mirror of
https://github.com/weaveworks/scope.git
synced 2026-07-19 13:29:35 +00:00
``` $ gvt delete github.com/weaveworks/common $ gvt fetch --revision 4d96fd8dcf2c7b417912c6219b310112cb4a4626 github.com/weaveworks/common 2018/07/23 15:31:11 Fetching: github.com/weaveworks/common 2018/07/23 15:31:14 · Skipping (existing): github.com/golang/protobuf/ptypes/any 2018/07/23 15:31:14 · Fetching recursive dependency: github.com/pkg/errors 2018/07/23 15:31:16 · Skipping (existing): github.com/aws/aws-sdk-go/aws 2018/07/23 15:31:16 · Fetching recursive dependency: github.com/sirupsen/logrus 2018/07/23 15:31:18 ·· Skipping (existing): golang.org/x/sys/unix 2018/07/23 15:31:18 ·· Skipping (existing): golang.org/x/crypto/ssh/terminal 2018/07/23 15:31:18 · Skipping (existing): google.golang.org/grpc/status 2018/07/23 15:31:18 · Skipping (existing): github.com/gorilla/mux 2018/07/23 15:31:18 · Fetching recursive dependency: github.com/opentracing-contrib/go-stdlib/nethttp 2018/07/23 15:31:20 ·· Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:31:20 ·· Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:31:20 ·· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:31:20 · Skipping (existing): github.com/prometheus/client_golang/prometheus 2018/07/23 15:31:20 · Skipping (existing): google.golang.org/grpc 2018/07/23 15:31:20 · Skipping (existing): github.com/pmezard/go-difflib/difflib 2018/07/23 15:31:20 · Fetching recursive dependency: github.com/go-kit/kit/log 2018/07/23 15:31:23 ·· Fetching recursive dependency: github.com/go-logfmt/logfmt 2018/07/23 15:31:25 ··· Fetching recursive dependency: github.com/kr/logfmt 2018/07/23 15:31:27 ·· Fetching recursive dependency: github.com/go-stack/stack 2018/07/23 15:31:29 · Fetching recursive dependency: google.golang.org/genproto/googleapis/rpc/status 2018/07/23 15:31:37 ·· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:31:37 ·· Skipping (existing): github.com/golang/protobuf/ptypes/any 2018/07/23 15:31:37 · Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:31:37 · Fetching recursive dependency: github.com/sercand/kuberesolver 2018/07/23 15:31:39 ·· Skipping (existing): google.golang.org/grpc/grpclog 2018/07/23 15:31:39 ·· Skipping (existing): google.golang.org/grpc/resolver 2018/07/23 15:31:39 ·· Skipping (existing): golang.org/x/net/context 2018/07/23 15:31:39 · Skipping (existing): google.golang.org/grpc/metadata 2018/07/23 15:31:39 · Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:31:39 · Skipping (existing): github.com/armon/go-socks5 2018/07/23 15:31:39 · Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:31:39 · Skipping (existing): github.com/davecgh/go-spew/spew 2018/07/23 15:31:39 · Skipping (existing): github.com/golang/protobuf/ptypes 2018/07/23 15:31:39 · Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:31:39 · Fetching recursive dependency: github.com/grpc-ecosystem/grpc-opentracing/go/otgrpc 2018/07/23 15:31:41 ·· Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:31:41 ·· Skipping (existing): golang.org/x/net/context 2018/07/23 15:31:41 ·· Skipping (existing): google.golang.org/grpc/codes 2018/07/23 15:31:41 ·· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:31:41 ·· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:31:41 ·· Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:31:41 ·· Skipping (existing): google.golang.org/grpc 2018/07/23 15:31:41 ·· Skipping (existing): google.golang.org/grpc/metadata 2018/07/23 15:31:41 ·· Skipping (existing): google.golang.org/grpc/status 2018/07/23 15:31:41 · Fetching recursive dependency: github.com/uber/jaeger-client-go/config 2018/07/23 15:31:44 ·· Fetching recursive dependency: github.com/uber/jaeger-client-go/internal/throttler/remote 2018/07/23 15:31:44 ··· Fetching recursive dependency: github.com/uber/jaeger-client-go/utils 2018/07/23 15:31:44 ···· Fetching recursive dependency: github.com/uber/jaeger-client-go/thrift 2018/07/23 15:31:44 ···· Fetching recursive dependency: github.com/uber/jaeger-client-go/thrift-gen/agent 2018/07/23 15:31:44 ····· Fetching recursive dependency: github.com/uber/jaeger-client-go/thrift-gen/jaeger 2018/07/23 15:31:44 ····· Fetching recursive dependency: github.com/uber/jaeger-client-go/thrift-gen/zipkincore 2018/07/23 15:31:44 ··· Fetching recursive dependency: github.com/uber/jaeger-client-go 2018/07/23 15:31:44 ···· Fetching recursive dependency: github.com/crossdock/crossdock-go 2018/07/23 15:31:46 ····· Skipping (existing): github.com/davecgh/go-spew/spew 2018/07/23 15:31:46 ····· Skipping (existing): golang.org/x/net/context/ctxhttp 2018/07/23 15:31:46 ····· Skipping (existing): golang.org/x/net/context 2018/07/23 15:31:46 ····· Skipping (existing): github.com/pmezard/go-difflib/difflib 2018/07/23 15:31:46 ···· Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:31:46 ···· Fetching recursive dependency: go.uber.org/zap/zapcore 2018/07/23 15:31:49 ····· Fetching recursive dependency: go.uber.org/atomic 2018/07/23 15:31:51 ····· Fetching recursive dependency: go.uber.org/zap/internal/bufferpool 2018/07/23 15:31:51 ······ Fetching recursive dependency: go.uber.org/zap/buffer 2018/07/23 15:31:51 ····· Fetching recursive dependency: go.uber.org/multierr 2018/07/23 15:31:54 ····· Fetching recursive dependency: go.uber.org/zap/internal/exit 2018/07/23 15:31:54 ····· Fetching recursive dependency: go.uber.org/zap/internal/color 2018/07/23 15:31:54 ···· Fetching recursive dependency: go.uber.org/zap 2018/07/23 15:31:54 ···· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:31:54 ···· Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:31:54 ···· Fetching recursive dependency: github.com/uber/jaeger-lib/metrics 2018/07/23 15:31:56 ····· Fetching recursive dependency: github.com/uber-go/tally 2018/07/23 15:31:58 ······ Fetching recursive dependency: github.com/m3db/prometheus_client_golang/prometheus/promhttp 2018/07/23 15:32:00 ······· Skipping (existing): github.com/prometheus/client_golang/prometheus 2018/07/23 15:32:00 ······· Skipping (existing): github.com/prometheus/common/expfmt 2018/07/23 15:32:00 ······· Skipping (existing): github.com/prometheus/client_model/go 2018/07/23 15:32:00 ······ Fetching recursive dependency: gopkg.in/validator.v2 2018/07/23 15:32:06 ······ Fetching recursive dependency: github.com/cactus/go-statsd-client/statsd 2018/07/23 15:32:08 ······ Skipping (existing): gopkg.in/yaml.v2 2018/07/23 15:32:08 ······ Fetching recursive dependency: github.com/m3db/prometheus_client_golang/prometheus 2018/07/23 15:32:08 ······· Skipping (existing): github.com/prometheus/procfs 2018/07/23 15:32:08 ······· Skipping (existing): github.com/prometheus/client_model/go 2018/07/23 15:32:08 ······· Skipping (existing): github.com/prometheus/common/expfmt 2018/07/23 15:32:08 ······· Skipping (existing): golang.org/x/net/context 2018/07/23 15:32:08 ······· Skipping (existing): github.com/beorn7/perks/quantile 2018/07/23 15:32:08 ······· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:32:08 ······· Skipping (existing): github.com/prometheus/common/model 2018/07/23 15:32:08 ······· Skipping (existing): github.com/prometheus/client_golang/prometheus 2018/07/23 15:32:08 ······ Fetching recursive dependency: github.com/apache/thrift/lib/go/thrift 2018/07/23 15:32:13 ····· Skipping (existing): github.com/stretchr/testify/assert 2018/07/23 15:32:13 ····· Fetching recursive dependency: github.com/go-kit/kit/metrics/influx 2018/07/23 15:32:13 ······ Fetching recursive dependency: github.com/influxdata/influxdb/client/v2 2018/07/23 15:32:17 ······· Fetching recursive dependency: github.com/influxdata/influxdb/models 2018/07/23 15:32:17 ········ Fetching recursive dependency: github.com/influxdata/influxdb/pkg/escape 2018/07/23 15:32:17 ······ Fetching recursive dependency: github.com/go-kit/kit/metrics 2018/07/23 15:32:17 ······· Fetching recursive dependency: github.com/performancecopilot/speed 2018/07/23 15:32:19 ······· Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/aws 2018/07/23 15:32:28 ········ Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/internal/sdk 2018/07/23 15:32:28 ········ Skipping (existing): github.com/go-ini/ini 2018/07/23 15:32:28 ········ Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/service/sts 2018/07/23 15:32:28 ········· Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/private/protocol/query 2018/07/23 15:32:28 ·········· Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/private/protocol 2018/07/23 15:32:28 ········· Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/internal/awsutil 2018/07/23 15:32:28 ·········· Skipping (existing): github.com/jmespath/go-jmespath 2018/07/23 15:32:28 ······· Fetching recursive dependency: github.com/aws/aws-sdk-go-v2/service/cloudwatch 2018/07/23 15:32:29 ······· Skipping (existing): github.com/aws/aws-sdk-go/aws 2018/07/23 15:32:29 ······· Skipping (existing): github.com/prometheus/client_golang/prometheus 2018/07/23 15:32:29 ······· Skipping (existing): github.com/aws/aws-sdk-go/service/cloudwatch 2018/07/23 15:32:29 ······· Skipping (existing): github.com/aws/aws-sdk-go/service/cloudwatch/cloudwatchiface 2018/07/23 15:32:29 ······· Fetching recursive dependency: golang.org/x/sync/errgroup 2018/07/23 15:32:31 ········ Skipping (existing): golang.org/x/net/context 2018/07/23 15:32:31 ······· Fetching recursive dependency: github.com/go-kit/kit/util/conn 2018/07/23 15:32:31 ······· Fetching recursive dependency: github.com/VividCortex/gohistogram 2018/07/23 15:32:33 ····· Skipping (existing): github.com/prometheus/client_golang/prometheus 2018/07/23 15:32:33 ····· Fetching recursive dependency: github.com/codahale/hdrhistogram 2018/07/23 15:32:35 ·· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:32:35 · Fetching recursive dependency: github.com/mwitkow/go-grpc-middleware 2018/07/23 15:32:37 ·· Fetching recursive dependency: github.com/grpc-ecosystem/go-grpc-middleware/logging 2018/07/23 15:32:39 ··· Fetching recursive dependency: github.com/grpc-ecosystem/go-grpc-middleware 2018/07/23 15:32:39 ···· Fetching recursive dependency: github.com/golang/protobuf/jsonpb 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/ptypes/timestamp 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/ptypes/duration 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/ptypes/any 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/ptypes/struct 2018/07/23 15:32:42 ····· Skipping (existing): github.com/golang/protobuf/ptypes/wrappers 2018/07/23 15:32:42 ···· Skipping (existing): google.golang.org/grpc/metadata 2018/07/23 15:32:42 ···· Fetching recursive dependency: github.com/stretchr/testify/suite 2018/07/23 15:32:45 ····· Skipping (existing): github.com/stretchr/testify/assert 2018/07/23 15:32:45 ····· Fetching recursive dependency: github.com/stretchr/testify/require 2018/07/23 15:32:45 ······ Skipping (existing): github.com/stretchr/testify/assert 2018/07/23 15:32:45 ···· Skipping (existing): google.golang.org/grpc/peer 2018/07/23 15:32:45 ···· Skipping (existing): golang.org/x/net/context 2018/07/23 15:32:45 ···· Skipping (existing): golang.org/x/net/trace 2018/07/23 15:32:45 ···· Fetching recursive dependency: github.com/gogo/protobuf/gogoproto 2018/07/23 15:32:48 ····· Fetching recursive dependency: github.com/gogo/protobuf/protoc-gen-gogo/descriptor 2018/07/23 15:32:48 ······ Skipping (existing): github.com/gogo/protobuf/proto 2018/07/23 15:32:48 ····· Skipping (existing): github.com/gogo/protobuf/proto 2018/07/23 15:32:48 ···· Skipping (existing): google.golang.org/grpc/credentials 2018/07/23 15:32:48 ···· Skipping (existing): google.golang.org/grpc 2018/07/23 15:32:48 ···· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:32:48 ···· Skipping (existing): google.golang.org/grpc/codes 2018/07/23 15:32:48 ···· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:32:48 ···· Skipping (existing): google.golang.org/grpc/grpclog 2018/07/23 15:32:48 ···· Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:32:48 ···· Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:32:48 ··· Skipping (existing): golang.org/x/net/context 2018/07/23 15:32:48 ··· Skipping (existing): google.golang.org/grpc 2018/07/23 15:32:48 ··· Skipping (existing): google.golang.org/grpc/grpclog 2018/07/23 15:32:48 ··· Skipping (existing): google.golang.org/grpc/codes 2018/07/23 15:32:48 ··· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:32:48 ·· Skipping (existing): github.com/opentracing/opentracing-go 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc 2018/07/23 15:32:48 ·· Skipping (existing): golang.org/x/net/context 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc/codes 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc/grpclog 2018/07/23 15:32:48 ·· Skipping (existing): github.com/opentracing/opentracing-go/log 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc/metadata 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc/peer 2018/07/23 15:32:48 ·· Skipping (existing): google.golang.org/grpc/credentials 2018/07/23 15:32:48 ·· Skipping (existing): github.com/golang/protobuf/proto 2018/07/23 15:32:48 ·· Skipping (existing): golang.org/x/net/trace 2018/07/23 15:32:48 ·· Skipping (existing): github.com/opentracing/opentracing-go/ext 2018/07/23 15:32:48 · Fetching recursive dependency: github.com/weaveworks/promrus 2018/07/23 15:32:53 ·· Skipping (existing): gopkg.in/yaml.v2 2018/07/23 15:32:53 ·· Skipping (existing): golang.org/x/net/context/ctxhttp 2018/07/23 15:32:53 ·· Fetching recursive dependency: github.com/stretchr/objx 2018/07/23 15:32:55 ·· Fetching recursive dependency: gopkg.in/alecthomas/kingpin.v2 2018/07/23 15:32:58 ··· Fetching recursive dependency: github.com/alecthomas/units 2018/07/23 15:33:00 ··· Fetching recursive dependency: github.com/alecthomas/template 2018/07/23 15:33:02 ·· Fetching recursive dependency: github.com/julienschmidt/httprouter 2018/07/23 15:33:05 ·· Skipping (existing): golang.org/x/net/context 2018/07/23 15:33:05 · Skipping (existing): github.com/aws/aws-sdk-go/aws/credentials 2018/07/23 15:33:05 · Skipping (existing): github.com/golang/protobuf/ptypes/empty 2018/07/23 15:33:05 · Skipping (existing): golang.org/x/net/context 2018/07/23 15:33:05 · Skipping (existing): golang.org/x/tools/cover 2018/07/23 15:33:05 · Skipping (existing): github.com/mgutz/ansi ```
1833 lines
82 KiB
Go
1833 lines
82 KiB
Go
// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
|
|
|
|
package sts
|
|
|
|
import (
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go-v2/aws"
|
|
"github.com/aws/aws-sdk-go-v2/internal/awsutil"
|
|
)
|
|
|
|
const opAssumeRole = "AssumeRole"
|
|
|
|
// AssumeRoleRequest is a API request type for the AssumeRole API operation.
|
|
type AssumeRoleRequest struct {
|
|
*aws.Request
|
|
Input *AssumeRoleInput
|
|
Copy func(*AssumeRoleInput) AssumeRoleRequest
|
|
}
|
|
|
|
// Send marshals and sends the AssumeRole API request.
|
|
func (r AssumeRoleRequest) Send() (*AssumeRoleOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*AssumeRoleOutput), nil
|
|
}
|
|
|
|
// AssumeRoleRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns a set of temporary security credentials (consisting of an access
|
|
// key ID, a secret access key, and a security token) that you can use to access
|
|
// AWS resources that you might not normally have access to. Typically, you
|
|
// use AssumeRole for cross-account access or federation. For a comparison of
|
|
// AssumeRole with the other APIs that produce temporary credentials, see Requesting
|
|
// Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
|
|
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
|
|
// in the IAM User Guide.
|
|
//
|
|
// Important: You cannot call AssumeRole by using AWS root account credentials;
|
|
// access is denied. You must use credentials for an IAM user or an IAM role
|
|
// to call AssumeRole.
|
|
//
|
|
// For cross-account access, imagine that you own multiple accounts and need
|
|
// to access resources in each account. You could create long-term credentials
|
|
// in each account to access those resources. However, managing all those credentials
|
|
// and remembering which one can access which account can be time consuming.
|
|
// Instead, you can create one set of long-term credentials in one account and
|
|
// then use temporary security credentials to access all the other accounts
|
|
// by assuming roles in those accounts. For more information about roles, see
|
|
// IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// For federation, you can, for example, grant single sign-on access to the
|
|
// AWS Management Console. If you already have an identity and authentication
|
|
// system in your corporate network, you don't have to recreate user identities
|
|
// in AWS in order to grant those user identities access to AWS. Instead, after
|
|
// a user has been authenticated, you call AssumeRole (and specify the role
|
|
// with the appropriate permissions) to get temporary security credentials for
|
|
// that user. With those temporary security credentials, you construct a sign-in
|
|
// URL that users can use to access the console. For more information, see Common
|
|
// Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
|
|
// in the IAM User Guide.
|
|
//
|
|
// By default, the temporary security credentials created by AssumeRole last
|
|
// for one hour. However, you can use the optional DurationSeconds parameter
|
|
// to specify the duration of your session. You can provide a value from 900
|
|
// seconds (15 minutes) up to the maximum session duration setting for the role.
|
|
// This setting can have a value from 1 hour to 12 hours. To learn how to view
|
|
// the maximum value for your role, see View the Maximum Session Duration Setting
|
|
// for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide. The maximum session duration limit applies when you
|
|
// use the AssumeRole* API operations or the assume-role* CLI operations but
|
|
// does not apply when you use those operations to create a console URL. For
|
|
// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials created by AssumeRole can be used to make
|
|
// API calls to any AWS service with the following exception: you cannot call
|
|
// the STS service's GetFederationToken or GetSessionToken APIs.
|
|
//
|
|
// Optionally, you can pass an IAM access policy to this operation. If you choose
|
|
// not to pass a policy, the temporary security credentials that are returned
|
|
// by the operation have the permissions that are defined in the access policy
|
|
// of the role that is being assumed. If you pass a policy to this operation,
|
|
// the temporary security credentials that are returned by the operation have
|
|
// the permissions that are allowed by both the access policy of the role that
|
|
// is being assumed, and the policy that you pass. This gives you a way to further
|
|
// restrict the permissions for the resulting temporary security credentials.
|
|
// You cannot use the passed policy to grant permissions that are in excess
|
|
// of those allowed by the access policy of the role that is being assumed.
|
|
// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
|
|
// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// To assume a role, your AWS account must be trusted by the role. The trust
|
|
// relationship is defined in the role's trust policy when the role is created.
|
|
// That trust policy states which accounts are allowed to delegate access to
|
|
// this account's role.
|
|
//
|
|
// The user who wants to access the role must also have permissions delegated
|
|
// from the role's administrator. If the user is in a different account than
|
|
// the role, then the user's administrator must attach a policy that allows
|
|
// the user to call AssumeRole on the ARN of the role in the other account.
|
|
// If the user is in the same account as the role, then you can either attach
|
|
// a policy to the user (identical to the previous different account user),
|
|
// or you can add the user as a principal directly in the role's trust policy.
|
|
// In this case, the trust policy acts as the only resource-based policy in
|
|
// IAM, and users in the same account as the role do not need explicit permission
|
|
// to assume the role. For more information about trust policies and resource-based
|
|
// policies, see IAM Policies (http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// Using MFA with AssumeRole
|
|
//
|
|
// You can optionally include multi-factor authentication (MFA) information
|
|
// when you call AssumeRole. This is useful for cross-account scenarios in which
|
|
// you want to make sure that the user who is assuming the role has been authenticated
|
|
// using an AWS MFA device. In that scenario, the trust policy of the role being
|
|
// assumed includes a condition that tests for MFA authentication; if the caller
|
|
// does not include valid MFA information, the request to assume the role is
|
|
// denied. The condition in a trust policy that tests for MFA authentication
|
|
// might look like the following example.
|
|
//
|
|
// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
|
|
//
|
|
// For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
|
|
// in the IAM User Guide guide.
|
|
//
|
|
// To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
|
|
// parameters. The SerialNumber value identifies the user's hardware or virtual
|
|
// MFA device. The TokenCode is the time-based one-time password (TOTP) that
|
|
// the MFA devices produces.
|
|
//
|
|
// // Example sending a request using the AssumeRoleRequest method.
|
|
// req := client.AssumeRoleRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
|
|
func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) AssumeRoleRequest {
|
|
op := &aws.Operation{
|
|
Name: opAssumeRole,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &AssumeRoleInput{}
|
|
}
|
|
|
|
output := &AssumeRoleOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return AssumeRoleRequest{Request: req, Input: input, Copy: c.AssumeRoleRequest}
|
|
}
|
|
|
|
const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
|
|
|
|
// AssumeRoleWithSAMLRequest is a API request type for the AssumeRoleWithSAML API operation.
|
|
type AssumeRoleWithSAMLRequest struct {
|
|
*aws.Request
|
|
Input *AssumeRoleWithSAMLInput
|
|
Copy func(*AssumeRoleWithSAMLInput) AssumeRoleWithSAMLRequest
|
|
}
|
|
|
|
// Send marshals and sends the AssumeRoleWithSAML API request.
|
|
func (r AssumeRoleWithSAMLRequest) Send() (*AssumeRoleWithSAMLOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*AssumeRoleWithSAMLOutput), nil
|
|
}
|
|
|
|
// AssumeRoleWithSAMLRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns a set of temporary security credentials for users who have been authenticated
|
|
// via a SAML authentication response. This operation provides a mechanism for
|
|
// tying an enterprise identity store or directory to role-based AWS access
|
|
// without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
|
|
// with the other APIs that produce temporary credentials, see Requesting Temporary
|
|
// Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
|
|
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials returned by this operation consist of
|
|
// an access key ID, a secret access key, and a security token. Applications
|
|
// can use these temporary security credentials to sign calls to AWS services.
|
|
//
|
|
// By default, the temporary security credentials created by AssumeRoleWithSAML
|
|
// last for one hour. However, you can use the optional DurationSeconds parameter
|
|
// to specify the duration of your session. Your role session lasts for the
|
|
// duration that you specify, or until the time specified in the SAML authentication
|
|
// response's SessionNotOnOrAfter value, whichever is shorter. You can provide
|
|
// a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
|
|
// duration setting for the role. This setting can have a value from 1 hour
|
|
// to 12 hours. To learn how to view the maximum value for your role, see View
|
|
// the Maximum Session Duration Setting for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide. The maximum session duration limit applies when you
|
|
// use the AssumeRole* API operations or the assume-role* CLI operations but
|
|
// does not apply when you use those operations to create a console URL. For
|
|
// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials created by AssumeRoleWithSAML can be used
|
|
// to make API calls to any AWS service with the following exception: you cannot
|
|
// call the STS service's GetFederationToken or GetSessionToken APIs.
|
|
//
|
|
// Optionally, you can pass an IAM access policy to this operation. If you choose
|
|
// not to pass a policy, the temporary security credentials that are returned
|
|
// by the operation have the permissions that are defined in the access policy
|
|
// of the role that is being assumed. If you pass a policy to this operation,
|
|
// the temporary security credentials that are returned by the operation have
|
|
// the permissions that are allowed by the intersection of both the access policy
|
|
// of the role that is being assumed, and the policy that you pass. This means
|
|
// that both policies must grant the permission for the action to be allowed.
|
|
// This gives you a way to further restrict the permissions for the resulting
|
|
// temporary security credentials. You cannot use the passed policy to grant
|
|
// permissions that are in excess of those allowed by the access policy of the
|
|
// role that is being assumed. For more information, see Permissions for AssumeRole,
|
|
// AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// Before your application can call AssumeRoleWithSAML, you must configure your
|
|
// SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
|
|
// you must use AWS Identity and Access Management (IAM) to create a SAML provider
|
|
// entity in your AWS account that represents your identity provider, and create
|
|
// an IAM role that specifies this SAML provider in its trust policy.
|
|
//
|
|
// Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
|
|
// The identity of the caller is validated by using keys in the metadata document
|
|
// that is uploaded for the SAML provider entity for your identity provider.
|
|
//
|
|
// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
|
|
// logs. The entry includes the value in the NameID element of the SAML assertion.
|
|
// We recommend that you use a NameIDType that is not associated with any personally
|
|
// identifiable information (PII). For example, you could instead use the Persistent
|
|
// Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
|
|
//
|
|
// For more information, see the following resources:
|
|
//
|
|
// * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// // Example sending a request using the AssumeRoleWithSAMLRequest method.
|
|
// req := client.AssumeRoleWithSAMLRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
|
|
func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) AssumeRoleWithSAMLRequest {
|
|
op := &aws.Operation{
|
|
Name: opAssumeRoleWithSAML,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &AssumeRoleWithSAMLInput{}
|
|
}
|
|
|
|
output := &AssumeRoleWithSAMLOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return AssumeRoleWithSAMLRequest{Request: req, Input: input, Copy: c.AssumeRoleWithSAMLRequest}
|
|
}
|
|
|
|
const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
|
|
|
|
// AssumeRoleWithWebIdentityRequest is a API request type for the AssumeRoleWithWebIdentity API operation.
|
|
type AssumeRoleWithWebIdentityRequest struct {
|
|
*aws.Request
|
|
Input *AssumeRoleWithWebIdentityInput
|
|
Copy func(*AssumeRoleWithWebIdentityInput) AssumeRoleWithWebIdentityRequest
|
|
}
|
|
|
|
// Send marshals and sends the AssumeRoleWithWebIdentity API request.
|
|
func (r AssumeRoleWithWebIdentityRequest) Send() (*AssumeRoleWithWebIdentityOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*AssumeRoleWithWebIdentityOutput), nil
|
|
}
|
|
|
|
// AssumeRoleWithWebIdentityRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns a set of temporary security credentials for users who have been authenticated
|
|
// in a mobile or web application with a web identity provider, such as Amazon
|
|
// Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
|
|
// identity provider.
|
|
//
|
|
// For mobile applications, we recommend that you use Amazon Cognito. You can
|
|
// use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
|
|
// and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
|
|
// identify a user and supply the user with a consistent identity throughout
|
|
// the lifetime of an application.
|
|
//
|
|
// To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
|
|
// in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview
|
|
// (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
|
|
// in the AWS SDK for iOS Developer Guide.
|
|
//
|
|
// Calling AssumeRoleWithWebIdentity does not require the use of AWS security
|
|
// credentials. Therefore, you can distribute an application (for example, on
|
|
// mobile devices) that requests temporary security credentials without including
|
|
// long-term AWS credentials in the application, and without deploying server-based
|
|
// proxy services that use long-term AWS credentials. Instead, the identity
|
|
// of the caller is validated by using a token from the web identity provider.
|
|
// For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce
|
|
// temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
|
|
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials returned by this API consist of an access
|
|
// key ID, a secret access key, and a security token. Applications can use these
|
|
// temporary security credentials to sign calls to AWS service APIs.
|
|
//
|
|
// By default, the temporary security credentials created by AssumeRoleWithWebIdentity
|
|
// last for one hour. However, you can use the optional DurationSeconds parameter
|
|
// to specify the duration of your session. You can provide a value from 900
|
|
// seconds (15 minutes) up to the maximum session duration setting for the role.
|
|
// This setting can have a value from 1 hour to 12 hours. To learn how to view
|
|
// the maximum value for your role, see View the Maximum Session Duration Setting
|
|
// for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide. The maximum session duration limit applies when you
|
|
// use the AssumeRole* API operations or the assume-role* CLI operations but
|
|
// does not apply when you use those operations to create a console URL. For
|
|
// more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials created by AssumeRoleWithWebIdentity can
|
|
// be used to make API calls to any AWS service with the following exception:
|
|
// you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
|
|
//
|
|
// Optionally, you can pass an IAM access policy to this operation. If you choose
|
|
// not to pass a policy, the temporary security credentials that are returned
|
|
// by the operation have the permissions that are defined in the access policy
|
|
// of the role that is being assumed. If you pass a policy to this operation,
|
|
// the temporary security credentials that are returned by the operation have
|
|
// the permissions that are allowed by both the access policy of the role that
|
|
// is being assumed, and the policy that you pass. This gives you a way to further
|
|
// restrict the permissions for the resulting temporary security credentials.
|
|
// You cannot use the passed policy to grant permissions that are in excess
|
|
// of those allowed by the access policy of the role that is being assumed.
|
|
// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
|
|
// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// Before your application can call AssumeRoleWithWebIdentity, you must have
|
|
// an identity token from a supported identity provider and create a role that
|
|
// the application can assume. The role that your application assumes must trust
|
|
// the identity provider that is associated with the identity token. In other
|
|
// words, the identity provider must be specified in the role's trust policy.
|
|
//
|
|
// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
|
|
// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
|
|
// of the provided Web Identity Token. We recommend that you avoid using any
|
|
// personally identifiable information (PII) in this field. For example, you
|
|
// could instead use a GUID or a pairwise identifier, as suggested in the OIDC
|
|
// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
|
|
//
|
|
// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
|
|
// API, see the following resources:
|
|
//
|
|
// * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
|
|
// and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
|
|
//
|
|
//
|
|
// * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
|
|
// This interactive website lets you walk through the process of authenticating
|
|
// via Login with Amazon, Facebook, or Google, getting temporary security
|
|
// credentials, and then using those credentials to make a request to AWS.
|
|
//
|
|
//
|
|
// * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
|
|
// (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
|
|
// apps that show how to invoke the identity providers, and then how to use
|
|
// the information from these providers to get and use temporary security
|
|
// credentials.
|
|
//
|
|
// * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
|
|
// This article discusses web identity federation and shows an example of
|
|
// how to use web identity federation to get access to content in Amazon
|
|
// S3.
|
|
//
|
|
// // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
|
|
// req := client.AssumeRoleWithWebIdentityRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
|
|
func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) AssumeRoleWithWebIdentityRequest {
|
|
op := &aws.Operation{
|
|
Name: opAssumeRoleWithWebIdentity,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &AssumeRoleWithWebIdentityInput{}
|
|
}
|
|
|
|
output := &AssumeRoleWithWebIdentityOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return AssumeRoleWithWebIdentityRequest{Request: req, Input: input, Copy: c.AssumeRoleWithWebIdentityRequest}
|
|
}
|
|
|
|
const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
|
|
|
|
// DecodeAuthorizationMessageRequest is a API request type for the DecodeAuthorizationMessage API operation.
|
|
type DecodeAuthorizationMessageRequest struct {
|
|
*aws.Request
|
|
Input *DecodeAuthorizationMessageInput
|
|
Copy func(*DecodeAuthorizationMessageInput) DecodeAuthorizationMessageRequest
|
|
}
|
|
|
|
// Send marshals and sends the DecodeAuthorizationMessage API request.
|
|
func (r DecodeAuthorizationMessageRequest) Send() (*DecodeAuthorizationMessageOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*DecodeAuthorizationMessageOutput), nil
|
|
}
|
|
|
|
// DecodeAuthorizationMessageRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Decodes additional information about the authorization status of a request
|
|
// from an encoded message returned in response to an AWS request.
|
|
//
|
|
// For example, if a user is not authorized to perform an action that he or
|
|
// she has requested, the request returns a Client.UnauthorizedOperation response
|
|
// (an HTTP 403 response). Some AWS actions additionally return an encoded message
|
|
// that can provide details about this authorization failure.
|
|
//
|
|
// Only certain AWS actions return an encoded authorization message. The documentation
|
|
// for an individual action indicates whether that action returns an encoded
|
|
// message in addition to returning an HTTP code.
|
|
//
|
|
// The message is encoded because the details of the authorization status can
|
|
// constitute privileged information that the user who requested the action
|
|
// should not see. To decode an authorization status message, a user must be
|
|
// granted permissions via an IAM policy to request the DecodeAuthorizationMessage
|
|
// (sts:DecodeAuthorizationMessage) action.
|
|
//
|
|
// The decoded message includes the following type of information:
|
|
//
|
|
// * Whether the request was denied due to an explicit deny or due to the
|
|
// absence of an explicit allow. For more information, see Determining Whether
|
|
// a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
|
|
// in the IAM User Guide.
|
|
//
|
|
// * The principal who made the request.
|
|
//
|
|
// * The requested action.
|
|
//
|
|
// * The requested resource.
|
|
//
|
|
// * The values of condition keys in the context of the user's request.
|
|
//
|
|
// // Example sending a request using the DecodeAuthorizationMessageRequest method.
|
|
// req := client.DecodeAuthorizationMessageRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
|
|
func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) DecodeAuthorizationMessageRequest {
|
|
op := &aws.Operation{
|
|
Name: opDecodeAuthorizationMessage,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &DecodeAuthorizationMessageInput{}
|
|
}
|
|
|
|
output := &DecodeAuthorizationMessageOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return DecodeAuthorizationMessageRequest{Request: req, Input: input, Copy: c.DecodeAuthorizationMessageRequest}
|
|
}
|
|
|
|
const opGetCallerIdentity = "GetCallerIdentity"
|
|
|
|
// GetCallerIdentityRequest is a API request type for the GetCallerIdentity API operation.
|
|
type GetCallerIdentityRequest struct {
|
|
*aws.Request
|
|
Input *GetCallerIdentityInput
|
|
Copy func(*GetCallerIdentityInput) GetCallerIdentityRequest
|
|
}
|
|
|
|
// Send marshals and sends the GetCallerIdentity API request.
|
|
func (r GetCallerIdentityRequest) Send() (*GetCallerIdentityOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*GetCallerIdentityOutput), nil
|
|
}
|
|
|
|
// GetCallerIdentityRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns details about the IAM identity whose credentials are used to call
|
|
// the API.
|
|
//
|
|
// // Example sending a request using the GetCallerIdentityRequest method.
|
|
// req := client.GetCallerIdentityRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
|
|
func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) GetCallerIdentityRequest {
|
|
op := &aws.Operation{
|
|
Name: opGetCallerIdentity,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &GetCallerIdentityInput{}
|
|
}
|
|
|
|
output := &GetCallerIdentityOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return GetCallerIdentityRequest{Request: req, Input: input, Copy: c.GetCallerIdentityRequest}
|
|
}
|
|
|
|
const opGetFederationToken = "GetFederationToken"
|
|
|
|
// GetFederationTokenRequest is a API request type for the GetFederationToken API operation.
|
|
type GetFederationTokenRequest struct {
|
|
*aws.Request
|
|
Input *GetFederationTokenInput
|
|
Copy func(*GetFederationTokenInput) GetFederationTokenRequest
|
|
}
|
|
|
|
// Send marshals and sends the GetFederationToken API request.
|
|
func (r GetFederationTokenRequest) Send() (*GetFederationTokenOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*GetFederationTokenOutput), nil
|
|
}
|
|
|
|
// GetFederationTokenRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns a set of temporary security credentials (consisting of an access
|
|
// key ID, a secret access key, and a security token) for a federated user.
|
|
// A typical use is in a proxy application that gets temporary security credentials
|
|
// on behalf of distributed applications inside a corporate network. Because
|
|
// you must call the GetFederationToken action using the long-term security
|
|
// credentials of an IAM user, this call is appropriate in contexts where those
|
|
// credentials can be safely stored, usually in a server-based application.
|
|
// For a comparison of GetFederationToken with the other APIs that produce temporary
|
|
// credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
|
|
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
|
|
// in the IAM User Guide.
|
|
//
|
|
// If you are creating a mobile-based or browser-based app that can authenticate
|
|
// users using a web identity provider like Login with Amazon, Facebook, Google,
|
|
// or an OpenID Connect-compatible identity provider, we recommend that you
|
|
// use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
|
|
// For more information, see Federation Through a Web-based Identity Provider
|
|
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
|
|
//
|
|
// The GetFederationToken action must be called by using the long-term AWS security
|
|
// credentials of an IAM user. You can also call GetFederationToken using the
|
|
// security credentials of an AWS root account, but we do not recommended it.
|
|
// Instead, we recommend that you create an IAM user for the purpose of the
|
|
// proxy application and then attach a policy to the IAM user that limits federated
|
|
// users to only the actions and resources that they need access to. For more
|
|
// information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The temporary security credentials that are obtained by using the long-term
|
|
// credentials of an IAM user are valid for the specified duration, from 900
|
|
// seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default
|
|
// is 43200 seconds (12 hours). Temporary credentials that are obtained by using
|
|
// AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
|
|
//
|
|
// The temporary security credentials created by GetFederationToken can be used
|
|
// to make API calls to any AWS service with the following exceptions:
|
|
//
|
|
// * You cannot use these credentials to call any IAM APIs.
|
|
//
|
|
// * You cannot call any STS APIs except GetCallerIdentity.
|
|
//
|
|
// Permissions
|
|
//
|
|
// The permissions for the temporary security credentials returned by GetFederationToken
|
|
// are determined by a combination of the following:
|
|
//
|
|
// * The policy or policies that are attached to the IAM user whose credentials
|
|
// are used to call GetFederationToken.
|
|
//
|
|
// * The policy that is passed as a parameter in the call.
|
|
//
|
|
// The passed policy is attached to the temporary security credentials that
|
|
// result from the GetFederationToken API call--that is, to the federated user.
|
|
// When the federated user makes an AWS request, AWS evaluates the policy attached
|
|
// to the federated user in combination with the policy or policies attached
|
|
// to the IAM user whose credentials were used to call GetFederationToken. AWS
|
|
// allows the federated user's request only when both the federated user and
|
|
// the IAM user are explicitly allowed to perform the requested action. The
|
|
// passed policy cannot grant more permissions than those that are defined in
|
|
// the IAM user policy.
|
|
//
|
|
// A typical use case is that the permissions of the IAM user whose credentials
|
|
// are used to call GetFederationToken are designed to allow access to all the
|
|
// actions and resources that any federated user will need. Then, for individual
|
|
// users, you pass a policy to the operation that scopes down the permissions
|
|
// to a level that's appropriate to that individual user, using a policy that
|
|
// allows only a subset of permissions that are granted to the IAM user.
|
|
//
|
|
// If you do not pass a policy, the resulting temporary security credentials
|
|
// have no effective permissions. The only exception is when the temporary security
|
|
// credentials are used to access a resource that has a resource-based policy
|
|
// that specifically allows the federated user to access the resource.
|
|
//
|
|
// For more information about how permissions work, see Permissions for GetFederationToken
|
|
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
|
|
// For information about using GetFederationToken to create temporary security
|
|
// credentials, see GetFederationToken—Federation Through a Custom Identity
|
|
// Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
|
|
//
|
|
// // Example sending a request using the GetFederationTokenRequest method.
|
|
// req := client.GetFederationTokenRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
|
|
func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) GetFederationTokenRequest {
|
|
op := &aws.Operation{
|
|
Name: opGetFederationToken,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &GetFederationTokenInput{}
|
|
}
|
|
|
|
output := &GetFederationTokenOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return GetFederationTokenRequest{Request: req, Input: input, Copy: c.GetFederationTokenRequest}
|
|
}
|
|
|
|
const opGetSessionToken = "GetSessionToken"
|
|
|
|
// GetSessionTokenRequest is a API request type for the GetSessionToken API operation.
|
|
type GetSessionTokenRequest struct {
|
|
*aws.Request
|
|
Input *GetSessionTokenInput
|
|
Copy func(*GetSessionTokenInput) GetSessionTokenRequest
|
|
}
|
|
|
|
// Send marshals and sends the GetSessionToken API request.
|
|
func (r GetSessionTokenRequest) Send() (*GetSessionTokenOutput, error) {
|
|
err := r.Request.Send()
|
|
if err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
return r.Request.Data.(*GetSessionTokenOutput), nil
|
|
}
|
|
|
|
// GetSessionTokenRequest returns a request value for making API operation for
|
|
// AWS Security Token Service.
|
|
//
|
|
// Returns a set of temporary credentials for an AWS account or IAM user. The
|
|
// credentials consist of an access key ID, a secret access key, and a security
|
|
// token. Typically, you use GetSessionToken if you want to use MFA to protect
|
|
// programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
|
|
// IAM users would need to call GetSessionToken and submit an MFA code that
|
|
// is associated with their MFA device. Using the temporary security credentials
|
|
// that are returned from the call, IAM users can then make programmatic calls
|
|
// to APIs that require MFA authentication. If you do not supply a correct MFA
|
|
// code, then the API returns an access denied error. For a comparison of GetSessionToken
|
|
// with the other APIs that produce temporary credentials, see Requesting Temporary
|
|
// Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
|
|
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The GetSessionToken action must be called by using the long-term AWS security
|
|
// credentials of the AWS account or an IAM user. Credentials that are created
|
|
// by IAM users are valid for the duration that you specify, from 900 seconds
|
|
// (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default
|
|
// of 43200 seconds (12 hours); credentials that are created by using account
|
|
// credentials can range from 900 seconds (15 minutes) up to a maximum of 3600
|
|
// seconds (1 hour), with a default of 1 hour.
|
|
//
|
|
// The temporary security credentials created by GetSessionToken can be used
|
|
// to make API calls to any AWS service with the following exceptions:
|
|
//
|
|
// * You cannot call any IAM APIs unless MFA authentication information is
|
|
// included in the request.
|
|
//
|
|
// * You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
|
|
//
|
|
// We recommend that you do not call GetSessionToken with root account credentials.
|
|
// Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
|
|
// by creating one or more IAM users, giving them the necessary permissions,
|
|
// and using IAM users for everyday interaction with AWS.
|
|
//
|
|
// The permissions associated with the temporary security credentials returned
|
|
// by GetSessionToken are based on the permissions associated with account or
|
|
// IAM user whose credentials are used to call the action. If GetSessionToken
|
|
// is called using root account credentials, the temporary credentials have
|
|
// root account permissions. Similarly, if GetSessionToken is called using the
|
|
// credentials of an IAM user, the temporary credentials have the same permissions
|
|
// as the IAM user.
|
|
//
|
|
// For more information about using GetSessionToken to create temporary credentials,
|
|
// go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
|
|
// in the IAM User Guide.
|
|
//
|
|
// // Example sending a request using the GetSessionTokenRequest method.
|
|
// req := client.GetSessionTokenRequest(params)
|
|
// resp, err := req.Send()
|
|
// if err == nil {
|
|
// fmt.Println(resp)
|
|
// }
|
|
//
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
|
|
func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) GetSessionTokenRequest {
|
|
op := &aws.Operation{
|
|
Name: opGetSessionToken,
|
|
HTTPMethod: "POST",
|
|
HTTPPath: "/",
|
|
}
|
|
|
|
if input == nil {
|
|
input = &GetSessionTokenInput{}
|
|
}
|
|
|
|
output := &GetSessionTokenOutput{}
|
|
req := c.newRequest(op, input, output)
|
|
output.responseMetadata = aws.Response{Request: req}
|
|
|
|
return GetSessionTokenRequest{Request: req, Input: input, Copy: c.GetSessionTokenRequest}
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest
|
|
type AssumeRoleInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The duration, in seconds, of the role session. The value can range from 900
|
|
// seconds (15 minutes) up to the maximum session duration setting for the role.
|
|
// This setting can have a value from 1 hour to 12 hours. If you specify a value
|
|
// higher than this setting, the operation fails. For example, if you specify
|
|
// a session duration of 12 hours, but your administrator set the maximum session
|
|
// duration to 6 hours, your operation fails. To learn how to view the maximum
|
|
// value for your role, see View the Maximum Session Duration Setting for a
|
|
// Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide.
|
|
//
|
|
// By default, the value is set to 3600 seconds.
|
|
//
|
|
// The DurationSeconds parameter is separate from the duration of a console
|
|
// session that you might request using the returned credentials. The request
|
|
// to the federation endpoint for a console sign-in token takes a SessionDuration
|
|
// parameter that specifies the maximum length of the console session. For more
|
|
// information, see Creating a URL that Enables Federated Users to Access the
|
|
// AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
|
|
// in the IAM User Guide.
|
|
DurationSeconds *int64 `min:"900" type:"integer"`
|
|
|
|
// A unique identifier that is used by third parties when assuming roles in
|
|
// their customers' accounts. For each role that the third party can assume,
|
|
// they should instruct their customers to ensure the role's trust policy checks
|
|
// for the external ID that the third party generated. Each time the third party
|
|
// assumes the role, they should pass the customer's external ID. The external
|
|
// ID is useful in order to help third parties bind a role to the customer who
|
|
// created it. For more information about the external ID, see How to Use an
|
|
// External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The regex used to validated this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@:/-
|
|
ExternalId *string `min:"2" type:"string"`
|
|
|
|
// An IAM policy in JSON format.
|
|
//
|
|
// This parameter is optional. If you pass a policy, the temporary security
|
|
// credentials that are returned by the operation have the permissions that
|
|
// are allowed by both (the intersection of) the access policy of the role that
|
|
// is being assumed, and the policy that you pass. This gives you a way to further
|
|
// restrict the permissions for the resulting temporary security credentials.
|
|
// You cannot use the passed policy to grant permissions that are in excess
|
|
// of those allowed by the access policy of the role that is being assumed.
|
|
// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
|
|
// and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a string
|
|
// of characters up to 2048 characters in length. The characters can be any
|
|
// ASCII character from the space character to the end of the valid character
|
|
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
|
|
// and carriage return (\u000D) characters.
|
|
//
|
|
// The policy plain text must be 2048 bytes or shorter. However, an internal
|
|
// conversion compresses it into a packed binary format with a separate limit.
|
|
// The PackedPolicySize response element indicates by percentage how close to
|
|
// the upper size limit the policy is, with 100% equaling the maximum allowed
|
|
// size.
|
|
Policy *string `min:"1" type:"string"`
|
|
|
|
// The Amazon Resource Name (ARN) of the role to assume.
|
|
//
|
|
// RoleArn is a required field
|
|
RoleArn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// An identifier for the assumed role session.
|
|
//
|
|
// Use the role session name to uniquely identify a session when the same role
|
|
// is assumed by different principals or for different reasons. In cross-account
|
|
// scenarios, the role session name is visible to, and can be logged by the
|
|
// account that owns the role. The role session name is also used in the ARN
|
|
// of the assumed role principal. This means that subsequent cross-account API
|
|
// requests using the temporary security credentials will expose the role session
|
|
// name to the external account in their CloudTrail logs.
|
|
//
|
|
// The regex used to validate this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@-
|
|
//
|
|
// RoleSessionName is a required field
|
|
RoleSessionName *string `min:"2" type:"string" required:"true"`
|
|
|
|
// The identification number of the MFA device that is associated with the user
|
|
// who is making the AssumeRole call. Specify this value if the trust policy
|
|
// of the role being assumed includes a condition that requires MFA authentication.
|
|
// The value is either the serial number for a hardware device (such as GAHT12345678)
|
|
// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
|
|
//
|
|
// The regex used to validate this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@-
|
|
SerialNumber *string `min:"9" type:"string"`
|
|
|
|
// The value provided by the MFA device, if the trust policy of the role being
|
|
// assumed requires MFA (that is, if the policy includes a condition that tests
|
|
// for MFA). If the role being assumed requires MFA and if the TokenCode value
|
|
// is missing or expired, the AssumeRole call returns an "access denied" error.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a sequence
|
|
// of six numeric digits.
|
|
TokenCode *string `min:"6" type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *AssumeRoleInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "AssumeRoleInput"}
|
|
if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
|
|
invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900))
|
|
}
|
|
if s.ExternalId != nil && len(*s.ExternalId) < 2 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("ExternalId", 2))
|
|
}
|
|
if s.Policy != nil && len(*s.Policy) < 1 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("Policy", 1))
|
|
}
|
|
|
|
if s.RoleArn == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("RoleArn"))
|
|
}
|
|
if s.RoleArn != nil && len(*s.RoleArn) < 20 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("RoleArn", 20))
|
|
}
|
|
|
|
if s.RoleSessionName == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("RoleSessionName"))
|
|
}
|
|
if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("RoleSessionName", 2))
|
|
}
|
|
if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("SerialNumber", 9))
|
|
}
|
|
if s.TokenCode != nil && len(*s.TokenCode) < 6 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("TokenCode", 6))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Contains the response to a successful AssumeRole request, including temporary
|
|
// AWS credentials that can be used to make AWS requests.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse
|
|
type AssumeRoleOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
|
|
// that you can use to refer to the resulting temporary security credentials.
|
|
// For example, you can reference these credentials as a principal in a resource-based
|
|
// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
|
|
// that you specified when you called AssumeRole.
|
|
AssumedRoleUser *AssumedRoleUser `type:"structure"`
|
|
|
|
// The temporary security credentials, which include an access key ID, a secret
|
|
// access key, and a security (or session) token.
|
|
//
|
|
// Note: The size of the security token that STS APIs return is not fixed. We
|
|
// strongly recommend that you make no assumptions about the maximum size. As
|
|
// of this writing, the typical size is less than 4096 bytes, but that can vary.
|
|
// Also, future updates to AWS might require larger sizes.
|
|
Credentials *Credentials `type:"structure"`
|
|
|
|
// A percentage value that indicates the size of the policy in packed form.
|
|
// The service rejects any policy with a packed size greater than 100 percent,
|
|
// which means the policy exceeded the allowed space.
|
|
PackedPolicySize *int64 `type:"integer"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s AssumeRoleOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLRequest
|
|
type AssumeRoleWithSAMLInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The duration, in seconds, of the role session. Your role session lasts for
|
|
// the duration that you specify for the DurationSeconds parameter, or until
|
|
// the time specified in the SAML authentication response's SessionNotOnOrAfter
|
|
// value, whichever is shorter. You can provide a DurationSeconds value from
|
|
// 900 seconds (15 minutes) up to the maximum session duration setting for the
|
|
// role. This setting can have a value from 1 hour to 12 hours. If you specify
|
|
// a value higher than this setting, the operation fails. For example, if you
|
|
// specify a session duration of 12 hours, but your administrator set the maximum
|
|
// session duration to 6 hours, your operation fails. To learn how to view the
|
|
// maximum value for your role, see View the Maximum Session Duration Setting
|
|
// for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide.
|
|
//
|
|
// By default, the value is set to 3600 seconds.
|
|
//
|
|
// The DurationSeconds parameter is separate from the duration of a console
|
|
// session that you might request using the returned credentials. The request
|
|
// to the federation endpoint for a console sign-in token takes a SessionDuration
|
|
// parameter that specifies the maximum length of the console session. For more
|
|
// information, see Creating a URL that Enables Federated Users to Access the
|
|
// AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
|
|
// in the IAM User Guide.
|
|
DurationSeconds *int64 `min:"900" type:"integer"`
|
|
|
|
// An IAM policy in JSON format.
|
|
//
|
|
// The policy parameter is optional. If you pass a policy, the temporary security
|
|
// credentials that are returned by the operation have the permissions that
|
|
// are allowed by both the access policy of the role that is being assumed,
|
|
// and the policy that you pass. This gives you a way to further restrict the
|
|
// permissions for the resulting temporary security credentials. You cannot
|
|
// use the passed policy to grant permissions that are in excess of those allowed
|
|
// by the access policy of the role that is being assumed. For more information,
|
|
// Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
|
|
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a string
|
|
// of characters up to 2048 characters in length. The characters can be any
|
|
// ASCII character from the space character to the end of the valid character
|
|
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
|
|
// and carriage return (\u000D) characters.
|
|
//
|
|
// The policy plain text must be 2048 bytes or shorter. However, an internal
|
|
// conversion compresses it into a packed binary format with a separate limit.
|
|
// The PackedPolicySize response element indicates by percentage how close to
|
|
// the upper size limit the policy is, with 100% equaling the maximum allowed
|
|
// size.
|
|
Policy *string `min:"1" type:"string"`
|
|
|
|
// The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
|
|
// the IdP.
|
|
//
|
|
// PrincipalArn is a required field
|
|
PrincipalArn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// The Amazon Resource Name (ARN) of the role that the caller is assuming.
|
|
//
|
|
// RoleArn is a required field
|
|
RoleArn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// The base-64 encoded SAML authentication response provided by the IdP.
|
|
//
|
|
// For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
|
|
// in the Using IAM guide.
|
|
//
|
|
// SAMLAssertion is a required field
|
|
SAMLAssertion *string `min:"4" type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleWithSAMLInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleWithSAMLInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *AssumeRoleWithSAMLInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
|
|
if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
|
|
invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900))
|
|
}
|
|
if s.Policy != nil && len(*s.Policy) < 1 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("Policy", 1))
|
|
}
|
|
|
|
if s.PrincipalArn == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("PrincipalArn"))
|
|
}
|
|
if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("PrincipalArn", 20))
|
|
}
|
|
|
|
if s.RoleArn == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("RoleArn"))
|
|
}
|
|
if s.RoleArn != nil && len(*s.RoleArn) < 20 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("RoleArn", 20))
|
|
}
|
|
|
|
if s.SAMLAssertion == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("SAMLAssertion"))
|
|
}
|
|
if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("SAMLAssertion", 4))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Contains the response to a successful AssumeRoleWithSAML request, including
|
|
// temporary AWS credentials that can be used to make AWS requests.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse
|
|
type AssumeRoleWithSAMLOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The identifiers for the temporary security credentials that the operation
|
|
// returns.
|
|
AssumedRoleUser *AssumedRoleUser `type:"structure"`
|
|
|
|
// The value of the Recipient attribute of the SubjectConfirmationData element
|
|
// of the SAML assertion.
|
|
Audience *string `type:"string"`
|
|
|
|
// The temporary security credentials, which include an access key ID, a secret
|
|
// access key, and a security (or session) token.
|
|
//
|
|
// Note: The size of the security token that STS APIs return is not fixed. We
|
|
// strongly recommend that you make no assumptions about the maximum size. As
|
|
// of this writing, the typical size is less than 4096 bytes, but that can vary.
|
|
// Also, future updates to AWS might require larger sizes.
|
|
Credentials *Credentials `type:"structure"`
|
|
|
|
// The value of the Issuer element of the SAML assertion.
|
|
Issuer *string `type:"string"`
|
|
|
|
// A hash value based on the concatenation of the Issuer response value, the
|
|
// AWS account ID, and the friendly name (the last part of the ARN) of the SAML
|
|
// provider in IAM. The combination of NameQualifier and Subject can be used
|
|
// to uniquely identify a federated user.
|
|
//
|
|
// The following pseudocode shows how the hash value is calculated:
|
|
//
|
|
// BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
|
|
// ) )
|
|
NameQualifier *string `type:"string"`
|
|
|
|
// A percentage value that indicates the size of the policy in packed form.
|
|
// The service rejects any policy with a packed size greater than 100 percent,
|
|
// which means the policy exceeded the allowed space.
|
|
PackedPolicySize *int64 `type:"integer"`
|
|
|
|
// The value of the NameID element in the Subject element of the SAML assertion.
|
|
Subject *string `type:"string"`
|
|
|
|
// The format of the name ID, as defined by the Format attribute in the NameID
|
|
// element of the SAML assertion. Typical examples of the format are transient
|
|
// or persistent.
|
|
//
|
|
// If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
|
|
// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
|
|
// is returned as transient. If the format includes any other prefix, the format
|
|
// is returned with no modifications.
|
|
SubjectType *string `type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleWithSAMLOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleWithSAMLOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s AssumeRoleWithSAMLOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityRequest
|
|
type AssumeRoleWithWebIdentityInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The duration, in seconds, of the role session. The value can range from 900
|
|
// seconds (15 minutes) up to the maximum session duration setting for the role.
|
|
// This setting can have a value from 1 hour to 12 hours. If you specify a value
|
|
// higher than this setting, the operation fails. For example, if you specify
|
|
// a session duration of 12 hours, but your administrator set the maximum session
|
|
// duration to 6 hours, your operation fails. To learn how to view the maximum
|
|
// value for your role, see View the Maximum Session Duration Setting for a
|
|
// Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
|
|
// in the IAM User Guide.
|
|
//
|
|
// By default, the value is set to 3600 seconds.
|
|
//
|
|
// The DurationSeconds parameter is separate from the duration of a console
|
|
// session that you might request using the returned credentials. The request
|
|
// to the federation endpoint for a console sign-in token takes a SessionDuration
|
|
// parameter that specifies the maximum length of the console session. For more
|
|
// information, see Creating a URL that Enables Federated Users to Access the
|
|
// AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
|
|
// in the IAM User Guide.
|
|
DurationSeconds *int64 `min:"900" type:"integer"`
|
|
|
|
// An IAM policy in JSON format.
|
|
//
|
|
// The policy parameter is optional. If you pass a policy, the temporary security
|
|
// credentials that are returned by the operation have the permissions that
|
|
// are allowed by both the access policy of the role that is being assumed,
|
|
// and the policy that you pass. This gives you a way to further restrict the
|
|
// permissions for the resulting temporary security credentials. You cannot
|
|
// use the passed policy to grant permissions that are in excess of those allowed
|
|
// by the access policy of the role that is being assumed. For more information,
|
|
// see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
|
|
// in the IAM User Guide.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a string
|
|
// of characters up to 2048 characters in length. The characters can be any
|
|
// ASCII character from the space character to the end of the valid character
|
|
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
|
|
// and carriage return (\u000D) characters.
|
|
//
|
|
// The policy plain text must be 2048 bytes or shorter. However, an internal
|
|
// conversion compresses it into a packed binary format with a separate limit.
|
|
// The PackedPolicySize response element indicates by percentage how close to
|
|
// the upper size limit the policy is, with 100% equaling the maximum allowed
|
|
// size.
|
|
Policy *string `min:"1" type:"string"`
|
|
|
|
// The fully qualified host component of the domain name of the identity provider.
|
|
//
|
|
// Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
|
|
// and graph.facebook.com are the only supported identity providers for OAuth
|
|
// 2.0 access tokens. Do not include URL schemes and port numbers.
|
|
//
|
|
// Do not specify this value for OpenID Connect ID tokens.
|
|
ProviderId *string `min:"4" type:"string"`
|
|
|
|
// The Amazon Resource Name (ARN) of the role that the caller is assuming.
|
|
//
|
|
// RoleArn is a required field
|
|
RoleArn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// An identifier for the assumed role session. Typically, you pass the name
|
|
// or identifier that is associated with the user who is using your application.
|
|
// That way, the temporary security credentials that your application will use
|
|
// are associated with that user. This session name is included as part of the
|
|
// ARN and assumed role ID in the AssumedRoleUser response element.
|
|
//
|
|
// The regex used to validate this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@-
|
|
//
|
|
// RoleSessionName is a required field
|
|
RoleSessionName *string `min:"2" type:"string" required:"true"`
|
|
|
|
// The OAuth 2.0 access token or OpenID Connect ID token that is provided by
|
|
// the identity provider. Your application must get this token by authenticating
|
|
// the user who is using your application with a web identity provider before
|
|
// the application makes an AssumeRoleWithWebIdentity call.
|
|
//
|
|
// WebIdentityToken is a required field
|
|
WebIdentityToken *string `min:"4" type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleWithWebIdentityInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleWithWebIdentityInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *AssumeRoleWithWebIdentityInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
|
|
if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
|
|
invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900))
|
|
}
|
|
if s.Policy != nil && len(*s.Policy) < 1 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("Policy", 1))
|
|
}
|
|
if s.ProviderId != nil && len(*s.ProviderId) < 4 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("ProviderId", 4))
|
|
}
|
|
|
|
if s.RoleArn == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("RoleArn"))
|
|
}
|
|
if s.RoleArn != nil && len(*s.RoleArn) < 20 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("RoleArn", 20))
|
|
}
|
|
|
|
if s.RoleSessionName == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("RoleSessionName"))
|
|
}
|
|
if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("RoleSessionName", 2))
|
|
}
|
|
|
|
if s.WebIdentityToken == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("WebIdentityToken"))
|
|
}
|
|
if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("WebIdentityToken", 4))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Contains the response to a successful AssumeRoleWithWebIdentity request,
|
|
// including temporary AWS credentials that can be used to make AWS requests.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse
|
|
type AssumeRoleWithWebIdentityOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
|
|
// that you can use to refer to the resulting temporary security credentials.
|
|
// For example, you can reference these credentials as a principal in a resource-based
|
|
// policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
|
|
// that you specified when you called AssumeRole.
|
|
AssumedRoleUser *AssumedRoleUser `type:"structure"`
|
|
|
|
// The intended audience (also known as client ID) of the web identity token.
|
|
// This is traditionally the client identifier issued to the application that
|
|
// requested the web identity token.
|
|
Audience *string `type:"string"`
|
|
|
|
// The temporary security credentials, which include an access key ID, a secret
|
|
// access key, and a security token.
|
|
//
|
|
// Note: The size of the security token that STS APIs return is not fixed. We
|
|
// strongly recommend that you make no assumptions about the maximum size. As
|
|
// of this writing, the typical size is less than 4096 bytes, but that can vary.
|
|
// Also, future updates to AWS might require larger sizes.
|
|
Credentials *Credentials `type:"structure"`
|
|
|
|
// A percentage value that indicates the size of the policy in packed form.
|
|
// The service rejects any policy with a packed size greater than 100 percent,
|
|
// which means the policy exceeded the allowed space.
|
|
PackedPolicySize *int64 `type:"integer"`
|
|
|
|
// The issuing authority of the web identity token presented. For OpenID Connect
|
|
// ID Tokens this contains the value of the iss field. For OAuth 2.0 access
|
|
// tokens, this contains the value of the ProviderId parameter that was passed
|
|
// in the AssumeRoleWithWebIdentity request.
|
|
Provider *string `type:"string"`
|
|
|
|
// The unique user identifier that is returned by the identity provider. This
|
|
// identifier is associated with the WebIdentityToken that was submitted with
|
|
// the AssumeRoleWithWebIdentity call. The identifier is typically unique to
|
|
// the user and the application that acquired the WebIdentityToken (pairwise
|
|
// identifier). For OpenID Connect ID tokens, this field contains the value
|
|
// returned by the identity provider as the token's sub (Subject) claim.
|
|
SubjectFromWebIdentityToken *string `min:"6" type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumeRoleWithWebIdentityOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumeRoleWithWebIdentityOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s AssumeRoleWithWebIdentityOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// The identifiers for the temporary security credentials that the operation
|
|
// returns.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser
|
|
type AssumedRoleUser struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The ARN of the temporary security credentials that are returned from the
|
|
// AssumeRole action. For more information about ARNs and how to use them in
|
|
// policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
|
|
// in Using IAM.
|
|
//
|
|
// Arn is a required field
|
|
Arn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// A unique identifier that contains the role ID and the role session name of
|
|
// the role that is being assumed. The role ID is generated by AWS when the
|
|
// role is created.
|
|
//
|
|
// AssumedRoleId is a required field
|
|
AssumedRoleId *string `min:"2" type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s AssumedRoleUser) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s AssumedRoleUser) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// AWS credentials for API authentication.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Credentials
|
|
type Credentials struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The access key ID that identifies the temporary security credentials.
|
|
//
|
|
// AccessKeyId is a required field
|
|
AccessKeyId *string `min:"16" type:"string" required:"true"`
|
|
|
|
// The date on which the current credentials expire.
|
|
//
|
|
// Expiration is a required field
|
|
Expiration *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
|
|
|
|
// The secret access key that can be used to sign requests.
|
|
//
|
|
// SecretAccessKey is a required field
|
|
SecretAccessKey *string `type:"string" required:"true"`
|
|
|
|
// The token that users must pass to the service API to use the temporary credentials.
|
|
//
|
|
// SessionToken is a required field
|
|
SessionToken *string `type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s Credentials) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s Credentials) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageRequest
|
|
type DecodeAuthorizationMessageInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The encoded message that was returned with the response.
|
|
//
|
|
// EncodedMessage is a required field
|
|
EncodedMessage *string `min:"1" type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s DecodeAuthorizationMessageInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s DecodeAuthorizationMessageInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *DecodeAuthorizationMessageInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
|
|
|
|
if s.EncodedMessage == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("EncodedMessage"))
|
|
}
|
|
if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("EncodedMessage", 1))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// A document that contains additional information about the authorization status
|
|
// of a request from an encoded message that is returned in response to an AWS
|
|
// request.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse
|
|
type DecodeAuthorizationMessageOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// An XML document that contains the decoded message.
|
|
DecodedMessage *string `type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s DecodeAuthorizationMessageOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s DecodeAuthorizationMessageOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s DecodeAuthorizationMessageOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// Identifiers for the federated user that is associated with the credentials.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/FederatedUser
|
|
type FederatedUser struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The ARN that specifies the federated user that is associated with the credentials.
|
|
// For more information about ARNs and how to use them in policies, see IAM
|
|
// Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
|
|
// in Using IAM.
|
|
//
|
|
// Arn is a required field
|
|
Arn *string `min:"20" type:"string" required:"true"`
|
|
|
|
// The string that identifies the federated user associated with the credentials,
|
|
// similar to the unique ID of an IAM user.
|
|
//
|
|
// FederatedUserId is a required field
|
|
FederatedUserId *string `min:"2" type:"string" required:"true"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s FederatedUser) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s FederatedUser) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest
|
|
type GetCallerIdentityInput struct {
|
|
_ struct{} `type:"structure"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetCallerIdentityInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetCallerIdentityInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Contains the response to a successful GetCallerIdentity request, including
|
|
// information about the entity making the request.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse
|
|
type GetCallerIdentityOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The AWS account ID number of the account that owns or contains the calling
|
|
// entity.
|
|
Account *string `type:"string"`
|
|
|
|
// The AWS ARN associated with the calling entity.
|
|
Arn *string `min:"20" type:"string"`
|
|
|
|
// The unique identifier of the calling entity. The exact value depends on the
|
|
// type of entity making the call. The values returned are those listed in the
|
|
// aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
|
|
// found on the Policy Variables reference page in the IAM User Guide.
|
|
UserId *string `type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetCallerIdentityOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetCallerIdentityOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s GetCallerIdentityOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest
|
|
type GetFederationTokenInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The duration, in seconds, that the session should last. Acceptable durations
|
|
// for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
|
|
// (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
|
|
// using AWS account (root) credentials are restricted to a maximum of 3600
|
|
// seconds (one hour). If the specified duration is longer than one hour, the
|
|
// session obtained by using AWS account (root) credentials defaults to one
|
|
// hour.
|
|
DurationSeconds *int64 `min:"900" type:"integer"`
|
|
|
|
// The name of the federated user. The name is used as an identifier for the
|
|
// temporary security credentials (such as Bob). For example, you can reference
|
|
// the federated user name in a resource-based policy, such as in an Amazon
|
|
// S3 bucket policy.
|
|
//
|
|
// The regex used to validate this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@-
|
|
//
|
|
// Name is a required field
|
|
Name *string `min:"2" type:"string" required:"true"`
|
|
|
|
// An IAM policy in JSON format that is passed with the GetFederationToken call
|
|
// and evaluated along with the policy or policies that are attached to the
|
|
// IAM user whose credentials are used to call GetFederationToken. The passed
|
|
// policy is used to scope down the permissions that are available to the IAM
|
|
// user, by allowing only a subset of the permissions that are granted to the
|
|
// IAM user. The passed policy cannot grant more permissions than those granted
|
|
// to the IAM user. The final permissions for the federated user are the most
|
|
// restrictive set based on the intersection of the passed policy and the IAM
|
|
// user policy.
|
|
//
|
|
// If you do not pass a policy, the resulting temporary security credentials
|
|
// have no effective permissions. The only exception is when the temporary security
|
|
// credentials are used to access a resource that has a resource-based policy
|
|
// that specifically allows the federated user to access the resource.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a string
|
|
// of characters up to 2048 characters in length. The characters can be any
|
|
// ASCII character from the space character to the end of the valid character
|
|
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
|
|
// and carriage return (\u000D) characters.
|
|
//
|
|
// The policy plain text must be 2048 bytes or shorter. However, an internal
|
|
// conversion compresses it into a packed binary format with a separate limit.
|
|
// The PackedPolicySize response element indicates by percentage how close to
|
|
// the upper size limit the policy is, with 100% equaling the maximum allowed
|
|
// size.
|
|
//
|
|
// For more information about how permissions work, see Permissions for GetFederationToken
|
|
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
|
|
Policy *string `min:"1" type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetFederationTokenInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetFederationTokenInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *GetFederationTokenInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "GetFederationTokenInput"}
|
|
if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
|
|
invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900))
|
|
}
|
|
|
|
if s.Name == nil {
|
|
invalidParams.Add(aws.NewErrParamRequired("Name"))
|
|
}
|
|
if s.Name != nil && len(*s.Name) < 2 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("Name", 2))
|
|
}
|
|
if s.Policy != nil && len(*s.Policy) < 1 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("Policy", 1))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Contains the response to a successful GetFederationToken request, including
|
|
// temporary AWS credentials that can be used to make AWS requests.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse
|
|
type GetFederationTokenOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The temporary security credentials, which include an access key ID, a secret
|
|
// access key, and a security (or session) token.
|
|
//
|
|
// Note: The size of the security token that STS APIs return is not fixed. We
|
|
// strongly recommend that you make no assumptions about the maximum size. As
|
|
// of this writing, the typical size is less than 4096 bytes, but that can vary.
|
|
// Also, future updates to AWS might require larger sizes.
|
|
Credentials *Credentials `type:"structure"`
|
|
|
|
// Identifiers for the federated user associated with the credentials (such
|
|
// as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
|
|
// can use the federated user's ARN in your resource-based policies, such as
|
|
// an Amazon S3 bucket policy.
|
|
FederatedUser *FederatedUser `type:"structure"`
|
|
|
|
// A percentage value indicating the size of the policy in packed form. The
|
|
// service rejects policies for which the packed size is greater than 100 percent
|
|
// of the allowed value.
|
|
PackedPolicySize *int64 `type:"integer"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetFederationTokenOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetFederationTokenOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s GetFederationTokenOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|
|
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenRequest
|
|
type GetSessionTokenInput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
// The duration, in seconds, that the credentials should remain valid. Acceptable
|
|
// durations for IAM user sessions range from 900 seconds (15 minutes) to 129600
|
|
// seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions
|
|
// for AWS account owners are restricted to a maximum of 3600 seconds (one hour).
|
|
// If the duration is longer than one hour, the session for AWS account owners
|
|
// defaults to one hour.
|
|
DurationSeconds *int64 `min:"900" type:"integer"`
|
|
|
|
// The identification number of the MFA device that is associated with the IAM
|
|
// user who is making the GetSessionToken call. Specify this value if the IAM
|
|
// user has a policy that requires MFA authentication. The value is either the
|
|
// serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
|
|
// Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
|
|
// You can find the device for an IAM user by going to the AWS Management Console
|
|
// and viewing the user's security credentials.
|
|
//
|
|
// The regex used to validated this parameter is a string of characters consisting
|
|
// of upper- and lower-case alphanumeric characters with no spaces. You can
|
|
// also include underscores or any of the following characters: =,.@:/-
|
|
SerialNumber *string `min:"9" type:"string"`
|
|
|
|
// The value provided by the MFA device, if MFA is required. If any policy requires
|
|
// the IAM user to submit an MFA code, specify this value. If MFA authentication
|
|
// is required, and the user does not provide a code when requesting a set of
|
|
// temporary security credentials, the user will receive an "access denied"
|
|
// response when requesting resources that require MFA authentication.
|
|
//
|
|
// The format for this parameter, as described by its regex pattern, is a sequence
|
|
// of six numeric digits.
|
|
TokenCode *string `min:"6" type:"string"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetSessionTokenInput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetSessionTokenInput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// Validate inspects the fields of the type to determine if they are valid.
|
|
func (s *GetSessionTokenInput) Validate() error {
|
|
invalidParams := aws.ErrInvalidParams{Context: "GetSessionTokenInput"}
|
|
if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
|
|
invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900))
|
|
}
|
|
if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("SerialNumber", 9))
|
|
}
|
|
if s.TokenCode != nil && len(*s.TokenCode) < 6 {
|
|
invalidParams.Add(aws.NewErrParamMinLen("TokenCode", 6))
|
|
}
|
|
|
|
if invalidParams.Len() > 0 {
|
|
return invalidParams
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Contains the response to a successful GetSessionToken request, including
|
|
// temporary AWS credentials that can be used to make AWS requests.
|
|
// Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenResponse
|
|
type GetSessionTokenOutput struct {
|
|
_ struct{} `type:"structure"`
|
|
|
|
responseMetadata aws.Response
|
|
|
|
// The temporary security credentials, which include an access key ID, a secret
|
|
// access key, and a security (or session) token.
|
|
//
|
|
// Note: The size of the security token that STS APIs return is not fixed. We
|
|
// strongly recommend that you make no assumptions about the maximum size. As
|
|
// of this writing, the typical size is less than 4096 bytes, but that can vary.
|
|
// Also, future updates to AWS might require larger sizes.
|
|
Credentials *Credentials `type:"structure"`
|
|
}
|
|
|
|
// String returns the string representation
|
|
func (s GetSessionTokenOutput) String() string {
|
|
return awsutil.Prettify(s)
|
|
}
|
|
|
|
// GoString returns the string representation
|
|
func (s GetSessionTokenOutput) GoString() string {
|
|
return s.String()
|
|
}
|
|
|
|
// SDKResponseMetdata return sthe response metadata for the API.
|
|
func (s GetSessionTokenOutput) SDKResponseMetadata() aws.Response {
|
|
return s.responseMetadata
|
|
}
|