]>
Commit | Line | Data |
---|---|---|
bae9f6d2 JC |
1 | // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. |
2 | ||
3 | package sts | |
4 | ||
5 | import ( | |
863486a6 | 6 | "fmt" |
bae9f6d2 JC |
7 | "time" |
8 | ||
9 | "github.com/aws/aws-sdk-go/aws" | |
10 | "github.com/aws/aws-sdk-go/aws/awsutil" | |
107c1cdb | 11 | "github.com/aws/aws-sdk-go/aws/credentials" |
bae9f6d2 JC |
12 | "github.com/aws/aws-sdk-go/aws/request" |
13 | ) | |
14 | ||
15 | const opAssumeRole = "AssumeRole" | |
16 | ||
17 | // AssumeRoleRequest generates a "aws/request.Request" representing the | |
18 | // client's request for the AssumeRole operation. The "output" return | |
15c0b25d | 19 | // value will be populated with the request's response once the request completes |
107c1cdb | 20 | // successfully. |
bae9f6d2 | 21 | // |
15c0b25d AP |
22 | // Use "Send" method on the returned Request to send the API call to the service. |
23 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 24 | // |
15c0b25d AP |
25 | // See AssumeRole for more information on using the AssumeRole |
26 | // API call, and error handling. | |
27 | // | |
28 | // This method is useful when you want to inject custom logic or configuration | |
29 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 30 | // |
bae9f6d2 JC |
31 | // |
32 | // // Example sending a request using the AssumeRoleRequest method. | |
33 | // req, resp := client.AssumeRoleRequest(params) | |
34 | // | |
35 | // err := req.Send() | |
36 | // if err == nil { // resp is now filled | |
37 | // fmt.Println(resp) | |
38 | // } | |
39 | // | |
15c0b25d | 40 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole |
bae9f6d2 JC |
41 | func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { |
42 | op := &request.Operation{ | |
43 | Name: opAssumeRole, | |
44 | HTTPMethod: "POST", | |
45 | HTTPPath: "/", | |
46 | } | |
47 | ||
48 | if input == nil { | |
49 | input = &AssumeRoleInput{} | |
50 | } | |
51 | ||
52 | output = &AssumeRoleOutput{} | |
53 | req = c.newRequest(op, input, output) | |
54 | return | |
55 | } | |
56 | ||
57 | // AssumeRole API operation for AWS Security Token Service. | |
58 | // | |
863486a6 AG |
59 | // Returns a set of temporary security credentials that you can use to access |
60 | // AWS resources that you might not normally have access to. These temporary | |
61 | // credentials consist of an access key ID, a secret access key, and a security | |
62 | // token. Typically, you use AssumeRole within your account or for cross-account | |
63 | // access. For a comparison of AssumeRole with other API operations that produce | |
64 | // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
65 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
bae9f6d2 JC |
66 | // in the IAM User Guide. |
67 | // | |
863486a6 AG |
68 | // You cannot use AWS account root user credentials to call AssumeRole. You |
69 | // must use credentials for an IAM user or an IAM role to call AssumeRole. | |
bae9f6d2 JC |
70 | // |
71 | // For cross-account access, imagine that you own multiple accounts and need | |
72 | // to access resources in each account. You could create long-term credentials | |
73 | // in each account to access those resources. However, managing all those credentials | |
74 | // and remembering which one can access which account can be time consuming. | |
863486a6 AG |
75 | // Instead, you can create one set of long-term credentials in one account. |
76 | // Then use temporary security credentials to access all the other accounts | |
bae9f6d2 | 77 | // by assuming roles in those accounts. For more information about roles, see |
863486a6 | 78 | // IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) |
bae9f6d2 JC |
79 | // in the IAM User Guide. |
80 | // | |
15c0b25d AP |
81 | // By default, the temporary security credentials created by AssumeRole last |
82 | // for one hour. However, you can use the optional DurationSeconds parameter | |
83 | // to specify the duration of your session. You can provide a value from 900 | |
84 | // seconds (15 minutes) up to the maximum session duration setting for the role. | |
85 | // This setting can have a value from 1 hour to 12 hours. To learn how to view | |
86 | // the maximum value for your role, see View the Maximum Session Duration Setting | |
863486a6 | 87 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d | 88 | // in the IAM User Guide. The maximum session duration limit applies when you |
863486a6 AG |
89 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
90 | // the limit does not apply when you use those operations to create a console | |
91 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | |
15c0b25d | 92 | // in the IAM User Guide. |
bae9f6d2 JC |
93 | // |
94 | // The temporary security credentials created by AssumeRole can be used to make | |
863486a6 AG |
95 | // API calls to any AWS service with the following exception: You cannot call |
96 | // the AWS STS GetFederationToken or GetSessionToken API operations. | |
97 | // | |
98 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
99 | // to this operation. You can pass a single JSON policy document to use as an | |
100 | // inline session policy. You can also specify up to 10 managed policies to | |
101 | // use as managed session policies. The plain text that you use for both inline | |
102 | // and managed session policies shouldn't exceed 2048 characters. Passing policies | |
103 | // to this operation returns new temporary credentials. The resulting session's | |
104 | // permissions are the intersection of the role's identity-based policy and | |
105 | // the session policies. You can use the role's temporary credentials in subsequent | |
106 | // AWS API calls to access resources in the account that owns the role. You | |
107 | // cannot use session policies to grant more permissions than those allowed | |
108 | // by the identity-based policy of the role that is being assumed. For more | |
109 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
110 | // in the IAM User Guide. |
111 | // | |
863486a6 AG |
112 | // To assume a role from a different account, your AWS account must be trusted |
113 | // by the role. The trust relationship is defined in the role's trust policy | |
114 | // when the role is created. That trust policy states which accounts are allowed | |
115 | // to delegate that access to users in the account. | |
116 | // | |
117 | // A user who wants to access a role in a different account must also have permissions | |
118 | // that are delegated from the user account administrator. The administrator | |
119 | // must attach a policy that allows the user to call AssumeRole for the ARN | |
120 | // of the role in the other account. If the user is in the same account as the | |
121 | // role, then you can do either of the following: | |
122 | // | |
123 | // * Attach a policy to the user (identical to the previous user in a different | |
124 | // account). | |
125 | // | |
126 | // * Add the user as a principal directly in the role's trust policy. | |
127 | // | |
128 | // In this case, the trust policy acts as an IAM resource-based policy. Users | |
129 | // in the same account as the role do not need explicit permission to assume | |
130 | // the role. For more information about trust policies and resource-based policies, | |
131 | // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) | |
15c0b25d | 132 | // in the IAM User Guide. |
bae9f6d2 JC |
133 | // |
134 | // Using MFA with AssumeRole | |
135 | // | |
863486a6 AG |
136 | // (Optional) You can include multi-factor authentication (MFA) information |
137 | // when you call AssumeRole. This is useful for cross-account scenarios to ensure | |
138 | // that the user that assumes the role has been authenticated with an AWS MFA | |
139 | // device. In that scenario, the trust policy of the role being assumed includes | |
140 | // a condition that tests for MFA authentication. If the caller does not include | |
141 | // valid MFA information, the request to assume the role is denied. The condition | |
142 | // in a trust policy that tests for MFA authentication might look like the following | |
143 | // example. | |
bae9f6d2 JC |
144 | // |
145 | // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} | |
146 | // | |
863486a6 | 147 | // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) |
bae9f6d2 JC |
148 | // in the IAM User Guide guide. |
149 | // | |
150 | // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode | |
151 | // parameters. The SerialNumber value identifies the user's hardware or virtual | |
152 | // MFA device. The TokenCode is the time-based one-time password (TOTP) that | |
863486a6 | 153 | // the MFA device produces. |
bae9f6d2 JC |
154 | // |
155 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
156 | // with awserr.Error's Code and Message methods to get detailed information about | |
157 | // the error. | |
158 | // | |
159 | // See the AWS API reference guide for AWS Security Token Service's | |
160 | // API operation AssumeRole for usage and error information. | |
161 | // | |
162 | // Returned Error Codes: | |
163 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
164 | // The request was rejected because the policy document was malformed. The error | |
165 | // message describes the specific error. | |
166 | // | |
167 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
168 | // The request was rejected because the policy document was too large. The error | |
169 | // message describes how big the policy document is, in packed form, as a percentage | |
170 | // of what the API allows. | |
171 | // | |
172 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
173 | // STS is not activated in the requested region for the account that is being | |
174 | // asked to generate credentials. The account administrator must use the IAM | |
175 | // console to activate STS in that region. For more information, see Activating | |
863486a6 | 176 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
bae9f6d2 JC |
177 | // in the IAM User Guide. |
178 | // | |
15c0b25d | 179 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole |
bae9f6d2 JC |
180 | func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { |
181 | req, out := c.AssumeRoleRequest(input) | |
182 | return out, req.Send() | |
183 | } | |
184 | ||
185 | // AssumeRoleWithContext is the same as AssumeRole with the addition of | |
186 | // the ability to pass a context and additional request options. | |
187 | // | |
188 | // See AssumeRole for details on how to use this API operation. | |
189 | // | |
190 | // The context must be non-nil and will be used for request cancellation. If | |
191 | // the context is nil a panic will occur. In the future the SDK may create | |
192 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
193 | // for more information on using Contexts. | |
194 | func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { | |
195 | req, out := c.AssumeRoleRequest(input) | |
196 | req.SetContext(ctx) | |
197 | req.ApplyOptions(opts...) | |
198 | return out, req.Send() | |
199 | } | |
200 | ||
201 | const opAssumeRoleWithSAML = "AssumeRoleWithSAML" | |
202 | ||
203 | // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the | |
204 | // client's request for the AssumeRoleWithSAML operation. The "output" return | |
15c0b25d | 205 | // value will be populated with the request's response once the request completes |
107c1cdb | 206 | // successfully. |
bae9f6d2 | 207 | // |
15c0b25d AP |
208 | // Use "Send" method on the returned Request to send the API call to the service. |
209 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 210 | // |
15c0b25d AP |
211 | // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML |
212 | // API call, and error handling. | |
213 | // | |
214 | // This method is useful when you want to inject custom logic or configuration | |
215 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 216 | // |
bae9f6d2 JC |
217 | // |
218 | // // Example sending a request using the AssumeRoleWithSAMLRequest method. | |
219 | // req, resp := client.AssumeRoleWithSAMLRequest(params) | |
220 | // | |
221 | // err := req.Send() | |
222 | // if err == nil { // resp is now filled | |
223 | // fmt.Println(resp) | |
224 | // } | |
225 | // | |
15c0b25d | 226 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML |
bae9f6d2 JC |
227 | func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { |
228 | op := &request.Operation{ | |
229 | Name: opAssumeRoleWithSAML, | |
230 | HTTPMethod: "POST", | |
231 | HTTPPath: "/", | |
232 | } | |
233 | ||
234 | if input == nil { | |
235 | input = &AssumeRoleWithSAMLInput{} | |
236 | } | |
237 | ||
238 | output = &AssumeRoleWithSAMLOutput{} | |
239 | req = c.newRequest(op, input, output) | |
107c1cdb | 240 | req.Config.Credentials = credentials.AnonymousCredentials |
bae9f6d2 JC |
241 | return |
242 | } | |
243 | ||
244 | // AssumeRoleWithSAML API operation for AWS Security Token Service. | |
245 | // | |
246 | // Returns a set of temporary security credentials for users who have been authenticated | |
247 | // via a SAML authentication response. This operation provides a mechanism for | |
248 | // tying an enterprise identity store or directory to role-based AWS access | |
249 | // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML | |
863486a6 AG |
250 | // with the other API operations that produce temporary credentials, see Requesting |
251 | // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
252 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
bae9f6d2 JC |
253 | // in the IAM User Guide. |
254 | // | |
255 | // The temporary security credentials returned by this operation consist of | |
256 | // an access key ID, a secret access key, and a security token. Applications | |
257 | // can use these temporary security credentials to sign calls to AWS services. | |
258 | // | |
15c0b25d AP |
259 | // By default, the temporary security credentials created by AssumeRoleWithSAML |
260 | // last for one hour. However, you can use the optional DurationSeconds parameter | |
261 | // to specify the duration of your session. Your role session lasts for the | |
262 | // duration that you specify, or until the time specified in the SAML authentication | |
263 | // response's SessionNotOnOrAfter value, whichever is shorter. You can provide | |
264 | // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session | |
265 | // duration setting for the role. This setting can have a value from 1 hour | |
266 | // to 12 hours. To learn how to view the maximum value for your role, see View | |
863486a6 | 267 | // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d | 268 | // in the IAM User Guide. The maximum session duration limit applies when you |
863486a6 AG |
269 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
270 | // the limit does not apply when you use those operations to create a console | |
271 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | |
15c0b25d | 272 | // in the IAM User Guide. |
bae9f6d2 JC |
273 | // |
274 | // The temporary security credentials created by AssumeRoleWithSAML can be used | |
275 | // to make API calls to any AWS service with the following exception: you cannot | |
863486a6 AG |
276 | // call the STS GetFederationToken or GetSessionToken API operations. |
277 | // | |
278 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
279 | // to this operation. You can pass a single JSON policy document to use as an | |
280 | // inline session policy. You can also specify up to 10 managed policies to | |
281 | // use as managed session policies. The plain text that you use for both inline | |
282 | // and managed session policies shouldn't exceed 2048 characters. Passing policies | |
283 | // to this operation returns new temporary credentials. The resulting session's | |
284 | // permissions are the intersection of the role's identity-based policy and | |
285 | // the session policies. You can use the role's temporary credentials in subsequent | |
286 | // AWS API calls to access resources in the account that owns the role. You | |
287 | // cannot use session policies to grant more permissions than those allowed | |
288 | // by the identity-based policy of the role that is being assumed. For more | |
289 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
290 | // in the IAM User Guide. |
291 | // | |
292 | // Before your application can call AssumeRoleWithSAML, you must configure your | |
293 | // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, | |
294 | // you must use AWS Identity and Access Management (IAM) to create a SAML provider | |
863486a6 AG |
295 | // entity in your AWS account that represents your identity provider. You must |
296 | // also create an IAM role that specifies this SAML provider in its trust policy. | |
bae9f6d2 JC |
297 | // |
298 | // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. | |
299 | // The identity of the caller is validated by using keys in the metadata document | |
300 | // that is uploaded for the SAML provider entity for your identity provider. | |
301 | // | |
302 | // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail | |
303 | // logs. The entry includes the value in the NameID element of the SAML assertion. | |
304 | // We recommend that you use a NameIDType that is not associated with any personally | |
305 | // identifiable information (PII). For example, you could instead use the Persistent | |
306 | // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). | |
307 | // | |
308 | // For more information, see the following resources: | |
309 | // | |
863486a6 | 310 | // * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) |
bae9f6d2 JC |
311 | // in the IAM User Guide. |
312 | // | |
863486a6 | 313 | // * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) |
bae9f6d2 JC |
314 | // in the IAM User Guide. |
315 | // | |
863486a6 | 316 | // * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) |
bae9f6d2 JC |
317 | // in the IAM User Guide. |
318 | // | |
863486a6 | 319 | // * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) |
bae9f6d2 JC |
320 | // in the IAM User Guide. |
321 | // | |
322 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
323 | // with awserr.Error's Code and Message methods to get detailed information about | |
324 | // the error. | |
325 | // | |
326 | // See the AWS API reference guide for AWS Security Token Service's | |
327 | // API operation AssumeRoleWithSAML for usage and error information. | |
328 | // | |
329 | // Returned Error Codes: | |
330 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
331 | // The request was rejected because the policy document was malformed. The error | |
332 | // message describes the specific error. | |
333 | // | |
334 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
335 | // The request was rejected because the policy document was too large. The error | |
336 | // message describes how big the policy document is, in packed form, as a percentage | |
337 | // of what the API allows. | |
338 | // | |
339 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | |
340 | // The identity provider (IdP) reported that authentication failed. This might | |
341 | // be because the claim is invalid. | |
342 | // | |
343 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | |
344 | // can also mean that the claim has expired or has been explicitly revoked. | |
345 | // | |
346 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | |
347 | // The web identity token that was passed could not be validated by AWS. Get | |
348 | // a new identity token from the identity provider and then retry the request. | |
349 | // | |
350 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | |
351 | // The web identity token that was passed is expired or is not valid. Get a | |
352 | // new identity token from the identity provider and then retry the request. | |
353 | // | |
354 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
355 | // STS is not activated in the requested region for the account that is being | |
356 | // asked to generate credentials. The account administrator must use the IAM | |
357 | // console to activate STS in that region. For more information, see Activating | |
863486a6 | 358 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
bae9f6d2 JC |
359 | // in the IAM User Guide. |
360 | // | |
15c0b25d | 361 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML |
bae9f6d2 JC |
362 | func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { |
363 | req, out := c.AssumeRoleWithSAMLRequest(input) | |
364 | return out, req.Send() | |
365 | } | |
366 | ||
367 | // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of | |
368 | // the ability to pass a context and additional request options. | |
369 | // | |
370 | // See AssumeRoleWithSAML for details on how to use this API operation. | |
371 | // | |
372 | // The context must be non-nil and will be used for request cancellation. If | |
373 | // the context is nil a panic will occur. In the future the SDK may create | |
374 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
375 | // for more information on using Contexts. | |
376 | func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { | |
377 | req, out := c.AssumeRoleWithSAMLRequest(input) | |
378 | req.SetContext(ctx) | |
379 | req.ApplyOptions(opts...) | |
380 | return out, req.Send() | |
381 | } | |
382 | ||
383 | const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" | |
384 | ||
385 | // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the | |
386 | // client's request for the AssumeRoleWithWebIdentity operation. The "output" return | |
15c0b25d | 387 | // value will be populated with the request's response once the request completes |
107c1cdb | 388 | // successfully. |
bae9f6d2 | 389 | // |
15c0b25d AP |
390 | // Use "Send" method on the returned Request to send the API call to the service. |
391 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 392 | // |
15c0b25d AP |
393 | // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity |
394 | // API call, and error handling. | |
395 | // | |
396 | // This method is useful when you want to inject custom logic or configuration | |
397 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 398 | // |
bae9f6d2 JC |
399 | // |
400 | // // Example sending a request using the AssumeRoleWithWebIdentityRequest method. | |
401 | // req, resp := client.AssumeRoleWithWebIdentityRequest(params) | |
402 | // | |
403 | // err := req.Send() | |
404 | // if err == nil { // resp is now filled | |
405 | // fmt.Println(resp) | |
406 | // } | |
407 | // | |
15c0b25d | 408 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity |
bae9f6d2 JC |
409 | func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { |
410 | op := &request.Operation{ | |
411 | Name: opAssumeRoleWithWebIdentity, | |
412 | HTTPMethod: "POST", | |
413 | HTTPPath: "/", | |
414 | } | |
415 | ||
416 | if input == nil { | |
417 | input = &AssumeRoleWithWebIdentityInput{} | |
418 | } | |
419 | ||
420 | output = &AssumeRoleWithWebIdentityOutput{} | |
421 | req = c.newRequest(op, input, output) | |
107c1cdb | 422 | req.Config.Credentials = credentials.AnonymousCredentials |
bae9f6d2 JC |
423 | return |
424 | } | |
425 | ||
426 | // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. | |
427 | // | |
428 | // Returns a set of temporary security credentials for users who have been authenticated | |
863486a6 AG |
429 | // in a mobile or web application with a web identity provider. Example providers |
430 | // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID | |
431 | // Connect-compatible identity provider. | |
bae9f6d2 JC |
432 | // |
433 | // For mobile applications, we recommend that you use Amazon Cognito. You can | |
863486a6 AG |
434 | // use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) |
435 | // and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) | |
436 | // to uniquely identify a user. You can also supply the user with a consistent | |
437 | // identity throughout the lifetime of an application. | |
438 | // | |
439 | // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) | |
440 | // in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) | |
bae9f6d2 JC |
441 | // in the AWS SDK for iOS Developer Guide. |
442 | // | |
443 | // Calling AssumeRoleWithWebIdentity does not require the use of AWS security | |
444 | // credentials. Therefore, you can distribute an application (for example, on | |
445 | // mobile devices) that requests temporary security credentials without including | |
863486a6 AG |
446 | // long-term AWS credentials in the application. You also don't need to deploy |
447 | // server-based proxy services that use long-term AWS credentials. Instead, | |
448 | // the identity of the caller is validated by using a token from the web identity | |
449 | // provider. For a comparison of AssumeRoleWithWebIdentity with the other API | |
450 | // operations that produce temporary credentials, see Requesting Temporary Security | |
451 | // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
452 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
bae9f6d2 JC |
453 | // in the IAM User Guide. |
454 | // | |
455 | // The temporary security credentials returned by this API consist of an access | |
456 | // key ID, a secret access key, and a security token. Applications can use these | |
863486a6 | 457 | // temporary security credentials to sign calls to AWS service API operations. |
bae9f6d2 | 458 | // |
15c0b25d AP |
459 | // By default, the temporary security credentials created by AssumeRoleWithWebIdentity |
460 | // last for one hour. However, you can use the optional DurationSeconds parameter | |
461 | // to specify the duration of your session. You can provide a value from 900 | |
462 | // seconds (15 minutes) up to the maximum session duration setting for the role. | |
463 | // This setting can have a value from 1 hour to 12 hours. To learn how to view | |
464 | // the maximum value for your role, see View the Maximum Session Duration Setting | |
863486a6 | 465 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d | 466 | // in the IAM User Guide. The maximum session duration limit applies when you |
863486a6 AG |
467 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
468 | // the limit does not apply when you use those operations to create a console | |
469 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | |
15c0b25d | 470 | // in the IAM User Guide. |
bae9f6d2 JC |
471 | // |
472 | // The temporary security credentials created by AssumeRoleWithWebIdentity can | |
473 | // be used to make API calls to any AWS service with the following exception: | |
863486a6 AG |
474 | // you cannot call the STS GetFederationToken or GetSessionToken API operations. |
475 | // | |
476 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
477 | // to this operation. You can pass a single JSON policy document to use as an | |
478 | // inline session policy. You can also specify up to 10 managed policies to | |
479 | // use as managed session policies. The plain text that you use for both inline | |
480 | // and managed session policies shouldn't exceed 2048 characters. Passing policies | |
481 | // to this operation returns new temporary credentials. The resulting session's | |
482 | // permissions are the intersection of the role's identity-based policy and | |
483 | // the session policies. You can use the role's temporary credentials in subsequent | |
484 | // AWS API calls to access resources in the account that owns the role. You | |
485 | // cannot use session policies to grant more permissions than those allowed | |
486 | // by the identity-based policy of the role that is being assumed. For more | |
487 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
488 | // in the IAM User Guide. |
489 | // | |
490 | // Before your application can call AssumeRoleWithWebIdentity, you must have | |
491 | // an identity token from a supported identity provider and create a role that | |
492 | // the application can assume. The role that your application assumes must trust | |
493 | // the identity provider that is associated with the identity token. In other | |
494 | // words, the identity provider must be specified in the role's trust policy. | |
495 | // | |
496 | // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail | |
497 | // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) | |
498 | // of the provided Web Identity Token. We recommend that you avoid using any | |
499 | // personally identifiable information (PII) in this field. For example, you | |
500 | // could instead use a GUID or a pairwise identifier, as suggested in the OIDC | |
501 | // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). | |
502 | // | |
503 | // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity | |
504 | // API, see the following resources: | |
505 | // | |
863486a6 AG |
506 | // * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) |
507 | // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | |
bae9f6d2 | 508 | // |
863486a6 AG |
509 | // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). |
510 | // Walk through the process of authenticating through Login with Amazon, | |
511 | // Facebook, or Google, getting temporary security credentials, and then | |
512 | // using those credentials to make a request to AWS. | |
bae9f6d2 | 513 | // |
863486a6 AG |
514 | // * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and |
515 | // AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). | |
516 | // These toolkits contain sample apps that show how to invoke the identity | |
517 | // providers, and then how to use the information from these providers to | |
518 | // get and use temporary security credentials. | |
bae9f6d2 | 519 | // |
15c0b25d | 520 | // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). |
bae9f6d2 JC |
521 | // This article discusses web identity federation and shows an example of |
522 | // how to use web identity federation to get access to content in Amazon | |
523 | // S3. | |
524 | // | |
525 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
526 | // with awserr.Error's Code and Message methods to get detailed information about | |
527 | // the error. | |
528 | // | |
529 | // See the AWS API reference guide for AWS Security Token Service's | |
530 | // API operation AssumeRoleWithWebIdentity for usage and error information. | |
531 | // | |
532 | // Returned Error Codes: | |
533 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
534 | // The request was rejected because the policy document was malformed. The error | |
535 | // message describes the specific error. | |
536 | // | |
537 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
538 | // The request was rejected because the policy document was too large. The error | |
539 | // message describes how big the policy document is, in packed form, as a percentage | |
540 | // of what the API allows. | |
541 | // | |
542 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | |
543 | // The identity provider (IdP) reported that authentication failed. This might | |
544 | // be because the claim is invalid. | |
545 | // | |
546 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | |
547 | // can also mean that the claim has expired or has been explicitly revoked. | |
548 | // | |
549 | // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" | |
550 | // The request could not be fulfilled because the non-AWS identity provider | |
551 | // (IDP) that was asked to verify the incoming identity token could not be reached. | |
552 | // This is often a transient error caused by network conditions. Retry the request | |
553 | // a limited number of times so that you don't exceed the request rate. If the | |
554 | // error persists, the non-AWS identity provider might be down or not responding. | |
555 | // | |
556 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | |
557 | // The web identity token that was passed could not be validated by AWS. Get | |
558 | // a new identity token from the identity provider and then retry the request. | |
559 | // | |
560 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | |
561 | // The web identity token that was passed is expired or is not valid. Get a | |
562 | // new identity token from the identity provider and then retry the request. | |
563 | // | |
564 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
565 | // STS is not activated in the requested region for the account that is being | |
566 | // asked to generate credentials. The account administrator must use the IAM | |
567 | // console to activate STS in that region. For more information, see Activating | |
863486a6 | 568 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
bae9f6d2 JC |
569 | // in the IAM User Guide. |
570 | // | |
15c0b25d | 571 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity |
bae9f6d2 JC |
572 | func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { |
573 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | |
574 | return out, req.Send() | |
575 | } | |
576 | ||
577 | // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of | |
578 | // the ability to pass a context and additional request options. | |
579 | // | |
580 | // See AssumeRoleWithWebIdentity for details on how to use this API operation. | |
581 | // | |
582 | // The context must be non-nil and will be used for request cancellation. If | |
583 | // the context is nil a panic will occur. In the future the SDK may create | |
584 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
585 | // for more information on using Contexts. | |
586 | func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { | |
587 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | |
588 | req.SetContext(ctx) | |
589 | req.ApplyOptions(opts...) | |
590 | return out, req.Send() | |
591 | } | |
592 | ||
593 | const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" | |
594 | ||
595 | // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the | |
596 | // client's request for the DecodeAuthorizationMessage operation. The "output" return | |
15c0b25d | 597 | // value will be populated with the request's response once the request completes |
107c1cdb | 598 | // successfully. |
bae9f6d2 | 599 | // |
15c0b25d AP |
600 | // Use "Send" method on the returned Request to send the API call to the service. |
601 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 602 | // |
15c0b25d AP |
603 | // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage |
604 | // API call, and error handling. | |
605 | // | |
606 | // This method is useful when you want to inject custom logic or configuration | |
607 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 608 | // |
bae9f6d2 JC |
609 | // |
610 | // // Example sending a request using the DecodeAuthorizationMessageRequest method. | |
611 | // req, resp := client.DecodeAuthorizationMessageRequest(params) | |
612 | // | |
613 | // err := req.Send() | |
614 | // if err == nil { // resp is now filled | |
615 | // fmt.Println(resp) | |
616 | // } | |
617 | // | |
15c0b25d | 618 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage |
bae9f6d2 JC |
619 | func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { |
620 | op := &request.Operation{ | |
621 | Name: opDecodeAuthorizationMessage, | |
622 | HTTPMethod: "POST", | |
623 | HTTPPath: "/", | |
624 | } | |
625 | ||
626 | if input == nil { | |
627 | input = &DecodeAuthorizationMessageInput{} | |
628 | } | |
629 | ||
630 | output = &DecodeAuthorizationMessageOutput{} | |
631 | req = c.newRequest(op, input, output) | |
632 | return | |
633 | } | |
634 | ||
635 | // DecodeAuthorizationMessage API operation for AWS Security Token Service. | |
636 | // | |
637 | // Decodes additional information about the authorization status of a request | |
638 | // from an encoded message returned in response to an AWS request. | |
639 | // | |
863486a6 AG |
640 | // For example, if a user is not authorized to perform an operation that he |
641 | // or she has requested, the request returns a Client.UnauthorizedOperation | |
642 | // response (an HTTP 403 response). Some AWS operations additionally return | |
643 | // an encoded message that can provide details about this authorization failure. | |
bae9f6d2 | 644 | // |
863486a6 AG |
645 | // Only certain AWS operations return an encoded authorization message. The |
646 | // documentation for an individual operation indicates whether that operation | |
647 | // returns an encoded message in addition to returning an HTTP code. | |
bae9f6d2 JC |
648 | // |
649 | // The message is encoded because the details of the authorization status can | |
863486a6 | 650 | // constitute privileged information that the user who requested the operation |
bae9f6d2 JC |
651 | // should not see. To decode an authorization status message, a user must be |
652 | // granted permissions via an IAM policy to request the DecodeAuthorizationMessage | |
653 | // (sts:DecodeAuthorizationMessage) action. | |
654 | // | |
655 | // The decoded message includes the following type of information: | |
656 | // | |
657 | // * Whether the request was denied due to an explicit deny or due to the | |
658 | // absence of an explicit allow. For more information, see Determining Whether | |
863486a6 | 659 | // a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) |
bae9f6d2 JC |
660 | // in the IAM User Guide. |
661 | // | |
662 | // * The principal who made the request. | |
663 | // | |
664 | // * The requested action. | |
665 | // | |
666 | // * The requested resource. | |
667 | // | |
668 | // * The values of condition keys in the context of the user's request. | |
669 | // | |
670 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
671 | // with awserr.Error's Code and Message methods to get detailed information about | |
672 | // the error. | |
673 | // | |
674 | // See the AWS API reference guide for AWS Security Token Service's | |
675 | // API operation DecodeAuthorizationMessage for usage and error information. | |
676 | // | |
677 | // Returned Error Codes: | |
678 | // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" | |
679 | // The error returned if the message passed to DecodeAuthorizationMessage was | |
680 | // invalid. This can happen if the token contains invalid characters, such as | |
681 | // linebreaks. | |
682 | // | |
15c0b25d | 683 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage |
bae9f6d2 JC |
684 | func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { |
685 | req, out := c.DecodeAuthorizationMessageRequest(input) | |
686 | return out, req.Send() | |
687 | } | |
688 | ||
689 | // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of | |
690 | // the ability to pass a context and additional request options. | |
691 | // | |
692 | // See DecodeAuthorizationMessage for details on how to use this API operation. | |
693 | // | |
694 | // The context must be non-nil and will be used for request cancellation. If | |
695 | // the context is nil a panic will occur. In the future the SDK may create | |
696 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
697 | // for more information on using Contexts. | |
698 | func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { | |
699 | req, out := c.DecodeAuthorizationMessageRequest(input) | |
700 | req.SetContext(ctx) | |
701 | req.ApplyOptions(opts...) | |
702 | return out, req.Send() | |
703 | } | |
704 | ||
863486a6 AG |
705 | const opGetAccessKeyInfo = "GetAccessKeyInfo" |
706 | ||
707 | // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the | |
708 | // client's request for the GetAccessKeyInfo operation. The "output" return | |
709 | // value will be populated with the request's response once the request completes | |
710 | // successfully. | |
711 | // | |
712 | // Use "Send" method on the returned Request to send the API call to the service. | |
713 | // the "output" return value is not valid until after Send returns without error. | |
714 | // | |
715 | // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo | |
716 | // API call, and error handling. | |
717 | // | |
718 | // This method is useful when you want to inject custom logic or configuration | |
719 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
720 | // | |
721 | // | |
722 | // // Example sending a request using the GetAccessKeyInfoRequest method. | |
723 | // req, resp := client.GetAccessKeyInfoRequest(params) | |
724 | // | |
725 | // err := req.Send() | |
726 | // if err == nil { // resp is now filled | |
727 | // fmt.Println(resp) | |
728 | // } | |
729 | // | |
730 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo | |
731 | func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { | |
732 | op := &request.Operation{ | |
733 | Name: opGetAccessKeyInfo, | |
734 | HTTPMethod: "POST", | |
735 | HTTPPath: "/", | |
736 | } | |
737 | ||
738 | if input == nil { | |
739 | input = &GetAccessKeyInfoInput{} | |
740 | } | |
741 | ||
742 | output = &GetAccessKeyInfoOutput{} | |
743 | req = c.newRequest(op, input, output) | |
744 | return | |
745 | } | |
746 | ||
747 | // GetAccessKeyInfo API operation for AWS Security Token Service. | |
748 | // | |
749 | // Returns the account identifier for the specified access key ID. | |
750 | // | |
751 | // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) | |
752 | // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). | |
753 | // For more information about access keys, see Managing Access Keys for IAM | |
754 | // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) | |
755 | // in the IAM User Guide. | |
756 | // | |
757 | // When you pass an access key ID to this operation, it returns the ID of the | |
758 | // AWS account to which the keys belong. Access key IDs beginning with AKIA | |
759 | // are long-term credentials for an IAM user or the AWS account root user. Access | |
760 | // key IDs beginning with ASIA are temporary credentials that are created using | |
761 | // STS operations. If the account in the response belongs to you, you can sign | |
762 | // in as the root user and review your root user access keys. Then, you can | |
763 | // pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report) | |
764 | // to learn which IAM user owns the keys. To learn who requested the temporary | |
765 | // credentials for an ASIA access key, view the STS events in your CloudTrail | |
766 | // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration). | |
767 | // | |
768 | // This operation does not indicate the state of the access key. The key might | |
769 | // be active, inactive, or deleted. Active keys might not have permissions to | |
770 | // perform an operation. Providing a deleted keys might return an error that | |
771 | // the key doesn't exist. | |
772 | // | |
773 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
774 | // with awserr.Error's Code and Message methods to get detailed information about | |
775 | // the error. | |
776 | // | |
777 | // See the AWS API reference guide for AWS Security Token Service's | |
778 | // API operation GetAccessKeyInfo for usage and error information. | |
779 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo | |
780 | func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { | |
781 | req, out := c.GetAccessKeyInfoRequest(input) | |
782 | return out, req.Send() | |
783 | } | |
784 | ||
785 | // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of | |
786 | // the ability to pass a context and additional request options. | |
787 | // | |
788 | // See GetAccessKeyInfo for details on how to use this API operation. | |
789 | // | |
790 | // The context must be non-nil and will be used for request cancellation. If | |
791 | // the context is nil a panic will occur. In the future the SDK may create | |
792 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
793 | // for more information on using Contexts. | |
794 | func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { | |
795 | req, out := c.GetAccessKeyInfoRequest(input) | |
796 | req.SetContext(ctx) | |
797 | req.ApplyOptions(opts...) | |
798 | return out, req.Send() | |
799 | } | |
800 | ||
bae9f6d2 JC |
801 | const opGetCallerIdentity = "GetCallerIdentity" |
802 | ||
803 | // GetCallerIdentityRequest generates a "aws/request.Request" representing the | |
804 | // client's request for the GetCallerIdentity operation. The "output" return | |
15c0b25d | 805 | // value will be populated with the request's response once the request completes |
107c1cdb | 806 | // successfully. |
15c0b25d AP |
807 | // |
808 | // Use "Send" method on the returned Request to send the API call to the service. | |
809 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 810 | // |
15c0b25d AP |
811 | // See GetCallerIdentity for more information on using the GetCallerIdentity |
812 | // API call, and error handling. | |
bae9f6d2 | 813 | // |
15c0b25d AP |
814 | // This method is useful when you want to inject custom logic or configuration |
815 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 816 | // |
bae9f6d2 JC |
817 | // |
818 | // // Example sending a request using the GetCallerIdentityRequest method. | |
819 | // req, resp := client.GetCallerIdentityRequest(params) | |
820 | // | |
821 | // err := req.Send() | |
822 | // if err == nil { // resp is now filled | |
823 | // fmt.Println(resp) | |
824 | // } | |
825 | // | |
15c0b25d | 826 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity |
bae9f6d2 JC |
827 | func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { |
828 | op := &request.Operation{ | |
829 | Name: opGetCallerIdentity, | |
830 | HTTPMethod: "POST", | |
831 | HTTPPath: "/", | |
832 | } | |
833 | ||
834 | if input == nil { | |
835 | input = &GetCallerIdentityInput{} | |
836 | } | |
837 | ||
838 | output = &GetCallerIdentityOutput{} | |
839 | req = c.newRequest(op, input, output) | |
840 | return | |
841 | } | |
842 | ||
843 | // GetCallerIdentity API operation for AWS Security Token Service. | |
844 | // | |
845 | // Returns details about the IAM identity whose credentials are used to call | |
846 | // the API. | |
847 | // | |
848 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
849 | // with awserr.Error's Code and Message methods to get detailed information about | |
850 | // the error. | |
851 | // | |
852 | // See the AWS API reference guide for AWS Security Token Service's | |
853 | // API operation GetCallerIdentity for usage and error information. | |
15c0b25d | 854 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity |
bae9f6d2 JC |
855 | func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { |
856 | req, out := c.GetCallerIdentityRequest(input) | |
857 | return out, req.Send() | |
858 | } | |
859 | ||
860 | // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of | |
861 | // the ability to pass a context and additional request options. | |
862 | // | |
863 | // See GetCallerIdentity for details on how to use this API operation. | |
864 | // | |
865 | // The context must be non-nil and will be used for request cancellation. If | |
866 | // the context is nil a panic will occur. In the future the SDK may create | |
867 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
868 | // for more information on using Contexts. | |
869 | func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { | |
870 | req, out := c.GetCallerIdentityRequest(input) | |
871 | req.SetContext(ctx) | |
872 | req.ApplyOptions(opts...) | |
873 | return out, req.Send() | |
874 | } | |
875 | ||
876 | const opGetFederationToken = "GetFederationToken" | |
877 | ||
878 | // GetFederationTokenRequest generates a "aws/request.Request" representing the | |
879 | // client's request for the GetFederationToken operation. The "output" return | |
15c0b25d | 880 | // value will be populated with the request's response once the request completes |
107c1cdb | 881 | // successfully. |
bae9f6d2 | 882 | // |
15c0b25d AP |
883 | // Use "Send" method on the returned Request to send the API call to the service. |
884 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 885 | // |
15c0b25d AP |
886 | // See GetFederationToken for more information on using the GetFederationToken |
887 | // API call, and error handling. | |
888 | // | |
889 | // This method is useful when you want to inject custom logic or configuration | |
890 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 891 | // |
bae9f6d2 JC |
892 | // |
893 | // // Example sending a request using the GetFederationTokenRequest method. | |
894 | // req, resp := client.GetFederationTokenRequest(params) | |
895 | // | |
896 | // err := req.Send() | |
897 | // if err == nil { // resp is now filled | |
898 | // fmt.Println(resp) | |
899 | // } | |
900 | // | |
15c0b25d | 901 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken |
bae9f6d2 JC |
902 | func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { |
903 | op := &request.Operation{ | |
904 | Name: opGetFederationToken, | |
905 | HTTPMethod: "POST", | |
906 | HTTPPath: "/", | |
907 | } | |
908 | ||
909 | if input == nil { | |
910 | input = &GetFederationTokenInput{} | |
911 | } | |
912 | ||
913 | output = &GetFederationTokenOutput{} | |
914 | req = c.newRequest(op, input, output) | |
915 | return | |
916 | } | |
917 | ||
918 | // GetFederationToken API operation for AWS Security Token Service. | |
919 | // | |
920 | // Returns a set of temporary security credentials (consisting of an access | |
921 | // key ID, a secret access key, and a security token) for a federated user. | |
922 | // A typical use is in a proxy application that gets temporary security credentials | |
863486a6 AG |
923 | // on behalf of distributed applications inside a corporate network. You must |
924 | // call the GetFederationToken operation using the long-term security credentials | |
925 | // of an IAM user. As a result, this call is appropriate in contexts where those | |
bae9f6d2 | 926 | // credentials can be safely stored, usually in a server-based application. |
863486a6 AG |
927 | // For a comparison of GetFederationToken with the other API operations that |
928 | // produce temporary credentials, see Requesting Temporary Security Credentials | |
929 | // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
930 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
bae9f6d2 JC |
931 | // in the IAM User Guide. |
932 | // | |
863486a6 | 933 | // You can create a mobile-based or browser-based app that can authenticate |
bae9f6d2 | 934 | // users using a web identity provider like Login with Amazon, Facebook, Google, |
863486a6 AG |
935 | // or an OpenID Connect-compatible identity provider. In this case, we recommend |
936 | // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. | |
bae9f6d2 | 937 | // For more information, see Federation Through a Web-based Identity Provider |
863486a6 AG |
938 | // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). |
939 | // | |
940 | // You can also call GetFederationToken using the security credentials of an | |
941 | // AWS account root user, but we do not recommend it. Instead, we recommend | |
942 | // that you create an IAM user for the purpose of the proxy application. Then | |
943 | // attach a policy to the IAM user that limits federated users to only the actions | |
944 | // and resources that they need to access. For more information, see IAM Best | |
945 | // Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) | |
bae9f6d2 JC |
946 | // in the IAM User Guide. |
947 | // | |
863486a6 AG |
948 | // The temporary credentials are valid for the specified duration, from 900 |
949 | // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default | |
950 | // is 43,200 seconds (12 hours). Temporary credentials that are obtained by | |
951 | // using AWS account root user credentials have a maximum duration of 3,600 | |
952 | // seconds (1 hour). | |
bae9f6d2 JC |
953 | // |
954 | // The temporary security credentials created by GetFederationToken can be used | |
955 | // to make API calls to any AWS service with the following exceptions: | |
956 | // | |
863486a6 | 957 | // * You cannot use these credentials to call any IAM API operations. |
bae9f6d2 | 958 | // |
863486a6 | 959 | // * You cannot call any STS API operations except GetCallerIdentity. |
bae9f6d2 JC |
960 | // |
961 | // Permissions | |
962 | // | |
863486a6 AG |
963 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
964 | // to this operation. You can pass a single JSON policy document to use as an | |
965 | // inline session policy. You can also specify up to 10 managed policies to | |
966 | // use as managed session policies. The plain text that you use for both inline | |
967 | // and managed session policies shouldn't exceed 2048 characters. | |
968 | // | |
969 | // Though the session policy parameters are optional, if you do not pass a policy, | |
970 | // then the resulting federated user session has no permissions. The only exception | |
971 | // is when the credentials are used to access a resource that has a resource-based | |
972 | // policy that specifically references the federated user session in the Principal | |
973 | // element of the policy. When you pass session policies, the session permissions | |
974 | // are the intersection of the IAM user policies and the session policies that | |
975 | // you pass. This gives you a way to further restrict the permissions for a | |
976 | // federated user. You cannot use session policies to grant more permissions | |
977 | // than those that are defined in the permissions policy of the IAM user. For | |
978 | // more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
979 | // in the IAM User Guide. For information about using GetFederationToken to | |
980 | // create temporary security credentials, see GetFederationToken—Federation | |
981 | // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). | |
bae9f6d2 JC |
982 | // |
983 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
984 | // with awserr.Error's Code and Message methods to get detailed information about | |
985 | // the error. | |
986 | // | |
987 | // See the AWS API reference guide for AWS Security Token Service's | |
988 | // API operation GetFederationToken for usage and error information. | |
989 | // | |
990 | // Returned Error Codes: | |
991 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
992 | // The request was rejected because the policy document was malformed. The error | |
993 | // message describes the specific error. | |
994 | // | |
995 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
996 | // The request was rejected because the policy document was too large. The error | |
997 | // message describes how big the policy document is, in packed form, as a percentage | |
998 | // of what the API allows. | |
999 | // | |
1000 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
1001 | // STS is not activated in the requested region for the account that is being | |
1002 | // asked to generate credentials. The account administrator must use the IAM | |
1003 | // console to activate STS in that region. For more information, see Activating | |
863486a6 | 1004 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
bae9f6d2 JC |
1005 | // in the IAM User Guide. |
1006 | // | |
15c0b25d | 1007 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken |
bae9f6d2 JC |
1008 | func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { |
1009 | req, out := c.GetFederationTokenRequest(input) | |
1010 | return out, req.Send() | |
1011 | } | |
1012 | ||
1013 | // GetFederationTokenWithContext is the same as GetFederationToken with the addition of | |
1014 | // the ability to pass a context and additional request options. | |
1015 | // | |
1016 | // See GetFederationToken for details on how to use this API operation. | |
1017 | // | |
1018 | // The context must be non-nil and will be used for request cancellation. If | |
1019 | // the context is nil a panic will occur. In the future the SDK may create | |
1020 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
1021 | // for more information on using Contexts. | |
1022 | func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { | |
1023 | req, out := c.GetFederationTokenRequest(input) | |
1024 | req.SetContext(ctx) | |
1025 | req.ApplyOptions(opts...) | |
1026 | return out, req.Send() | |
1027 | } | |
1028 | ||
1029 | const opGetSessionToken = "GetSessionToken" | |
1030 | ||
1031 | // GetSessionTokenRequest generates a "aws/request.Request" representing the | |
1032 | // client's request for the GetSessionToken operation. The "output" return | |
15c0b25d | 1033 | // value will be populated with the request's response once the request completes |
107c1cdb | 1034 | // successfully. |
15c0b25d AP |
1035 | // |
1036 | // Use "Send" method on the returned Request to send the API call to the service. | |
1037 | // the "output" return value is not valid until after Send returns without error. | |
bae9f6d2 | 1038 | // |
15c0b25d AP |
1039 | // See GetSessionToken for more information on using the GetSessionToken |
1040 | // API call, and error handling. | |
bae9f6d2 | 1041 | // |
15c0b25d AP |
1042 | // This method is useful when you want to inject custom logic or configuration |
1043 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | |
bae9f6d2 | 1044 | // |
bae9f6d2 JC |
1045 | // |
1046 | // // Example sending a request using the GetSessionTokenRequest method. | |
1047 | // req, resp := client.GetSessionTokenRequest(params) | |
1048 | // | |
1049 | // err := req.Send() | |
1050 | // if err == nil { // resp is now filled | |
1051 | // fmt.Println(resp) | |
1052 | // } | |
1053 | // | |
15c0b25d | 1054 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken |
bae9f6d2 JC |
1055 | func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { |
1056 | op := &request.Operation{ | |
1057 | Name: opGetSessionToken, | |
1058 | HTTPMethod: "POST", | |
1059 | HTTPPath: "/", | |
1060 | } | |
1061 | ||
1062 | if input == nil { | |
1063 | input = &GetSessionTokenInput{} | |
1064 | } | |
1065 | ||
1066 | output = &GetSessionTokenOutput{} | |
1067 | req = c.newRequest(op, input, output) | |
1068 | return | |
1069 | } | |
1070 | ||
1071 | // GetSessionToken API operation for AWS Security Token Service. | |
1072 | // | |
1073 | // Returns a set of temporary credentials for an AWS account or IAM user. The | |
1074 | // credentials consist of an access key ID, a secret access key, and a security | |
1075 | // token. Typically, you use GetSessionToken if you want to use MFA to protect | |
863486a6 AG |
1076 | // programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. |
1077 | // MFA-enabled IAM users would need to call GetSessionToken and submit an MFA | |
1078 | // code that is associated with their MFA device. Using the temporary security | |
1079 | // credentials that are returned from the call, IAM users can then make programmatic | |
1080 | // calls to API operations that require MFA authentication. If you do not supply | |
1081 | // a correct MFA code, then the API returns an access denied error. For a comparison | |
1082 | // of GetSessionToken with the other API operations that produce temporary credentials, | |
1083 | // see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
1084 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
bae9f6d2 JC |
1085 | // in the IAM User Guide. |
1086 | // | |
863486a6 AG |
1087 | // The GetSessionToken operation must be called by using the long-term AWS security |
1088 | // credentials of the AWS account root user or an IAM user. Credentials that | |
1089 | // are created by IAM users are valid for the duration that you specify. This | |
1090 | // duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 | |
1091 | // seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials | |
1092 | // based on account credentials can range from 900 seconds (15 minutes) up to | |
1093 | // 3,600 seconds (1 hour), with a default of 1 hour. | |
bae9f6d2 JC |
1094 | // |
1095 | // The temporary security credentials created by GetSessionToken can be used | |
1096 | // to make API calls to any AWS service with the following exceptions: | |
1097 | // | |
863486a6 AG |
1098 | // * You cannot call any IAM API operations unless MFA authentication information |
1099 | // is included in the request. | |
bae9f6d2 | 1100 | // |
863486a6 | 1101 | // * You cannot call any STS API except AssumeRole or GetCallerIdentity. |
bae9f6d2 | 1102 | // |
863486a6 AG |
1103 | // We recommend that you do not call GetSessionToken with AWS account root user |
1104 | // credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) | |
bae9f6d2 JC |
1105 | // by creating one or more IAM users, giving them the necessary permissions, |
1106 | // and using IAM users for everyday interaction with AWS. | |
1107 | // | |
863486a6 AG |
1108 | // The credentials that are returned by GetSessionToken are based on permissions |
1109 | // associated with the user whose credentials were used to call the operation. | |
1110 | // If GetSessionToken is called using AWS account root user credentials, the | |
1111 | // temporary credentials have root user permissions. Similarly, if GetSessionToken | |
1112 | // is called using the credentials of an IAM user, the temporary credentials | |
1113 | // have the same permissions as the IAM user. | |
bae9f6d2 JC |
1114 | // |
1115 | // For more information about using GetSessionToken to create temporary credentials, | |
863486a6 | 1116 | // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) |
bae9f6d2 JC |
1117 | // in the IAM User Guide. |
1118 | // | |
1119 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
1120 | // with awserr.Error's Code and Message methods to get detailed information about | |
1121 | // the error. | |
1122 | // | |
1123 | // See the AWS API reference guide for AWS Security Token Service's | |
1124 | // API operation GetSessionToken for usage and error information. | |
1125 | // | |
1126 | // Returned Error Codes: | |
1127 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
1128 | // STS is not activated in the requested region for the account that is being | |
1129 | // asked to generate credentials. The account administrator must use the IAM | |
1130 | // console to activate STS in that region. For more information, see Activating | |
863486a6 | 1131 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
bae9f6d2 JC |
1132 | // in the IAM User Guide. |
1133 | // | |
15c0b25d | 1134 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken |
bae9f6d2 JC |
1135 | func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { |
1136 | req, out := c.GetSessionTokenRequest(input) | |
1137 | return out, req.Send() | |
1138 | } | |
1139 | ||
1140 | // GetSessionTokenWithContext is the same as GetSessionToken with the addition of | |
1141 | // the ability to pass a context and additional request options. | |
1142 | // | |
1143 | // See GetSessionToken for details on how to use this API operation. | |
1144 | // | |
1145 | // The context must be non-nil and will be used for request cancellation. If | |
1146 | // the context is nil a panic will occur. In the future the SDK may create | |
1147 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
1148 | // for more information on using Contexts. | |
1149 | func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { | |
1150 | req, out := c.GetSessionTokenRequest(input) | |
1151 | req.SetContext(ctx) | |
1152 | req.ApplyOptions(opts...) | |
1153 | return out, req.Send() | |
1154 | } | |
1155 | ||
bae9f6d2 JC |
1156 | type AssumeRoleInput struct { |
1157 | _ struct{} `type:"structure"` | |
1158 | ||
1159 | // The duration, in seconds, of the role session. The value can range from 900 | |
15c0b25d AP |
1160 | // seconds (15 minutes) up to the maximum session duration setting for the role. |
1161 | // This setting can have a value from 1 hour to 12 hours. If you specify a value | |
1162 | // higher than this setting, the operation fails. For example, if you specify | |
1163 | // a session duration of 12 hours, but your administrator set the maximum session | |
1164 | // duration to 6 hours, your operation fails. To learn how to view the maximum | |
1165 | // value for your role, see View the Maximum Session Duration Setting for a | |
863486a6 | 1166 | // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d | 1167 | // in the IAM User Guide. |
bae9f6d2 | 1168 | // |
15c0b25d AP |
1169 | // By default, the value is set to 3600 seconds. |
1170 | // | |
1171 | // The DurationSeconds parameter is separate from the duration of a console | |
1172 | // session that you might request using the returned credentials. The request | |
1173 | // to the federation endpoint for a console sign-in token takes a SessionDuration | |
1174 | // parameter that specifies the maximum length of the console session. For more | |
1175 | // information, see Creating a URL that Enables Federated Users to Access the | |
863486a6 | 1176 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
bae9f6d2 JC |
1177 | // in the IAM User Guide. |
1178 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1179 | ||
863486a6 AG |
1180 | // A unique identifier that might be required when you assume a role in another |
1181 | // account. If the administrator of the account to which the role belongs provided | |
1182 | // you with an external ID, then provide that value in the ExternalId parameter. | |
1183 | // This value can be any string, such as a passphrase or account number. A cross-account | |
1184 | // role is usually set up to trust everyone in an account. Therefore, the administrator | |
1185 | // of the trusting account might send an external ID to the administrator of | |
1186 | // the trusted account. That way, only someone with the ID can assume the role, | |
1187 | // rather than everyone in the account. For more information about the external | |
1188 | // ID, see How to Use an External ID When Granting Access to Your AWS Resources | |
1189 | // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) | |
bae9f6d2 JC |
1190 | // in the IAM User Guide. |
1191 | // | |
863486a6 | 1192 | // The regex used to validate this parameter is a string of characters consisting |
bae9f6d2 | 1193 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
9b12e4fe | 1194 | // also include underscores or any of the following characters: =,.@:/- |
bae9f6d2 JC |
1195 | ExternalId *string `min:"2" type:"string"` |
1196 | ||
863486a6 AG |
1197 | // An IAM policy in JSON format that you want to use as an inline session policy. |
1198 | // | |
1199 | // This parameter is optional. Passing policies to this operation returns new | |
1200 | // temporary credentials. The resulting session's permissions are the intersection | |
1201 | // of the role's identity-based policy and the session policies. You can use | |
1202 | // the role's temporary credentials in subsequent AWS API calls to access resources | |
1203 | // in the account that owns the role. You cannot use session policies to grant | |
1204 | // more permissions than those allowed by the identity-based policy of the role | |
1205 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
1206 | // in the IAM User Guide. |
1207 | // | |
863486a6 AG |
1208 | // The plain text that you use for both inline and managed session policies |
1209 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII | |
1210 | // character from the space character to the end of the valid character list | |
1211 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
bae9f6d2 JC |
1212 | // and carriage return (\u000D) characters. |
1213 | // | |
863486a6 AG |
1214 | // The characters in this parameter count towards the 2048 character session |
1215 | // policy guideline. However, an AWS conversion compresses the session policies | |
1216 | // into a packed binary format that has a separate limit. This is the enforced | |
1217 | // limit. The PackedPolicySize response element indicates by percentage how | |
1218 | // close the policy is to the upper size limit. | |
bae9f6d2 JC |
1219 | Policy *string `min:"1" type:"string"` |
1220 | ||
863486a6 AG |
1221 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want |
1222 | // to use as managed session policies. The policies must exist in the same account | |
1223 | // as the role. | |
1224 | // | |
1225 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | |
1226 | // However, the plain text that you use for both inline and managed session | |
1227 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | |
1228 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | |
1229 | // in the AWS General Reference. | |
1230 | // | |
1231 | // The characters in this parameter count towards the 2048 character session | |
1232 | // policy guideline. However, an AWS conversion compresses the session policies | |
1233 | // into a packed binary format that has a separate limit. This is the enforced | |
1234 | // limit. The PackedPolicySize response element indicates by percentage how | |
1235 | // close the policy is to the upper size limit. | |
1236 | // | |
1237 | // Passing policies to this operation returns new temporary credentials. The | |
1238 | // resulting session's permissions are the intersection of the role's identity-based | |
1239 | // policy and the session policies. You can use the role's temporary credentials | |
1240 | // in subsequent AWS API calls to access resources in the account that owns | |
1241 | // the role. You cannot use session policies to grant more permissions than | |
1242 | // those allowed by the identity-based policy of the role that is being assumed. | |
1243 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
1244 | // in the IAM User Guide. | |
1245 | PolicyArns []*PolicyDescriptorType `type:"list"` | |
1246 | ||
bae9f6d2 JC |
1247 | // The Amazon Resource Name (ARN) of the role to assume. |
1248 | // | |
1249 | // RoleArn is a required field | |
1250 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1251 | ||
1252 | // An identifier for the assumed role session. | |
1253 | // | |
1254 | // Use the role session name to uniquely identify a session when the same role | |
1255 | // is assumed by different principals or for different reasons. In cross-account | |
1256 | // scenarios, the role session name is visible to, and can be logged by the | |
1257 | // account that owns the role. The role session name is also used in the ARN | |
1258 | // of the assumed role principal. This means that subsequent cross-account API | |
863486a6 AG |
1259 | // requests that use the temporary security credentials will expose the role |
1260 | // session name to the external account in their AWS CloudTrail logs. | |
bae9f6d2 JC |
1261 | // |
1262 | // The regex used to validate this parameter is a string of characters consisting | |
1263 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1264 | // also include underscores or any of the following characters: =,.@- | |
1265 | // | |
1266 | // RoleSessionName is a required field | |
1267 | RoleSessionName *string `min:"2" type:"string" required:"true"` | |
1268 | ||
1269 | // The identification number of the MFA device that is associated with the user | |
1270 | // who is making the AssumeRole call. Specify this value if the trust policy | |
1271 | // of the role being assumed includes a condition that requires MFA authentication. | |
1272 | // The value is either the serial number for a hardware device (such as GAHT12345678) | |
1273 | // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | |
1274 | // | |
1275 | // The regex used to validate this parameter is a string of characters consisting | |
1276 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1277 | // also include underscores or any of the following characters: =,.@- | |
1278 | SerialNumber *string `min:"9" type:"string"` | |
1279 | ||
1280 | // The value provided by the MFA device, if the trust policy of the role being | |
1281 | // assumed requires MFA (that is, if the policy includes a condition that tests | |
1282 | // for MFA). If the role being assumed requires MFA and if the TokenCode value | |
1283 | // is missing or expired, the AssumeRole call returns an "access denied" error. | |
1284 | // | |
1285 | // The format for this parameter, as described by its regex pattern, is a sequence | |
1286 | // of six numeric digits. | |
1287 | TokenCode *string `min:"6" type:"string"` | |
1288 | } | |
1289 | ||
1290 | // String returns the string representation | |
1291 | func (s AssumeRoleInput) String() string { | |
1292 | return awsutil.Prettify(s) | |
1293 | } | |
1294 | ||
1295 | // GoString returns the string representation | |
1296 | func (s AssumeRoleInput) GoString() string { | |
1297 | return s.String() | |
1298 | } | |
1299 | ||
1300 | // Validate inspects the fields of the type to determine if they are valid. | |
1301 | func (s *AssumeRoleInput) Validate() error { | |
1302 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} | |
1303 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1304 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1305 | } | |
1306 | if s.ExternalId != nil && len(*s.ExternalId) < 2 { | |
1307 | invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) | |
1308 | } | |
1309 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1310 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1311 | } | |
1312 | if s.RoleArn == nil { | |
1313 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1314 | } | |
1315 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1316 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1317 | } | |
1318 | if s.RoleSessionName == nil { | |
1319 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | |
1320 | } | |
1321 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | |
1322 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | |
1323 | } | |
1324 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | |
1325 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | |
1326 | } | |
1327 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | |
1328 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | |
1329 | } | |
863486a6 AG |
1330 | if s.PolicyArns != nil { |
1331 | for i, v := range s.PolicyArns { | |
1332 | if v == nil { | |
1333 | continue | |
1334 | } | |
1335 | if err := v.Validate(); err != nil { | |
1336 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | |
1337 | } | |
1338 | } | |
1339 | } | |
bae9f6d2 JC |
1340 | |
1341 | if invalidParams.Len() > 0 { | |
1342 | return invalidParams | |
1343 | } | |
1344 | return nil | |
1345 | } | |
1346 | ||
1347 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1348 | func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { | |
1349 | s.DurationSeconds = &v | |
1350 | return s | |
1351 | } | |
1352 | ||
1353 | // SetExternalId sets the ExternalId field's value. | |
1354 | func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { | |
1355 | s.ExternalId = &v | |
1356 | return s | |
1357 | } | |
1358 | ||
1359 | // SetPolicy sets the Policy field's value. | |
1360 | func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { | |
1361 | s.Policy = &v | |
1362 | return s | |
1363 | } | |
1364 | ||
863486a6 AG |
1365 | // SetPolicyArns sets the PolicyArns field's value. |
1366 | func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { | |
1367 | s.PolicyArns = v | |
1368 | return s | |
1369 | } | |
1370 | ||
bae9f6d2 JC |
1371 | // SetRoleArn sets the RoleArn field's value. |
1372 | func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { | |
1373 | s.RoleArn = &v | |
1374 | return s | |
1375 | } | |
1376 | ||
1377 | // SetRoleSessionName sets the RoleSessionName field's value. | |
1378 | func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { | |
1379 | s.RoleSessionName = &v | |
1380 | return s | |
1381 | } | |
1382 | ||
1383 | // SetSerialNumber sets the SerialNumber field's value. | |
1384 | func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { | |
1385 | s.SerialNumber = &v | |
1386 | return s | |
1387 | } | |
1388 | ||
1389 | // SetTokenCode sets the TokenCode field's value. | |
1390 | func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { | |
1391 | s.TokenCode = &v | |
1392 | return s | |
1393 | } | |
1394 | ||
1395 | // Contains the response to a successful AssumeRole request, including temporary | |
1396 | // AWS credentials that can be used to make AWS requests. | |
bae9f6d2 JC |
1397 | type AssumeRoleOutput struct { |
1398 | _ struct{} `type:"structure"` | |
1399 | ||
1400 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | |
1401 | // that you can use to refer to the resulting temporary security credentials. | |
1402 | // For example, you can reference these credentials as a principal in a resource-based | |
1403 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | |
1404 | // that you specified when you called AssumeRole. | |
1405 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1406 | ||
1407 | // The temporary security credentials, which include an access key ID, a secret | |
1408 | // access key, and a security (or session) token. | |
1409 | // | |
863486a6 AG |
1410 | // The size of the security token that STS API operations return is not fixed. |
1411 | // We strongly recommend that you make no assumptions about the maximum size. | |
bae9f6d2 JC |
1412 | Credentials *Credentials `type:"structure"` |
1413 | ||
1414 | // A percentage value that indicates the size of the policy in packed form. | |
1415 | // The service rejects any policy with a packed size greater than 100 percent, | |
1416 | // which means the policy exceeded the allowed space. | |
1417 | PackedPolicySize *int64 `type:"integer"` | |
1418 | } | |
1419 | ||
1420 | // String returns the string representation | |
1421 | func (s AssumeRoleOutput) String() string { | |
1422 | return awsutil.Prettify(s) | |
1423 | } | |
1424 | ||
1425 | // GoString returns the string representation | |
1426 | func (s AssumeRoleOutput) GoString() string { | |
1427 | return s.String() | |
1428 | } | |
1429 | ||
1430 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
1431 | func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { | |
1432 | s.AssumedRoleUser = v | |
1433 | return s | |
1434 | } | |
1435 | ||
1436 | // SetCredentials sets the Credentials field's value. | |
1437 | func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { | |
1438 | s.Credentials = v | |
1439 | return s | |
1440 | } | |
1441 | ||
1442 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
1443 | func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { | |
1444 | s.PackedPolicySize = &v | |
1445 | return s | |
1446 | } | |
1447 | ||
bae9f6d2 JC |
1448 | type AssumeRoleWithSAMLInput struct { |
1449 | _ struct{} `type:"structure"` | |
1450 | ||
15c0b25d AP |
1451 | // The duration, in seconds, of the role session. Your role session lasts for |
1452 | // the duration that you specify for the DurationSeconds parameter, or until | |
1453 | // the time specified in the SAML authentication response's SessionNotOnOrAfter | |
1454 | // value, whichever is shorter. You can provide a DurationSeconds value from | |
1455 | // 900 seconds (15 minutes) up to the maximum session duration setting for the | |
1456 | // role. This setting can have a value from 1 hour to 12 hours. If you specify | |
1457 | // a value higher than this setting, the operation fails. For example, if you | |
1458 | // specify a session duration of 12 hours, but your administrator set the maximum | |
1459 | // session duration to 6 hours, your operation fails. To learn how to view the | |
1460 | // maximum value for your role, see View the Maximum Session Duration Setting | |
863486a6 | 1461 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d AP |
1462 | // in the IAM User Guide. |
1463 | // | |
1464 | // By default, the value is set to 3600 seconds. | |
bae9f6d2 | 1465 | // |
15c0b25d AP |
1466 | // The DurationSeconds parameter is separate from the duration of a console |
1467 | // session that you might request using the returned credentials. The request | |
1468 | // to the federation endpoint for a console sign-in token takes a SessionDuration | |
1469 | // parameter that specifies the maximum length of the console session. For more | |
1470 | // information, see Creating a URL that Enables Federated Users to Access the | |
863486a6 | 1471 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
bae9f6d2 JC |
1472 | // in the IAM User Guide. |
1473 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1474 | ||
863486a6 AG |
1475 | // An IAM policy in JSON format that you want to use as an inline session policy. |
1476 | // | |
1477 | // This parameter is optional. Passing policies to this operation returns new | |
1478 | // temporary credentials. The resulting session's permissions are the intersection | |
1479 | // of the role's identity-based policy and the session policies. You can use | |
1480 | // the role's temporary credentials in subsequent AWS API calls to access resources | |
1481 | // in the account that owns the role. You cannot use session policies to grant | |
1482 | // more permissions than those allowed by the identity-based policy of the role | |
1483 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
1484 | // in the IAM User Guide. |
1485 | // | |
863486a6 AG |
1486 | // The plain text that you use for both inline and managed session policies |
1487 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII | |
1488 | // character from the space character to the end of the valid character list | |
1489 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
bae9f6d2 JC |
1490 | // and carriage return (\u000D) characters. |
1491 | // | |
863486a6 AG |
1492 | // The characters in this parameter count towards the 2048 character session |
1493 | // policy guideline. However, an AWS conversion compresses the session policies | |
1494 | // into a packed binary format that has a separate limit. This is the enforced | |
1495 | // limit. The PackedPolicySize response element indicates by percentage how | |
1496 | // close the policy is to the upper size limit. | |
bae9f6d2 JC |
1497 | Policy *string `min:"1" type:"string"` |
1498 | ||
863486a6 AG |
1499 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want |
1500 | // to use as managed session policies. The policies must exist in the same account | |
1501 | // as the role. | |
1502 | // | |
1503 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | |
1504 | // However, the plain text that you use for both inline and managed session | |
1505 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | |
1506 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | |
1507 | // in the AWS General Reference. | |
1508 | // | |
1509 | // The characters in this parameter count towards the 2048 character session | |
1510 | // policy guideline. However, an AWS conversion compresses the session policies | |
1511 | // into a packed binary format that has a separate limit. This is the enforced | |
1512 | // limit. The PackedPolicySize response element indicates by percentage how | |
1513 | // close the policy is to the upper size limit. | |
1514 | // | |
1515 | // Passing policies to this operation returns new temporary credentials. The | |
1516 | // resulting session's permissions are the intersection of the role's identity-based | |
1517 | // policy and the session policies. You can use the role's temporary credentials | |
1518 | // in subsequent AWS API calls to access resources in the account that owns | |
1519 | // the role. You cannot use session policies to grant more permissions than | |
1520 | // those allowed by the identity-based policy of the role that is being assumed. | |
1521 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
1522 | // in the IAM User Guide. | |
1523 | PolicyArns []*PolicyDescriptorType `type:"list"` | |
1524 | ||
bae9f6d2 JC |
1525 | // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes |
1526 | // the IdP. | |
1527 | // | |
1528 | // PrincipalArn is a required field | |
1529 | PrincipalArn *string `min:"20" type:"string" required:"true"` | |
1530 | ||
1531 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | |
1532 | // | |
1533 | // RoleArn is a required field | |
1534 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1535 | ||
1536 | // The base-64 encoded SAML authentication response provided by the IdP. | |
1537 | // | |
863486a6 AG |
1538 | // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) |
1539 | // in the IAM User Guide. | |
bae9f6d2 JC |
1540 | // |
1541 | // SAMLAssertion is a required field | |
1542 | SAMLAssertion *string `min:"4" type:"string" required:"true"` | |
1543 | } | |
1544 | ||
1545 | // String returns the string representation | |
1546 | func (s AssumeRoleWithSAMLInput) String() string { | |
1547 | return awsutil.Prettify(s) | |
1548 | } | |
1549 | ||
1550 | // GoString returns the string representation | |
1551 | func (s AssumeRoleWithSAMLInput) GoString() string { | |
1552 | return s.String() | |
1553 | } | |
1554 | ||
1555 | // Validate inspects the fields of the type to determine if they are valid. | |
1556 | func (s *AssumeRoleWithSAMLInput) Validate() error { | |
1557 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} | |
1558 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1559 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1560 | } | |
1561 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1562 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1563 | } | |
1564 | if s.PrincipalArn == nil { | |
1565 | invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) | |
1566 | } | |
1567 | if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { | |
1568 | invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) | |
1569 | } | |
1570 | if s.RoleArn == nil { | |
1571 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1572 | } | |
1573 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1574 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1575 | } | |
1576 | if s.SAMLAssertion == nil { | |
1577 | invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) | |
1578 | } | |
1579 | if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { | |
1580 | invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) | |
1581 | } | |
863486a6 AG |
1582 | if s.PolicyArns != nil { |
1583 | for i, v := range s.PolicyArns { | |
1584 | if v == nil { | |
1585 | continue | |
1586 | } | |
1587 | if err := v.Validate(); err != nil { | |
1588 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | |
1589 | } | |
1590 | } | |
1591 | } | |
bae9f6d2 JC |
1592 | |
1593 | if invalidParams.Len() > 0 { | |
1594 | return invalidParams | |
1595 | } | |
1596 | return nil | |
1597 | } | |
1598 | ||
1599 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1600 | func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { | |
1601 | s.DurationSeconds = &v | |
1602 | return s | |
1603 | } | |
1604 | ||
1605 | // SetPolicy sets the Policy field's value. | |
1606 | func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { | |
1607 | s.Policy = &v | |
1608 | return s | |
1609 | } | |
1610 | ||
863486a6 AG |
1611 | // SetPolicyArns sets the PolicyArns field's value. |
1612 | func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { | |
1613 | s.PolicyArns = v | |
1614 | return s | |
1615 | } | |
1616 | ||
bae9f6d2 JC |
1617 | // SetPrincipalArn sets the PrincipalArn field's value. |
1618 | func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { | |
1619 | s.PrincipalArn = &v | |
1620 | return s | |
1621 | } | |
1622 | ||
1623 | // SetRoleArn sets the RoleArn field's value. | |
1624 | func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { | |
1625 | s.RoleArn = &v | |
1626 | return s | |
1627 | } | |
1628 | ||
1629 | // SetSAMLAssertion sets the SAMLAssertion field's value. | |
1630 | func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { | |
1631 | s.SAMLAssertion = &v | |
1632 | return s | |
1633 | } | |
1634 | ||
1635 | // Contains the response to a successful AssumeRoleWithSAML request, including | |
1636 | // temporary AWS credentials that can be used to make AWS requests. | |
bae9f6d2 JC |
1637 | type AssumeRoleWithSAMLOutput struct { |
1638 | _ struct{} `type:"structure"` | |
1639 | ||
1640 | // The identifiers for the temporary security credentials that the operation | |
1641 | // returns. | |
1642 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1643 | ||
1644 | // The value of the Recipient attribute of the SubjectConfirmationData element | |
1645 | // of the SAML assertion. | |
1646 | Audience *string `type:"string"` | |
1647 | ||
1648 | // The temporary security credentials, which include an access key ID, a secret | |
1649 | // access key, and a security (or session) token. | |
1650 | // | |
863486a6 AG |
1651 | // The size of the security token that STS API operations return is not fixed. |
1652 | // We strongly recommend that you make no assumptions about the maximum size. | |
bae9f6d2 JC |
1653 | Credentials *Credentials `type:"structure"` |
1654 | ||
1655 | // The value of the Issuer element of the SAML assertion. | |
1656 | Issuer *string `type:"string"` | |
1657 | ||
1658 | // A hash value based on the concatenation of the Issuer response value, the | |
1659 | // AWS account ID, and the friendly name (the last part of the ARN) of the SAML | |
1660 | // provider in IAM. The combination of NameQualifier and Subject can be used | |
1661 | // to uniquely identify a federated user. | |
1662 | // | |
1663 | // The following pseudocode shows how the hash value is calculated: | |
1664 | // | |
1665 | // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" | |
1666 | // ) ) | |
1667 | NameQualifier *string `type:"string"` | |
1668 | ||
1669 | // A percentage value that indicates the size of the policy in packed form. | |
1670 | // The service rejects any policy with a packed size greater than 100 percent, | |
1671 | // which means the policy exceeded the allowed space. | |
1672 | PackedPolicySize *int64 `type:"integer"` | |
1673 | ||
1674 | // The value of the NameID element in the Subject element of the SAML assertion. | |
1675 | Subject *string `type:"string"` | |
1676 | ||
1677 | // The format of the name ID, as defined by the Format attribute in the NameID | |
1678 | // element of the SAML assertion. Typical examples of the format are transient | |
1679 | // or persistent. | |
1680 | // | |
1681 | // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, | |
1682 | // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient | |
1683 | // is returned as transient. If the format includes any other prefix, the format | |
1684 | // is returned with no modifications. | |
1685 | SubjectType *string `type:"string"` | |
1686 | } | |
1687 | ||
1688 | // String returns the string representation | |
1689 | func (s AssumeRoleWithSAMLOutput) String() string { | |
1690 | return awsutil.Prettify(s) | |
1691 | } | |
1692 | ||
1693 | // GoString returns the string representation | |
1694 | func (s AssumeRoleWithSAMLOutput) GoString() string { | |
1695 | return s.String() | |
1696 | } | |
1697 | ||
1698 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
1699 | func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { | |
1700 | s.AssumedRoleUser = v | |
1701 | return s | |
1702 | } | |
1703 | ||
1704 | // SetAudience sets the Audience field's value. | |
1705 | func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { | |
1706 | s.Audience = &v | |
1707 | return s | |
1708 | } | |
1709 | ||
1710 | // SetCredentials sets the Credentials field's value. | |
1711 | func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { | |
1712 | s.Credentials = v | |
1713 | return s | |
1714 | } | |
1715 | ||
1716 | // SetIssuer sets the Issuer field's value. | |
1717 | func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { | |
1718 | s.Issuer = &v | |
1719 | return s | |
1720 | } | |
1721 | ||
1722 | // SetNameQualifier sets the NameQualifier field's value. | |
1723 | func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { | |
1724 | s.NameQualifier = &v | |
1725 | return s | |
1726 | } | |
1727 | ||
1728 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
1729 | func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { | |
1730 | s.PackedPolicySize = &v | |
1731 | return s | |
1732 | } | |
1733 | ||
1734 | // SetSubject sets the Subject field's value. | |
1735 | func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { | |
1736 | s.Subject = &v | |
1737 | return s | |
1738 | } | |
1739 | ||
1740 | // SetSubjectType sets the SubjectType field's value. | |
1741 | func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { | |
1742 | s.SubjectType = &v | |
1743 | return s | |
1744 | } | |
1745 | ||
bae9f6d2 JC |
1746 | type AssumeRoleWithWebIdentityInput struct { |
1747 | _ struct{} `type:"structure"` | |
1748 | ||
1749 | // The duration, in seconds, of the role session. The value can range from 900 | |
15c0b25d AP |
1750 | // seconds (15 minutes) up to the maximum session duration setting for the role. |
1751 | // This setting can have a value from 1 hour to 12 hours. If you specify a value | |
1752 | // higher than this setting, the operation fails. For example, if you specify | |
1753 | // a session duration of 12 hours, but your administrator set the maximum session | |
1754 | // duration to 6 hours, your operation fails. To learn how to view the maximum | |
1755 | // value for your role, see View the Maximum Session Duration Setting for a | |
863486a6 | 1756 | // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
15c0b25d AP |
1757 | // in the IAM User Guide. |
1758 | // | |
1759 | // By default, the value is set to 3600 seconds. | |
bae9f6d2 | 1760 | // |
15c0b25d AP |
1761 | // The DurationSeconds parameter is separate from the duration of a console |
1762 | // session that you might request using the returned credentials. The request | |
1763 | // to the federation endpoint for a console sign-in token takes a SessionDuration | |
1764 | // parameter that specifies the maximum length of the console session. For more | |
1765 | // information, see Creating a URL that Enables Federated Users to Access the | |
863486a6 | 1766 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
bae9f6d2 JC |
1767 | // in the IAM User Guide. |
1768 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1769 | ||
863486a6 | 1770 | // An IAM policy in JSON format that you want to use as an inline session policy. |
bae9f6d2 | 1771 | // |
863486a6 AG |
1772 | // This parameter is optional. Passing policies to this operation returns new |
1773 | // temporary credentials. The resulting session's permissions are the intersection | |
1774 | // of the role's identity-based policy and the session policies. You can use | |
1775 | // the role's temporary credentials in subsequent AWS API calls to access resources | |
1776 | // in the account that owns the role. You cannot use session policies to grant | |
1777 | // more permissions than those allowed by the identity-based policy of the role | |
1778 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
bae9f6d2 JC |
1779 | // in the IAM User Guide. |
1780 | // | |
863486a6 AG |
1781 | // The plain text that you use for both inline and managed session policies |
1782 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII | |
1783 | // character from the space character to the end of the valid character list | |
1784 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
bae9f6d2 JC |
1785 | // and carriage return (\u000D) characters. |
1786 | // | |
863486a6 AG |
1787 | // The characters in this parameter count towards the 2048 character session |
1788 | // policy guideline. However, an AWS conversion compresses the session policies | |
1789 | // into a packed binary format that has a separate limit. This is the enforced | |
1790 | // limit. The PackedPolicySize response element indicates by percentage how | |
1791 | // close the policy is to the upper size limit. | |
bae9f6d2 JC |
1792 | Policy *string `min:"1" type:"string"` |
1793 | ||
863486a6 AG |
1794 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want |
1795 | // to use as managed session policies. The policies must exist in the same account | |
1796 | // as the role. | |
1797 | // | |
1798 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | |
1799 | // However, the plain text that you use for both inline and managed session | |
1800 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | |
1801 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | |
1802 | // in the AWS General Reference. | |
1803 | // | |
1804 | // The characters in this parameter count towards the 2048 character session | |
1805 | // policy guideline. However, an AWS conversion compresses the session policies | |
1806 | // into a packed binary format that has a separate limit. This is the enforced | |
1807 | // limit. The PackedPolicySize response element indicates by percentage how | |
1808 | // close the policy is to the upper size limit. | |
1809 | // | |
1810 | // Passing policies to this operation returns new temporary credentials. The | |
1811 | // resulting session's permissions are the intersection of the role's identity-based | |
1812 | // policy and the session policies. You can use the role's temporary credentials | |
1813 | // in subsequent AWS API calls to access resources in the account that owns | |
1814 | // the role. You cannot use session policies to grant more permissions than | |
1815 | // those allowed by the identity-based policy of the role that is being assumed. | |
1816 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
1817 | // in the IAM User Guide. | |
1818 | PolicyArns []*PolicyDescriptorType `type:"list"` | |
1819 | ||
bae9f6d2 JC |
1820 | // The fully qualified host component of the domain name of the identity provider. |
1821 | // | |
1822 | // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com | |
1823 | // and graph.facebook.com are the only supported identity providers for OAuth | |
1824 | // 2.0 access tokens. Do not include URL schemes and port numbers. | |
1825 | // | |
1826 | // Do not specify this value for OpenID Connect ID tokens. | |
1827 | ProviderId *string `min:"4" type:"string"` | |
1828 | ||
1829 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | |
1830 | // | |
1831 | // RoleArn is a required field | |
1832 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1833 | ||
1834 | // An identifier for the assumed role session. Typically, you pass the name | |
1835 | // or identifier that is associated with the user who is using your application. | |
1836 | // That way, the temporary security credentials that your application will use | |
1837 | // are associated with that user. This session name is included as part of the | |
1838 | // ARN and assumed role ID in the AssumedRoleUser response element. | |
1839 | // | |
1840 | // The regex used to validate this parameter is a string of characters consisting | |
1841 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1842 | // also include underscores or any of the following characters: =,.@- | |
1843 | // | |
1844 | // RoleSessionName is a required field | |
1845 | RoleSessionName *string `min:"2" type:"string" required:"true"` | |
1846 | ||
1847 | // The OAuth 2.0 access token or OpenID Connect ID token that is provided by | |
1848 | // the identity provider. Your application must get this token by authenticating | |
1849 | // the user who is using your application with a web identity provider before | |
1850 | // the application makes an AssumeRoleWithWebIdentity call. | |
1851 | // | |
1852 | // WebIdentityToken is a required field | |
1853 | WebIdentityToken *string `min:"4" type:"string" required:"true"` | |
1854 | } | |
1855 | ||
1856 | // String returns the string representation | |
1857 | func (s AssumeRoleWithWebIdentityInput) String() string { | |
1858 | return awsutil.Prettify(s) | |
1859 | } | |
1860 | ||
1861 | // GoString returns the string representation | |
1862 | func (s AssumeRoleWithWebIdentityInput) GoString() string { | |
1863 | return s.String() | |
1864 | } | |
1865 | ||
1866 | // Validate inspects the fields of the type to determine if they are valid. | |
1867 | func (s *AssumeRoleWithWebIdentityInput) Validate() error { | |
1868 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} | |
1869 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1870 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1871 | } | |
1872 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1873 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1874 | } | |
1875 | if s.ProviderId != nil && len(*s.ProviderId) < 4 { | |
1876 | invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) | |
1877 | } | |
1878 | if s.RoleArn == nil { | |
1879 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1880 | } | |
1881 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1882 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1883 | } | |
1884 | if s.RoleSessionName == nil { | |
1885 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | |
1886 | } | |
1887 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | |
1888 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | |
1889 | } | |
1890 | if s.WebIdentityToken == nil { | |
1891 | invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) | |
1892 | } | |
1893 | if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { | |
1894 | invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) | |
1895 | } | |
863486a6 AG |
1896 | if s.PolicyArns != nil { |
1897 | for i, v := range s.PolicyArns { | |
1898 | if v == nil { | |
1899 | continue | |
1900 | } | |
1901 | if err := v.Validate(); err != nil { | |
1902 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | |
1903 | } | |
1904 | } | |
1905 | } | |
bae9f6d2 JC |
1906 | |
1907 | if invalidParams.Len() > 0 { | |
1908 | return invalidParams | |
1909 | } | |
1910 | return nil | |
1911 | } | |
1912 | ||
1913 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1914 | func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { | |
1915 | s.DurationSeconds = &v | |
1916 | return s | |
1917 | } | |
1918 | ||
1919 | // SetPolicy sets the Policy field's value. | |
1920 | func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { | |
1921 | s.Policy = &v | |
1922 | return s | |
1923 | } | |
1924 | ||
863486a6 AG |
1925 | // SetPolicyArns sets the PolicyArns field's value. |
1926 | func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { | |
1927 | s.PolicyArns = v | |
1928 | return s | |
1929 | } | |
1930 | ||
bae9f6d2 JC |
1931 | // SetProviderId sets the ProviderId field's value. |
1932 | func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { | |
1933 | s.ProviderId = &v | |
1934 | return s | |
1935 | } | |
1936 | ||
1937 | // SetRoleArn sets the RoleArn field's value. | |
1938 | func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { | |
1939 | s.RoleArn = &v | |
1940 | return s | |
1941 | } | |
1942 | ||
1943 | // SetRoleSessionName sets the RoleSessionName field's value. | |
1944 | func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { | |
1945 | s.RoleSessionName = &v | |
1946 | return s | |
1947 | } | |
1948 | ||
1949 | // SetWebIdentityToken sets the WebIdentityToken field's value. | |
1950 | func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { | |
1951 | s.WebIdentityToken = &v | |
1952 | return s | |
1953 | } | |
1954 | ||
1955 | // Contains the response to a successful AssumeRoleWithWebIdentity request, | |
1956 | // including temporary AWS credentials that can be used to make AWS requests. | |
bae9f6d2 JC |
1957 | type AssumeRoleWithWebIdentityOutput struct { |
1958 | _ struct{} `type:"structure"` | |
1959 | ||
1960 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | |
1961 | // that you can use to refer to the resulting temporary security credentials. | |
1962 | // For example, you can reference these credentials as a principal in a resource-based | |
1963 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | |
1964 | // that you specified when you called AssumeRole. | |
1965 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1966 | ||
1967 | // The intended audience (also known as client ID) of the web identity token. | |
1968 | // This is traditionally the client identifier issued to the application that | |
1969 | // requested the web identity token. | |
1970 | Audience *string `type:"string"` | |
1971 | ||
1972 | // The temporary security credentials, which include an access key ID, a secret | |
1973 | // access key, and a security token. | |
1974 | // | |
863486a6 AG |
1975 | // The size of the security token that STS API operations return is not fixed. |
1976 | // We strongly recommend that you make no assumptions about the maximum size. | |
bae9f6d2 JC |
1977 | Credentials *Credentials `type:"structure"` |
1978 | ||
1979 | // A percentage value that indicates the size of the policy in packed form. | |
1980 | // The service rejects any policy with a packed size greater than 100 percent, | |
1981 | // which means the policy exceeded the allowed space. | |
1982 | PackedPolicySize *int64 `type:"integer"` | |
1983 | ||
1984 | // The issuing authority of the web identity token presented. For OpenID Connect | |
863486a6 | 1985 | // ID tokens, this contains the value of the iss field. For OAuth 2.0 access |
bae9f6d2 JC |
1986 | // tokens, this contains the value of the ProviderId parameter that was passed |
1987 | // in the AssumeRoleWithWebIdentity request. | |
1988 | Provider *string `type:"string"` | |
1989 | ||
1990 | // The unique user identifier that is returned by the identity provider. This | |
1991 | // identifier is associated with the WebIdentityToken that was submitted with | |
1992 | // the AssumeRoleWithWebIdentity call. The identifier is typically unique to | |
1993 | // the user and the application that acquired the WebIdentityToken (pairwise | |
1994 | // identifier). For OpenID Connect ID tokens, this field contains the value | |
1995 | // returned by the identity provider as the token's sub (Subject) claim. | |
1996 | SubjectFromWebIdentityToken *string `min:"6" type:"string"` | |
1997 | } | |
1998 | ||
1999 | // String returns the string representation | |
2000 | func (s AssumeRoleWithWebIdentityOutput) String() string { | |
2001 | return awsutil.Prettify(s) | |
2002 | } | |
2003 | ||
2004 | // GoString returns the string representation | |
2005 | func (s AssumeRoleWithWebIdentityOutput) GoString() string { | |
2006 | return s.String() | |
2007 | } | |
2008 | ||
2009 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
2010 | func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { | |
2011 | s.AssumedRoleUser = v | |
2012 | return s | |
2013 | } | |
2014 | ||
2015 | // SetAudience sets the Audience field's value. | |
2016 | func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { | |
2017 | s.Audience = &v | |
2018 | return s | |
2019 | } | |
2020 | ||
2021 | // SetCredentials sets the Credentials field's value. | |
2022 | func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { | |
2023 | s.Credentials = v | |
2024 | return s | |
2025 | } | |
2026 | ||
2027 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
2028 | func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { | |
2029 | s.PackedPolicySize = &v | |
2030 | return s | |
2031 | } | |
2032 | ||
2033 | // SetProvider sets the Provider field's value. | |
2034 | func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { | |
2035 | s.Provider = &v | |
2036 | return s | |
2037 | } | |
2038 | ||
2039 | // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. | |
2040 | func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { | |
2041 | s.SubjectFromWebIdentityToken = &v | |
2042 | return s | |
2043 | } | |
2044 | ||
2045 | // The identifiers for the temporary security credentials that the operation | |
2046 | // returns. | |
bae9f6d2 JC |
2047 | type AssumedRoleUser struct { |
2048 | _ struct{} `type:"structure"` | |
2049 | ||
2050 | // The ARN of the temporary security credentials that are returned from the | |
2051 | // AssumeRole action. For more information about ARNs and how to use them in | |
863486a6 | 2052 | // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) |
bae9f6d2 JC |
2053 | // in Using IAM. |
2054 | // | |
2055 | // Arn is a required field | |
2056 | Arn *string `min:"20" type:"string" required:"true"` | |
2057 | ||
2058 | // A unique identifier that contains the role ID and the role session name of | |
2059 | // the role that is being assumed. The role ID is generated by AWS when the | |
2060 | // role is created. | |
2061 | // | |
2062 | // AssumedRoleId is a required field | |
2063 | AssumedRoleId *string `min:"2" type:"string" required:"true"` | |
2064 | } | |
2065 | ||
2066 | // String returns the string representation | |
2067 | func (s AssumedRoleUser) String() string { | |
2068 | return awsutil.Prettify(s) | |
2069 | } | |
2070 | ||
2071 | // GoString returns the string representation | |
2072 | func (s AssumedRoleUser) GoString() string { | |
2073 | return s.String() | |
2074 | } | |
2075 | ||
2076 | // SetArn sets the Arn field's value. | |
2077 | func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { | |
2078 | s.Arn = &v | |
2079 | return s | |
2080 | } | |
2081 | ||
2082 | // SetAssumedRoleId sets the AssumedRoleId field's value. | |
2083 | func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { | |
2084 | s.AssumedRoleId = &v | |
2085 | return s | |
2086 | } | |
2087 | ||
2088 | // AWS credentials for API authentication. | |
bae9f6d2 JC |
2089 | type Credentials struct { |
2090 | _ struct{} `type:"structure"` | |
2091 | ||
2092 | // The access key ID that identifies the temporary security credentials. | |
2093 | // | |
2094 | // AccessKeyId is a required field | |
2095 | AccessKeyId *string `min:"16" type:"string" required:"true"` | |
2096 | ||
2097 | // The date on which the current credentials expire. | |
2098 | // | |
2099 | // Expiration is a required field | |
15c0b25d | 2100 | Expiration *time.Time `type:"timestamp" required:"true"` |
bae9f6d2 JC |
2101 | |
2102 | // The secret access key that can be used to sign requests. | |
2103 | // | |
2104 | // SecretAccessKey is a required field | |
2105 | SecretAccessKey *string `type:"string" required:"true"` | |
2106 | ||
2107 | // The token that users must pass to the service API to use the temporary credentials. | |
2108 | // | |
2109 | // SessionToken is a required field | |
2110 | SessionToken *string `type:"string" required:"true"` | |
2111 | } | |
2112 | ||
2113 | // String returns the string representation | |
2114 | func (s Credentials) String() string { | |
2115 | return awsutil.Prettify(s) | |
2116 | } | |
2117 | ||
2118 | // GoString returns the string representation | |
2119 | func (s Credentials) GoString() string { | |
2120 | return s.String() | |
2121 | } | |
2122 | ||
2123 | // SetAccessKeyId sets the AccessKeyId field's value. | |
2124 | func (s *Credentials) SetAccessKeyId(v string) *Credentials { | |
2125 | s.AccessKeyId = &v | |
2126 | return s | |
2127 | } | |
2128 | ||
2129 | // SetExpiration sets the Expiration field's value. | |
2130 | func (s *Credentials) SetExpiration(v time.Time) *Credentials { | |
2131 | s.Expiration = &v | |
2132 | return s | |
2133 | } | |
2134 | ||
2135 | // SetSecretAccessKey sets the SecretAccessKey field's value. | |
2136 | func (s *Credentials) SetSecretAccessKey(v string) *Credentials { | |
2137 | s.SecretAccessKey = &v | |
2138 | return s | |
2139 | } | |
2140 | ||
2141 | // SetSessionToken sets the SessionToken field's value. | |
2142 | func (s *Credentials) SetSessionToken(v string) *Credentials { | |
2143 | s.SessionToken = &v | |
2144 | return s | |
2145 | } | |
2146 | ||
bae9f6d2 JC |
2147 | type DecodeAuthorizationMessageInput struct { |
2148 | _ struct{} `type:"structure"` | |
2149 | ||
2150 | // The encoded message that was returned with the response. | |
2151 | // | |
2152 | // EncodedMessage is a required field | |
2153 | EncodedMessage *string `min:"1" type:"string" required:"true"` | |
2154 | } | |
2155 | ||
2156 | // String returns the string representation | |
2157 | func (s DecodeAuthorizationMessageInput) String() string { | |
2158 | return awsutil.Prettify(s) | |
2159 | } | |
2160 | ||
2161 | // GoString returns the string representation | |
2162 | func (s DecodeAuthorizationMessageInput) GoString() string { | |
2163 | return s.String() | |
2164 | } | |
2165 | ||
2166 | // Validate inspects the fields of the type to determine if they are valid. | |
2167 | func (s *DecodeAuthorizationMessageInput) Validate() error { | |
2168 | invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} | |
2169 | if s.EncodedMessage == nil { | |
2170 | invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) | |
2171 | } | |
2172 | if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { | |
2173 | invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) | |
2174 | } | |
2175 | ||
2176 | if invalidParams.Len() > 0 { | |
2177 | return invalidParams | |
2178 | } | |
2179 | return nil | |
2180 | } | |
2181 | ||
2182 | // SetEncodedMessage sets the EncodedMessage field's value. | |
2183 | func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { | |
2184 | s.EncodedMessage = &v | |
2185 | return s | |
2186 | } | |
2187 | ||
2188 | // A document that contains additional information about the authorization status | |
2189 | // of a request from an encoded message that is returned in response to an AWS | |
2190 | // request. | |
bae9f6d2 JC |
2191 | type DecodeAuthorizationMessageOutput struct { |
2192 | _ struct{} `type:"structure"` | |
2193 | ||
2194 | // An XML document that contains the decoded message. | |
2195 | DecodedMessage *string `type:"string"` | |
2196 | } | |
2197 | ||
2198 | // String returns the string representation | |
2199 | func (s DecodeAuthorizationMessageOutput) String() string { | |
2200 | return awsutil.Prettify(s) | |
2201 | } | |
2202 | ||
2203 | // GoString returns the string representation | |
2204 | func (s DecodeAuthorizationMessageOutput) GoString() string { | |
2205 | return s.String() | |
2206 | } | |
2207 | ||
2208 | // SetDecodedMessage sets the DecodedMessage field's value. | |
2209 | func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { | |
2210 | s.DecodedMessage = &v | |
2211 | return s | |
2212 | } | |
2213 | ||
2214 | // Identifiers for the federated user that is associated with the credentials. | |
bae9f6d2 JC |
2215 | type FederatedUser struct { |
2216 | _ struct{} `type:"structure"` | |
2217 | ||
2218 | // The ARN that specifies the federated user that is associated with the credentials. | |
2219 | // For more information about ARNs and how to use them in policies, see IAM | |
863486a6 | 2220 | // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) |
bae9f6d2 JC |
2221 | // in Using IAM. |
2222 | // | |
2223 | // Arn is a required field | |
2224 | Arn *string `min:"20" type:"string" required:"true"` | |
2225 | ||
2226 | // The string that identifies the federated user associated with the credentials, | |
2227 | // similar to the unique ID of an IAM user. | |
2228 | // | |
2229 | // FederatedUserId is a required field | |
2230 | FederatedUserId *string `min:"2" type:"string" required:"true"` | |
2231 | } | |
2232 | ||
2233 | // String returns the string representation | |
2234 | func (s FederatedUser) String() string { | |
2235 | return awsutil.Prettify(s) | |
2236 | } | |
2237 | ||
2238 | // GoString returns the string representation | |
2239 | func (s FederatedUser) GoString() string { | |
2240 | return s.String() | |
2241 | } | |
2242 | ||
2243 | // SetArn sets the Arn field's value. | |
2244 | func (s *FederatedUser) SetArn(v string) *FederatedUser { | |
2245 | s.Arn = &v | |
2246 | return s | |
2247 | } | |
2248 | ||
2249 | // SetFederatedUserId sets the FederatedUserId field's value. | |
2250 | func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { | |
2251 | s.FederatedUserId = &v | |
2252 | return s | |
2253 | } | |
2254 | ||
863486a6 AG |
2255 | type GetAccessKeyInfoInput struct { |
2256 | _ struct{} `type:"structure"` | |
2257 | ||
2258 | // The identifier of an access key. | |
2259 | // | |
2260 | // This parameter allows (through its regex pattern) a string of characters | |
2261 | // that can consist of any upper- or lowercased letter or digit. | |
2262 | // | |
2263 | // AccessKeyId is a required field | |
2264 | AccessKeyId *string `min:"16" type:"string" required:"true"` | |
2265 | } | |
2266 | ||
2267 | // String returns the string representation | |
2268 | func (s GetAccessKeyInfoInput) String() string { | |
2269 | return awsutil.Prettify(s) | |
2270 | } | |
2271 | ||
2272 | // GoString returns the string representation | |
2273 | func (s GetAccessKeyInfoInput) GoString() string { | |
2274 | return s.String() | |
2275 | } | |
2276 | ||
2277 | // Validate inspects the fields of the type to determine if they are valid. | |
2278 | func (s *GetAccessKeyInfoInput) Validate() error { | |
2279 | invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} | |
2280 | if s.AccessKeyId == nil { | |
2281 | invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) | |
2282 | } | |
2283 | if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { | |
2284 | invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) | |
2285 | } | |
2286 | ||
2287 | if invalidParams.Len() > 0 { | |
2288 | return invalidParams | |
2289 | } | |
2290 | return nil | |
2291 | } | |
2292 | ||
2293 | // SetAccessKeyId sets the AccessKeyId field's value. | |
2294 | func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { | |
2295 | s.AccessKeyId = &v | |
2296 | return s | |
2297 | } | |
2298 | ||
2299 | type GetAccessKeyInfoOutput struct { | |
2300 | _ struct{} `type:"structure"` | |
2301 | ||
2302 | // The number used to identify the AWS account. | |
2303 | Account *string `type:"string"` | |
2304 | } | |
2305 | ||
2306 | // String returns the string representation | |
2307 | func (s GetAccessKeyInfoOutput) String() string { | |
2308 | return awsutil.Prettify(s) | |
2309 | } | |
2310 | ||
2311 | // GoString returns the string representation | |
2312 | func (s GetAccessKeyInfoOutput) GoString() string { | |
2313 | return s.String() | |
2314 | } | |
2315 | ||
2316 | // SetAccount sets the Account field's value. | |
2317 | func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { | |
2318 | s.Account = &v | |
2319 | return s | |
2320 | } | |
2321 | ||
bae9f6d2 JC |
2322 | type GetCallerIdentityInput struct { |
2323 | _ struct{} `type:"structure"` | |
2324 | } | |
2325 | ||
2326 | // String returns the string representation | |
2327 | func (s GetCallerIdentityInput) String() string { | |
2328 | return awsutil.Prettify(s) | |
2329 | } | |
2330 | ||
2331 | // GoString returns the string representation | |
2332 | func (s GetCallerIdentityInput) GoString() string { | |
2333 | return s.String() | |
2334 | } | |
2335 | ||
2336 | // Contains the response to a successful GetCallerIdentity request, including | |
2337 | // information about the entity making the request. | |
bae9f6d2 JC |
2338 | type GetCallerIdentityOutput struct { |
2339 | _ struct{} `type:"structure"` | |
2340 | ||
2341 | // The AWS account ID number of the account that owns or contains the calling | |
2342 | // entity. | |
2343 | Account *string `type:"string"` | |
2344 | ||
2345 | // The AWS ARN associated with the calling entity. | |
2346 | Arn *string `min:"20" type:"string"` | |
2347 | ||
2348 | // The unique identifier of the calling entity. The exact value depends on the | |
863486a6 AG |
2349 | // type of entity that is making the call. The values returned are those listed |
2350 | // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) | |
bae9f6d2 JC |
2351 | // found on the Policy Variables reference page in the IAM User Guide. |
2352 | UserId *string `type:"string"` | |
2353 | } | |
2354 | ||
2355 | // String returns the string representation | |
2356 | func (s GetCallerIdentityOutput) String() string { | |
2357 | return awsutil.Prettify(s) | |
2358 | } | |
2359 | ||
2360 | // GoString returns the string representation | |
2361 | func (s GetCallerIdentityOutput) GoString() string { | |
2362 | return s.String() | |
2363 | } | |
2364 | ||
2365 | // SetAccount sets the Account field's value. | |
2366 | func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { | |
2367 | s.Account = &v | |
2368 | return s | |
2369 | } | |
2370 | ||
2371 | // SetArn sets the Arn field's value. | |
2372 | func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { | |
2373 | s.Arn = &v | |
2374 | return s | |
2375 | } | |
2376 | ||
2377 | // SetUserId sets the UserId field's value. | |
2378 | func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { | |
2379 | s.UserId = &v | |
2380 | return s | |
2381 | } | |
2382 | ||
bae9f6d2 JC |
2383 | type GetFederationTokenInput struct { |
2384 | _ struct{} `type:"structure"` | |
2385 | ||
2386 | // The duration, in seconds, that the session should last. Acceptable durations | |
863486a6 AG |
2387 | // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds |
2388 | // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained | |
2389 | // using AWS account root user credentials are restricted to a maximum of 3,600 | |
bae9f6d2 | 2390 | // seconds (one hour). If the specified duration is longer than one hour, the |
863486a6 | 2391 | // session obtained by using root user credentials defaults to one hour. |
bae9f6d2 JC |
2392 | DurationSeconds *int64 `min:"900" type:"integer"` |
2393 | ||
2394 | // The name of the federated user. The name is used as an identifier for the | |
2395 | // temporary security credentials (such as Bob). For example, you can reference | |
2396 | // the federated user name in a resource-based policy, such as in an Amazon | |
2397 | // S3 bucket policy. | |
2398 | // | |
2399 | // The regex used to validate this parameter is a string of characters consisting | |
2400 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
2401 | // also include underscores or any of the following characters: =,.@- | |
2402 | // | |
2403 | // Name is a required field | |
2404 | Name *string `min:"2" type:"string" required:"true"` | |
2405 | ||
863486a6 AG |
2406 | // An IAM policy in JSON format that you want to use as an inline session policy. |
2407 | // | |
2408 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
2409 | // to this operation. You can pass a single JSON policy document to use as an | |
2410 | // inline session policy. You can also specify up to 10 managed policies to | |
2411 | // use as managed session policies. | |
bae9f6d2 | 2412 | // |
863486a6 AG |
2413 | // This parameter is optional. However, if you do not pass any session policies, |
2414 | // then the resulting federated user session has no permissions. The only exception | |
2415 | // is when the credentials are used to access a resource that has a resource-based | |
2416 | // policy that specifically references the federated user session in the Principal | |
2417 | // element of the policy. | |
bae9f6d2 | 2418 | // |
863486a6 AG |
2419 | // When you pass session policies, the session permissions are the intersection |
2420 | // of the IAM user policies and the session policies that you pass. This gives | |
2421 | // you a way to further restrict the permissions for a federated user. You cannot | |
2422 | // use session policies to grant more permissions than those that are defined | |
2423 | // in the permissions policy of the IAM user. For more information, see Session | |
2424 | // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
2425 | // in the IAM User Guide. | |
2426 | // | |
2427 | // The plain text that you use for both inline and managed session policies | |
2428 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII | |
2429 | // character from the space character to the end of the valid character list | |
2430 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
2431 | // and carriage return (\u000D) characters. | |
2432 | // | |
2433 | // The characters in this parameter count towards the 2048 character session | |
2434 | // policy guideline. However, an AWS conversion compresses the session policies | |
2435 | // into a packed binary format that has a separate limit. This is the enforced | |
2436 | // limit. The PackedPolicySize response element indicates by percentage how | |
2437 | // close the policy is to the upper size limit. | |
bae9f6d2 | 2438 | Policy *string `min:"1" type:"string"` |
863486a6 AG |
2439 | |
2440 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want | |
2441 | // to use as a managed session policy. The policies must exist in the same account | |
2442 | // as the IAM user that is requesting federated access. | |
2443 | // | |
2444 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
2445 | // to this operation. You can pass a single JSON policy document to use as an | |
2446 | // inline session policy. You can also specify up to 10 managed policies to | |
2447 | // use as managed session policies. The plain text that you use for both inline | |
2448 | // and managed session policies shouldn't exceed 2048 characters. You can provide | |
2449 | // up to 10 managed policy ARNs. For more information about ARNs, see Amazon | |
2450 | // Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html) | |
2451 | // in the AWS General Reference. | |
2452 | // | |
2453 | // This parameter is optional. However, if you do not pass any session policies, | |
2454 | // then the resulting federated user session has no permissions. The only exception | |
2455 | // is when the credentials are used to access a resource that has a resource-based | |
2456 | // policy that specifically references the federated user session in the Principal | |
2457 | // element of the policy. | |
2458 | // | |
2459 | // When you pass session policies, the session permissions are the intersection | |
2460 | // of the IAM user policies and the session policies that you pass. This gives | |
2461 | // you a way to further restrict the permissions for a federated user. You cannot | |
2462 | // use session policies to grant more permissions than those that are defined | |
2463 | // in the permissions policy of the IAM user. For more information, see Session | |
2464 | // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | |
2465 | // in the IAM User Guide. | |
2466 | // | |
2467 | // The characters in this parameter count towards the 2048 character session | |
2468 | // policy guideline. However, an AWS conversion compresses the session policies | |
2469 | // into a packed binary format that has a separate limit. This is the enforced | |
2470 | // limit. The PackedPolicySize response element indicates by percentage how | |
2471 | // close the policy is to the upper size limit. | |
2472 | PolicyArns []*PolicyDescriptorType `type:"list"` | |
bae9f6d2 JC |
2473 | } |
2474 | ||
2475 | // String returns the string representation | |
2476 | func (s GetFederationTokenInput) String() string { | |
2477 | return awsutil.Prettify(s) | |
2478 | } | |
2479 | ||
2480 | // GoString returns the string representation | |
2481 | func (s GetFederationTokenInput) GoString() string { | |
2482 | return s.String() | |
2483 | } | |
2484 | ||
2485 | // Validate inspects the fields of the type to determine if they are valid. | |
2486 | func (s *GetFederationTokenInput) Validate() error { | |
2487 | invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} | |
2488 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
2489 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
2490 | } | |
2491 | if s.Name == nil { | |
2492 | invalidParams.Add(request.NewErrParamRequired("Name")) | |
2493 | } | |
2494 | if s.Name != nil && len(*s.Name) < 2 { | |
2495 | invalidParams.Add(request.NewErrParamMinLen("Name", 2)) | |
2496 | } | |
2497 | if s.Policy != nil && len(*s.Policy) < 1 { | |
2498 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
2499 | } | |
863486a6 AG |
2500 | if s.PolicyArns != nil { |
2501 | for i, v := range s.PolicyArns { | |
2502 | if v == nil { | |
2503 | continue | |
2504 | } | |
2505 | if err := v.Validate(); err != nil { | |
2506 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | |
2507 | } | |
2508 | } | |
2509 | } | |
bae9f6d2 JC |
2510 | |
2511 | if invalidParams.Len() > 0 { | |
2512 | return invalidParams | |
2513 | } | |
2514 | return nil | |
2515 | } | |
2516 | ||
2517 | // SetDurationSeconds sets the DurationSeconds field's value. | |
2518 | func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { | |
2519 | s.DurationSeconds = &v | |
2520 | return s | |
2521 | } | |
2522 | ||
2523 | // SetName sets the Name field's value. | |
2524 | func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { | |
2525 | s.Name = &v | |
2526 | return s | |
2527 | } | |
2528 | ||
2529 | // SetPolicy sets the Policy field's value. | |
2530 | func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { | |
2531 | s.Policy = &v | |
2532 | return s | |
2533 | } | |
2534 | ||
863486a6 AG |
2535 | // SetPolicyArns sets the PolicyArns field's value. |
2536 | func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { | |
2537 | s.PolicyArns = v | |
2538 | return s | |
2539 | } | |
2540 | ||
bae9f6d2 JC |
2541 | // Contains the response to a successful GetFederationToken request, including |
2542 | // temporary AWS credentials that can be used to make AWS requests. | |
bae9f6d2 JC |
2543 | type GetFederationTokenOutput struct { |
2544 | _ struct{} `type:"structure"` | |
2545 | ||
2546 | // The temporary security credentials, which include an access key ID, a secret | |
2547 | // access key, and a security (or session) token. | |
2548 | // | |
863486a6 AG |
2549 | // The size of the security token that STS API operations return is not fixed. |
2550 | // We strongly recommend that you make no assumptions about the maximum size. | |
bae9f6d2 JC |
2551 | Credentials *Credentials `type:"structure"` |
2552 | ||
2553 | // Identifiers for the federated user associated with the credentials (such | |
2554 | // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You | |
2555 | // can use the federated user's ARN in your resource-based policies, such as | |
2556 | // an Amazon S3 bucket policy. | |
2557 | FederatedUser *FederatedUser `type:"structure"` | |
2558 | ||
2559 | // A percentage value indicating the size of the policy in packed form. The | |
2560 | // service rejects policies for which the packed size is greater than 100 percent | |
2561 | // of the allowed value. | |
2562 | PackedPolicySize *int64 `type:"integer"` | |
2563 | } | |
2564 | ||
2565 | // String returns the string representation | |
2566 | func (s GetFederationTokenOutput) String() string { | |
2567 | return awsutil.Prettify(s) | |
2568 | } | |
2569 | ||
2570 | // GoString returns the string representation | |
2571 | func (s GetFederationTokenOutput) GoString() string { | |
2572 | return s.String() | |
2573 | } | |
2574 | ||
2575 | // SetCredentials sets the Credentials field's value. | |
2576 | func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { | |
2577 | s.Credentials = v | |
2578 | return s | |
2579 | } | |
2580 | ||
2581 | // SetFederatedUser sets the FederatedUser field's value. | |
2582 | func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { | |
2583 | s.FederatedUser = v | |
2584 | return s | |
2585 | } | |
2586 | ||
2587 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
2588 | func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { | |
2589 | s.PackedPolicySize = &v | |
2590 | return s | |
2591 | } | |
2592 | ||
bae9f6d2 JC |
2593 | type GetSessionTokenInput struct { |
2594 | _ struct{} `type:"structure"` | |
2595 | ||
2596 | // The duration, in seconds, that the credentials should remain valid. Acceptable | |
863486a6 AG |
2597 | // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 |
2598 | // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions | |
2599 | // for AWS account owners are restricted to a maximum of 3,600 seconds (one | |
2600 | // hour). If the duration is longer than one hour, the session for AWS account | |
2601 | // owners defaults to one hour. | |
bae9f6d2 JC |
2602 | DurationSeconds *int64 `min:"900" type:"integer"` |
2603 | ||
2604 | // The identification number of the MFA device that is associated with the IAM | |
2605 | // user who is making the GetSessionToken call. Specify this value if the IAM | |
2606 | // user has a policy that requires MFA authentication. The value is either the | |
2607 | // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource | |
2608 | // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | |
2609 | // You can find the device for an IAM user by going to the AWS Management Console | |
2610 | // and viewing the user's security credentials. | |
2611 | // | |
863486a6 | 2612 | // The regex used to validate this parameter is a string of characters consisting |
bae9f6d2 | 2613 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
9b12e4fe | 2614 | // also include underscores or any of the following characters: =,.@:/- |
bae9f6d2 JC |
2615 | SerialNumber *string `min:"9" type:"string"` |
2616 | ||
2617 | // The value provided by the MFA device, if MFA is required. If any policy requires | |
2618 | // the IAM user to submit an MFA code, specify this value. If MFA authentication | |
863486a6 AG |
2619 | // is required, the user must provide a code when requesting a set of temporary |
2620 | // security credentials. A user who fails to provide the code receives an "access | |
2621 | // denied" response when requesting resources that require MFA authentication. | |
bae9f6d2 JC |
2622 | // |
2623 | // The format for this parameter, as described by its regex pattern, is a sequence | |
2624 | // of six numeric digits. | |
2625 | TokenCode *string `min:"6" type:"string"` | |
2626 | } | |
2627 | ||
2628 | // String returns the string representation | |
2629 | func (s GetSessionTokenInput) String() string { | |
2630 | return awsutil.Prettify(s) | |
2631 | } | |
2632 | ||
2633 | // GoString returns the string representation | |
2634 | func (s GetSessionTokenInput) GoString() string { | |
2635 | return s.String() | |
2636 | } | |
2637 | ||
2638 | // Validate inspects the fields of the type to determine if they are valid. | |
2639 | func (s *GetSessionTokenInput) Validate() error { | |
2640 | invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} | |
2641 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
2642 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
2643 | } | |
2644 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | |
2645 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | |
2646 | } | |
2647 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | |
2648 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | |
2649 | } | |
2650 | ||
2651 | if invalidParams.Len() > 0 { | |
2652 | return invalidParams | |
2653 | } | |
2654 | return nil | |
2655 | } | |
2656 | ||
2657 | // SetDurationSeconds sets the DurationSeconds field's value. | |
2658 | func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { | |
2659 | s.DurationSeconds = &v | |
2660 | return s | |
2661 | } | |
2662 | ||
2663 | // SetSerialNumber sets the SerialNumber field's value. | |
2664 | func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { | |
2665 | s.SerialNumber = &v | |
2666 | return s | |
2667 | } | |
2668 | ||
2669 | // SetTokenCode sets the TokenCode field's value. | |
2670 | func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { | |
2671 | s.TokenCode = &v | |
2672 | return s | |
2673 | } | |
2674 | ||
2675 | // Contains the response to a successful GetSessionToken request, including | |
2676 | // temporary AWS credentials that can be used to make AWS requests. | |
bae9f6d2 JC |
2677 | type GetSessionTokenOutput struct { |
2678 | _ struct{} `type:"structure"` | |
2679 | ||
2680 | // The temporary security credentials, which include an access key ID, a secret | |
2681 | // access key, and a security (or session) token. | |
2682 | // | |
863486a6 AG |
2683 | // The size of the security token that STS API operations return is not fixed. |
2684 | // We strongly recommend that you make no assumptions about the maximum size. | |
bae9f6d2 JC |
2685 | Credentials *Credentials `type:"structure"` |
2686 | } | |
2687 | ||
2688 | // String returns the string representation | |
2689 | func (s GetSessionTokenOutput) String() string { | |
2690 | return awsutil.Prettify(s) | |
2691 | } | |
2692 | ||
2693 | // GoString returns the string representation | |
2694 | func (s GetSessionTokenOutput) GoString() string { | |
2695 | return s.String() | |
2696 | } | |
2697 | ||
2698 | // SetCredentials sets the Credentials field's value. | |
2699 | func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { | |
2700 | s.Credentials = v | |
2701 | return s | |
2702 | } | |
863486a6 AG |
2703 | |
2704 | // A reference to the IAM managed policy that is passed as a session policy | |
2705 | // for a role session or a federated user session. | |
2706 | type PolicyDescriptorType struct { | |
2707 | _ struct{} `type:"structure"` | |
2708 | ||
2709 | // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session | |
2710 | // policy for the role. For more information about ARNs, see Amazon Resource | |
2711 | // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | |
2712 | // in the AWS General Reference. | |
2713 | Arn *string `locationName:"arn" min:"20" type:"string"` | |
2714 | } | |
2715 | ||
2716 | // String returns the string representation | |
2717 | func (s PolicyDescriptorType) String() string { | |
2718 | return awsutil.Prettify(s) | |
2719 | } | |
2720 | ||
2721 | // GoString returns the string representation | |
2722 | func (s PolicyDescriptorType) GoString() string { | |
2723 | return s.String() | |
2724 | } | |
2725 | ||
2726 | // Validate inspects the fields of the type to determine if they are valid. | |
2727 | func (s *PolicyDescriptorType) Validate() error { | |
2728 | invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} | |
2729 | if s.Arn != nil && len(*s.Arn) < 20 { | |
2730 | invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) | |
2731 | } | |
2732 | ||
2733 | if invalidParams.Len() > 0 { | |
2734 | return invalidParams | |
2735 | } | |
2736 | return nil | |
2737 | } | |
2738 | ||
2739 | // SetArn sets the Arn field's value. | |
2740 | func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { | |
2741 | s.Arn = &v | |
2742 | return s | |
2743 | } |