// Code generated by smithy-go-codegen DO NOT EDIT.

package iam

import (
	"context"
	"fmt"
	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
	"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
	"github.com/aws/aws-sdk-go-v2/service/iam/types"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

// Simulate how a set of IAM policies attached to an IAM entity works with a list
// of API operations and AWS resources to determine the policies' effective
// permissions. The entity can be an IAM user, group, or role. If you specify a
// user, then the simulation also includes all of the policies that are attached to
// groups that the user belongs to. You can simulate resources that don't exist in
// your account. You can optionally include a list of one or more additional
// policies specified as strings to include in the simulation. If you want to
// simulate only policies specified as strings, use SimulateCustomPolicy instead.
// You can also optionally include one resource-based policy to be evaluated with
// each of the resources included in the simulation. The simulation does not
// perform the API operations; it only checks the authorization to determine if the
// simulated policies allow or deny the operations. Note: This operation discloses
// information about the permissions granted to other users. If you do not want
// users to see other user's permissions, then consider allowing them to use
// SimulateCustomPolicy instead. Context keys are variables maintained by AWS and
// its services that provide details about the context of an API query request. You
// can use the Condition element of an IAM policy to evaluate context keys. To get
// the list of context keys that the policies require for correct simulation, use
// GetContextKeysForPrincipalPolicy. If the output is long, you can use the
// MaxItems and Marker parameters to paginate the results. For more information
// about using the policy simulator, see Testing IAM policies with the IAM policy
// simulator
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_testing-policies.html) in
// the IAM User Guide.
//
// A nil params is treated as an empty SimulatePrincipalPolicyInput (the
// validation middleware then reports the missing required members). optFns
// are applied to the client Options for this call only. On success the
// returned output has ResultMetadata populated; on failure the error from the
// middleware stack is returned and the output is nil.
func (c *Client) SimulatePrincipalPolicy(ctx context.Context, params *SimulatePrincipalPolicyInput, optFns ...func(*Options)) (*SimulatePrincipalPolicyOutput, error) {
	if params == nil {
		params = &SimulatePrincipalPolicyInput{}
	}

	result, metadata, err := c.invokeOperation(ctx, "SimulatePrincipalPolicy", params, optFns, addOperationSimulatePrincipalPolicyMiddlewares)
	if err != nil {
		return nil, err
	}

	// invokeOperation is expected to return this operation's output type; the
	// assertion is unchecked and would panic on a mismatch.
	out := result.(*SimulatePrincipalPolicyOutput)
	out.ResultMetadata = metadata
	return out, nil
}

// SimulatePrincipalPolicyInput is the request for SimulatePrincipalPolicy.
// ActionNames and PolicySourceArn are required; every other member is optional.
type SimulatePrincipalPolicyInput struct {

	// A list of names of API operations to evaluate in the simulation. Each operation
	// is evaluated for each resource. Each operation must include the service
	// identifier, such as iam:CreateUser.
	//
	// This member is required.
	ActionNames []string

	// The Amazon Resource Name (ARN) of a user, group, or role whose policies you want
	// to include in the simulation. If you specify a user, group, or role, the
	// simulation includes all policies that are associated with that entity. If you
	// specify a user, the simulation also includes all policies that are attached to
	// any groups the user belongs to. For more information about ARNs, see Amazon
	// Resource Names (ARNs)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
	// the AWS General Reference.
	//
	// This member is required.
	PolicySourceArn *string

	// The ARN of the IAM user that you want to specify as the simulated caller of the
	// API operations. If you do not specify a CallerArn, it defaults to the ARN of the
	// user that you specify in PolicySourceArn, if you specified a user. If you
	// include both a PolicySourceArn (for example,
	// arn:aws:iam::123456789012:user/David) and a CallerArn (for example,
	// arn:aws:iam::123456789012:user/Bob), the result is that you simulate calling the
	// API operations as Bob, as if Bob had David's policies. You can specify only the
	// ARN of an IAM user. You cannot specify the ARN of an assumed role, federated
	// user, or a service principal. CallerArn is required if you include a
	// ResourcePolicy and the PolicySourceArn is not the ARN for an IAM user. This is
	// required so that the resource-based policy's Principal element has a value to
	// use in evaluating the policy. For more information about ARNs, see Amazon
	// Resource Names (ARNs)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
	// the AWS General Reference.
	CallerArn *string

	// A list of context keys and corresponding values for the simulation to use.
	// Whenever a context key is evaluated in one of the simulated IAM permissions
	// policies, the corresponding value is supplied.
	ContextEntries []types.ContextEntry

	// Use this parameter only when paginating results and only after you receive a
	// response indicating that the results are truncated. Set it to the value of the
	// Marker element in the response that you received to indicate where the next call
	// should start.
	Marker *string

	// Use this only when paginating results to indicate the maximum number of items
	// you want in the response. If additional items exist beyond the maximum you
	// specify, the IsTruncated response element is true. If you do not include this
	// parameter, the number of items defaults to 100. Note that IAM might return fewer
	// results, even when there are more results available. In that case, the
	// IsTruncated response element returns true, and Marker contains a value to
	// include in the subsequent call that tells the service where to continue from.
	MaxItems *int32

	// The IAM permissions boundary policy to simulate. The permissions boundary sets
	// the maximum permissions that the entity can have. You can input only one
	// permissions boundary when you pass a policy to this operation. An IAM entity can
	// only have one permissions boundary in effect at a time. For example, if a
	// permissions boundary is attached to an entity and you pass in a different
	// permissions boundary policy using this parameter, then the new permissions
	// boundary policy is used for the simulation. For more information about
	// permissions boundaries, see Permissions boundaries for IAM entities
	// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html)
	// in the IAM User Guide. The policy input is specified as a string containing the
	// complete, valid JSON text of a permissions boundary policy. The regex pattern
	// (http://wikipedia.org/wiki/regex) used to validate this parameter is a string of
	// characters consisting of the following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	PermissionsBoundaryPolicyInputList []string

	// An optional list of additional policy documents to include in the simulation.
	// Each document is specified as a string containing the complete, valid JSON text
	// of an IAM policy. The regex pattern (http://wikipedia.org/wiki/regex) used to
	// validate this parameter is a string of characters consisting of the
	// following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	PolicyInputList []string

	// A list of ARNs of AWS resources to include in the simulation. If this parameter
	// is not provided, then the value defaults to * (all resources). Each API in the
	// ActionNames parameter is evaluated for each resource in this list. The
	// simulation determines the access result (allowed or denied) of each combination
	// and reports it in the response. You can simulate resources that don't exist in
	// your account. The simulation does not automatically retrieve policies for the
	// specified resources. If you want to include a resource policy in the simulation,
	// then you must include the policy as a string in the ResourcePolicy parameter.
	// For more information about ARNs, see Amazon Resource Names (ARNs)
	// (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in
	// the AWS General Reference.
	ResourceArns []string

	// Specifies the type of simulation to run. Different API operations that support
	// resource-based policies require different combinations of resources. By
	// specifying the type of simulation to run, you enable the policy simulator to
	// enforce the presence of the required resources to ensure reliable simulation
	// results. If your simulation does not match one of the following scenarios, then
	// you can omit this parameter. The following list shows each of the supported
	// scenario values and the resources that you must define to run the simulation.
	// Each of the EC2 scenarios requires that you specify instance, image, and
	// security group resources. If your scenario includes an EBS volume, then you must
	// specify that volume as a resource. If the EC2 scenario includes VPC, then you
	// must supply the network interface resource. If it includes an IP subnet, then
	// you must specify the subnet resource. For more information on the EC2 scenario
	// options, see Supported platforms
	// (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/ec2-supported-platforms.html)
	// in the Amazon EC2 User Guide.
	//
	// * EC2-Classic-InstanceStore: instance, image, security group
	//
	// * EC2-Classic-EBS: instance, image, security group, volume
	//
	// * EC2-VPC-InstanceStore: instance, image, security group, network interface
	//
	// * EC2-VPC-InstanceStore-Subnet: instance, image, security group, network
	// interface, subnet
	//
	// * EC2-VPC-EBS: instance, image, security group, network interface, volume
	//
	// * EC2-VPC-EBS-Subnet: instance, image, security group, network interface,
	// subnet, volume
	ResourceHandlingOption *string

	// An AWS account ID that specifies the owner of any simulated resource that does
	// not identify its owner in the resource ARN. Examples of resource ARNs include an
	// S3 bucket or object. If ResourceOwner is specified, it is also used as the
	// account owner of any ResourcePolicy included in the simulation. If the
	// ResourceOwner parameter is not specified, then the owner of the resources and
	// the resource policy defaults to the account of the identity provided in
	// CallerArn. This parameter is required only if you specify a resource-based
	// policy and the account that owns the resource is different from the account that
	// owns the simulated calling user CallerArn.
	ResourceOwner *string

	// A resource-based policy to include in the simulation provided as a string. Each
	// resource in the simulation is treated as if it had this policy attached. You can
	// include only one resource-based policy in a simulation. The regex pattern
	// (http://wikipedia.org/wiki/regex) used to validate this parameter is a string of
	// characters consisting of the following:
	//
	// * Any printable ASCII character ranging from the space character (\u0020)
	// through the end of the ASCII character range
	//
	// * The printable characters in the Basic Latin and Latin-1 Supplement
	// character set (through \u00FF)
	//
	// * The special characters tab (\u0009), line feed (\u000A), and carriage
	// return (\u000D)
	ResourcePolicy *string
}

// Contains the response to a successful SimulatePrincipalPolicy or
// SimulateCustomPolicy request.
type SimulatePrincipalPolicyOutput struct {

	// The results of the simulation.
	EvaluationResults []types.EvaluationResult

	// A flag that indicates whether there are more items to return. If your results
	// were truncated, you can make a subsequent pagination request using the Marker
	// request parameter to retrieve more items. Note that IAM might return fewer than
	// the MaxItems number of results even when there are more results available. We
	// recommend that you check IsTruncated after every call to ensure that you receive
	// all your results.
	IsTruncated bool

	// When IsTruncated is true, this element is present and contains the value to use
	// for the Marker parameter in a subsequent pagination request.
	Marker *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata
}

// addOperationSimulatePrincipalPolicyMiddlewares registers the AWS Query
// serializer/deserializer for this operation plus the shared client
// middlewares (logging, request ID, content length, endpoint resolution,
// SigV4 payload hashing and signing, retries, response metadata, user agent,
// response-body closing, input validation, service metadata, request ID
// retrieval, response error mapping and request/response logging) on stack.
// It returns the first registration error, leaving the stack partially built.
//
// The relative-position arguments (middleware.After / middleware.Before) and
// the registration order below determine where each handler runs within its
// step, so the order is significant and is kept exactly as generated.
func addOperationSimulatePrincipalPolicyMiddlewares(stack *middleware.Stack, options Options) (err error) {
	err = stack.Serialize.Add(&awsAwsquery_serializeOpSimulatePrincipalPolicy{}, middleware.After)
	if err != nil {
		return err
	}
	err = stack.Deserialize.Add(&awsAwsquery_deserializeOpSimulatePrincipalPolicy{}, middleware.After)
	if err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	// The payload SHA-256 is registered ahead of the SigV4 signer that
	// consumes it; retries are added in between so that re-sent requests are
	// signed per attempt.
	if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
		return err
	}
	if err = addRetryMiddlewares(stack, options); err != nil {
		return err
	}
	if err = addHTTPSignerV4Middleware(stack, options); err != nil {
		return err
	}
	if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addClientUserAgent(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	// Input validation (required members) runs before the request is built.
	if err = addOpSimulatePrincipalPolicyValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opSimulatePrincipalPolicy(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	return nil
}

// SimulatePrincipalPolicyAPIClient is a client that implements the
// SimulatePrincipalPolicy operation.
type SimulatePrincipalPolicyAPIClient interface {
	SimulatePrincipalPolicy(context.Context, *SimulatePrincipalPolicyInput, ...func(*Options)) (*SimulatePrincipalPolicyOutput, error)
}

// Compile-time check that *Client satisfies SimulatePrincipalPolicyAPIClient.
var _ SimulatePrincipalPolicyAPIClient = (*Client)(nil)

// SimulatePrincipalPolicyPaginatorOptions is the paginator options for
// SimulatePrincipalPolicy
type SimulatePrincipalPolicyPaginatorOptions struct {
	// Use this only when paginating results to indicate the maximum number of items
	// you want in the response. If additional items exist beyond the maximum you
	// specify, the IsTruncated response element is true. If you do not include this
	// parameter, the number of items defaults to 100. Note that IAM might return fewer
	// results, even when there are more results available. In that case, the
	// IsTruncated response element returns true, and Marker contains a value to
	// include in the subsequent call that tells the service where to continue from.
	//
	// A value of 0 (the default) means MaxItems is not sent with the request.
	Limit int32

	// Set to true if pagination should stop if the service returns a pagination token
	// that matches the most recent token provided to the service.
	StopOnDuplicateToken bool
}

// SimulatePrincipalPolicyPaginator is a paginator for SimulatePrincipalPolicy
type SimulatePrincipalPolicyPaginator struct {
	options SimulatePrincipalPolicyPaginatorOptions
	client  SimulatePrincipalPolicyAPIClient
	// params is the caller's input; it is copied, not mutated, on each page.
	params *SimulatePrincipalPolicyInput
	// nextToken is the Marker from the most recent response; nil once the
	// service stops returning one (or a duplicate is detected).
	nextToken *string
	// firstPage is true until the first NextPage call succeeds.
	firstPage bool
}

// NewSimulatePrincipalPolicyPaginator returns a new
// SimulatePrincipalPolicyPaginator
//
// A nil params is replaced by an empty input. When params.MaxItems is set it
// seeds options.Limit before optFns are applied, so an option function can
// still override it. The returned paginator reports HasMorePages() == true
// until the first call has been made.
func NewSimulatePrincipalPolicyPaginator(client SimulatePrincipalPolicyAPIClient, params *SimulatePrincipalPolicyInput, optFns ...func(*SimulatePrincipalPolicyPaginatorOptions)) *SimulatePrincipalPolicyPaginator {
	if params == nil {
		params = &SimulatePrincipalPolicyInput{}
	}

	options := SimulatePrincipalPolicyPaginatorOptions{}
	if params.MaxItems != nil {
		options.Limit = *params.MaxItems
	}

	for _, fn := range optFns {
		fn(&options)
	}

	return &SimulatePrincipalPolicyPaginator{
		options:   options,
		client:    client,
		params:    params,
		firstPage: true,
	}
}

// HasMorePages returns a boolean indicating whether more pages are available
//
// It is true before the first NextPage call and afterwards while the most
// recent response carried a Marker.
func (p *SimulatePrincipalPolicyPaginator) HasMorePages() bool {
	return p.firstPage || p.nextToken != nil
}

// NextPage retrieves the next SimulatePrincipalPolicy page.
//
// It re-sends the paginator's input with Marker set to the token from the
// previous response and MaxItems derived from options.Limit, passing optFns
// through to the underlying call. It returns an error when HasMorePages() is
// false or when the operation fails; on failure the paginator state is left
// unchanged so the call can be retried.
func (p *SimulatePrincipalPolicyPaginator) NextPage(ctx context.Context, optFns ...func(*Options)) (*SimulatePrincipalPolicyOutput, error) {
	if !p.HasMorePages() {
		return nil, fmt.Errorf("no more pages available")
	}

	// Shallow copy: only the pagination fields are replaced. Slice members
	// (ActionNames, ResourceArns, PolicyInputList, ...) still alias the
	// backing arrays of p.params.
	params := *p.params
	params.Marker = p.nextToken

	// A Limit of 0 means "not set": MaxItems is omitted and the service
	// default (100, per the MaxItems doc) applies.
	var limit *int32
	if p.options.Limit > 0 {
		limit = &p.options.Limit
	}
	params.MaxItems = limit

	result, err := p.client.SimulatePrincipalPolicy(ctx, &params, optFns...)
	if err != nil {
		return nil, err
	}
	p.firstPage = false

	// Paging is driven by the response Marker alone; IsTruncated is not
	// consulted here.
	prevToken := p.nextToken
	p.nextToken = result.Marker

	// A Marker identical to the one just sent would otherwise keep
	// HasMorePages() true indefinitely; when the option is enabled, treat it
	// as the end of the result set.
	if p.options.StopOnDuplicateToken && prevToken != nil && p.nextToken != nil && *prevToken == *p.nextToken {
		p.nextToken = nil
	}

	return result, nil
}

// newServiceMetadataMiddleware_opSimulatePrincipalPolicy builds the
// initialize-step middleware that records the region, service ID, signing
// name and operation name for this call.
func newServiceMetadataMiddleware_opSimulatePrincipalPolicy(region string) *awsmiddleware.RegisterServiceMetadata {
	return &awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		SigningName:   "iam",
		OperationName: "SimulatePrincipalPolicy",
	}
}