1// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. 2 3package sts 4 5import ( 6 "fmt" 7 "time" 8 9 "github.com/aws/aws-sdk-go/aws" 10 "github.com/aws/aws-sdk-go/aws/awsutil" 11 "github.com/aws/aws-sdk-go/aws/credentials" 12 "github.com/aws/aws-sdk-go/aws/request" 13) 14 15const opAssumeRole = "AssumeRole" 16 17// AssumeRoleRequest generates a "aws/request.Request" representing the 18// client's request for the AssumeRole operation. The "output" return 19// value will be populated with the request's response once the request completes 20// successfully. 21// 22// Use "Send" method on the returned Request to send the API call to the service. 23// the "output" return value is not valid until after Send returns without error. 24// 25// See AssumeRole for more information on using the AssumeRole 26// API call, and error handling. 27// 28// This method is useful when you want to inject custom logic or configuration 29// into the SDK's request lifecycle. Such as custom headers, or retry logic. 30// 31// 32// // Example sending a request using the AssumeRoleRequest method. 33// req, resp := client.AssumeRoleRequest(params) 34// 35// err := req.Send() 36// if err == nil { // resp is now filled 37// fmt.Println(resp) 38// } 39// 40// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole 41func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { 42 op := &request.Operation{ 43 Name: opAssumeRole, 44 HTTPMethod: "POST", 45 HTTPPath: "/", 46 } 47 48 if input == nil { 49 input = &AssumeRoleInput{} 50 } 51 52 output = &AssumeRoleOutput{} 53 req = c.newRequest(op, input, output) 54 return 55} 56 57// AssumeRole API operation for AWS Security Token Service. 58// 59// Returns a set of temporary security credentials that you can use to access 60// AWS resources that you might not normally have access to. These temporary 61// credentials consist of an access key ID, a secret access key, and a security 62// token. Typically, you use AssumeRole within your account or for cross-account 63// access. For a comparison of AssumeRole with other API operations that produce 64// temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 65// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 66// in the IAM User Guide. 67// 68// Permissions 69// 70// The temporary security credentials created by AssumeRole can be used to make 71// API calls to any AWS service with the following exception: You cannot call 72// the AWS STS GetFederationToken or GetSessionToken API operations. 73// 74// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 75// to this operation. You can pass a single JSON policy document to use as an 76// inline session policy. You can also specify up to 10 managed policies to 77// use as managed session policies. The plaintext that you use for both inline 78// and managed session policies can't exceed 2,048 characters. Passing policies 79// to this operation returns new temporary credentials. The resulting session's 80// permissions are the intersection of the role's identity-based policy and 81// the session policies. You can use the role's temporary credentials in subsequent 82// AWS API calls to access resources in the account that owns the role. You 83// cannot use session policies to grant more permissions than those allowed 84// by the identity-based policy of the role that is being assumed. For more 85// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 86// in the IAM User Guide. 87// 88// To assume a role from a different account, your AWS account must be trusted 89// by the role. The trust relationship is defined in the role's trust policy 90// when the role is created. That trust policy states which accounts are allowed 91// to delegate that access to users in the account. 92// 93// A user who wants to access a role in a different account must also have permissions 94// that are delegated from the user account administrator. The administrator 95// must attach a policy that allows the user to call AssumeRole for the ARN 96// of the role in the other account. If the user is in the same account as the 97// role, then you can do either of the following: 98// 99// * Attach a policy to the user (identical to the previous user in a different 100// account). 101// 102// * Add the user as a principal directly in the role's trust policy. 103// 104// In this case, the trust policy acts as an IAM resource-based policy. Users 105// in the same account as the role do not need explicit permission to assume 106// the role. For more information about trust policies and resource-based policies, 107// see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) 108// in the IAM User Guide. 109// 110// Tags 111// 112// (Optional) You can pass tag key-value pairs to your session. These tags are 113// called session tags. For more information about session tags, see Passing 114// Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 115// in the IAM User Guide. 116// 117// An administrator must grant you the permissions necessary to pass session 118// tags. The administrator can also create granular permissions to allow you 119// to pass only specific session tags. For more information, see Tutorial: Using 120// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 121// in the IAM User Guide. 122// 123// You can set the session tags as transitive. Transitive tags persist during 124// role chaining. For more information, see Chaining Roles with Session Tags 125// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 126// in the IAM User Guide. 127// 128// Using MFA with AssumeRole 129// 130// (Optional) You can include multi-factor authentication (MFA) information 131// when you call AssumeRole. This is useful for cross-account scenarios to ensure 132// that the user that assumes the role has been authenticated with an AWS MFA 133// device. In that scenario, the trust policy of the role being assumed includes 134// a condition that tests for MFA authentication. If the caller does not include 135// valid MFA information, the request to assume the role is denied. The condition 136// in a trust policy that tests for MFA authentication might look like the following 137// example. 138// 139// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} 140// 141// For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) 142// in the IAM User Guide guide. 143// 144// To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode 145// parameters. The SerialNumber value identifies the user's hardware or virtual 146// MFA device. The TokenCode is the time-based one-time password (TOTP) that 147// the MFA device produces. 148// 149// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 150// with awserr.Error's Code and Message methods to get detailed information about 151// the error. 152// 153// See the AWS API reference guide for AWS Security Token Service's 154// API operation AssumeRole for usage and error information. 155// 156// Returned Error Codes: 157// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 158// The request was rejected because the policy document was malformed. The error 159// message describes the specific error. 160// 161// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 162// The request was rejected because the total packed size of the session policies 163// and session tags combined was too large. An AWS conversion compresses the 164// session policy document, session policy ARNs, and session tags into a packed 165// binary format that has a separate limit. The error message indicates by percentage 166// how close the policies and tags are to the upper size limit. For more information, 167// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 168// in the IAM User Guide. 169// 170// You could receive this error even though you meet other defined session policy 171// and session tag limits. For more information, see IAM and STS Entity Character 172// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 173// in the IAM User Guide. 174// 175// * ErrCodeRegionDisabledException "RegionDisabledException" 176// STS is not activated in the requested region for the account that is being 177// asked to generate credentials. The account administrator must use the IAM 178// console to activate STS in that region. For more information, see Activating 179// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 180// in the IAM User Guide. 181// 182// * ErrCodeExpiredTokenException "ExpiredTokenException" 183// The web identity token that was passed is expired or is not valid. Get a 184// new identity token from the identity provider and then retry the request. 185// 186// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole 187func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { 188 req, out := c.AssumeRoleRequest(input) 189 return out, req.Send() 190} 191 192// AssumeRoleWithContext is the same as AssumeRole with the addition of 193// the ability to pass a context and additional request options. 194// 195// See AssumeRole for details on how to use this API operation. 196// 197// The context must be non-nil and will be used for request cancellation. If 198// the context is nil a panic will occur. In the future the SDK may create 199// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 200// for more information on using Contexts. 201func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { 202 req, out := c.AssumeRoleRequest(input) 203 req.SetContext(ctx) 204 req.ApplyOptions(opts...) 205 return out, req.Send() 206} 207 208const opAssumeRoleWithSAML = "AssumeRoleWithSAML" 209 210// AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the 211// client's request for the AssumeRoleWithSAML operation. The "output" return 212// value will be populated with the request's response once the request completes 213// successfully. 214// 215// Use "Send" method on the returned Request to send the API call to the service. 216// the "output" return value is not valid until after Send returns without error. 217// 218// See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML 219// API call, and error handling. 220// 221// This method is useful when you want to inject custom logic or configuration 222// into the SDK's request lifecycle. Such as custom headers, or retry logic. 223// 224// 225// // Example sending a request using the AssumeRoleWithSAMLRequest method. 226// req, resp := client.AssumeRoleWithSAMLRequest(params) 227// 228// err := req.Send() 229// if err == nil { // resp is now filled 230// fmt.Println(resp) 231// } 232// 233// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML 234func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { 235 op := &request.Operation{ 236 Name: opAssumeRoleWithSAML, 237 HTTPMethod: "POST", 238 HTTPPath: "/", 239 } 240 241 if input == nil { 242 input = &AssumeRoleWithSAMLInput{} 243 } 244 245 output = &AssumeRoleWithSAMLOutput{} 246 req = c.newRequest(op, input, output) 247 req.Config.Credentials = credentials.AnonymousCredentials 248 return 249} 250 251// AssumeRoleWithSAML API operation for AWS Security Token Service. 252// 253// Returns a set of temporary security credentials for users who have been authenticated 254// via a SAML authentication response. This operation provides a mechanism for 255// tying an enterprise identity store or directory to role-based AWS access 256// without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML 257// with the other API operations that produce temporary credentials, see Requesting 258// Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 259// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 260// in the IAM User Guide. 261// 262// The temporary security credentials returned by this operation consist of 263// an access key ID, a secret access key, and a security token. Applications 264// can use these temporary security credentials to sign calls to AWS services. 265// 266// Session Duration 267// 268// By default, the temporary security credentials created by AssumeRoleWithSAML 269// last for one hour. However, you can use the optional DurationSeconds parameter 270// to specify the duration of your session. Your role session lasts for the 271// duration that you specify, or until the time specified in the SAML authentication 272// response's SessionNotOnOrAfter value, whichever is shorter. You can provide 273// a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session 274// duration setting for the role. This setting can have a value from 1 hour 275// to 12 hours. To learn how to view the maximum value for your role, see View 276// the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 277// in the IAM User Guide. The maximum session duration limit applies when you 278// use the AssumeRole* API operations or the assume-role* CLI commands. However 279// the limit does not apply when you use those operations to create a console 280// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) 281// in the IAM User Guide. 282// 283// Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) 284// limits your AWS CLI or AWS API role session to a maximum of one hour. When 285// you use the AssumeRole API operation to assume a role, you can specify the 286// duration of your role session with the DurationSeconds parameter. You can 287// specify a parameter value of up to 43200 seconds (12 hours), depending on 288// the maximum session duration setting for your role. However, if you assume 289// a role using role chaining and provide a DurationSeconds parameter value 290// greater than one hour, the operation fails. 291// 292// Permissions 293// 294// The temporary security credentials created by AssumeRoleWithSAML can be used 295// to make API calls to any AWS service with the following exception: you cannot 296// call the STS GetFederationToken or GetSessionToken API operations. 297// 298// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 299// to this operation. You can pass a single JSON policy document to use as an 300// inline session policy. You can also specify up to 10 managed policies to 301// use as managed session policies. The plaintext that you use for both inline 302// and managed session policies can't exceed 2,048 characters. Passing policies 303// to this operation returns new temporary credentials. The resulting session's 304// permissions are the intersection of the role's identity-based policy and 305// the session policies. You can use the role's temporary credentials in subsequent 306// AWS API calls to access resources in the account that owns the role. You 307// cannot use session policies to grant more permissions than those allowed 308// by the identity-based policy of the role that is being assumed. For more 309// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 310// in the IAM User Guide. 311// 312// Calling AssumeRoleWithSAML does not require the use of AWS security credentials. 313// The identity of the caller is validated by using keys in the metadata document 314// that is uploaded for the SAML provider entity for your identity provider. 315// 316// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail 317// logs. The entry includes the value in the NameID element of the SAML assertion. 318// We recommend that you use a NameIDType that is not associated with any personally 319// identifiable information (PII). For example, you could instead use the persistent 320// identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). 321// 322// Tags 323// 324// (Optional) You can configure your IdP to pass attributes into your SAML assertion 325// as session tags. Each session tag consists of a key name and an associated 326// value. For more information about session tags, see Passing Session Tags 327// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 328// in the IAM User Guide. 329// 330// You can pass up to 50 session tags. The plaintext session tag keys can’t 331// exceed 128 characters and the values can’t exceed 256 characters. For these 332// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 333// in the IAM User Guide. 334// 335// An AWS conversion compresses the passed session policies and session tags 336// into a packed binary format that has a separate limit. Your request can fail 337// for this limit even if your plaintext meets the other requirements. The PackedPolicySize 338// response element indicates by percentage how close the policies and tags 339// for your request are to the upper size limit. 340// 341// You can pass a session tag with the same key as a tag that is attached to 342// the role. When you do, session tags override the role's tags with the same 343// key. 344// 345// An administrator must grant you the permissions necessary to pass session 346// tags. The administrator can also create granular permissions to allow you 347// to pass only specific session tags. For more information, see Tutorial: Using 348// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 349// in the IAM User Guide. 350// 351// You can set the session tags as transitive. Transitive tags persist during 352// role chaining. For more information, see Chaining Roles with Session Tags 353// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 354// in the IAM User Guide. 355// 356// SAML Configuration 357// 358// Before your application can call AssumeRoleWithSAML, you must configure your 359// SAML identity provider (IdP) to issue the claims required by AWS. Additionally, 360// you must use AWS Identity and Access Management (IAM) to create a SAML provider 361// entity in your AWS account that represents your identity provider. You must 362// also create an IAM role that specifies this SAML provider in its trust policy. 363// 364// For more information, see the following resources: 365// 366// * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) 367// in the IAM User Guide. 368// 369// * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) 370// in the IAM User Guide. 371// 372// * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) 373// in the IAM User Guide. 374// 375// * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) 376// in the IAM User Guide. 377// 378// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 379// with awserr.Error's Code and Message methods to get detailed information about 380// the error. 381// 382// See the AWS API reference guide for AWS Security Token Service's 383// API operation AssumeRoleWithSAML for usage and error information. 384// 385// Returned Error Codes: 386// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 387// The request was rejected because the policy document was malformed. The error 388// message describes the specific error. 389// 390// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 391// The request was rejected because the total packed size of the session policies 392// and session tags combined was too large. An AWS conversion compresses the 393// session policy document, session policy ARNs, and session tags into a packed 394// binary format that has a separate limit. The error message indicates by percentage 395// how close the policies and tags are to the upper size limit. For more information, 396// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 397// in the IAM User Guide. 398// 399// You could receive this error even though you meet other defined session policy 400// and session tag limits. For more information, see IAM and STS Entity Character 401// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 402// in the IAM User Guide. 403// 404// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" 405// The identity provider (IdP) reported that authentication failed. This might 406// be because the claim is invalid. 407// 408// If this error is returned for the AssumeRoleWithWebIdentity operation, it 409// can also mean that the claim has expired or has been explicitly revoked. 410// 411// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" 412// The web identity token that was passed could not be validated by AWS. Get 413// a new identity token from the identity provider and then retry the request. 414// 415// * ErrCodeExpiredTokenException "ExpiredTokenException" 416// The web identity token that was passed is expired or is not valid. Get a 417// new identity token from the identity provider and then retry the request. 418// 419// * ErrCodeRegionDisabledException "RegionDisabledException" 420// STS is not activated in the requested region for the account that is being 421// asked to generate credentials. The account administrator must use the IAM 422// console to activate STS in that region. For more information, see Activating 423// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 424// in the IAM User Guide. 425// 426// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML 427func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { 428 req, out := c.AssumeRoleWithSAMLRequest(input) 429 return out, req.Send() 430} 431 432// AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of 433// the ability to pass a context and additional request options. 434// 435// See AssumeRoleWithSAML for details on how to use this API operation. 436// 437// The context must be non-nil and will be used for request cancellation. If 438// the context is nil a panic will occur. In the future the SDK may create 439// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 440// for more information on using Contexts. 441func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { 442 req, out := c.AssumeRoleWithSAMLRequest(input) 443 req.SetContext(ctx) 444 req.ApplyOptions(opts...) 445 return out, req.Send() 446} 447 448const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" 449 450// AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the 451// client's request for the AssumeRoleWithWebIdentity operation. The "output" return 452// value will be populated with the request's response once the request completes 453// successfully. 454// 455// Use "Send" method on the returned Request to send the API call to the service. 456// the "output" return value is not valid until after Send returns without error. 457// 458// See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity 459// API call, and error handling. 460// 461// This method is useful when you want to inject custom logic or configuration 462// into the SDK's request lifecycle. Such as custom headers, or retry logic. 463// 464// 465// // Example sending a request using the AssumeRoleWithWebIdentityRequest method. 466// req, resp := client.AssumeRoleWithWebIdentityRequest(params) 467// 468// err := req.Send() 469// if err == nil { // resp is now filled 470// fmt.Println(resp) 471// } 472// 473// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity 474func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { 475 op := &request.Operation{ 476 Name: opAssumeRoleWithWebIdentity, 477 HTTPMethod: "POST", 478 HTTPPath: "/", 479 } 480 481 if input == nil { 482 input = &AssumeRoleWithWebIdentityInput{} 483 } 484 485 output = &AssumeRoleWithWebIdentityOutput{} 486 req = c.newRequest(op, input, output) 487 req.Config.Credentials = credentials.AnonymousCredentials 488 return 489} 490 491// AssumeRoleWithWebIdentity API operation for AWS Security Token Service. 492// 493// Returns a set of temporary security credentials for users who have been authenticated 494// in a mobile or web application with a web identity provider. Example providers 495// include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID 496// Connect-compatible identity provider. 497// 498// For mobile applications, we recommend that you use Amazon Cognito. You can 499// use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) 500// and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) 501// to uniquely identify a user. You can also supply the user with a consistent 502// identity throughout the lifetime of an application. 503// 504// To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) 505// in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) 506// in the AWS SDK for iOS Developer Guide. 507// 508// Calling AssumeRoleWithWebIdentity does not require the use of AWS security 509// credentials. Therefore, you can distribute an application (for example, on 510// mobile devices) that requests temporary security credentials without including 511// long-term AWS credentials in the application. You also don't need to deploy 512// server-based proxy services that use long-term AWS credentials. Instead, 513// the identity of the caller is validated by using a token from the web identity 514// provider. For a comparison of AssumeRoleWithWebIdentity with the other API 515// operations that produce temporary credentials, see Requesting Temporary Security 516// Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 517// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 518// in the IAM User Guide. 519// 520// The temporary security credentials returned by this API consist of an access 521// key ID, a secret access key, and a security token. Applications can use these 522// temporary security credentials to sign calls to AWS service API operations. 523// 524// Session Duration 525// 526// By default, the temporary security credentials created by AssumeRoleWithWebIdentity 527// last for one hour. However, you can use the optional DurationSeconds parameter 528// to specify the duration of your session. You can provide a value from 900 529// seconds (15 minutes) up to the maximum session duration setting for the role. 530// This setting can have a value from 1 hour to 12 hours. To learn how to view 531// the maximum value for your role, see View the Maximum Session Duration Setting 532// for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 533// in the IAM User Guide. The maximum session duration limit applies when you 534// use the AssumeRole* API operations or the assume-role* CLI commands. However 535// the limit does not apply when you use those operations to create a console 536// URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) 537// in the IAM User Guide. 538// 539// Permissions 540// 541// The temporary security credentials created by AssumeRoleWithWebIdentity can 542// be used to make API calls to any AWS service with the following exception: 543// you cannot call the STS GetFederationToken or GetSessionToken API operations. 544// 545// (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 546// to this operation. You can pass a single JSON policy document to use as an 547// inline session policy. You can also specify up to 10 managed policies to 548// use as managed session policies. The plaintext that you use for both inline 549// and managed session policies can't exceed 2,048 characters. Passing policies 550// to this operation returns new temporary credentials. The resulting session's 551// permissions are the intersection of the role's identity-based policy and 552// the session policies. You can use the role's temporary credentials in subsequent 553// AWS API calls to access resources in the account that owns the role. You 554// cannot use session policies to grant more permissions than those allowed 555// by the identity-based policy of the role that is being assumed. For more 556// information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 557// in the IAM User Guide. 558// 559// Tags 560// 561// (Optional) You can configure your IdP to pass attributes into your web identity 562// token as session tags. Each session tag consists of a key name and an associated 563// value. For more information about session tags, see Passing Session Tags 564// in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 565// in the IAM User Guide. 566// 567// You can pass up to 50 session tags. The plaintext session tag keys can’t 568// exceed 128 characters and the values can’t exceed 256 characters. For these 569// and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 570// in the IAM User Guide. 571// 572// An AWS conversion compresses the passed session policies and session tags 573// into a packed binary format that has a separate limit. Your request can fail 574// for this limit even if your plaintext meets the other requirements. The PackedPolicySize 575// response element indicates by percentage how close the policies and tags 576// for your request are to the upper size limit. 577// 578// You can pass a session tag with the same key as a tag that is attached to 579// the role. When you do, the session tag overrides the role tag with the same 580// key. 581// 582// An administrator must grant you the permissions necessary to pass session 583// tags. The administrator can also create granular permissions to allow you 584// to pass only specific session tags. For more information, see Tutorial: Using 585// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 586// in the IAM User Guide. 587// 588// You can set the session tags as transitive. Transitive tags persist during 589// role chaining. For more information, see Chaining Roles with Session Tags 590// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 591// in the IAM User Guide. 592// 593// Identities 594// 595// Before your application can call AssumeRoleWithWebIdentity, you must have 596// an identity token from a supported identity provider and create a role that 597// the application can assume. The role that your application assumes must trust 598// the identity provider that is associated with the identity token. In other 599// words, the identity provider must be specified in the role's trust policy. 600// 601// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail 602// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) 603// of the provided web identity token. We recommend that you avoid using any 604// personally identifiable information (PII) in this field. For example, you 605// could instead use a GUID or a pairwise identifier, as suggested in the OIDC 606// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). 607// 608// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity 609// API, see the following resources: 610// 611// * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) 612// and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). 613// 614// * Web Identity Federation Playground (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/). 615// Walk through the process of authenticating through Login with Amazon, 616// Facebook, or Google, getting temporary security credentials, and then 617// using those credentials to make a request to AWS. 618// 619// * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and 620// AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). 621// These toolkits contain sample apps that show how to invoke the identity 622// providers. The toolkits then show how to use the information from these 623// providers to get and use temporary security credentials. 624// 625// * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). 626// This article discusses web identity federation and shows an example of 627// how to use web identity federation to get access to content in Amazon 628// S3. 629// 630// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 631// with awserr.Error's Code and Message methods to get detailed information about 632// the error. 633// 634// See the AWS API reference guide for AWS Security Token Service's 635// API operation AssumeRoleWithWebIdentity for usage and error information. 636// 637// Returned Error Codes: 638// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 639// The request was rejected because the policy document was malformed. The error 640// message describes the specific error. 641// 642// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 643// The request was rejected because the total packed size of the session policies 644// and session tags combined was too large. An AWS conversion compresses the 645// session policy document, session policy ARNs, and session tags into a packed 646// binary format that has a separate limit. The error message indicates by percentage 647// how close the policies and tags are to the upper size limit. For more information, 648// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 649// in the IAM User Guide. 650// 651// You could receive this error even though you meet other defined session policy 652// and session tag limits. For more information, see IAM and STS Entity Character 653// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 654// in the IAM User Guide. 655// 656// * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" 657// The identity provider (IdP) reported that authentication failed. This might 658// be because the claim is invalid. 659// 660// If this error is returned for the AssumeRoleWithWebIdentity operation, it 661// can also mean that the claim has expired or has been explicitly revoked. 662// 663// * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" 664// The request could not be fulfilled because the identity provider (IDP) that 665// was asked to verify the incoming identity token could not be reached. This 666// is often a transient error caused by network conditions. Retry the request 667// a limited number of times so that you don't exceed the request rate. If the 668// error persists, the identity provider might be down or not responding. 669// 670// * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" 671// The web identity token that was passed could not be validated by AWS. Get 672// a new identity token from the identity provider and then retry the request. 673// 674// * ErrCodeExpiredTokenException "ExpiredTokenException" 675// The web identity token that was passed is expired or is not valid. Get a 676// new identity token from the identity provider and then retry the request. 677// 678// * ErrCodeRegionDisabledException "RegionDisabledException" 679// STS is not activated in the requested region for the account that is being 680// asked to generate credentials. The account administrator must use the IAM 681// console to activate STS in that region. For more information, see Activating 682// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 683// in the IAM User Guide. 684// 685// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity 686func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { 687 req, out := c.AssumeRoleWithWebIdentityRequest(input) 688 return out, req.Send() 689} 690 691// AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of 692// the ability to pass a context and additional request options. 693// 694// See AssumeRoleWithWebIdentity for details on how to use this API operation. 695// 696// The context must be non-nil and will be used for request cancellation. If 697// the context is nil a panic will occur. In the future the SDK may create 698// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 699// for more information on using Contexts. 700func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { 701 req, out := c.AssumeRoleWithWebIdentityRequest(input) 702 req.SetContext(ctx) 703 req.ApplyOptions(opts...) 704 return out, req.Send() 705} 706 707const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" 708 709// DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the 710// client's request for the DecodeAuthorizationMessage operation. The "output" return 711// value will be populated with the request's response once the request completes 712// successfully. 713// 714// Use "Send" method on the returned Request to send the API call to the service. 715// the "output" return value is not valid until after Send returns without error. 716// 717// See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage 718// API call, and error handling. 719// 720// This method is useful when you want to inject custom logic or configuration 721// into the SDK's request lifecycle. Such as custom headers, or retry logic. 722// 723// 724// // Example sending a request using the DecodeAuthorizationMessageRequest method. 725// req, resp := client.DecodeAuthorizationMessageRequest(params) 726// 727// err := req.Send() 728// if err == nil { // resp is now filled 729// fmt.Println(resp) 730// } 731// 732// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage 733func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { 734 op := &request.Operation{ 735 Name: opDecodeAuthorizationMessage, 736 HTTPMethod: "POST", 737 HTTPPath: "/", 738 } 739 740 if input == nil { 741 input = &DecodeAuthorizationMessageInput{} 742 } 743 744 output = &DecodeAuthorizationMessageOutput{} 745 req = c.newRequest(op, input, output) 746 return 747} 748 749// DecodeAuthorizationMessage API operation for AWS Security Token Service. 750// 751// Decodes additional information about the authorization status of a request 752// from an encoded message returned in response to an AWS request. 753// 754// For example, if a user is not authorized to perform an operation that he 755// or she has requested, the request returns a Client.UnauthorizedOperation 756// response (an HTTP 403 response). Some AWS operations additionally return 757// an encoded message that can provide details about this authorization failure. 758// 759// Only certain AWS operations return an encoded authorization message. The 760// documentation for an individual operation indicates whether that operation 761// returns an encoded message in addition to returning an HTTP code. 762// 763// The message is encoded because the details of the authorization status can 764// constitute privileged information that the user who requested the operation 765// should not see. To decode an authorization status message, a user must be 766// granted permissions via an IAM policy to request the DecodeAuthorizationMessage 767// (sts:DecodeAuthorizationMessage) action. 768// 769// The decoded message includes the following type of information: 770// 771// * Whether the request was denied due to an explicit deny or due to the 772// absence of an explicit allow. For more information, see Determining Whether 773// a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) 774// in the IAM User Guide. 775// 776// * The principal who made the request. 777// 778// * The requested action. 779// 780// * The requested resource. 781// 782// * The values of condition keys in the context of the user's request. 783// 784// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 785// with awserr.Error's Code and Message methods to get detailed information about 786// the error. 787// 788// See the AWS API reference guide for AWS Security Token Service's 789// API operation DecodeAuthorizationMessage for usage and error information. 790// 791// Returned Error Codes: 792// * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" 793// The error returned if the message passed to DecodeAuthorizationMessage was 794// invalid. This can happen if the token contains invalid characters, such as 795// linebreaks. 796// 797// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage 798func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { 799 req, out := c.DecodeAuthorizationMessageRequest(input) 800 return out, req.Send() 801} 802 803// DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of 804// the ability to pass a context and additional request options. 805// 806// See DecodeAuthorizationMessage for details on how to use this API operation. 807// 808// The context must be non-nil and will be used for request cancellation. If 809// the context is nil a panic will occur. In the future the SDK may create 810// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 811// for more information on using Contexts. 812func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { 813 req, out := c.DecodeAuthorizationMessageRequest(input) 814 req.SetContext(ctx) 815 req.ApplyOptions(opts...) 816 return out, req.Send() 817} 818 819const opGetAccessKeyInfo = "GetAccessKeyInfo" 820 821// GetAccessKeyInfoRequest generates a "aws/request.Request" representing the 822// client's request for the GetAccessKeyInfo operation. The "output" return 823// value will be populated with the request's response once the request completes 824// successfully. 825// 826// Use "Send" method on the returned Request to send the API call to the service. 827// the "output" return value is not valid until after Send returns without error. 828// 829// See GetAccessKeyInfo for more information on using the GetAccessKeyInfo 830// API call, and error handling. 831// 832// This method is useful when you want to inject custom logic or configuration 833// into the SDK's request lifecycle. Such as custom headers, or retry logic. 834// 835// 836// // Example sending a request using the GetAccessKeyInfoRequest method. 837// req, resp := client.GetAccessKeyInfoRequest(params) 838// 839// err := req.Send() 840// if err == nil { // resp is now filled 841// fmt.Println(resp) 842// } 843// 844// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo 845func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { 846 op := &request.Operation{ 847 Name: opGetAccessKeyInfo, 848 HTTPMethod: "POST", 849 HTTPPath: "/", 850 } 851 852 if input == nil { 853 input = &GetAccessKeyInfoInput{} 854 } 855 856 output = &GetAccessKeyInfoOutput{} 857 req = c.newRequest(op, input, output) 858 return 859} 860 861// GetAccessKeyInfo API operation for AWS Security Token Service. 862// 863// Returns the account identifier for the specified access key ID. 864// 865// Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) 866// and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). 867// For more information about access keys, see Managing Access Keys for IAM 868// Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) 869// in the IAM User Guide. 870// 871// When you pass an access key ID to this operation, it returns the ID of the 872// AWS account to which the keys belong. Access key IDs beginning with AKIA 873// are long-term credentials for an IAM user or the AWS account root user. Access 874// key IDs beginning with ASIA are temporary credentials that are created using 875// STS operations. If the account in the response belongs to you, you can sign 876// in as the root user and review your root user access keys. Then, you can 877// pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html) 878// to learn which IAM user owns the keys. To learn who requested the temporary 879// credentials for an ASIA access key, view the STS events in your CloudTrail 880// logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html) 881// in the IAM User Guide. 882// 883// This operation does not indicate the state of the access key. The key might 884// be active, inactive, or deleted. Active keys might not have permissions to 885// perform an operation. Providing a deleted access key might return an error 886// that the key doesn't exist. 887// 888// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 889// with awserr.Error's Code and Message methods to get detailed information about 890// the error. 891// 892// See the AWS API reference guide for AWS Security Token Service's 893// API operation GetAccessKeyInfo for usage and error information. 894// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo 895func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { 896 req, out := c.GetAccessKeyInfoRequest(input) 897 return out, req.Send() 898} 899 900// GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of 901// the ability to pass a context and additional request options. 902// 903// See GetAccessKeyInfo for details on how to use this API operation. 904// 905// The context must be non-nil and will be used for request cancellation. If 906// the context is nil a panic will occur. In the future the SDK may create 907// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 908// for more information on using Contexts. 909func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { 910 req, out := c.GetAccessKeyInfoRequest(input) 911 req.SetContext(ctx) 912 req.ApplyOptions(opts...) 913 return out, req.Send() 914} 915 916const opGetCallerIdentity = "GetCallerIdentity" 917 918// GetCallerIdentityRequest generates a "aws/request.Request" representing the 919// client's request for the GetCallerIdentity operation. The "output" return 920// value will be populated with the request's response once the request completes 921// successfully. 922// 923// Use "Send" method on the returned Request to send the API call to the service. 924// the "output" return value is not valid until after Send returns without error. 925// 926// See GetCallerIdentity for more information on using the GetCallerIdentity 927// API call, and error handling. 928// 929// This method is useful when you want to inject custom logic or configuration 930// into the SDK's request lifecycle. Such as custom headers, or retry logic. 931// 932// 933// // Example sending a request using the GetCallerIdentityRequest method. 934// req, resp := client.GetCallerIdentityRequest(params) 935// 936// err := req.Send() 937// if err == nil { // resp is now filled 938// fmt.Println(resp) 939// } 940// 941// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity 942func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { 943 op := &request.Operation{ 944 Name: opGetCallerIdentity, 945 HTTPMethod: "POST", 946 HTTPPath: "/", 947 } 948 949 if input == nil { 950 input = &GetCallerIdentityInput{} 951 } 952 953 output = &GetCallerIdentityOutput{} 954 req = c.newRequest(op, input, output) 955 return 956} 957 958// GetCallerIdentity API operation for AWS Security Token Service. 959// 960// Returns details about the IAM user or role whose credentials are used to 961// call the operation. 962// 963// No permissions are required to perform this operation. If an administrator 964// adds a policy to your IAM user or role that explicitly denies access to the 965// sts:GetCallerIdentity action, you can still perform this operation. Permissions 966// are not required because the same information is returned when an IAM user 967// or role is denied access. To view an example response, see I Am Not Authorized 968// to Perform: iam:DeleteVirtualMFADevice (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa) 969// in the IAM User Guide. 970// 971// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 972// with awserr.Error's Code and Message methods to get detailed information about 973// the error. 974// 975// See the AWS API reference guide for AWS Security Token Service's 976// API operation GetCallerIdentity for usage and error information. 977// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity 978func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { 979 req, out := c.GetCallerIdentityRequest(input) 980 return out, req.Send() 981} 982 983// GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of 984// the ability to pass a context and additional request options. 985// 986// See GetCallerIdentity for details on how to use this API operation. 987// 988// The context must be non-nil and will be used for request cancellation. If 989// the context is nil a panic will occur. In the future the SDK may create 990// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 991// for more information on using Contexts. 992func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { 993 req, out := c.GetCallerIdentityRequest(input) 994 req.SetContext(ctx) 995 req.ApplyOptions(opts...) 996 return out, req.Send() 997} 998 999const opGetFederationToken = "GetFederationToken" 1000 1001// GetFederationTokenRequest generates a "aws/request.Request" representing the 1002// client's request for the GetFederationToken operation. The "output" return 1003// value will be populated with the request's response once the request completes 1004// successfully. 1005// 1006// Use "Send" method on the returned Request to send the API call to the service. 1007// the "output" return value is not valid until after Send returns without error. 1008// 1009// See GetFederationToken for more information on using the GetFederationToken 1010// API call, and error handling. 1011// 1012// This method is useful when you want to inject custom logic or configuration 1013// into the SDK's request lifecycle. Such as custom headers, or retry logic. 1014// 1015// 1016// // Example sending a request using the GetFederationTokenRequest method. 1017// req, resp := client.GetFederationTokenRequest(params) 1018// 1019// err := req.Send() 1020// if err == nil { // resp is now filled 1021// fmt.Println(resp) 1022// } 1023// 1024// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken 1025func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { 1026 op := &request.Operation{ 1027 Name: opGetFederationToken, 1028 HTTPMethod: "POST", 1029 HTTPPath: "/", 1030 } 1031 1032 if input == nil { 1033 input = &GetFederationTokenInput{} 1034 } 1035 1036 output = &GetFederationTokenOutput{} 1037 req = c.newRequest(op, input, output) 1038 return 1039} 1040 1041// GetFederationToken API operation for AWS Security Token Service. 1042// 1043// Returns a set of temporary security credentials (consisting of an access 1044// key ID, a secret access key, and a security token) for a federated user. 1045// A typical use is in a proxy application that gets temporary security credentials 1046// on behalf of distributed applications inside a corporate network. You must 1047// call the GetFederationToken operation using the long-term security credentials 1048// of an IAM user. As a result, this call is appropriate in contexts where those 1049// credentials can be safely stored, usually in a server-based application. 1050// For a comparison of GetFederationToken with the other API operations that 1051// produce temporary credentials, see Requesting Temporary Security Credentials 1052// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 1053// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 1054// in the IAM User Guide. 1055// 1056// You can create a mobile-based or browser-based app that can authenticate 1057// users using a web identity provider like Login with Amazon, Facebook, Google, 1058// or an OpenID Connect-compatible identity provider. In this case, we recommend 1059// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. 1060// For more information, see Federation Through a Web-based Identity Provider 1061// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 1062// in the IAM User Guide. 1063// 1064// You can also call GetFederationToken using the security credentials of an 1065// AWS account root user, but we do not recommend it. Instead, we recommend 1066// that you create an IAM user for the purpose of the proxy application. Then 1067// attach a policy to the IAM user that limits federated users to only the actions 1068// and resources that they need to access. For more information, see IAM Best 1069// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) 1070// in the IAM User Guide. 1071// 1072// Session duration 1073// 1074// The temporary credentials are valid for the specified duration, from 900 1075// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default 1076// session duration is 43,200 seconds (12 hours). Temporary credentials that 1077// are obtained by using AWS account root user credentials have a maximum duration 1078// of 3,600 seconds (1 hour). 1079// 1080// Permissions 1081// 1082// You can use the temporary credentials created by GetFederationToken in any 1083// AWS service except the following: 1084// 1085// * You cannot call any IAM operations using the AWS CLI or the AWS API. 1086// 1087// * You cannot call any STS operations except GetCallerIdentity. 1088// 1089// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1090// to this operation. You can pass a single JSON policy document to use as an 1091// inline session policy. You can also specify up to 10 managed policies to 1092// use as managed session policies. The plaintext that you use for both inline 1093// and managed session policies can't exceed 2,048 characters. 1094// 1095// Though the session policy parameters are optional, if you do not pass a policy, 1096// then the resulting federated user session has no permissions. When you pass 1097// session policies, the session permissions are the intersection of the IAM 1098// user policies and the session policies that you pass. This gives you a way 1099// to further restrict the permissions for a federated user. You cannot use 1100// session policies to grant more permissions than those that are defined in 1101// the permissions policy of the IAM user. For more information, see Session 1102// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1103// in the IAM User Guide. For information about using GetFederationToken to 1104// create temporary security credentials, see GetFederationToken—Federation 1105// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). 1106// 1107// You can use the credentials to access a resource that has a resource-based 1108// policy. If that policy specifically references the federated user session 1109// in the Principal element of the policy, the session has the permissions allowed 1110// by the policy. These permissions are granted in addition to the permissions 1111// granted by the session policies. 1112// 1113// Tags 1114// 1115// (Optional) You can pass tag key-value pairs to your session. These are called 1116// session tags. For more information about session tags, see Passing Session 1117// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1118// in the IAM User Guide. 1119// 1120// You can create a mobile-based or browser-based app that can authenticate 1121// users using a web identity provider like Login with Amazon, Facebook, Google, 1122// or an OpenID Connect-compatible identity provider. In this case, we recommend 1123// that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. 1124// For more information, see Federation Through a Web-based Identity Provider 1125// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 1126// in the IAM User Guide. 1127// 1128// You can also call GetFederationToken using the security credentials of an 1129// AWS account root user, but we do not recommend it. Instead, we recommend 1130// that you create an IAM user for the purpose of the proxy application. Then 1131// attach a policy to the IAM user that limits federated users to only the actions 1132// and resources that they need to access. For more information, see IAM Best 1133// Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) 1134// in the IAM User Guide. 1135// 1136// Session duration 1137// 1138// The temporary credentials are valid for the specified duration, from 900 1139// seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default 1140// session duration is 43,200 seconds (12 hours). Temporary credentials that 1141// are obtained by using AWS account root user credentials have a maximum duration 1142// of 3,600 seconds (1 hour). 1143// 1144// Permissions 1145// 1146// You can use the temporary credentials created by GetFederationToken in any 1147// AWS service except the following: 1148// 1149// * You cannot call any IAM operations using the AWS CLI or the AWS API. 1150// 1151// * You cannot call any STS operations except GetCallerIdentity. 1152// 1153// You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1154// to this operation. You can pass a single JSON policy document to use as an 1155// inline session policy. You can also specify up to 10 managed policies to 1156// use as managed session policies. The plain text that you use for both inline 1157// and managed session policies can't exceed 2,048 characters. 1158// 1159// Though the session policy parameters are optional, if you do not pass a policy, 1160// then the resulting federated user session has no permissions. When you pass 1161// session policies, the session permissions are the intersection of the IAM 1162// user policies and the session policies that you pass. This gives you a way 1163// to further restrict the permissions for a federated user. You cannot use 1164// session policies to grant more permissions than those that are defined in 1165// the permissions policy of the IAM user. For more information, see Session 1166// Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1167// in the IAM User Guide. For information about using GetFederationToken to 1168// create temporary security credentials, see GetFederationToken—Federation 1169// Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). 1170// 1171// You can use the credentials to access a resource that has a resource-based 1172// policy. If that policy specifically references the federated user session 1173// in the Principal element of the policy, the session has the permissions allowed 1174// by the policy. These permissions are granted in addition to the permissions 1175// granted by the session policies. 1176// 1177// Tags 1178// 1179// (Optional) You can pass tag key-value pairs to your session. These are called 1180// session tags. For more information about session tags, see Passing Session 1181// Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1182// in the IAM User Guide. 1183// 1184// An administrator must grant you the permissions necessary to pass session 1185// tags. The administrator can also create granular permissions to allow you 1186// to pass only specific session tags. For more information, see Tutorial: Using 1187// Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 1188// in the IAM User Guide. 1189// 1190// Tag key–value pairs are not case sensitive, but case is preserved. This 1191// means that you cannot have separate Department and department tag keys. Assume 1192// that the user that you are federating has the Department=Marketing tag and 1193// you pass the department=engineering session tag. Department and department 1194// are not saved as separate tags, and the session tag passed in the request 1195// takes precedence over the user tag. 1196// 1197// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1198// with awserr.Error's Code and Message methods to get detailed information about 1199// the error. 1200// 1201// See the AWS API reference guide for AWS Security Token Service's 1202// API operation GetFederationToken for usage and error information. 1203// 1204// Returned Error Codes: 1205// * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" 1206// The request was rejected because the policy document was malformed. The error 1207// message describes the specific error. 1208// 1209// * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" 1210// The request was rejected because the total packed size of the session policies 1211// and session tags combined was too large. An AWS conversion compresses the 1212// session policy document, session policy ARNs, and session tags into a packed 1213// binary format that has a separate limit. The error message indicates by percentage 1214// how close the policies and tags are to the upper size limit. For more information, 1215// see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1216// in the IAM User Guide. 1217// 1218// You could receive this error even though you meet other defined session policy 1219// and session tag limits. For more information, see IAM and STS Entity Character 1220// Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1221// in the IAM User Guide. 1222// 1223// * ErrCodeRegionDisabledException "RegionDisabledException" 1224// STS is not activated in the requested region for the account that is being 1225// asked to generate credentials. The account administrator must use the IAM 1226// console to activate STS in that region. For more information, see Activating 1227// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1228// in the IAM User Guide. 1229// 1230// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken 1231func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { 1232 req, out := c.GetFederationTokenRequest(input) 1233 return out, req.Send() 1234} 1235 1236// GetFederationTokenWithContext is the same as GetFederationToken with the addition of 1237// the ability to pass a context and additional request options. 1238// 1239// See GetFederationToken for details on how to use this API operation. 1240// 1241// The context must be non-nil and will be used for request cancellation. If 1242// the context is nil a panic will occur. In the future the SDK may create 1243// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1244// for more information on using Contexts. 1245func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { 1246 req, out := c.GetFederationTokenRequest(input) 1247 req.SetContext(ctx) 1248 req.ApplyOptions(opts...) 1249 return out, req.Send() 1250} 1251 1252const opGetSessionToken = "GetSessionToken" 1253 1254// GetSessionTokenRequest generates a "aws/request.Request" representing the 1255// client's request for the GetSessionToken operation. The "output" return 1256// value will be populated with the request's response once the request completes 1257// successfully. 1258// 1259// Use "Send" method on the returned Request to send the API call to the service. 1260// the "output" return value is not valid until after Send returns without error. 1261// 1262// See GetSessionToken for more information on using the GetSessionToken 1263// API call, and error handling. 1264// 1265// This method is useful when you want to inject custom logic or configuration 1266// into the SDK's request lifecycle. Such as custom headers, or retry logic. 1267// 1268// 1269// // Example sending a request using the GetSessionTokenRequest method. 1270// req, resp := client.GetSessionTokenRequest(params) 1271// 1272// err := req.Send() 1273// if err == nil { // resp is now filled 1274// fmt.Println(resp) 1275// } 1276// 1277// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken 1278func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { 1279 op := &request.Operation{ 1280 Name: opGetSessionToken, 1281 HTTPMethod: "POST", 1282 HTTPPath: "/", 1283 } 1284 1285 if input == nil { 1286 input = &GetSessionTokenInput{} 1287 } 1288 1289 output = &GetSessionTokenOutput{} 1290 req = c.newRequest(op, input, output) 1291 return 1292} 1293 1294// GetSessionToken API operation for AWS Security Token Service. 1295// 1296// Returns a set of temporary credentials for an AWS account or IAM user. The 1297// credentials consist of an access key ID, a secret access key, and a security 1298// token. Typically, you use GetSessionToken if you want to use MFA to protect 1299// programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. 1300// MFA-enabled IAM users would need to call GetSessionToken and submit an MFA 1301// code that is associated with their MFA device. Using the temporary security 1302// credentials that are returned from the call, IAM users can then make programmatic 1303// calls to API operations that require MFA authentication. If you do not supply 1304// a correct MFA code, then the API returns an access denied error. For a comparison 1305// of GetSessionToken with the other API operations that produce temporary credentials, 1306// see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 1307// and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 1308// in the IAM User Guide. 1309// 1310// Session Duration 1311// 1312// The GetSessionToken operation must be called by using the long-term AWS security 1313// credentials of the AWS account root user or an IAM user. Credentials that 1314// are created by IAM users are valid for the duration that you specify. This 1315// duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 1316// seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials 1317// based on account credentials can range from 900 seconds (15 minutes) up to 1318// 3,600 seconds (1 hour), with a default of 1 hour. 1319// 1320// Permissions 1321// 1322// The temporary security credentials created by GetSessionToken can be used 1323// to make API calls to any AWS service with the following exceptions: 1324// 1325// * You cannot call any IAM API operations unless MFA authentication information 1326// is included in the request. 1327// 1328// * You cannot call any STS API except AssumeRole or GetCallerIdentity. 1329// 1330// We recommend that you do not call GetSessionToken with AWS account root user 1331// credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) 1332// by creating one or more IAM users, giving them the necessary permissions, 1333// and using IAM users for everyday interaction with AWS. 1334// 1335// The credentials that are returned by GetSessionToken are based on permissions 1336// associated with the user whose credentials were used to call the operation. 1337// If GetSessionToken is called using AWS account root user credentials, the 1338// temporary credentials have root user permissions. Similarly, if GetSessionToken 1339// is called using the credentials of an IAM user, the temporary credentials 1340// have the same permissions as the IAM user. 1341// 1342// For more information about using GetSessionToken to create temporary credentials, 1343// go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) 1344// in the IAM User Guide. 1345// 1346// Returns awserr.Error for service API and SDK errors. Use runtime type assertions 1347// with awserr.Error's Code and Message methods to get detailed information about 1348// the error. 1349// 1350// See the AWS API reference guide for AWS Security Token Service's 1351// API operation GetSessionToken for usage and error information. 1352// 1353// Returned Error Codes: 1354// * ErrCodeRegionDisabledException "RegionDisabledException" 1355// STS is not activated in the requested region for the account that is being 1356// asked to generate credentials. The account administrator must use the IAM 1357// console to activate STS in that region. For more information, see Activating 1358// and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) 1359// in the IAM User Guide. 1360// 1361// See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken 1362func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { 1363 req, out := c.GetSessionTokenRequest(input) 1364 return out, req.Send() 1365} 1366 1367// GetSessionTokenWithContext is the same as GetSessionToken with the addition of 1368// the ability to pass a context and additional request options. 1369// 1370// See GetSessionToken for details on how to use this API operation. 1371// 1372// The context must be non-nil and will be used for request cancellation. If 1373// the context is nil a panic will occur. In the future the SDK may create 1374// sub-contexts for http.Requests. See https://golang.org/pkg/context/ 1375// for more information on using Contexts. 1376func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { 1377 req, out := c.GetSessionTokenRequest(input) 1378 req.SetContext(ctx) 1379 req.ApplyOptions(opts...) 1380 return out, req.Send() 1381} 1382 1383type AssumeRoleInput struct { 1384 _ struct{} `type:"structure"` 1385 1386 // The duration, in seconds, of the role session. The value specified can can 1387 // range from 900 seconds (15 minutes) up to the maximum session duration that 1388 // is set for the role. The maximum session duration setting can have a value 1389 // from 1 hour to 12 hours. If you specify a value higher than this setting 1390 // or the administrator setting (whichever is lower), the operation fails. For 1391 // example, if you specify a session duration of 12 hours, but your administrator 1392 // set the maximum session duration to 6 hours, your operation fails. To learn 1393 // how to view the maximum value for your role, see View the Maximum Session 1394 // Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 1395 // in the IAM User Guide. 1396 // 1397 // By default, the value is set to 3600 seconds. 1398 // 1399 // The DurationSeconds parameter is separate from the duration of a console 1400 // session that you might request using the returned credentials. The request 1401 // to the federation endpoint for a console sign-in token takes a SessionDuration 1402 // parameter that specifies the maximum length of the console session. For more 1403 // information, see Creating a URL that Enables Federated Users to Access the 1404 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 1405 // in the IAM User Guide. 1406 DurationSeconds *int64 `min:"900" type:"integer"` 1407 1408 // A unique identifier that might be required when you assume a role in another 1409 // account. If the administrator of the account to which the role belongs provided 1410 // you with an external ID, then provide that value in the ExternalId parameter. 1411 // This value can be any string, such as a passphrase or account number. A cross-account 1412 // role is usually set up to trust everyone in an account. Therefore, the administrator 1413 // of the trusting account might send an external ID to the administrator of 1414 // the trusted account. That way, only someone with the ID can assume the role, 1415 // rather than everyone in the account. For more information about the external 1416 // ID, see How to Use an External ID When Granting Access to Your AWS Resources 1417 // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) 1418 // in the IAM User Guide. 1419 // 1420 // The regex used to validate this parameter is a string of characters consisting 1421 // of upper- and lower-case alphanumeric characters with no spaces. You can 1422 // also include underscores or any of the following characters: =,.@:/- 1423 ExternalId *string `min:"2" type:"string"` 1424 1425 // An IAM policy in JSON format that you want to use as an inline session policy. 1426 // 1427 // This parameter is optional. Passing policies to this operation returns new 1428 // temporary credentials. The resulting session's permissions are the intersection 1429 // of the role's identity-based policy and the session policies. You can use 1430 // the role's temporary credentials in subsequent AWS API calls to access resources 1431 // in the account that owns the role. You cannot use session policies to grant 1432 // more permissions than those allowed by the identity-based policy of the role 1433 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1434 // in the IAM User Guide. 1435 // 1436 // The plaintext that you use for both inline and managed session policies can't 1437 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 1438 // from the space character to the end of the valid character list (\u0020 through 1439 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 1440 // return (\u000D) characters. 1441 // 1442 // An AWS conversion compresses the passed session policies and session tags 1443 // into a packed binary format that has a separate limit. Your request can fail 1444 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 1445 // response element indicates by percentage how close the policies and tags 1446 // for your request are to the upper size limit. 1447 Policy *string `min:"1" type:"string"` 1448 1449 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 1450 // to use as managed session policies. The policies must exist in the same account 1451 // as the role. 1452 // 1453 // This parameter is optional. You can provide up to 10 managed policy ARNs. 1454 // However, the plaintext that you use for both inline and managed session policies 1455 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 1456 // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 1457 // in the AWS General Reference. 1458 // 1459 // An AWS conversion compresses the passed session policies and session tags 1460 // into a packed binary format that has a separate limit. Your request can fail 1461 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 1462 // response element indicates by percentage how close the policies and tags 1463 // for your request are to the upper size limit. 1464 // 1465 // Passing policies to this operation returns new temporary credentials. The 1466 // resulting session's permissions are the intersection of the role's identity-based 1467 // policy and the session policies. You can use the role's temporary credentials 1468 // in subsequent AWS API calls to access resources in the account that owns 1469 // the role. You cannot use session policies to grant more permissions than 1470 // those allowed by the identity-based policy of the role that is being assumed. 1471 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1472 // in the IAM User Guide. 1473 PolicyArns []*PolicyDescriptorType `type:"list"` 1474 1475 // The Amazon Resource Name (ARN) of the role to assume. 1476 // 1477 // RoleArn is a required field 1478 RoleArn *string `min:"20" type:"string" required:"true"` 1479 1480 // An identifier for the assumed role session. 1481 // 1482 // Use the role session name to uniquely identify a session when the same role 1483 // is assumed by different principals or for different reasons. In cross-account 1484 // scenarios, the role session name is visible to, and can be logged by the 1485 // account that owns the role. The role session name is also used in the ARN 1486 // of the assumed role principal. This means that subsequent cross-account API 1487 // requests that use the temporary security credentials will expose the role 1488 // session name to the external account in their AWS CloudTrail logs. 1489 // 1490 // The regex used to validate this parameter is a string of characters consisting 1491 // of upper- and lower-case alphanumeric characters with no spaces. You can 1492 // also include underscores or any of the following characters: =,.@- 1493 // 1494 // RoleSessionName is a required field 1495 RoleSessionName *string `min:"2" type:"string" required:"true"` 1496 1497 // The identification number of the MFA device that is associated with the user 1498 // who is making the AssumeRole call. Specify this value if the trust policy 1499 // of the role being assumed includes a condition that requires MFA authentication. 1500 // The value is either the serial number for a hardware device (such as GAHT12345678) 1501 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). 1502 // 1503 // The regex used to validate this parameter is a string of characters consisting 1504 // of upper- and lower-case alphanumeric characters with no spaces. You can 1505 // also include underscores or any of the following characters: =,.@- 1506 SerialNumber *string `min:"9" type:"string"` 1507 1508 // The source identity specified by the principal that is calling the AssumeRole 1509 // operation. 1510 // 1511 // You can require users to specify a source identity when they assume a role. 1512 // You do this by using the sts:SourceIdentity condition key in a role trust 1513 // policy. You can use source identity information in AWS CloudTrail logs to 1514 // determine who took actions with a role. You can use the aws:SourceIdentity 1515 // condition key to further control access to AWS resources based on the value 1516 // of source identity. For more information about using source identity, see 1517 // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 1518 // in the IAM User Guide. 1519 // 1520 // The regex used to validate this parameter is a string of characters consisting 1521 // of upper- and lower-case alphanumeric characters with no spaces. You can 1522 // also include underscores or any of the following characters: =,.@-. You cannot 1523 // use a value that begins with the text aws:. This prefix is reserved for AWS 1524 // internal use. 1525 SourceIdentity *string `min:"2" type:"string"` 1526 1527 // A list of session tags that you want to pass. Each session tag consists of 1528 // a key name and an associated value. For more information about session tags, 1529 // see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 1530 // in the IAM User Guide. 1531 // 1532 // This parameter is optional. You can pass up to 50 session tags. The plaintext 1533 // session tag keys can’t exceed 128 characters, and the values can’t exceed 1534 // 256 characters. For these and additional limits, see IAM and STS Character 1535 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 1536 // in the IAM User Guide. 1537 // 1538 // An AWS conversion compresses the passed session policies and session tags 1539 // into a packed binary format that has a separate limit. Your request can fail 1540 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 1541 // response element indicates by percentage how close the policies and tags 1542 // for your request are to the upper size limit. 1543 // 1544 // You can pass a session tag with the same key as a tag that is already attached 1545 // to the role. When you do, session tags override a role tag with the same 1546 // key. 1547 // 1548 // Tag key–value pairs are not case sensitive, but case is preserved. This 1549 // means that you cannot have separate Department and department tag keys. Assume 1550 // that the role has the Department=Marketing tag and you pass the department=engineering 1551 // session tag. Department and department are not saved as separate tags, and 1552 // the session tag passed in the request takes precedence over the role tag. 1553 // 1554 // Additionally, if you used temporary credentials to perform this operation, 1555 // the new session inherits any transitive session tags from the calling session. 1556 // If you pass a session tag with the same key as an inherited tag, the operation 1557 // fails. To view the inherited tags for a session, see the AWS CloudTrail logs. 1558 // For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs) 1559 // in the IAM User Guide. 1560 Tags []*Tag `type:"list"` 1561 1562 // The value provided by the MFA device, if the trust policy of the role being 1563 // assumed requires MFA. (In other words, if the policy includes a condition 1564 // that tests for MFA). If the role being assumed requires MFA and if the TokenCode 1565 // value is missing or expired, the AssumeRole call returns an "access denied" 1566 // error. 1567 // 1568 // The format for this parameter, as described by its regex pattern, is a sequence 1569 // of six numeric digits. 1570 TokenCode *string `min:"6" type:"string"` 1571 1572 // A list of keys for session tags that you want to set as transitive. If you 1573 // set a tag key as transitive, the corresponding key and value passes to subsequent 1574 // sessions in a role chain. For more information, see Chaining Roles with Session 1575 // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 1576 // in the IAM User Guide. 1577 // 1578 // This parameter is optional. When you set session tags as transitive, the 1579 // session policy and session tags packed binary limit is not affected. 1580 // 1581 // If you choose not to specify a transitive tag key, then no tags are passed 1582 // from this session to any subsequent sessions. 1583 TransitiveTagKeys []*string `type:"list"` 1584} 1585 1586// String returns the string representation 1587func (s AssumeRoleInput) String() string { 1588 return awsutil.Prettify(s) 1589} 1590 1591// GoString returns the string representation 1592func (s AssumeRoleInput) GoString() string { 1593 return s.String() 1594} 1595 1596// Validate inspects the fields of the type to determine if they are valid. 1597func (s *AssumeRoleInput) Validate() error { 1598 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} 1599 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 1600 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 1601 } 1602 if s.ExternalId != nil && len(*s.ExternalId) < 2 { 1603 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) 1604 } 1605 if s.Policy != nil && len(*s.Policy) < 1 { 1606 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 1607 } 1608 if s.RoleArn == nil { 1609 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 1610 } 1611 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 1612 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 1613 } 1614 if s.RoleSessionName == nil { 1615 invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) 1616 } 1617 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { 1618 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) 1619 } 1620 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { 1621 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) 1622 } 1623 if s.SourceIdentity != nil && len(*s.SourceIdentity) < 2 { 1624 invalidParams.Add(request.NewErrParamMinLen("SourceIdentity", 2)) 1625 } 1626 if s.TokenCode != nil && len(*s.TokenCode) < 6 { 1627 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) 1628 } 1629 if s.PolicyArns != nil { 1630 for i, v := range s.PolicyArns { 1631 if v == nil { 1632 continue 1633 } 1634 if err := v.Validate(); err != nil { 1635 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 1636 } 1637 } 1638 } 1639 if s.Tags != nil { 1640 for i, v := range s.Tags { 1641 if v == nil { 1642 continue 1643 } 1644 if err := v.Validate(); err != nil { 1645 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) 1646 } 1647 } 1648 } 1649 1650 if invalidParams.Len() > 0 { 1651 return invalidParams 1652 } 1653 return nil 1654} 1655 1656// SetDurationSeconds sets the DurationSeconds field's value. 1657func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { 1658 s.DurationSeconds = &v 1659 return s 1660} 1661 1662// SetExternalId sets the ExternalId field's value. 1663func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { 1664 s.ExternalId = &v 1665 return s 1666} 1667 1668// SetPolicy sets the Policy field's value. 1669func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { 1670 s.Policy = &v 1671 return s 1672} 1673 1674// SetPolicyArns sets the PolicyArns field's value. 1675func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { 1676 s.PolicyArns = v 1677 return s 1678} 1679 1680// SetRoleArn sets the RoleArn field's value. 1681func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { 1682 s.RoleArn = &v 1683 return s 1684} 1685 1686// SetRoleSessionName sets the RoleSessionName field's value. 1687func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { 1688 s.RoleSessionName = &v 1689 return s 1690} 1691 1692// SetSerialNumber sets the SerialNumber field's value. 1693func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { 1694 s.SerialNumber = &v 1695 return s 1696} 1697 1698// SetSourceIdentity sets the SourceIdentity field's value. 1699func (s *AssumeRoleInput) SetSourceIdentity(v string) *AssumeRoleInput { 1700 s.SourceIdentity = &v 1701 return s 1702} 1703 1704// SetTags sets the Tags field's value. 1705func (s *AssumeRoleInput) SetTags(v []*Tag) *AssumeRoleInput { 1706 s.Tags = v 1707 return s 1708} 1709 1710// SetTokenCode sets the TokenCode field's value. 1711func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { 1712 s.TokenCode = &v 1713 return s 1714} 1715 1716// SetTransitiveTagKeys sets the TransitiveTagKeys field's value. 1717func (s *AssumeRoleInput) SetTransitiveTagKeys(v []*string) *AssumeRoleInput { 1718 s.TransitiveTagKeys = v 1719 return s 1720} 1721 1722// Contains the response to a successful AssumeRole request, including temporary 1723// AWS credentials that can be used to make AWS requests. 1724type AssumeRoleOutput struct { 1725 _ struct{} `type:"structure"` 1726 1727 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers 1728 // that you can use to refer to the resulting temporary security credentials. 1729 // For example, you can reference these credentials as a principal in a resource-based 1730 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName 1731 // that you specified when you called AssumeRole. 1732 AssumedRoleUser *AssumedRoleUser `type:"structure"` 1733 1734 // The temporary security credentials, which include an access key ID, a secret 1735 // access key, and a security (or session) token. 1736 // 1737 // The size of the security token that STS API operations return is not fixed. 1738 // We strongly recommend that you make no assumptions about the maximum size. 1739 Credentials *Credentials `type:"structure"` 1740 1741 // A percentage value that indicates the packed size of the session policies 1742 // and session tags combined passed in the request. The request fails if the 1743 // packed size is greater than 100 percent, which means the policies and tags 1744 // exceeded the allowed space. 1745 PackedPolicySize *int64 `type:"integer"` 1746 1747 // The source identity specified by the principal that is calling the AssumeRole 1748 // operation. 1749 // 1750 // You can require users to specify a source identity when they assume a role. 1751 // You do this by using the sts:SourceIdentity condition key in a role trust 1752 // policy. You can use source identity information in AWS CloudTrail logs to 1753 // determine who took actions with a role. You can use the aws:SourceIdentity 1754 // condition key to further control access to AWS resources based on the value 1755 // of source identity. For more information about using source identity, see 1756 // Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 1757 // in the IAM User Guide. 1758 // 1759 // The regex used to validate this parameter is a string of characters consisting 1760 // of upper- and lower-case alphanumeric characters with no spaces. You can 1761 // also include underscores or any of the following characters: =,.@- 1762 SourceIdentity *string `min:"2" type:"string"` 1763} 1764 1765// String returns the string representation 1766func (s AssumeRoleOutput) String() string { 1767 return awsutil.Prettify(s) 1768} 1769 1770// GoString returns the string representation 1771func (s AssumeRoleOutput) GoString() string { 1772 return s.String() 1773} 1774 1775// SetAssumedRoleUser sets the AssumedRoleUser field's value. 1776func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { 1777 s.AssumedRoleUser = v 1778 return s 1779} 1780 1781// SetCredentials sets the Credentials field's value. 1782func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { 1783 s.Credentials = v 1784 return s 1785} 1786 1787// SetPackedPolicySize sets the PackedPolicySize field's value. 1788func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { 1789 s.PackedPolicySize = &v 1790 return s 1791} 1792 1793// SetSourceIdentity sets the SourceIdentity field's value. 1794func (s *AssumeRoleOutput) SetSourceIdentity(v string) *AssumeRoleOutput { 1795 s.SourceIdentity = &v 1796 return s 1797} 1798 1799type AssumeRoleWithSAMLInput struct { 1800 _ struct{} `type:"structure"` 1801 1802 // The duration, in seconds, of the role session. Your role session lasts for 1803 // the duration that you specify for the DurationSeconds parameter, or until 1804 // the time specified in the SAML authentication response's SessionNotOnOrAfter 1805 // value, whichever is shorter. You can provide a DurationSeconds value from 1806 // 900 seconds (15 minutes) up to the maximum session duration setting for the 1807 // role. This setting can have a value from 1 hour to 12 hours. If you specify 1808 // a value higher than this setting, the operation fails. For example, if you 1809 // specify a session duration of 12 hours, but your administrator set the maximum 1810 // session duration to 6 hours, your operation fails. To learn how to view the 1811 // maximum value for your role, see View the Maximum Session Duration Setting 1812 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 1813 // in the IAM User Guide. 1814 // 1815 // By default, the value is set to 3600 seconds. 1816 // 1817 // The DurationSeconds parameter is separate from the duration of a console 1818 // session that you might request using the returned credentials. The request 1819 // to the federation endpoint for a console sign-in token takes a SessionDuration 1820 // parameter that specifies the maximum length of the console session. For more 1821 // information, see Creating a URL that Enables Federated Users to Access the 1822 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 1823 // in the IAM User Guide. 1824 DurationSeconds *int64 `min:"900" type:"integer"` 1825 1826 // An IAM policy in JSON format that you want to use as an inline session policy. 1827 // 1828 // This parameter is optional. Passing policies to this operation returns new 1829 // temporary credentials. The resulting session's permissions are the intersection 1830 // of the role's identity-based policy and the session policies. You can use 1831 // the role's temporary credentials in subsequent AWS API calls to access resources 1832 // in the account that owns the role. You cannot use session policies to grant 1833 // more permissions than those allowed by the identity-based policy of the role 1834 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1835 // in the IAM User Guide. 1836 // 1837 // The plaintext that you use for both inline and managed session policies can't 1838 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 1839 // from the space character to the end of the valid character list (\u0020 through 1840 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 1841 // return (\u000D) characters. 1842 // 1843 // An AWS conversion compresses the passed session policies and session tags 1844 // into a packed binary format that has a separate limit. Your request can fail 1845 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 1846 // response element indicates by percentage how close the policies and tags 1847 // for your request are to the upper size limit. 1848 Policy *string `min:"1" type:"string"` 1849 1850 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 1851 // to use as managed session policies. The policies must exist in the same account 1852 // as the role. 1853 // 1854 // This parameter is optional. You can provide up to 10 managed policy ARNs. 1855 // However, the plaintext that you use for both inline and managed session policies 1856 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 1857 // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 1858 // in the AWS General Reference. 1859 // 1860 // An AWS conversion compresses the passed session policies and session tags 1861 // into a packed binary format that has a separate limit. Your request can fail 1862 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 1863 // response element indicates by percentage how close the policies and tags 1864 // for your request are to the upper size limit. 1865 // 1866 // Passing policies to this operation returns new temporary credentials. The 1867 // resulting session's permissions are the intersection of the role's identity-based 1868 // policy and the session policies. You can use the role's temporary credentials 1869 // in subsequent AWS API calls to access resources in the account that owns 1870 // the role. You cannot use session policies to grant more permissions than 1871 // those allowed by the identity-based policy of the role that is being assumed. 1872 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 1873 // in the IAM User Guide. 1874 PolicyArns []*PolicyDescriptorType `type:"list"` 1875 1876 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes 1877 // the IdP. 1878 // 1879 // PrincipalArn is a required field 1880 PrincipalArn *string `min:"20" type:"string" required:"true"` 1881 1882 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 1883 // 1884 // RoleArn is a required field 1885 RoleArn *string `min:"20" type:"string" required:"true"` 1886 1887 // The base64 encoded SAML authentication response provided by the IdP. 1888 // 1889 // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) 1890 // in the IAM User Guide. 1891 // 1892 // SAMLAssertion is a required field 1893 SAMLAssertion *string `min:"4" type:"string" required:"true"` 1894} 1895 1896// String returns the string representation 1897func (s AssumeRoleWithSAMLInput) String() string { 1898 return awsutil.Prettify(s) 1899} 1900 1901// GoString returns the string representation 1902func (s AssumeRoleWithSAMLInput) GoString() string { 1903 return s.String() 1904} 1905 1906// Validate inspects the fields of the type to determine if they are valid. 1907func (s *AssumeRoleWithSAMLInput) Validate() error { 1908 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} 1909 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 1910 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 1911 } 1912 if s.Policy != nil && len(*s.Policy) < 1 { 1913 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 1914 } 1915 if s.PrincipalArn == nil { 1916 invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) 1917 } 1918 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { 1919 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) 1920 } 1921 if s.RoleArn == nil { 1922 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 1923 } 1924 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 1925 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 1926 } 1927 if s.SAMLAssertion == nil { 1928 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) 1929 } 1930 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { 1931 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) 1932 } 1933 if s.PolicyArns != nil { 1934 for i, v := range s.PolicyArns { 1935 if v == nil { 1936 continue 1937 } 1938 if err := v.Validate(); err != nil { 1939 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 1940 } 1941 } 1942 } 1943 1944 if invalidParams.Len() > 0 { 1945 return invalidParams 1946 } 1947 return nil 1948} 1949 1950// SetDurationSeconds sets the DurationSeconds field's value. 1951func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { 1952 s.DurationSeconds = &v 1953 return s 1954} 1955 1956// SetPolicy sets the Policy field's value. 1957func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { 1958 s.Policy = &v 1959 return s 1960} 1961 1962// SetPolicyArns sets the PolicyArns field's value. 1963func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { 1964 s.PolicyArns = v 1965 return s 1966} 1967 1968// SetPrincipalArn sets the PrincipalArn field's value. 1969func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { 1970 s.PrincipalArn = &v 1971 return s 1972} 1973 1974// SetRoleArn sets the RoleArn field's value. 1975func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { 1976 s.RoleArn = &v 1977 return s 1978} 1979 1980// SetSAMLAssertion sets the SAMLAssertion field's value. 1981func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { 1982 s.SAMLAssertion = &v 1983 return s 1984} 1985 1986// Contains the response to a successful AssumeRoleWithSAML request, including 1987// temporary AWS credentials that can be used to make AWS requests. 1988type AssumeRoleWithSAMLOutput struct { 1989 _ struct{} `type:"structure"` 1990 1991 // The identifiers for the temporary security credentials that the operation 1992 // returns. 1993 AssumedRoleUser *AssumedRoleUser `type:"structure"` 1994 1995 // The value of the Recipient attribute of the SubjectConfirmationData element 1996 // of the SAML assertion. 1997 Audience *string `type:"string"` 1998 1999 // The temporary security credentials, which include an access key ID, a secret 2000 // access key, and a security (or session) token. 2001 // 2002 // The size of the security token that STS API operations return is not fixed. 2003 // We strongly recommend that you make no assumptions about the maximum size. 2004 Credentials *Credentials `type:"structure"` 2005 2006 // The value of the Issuer element of the SAML assertion. 2007 Issuer *string `type:"string"` 2008 2009 // A hash value based on the concatenation of the following: 2010 // 2011 // * The Issuer response value. 2012 // 2013 // * The AWS account ID. 2014 // 2015 // * The friendly name (the last part of the ARN) of the SAML provider in 2016 // IAM. 2017 // 2018 // The combination of NameQualifier and Subject can be used to uniquely identify 2019 // a federated user. 2020 // 2021 // The following pseudocode shows how the hash value is calculated: 2022 // 2023 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" 2024 // ) ) 2025 NameQualifier *string `type:"string"` 2026 2027 // A percentage value that indicates the packed size of the session policies 2028 // and session tags combined passed in the request. The request fails if the 2029 // packed size is greater than 100 percent, which means the policies and tags 2030 // exceeded the allowed space. 2031 PackedPolicySize *int64 `type:"integer"` 2032 2033 // The value in the SourceIdentity attribute in the SAML assertion. 2034 // 2035 // You can require users to set a source identity value when they assume a role. 2036 // You do this by using the sts:SourceIdentity condition key in a role trust 2037 // policy. That way, actions that are taken with the role are associated with 2038 // that user. After the source identity is set, the value cannot be changed. 2039 // It is present in the request for all actions that are taken by the role and 2040 // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) 2041 // sessions. You can configure your SAML identity provider to use an attribute 2042 // associated with your users, like user name or email, as the source identity 2043 // when calling AssumeRoleWithSAML. You do this by adding an attribute to the 2044 // SAML assertion. For more information about using source identity, see Monitor 2045 // and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 2046 // in the IAM User Guide. 2047 // 2048 // The regex used to validate this parameter is a string of characters consisting 2049 // of upper- and lower-case alphanumeric characters with no spaces. You can 2050 // also include underscores or any of the following characters: =,.@- 2051 SourceIdentity *string `min:"2" type:"string"` 2052 2053 // The value of the NameID element in the Subject element of the SAML assertion. 2054 Subject *string `type:"string"` 2055 2056 // The format of the name ID, as defined by the Format attribute in the NameID 2057 // element of the SAML assertion. Typical examples of the format are transient 2058 // or persistent. 2059 // 2060 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, 2061 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient 2062 // is returned as transient. If the format includes any other prefix, the format 2063 // is returned with no modifications. 2064 SubjectType *string `type:"string"` 2065} 2066 2067// String returns the string representation 2068func (s AssumeRoleWithSAMLOutput) String() string { 2069 return awsutil.Prettify(s) 2070} 2071 2072// GoString returns the string representation 2073func (s AssumeRoleWithSAMLOutput) GoString() string { 2074 return s.String() 2075} 2076 2077// SetAssumedRoleUser sets the AssumedRoleUser field's value. 2078func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { 2079 s.AssumedRoleUser = v 2080 return s 2081} 2082 2083// SetAudience sets the Audience field's value. 2084func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { 2085 s.Audience = &v 2086 return s 2087} 2088 2089// SetCredentials sets the Credentials field's value. 2090func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { 2091 s.Credentials = v 2092 return s 2093} 2094 2095// SetIssuer sets the Issuer field's value. 2096func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { 2097 s.Issuer = &v 2098 return s 2099} 2100 2101// SetNameQualifier sets the NameQualifier field's value. 2102func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { 2103 s.NameQualifier = &v 2104 return s 2105} 2106 2107// SetPackedPolicySize sets the PackedPolicySize field's value. 2108func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { 2109 s.PackedPolicySize = &v 2110 return s 2111} 2112 2113// SetSourceIdentity sets the SourceIdentity field's value. 2114func (s *AssumeRoleWithSAMLOutput) SetSourceIdentity(v string) *AssumeRoleWithSAMLOutput { 2115 s.SourceIdentity = &v 2116 return s 2117} 2118 2119// SetSubject sets the Subject field's value. 2120func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { 2121 s.Subject = &v 2122 return s 2123} 2124 2125// SetSubjectType sets the SubjectType field's value. 2126func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { 2127 s.SubjectType = &v 2128 return s 2129} 2130 2131type AssumeRoleWithWebIdentityInput struct { 2132 _ struct{} `type:"structure"` 2133 2134 // The duration, in seconds, of the role session. The value can range from 900 2135 // seconds (15 minutes) up to the maximum session duration setting for the role. 2136 // This setting can have a value from 1 hour to 12 hours. If you specify a value 2137 // higher than this setting, the operation fails. For example, if you specify 2138 // a session duration of 12 hours, but your administrator set the maximum session 2139 // duration to 6 hours, your operation fails. To learn how to view the maximum 2140 // value for your role, see View the Maximum Session Duration Setting for a 2141 // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 2142 // in the IAM User Guide. 2143 // 2144 // By default, the value is set to 3600 seconds. 2145 // 2146 // The DurationSeconds parameter is separate from the duration of a console 2147 // session that you might request using the returned credentials. The request 2148 // to the federation endpoint for a console sign-in token takes a SessionDuration 2149 // parameter that specifies the maximum length of the console session. For more 2150 // information, see Creating a URL that Enables Federated Users to Access the 2151 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 2152 // in the IAM User Guide. 2153 DurationSeconds *int64 `min:"900" type:"integer"` 2154 2155 // An IAM policy in JSON format that you want to use as an inline session policy. 2156 // 2157 // This parameter is optional. Passing policies to this operation returns new 2158 // temporary credentials. The resulting session's permissions are the intersection 2159 // of the role's identity-based policy and the session policies. You can use 2160 // the role's temporary credentials in subsequent AWS API calls to access resources 2161 // in the account that owns the role. You cannot use session policies to grant 2162 // more permissions than those allowed by the identity-based policy of the role 2163 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2164 // in the IAM User Guide. 2165 // 2166 // The plaintext that you use for both inline and managed session policies can't 2167 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 2168 // from the space character to the end of the valid character list (\u0020 through 2169 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 2170 // return (\u000D) characters. 2171 // 2172 // An AWS conversion compresses the passed session policies and session tags 2173 // into a packed binary format that has a separate limit. Your request can fail 2174 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 2175 // response element indicates by percentage how close the policies and tags 2176 // for your request are to the upper size limit. 2177 Policy *string `min:"1" type:"string"` 2178 2179 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 2180 // to use as managed session policies. The policies must exist in the same account 2181 // as the role. 2182 // 2183 // This parameter is optional. You can provide up to 10 managed policy ARNs. 2184 // However, the plaintext that you use for both inline and managed session policies 2185 // can't exceed 2,048 characters. For more information about ARNs, see Amazon 2186 // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 2187 // in the AWS General Reference. 2188 // 2189 // An AWS conversion compresses the passed session policies and session tags 2190 // into a packed binary format that has a separate limit. Your request can fail 2191 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 2192 // response element indicates by percentage how close the policies and tags 2193 // for your request are to the upper size limit. 2194 // 2195 // Passing policies to this operation returns new temporary credentials. The 2196 // resulting session's permissions are the intersection of the role's identity-based 2197 // policy and the session policies. You can use the role's temporary credentials 2198 // in subsequent AWS API calls to access resources in the account that owns 2199 // the role. You cannot use session policies to grant more permissions than 2200 // those allowed by the identity-based policy of the role that is being assumed. 2201 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2202 // in the IAM User Guide. 2203 PolicyArns []*PolicyDescriptorType `type:"list"` 2204 2205 // The fully qualified host component of the domain name of the identity provider. 2206 // 2207 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com 2208 // and graph.facebook.com are the only supported identity providers for OAuth 2209 // 2.0 access tokens. Do not include URL schemes and port numbers. 2210 // 2211 // Do not specify this value for OpenID Connect ID tokens. 2212 ProviderId *string `min:"4" type:"string"` 2213 2214 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 2215 // 2216 // RoleArn is a required field 2217 RoleArn *string `min:"20" type:"string" required:"true"` 2218 2219 // An identifier for the assumed role session. Typically, you pass the name 2220 // or identifier that is associated with the user who is using your application. 2221 // That way, the temporary security credentials that your application will use 2222 // are associated with that user. This session name is included as part of the 2223 // ARN and assumed role ID in the AssumedRoleUser response element. 2224 // 2225 // The regex used to validate this parameter is a string of characters consisting 2226 // of upper- and lower-case alphanumeric characters with no spaces. You can 2227 // also include underscores or any of the following characters: =,.@- 2228 // 2229 // RoleSessionName is a required field 2230 RoleSessionName *string `min:"2" type:"string" required:"true"` 2231 2232 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by 2233 // the identity provider. Your application must get this token by authenticating 2234 // the user who is using your application with a web identity provider before 2235 // the application makes an AssumeRoleWithWebIdentity call. 2236 // 2237 // WebIdentityToken is a required field 2238 WebIdentityToken *string `min:"4" type:"string" required:"true"` 2239} 2240 2241// String returns the string representation 2242func (s AssumeRoleWithWebIdentityInput) String() string { 2243 return awsutil.Prettify(s) 2244} 2245 2246// GoString returns the string representation 2247func (s AssumeRoleWithWebIdentityInput) GoString() string { 2248 return s.String() 2249} 2250 2251// Validate inspects the fields of the type to determine if they are valid. 2252func (s *AssumeRoleWithWebIdentityInput) Validate() error { 2253 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} 2254 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 2255 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 2256 } 2257 if s.Policy != nil && len(*s.Policy) < 1 { 2258 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 2259 } 2260 if s.ProviderId != nil && len(*s.ProviderId) < 4 { 2261 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) 2262 } 2263 if s.RoleArn == nil { 2264 invalidParams.Add(request.NewErrParamRequired("RoleArn")) 2265 } 2266 if s.RoleArn != nil && len(*s.RoleArn) < 20 { 2267 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) 2268 } 2269 if s.RoleSessionName == nil { 2270 invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) 2271 } 2272 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { 2273 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) 2274 } 2275 if s.WebIdentityToken == nil { 2276 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) 2277 } 2278 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { 2279 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) 2280 } 2281 if s.PolicyArns != nil { 2282 for i, v := range s.PolicyArns { 2283 if v == nil { 2284 continue 2285 } 2286 if err := v.Validate(); err != nil { 2287 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 2288 } 2289 } 2290 } 2291 2292 if invalidParams.Len() > 0 { 2293 return invalidParams 2294 } 2295 return nil 2296} 2297 2298// SetDurationSeconds sets the DurationSeconds field's value. 2299func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { 2300 s.DurationSeconds = &v 2301 return s 2302} 2303 2304// SetPolicy sets the Policy field's value. 2305func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { 2306 s.Policy = &v 2307 return s 2308} 2309 2310// SetPolicyArns sets the PolicyArns field's value. 2311func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { 2312 s.PolicyArns = v 2313 return s 2314} 2315 2316// SetProviderId sets the ProviderId field's value. 2317func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { 2318 s.ProviderId = &v 2319 return s 2320} 2321 2322// SetRoleArn sets the RoleArn field's value. 2323func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { 2324 s.RoleArn = &v 2325 return s 2326} 2327 2328// SetRoleSessionName sets the RoleSessionName field's value. 2329func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { 2330 s.RoleSessionName = &v 2331 return s 2332} 2333 2334// SetWebIdentityToken sets the WebIdentityToken field's value. 2335func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { 2336 s.WebIdentityToken = &v 2337 return s 2338} 2339 2340// Contains the response to a successful AssumeRoleWithWebIdentity request, 2341// including temporary AWS credentials that can be used to make AWS requests. 2342type AssumeRoleWithWebIdentityOutput struct { 2343 _ struct{} `type:"structure"` 2344 2345 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers 2346 // that you can use to refer to the resulting temporary security credentials. 2347 // For example, you can reference these credentials as a principal in a resource-based 2348 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName 2349 // that you specified when you called AssumeRole. 2350 AssumedRoleUser *AssumedRoleUser `type:"structure"` 2351 2352 // The intended audience (also known as client ID) of the web identity token. 2353 // This is traditionally the client identifier issued to the application that 2354 // requested the web identity token. 2355 Audience *string `type:"string"` 2356 2357 // The temporary security credentials, which include an access key ID, a secret 2358 // access key, and a security token. 2359 // 2360 // The size of the security token that STS API operations return is not fixed. 2361 // We strongly recommend that you make no assumptions about the maximum size. 2362 Credentials *Credentials `type:"structure"` 2363 2364 // A percentage value that indicates the packed size of the session policies 2365 // and session tags combined passed in the request. The request fails if the 2366 // packed size is greater than 100 percent, which means the policies and tags 2367 // exceeded the allowed space. 2368 PackedPolicySize *int64 `type:"integer"` 2369 2370 // The issuing authority of the web identity token presented. For OpenID Connect 2371 // ID tokens, this contains the value of the iss field. For OAuth 2.0 access 2372 // tokens, this contains the value of the ProviderId parameter that was passed 2373 // in the AssumeRoleWithWebIdentity request. 2374 Provider *string `type:"string"` 2375 2376 // The value of the source identity that is returned in the JSON web token (JWT) 2377 // from the identity provider. 2378 // 2379 // You can require users to set a source identity value when they assume a role. 2380 // You do this by using the sts:SourceIdentity condition key in a role trust 2381 // policy. That way, actions that are taken with the role are associated with 2382 // that user. After the source identity is set, the value cannot be changed. 2383 // It is present in the request for all actions that are taken by the role and 2384 // persists across chained role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) 2385 // sessions. You can configure your identity provider to use an attribute associated 2386 // with your users, like user name or email, as the source identity when calling 2387 // AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web 2388 // token. To learn more about OIDC tokens and claims, see Using Tokens with 2389 // User Pools (https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html) 2390 // in the Amazon Cognito Developer Guide. For more information about using source 2391 // identity, see Monitor and control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 2392 // in the IAM User Guide. 2393 // 2394 // The regex used to validate this parameter is a string of characters consisting 2395 // of upper- and lower-case alphanumeric characters with no spaces. You can 2396 // also include underscores or any of the following characters: =,.@- 2397 SourceIdentity *string `min:"2" type:"string"` 2398 2399 // The unique user identifier that is returned by the identity provider. This 2400 // identifier is associated with the WebIdentityToken that was submitted with 2401 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to 2402 // the user and the application that acquired the WebIdentityToken (pairwise 2403 // identifier). For OpenID Connect ID tokens, this field contains the value 2404 // returned by the identity provider as the token's sub (Subject) claim. 2405 SubjectFromWebIdentityToken *string `min:"6" type:"string"` 2406} 2407 2408// String returns the string representation 2409func (s AssumeRoleWithWebIdentityOutput) String() string { 2410 return awsutil.Prettify(s) 2411} 2412 2413// GoString returns the string representation 2414func (s AssumeRoleWithWebIdentityOutput) GoString() string { 2415 return s.String() 2416} 2417 2418// SetAssumedRoleUser sets the AssumedRoleUser field's value. 2419func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { 2420 s.AssumedRoleUser = v 2421 return s 2422} 2423 2424// SetAudience sets the Audience field's value. 2425func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { 2426 s.Audience = &v 2427 return s 2428} 2429 2430// SetCredentials sets the Credentials field's value. 2431func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { 2432 s.Credentials = v 2433 return s 2434} 2435 2436// SetPackedPolicySize sets the PackedPolicySize field's value. 2437func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { 2438 s.PackedPolicySize = &v 2439 return s 2440} 2441 2442// SetProvider sets the Provider field's value. 2443func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { 2444 s.Provider = &v 2445 return s 2446} 2447 2448// SetSourceIdentity sets the SourceIdentity field's value. 2449func (s *AssumeRoleWithWebIdentityOutput) SetSourceIdentity(v string) *AssumeRoleWithWebIdentityOutput { 2450 s.SourceIdentity = &v 2451 return s 2452} 2453 2454// SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. 2455func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { 2456 s.SubjectFromWebIdentityToken = &v 2457 return s 2458} 2459 2460// The identifiers for the temporary security credentials that the operation 2461// returns. 2462type AssumedRoleUser struct { 2463 _ struct{} `type:"structure"` 2464 2465 // The ARN of the temporary security credentials that are returned from the 2466 // AssumeRole action. For more information about ARNs and how to use them in 2467 // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) 2468 // in the IAM User Guide. 2469 // 2470 // Arn is a required field 2471 Arn *string `min:"20" type:"string" required:"true"` 2472 2473 // A unique identifier that contains the role ID and the role session name of 2474 // the role that is being assumed. The role ID is generated by AWS when the 2475 // role is created. 2476 // 2477 // AssumedRoleId is a required field 2478 AssumedRoleId *string `min:"2" type:"string" required:"true"` 2479} 2480 2481// String returns the string representation 2482func (s AssumedRoleUser) String() string { 2483 return awsutil.Prettify(s) 2484} 2485 2486// GoString returns the string representation 2487func (s AssumedRoleUser) GoString() string { 2488 return s.String() 2489} 2490 2491// SetArn sets the Arn field's value. 2492func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { 2493 s.Arn = &v 2494 return s 2495} 2496 2497// SetAssumedRoleId sets the AssumedRoleId field's value. 2498func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { 2499 s.AssumedRoleId = &v 2500 return s 2501} 2502 2503// AWS credentials for API authentication. 2504type Credentials struct { 2505 _ struct{} `type:"structure"` 2506 2507 // The access key ID that identifies the temporary security credentials. 2508 // 2509 // AccessKeyId is a required field 2510 AccessKeyId *string `min:"16" type:"string" required:"true"` 2511 2512 // The date on which the current credentials expire. 2513 // 2514 // Expiration is a required field 2515 Expiration *time.Time `type:"timestamp" required:"true"` 2516 2517 // The secret access key that can be used to sign requests. 2518 // 2519 // SecretAccessKey is a required field 2520 SecretAccessKey *string `type:"string" required:"true"` 2521 2522 // The token that users must pass to the service API to use the temporary credentials. 2523 // 2524 // SessionToken is a required field 2525 SessionToken *string `type:"string" required:"true"` 2526} 2527 2528// String returns the string representation 2529func (s Credentials) String() string { 2530 return awsutil.Prettify(s) 2531} 2532 2533// GoString returns the string representation 2534func (s Credentials) GoString() string { 2535 return s.String() 2536} 2537 2538// SetAccessKeyId sets the AccessKeyId field's value. 2539func (s *Credentials) SetAccessKeyId(v string) *Credentials { 2540 s.AccessKeyId = &v 2541 return s 2542} 2543 2544// SetExpiration sets the Expiration field's value. 2545func (s *Credentials) SetExpiration(v time.Time) *Credentials { 2546 s.Expiration = &v 2547 return s 2548} 2549 2550// SetSecretAccessKey sets the SecretAccessKey field's value. 2551func (s *Credentials) SetSecretAccessKey(v string) *Credentials { 2552 s.SecretAccessKey = &v 2553 return s 2554} 2555 2556// SetSessionToken sets the SessionToken field's value. 2557func (s *Credentials) SetSessionToken(v string) *Credentials { 2558 s.SessionToken = &v 2559 return s 2560} 2561 2562type DecodeAuthorizationMessageInput struct { 2563 _ struct{} `type:"structure"` 2564 2565 // The encoded message that was returned with the response. 2566 // 2567 // EncodedMessage is a required field 2568 EncodedMessage *string `min:"1" type:"string" required:"true"` 2569} 2570 2571// String returns the string representation 2572func (s DecodeAuthorizationMessageInput) String() string { 2573 return awsutil.Prettify(s) 2574} 2575 2576// GoString returns the string representation 2577func (s DecodeAuthorizationMessageInput) GoString() string { 2578 return s.String() 2579} 2580 2581// Validate inspects the fields of the type to determine if they are valid. 2582func (s *DecodeAuthorizationMessageInput) Validate() error { 2583 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} 2584 if s.EncodedMessage == nil { 2585 invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) 2586 } 2587 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { 2588 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) 2589 } 2590 2591 if invalidParams.Len() > 0 { 2592 return invalidParams 2593 } 2594 return nil 2595} 2596 2597// SetEncodedMessage sets the EncodedMessage field's value. 2598func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { 2599 s.EncodedMessage = &v 2600 return s 2601} 2602 2603// A document that contains additional information about the authorization status 2604// of a request from an encoded message that is returned in response to an AWS 2605// request. 2606type DecodeAuthorizationMessageOutput struct { 2607 _ struct{} `type:"structure"` 2608 2609 // An XML document that contains the decoded message. 2610 DecodedMessage *string `type:"string"` 2611} 2612 2613// String returns the string representation 2614func (s DecodeAuthorizationMessageOutput) String() string { 2615 return awsutil.Prettify(s) 2616} 2617 2618// GoString returns the string representation 2619func (s DecodeAuthorizationMessageOutput) GoString() string { 2620 return s.String() 2621} 2622 2623// SetDecodedMessage sets the DecodedMessage field's value. 2624func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { 2625 s.DecodedMessage = &v 2626 return s 2627} 2628 2629// Identifiers for the federated user that is associated with the credentials. 2630type FederatedUser struct { 2631 _ struct{} `type:"structure"` 2632 2633 // The ARN that specifies the federated user that is associated with the credentials. 2634 // For more information about ARNs and how to use them in policies, see IAM 2635 // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) 2636 // in the IAM User Guide. 2637 // 2638 // Arn is a required field 2639 Arn *string `min:"20" type:"string" required:"true"` 2640 2641 // The string that identifies the federated user associated with the credentials, 2642 // similar to the unique ID of an IAM user. 2643 // 2644 // FederatedUserId is a required field 2645 FederatedUserId *string `min:"2" type:"string" required:"true"` 2646} 2647 2648// String returns the string representation 2649func (s FederatedUser) String() string { 2650 return awsutil.Prettify(s) 2651} 2652 2653// GoString returns the string representation 2654func (s FederatedUser) GoString() string { 2655 return s.String() 2656} 2657 2658// SetArn sets the Arn field's value. 2659func (s *FederatedUser) SetArn(v string) *FederatedUser { 2660 s.Arn = &v 2661 return s 2662} 2663 2664// SetFederatedUserId sets the FederatedUserId field's value. 2665func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { 2666 s.FederatedUserId = &v 2667 return s 2668} 2669 2670type GetAccessKeyInfoInput struct { 2671 _ struct{} `type:"structure"` 2672 2673 // The identifier of an access key. 2674 // 2675 // This parameter allows (through its regex pattern) a string of characters 2676 // that can consist of any upper- or lowercase letter or digit. 2677 // 2678 // AccessKeyId is a required field 2679 AccessKeyId *string `min:"16" type:"string" required:"true"` 2680} 2681 2682// String returns the string representation 2683func (s GetAccessKeyInfoInput) String() string { 2684 return awsutil.Prettify(s) 2685} 2686 2687// GoString returns the string representation 2688func (s GetAccessKeyInfoInput) GoString() string { 2689 return s.String() 2690} 2691 2692// Validate inspects the fields of the type to determine if they are valid. 2693func (s *GetAccessKeyInfoInput) Validate() error { 2694 invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} 2695 if s.AccessKeyId == nil { 2696 invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) 2697 } 2698 if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { 2699 invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) 2700 } 2701 2702 if invalidParams.Len() > 0 { 2703 return invalidParams 2704 } 2705 return nil 2706} 2707 2708// SetAccessKeyId sets the AccessKeyId field's value. 2709func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { 2710 s.AccessKeyId = &v 2711 return s 2712} 2713 2714type GetAccessKeyInfoOutput struct { 2715 _ struct{} `type:"structure"` 2716 2717 // The number used to identify the AWS account. 2718 Account *string `type:"string"` 2719} 2720 2721// String returns the string representation 2722func (s GetAccessKeyInfoOutput) String() string { 2723 return awsutil.Prettify(s) 2724} 2725 2726// GoString returns the string representation 2727func (s GetAccessKeyInfoOutput) GoString() string { 2728 return s.String() 2729} 2730 2731// SetAccount sets the Account field's value. 2732func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { 2733 s.Account = &v 2734 return s 2735} 2736 2737type GetCallerIdentityInput struct { 2738 _ struct{} `type:"structure"` 2739} 2740 2741// String returns the string representation 2742func (s GetCallerIdentityInput) String() string { 2743 return awsutil.Prettify(s) 2744} 2745 2746// GoString returns the string representation 2747func (s GetCallerIdentityInput) GoString() string { 2748 return s.String() 2749} 2750 2751// Contains the response to a successful GetCallerIdentity request, including 2752// information about the entity making the request. 2753type GetCallerIdentityOutput struct { 2754 _ struct{} `type:"structure"` 2755 2756 // The AWS account ID number of the account that owns or contains the calling 2757 // entity. 2758 Account *string `type:"string"` 2759 2760 // The AWS ARN associated with the calling entity. 2761 Arn *string `min:"20" type:"string"` 2762 2763 // The unique identifier of the calling entity. The exact value depends on the 2764 // type of entity that is making the call. The values returned are those listed 2765 // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) 2766 // found on the Policy Variables reference page in the IAM User Guide. 2767 UserId *string `type:"string"` 2768} 2769 2770// String returns the string representation 2771func (s GetCallerIdentityOutput) String() string { 2772 return awsutil.Prettify(s) 2773} 2774 2775// GoString returns the string representation 2776func (s GetCallerIdentityOutput) GoString() string { 2777 return s.String() 2778} 2779 2780// SetAccount sets the Account field's value. 2781func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { 2782 s.Account = &v 2783 return s 2784} 2785 2786// SetArn sets the Arn field's value. 2787func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { 2788 s.Arn = &v 2789 return s 2790} 2791 2792// SetUserId sets the UserId field's value. 2793func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { 2794 s.UserId = &v 2795 return s 2796} 2797 2798type GetFederationTokenInput struct { 2799 _ struct{} `type:"structure"` 2800 2801 // The duration, in seconds, that the session should last. Acceptable durations 2802 // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds 2803 // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained 2804 // using AWS account root user credentials are restricted to a maximum of 3,600 2805 // seconds (one hour). If the specified duration is longer than one hour, the 2806 // session obtained by using root user credentials defaults to one hour. 2807 DurationSeconds *int64 `min:"900" type:"integer"` 2808 2809 // The name of the federated user. The name is used as an identifier for the 2810 // temporary security credentials (such as Bob). For example, you can reference 2811 // the federated user name in a resource-based policy, such as in an Amazon 2812 // S3 bucket policy. 2813 // 2814 // The regex used to validate this parameter is a string of characters consisting 2815 // of upper- and lower-case alphanumeric characters with no spaces. You can 2816 // also include underscores or any of the following characters: =,.@- 2817 // 2818 // Name is a required field 2819 Name *string `min:"2" type:"string" required:"true"` 2820 2821 // An IAM policy in JSON format that you want to use as an inline session policy. 2822 // 2823 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2824 // to this operation. You can pass a single JSON policy document to use as an 2825 // inline session policy. You can also specify up to 10 managed policies to 2826 // use as managed session policies. 2827 // 2828 // This parameter is optional. However, if you do not pass any session policies, 2829 // then the resulting federated user session has no permissions. 2830 // 2831 // When you pass session policies, the session permissions are the intersection 2832 // of the IAM user policies and the session policies that you pass. This gives 2833 // you a way to further restrict the permissions for a federated user. You cannot 2834 // use session policies to grant more permissions than those that are defined 2835 // in the permissions policy of the IAM user. For more information, see Session 2836 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2837 // in the IAM User Guide. 2838 // 2839 // The resulting credentials can be used to access a resource that has a resource-based 2840 // policy. If that policy specifically references the federated user session 2841 // in the Principal element of the policy, the session has the permissions allowed 2842 // by the policy. These permissions are granted in addition to the permissions 2843 // that are granted by the session policies. 2844 // 2845 // The plaintext that you use for both inline and managed session policies can't 2846 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 2847 // from the space character to the end of the valid character list (\u0020 through 2848 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 2849 // return (\u000D) characters. 2850 // 2851 // An AWS conversion compresses the passed session policies and session tags 2852 // into a packed binary format that has a separate limit. Your request can fail 2853 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 2854 // response element indicates by percentage how close the policies and tags 2855 // for your request are to the upper size limit. 2856 Policy *string `min:"1" type:"string"` 2857 2858 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want 2859 // to use as a managed session policy. The policies must exist in the same account 2860 // as the IAM user that is requesting federated access. 2861 // 2862 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2863 // to this operation. You can pass a single JSON policy document to use as an 2864 // inline session policy. You can also specify up to 10 managed policies to 2865 // use as managed session policies. The plaintext that you use for both inline 2866 // and managed session policies can't exceed 2,048 characters. You can provide 2867 // up to 10 managed policy ARNs. For more information about ARNs, see Amazon 2868 // Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 2869 // in the AWS General Reference. 2870 // 2871 // This parameter is optional. However, if you do not pass any session policies, 2872 // then the resulting federated user session has no permissions. 2873 // 2874 // When you pass session policies, the session permissions are the intersection 2875 // of the IAM user policies and the session policies that you pass. This gives 2876 // you a way to further restrict the permissions for a federated user. You cannot 2877 // use session policies to grant more permissions than those that are defined 2878 // in the permissions policy of the IAM user. For more information, see Session 2879 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 2880 // in the IAM User Guide. 2881 // 2882 // The resulting credentials can be used to access a resource that has a resource-based 2883 // policy. If that policy specifically references the federated user session 2884 // in the Principal element of the policy, the session has the permissions allowed 2885 // by the policy. These permissions are granted in addition to the permissions 2886 // that are granted by the session policies. 2887 // 2888 // An AWS conversion compresses the passed session policies and session tags 2889 // into a packed binary format that has a separate limit. Your request can fail 2890 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 2891 // response element indicates by percentage how close the policies and tags 2892 // for your request are to the upper size limit. 2893 PolicyArns []*PolicyDescriptorType `type:"list"` 2894 2895 // A list of session tags. Each session tag consists of a key name and an associated 2896 // value. For more information about session tags, see Passing Session Tags 2897 // in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 2898 // in the IAM User Guide. 2899 // 2900 // This parameter is optional. You can pass up to 50 session tags. The plaintext 2901 // session tag keys can’t exceed 128 characters and the values can’t exceed 2902 // 256 characters. For these and additional limits, see IAM and STS Character 2903 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 2904 // in the IAM User Guide. 2905 // 2906 // An AWS conversion compresses the passed session policies and session tags 2907 // into a packed binary format that has a separate limit. Your request can fail 2908 // for this limit even if your plaintext meets the other requirements. The PackedPolicySize 2909 // response element indicates by percentage how close the policies and tags 2910 // for your request are to the upper size limit. 2911 // 2912 // You can pass a session tag with the same key as a tag that is already attached 2913 // to the user you are federating. When you do, session tags override a user 2914 // tag with the same key. 2915 // 2916 // Tag key–value pairs are not case sensitive, but case is preserved. This 2917 // means that you cannot have separate Department and department tag keys. Assume 2918 // that the role has the Department=Marketing tag and you pass the department=engineering 2919 // session tag. Department and department are not saved as separate tags, and 2920 // the session tag passed in the request takes precedence over the role tag. 2921 Tags []*Tag `type:"list"` 2922} 2923 2924// String returns the string representation 2925func (s GetFederationTokenInput) String() string { 2926 return awsutil.Prettify(s) 2927} 2928 2929// GoString returns the string representation 2930func (s GetFederationTokenInput) GoString() string { 2931 return s.String() 2932} 2933 2934// Validate inspects the fields of the type to determine if they are valid. 2935func (s *GetFederationTokenInput) Validate() error { 2936 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} 2937 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 2938 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 2939 } 2940 if s.Name == nil { 2941 invalidParams.Add(request.NewErrParamRequired("Name")) 2942 } 2943 if s.Name != nil && len(*s.Name) < 2 { 2944 invalidParams.Add(request.NewErrParamMinLen("Name", 2)) 2945 } 2946 if s.Policy != nil && len(*s.Policy) < 1 { 2947 invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) 2948 } 2949 if s.PolicyArns != nil { 2950 for i, v := range s.PolicyArns { 2951 if v == nil { 2952 continue 2953 } 2954 if err := v.Validate(); err != nil { 2955 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) 2956 } 2957 } 2958 } 2959 if s.Tags != nil { 2960 for i, v := range s.Tags { 2961 if v == nil { 2962 continue 2963 } 2964 if err := v.Validate(); err != nil { 2965 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(request.ErrInvalidParams)) 2966 } 2967 } 2968 } 2969 2970 if invalidParams.Len() > 0 { 2971 return invalidParams 2972 } 2973 return nil 2974} 2975 2976// SetDurationSeconds sets the DurationSeconds field's value. 2977func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { 2978 s.DurationSeconds = &v 2979 return s 2980} 2981 2982// SetName sets the Name field's value. 2983func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { 2984 s.Name = &v 2985 return s 2986} 2987 2988// SetPolicy sets the Policy field's value. 2989func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { 2990 s.Policy = &v 2991 return s 2992} 2993 2994// SetPolicyArns sets the PolicyArns field's value. 2995func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { 2996 s.PolicyArns = v 2997 return s 2998} 2999 3000// SetTags sets the Tags field's value. 3001func (s *GetFederationTokenInput) SetTags(v []*Tag) *GetFederationTokenInput { 3002 s.Tags = v 3003 return s 3004} 3005 3006// Contains the response to a successful GetFederationToken request, including 3007// temporary AWS credentials that can be used to make AWS requests. 3008type GetFederationTokenOutput struct { 3009 _ struct{} `type:"structure"` 3010 3011 // The temporary security credentials, which include an access key ID, a secret 3012 // access key, and a security (or session) token. 3013 // 3014 // The size of the security token that STS API operations return is not fixed. 3015 // We strongly recommend that you make no assumptions about the maximum size. 3016 Credentials *Credentials `type:"structure"` 3017 3018 // Identifiers for the federated user associated with the credentials (such 3019 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You 3020 // can use the federated user's ARN in your resource-based policies, such as 3021 // an Amazon S3 bucket policy. 3022 FederatedUser *FederatedUser `type:"structure"` 3023 3024 // A percentage value that indicates the packed size of the session policies 3025 // and session tags combined passed in the request. The request fails if the 3026 // packed size is greater than 100 percent, which means the policies and tags 3027 // exceeded the allowed space. 3028 PackedPolicySize *int64 `type:"integer"` 3029} 3030 3031// String returns the string representation 3032func (s GetFederationTokenOutput) String() string { 3033 return awsutil.Prettify(s) 3034} 3035 3036// GoString returns the string representation 3037func (s GetFederationTokenOutput) GoString() string { 3038 return s.String() 3039} 3040 3041// SetCredentials sets the Credentials field's value. 3042func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { 3043 s.Credentials = v 3044 return s 3045} 3046 3047// SetFederatedUser sets the FederatedUser field's value. 3048func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { 3049 s.FederatedUser = v 3050 return s 3051} 3052 3053// SetPackedPolicySize sets the PackedPolicySize field's value. 3054func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { 3055 s.PackedPolicySize = &v 3056 return s 3057} 3058 3059type GetSessionTokenInput struct { 3060 _ struct{} `type:"structure"` 3061 3062 // The duration, in seconds, that the credentials should remain valid. Acceptable 3063 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 3064 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions 3065 // for AWS account owners are restricted to a maximum of 3,600 seconds (one 3066 // hour). If the duration is longer than one hour, the session for AWS account 3067 // owners defaults to one hour. 3068 DurationSeconds *int64 `min:"900" type:"integer"` 3069 3070 // The identification number of the MFA device that is associated with the IAM 3071 // user who is making the GetSessionToken call. Specify this value if the IAM 3072 // user has a policy that requires MFA authentication. The value is either the 3073 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource 3074 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). 3075 // You can find the device for an IAM user by going to the AWS Management Console 3076 // and viewing the user's security credentials. 3077 // 3078 // The regex used to validate this parameter is a string of characters consisting 3079 // of upper- and lower-case alphanumeric characters with no spaces. You can 3080 // also include underscores or any of the following characters: =,.@:/- 3081 SerialNumber *string `min:"9" type:"string"` 3082 3083 // The value provided by the MFA device, if MFA is required. If any policy requires 3084 // the IAM user to submit an MFA code, specify this value. If MFA authentication 3085 // is required, the user must provide a code when requesting a set of temporary 3086 // security credentials. A user who fails to provide the code receives an "access 3087 // denied" response when requesting resources that require MFA authentication. 3088 // 3089 // The format for this parameter, as described by its regex pattern, is a sequence 3090 // of six numeric digits. 3091 TokenCode *string `min:"6" type:"string"` 3092} 3093 3094// String returns the string representation 3095func (s GetSessionTokenInput) String() string { 3096 return awsutil.Prettify(s) 3097} 3098 3099// GoString returns the string representation 3100func (s GetSessionTokenInput) GoString() string { 3101 return s.String() 3102} 3103 3104// Validate inspects the fields of the type to determine if they are valid. 3105func (s *GetSessionTokenInput) Validate() error { 3106 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} 3107 if s.DurationSeconds != nil && *s.DurationSeconds < 900 { 3108 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) 3109 } 3110 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { 3111 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) 3112 } 3113 if s.TokenCode != nil && len(*s.TokenCode) < 6 { 3114 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) 3115 } 3116 3117 if invalidParams.Len() > 0 { 3118 return invalidParams 3119 } 3120 return nil 3121} 3122 3123// SetDurationSeconds sets the DurationSeconds field's value. 3124func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { 3125 s.DurationSeconds = &v 3126 return s 3127} 3128 3129// SetSerialNumber sets the SerialNumber field's value. 3130func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { 3131 s.SerialNumber = &v 3132 return s 3133} 3134 3135// SetTokenCode sets the TokenCode field's value. 3136func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { 3137 s.TokenCode = &v 3138 return s 3139} 3140 3141// Contains the response to a successful GetSessionToken request, including 3142// temporary AWS credentials that can be used to make AWS requests. 3143type GetSessionTokenOutput struct { 3144 _ struct{} `type:"structure"` 3145 3146 // The temporary security credentials, which include an access key ID, a secret 3147 // access key, and a security (or session) token. 3148 // 3149 // The size of the security token that STS API operations return is not fixed. 3150 // We strongly recommend that you make no assumptions about the maximum size. 3151 Credentials *Credentials `type:"structure"` 3152} 3153 3154// String returns the string representation 3155func (s GetSessionTokenOutput) String() string { 3156 return awsutil.Prettify(s) 3157} 3158 3159// GoString returns the string representation 3160func (s GetSessionTokenOutput) GoString() string { 3161 return s.String() 3162} 3163 3164// SetCredentials sets the Credentials field's value. 3165func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { 3166 s.Credentials = v 3167 return s 3168} 3169 3170// A reference to the IAM managed policy that is passed as a session policy 3171// for a role session or a federated user session. 3172type PolicyDescriptorType struct { 3173 _ struct{} `type:"structure"` 3174 3175 // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session 3176 // policy for the role. For more information about ARNs, see Amazon Resource 3177 // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 3178 // in the AWS General Reference. 3179 Arn *string `locationName:"arn" min:"20" type:"string"` 3180} 3181 3182// String returns the string representation 3183func (s PolicyDescriptorType) String() string { 3184 return awsutil.Prettify(s) 3185} 3186 3187// GoString returns the string representation 3188func (s PolicyDescriptorType) GoString() string { 3189 return s.String() 3190} 3191 3192// Validate inspects the fields of the type to determine if they are valid. 3193func (s *PolicyDescriptorType) Validate() error { 3194 invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} 3195 if s.Arn != nil && len(*s.Arn) < 20 { 3196 invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) 3197 } 3198 3199 if invalidParams.Len() > 0 { 3200 return invalidParams 3201 } 3202 return nil 3203} 3204 3205// SetArn sets the Arn field's value. 3206func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { 3207 s.Arn = &v 3208 return s 3209} 3210 3211// You can pass custom key-value pair attributes when you assume a role or federate 3212// a user. These are called session tags. You can then use the session tags 3213// to control access to resources. For more information, see Tagging AWS STS 3214// Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 3215// in the IAM User Guide. 3216type Tag struct { 3217 _ struct{} `type:"structure"` 3218 3219 // The key for a session tag. 3220 // 3221 // You can pass up to 50 session tags. The plain text session tag keys can’t 3222 // exceed 128 characters. For these and additional limits, see IAM and STS Character 3223 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 3224 // in the IAM User Guide. 3225 // 3226 // Key is a required field 3227 Key *string `min:"1" type:"string" required:"true"` 3228 3229 // The value for a session tag. 3230 // 3231 // You can pass up to 50 session tags. The plain text session tag values can’t 3232 // exceed 256 characters. For these and additional limits, see IAM and STS Character 3233 // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 3234 // in the IAM User Guide. 3235 // 3236 // Value is a required field 3237 Value *string `type:"string" required:"true"` 3238} 3239 3240// String returns the string representation 3241func (s Tag) String() string { 3242 return awsutil.Prettify(s) 3243} 3244 3245// GoString returns the string representation 3246func (s Tag) GoString() string { 3247 return s.String() 3248} 3249 3250// Validate inspects the fields of the type to determine if they are valid. 3251func (s *Tag) Validate() error { 3252 invalidParams := request.ErrInvalidParams{Context: "Tag"} 3253 if s.Key == nil { 3254 invalidParams.Add(request.NewErrParamRequired("Key")) 3255 } 3256 if s.Key != nil && len(*s.Key) < 1 { 3257 invalidParams.Add(request.NewErrParamMinLen("Key", 1)) 3258 } 3259 if s.Value == nil { 3260 invalidParams.Add(request.NewErrParamRequired("Value")) 3261 } 3262 3263 if invalidParams.Len() > 0 { 3264 return invalidParams 3265 } 3266 return nil 3267} 3268 3269// SetKey sets the Key field's value. 3270func (s *Tag) SetKey(v string) *Tag { 3271 s.Key = &v 3272 return s 3273} 3274 3275// SetValue sets the Value field's value. 3276func (s *Tag) SetValue(v string) *Tag { 3277 s.Value = &v 3278 return s 3279} 3280