1// Code generated by smithy-go-codegen DO NOT EDIT. 2 3package sts 4 5import ( 6 "context" 7 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 8 "github.com/aws/aws-sdk-go-v2/service/sts/types" 9 "github.com/aws/smithy-go/middleware" 10 smithyhttp "github.com/aws/smithy-go/transport/http" 11) 12 13// Returns a set of temporary security credentials for users who have been 14// authenticated via a SAML authentication response. This operation provides a 15// mechanism for tying an enterprise identity store or directory to role-based AWS 16// access without user-specific credentials or configuration. For a comparison of 17// AssumeRoleWithSAML with the other API operations that produce temporary 18// credentials, see Requesting Temporary Security Credentials 19// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 20// and Comparing the AWS STS API operations 21// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 22// in the IAM User Guide. The temporary security credentials returned by this 23// operation consist of an access key ID, a secret access key, and a security 24// token. Applications can use these temporary security credentials to sign calls 25// to AWS services. Session Duration By default, the temporary security credentials 26// created by AssumeRoleWithSAML last for one hour. However, you can use the 27// optional DurationSeconds parameter to specify the duration of your session. Your 28// role session lasts for the duration that you specify, or until the time 29// specified in the SAML authentication response's SessionNotOnOrAfter value, 30// whichever is shorter. You can provide a DurationSeconds value from 900 seconds 31// (15 minutes) up to the maximum session duration setting for the role. This 32// setting can have a value from 1 hour to 12 hours. To learn how to view the 33// maximum value for your role, see View the Maximum Session Duration Setting for a 34// Role 35// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 36// in the IAM User Guide. The maximum session duration limit applies when you use 37// the AssumeRole* API operations or the assume-role* CLI commands. However the 38// limit does not apply when you use those operations to create a console URL. For 39// more information, see Using IAM Roles 40// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM 41// User Guide. Permissions The temporary security credentials created by 42// AssumeRoleWithSAML can be used to make API calls to any AWS service with the 43// following exception: you cannot call the STS GetFederationToken or 44// GetSessionToken API operations. (Optional) You can pass inline or managed 45// session policies 46// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 47// to this operation. You can pass a single JSON policy document to use as an 48// inline session policy. You can also specify up to 10 managed policies to use as 49// managed session policies. The plain text that you use for both inline and 50// managed session policies can't exceed 2,048 characters. Passing policies to this 51// operation returns new temporary credentials. The resulting session's permissions 52// are the intersection of the role's identity-based policy and the session 53// policies. You can use the role's temporary credentials in subsequent AWS API 54// calls to access resources in the account that owns the role. You cannot use 55// session policies to grant more permissions than those allowed by the 56// identity-based policy of the role that is being assumed. For more information, 57// see Session Policies 58// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 59// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of 60// AWS security credentials. The identity of the caller is validated by using keys 61// in the metadata document that is uploaded for the SAML provider entity for your 62// identity provider. Calling AssumeRoleWithSAML can result in an entry in your AWS 63// CloudTrail logs. The entry includes the value in the NameID element of the SAML 64// assertion. We recommend that you use a NameIDType that is not associated with 65// any personally identifiable information (PII). For example, you could instead 66// use the persistent identifier 67// (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Tags (Optional) You can 68// configure your IdP to pass attributes into your SAML assertion as session tags. 69// Each session tag consists of a key name and an associated value. For more 70// information about session tags, see Passing Session Tags in STS 71// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the 72// IAM User Guide. You can pass up to 50 session tags. The plain text session tag 73// keys can’t exceed 128 characters and the values can’t exceed 256 characters. For 74// these and additional limits, see IAM and STS Character Limits 75// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 76// in the IAM User Guide. An AWS conversion compresses the passed session policies 77// and session tags into a packed binary format that has a separate limit. Your 78// request can fail for this limit even if your plain text meets the other 79// requirements. The PackedPolicySize response element indicates by percentage how 80// close the policies and tags for your request are to the upper size limit. You 81// can pass a session tag with the same key as a tag that is attached to the role. 82// When you do, session tags override the role's tags with the same key. An 83// administrator must grant you the permissions necessary to pass session tags. The 84// administrator can also create granular permissions to allow you to pass only 85// specific session tags. For more information, see Tutorial: Using Tags for 86// Attribute-Based Access Control 87// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 88// in the IAM User Guide. You can set the session tags as transitive. Transitive 89// tags persist during role chaining. For more information, see Chaining Roles with 90// Session Tags 91// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 92// in the IAM User Guide. SAML Configuration Before your application can call 93// AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to 94// issue the claims required by AWS. Additionally, you must use AWS Identity and 95// Access Management (IAM) to create a SAML provider entity in your AWS account 96// that represents your identity provider. You must also create an IAM role that 97// specifies this SAML provider in its trust policy. For more information, see the 98// following resources: 99// 100// * About SAML 2.0-based Federation 101// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) 102// in the IAM User Guide. 103// 104// * Creating SAML Identity Providers 105// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) 106// in the IAM User Guide. 107// 108// * Configuring a Relying Party and Claims 109// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) 110// in the IAM User Guide. 111// 112// * Creating a Role for SAML 2.0 Federation 113// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) 114// in the IAM User Guide. 115func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) { 116 if params == nil { 117 params = &AssumeRoleWithSAMLInput{} 118 } 119 120 result, metadata, err := c.invokeOperation(ctx, "AssumeRoleWithSAML", params, optFns, addOperationAssumeRoleWithSAMLMiddlewares) 121 if err != nil { 122 return nil, err 123 } 124 125 out := result.(*AssumeRoleWithSAMLOutput) 126 out.ResultMetadata = metadata 127 return out, nil 128} 129 130type AssumeRoleWithSAMLInput struct { 131 132 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the 133 // IdP. 134 // 135 // This member is required. 136 PrincipalArn *string 137 138 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 139 // 140 // This member is required. 141 RoleArn *string 142 143 // The base-64 encoded SAML authentication response provided by the IdP. For more 144 // information, see Configuring a Relying Party and Adding Claims 145 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) 146 // in the IAM User Guide. 147 // 148 // This member is required. 149 SAMLAssertion *string 150 151 // The duration, in seconds, of the role session. Your role session lasts for the 152 // duration that you specify for the DurationSeconds parameter, or until the time 153 // specified in the SAML authentication response's SessionNotOnOrAfter value, 154 // whichever is shorter. You can provide a DurationSeconds value from 900 seconds 155 // (15 minutes) up to the maximum session duration setting for the role. This 156 // setting can have a value from 1 hour to 12 hours. If you specify a value higher 157 // than this setting, the operation fails. For example, if you specify a session 158 // duration of 12 hours, but your administrator set the maximum session duration to 159 // 6 hours, your operation fails. To learn how to view the maximum value for your 160 // role, see View the Maximum Session Duration Setting for a Role 161 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 162 // in the IAM User Guide. By default, the value is set to 3600 seconds. The 163 // DurationSeconds parameter is separate from the duration of a console session 164 // that you might request using the returned credentials. The request to the 165 // federation endpoint for a console sign-in token takes a SessionDuration 166 // parameter that specifies the maximum length of the console session. For more 167 // information, see Creating a URL that Enables Federated Users to Access the AWS 168 // Management Console 169 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 170 // in the IAM User Guide. 171 DurationSeconds *int32 172 173 // An IAM policy in JSON format that you want to use as an inline session policy. 174 // This parameter is optional. Passing policies to this operation returns new 175 // temporary credentials. The resulting session's permissions are the intersection 176 // of the role's identity-based policy and the session policies. You can use the 177 // role's temporary credentials in subsequent AWS API calls to access resources in 178 // the account that owns the role. You cannot use session policies to grant more 179 // permissions than those allowed by the identity-based policy of the role that is 180 // being assumed. For more information, see Session Policies 181 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 182 // in the IAM User Guide. The plain text that you use for both inline and managed 183 // session policies can't exceed 2,048 characters. The JSON policy characters can 184 // be any ASCII character from the space character to the end of the valid 185 // character list (\u0020 through \u00FF). It can also include the tab (\u0009), 186 // linefeed (\u000A), and carriage return (\u000D) characters. An AWS conversion 187 // compresses the passed session policies and session tags into a packed binary 188 // format that has a separate limit. Your request can fail for this limit even if 189 // your plain text meets the other requirements. The PackedPolicySize response 190 // element indicates by percentage how close the policies and tags for your request 191 // are to the upper size limit. 192 Policy *string 193 194 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to 195 // use as managed session policies. The policies must exist in the same account as 196 // the role. This parameter is optional. You can provide up to 10 managed policy 197 // ARNs. However, the plain text that you use for both inline and managed session 198 // policies can't exceed 2,048 characters. For more information about ARNs, see 199 // Amazon Resource Names (ARNs) and AWS Service Namespaces 200 // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in 201 // the AWS General Reference. An AWS conversion compresses the passed session 202 // policies and session tags into a packed binary format that has a separate limit. 203 // Your request can fail for this limit even if your plain text meets the other 204 // requirements. The PackedPolicySize response element indicates by percentage how 205 // close the policies and tags for your request are to the upper size limit. 206 // Passing policies to this operation returns new temporary credentials. The 207 // resulting session's permissions are the intersection of the role's 208 // identity-based policy and the session policies. You can use the role's temporary 209 // credentials in subsequent AWS API calls to access resources in the account that 210 // owns the role. You cannot use session policies to grant more permissions than 211 // those allowed by the identity-based policy of the role that is being assumed. 212 // For more information, see Session Policies 213 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 214 // in the IAM User Guide. 215 PolicyArns []types.PolicyDescriptorType 216} 217 218// Contains the response to a successful AssumeRoleWithSAML request, including 219// temporary AWS credentials that can be used to make AWS requests. 220type AssumeRoleWithSAMLOutput struct { 221 222 // The identifiers for the temporary security credentials that the operation 223 // returns. 224 AssumedRoleUser *types.AssumedRoleUser 225 226 // The value of the Recipient attribute of the SubjectConfirmationData element of 227 // the SAML assertion. 228 Audience *string 229 230 // The temporary security credentials, which include an access key ID, a secret 231 // access key, and a security (or session) token. The size of the security token 232 // that STS API operations return is not fixed. We strongly recommend that you make 233 // no assumptions about the maximum size. 234 Credentials *types.Credentials 235 236 // The value of the Issuer element of the SAML assertion. 237 Issuer *string 238 239 // A hash value based on the concatenation of the Issuer response value, the AWS 240 // account ID, and the friendly name (the last part of the ARN) of the SAML 241 // provider in IAM. The combination of NameQualifier and Subject can be used to 242 // uniquely identify a federated user. The following pseudocode shows how the hash 243 // value is calculated: BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" 244 // + "/MySAMLIdP" ) ) 245 NameQualifier *string 246 247 // A percentage value that indicates the packed size of the session policies and 248 // session tags combined passed in the request. The request fails if the packed 249 // size is greater than 100 percent, which means the policies and tags exceeded the 250 // allowed space. 251 PackedPolicySize *int32 252 253 // The value of the NameID element in the Subject element of the SAML assertion. 254 Subject *string 255 256 // The format of the name ID, as defined by the Format attribute in the NameID 257 // element of the SAML assertion. Typical examples of the format are transient or 258 // persistent. If the format includes the prefix 259 // urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For example, 260 // urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient. If 261 // the format includes any other prefix, the format is returned with no 262 // modifications. 263 SubjectType *string 264 265 // Metadata pertaining to the operation's result. 266 ResultMetadata middleware.Metadata 267} 268 269func addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Stack, options Options) (err error) { 270 err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRoleWithSAML{}, middleware.After) 271 if err != nil { 272 return err 273 } 274 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRoleWithSAML{}, middleware.After) 275 if err != nil { 276 return err 277 } 278 if err = addSetLoggerMiddleware(stack, options); err != nil { 279 return err 280 } 281 if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil { 282 return err 283 } 284 if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil { 285 return err 286 } 287 if err = addResolveEndpointMiddleware(stack, options); err != nil { 288 return err 289 } 290 if err = addRetryMiddlewares(stack, options); err != nil { 291 return err 292 } 293 if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil { 294 return err 295 } 296 if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil { 297 return err 298 } 299 if err = addClientUserAgent(stack); err != nil { 300 return err 301 } 302 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 303 return err 304 } 305 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 306 return err 307 } 308 if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil { 309 return err 310 } 311 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithSAML(options.Region), middleware.Before); err != nil { 312 return err 313 } 314 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 315 return err 316 } 317 if err = addResponseErrorMiddleware(stack); err != nil { 318 return err 319 } 320 if err = addRequestResponseLogging(stack, options); err != nil { 321 return err 322 } 323 return nil 324} 325 326func newServiceMetadataMiddleware_opAssumeRoleWithSAML(region string) *awsmiddleware.RegisterServiceMetadata { 327 return &awsmiddleware.RegisterServiceMetadata{ 328 Region: region, 329 ServiceID: ServiceID, 330 SigningName: "sts", 331 OperationName: "AssumeRoleWithSAML", 332 } 333} 334