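// Code generated by smithy-go-codegen DO NOT EDIT.

package iam

import (
	"context"
	"fmt"

	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
	"github.com/aws/aws-sdk-go-v2/service/iam/types"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

// SimulateCustomPolicy simulates how a set of IAM policies and optionally a
// resource-based policy works with a list of API operations and AWS resources
// to determine the policies' effective permissions. The policies are provided
// as strings. The simulation does not perform the API operations; it only
// checks the authorization to determine if the simulated policies allow or deny
// the operations. If you want to simulate existing policies that are attached
// to an IAM user, group, or role, use SimulatePrincipalPolicy instead. Context
// keys are variables that are maintained by AWS and its services and which
// provide details about the context of an API query request. You can use the
// Condition element of an IAM policy to evaluate context keys. To get the list
// of context keys that the policies require for correct simulation, use
// GetContextKeysForCustomPolicy. If the output is long, you can use MaxItems
// and Marker parameters to paginate the results.
//
// A nil params is treated as an empty input; the operation's own validation
// middleware then reports the missing required members. Any error returned by
// the middleware stack (validation, signing, transport, service response) is
// returned unchanged.
func (c *Client) SimulateCustomPolicy(ctx context.Context, params *SimulateCustomPolicyInput, optFns ...func(*Options)) (*SimulateCustomPolicyOutput, error) {
	if params == nil {
		params = &SimulateCustomPolicyInput{}
	}

	result, metadata, err := c.invokeOperation(ctx, "SimulateCustomPolicy", params, optFns, addOperationSimulateCustomPolicyMiddlewares)
	if err != nil {
		return nil, err
	}

	out := result.(*SimulateCustomPolicyOutput)
	out.ResultMetadata = metadata
	return out, nil
}

// SimulateCustomPolicyInput is the request for SimulateCustomPolicy.
type SimulateCustomPolicyInput struct {

	// A list of names of API operations to evaluate in the simulation. Each
	// operation is evaluated against each resource. Each operation must include
	// the service identifier, such as iam:CreateUser. This operation does not
	// support using wildcards (*) in an action name.
	//
	// This member is required.
	ActionNames []string

	// A list of policy documents to include in the simulation. Each document is
	// specified as a string containing the complete, valid JSON text of an IAM
	// policy. Do not include any resource-based policies in this parameter. Any
	// resource-based policy must be submitted with the ResourcePolicy parameter.
	// The policies cannot be "scope-down" policies, such as you could include in a
	// call to GetFederationToken
	// (https://docs.aws.amazon.com/IAM/latest/APIReference/API_GetFederationToken.html)
	// or one of the AssumeRole
	// (https://docs.aws.amazon.com/IAM/latest/APIReference/API_AssumeRole.html)
	// API operations. In other words, do not use policies designed to restrict
	// what a user can do while using the temporary credentials. The regex pattern
	// (http://wikipedia.org/wiki/regex) used to validate this parameter is a
	// string of characters consisting of the following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	//
	// This member is required.
	PolicyInputList []string

	// The ARN of the IAM user that you want to use as the simulated caller of the
	// API operations. CallerArn is required if you include a ResourcePolicy so
	// that the policy's Principal element has a value to use in evaluating the
	// policy. You can specify only the ARN of an IAM user. You cannot specify the
	// ARN of an assumed role, federated user, or a service principal.
	CallerArn *string

	// A list of context keys and corresponding values for the simulation to use.
	// Whenever a context key is evaluated in one of the simulated IAM permissions
	// policies, the corresponding value is supplied.
	ContextEntries []types.ContextEntry

	// Use this parameter only when paginating results and only after you receive
	// a response indicating that the results are truncated. Set it to the value of
	// the Marker element in the response that you received to indicate where the
	// next call should start.
	Marker *string

	// Use this only when paginating results to indicate the maximum number of
	// items you want in the response. If additional items exist beyond the
	// maximum you specify, the IsTruncated response element is true. If you do
	// not include this parameter, the number of items defaults to 100. Note that
	// IAM might return fewer results, even when there are more results available.
	// In that case, the IsTruncated response element returns true, and Marker
	// contains a value to include in the subsequent call that tells the service
	// where to continue from.
	MaxItems *int32

	// The IAM permissions boundary policy to simulate. The permissions boundary
	// sets the maximum permissions that an IAM entity can have. You can input
	// only one permissions boundary when you pass a policy to this operation. For
	// more information about permissions boundaries, see Permissions Boundaries
	// for IAM Entities
	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
	// in the IAM User Guide. The policy input is specified as a string that
	// contains the complete, valid JSON text of a permissions boundary policy.
	// The regex pattern (http://wikipedia.org/wiki/regex) used to validate this
	// parameter is a string of characters consisting of the following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	PermissionsBoundaryPolicyInputList []string

	// A list of ARNs of AWS resources to include in the simulation. If this
	// parameter is not provided, then the value defaults to * (all resources).
	// Each API in the ActionNames parameter is evaluated for each resource in
	// this list. The simulation determines the access result (allowed or denied)
	// of each combination and reports it in the response. The simulation does not
	// automatically retrieve policies for the specified resources. If you want to
	// include a resource policy in the simulation, then you must include the
	// policy as a string in the ResourcePolicy parameter. If you include a
	// ResourcePolicy, then it must be applicable to all of the resources included
	// in the simulation or you receive an invalid input error. For more
	// information about ARNs, see Amazon Resource Names (ARNs) and AWS Service
	// Namespaces
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
	// in the AWS General Reference.
	ResourceArns []string

	// Specifies the type of simulation to run. Different API operations that
	// support resource-based policies require different combinations of
	// resources. By specifying the type of simulation to run, you enable the
	// policy simulator to enforce the presence of the required resources to
	// ensure reliable simulation results. If your simulation does not match one
	// of the following scenarios, then you can omit this parameter. The following
	// list shows each of the supported scenario values and the resources that you
	// must define to run the simulation. Each of the EC2 scenarios requires that
	// you specify instance, image, and security-group resources. If your scenario
	// includes an EBS volume, then you must specify that volume as a resource. If
	// the EC2 scenario includes VPC, then you must supply the network-interface
	// resource. If it includes an IP subnet, then you must specify the subnet
	// resource. For more information on the EC2 scenario options, see Supported
	// Platforms
	// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html)
	// in the Amazon EC2 User Guide.
	//
	// * EC2-Classic-InstanceStore instance, image, security-group
	//
	// * EC2-Classic-EBS instance, image, security-group, volume
	//
	// * EC2-VPC-InstanceStore instance, image, security-group, network-interface
	//
	// * EC2-VPC-InstanceStore-Subnet instance, image, security-group,
	// network-interface, subnet
	//
	// * EC2-VPC-EBS instance, image, security-group, network-interface, volume
	//
	// * EC2-VPC-EBS-Subnet instance, image, security-group, network-interface,
	// subnet, volume
	ResourceHandlingOption *string

	// An ARN representing the AWS account ID that specifies the owner of any
	// simulated resource that does not identify its owner in the resource ARN.
	// Examples of resource ARNs include an S3 bucket or object. If ResourceOwner
	// is specified, it is also used as the account owner of any ResourcePolicy
	// included in the simulation. If the ResourceOwner parameter is not
	// specified, then the owner of the resources and the resource policy defaults
	// to the account of the identity provided in CallerArn. This parameter is
	// required only if you specify a resource-based policy and account that owns
	// the resource is different from the account that owns the simulated calling
	// user CallerArn. The ARN for an account uses the following syntax:
	// arn:aws:iam::AWS-account-ID:root. For example, to represent the account
	// with the 112233445566 ID, use the following ARN:
	// arn:aws:iam::112233445566-ID:root.
	ResourceOwner *string

	// A resource-based policy to include in the simulation provided as a string.
	// Each resource in the simulation is treated as if it had this policy
	// attached. You can include only one resource-based policy in a simulation.
	// The regex pattern (http://wikipedia.org/wiki/regex) used to validate this
	// parameter is a string of characters consisting of the following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	ResourcePolicy *string
}

// SimulateCustomPolicyOutput contains the response to a successful
// SimulatePrincipalPolicy or SimulateCustomPolicy request.
type SimulateCustomPolicyOutput struct {

	// The results of the simulation.
	EvaluationResults []types.EvaluationResult

	// A flag that indicates whether there are more items to return. If your
	// results were truncated, you can make a subsequent pagination request using
	// the Marker request parameter to retrieve more items. Note that IAM might
	// return fewer than the MaxItems number of results even when there are more
	// results available. We recommend that you check IsTruncated after every call
	// to ensure that you receive all your results.
	IsTruncated bool

	// When IsTruncated is true, this element is present and contains the value to
	// use for the Marker parameter in a subsequent pagination request.
	Marker *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
}

// addOperationSimulateCustomPolicyMiddlewares registers on stack the
// serialization/deserialization, endpoint resolution, retry, SigV4 signing,
// input validation, service metadata, request-ID retrieval, error handling and
// logging middleware that SimulateCustomPolicy needs. The first registration
// error stops the setup and is returned as-is.
func addOperationSimulateCustomPolicyMiddlewares(stack *middleware.Stack, options Options) (err error) {
	err = stack.Serialize.Add(&awsAwsquery_serializeOpSimulateCustomPolicy{}, middleware.After)
	if err != nil {
		return err
	}
	err = stack.Deserialize.Add(&awsAwsquery_deserializeOpSimulateCustomPolicy{}, middleware.After)
	if err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	// The payload hash is registered ahead of the SigV4 signer so the hash is
	// available when the request signature is computed.
	if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
		return err
	}
	if err = addRetryMiddlewares(stack, options); err != nil {
		return err
	}
	if err = addHTTPSignerV4Middleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addClientUserAgent(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	// Input validation runs client-side before the request leaves the SDK, so
	// missing required members are rejected without a round trip.
	if err = addOpSimulateCustomPolicyValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opSimulateCustomPolicy(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	return nil
}

// SimulateCustomPolicyAPIClient is a client that implements the
// SimulateCustomPolicy operation.
type SimulateCustomPolicyAPIClient interface {
	SimulateCustomPolicy(context.Context, *SimulateCustomPolicyInput, ...func(*Options)) (*SimulateCustomPolicyOutput, error)
}

var _ SimulateCustomPolicyAPIClient = (*Client)(nil)

// SimulateCustomPolicyPaginatorOptions is the paginator options for
// SimulateCustomPolicy
type SimulateCustomPolicyPaginatorOptions struct {
	// Use this only when paginating results to indicate the maximum number of
	// items you want in the response. If additional items exist beyond the
	// maximum you specify, the IsTruncated response element is true. If you do
	// not include this parameter, the number of items defaults to 100. Note that
	// IAM might return fewer results, even when there are more results available.
	// In that case, the IsTruncated response element returns true, and Marker
	// contains a value to include in the subsequent call that tells the service
	// where to continue from.
	Limit int32

	// Set to true if pagination should stop if the service returns a pagination
	// token that matches the most recent token provided to the service.
	StopOnDuplicateToken bool
}

// SimulateCustomPolicyPaginator is a paginator for SimulateCustomPolicy
type SimulateCustomPolicyPaginator struct {
	options   SimulateCustomPolicyPaginatorOptions
	client    SimulateCustomPolicyAPIClient
	params    *SimulateCustomPolicyInput
	nextToken *string
	firstPage bool
}

// NewSimulateCustomPolicyPaginator returns a new SimulateCustomPolicyPaginator.
//
// A nil params is replaced by an empty input. When params.MaxItems is set it
// seeds the Limit option; optFns are applied afterwards and may override it.
func NewSimulateCustomPolicyPaginator(client SimulateCustomPolicyAPIClient, params *SimulateCustomPolicyInput, optFns ...func(*SimulateCustomPolicyPaginatorOptions)) *SimulateCustomPolicyPaginator {
	// The nil check must precede the MaxItems read below; reading
	// params.MaxItems first would dereference a nil pointer.
	if params == nil {
		params = &SimulateCustomPolicyInput{}
	}

	options := SimulateCustomPolicyPaginatorOptions{}
	if params.MaxItems != nil {
		options.Limit = *params.MaxItems
	}

	for _, fn := range optFns {
		fn(&options)
	}

	return &SimulateCustomPolicyPaginator{
		options:   options,
		client:    client,
		params:    params,
		firstPage: true,
	}
}

// HasMorePages returns a boolean indicating whether more pages are available.
// It is true before the first page has been fetched and afterwards whenever
// the last response carried a Marker.
func (p *SimulateCustomPolicyPaginator) HasMorePages() bool {
	return p.firstPage || p.nextToken != nil
}

// NextPage retrieves the next SimulateCustomPolicy page.
//
// The stored input is copied for each call so the caller's params are never
// mutated; Marker and MaxItems are set on the copy from the paginator state.
// When StopOnDuplicateToken is enabled and the service returns the same Marker
// it was just given, the paginator stops to avoid looping forever. An error
// is returned when no pages remain or when the underlying call fails.
func (p *SimulateCustomPolicyPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*SimulateCustomPolicyOutput, error) {
	if !p.HasMorePages() {
		return nil, fmt.Errorf("no more pages available")
	}

	params := *p.params
	params.Marker = p.nextToken

	// A zero Limit means "not set": leave MaxItems nil so the service default
	// applies.
	var limit *int32
	if p.options.Limit > 0 {
		limit = &p.options.Limit
	}
	params.MaxItems = limit

	result, err := p.client.SimulateCustomPolicy(ctx, &params, optFns...)
	if err != nil {
		return nil, err
	}
	p.firstPage = false

	prevToken := p.nextToken
	p.nextToken = result.Marker

	if p.options.StopOnDuplicateToken && prevToken != nil && p.nextToken != nil && *prevToken == *p.nextToken {
		p.nextToken = nil
	}

	return result, nil
}

// newServiceMetadataMiddleware_opSimulateCustomPolicy builds the metadata
// middleware that tags the request with its region, service and operation
// name for the signer and downstream middleware.
func newServiceMetadataMiddleware_opSimulateCustomPolicy(region string) *awsmiddleware.RegisterServiceMetadata {
	return &awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		SigningName:   "iam",
		OperationName: "SimulateCustomPolicy",
	}
}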