Entity Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
// Entity Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length)
// in the IAM User Guide. // in the IAM User Guide.
type PackedPolicyTooLargeException struct { type PackedPolicyTooLargeException struct {
Message *string Message *string
@ -215,11 +213,10 @@ func (e *PackedPolicyTooLargeException) ErrorCode() string {
} }
func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient } func (e *PackedPolicyTooLargeException) ErrorFault() smithy.ErrorFault { return smithy.FaultClient }
// STS is not activated in the requested region for the account that is being asked // STS is not activated in the requested region for the account that is being
// to generate credentials. The account administrator must use the IAM console to // asked to generate credentials. The account administrator must use the IAM
// activate STS in that region. For more information, see Activating and // console to activate STS in that region. For more information, see Activating
// Deactivating Amazon Web Services STS in an Amazon Web Services Region // and Deactivating Amazon Web Services STS in an Amazon Web Services Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
// in the IAM User Guide. // in the IAM User Guide.
type RegionDisabledException struct { type RegionDisabledException struct {
Message *string Message *string


@ -13,9 +13,8 @@ type AssumedRoleUser struct {
// The ARN of the temporary security credentials that are returned from the // The ARN of the temporary security credentials that are returned from the
// AssumeRole action. For more information about ARNs and how to use them in // AssumeRole action. For more information about ARNs and how to use them in
// policies, see IAM Identifiers // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in // in the IAM User Guide.
// the IAM User Guide.
// //
// This member is required. // This member is required.
Arn *string Arn *string
@ -62,9 +61,8 @@ type FederatedUser struct {
// The ARN that specifies the federated user that is associated with the // The ARN that specifies the federated user that is associated with the
// credentials. For more information about ARNs and how to use them in policies, // credentials. For more information about ARNs and how to use them in policies,
// see IAM Identifiers // see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) in // in the IAM User Guide.
// the IAM User Guide.
// //
// This member is required. // This member is required.
Arn *string Arn *string
@ -84,26 +82,23 @@ type PolicyDescriptorType struct {
// The Amazon Resource Name (ARN) of the IAM managed policy to use as a session // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
// policy for the role. For more information about ARNs, see Amazon Resource Names // policy for the role. For more information about ARNs, see Amazon Resource Names
// (ARNs) and Amazon Web Services Service Namespaces // (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in // in the Amazon Web Services General Reference.
// the Amazon Web Services General Reference.
Arn *string Arn *string
noSmithyDocumentSerde noSmithyDocumentSerde
} }
// You can pass custom key-value pair attributes when you assume a role or federate // You can pass custom key-value pair attributes when you assume a role or
// a user. These are called session tags. You can then use the session tags to // federate a user. These are called session tags. You can then use the session
// control access to resources. For more information, see Tagging Amazon Web // tags to control access to resources. For more information, see Tagging Amazon
// Services STS Sessions // Web Services STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the // in the IAM User Guide.
// IAM User Guide.
type Tag struct { type Tag struct {
// The key for a session tag. You can pass up to 50 session tags. The plain text // The key for a session tag. You can pass up to 50 session tags. The plain text
// session tag keys cant exceed 128 characters. For these and additional limits, // session tag keys cant exceed 128 characters. For these and additional limits,
// see IAM and STS Character Limits // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. // in the IAM User Guide.
// //
// This member is required. // This member is required.
@ -111,8 +106,7 @@ type Tag struct {
// The value for a session tag. You can pass up to 50 session tags. The plain text // The value for a session tag. You can pass up to 50 session tags. The plain text
// session tag values cant exceed 256 characters. For these and additional limits, // session tag values cant exceed 256 characters. For these and additional limits,
// see IAM and STS Character Limits // see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. // in the IAM User Guide.
// //
// This member is required. // This member is required.

10
vendor/modules.txt vendored

@ -53,7 +53,7 @@ github.com/aws/aws-sdk-go/service/sso
github.com/aws/aws-sdk-go/service/sso/ssoiface github.com/aws/aws-sdk-go/service/sso/ssoiface
github.com/aws/aws-sdk-go/service/sts github.com/aws/aws-sdk-go/service/sts
github.com/aws/aws-sdk-go/service/sts/stsiface github.com/aws/aws-sdk-go/service/sts/stsiface
# github.com/aws/aws-sdk-go-v2 v1.17.6 # github.com/aws/aws-sdk-go-v2 v1.18.0
## explicit; go 1.15 ## explicit; go 1.15
github.com/aws/aws-sdk-go-v2/aws github.com/aws/aws-sdk-go-v2/aws
github.com/aws/aws-sdk-go-v2/aws/defaults github.com/aws/aws-sdk-go-v2/aws/defaults
@ -70,16 +70,16 @@ github.com/aws/aws-sdk-go-v2/internal/sdk
github.com/aws/aws-sdk-go-v2/internal/strings github.com/aws/aws-sdk-go-v2/internal/strings
github.com/aws/aws-sdk-go-v2/internal/sync/singleflight github.com/aws/aws-sdk-go-v2/internal/sync/singleflight
github.com/aws/aws-sdk-go-v2/internal/timeconv github.com/aws/aws-sdk-go-v2/internal/timeconv
# github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.30 # github.com/aws/aws-sdk-go-v2/internal/configsources v1.1.33
## explicit; go 1.15 ## explicit; go 1.15
github.com/aws/aws-sdk-go-v2/internal/configsources github.com/aws/aws-sdk-go-v2/internal/configsources
# github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.24 # github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.4.27
## explicit; go 1.15 ## explicit; go 1.15
github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2
# github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.24 # github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.9.27
## explicit; go 1.15 ## explicit; go 1.15
github.com/aws/aws-sdk-go-v2/service/internal/presigned-url github.com/aws/aws-sdk-go-v2/service/internal/presigned-url
# github.com/aws/aws-sdk-go-v2/service/sts v1.18.6 # github.com/aws/aws-sdk-go-v2/service/sts v1.18.10
## explicit; go 1.15 ## explicit; go 1.15
github.com/aws/aws-sdk-go-v2/service/sts github.com/aws/aws-sdk-go-v2/service/sts
github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints github.com/aws/aws-sdk-go-v2/service/sts/internal/endpoints