]>
Commit | Line | Data |
---|---|---|
bae9f6d2 JC |
1 | // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. |
2 | ||
3 | package sts | |
4 | ||
5 | import ( | |
6 | "time" | |
7 | ||
8 | "github.com/aws/aws-sdk-go/aws" | |
9 | "github.com/aws/aws-sdk-go/aws/awsutil" | |
10 | "github.com/aws/aws-sdk-go/aws/request" | |
11 | ) | |
12 | ||
13 | const opAssumeRole = "AssumeRole" | |
14 | ||
15 | // AssumeRoleRequest generates a "aws/request.Request" representing the | |
16 | // client's request for the AssumeRole operation. The "output" return | |
17 | // value can be used to capture response data after the request's "Send" method | |
18 | // is called. | |
19 | // | |
20 | // See AssumeRole for usage and error information. | |
21 | // | |
22 | // Creating a request object using this method should be used when you want to inject | |
23 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
24 | // access properties on the request object before or after sending the request. If | |
25 | // you just want the service response, call the AssumeRole method directly | |
26 | // instead. | |
27 | // | |
28 | // Note: You must call the "Send" method on the returned request object in order | |
29 | // to execute the request. | |
30 | // | |
31 | // // Example sending a request using the AssumeRoleRequest method. | |
32 | // req, resp := client.AssumeRoleRequest(params) | |
33 | // | |
34 | // err := req.Send() | |
35 | // if err == nil { // resp is now filled | |
36 | // fmt.Println(resp) | |
37 | // } | |
38 | // | |
39 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole | |
40 | func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { | |
41 | op := &request.Operation{ | |
42 | Name: opAssumeRole, | |
43 | HTTPMethod: "POST", | |
44 | HTTPPath: "/", | |
45 | } | |
46 | ||
47 | if input == nil { | |
48 | input = &AssumeRoleInput{} | |
49 | } | |
50 | ||
51 | output = &AssumeRoleOutput{} | |
52 | req = c.newRequest(op, input, output) | |
53 | return | |
54 | } | |
55 | ||
56 | // AssumeRole API operation for AWS Security Token Service. | |
57 | // | |
58 | // Returns a set of temporary security credentials (consisting of an access | |
59 | // key ID, a secret access key, and a security token) that you can use to access | |
60 | // AWS resources that you might not normally have access to. Typically, you | |
61 | // use AssumeRole for cross-account access or federation. For a comparison of | |
62 | // AssumeRole with the other APIs that produce temporary credentials, see Requesting | |
63 | // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
64 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
65 | // in the IAM User Guide. | |
66 | // | |
67 | // Important: You cannot call AssumeRole by using AWS root account credentials; | |
68 | // access is denied. You must use credentials for an IAM user or an IAM role | |
69 | // to call AssumeRole. | |
70 | // | |
71 | // For cross-account access, imagine that you own multiple accounts and need | |
72 | // to access resources in each account. You could create long-term credentials | |
73 | // in each account to access those resources. However, managing all those credentials | |
74 | // and remembering which one can access which account can be time consuming. | |
75 | // Instead, you can create one set of long-term credentials in one account and | |
76 | // then use temporary security credentials to access all the other accounts | |
77 | // by assuming roles in those accounts. For more information about roles, see | |
78 | // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) | |
79 | // in the IAM User Guide. | |
80 | // | |
81 | // For federation, you can, for example, grant single sign-on access to the | |
82 | // AWS Management Console. If you already have an identity and authentication | |
83 | // system in your corporate network, you don't have to recreate user identities | |
84 | // in AWS in order to grant those user identities access to AWS. Instead, after | |
85 | // a user has been authenticated, you call AssumeRole (and specify the role | |
86 | // with the appropriate permissions) to get temporary security credentials for | |
87 | // that user. With those temporary security credentials, you construct a sign-in | |
88 | // URL that users can use to access the console. For more information, see Common | |
89 | // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction) | |
90 | // in the IAM User Guide. | |
91 | // | |
92 | // The temporary security credentials are valid for the duration that you specified | |
93 | // when calling AssumeRole, which can be from 900 seconds (15 minutes) to a | |
94 | // maximum of 3600 seconds (1 hour). The default is 1 hour. | |
95 | // | |
96 | // The temporary security credentials created by AssumeRole can be used to make | |
97 | // API calls to any AWS service with the following exception: you cannot call | |
98 | // the STS service's GetFederationToken or GetSessionToken APIs. | |
99 | // | |
100 | // Optionally, you can pass an IAM access policy to this operation. If you choose | |
101 | // not to pass a policy, the temporary security credentials that are returned | |
102 | // by the operation have the permissions that are defined in the access policy | |
103 | // of the role that is being assumed. If you pass a policy to this operation, | |
104 | // the temporary security credentials that are returned by the operation have | |
105 | // the permissions that are allowed by both the access policy of the role that | |
106 | // is being assumed, and the policy that you pass. This gives you a way to further | |
107 | // restrict the permissions for the resulting temporary security credentials. | |
108 | // You cannot use the passed policy to grant permissions that are in excess | |
109 | // of those allowed by the access policy of the role that is being assumed. | |
110 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | |
111 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
112 | // in the IAM User Guide. | |
113 | // | |
114 | // To assume a role, your AWS account must be trusted by the role. The trust | |
115 | // relationship is defined in the role's trust policy when the role is created. | |
116 | // That trust policy states which accounts are allowed to delegate access to | |
117 | // this account's role. | |
118 | // | |
119 | // The user who wants to access the role must also have permissions delegated | |
120 | // from the role's administrator. If the user is in a different account than | |
121 | // the role, then the user's administrator must attach a policy that allows | |
122 | // the user to call AssumeRole on the ARN of the role in the other account. | |
123 | // If the user is in the same account as the role, then you can either attach | |
124 | // a policy to the user (identical to the previous different account user), | |
125 | // or you can add the user as a principal directly in the role's trust policy | |
126 | // | |
127 | // Using MFA with AssumeRole | |
128 | // | |
129 | // You can optionally include multi-factor authentication (MFA) information | |
130 | // when you call AssumeRole. This is useful for cross-account scenarios in which | |
131 | // you want to make sure that the user who is assuming the role has been authenticated | |
132 | // using an AWS MFA device. In that scenario, the trust policy of the role being | |
133 | // assumed includes a condition that tests for MFA authentication; if the caller | |
134 | // does not include valid MFA information, the request to assume the role is | |
135 | // denied. The condition in a trust policy that tests for MFA authentication | |
136 | // might look like the following example. | |
137 | // | |
138 | // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} | |
139 | // | |
140 | // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) | |
141 | // in the IAM User Guide guide. | |
142 | // | |
143 | // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode | |
144 | // parameters. The SerialNumber value identifies the user's hardware or virtual | |
145 | // MFA device. The TokenCode is the time-based one-time password (TOTP) that | |
146 | // the MFA devices produces. | |
147 | // | |
148 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
149 | // with awserr.Error's Code and Message methods to get detailed information about | |
150 | // the error. | |
151 | // | |
152 | // See the AWS API reference guide for AWS Security Token Service's | |
153 | // API operation AssumeRole for usage and error information. | |
154 | // | |
155 | // Returned Error Codes: | |
156 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
157 | // The request was rejected because the policy document was malformed. The error | |
158 | // message describes the specific error. | |
159 | // | |
160 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
161 | // The request was rejected because the policy document was too large. The error | |
162 | // message describes how big the policy document is, in packed form, as a percentage | |
163 | // of what the API allows. | |
164 | // | |
165 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
166 | // STS is not activated in the requested region for the account that is being | |
167 | // asked to generate credentials. The account administrator must use the IAM | |
168 | // console to activate STS in that region. For more information, see Activating | |
169 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | |
170 | // in the IAM User Guide. | |
171 | // | |
172 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole | |
173 | func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { | |
174 | req, out := c.AssumeRoleRequest(input) | |
175 | return out, req.Send() | |
176 | } | |
177 | ||
178 | // AssumeRoleWithContext is the same as AssumeRole with the addition of | |
179 | // the ability to pass a context and additional request options. | |
180 | // | |
181 | // See AssumeRole for details on how to use this API operation. | |
182 | // | |
183 | // The context must be non-nil and will be used for request cancellation. If | |
184 | // the context is nil a panic will occur. In the future the SDK may create | |
185 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
186 | // for more information on using Contexts. | |
187 | func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { | |
188 | req, out := c.AssumeRoleRequest(input) | |
189 | req.SetContext(ctx) | |
190 | req.ApplyOptions(opts...) | |
191 | return out, req.Send() | |
192 | } | |
193 | ||
194 | const opAssumeRoleWithSAML = "AssumeRoleWithSAML" | |
195 | ||
196 | // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the | |
197 | // client's request for the AssumeRoleWithSAML operation. The "output" return | |
198 | // value can be used to capture response data after the request's "Send" method | |
199 | // is called. | |
200 | // | |
201 | // See AssumeRoleWithSAML for usage and error information. | |
202 | // | |
203 | // Creating a request object using this method should be used when you want to inject | |
204 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
205 | // access properties on the request object before or after sending the request. If | |
206 | // you just want the service response, call the AssumeRoleWithSAML method directly | |
207 | // instead. | |
208 | // | |
209 | // Note: You must call the "Send" method on the returned request object in order | |
210 | // to execute the request. | |
211 | // | |
212 | // // Example sending a request using the AssumeRoleWithSAMLRequest method. | |
213 | // req, resp := client.AssumeRoleWithSAMLRequest(params) | |
214 | // | |
215 | // err := req.Send() | |
216 | // if err == nil { // resp is now filled | |
217 | // fmt.Println(resp) | |
218 | // } | |
219 | // | |
220 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML | |
221 | func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { | |
222 | op := &request.Operation{ | |
223 | Name: opAssumeRoleWithSAML, | |
224 | HTTPMethod: "POST", | |
225 | HTTPPath: "/", | |
226 | } | |
227 | ||
228 | if input == nil { | |
229 | input = &AssumeRoleWithSAMLInput{} | |
230 | } | |
231 | ||
232 | output = &AssumeRoleWithSAMLOutput{} | |
233 | req = c.newRequest(op, input, output) | |
234 | return | |
235 | } | |
236 | ||
237 | // AssumeRoleWithSAML API operation for AWS Security Token Service. | |
238 | // | |
239 | // Returns a set of temporary security credentials for users who have been authenticated | |
240 | // via a SAML authentication response. This operation provides a mechanism for | |
241 | // tying an enterprise identity store or directory to role-based AWS access | |
242 | // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML | |
243 | // with the other APIs that produce temporary credentials, see Requesting Temporary | |
244 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
245 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
246 | // in the IAM User Guide. | |
247 | // | |
248 | // The temporary security credentials returned by this operation consist of | |
249 | // an access key ID, a secret access key, and a security token. Applications | |
250 | // can use these temporary security credentials to sign calls to AWS services. | |
251 | // | |
252 | // The temporary security credentials are valid for the duration that you specified | |
253 | // when calling AssumeRole, or until the time specified in the SAML authentication | |
254 | // response's SessionNotOnOrAfter value, whichever is shorter. The duration | |
255 | // can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). | |
256 | // The default is 1 hour. | |
257 | // | |
258 | // The temporary security credentials created by AssumeRoleWithSAML can be used | |
259 | // to make API calls to any AWS service with the following exception: you cannot | |
260 | // call the STS service's GetFederationToken or GetSessionToken APIs. | |
261 | // | |
262 | // Optionally, you can pass an IAM access policy to this operation. If you choose | |
263 | // not to pass a policy, the temporary security credentials that are returned | |
264 | // by the operation have the permissions that are defined in the access policy | |
265 | // of the role that is being assumed. If you pass a policy to this operation, | |
266 | // the temporary security credentials that are returned by the operation have | |
267 | // the permissions that are allowed by the intersection of both the access policy | |
268 | // of the role that is being assumed, and the policy that you pass. This means | |
269 | // that both policies must grant the permission for the action to be allowed. | |
270 | // This gives you a way to further restrict the permissions for the resulting | |
271 | // temporary security credentials. You cannot use the passed policy to grant | |
272 | // permissions that are in excess of those allowed by the access policy of the | |
273 | // role that is being assumed. For more information, see Permissions for AssumeRole, | |
274 | // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
275 | // in the IAM User Guide. | |
276 | // | |
277 | // Before your application can call AssumeRoleWithSAML, you must configure your | |
278 | // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, | |
279 | // you must use AWS Identity and Access Management (IAM) to create a SAML provider | |
280 | // entity in your AWS account that represents your identity provider, and create | |
281 | // an IAM role that specifies this SAML provider in its trust policy. | |
282 | // | |
283 | // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. | |
284 | // The identity of the caller is validated by using keys in the metadata document | |
285 | // that is uploaded for the SAML provider entity for your identity provider. | |
286 | // | |
287 | // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail | |
288 | // logs. The entry includes the value in the NameID element of the SAML assertion. | |
289 | // We recommend that you use a NameIDType that is not associated with any personally | |
290 | // identifiable information (PII). For example, you could instead use the Persistent | |
291 | // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). | |
292 | // | |
293 | // For more information, see the following resources: | |
294 | // | |
295 | // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) | |
296 | // in the IAM User Guide. | |
297 | // | |
298 | // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) | |
299 | // in the IAM User Guide. | |
300 | // | |
301 | // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) | |
302 | // in the IAM User Guide. | |
303 | // | |
304 | // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) | |
305 | // in the IAM User Guide. | |
306 | // | |
307 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
308 | // with awserr.Error's Code and Message methods to get detailed information about | |
309 | // the error. | |
310 | // | |
311 | // See the AWS API reference guide for AWS Security Token Service's | |
312 | // API operation AssumeRoleWithSAML for usage and error information. | |
313 | // | |
314 | // Returned Error Codes: | |
315 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
316 | // The request was rejected because the policy document was malformed. The error | |
317 | // message describes the specific error. | |
318 | // | |
319 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
320 | // The request was rejected because the policy document was too large. The error | |
321 | // message describes how big the policy document is, in packed form, as a percentage | |
322 | // of what the API allows. | |
323 | // | |
324 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | |
325 | // The identity provider (IdP) reported that authentication failed. This might | |
326 | // be because the claim is invalid. | |
327 | // | |
328 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | |
329 | // can also mean that the claim has expired or has been explicitly revoked. | |
330 | // | |
331 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | |
332 | // The web identity token that was passed could not be validated by AWS. Get | |
333 | // a new identity token from the identity provider and then retry the request. | |
334 | // | |
335 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | |
336 | // The web identity token that was passed is expired or is not valid. Get a | |
337 | // new identity token from the identity provider and then retry the request. | |
338 | // | |
339 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
340 | // STS is not activated in the requested region for the account that is being | |
341 | // asked to generate credentials. The account administrator must use the IAM | |
342 | // console to activate STS in that region. For more information, see Activating | |
343 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | |
344 | // in the IAM User Guide. | |
345 | // | |
346 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML | |
347 | func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { | |
348 | req, out := c.AssumeRoleWithSAMLRequest(input) | |
349 | return out, req.Send() | |
350 | } | |
351 | ||
352 | // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of | |
353 | // the ability to pass a context and additional request options. | |
354 | // | |
355 | // See AssumeRoleWithSAML for details on how to use this API operation. | |
356 | // | |
357 | // The context must be non-nil and will be used for request cancellation. If | |
358 | // the context is nil a panic will occur. In the future the SDK may create | |
359 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
360 | // for more information on using Contexts. | |
361 | func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { | |
362 | req, out := c.AssumeRoleWithSAMLRequest(input) | |
363 | req.SetContext(ctx) | |
364 | req.ApplyOptions(opts...) | |
365 | return out, req.Send() | |
366 | } | |
367 | ||
368 | const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" | |
369 | ||
370 | // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the | |
371 | // client's request for the AssumeRoleWithWebIdentity operation. The "output" return | |
372 | // value can be used to capture response data after the request's "Send" method | |
373 | // is called. | |
374 | // | |
375 | // See AssumeRoleWithWebIdentity for usage and error information. | |
376 | // | |
377 | // Creating a request object using this method should be used when you want to inject | |
378 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
379 | // access properties on the request object before or after sending the request. If | |
380 | // you just want the service response, call the AssumeRoleWithWebIdentity method directly | |
381 | // instead. | |
382 | // | |
383 | // Note: You must call the "Send" method on the returned request object in order | |
384 | // to execute the request. | |
385 | // | |
386 | // // Example sending a request using the AssumeRoleWithWebIdentityRequest method. | |
387 | // req, resp := client.AssumeRoleWithWebIdentityRequest(params) | |
388 | // | |
389 | // err := req.Send() | |
390 | // if err == nil { // resp is now filled | |
391 | // fmt.Println(resp) | |
392 | // } | |
393 | // | |
394 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity | |
395 | func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { | |
396 | op := &request.Operation{ | |
397 | Name: opAssumeRoleWithWebIdentity, | |
398 | HTTPMethod: "POST", | |
399 | HTTPPath: "/", | |
400 | } | |
401 | ||
402 | if input == nil { | |
403 | input = &AssumeRoleWithWebIdentityInput{} | |
404 | } | |
405 | ||
406 | output = &AssumeRoleWithWebIdentityOutput{} | |
407 | req = c.newRequest(op, input, output) | |
408 | return | |
409 | } | |
410 | ||
411 | // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. | |
412 | // | |
413 | // Returns a set of temporary security credentials for users who have been authenticated | |
414 | // in a mobile or web application with a web identity provider, such as Amazon | |
415 | // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible | |
416 | // identity provider. | |
417 | // | |
418 | // For mobile applications, we recommend that you use Amazon Cognito. You can | |
419 | // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/) | |
420 | // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely | |
421 | // identify a user and supply the user with a consistent identity throughout | |
422 | // the lifetime of an application. | |
423 | // | |
424 | // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) | |
425 | // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview | |
426 | // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) | |
427 | // in the AWS SDK for iOS Developer Guide. | |
428 | // | |
429 | // Calling AssumeRoleWithWebIdentity does not require the use of AWS security | |
430 | // credentials. Therefore, you can distribute an application (for example, on | |
431 | // mobile devices) that requests temporary security credentials without including | |
432 | // long-term AWS credentials in the application, and without deploying server-based | |
433 | // proxy services that use long-term AWS credentials. Instead, the identity | |
434 | // of the caller is validated by using a token from the web identity provider. | |
435 | // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce | |
436 | // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
437 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
438 | // in the IAM User Guide. | |
439 | // | |
440 | // The temporary security credentials returned by this API consist of an access | |
441 | // key ID, a secret access key, and a security token. Applications can use these | |
442 | // temporary security credentials to sign calls to AWS service APIs. | |
443 | // | |
444 | // The credentials are valid for the duration that you specified when calling | |
445 | // AssumeRoleWithWebIdentity, which can be from 900 seconds (15 minutes) to | |
446 | // a maximum of 3600 seconds (1 hour). The default is 1 hour. | |
447 | // | |
448 | // The temporary security credentials created by AssumeRoleWithWebIdentity can | |
449 | // be used to make API calls to any AWS service with the following exception: | |
450 | // you cannot call the STS service's GetFederationToken or GetSessionToken APIs. | |
451 | // | |
452 | // Optionally, you can pass an IAM access policy to this operation. If you choose | |
453 | // not to pass a policy, the temporary security credentials that are returned | |
454 | // by the operation have the permissions that are defined in the access policy | |
455 | // of the role that is being assumed. If you pass a policy to this operation, | |
456 | // the temporary security credentials that are returned by the operation have | |
457 | // the permissions that are allowed by both the access policy of the role that | |
458 | // is being assumed, and the policy that you pass. This gives you a way to further | |
459 | // restrict the permissions for the resulting temporary security credentials. | |
460 | // You cannot use the passed policy to grant permissions that are in excess | |
461 | // of those allowed by the access policy of the role that is being assumed. | |
462 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | |
463 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
464 | // in the IAM User Guide. | |
465 | // | |
466 | // Before your application can call AssumeRoleWithWebIdentity, you must have | |
467 | // an identity token from a supported identity provider and create a role that | |
468 | // the application can assume. The role that your application assumes must trust | |
469 | // the identity provider that is associated with the identity token. In other | |
470 | // words, the identity provider must be specified in the role's trust policy. | |
471 | // | |
472 | // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail | |
473 | // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) | |
474 | // of the provided Web Identity Token. We recommend that you avoid using any | |
475 | // personally identifiable information (PII) in this field. For example, you | |
476 | // could instead use a GUID or a pairwise identifier, as suggested in the OIDC | |
477 | // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). | |
478 | // | |
479 | // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity | |
480 | // API, see the following resources: | |
481 | // | |
482 | // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) | |
483 | // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | |
484 | // | |
485 | // | |
486 | // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). | |
487 | // This interactive website lets you walk through the process of authenticating | |
488 | // via Login with Amazon, Facebook, or Google, getting temporary security | |
489 | // credentials, and then using those credentials to make a request to AWS. | |
490 | // | |
491 | // | |
492 | // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android | |
493 | // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample | |
494 | // apps that show how to invoke the identity providers, and then how to use | |
495 | // the information from these providers to get and use temporary security | |
496 | // credentials. | |
497 | // | |
498 | // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313). | |
499 | // This article discusses web identity federation and shows an example of | |
500 | // how to use web identity federation to get access to content in Amazon | |
501 | // S3. | |
502 | // | |
503 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
504 | // with awserr.Error's Code and Message methods to get detailed information about | |
505 | // the error. | |
506 | // | |
507 | // See the AWS API reference guide for AWS Security Token Service's | |
508 | // API operation AssumeRoleWithWebIdentity for usage and error information. | |
509 | // | |
510 | // Returned Error Codes: | |
511 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
512 | // The request was rejected because the policy document was malformed. The error | |
513 | // message describes the specific error. | |
514 | // | |
515 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
516 | // The request was rejected because the policy document was too large. The error | |
517 | // message describes how big the policy document is, in packed form, as a percentage | |
518 | // of what the API allows. | |
519 | // | |
520 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | |
521 | // The identity provider (IdP) reported that authentication failed. This might | |
522 | // be because the claim is invalid. | |
523 | // | |
524 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | |
525 | // can also mean that the claim has expired or has been explicitly revoked. | |
526 | // | |
527 | // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" | |
528 | // The request could not be fulfilled because the non-AWS identity provider | |
529 | // (IDP) that was asked to verify the incoming identity token could not be reached. | |
530 | // This is often a transient error caused by network conditions. Retry the request | |
531 | // a limited number of times so that you don't exceed the request rate. If the | |
532 | // error persists, the non-AWS identity provider might be down or not responding. | |
533 | // | |
534 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | |
535 | // The web identity token that was passed could not be validated by AWS. Get | |
536 | // a new identity token from the identity provider and then retry the request. | |
537 | // | |
538 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | |
539 | // The web identity token that was passed is expired or is not valid. Get a | |
540 | // new identity token from the identity provider and then retry the request. | |
541 | // | |
542 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
543 | // STS is not activated in the requested region for the account that is being | |
544 | // asked to generate credentials. The account administrator must use the IAM | |
545 | // console to activate STS in that region. For more information, see Activating | |
546 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | |
547 | // in the IAM User Guide. | |
548 | // | |
549 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity | |
550 | func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { | |
551 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | |
552 | return out, req.Send() | |
553 | } | |
554 | ||
555 | // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of | |
556 | // the ability to pass a context and additional request options. | |
557 | // | |
558 | // See AssumeRoleWithWebIdentity for details on how to use this API operation. | |
559 | // | |
560 | // The context must be non-nil and will be used for request cancellation. If | |
561 | // the context is nil a panic will occur. In the future the SDK may create | |
562 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
563 | // for more information on using Contexts. | |
564 | func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { | |
565 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | |
566 | req.SetContext(ctx) | |
567 | req.ApplyOptions(opts...) | |
568 | return out, req.Send() | |
569 | } | |
570 | ||
571 | const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" | |
572 | ||
573 | // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the | |
574 | // client's request for the DecodeAuthorizationMessage operation. The "output" return | |
575 | // value can be used to capture response data after the request's "Send" method | |
576 | // is called. | |
577 | // | |
578 | // See DecodeAuthorizationMessage for usage and error information. | |
579 | // | |
580 | // Creating a request object using this method should be used when you want to inject | |
581 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
582 | // access properties on the request object before or after sending the request. If | |
583 | // you just want the service response, call the DecodeAuthorizationMessage method directly | |
584 | // instead. | |
585 | // | |
586 | // Note: You must call the "Send" method on the returned request object in order | |
587 | // to execute the request. | |
588 | // | |
589 | // // Example sending a request using the DecodeAuthorizationMessageRequest method. | |
590 | // req, resp := client.DecodeAuthorizationMessageRequest(params) | |
591 | // | |
592 | // err := req.Send() | |
593 | // if err == nil { // resp is now filled | |
594 | // fmt.Println(resp) | |
595 | // } | |
596 | // | |
597 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage | |
598 | func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { | |
599 | op := &request.Operation{ | |
600 | Name: opDecodeAuthorizationMessage, | |
601 | HTTPMethod: "POST", | |
602 | HTTPPath: "/", | |
603 | } | |
604 | ||
605 | if input == nil { | |
606 | input = &DecodeAuthorizationMessageInput{} | |
607 | } | |
608 | ||
609 | output = &DecodeAuthorizationMessageOutput{} | |
610 | req = c.newRequest(op, input, output) | |
611 | return | |
612 | } | |
613 | ||
614 | // DecodeAuthorizationMessage API operation for AWS Security Token Service. | |
615 | // | |
616 | // Decodes additional information about the authorization status of a request | |
617 | // from an encoded message returned in response to an AWS request. | |
618 | // | |
619 | // For example, if a user is not authorized to perform an action that he or | |
620 | // she has requested, the request returns a Client.UnauthorizedOperation response | |
621 | // (an HTTP 403 response). Some AWS actions additionally return an encoded message | |
622 | // that can provide details about this authorization failure. | |
623 | // | |
624 | // Only certain AWS actions return an encoded authorization message. The documentation | |
625 | // for an individual action indicates whether that action returns an encoded | |
626 | // message in addition to returning an HTTP code. | |
627 | // | |
628 | // The message is encoded because the details of the authorization status can | |
629 | // constitute privileged information that the user who requested the action | |
630 | // should not see. To decode an authorization status message, a user must be | |
631 | // granted permissions via an IAM policy to request the DecodeAuthorizationMessage | |
632 | // (sts:DecodeAuthorizationMessage) action. | |
633 | // | |
634 | // The decoded message includes the following type of information: | |
635 | // | |
636 | // * Whether the request was denied due to an explicit deny or due to the | |
637 | // absence of an explicit allow. For more information, see Determining Whether | |
638 | // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) | |
639 | // in the IAM User Guide. | |
640 | // | |
641 | // * The principal who made the request. | |
642 | // | |
643 | // * The requested action. | |
644 | // | |
645 | // * The requested resource. | |
646 | // | |
647 | // * The values of condition keys in the context of the user's request. | |
648 | // | |
649 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
650 | // with awserr.Error's Code and Message methods to get detailed information about | |
651 | // the error. | |
652 | // | |
653 | // See the AWS API reference guide for AWS Security Token Service's | |
654 | // API operation DecodeAuthorizationMessage for usage and error information. | |
655 | // | |
656 | // Returned Error Codes: | |
657 | // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" | |
658 | // The error returned if the message passed to DecodeAuthorizationMessage was | |
659 | // invalid. This can happen if the token contains invalid characters, such as | |
660 | // linebreaks. | |
661 | // | |
662 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage | |
663 | func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { | |
664 | req, out := c.DecodeAuthorizationMessageRequest(input) | |
665 | return out, req.Send() | |
666 | } | |
667 | ||
668 | // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of | |
669 | // the ability to pass a context and additional request options. | |
670 | // | |
671 | // See DecodeAuthorizationMessage for details on how to use this API operation. | |
672 | // | |
673 | // The context must be non-nil and will be used for request cancellation. If | |
674 | // the context is nil a panic will occur. In the future the SDK may create | |
675 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
676 | // for more information on using Contexts. | |
677 | func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { | |
678 | req, out := c.DecodeAuthorizationMessageRequest(input) | |
679 | req.SetContext(ctx) | |
680 | req.ApplyOptions(opts...) | |
681 | return out, req.Send() | |
682 | } | |
683 | ||
684 | const opGetCallerIdentity = "GetCallerIdentity" | |
685 | ||
686 | // GetCallerIdentityRequest generates a "aws/request.Request" representing the | |
687 | // client's request for the GetCallerIdentity operation. The "output" return | |
688 | // value can be used to capture response data after the request's "Send" method | |
689 | // is called. | |
690 | // | |
691 | // See GetCallerIdentity for usage and error information. | |
692 | // | |
693 | // Creating a request object using this method should be used when you want to inject | |
694 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
695 | // access properties on the request object before or after sending the request. If | |
696 | // you just want the service response, call the GetCallerIdentity method directly | |
697 | // instead. | |
698 | // | |
699 | // Note: You must call the "Send" method on the returned request object in order | |
700 | // to execute the request. | |
701 | // | |
702 | // // Example sending a request using the GetCallerIdentityRequest method. | |
703 | // req, resp := client.GetCallerIdentityRequest(params) | |
704 | // | |
705 | // err := req.Send() | |
706 | // if err == nil { // resp is now filled | |
707 | // fmt.Println(resp) | |
708 | // } | |
709 | // | |
710 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity | |
711 | func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { | |
712 | op := &request.Operation{ | |
713 | Name: opGetCallerIdentity, | |
714 | HTTPMethod: "POST", | |
715 | HTTPPath: "/", | |
716 | } | |
717 | ||
718 | if input == nil { | |
719 | input = &GetCallerIdentityInput{} | |
720 | } | |
721 | ||
722 | output = &GetCallerIdentityOutput{} | |
723 | req = c.newRequest(op, input, output) | |
724 | return | |
725 | } | |
726 | ||
727 | // GetCallerIdentity API operation for AWS Security Token Service. | |
728 | // | |
729 | // Returns details about the IAM identity whose credentials are used to call | |
730 | // the API. | |
731 | // | |
732 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
733 | // with awserr.Error's Code and Message methods to get detailed information about | |
734 | // the error. | |
735 | // | |
736 | // See the AWS API reference guide for AWS Security Token Service's | |
737 | // API operation GetCallerIdentity for usage and error information. | |
738 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity | |
739 | func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { | |
740 | req, out := c.GetCallerIdentityRequest(input) | |
741 | return out, req.Send() | |
742 | } | |
743 | ||
744 | // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of | |
745 | // the ability to pass a context and additional request options. | |
746 | // | |
747 | // See GetCallerIdentity for details on how to use this API operation. | |
748 | // | |
749 | // The context must be non-nil and will be used for request cancellation. If | |
750 | // the context is nil a panic will occur. In the future the SDK may create | |
751 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
752 | // for more information on using Contexts. | |
753 | func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { | |
754 | req, out := c.GetCallerIdentityRequest(input) | |
755 | req.SetContext(ctx) | |
756 | req.ApplyOptions(opts...) | |
757 | return out, req.Send() | |
758 | } | |
759 | ||
760 | const opGetFederationToken = "GetFederationToken" | |
761 | ||
762 | // GetFederationTokenRequest generates a "aws/request.Request" representing the | |
763 | // client's request for the GetFederationToken operation. The "output" return | |
764 | // value can be used to capture response data after the request's "Send" method | |
765 | // is called. | |
766 | // | |
767 | // See GetFederationToken for usage and error information. | |
768 | // | |
769 | // Creating a request object using this method should be used when you want to inject | |
770 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
771 | // access properties on the request object before or after sending the request. If | |
772 | // you just want the service response, call the GetFederationToken method directly | |
773 | // instead. | |
774 | // | |
775 | // Note: You must call the "Send" method on the returned request object in order | |
776 | // to execute the request. | |
777 | // | |
778 | // // Example sending a request using the GetFederationTokenRequest method. | |
779 | // req, resp := client.GetFederationTokenRequest(params) | |
780 | // | |
781 | // err := req.Send() | |
782 | // if err == nil { // resp is now filled | |
783 | // fmt.Println(resp) | |
784 | // } | |
785 | // | |
786 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken | |
787 | func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { | |
788 | op := &request.Operation{ | |
789 | Name: opGetFederationToken, | |
790 | HTTPMethod: "POST", | |
791 | HTTPPath: "/", | |
792 | } | |
793 | ||
794 | if input == nil { | |
795 | input = &GetFederationTokenInput{} | |
796 | } | |
797 | ||
798 | output = &GetFederationTokenOutput{} | |
799 | req = c.newRequest(op, input, output) | |
800 | return | |
801 | } | |
802 | ||
803 | // GetFederationToken API operation for AWS Security Token Service. | |
804 | // | |
805 | // Returns a set of temporary security credentials (consisting of an access | |
806 | // key ID, a secret access key, and a security token) for a federated user. | |
807 | // A typical use is in a proxy application that gets temporary security credentials | |
808 | // on behalf of distributed applications inside a corporate network. Because | |
809 | // you must call the GetFederationToken action using the long-term security | |
810 | // credentials of an IAM user, this call is appropriate in contexts where those | |
811 | // credentials can be safely stored, usually in a server-based application. | |
812 | // For a comparison of GetFederationToken with the other APIs that produce temporary | |
813 | // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
814 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
815 | // in the IAM User Guide. | |
816 | // | |
817 | // If you are creating a mobile-based or browser-based app that can authenticate | |
818 | // users using a web identity provider like Login with Amazon, Facebook, Google, | |
819 | // or an OpenID Connect-compatible identity provider, we recommend that you | |
820 | // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. | |
821 | // For more information, see Federation Through a Web-based Identity Provider | |
822 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | |
823 | // | |
824 | // The GetFederationToken action must be called by using the long-term AWS security | |
825 | // credentials of an IAM user. You can also call GetFederationToken using the | |
826 | // security credentials of an AWS root account, but we do not recommended it. | |
827 | // Instead, we recommend that you create an IAM user for the purpose of the | |
828 | // proxy application and then attach a policy to the IAM user that limits federated | |
829 | // users to only the actions and resources that they need access to. For more | |
830 | // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) | |
831 | // in the IAM User Guide. | |
832 | // | |
833 | // The temporary security credentials that are obtained by using the long-term | |
834 | // credentials of an IAM user are valid for the specified duration, from 900 | |
835 | // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default | |
836 | // is 43200 seconds (12 hours). Temporary credentials that are obtained by using | |
837 | // AWS root account credentials have a maximum duration of 3600 seconds (1 hour). | |
838 | // | |
839 | // The temporary security credentials created by GetFederationToken can be used | |
840 | // to make API calls to any AWS service with the following exceptions: | |
841 | // | |
842 | // * You cannot use these credentials to call any IAM APIs. | |
843 | // | |
844 | // * You cannot call any STS APIs except GetCallerIdentity. | |
845 | // | |
846 | // Permissions | |
847 | // | |
848 | // The permissions for the temporary security credentials returned by GetFederationToken | |
849 | // are determined by a combination of the following: | |
850 | // | |
851 | // * The policy or policies that are attached to the IAM user whose credentials | |
852 | // are used to call GetFederationToken. | |
853 | // | |
854 | // * The policy that is passed as a parameter in the call. | |
855 | // | |
856 | // The passed policy is attached to the temporary security credentials that | |
857 | // result from the GetFederationToken API call--that is, to the federated user. | |
858 | // When the federated user makes an AWS request, AWS evaluates the policy attached | |
859 | // to the federated user in combination with the policy or policies attached | |
860 | // to the IAM user whose credentials were used to call GetFederationToken. AWS | |
861 | // allows the federated user's request only when both the federated user and | |
862 | // the IAM user are explicitly allowed to perform the requested action. The | |
863 | // passed policy cannot grant more permissions than those that are defined in | |
864 | // the IAM user policy. | |
865 | // | |
866 | // A typical use case is that the permissions of the IAM user whose credentials | |
867 | // are used to call GetFederationToken are designed to allow access to all the | |
868 | // actions and resources that any federated user will need. Then, for individual | |
869 | // users, you pass a policy to the operation that scopes down the permissions | |
870 | // to a level that's appropriate to that individual user, using a policy that | |
871 | // allows only a subset of permissions that are granted to the IAM user. | |
872 | // | |
873 | // If you do not pass a policy, the resulting temporary security credentials | |
874 | // have no effective permissions. The only exception is when the temporary security | |
875 | // credentials are used to access a resource that has a resource-based policy | |
876 | // that specifically allows the federated user to access the resource. | |
877 | // | |
878 | // For more information about how permissions work, see Permissions for GetFederationToken | |
879 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | |
880 | // For information about using GetFederationToken to create temporary security | |
881 | // credentials, see GetFederationToken—Federation Through a Custom Identity | |
882 | // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). | |
883 | // | |
884 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
885 | // with awserr.Error's Code and Message methods to get detailed information about | |
886 | // the error. | |
887 | // | |
888 | // See the AWS API reference guide for AWS Security Token Service's | |
889 | // API operation GetFederationToken for usage and error information. | |
890 | // | |
891 | // Returned Error Codes: | |
892 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | |
893 | // The request was rejected because the policy document was malformed. The error | |
894 | // message describes the specific error. | |
895 | // | |
896 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | |
897 | // The request was rejected because the policy document was too large. The error | |
898 | // message describes how big the policy document is, in packed form, as a percentage | |
899 | // of what the API allows. | |
900 | // | |
901 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
902 | // STS is not activated in the requested region for the account that is being | |
903 | // asked to generate credentials. The account administrator must use the IAM | |
904 | // console to activate STS in that region. For more information, see Activating | |
905 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | |
906 | // in the IAM User Guide. | |
907 | // | |
908 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken | |
909 | func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { | |
910 | req, out := c.GetFederationTokenRequest(input) | |
911 | return out, req.Send() | |
912 | } | |
913 | ||
914 | // GetFederationTokenWithContext is the same as GetFederationToken with the addition of | |
915 | // the ability to pass a context and additional request options. | |
916 | // | |
917 | // See GetFederationToken for details on how to use this API operation. | |
918 | // | |
919 | // The context must be non-nil and will be used for request cancellation. If | |
920 | // the context is nil a panic will occur. In the future the SDK may create | |
921 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
922 | // for more information on using Contexts. | |
923 | func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { | |
924 | req, out := c.GetFederationTokenRequest(input) | |
925 | req.SetContext(ctx) | |
926 | req.ApplyOptions(opts...) | |
927 | return out, req.Send() | |
928 | } | |
929 | ||
930 | const opGetSessionToken = "GetSessionToken" | |
931 | ||
932 | // GetSessionTokenRequest generates a "aws/request.Request" representing the | |
933 | // client's request for the GetSessionToken operation. The "output" return | |
934 | // value can be used to capture response data after the request's "Send" method | |
935 | // is called. | |
936 | // | |
937 | // See GetSessionToken for usage and error information. | |
938 | // | |
939 | // Creating a request object using this method should be used when you want to inject | |
940 | // custom logic into the request's lifecycle using a custom handler, or if you want to | |
941 | // access properties on the request object before or after sending the request. If | |
942 | // you just want the service response, call the GetSessionToken method directly | |
943 | // instead. | |
944 | // | |
945 | // Note: You must call the "Send" method on the returned request object in order | |
946 | // to execute the request. | |
947 | // | |
948 | // // Example sending a request using the GetSessionTokenRequest method. | |
949 | // req, resp := client.GetSessionTokenRequest(params) | |
950 | // | |
951 | // err := req.Send() | |
952 | // if err == nil { // resp is now filled | |
953 | // fmt.Println(resp) | |
954 | // } | |
955 | // | |
956 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken | |
957 | func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { | |
958 | op := &request.Operation{ | |
959 | Name: opGetSessionToken, | |
960 | HTTPMethod: "POST", | |
961 | HTTPPath: "/", | |
962 | } | |
963 | ||
964 | if input == nil { | |
965 | input = &GetSessionTokenInput{} | |
966 | } | |
967 | ||
968 | output = &GetSessionTokenOutput{} | |
969 | req = c.newRequest(op, input, output) | |
970 | return | |
971 | } | |
972 | ||
973 | // GetSessionToken API operation for AWS Security Token Service. | |
974 | // | |
975 | // Returns a set of temporary credentials for an AWS account or IAM user. The | |
976 | // credentials consist of an access key ID, a secret access key, and a security | |
977 | // token. Typically, you use GetSessionToken if you want to use MFA to protect | |
978 | // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled | |
979 | // IAM users would need to call GetSessionToken and submit an MFA code that | |
980 | // is associated with their MFA device. Using the temporary security credentials | |
981 | // that are returned from the call, IAM users can then make programmatic calls | |
982 | // to APIs that require MFA authentication. If you do not supply a correct MFA | |
983 | // code, then the API returns an access denied error. For a comparison of GetSessionToken | |
984 | // with the other APIs that produce temporary credentials, see Requesting Temporary | |
985 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | |
986 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | |
987 | // in the IAM User Guide. | |
988 | // | |
989 | // The GetSessionToken action must be called by using the long-term AWS security | |
990 | // credentials of the AWS account or an IAM user. Credentials that are created | |
991 | // by IAM users are valid for the duration that you specify, from 900 seconds | |
992 | // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default | |
993 | // of 43200 seconds (12 hours); credentials that are created by using account | |
994 | // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 | |
995 | // seconds (1 hour), with a default of 1 hour. | |
996 | // | |
997 | // The temporary security credentials created by GetSessionToken can be used | |
998 | // to make API calls to any AWS service with the following exceptions: | |
999 | // | |
1000 | // * You cannot call any IAM APIs unless MFA authentication information is | |
1001 | // included in the request. | |
1002 | // | |
1003 | // * You cannot call any STS API exceptAssumeRole or GetCallerIdentity. | |
1004 | // | |
1005 | // We recommend that you do not call GetSessionToken with root account credentials. | |
1006 | // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) | |
1007 | // by creating one or more IAM users, giving them the necessary permissions, | |
1008 | // and using IAM users for everyday interaction with AWS. | |
1009 | // | |
1010 | // The permissions associated with the temporary security credentials returned | |
1011 | // by GetSessionToken are based on the permissions associated with account or | |
1012 | // IAM user whose credentials are used to call the action. If GetSessionToken | |
1013 | // is called using root account credentials, the temporary credentials have | |
1014 | // root account permissions. Similarly, if GetSessionToken is called using the | |
1015 | // credentials of an IAM user, the temporary credentials have the same permissions | |
1016 | // as the IAM user. | |
1017 | // | |
1018 | // For more information about using GetSessionToken to create temporary credentials, | |
1019 | // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) | |
1020 | // in the IAM User Guide. | |
1021 | // | |
1022 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | |
1023 | // with awserr.Error's Code and Message methods to get detailed information about | |
1024 | // the error. | |
1025 | // | |
1026 | // See the AWS API reference guide for AWS Security Token Service's | |
1027 | // API operation GetSessionToken for usage and error information. | |
1028 | // | |
1029 | // Returned Error Codes: | |
1030 | // * ErrCodeRegionDisabledException "RegionDisabledException" | |
1031 | // STS is not activated in the requested region for the account that is being | |
1032 | // asked to generate credentials. The account administrator must use the IAM | |
1033 | // console to activate STS in that region. For more information, see Activating | |
1034 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | |
1035 | // in the IAM User Guide. | |
1036 | // | |
1037 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken | |
1038 | func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { | |
1039 | req, out := c.GetSessionTokenRequest(input) | |
1040 | return out, req.Send() | |
1041 | } | |
1042 | ||
1043 | // GetSessionTokenWithContext is the same as GetSessionToken with the addition of | |
1044 | // the ability to pass a context and additional request options. | |
1045 | // | |
1046 | // See GetSessionToken for details on how to use this API operation. | |
1047 | // | |
1048 | // The context must be non-nil and will be used for request cancellation. If | |
1049 | // the context is nil a panic will occur. In the future the SDK may create | |
1050 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | |
1051 | // for more information on using Contexts. | |
1052 | func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { | |
1053 | req, out := c.GetSessionTokenRequest(input) | |
1054 | req.SetContext(ctx) | |
1055 | req.ApplyOptions(opts...) | |
1056 | return out, req.Send() | |
1057 | } | |
1058 | ||
1059 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest | |
1060 | type AssumeRoleInput struct { | |
1061 | _ struct{} `type:"structure"` | |
1062 | ||
1063 | // The duration, in seconds, of the role session. The value can range from 900 | |
1064 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | |
1065 | // to 3600 seconds. | |
1066 | // | |
1067 | // This is separate from the duration of a console session that you might request | |
1068 | // using the returned credentials. The request to the federation endpoint for | |
1069 | // a console sign-in token takes a SessionDuration parameter that specifies | |
1070 | // the maximum length of the console session, separately from the DurationSeconds | |
1071 | // parameter on this API. For more information, see Creating a URL that Enables | |
1072 | // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | |
1073 | // in the IAM User Guide. | |
1074 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1075 | ||
1076 | // A unique identifier that is used by third parties when assuming roles in | |
1077 | // their customers' accounts. For each role that the third party can assume, | |
1078 | // they should instruct their customers to ensure the role's trust policy checks | |
1079 | // for the external ID that the third party generated. Each time the third party | |
1080 | // assumes the role, they should pass the customer's external ID. The external | |
1081 | // ID is useful in order to help third parties bind a role to the customer who | |
1082 | // created it. For more information about the external ID, see How to Use an | |
1083 | // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) | |
1084 | // in the IAM User Guide. | |
1085 | // | |
1086 | // The regex used to validated this parameter is a string of characters consisting | |
1087 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
9b12e4fe | 1088 | // also include underscores or any of the following characters: =,.@:/- |
bae9f6d2 JC |
1089 | ExternalId *string `min:"2" type:"string"` |
1090 | ||
1091 | // An IAM policy in JSON format. | |
1092 | // | |
1093 | // This parameter is optional. If you pass a policy, the temporary security | |
1094 | // credentials that are returned by the operation have the permissions that | |
1095 | // are allowed by both (the intersection of) the access policy of the role that | |
1096 | // is being assumed, and the policy that you pass. This gives you a way to further | |
1097 | // restrict the permissions for the resulting temporary security credentials. | |
1098 | // You cannot use the passed policy to grant permissions that are in excess | |
1099 | // of those allowed by the access policy of the role that is being assumed. | |
1100 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | |
1101 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
1102 | // in the IAM User Guide. | |
1103 | // | |
1104 | // The format for this parameter, as described by its regex pattern, is a string | |
1105 | // of characters up to 2048 characters in length. The characters can be any | |
1106 | // ASCII character from the space character to the end of the valid character | |
1107 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
1108 | // and carriage return (\u000D) characters. | |
1109 | // | |
1110 | // The policy plain text must be 2048 bytes or shorter. However, an internal | |
1111 | // conversion compresses it into a packed binary format with a separate limit. | |
1112 | // The PackedPolicySize response element indicates by percentage how close to | |
1113 | // the upper size limit the policy is, with 100% equaling the maximum allowed | |
1114 | // size. | |
1115 | Policy *string `min:"1" type:"string"` | |
1116 | ||
1117 | // The Amazon Resource Name (ARN) of the role to assume. | |
1118 | // | |
1119 | // RoleArn is a required field | |
1120 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1121 | ||
1122 | // An identifier for the assumed role session. | |
1123 | // | |
1124 | // Use the role session name to uniquely identify a session when the same role | |
1125 | // is assumed by different principals or for different reasons. In cross-account | |
1126 | // scenarios, the role session name is visible to, and can be logged by the | |
1127 | // account that owns the role. The role session name is also used in the ARN | |
1128 | // of the assumed role principal. This means that subsequent cross-account API | |
1129 | // requests using the temporary security credentials will expose the role session | |
1130 | // name to the external account in their CloudTrail logs. | |
1131 | // | |
1132 | // The regex used to validate this parameter is a string of characters consisting | |
1133 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1134 | // also include underscores or any of the following characters: =,.@- | |
1135 | // | |
1136 | // RoleSessionName is a required field | |
1137 | RoleSessionName *string `min:"2" type:"string" required:"true"` | |
1138 | ||
1139 | // The identification number of the MFA device that is associated with the user | |
1140 | // who is making the AssumeRole call. Specify this value if the trust policy | |
1141 | // of the role being assumed includes a condition that requires MFA authentication. | |
1142 | // The value is either the serial number for a hardware device (such as GAHT12345678) | |
1143 | // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | |
1144 | // | |
1145 | // The regex used to validate this parameter is a string of characters consisting | |
1146 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1147 | // also include underscores or any of the following characters: =,.@- | |
1148 | SerialNumber *string `min:"9" type:"string"` | |
1149 | ||
1150 | // The value provided by the MFA device, if the trust policy of the role being | |
1151 | // assumed requires MFA (that is, if the policy includes a condition that tests | |
1152 | // for MFA). If the role being assumed requires MFA and if the TokenCode value | |
1153 | // is missing or expired, the AssumeRole call returns an "access denied" error. | |
1154 | // | |
1155 | // The format for this parameter, as described by its regex pattern, is a sequence | |
1156 | // of six numeric digits. | |
1157 | TokenCode *string `min:"6" type:"string"` | |
1158 | } | |
1159 | ||
1160 | // String returns the string representation | |
1161 | func (s AssumeRoleInput) String() string { | |
1162 | return awsutil.Prettify(s) | |
1163 | } | |
1164 | ||
1165 | // GoString returns the string representation | |
1166 | func (s AssumeRoleInput) GoString() string { | |
1167 | return s.String() | |
1168 | } | |
1169 | ||
1170 | // Validate inspects the fields of the type to determine if they are valid. | |
1171 | func (s *AssumeRoleInput) Validate() error { | |
1172 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} | |
1173 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1174 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1175 | } | |
1176 | if s.ExternalId != nil && len(*s.ExternalId) < 2 { | |
1177 | invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) | |
1178 | } | |
1179 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1180 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1181 | } | |
1182 | if s.RoleArn == nil { | |
1183 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1184 | } | |
1185 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1186 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1187 | } | |
1188 | if s.RoleSessionName == nil { | |
1189 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | |
1190 | } | |
1191 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | |
1192 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | |
1193 | } | |
1194 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | |
1195 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | |
1196 | } | |
1197 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | |
1198 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | |
1199 | } | |
1200 | ||
1201 | if invalidParams.Len() > 0 { | |
1202 | return invalidParams | |
1203 | } | |
1204 | return nil | |
1205 | } | |
1206 | ||
1207 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1208 | func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { | |
1209 | s.DurationSeconds = &v | |
1210 | return s | |
1211 | } | |
1212 | ||
1213 | // SetExternalId sets the ExternalId field's value. | |
1214 | func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { | |
1215 | s.ExternalId = &v | |
1216 | return s | |
1217 | } | |
1218 | ||
1219 | // SetPolicy sets the Policy field's value. | |
1220 | func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { | |
1221 | s.Policy = &v | |
1222 | return s | |
1223 | } | |
1224 | ||
1225 | // SetRoleArn sets the RoleArn field's value. | |
1226 | func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { | |
1227 | s.RoleArn = &v | |
1228 | return s | |
1229 | } | |
1230 | ||
1231 | // SetRoleSessionName sets the RoleSessionName field's value. | |
1232 | func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { | |
1233 | s.RoleSessionName = &v | |
1234 | return s | |
1235 | } | |
1236 | ||
1237 | // SetSerialNumber sets the SerialNumber field's value. | |
1238 | func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { | |
1239 | s.SerialNumber = &v | |
1240 | return s | |
1241 | } | |
1242 | ||
1243 | // SetTokenCode sets the TokenCode field's value. | |
1244 | func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { | |
1245 | s.TokenCode = &v | |
1246 | return s | |
1247 | } | |
1248 | ||
1249 | // Contains the response to a successful AssumeRole request, including temporary | |
1250 | // AWS credentials that can be used to make AWS requests. | |
1251 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse | |
1252 | type AssumeRoleOutput struct { | |
1253 | _ struct{} `type:"structure"` | |
1254 | ||
1255 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | |
1256 | // that you can use to refer to the resulting temporary security credentials. | |
1257 | // For example, you can reference these credentials as a principal in a resource-based | |
1258 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | |
1259 | // that you specified when you called AssumeRole. | |
1260 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1261 | ||
1262 | // The temporary security credentials, which include an access key ID, a secret | |
1263 | // access key, and a security (or session) token. | |
1264 | // | |
1265 | // Note: The size of the security token that STS APIs return is not fixed. We | |
1266 | // strongly recommend that you make no assumptions about the maximum size. As | |
1267 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | |
1268 | // Also, future updates to AWS might require larger sizes. | |
1269 | Credentials *Credentials `type:"structure"` | |
1270 | ||
1271 | // A percentage value that indicates the size of the policy in packed form. | |
1272 | // The service rejects any policy with a packed size greater than 100 percent, | |
1273 | // which means the policy exceeded the allowed space. | |
1274 | PackedPolicySize *int64 `type:"integer"` | |
1275 | } | |
1276 | ||
1277 | // String returns the string representation | |
1278 | func (s AssumeRoleOutput) String() string { | |
1279 | return awsutil.Prettify(s) | |
1280 | } | |
1281 | ||
1282 | // GoString returns the string representation | |
1283 | func (s AssumeRoleOutput) GoString() string { | |
1284 | return s.String() | |
1285 | } | |
1286 | ||
1287 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
1288 | func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { | |
1289 | s.AssumedRoleUser = v | |
1290 | return s | |
1291 | } | |
1292 | ||
1293 | // SetCredentials sets the Credentials field's value. | |
1294 | func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { | |
1295 | s.Credentials = v | |
1296 | return s | |
1297 | } | |
1298 | ||
1299 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
1300 | func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { | |
1301 | s.PackedPolicySize = &v | |
1302 | return s | |
1303 | } | |
1304 | ||
1305 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLRequest | |
1306 | type AssumeRoleWithSAMLInput struct { | |
1307 | _ struct{} `type:"structure"` | |
1308 | ||
1309 | // The duration, in seconds, of the role session. The value can range from 900 | |
1310 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | |
1311 | // to 3600 seconds. An expiration can also be specified in the SAML authentication | |
1312 | // response's SessionNotOnOrAfter value. The actual expiration time is whichever | |
1313 | // value is shorter. | |
1314 | // | |
1315 | // This is separate from the duration of a console session that you might request | |
1316 | // using the returned credentials. The request to the federation endpoint for | |
1317 | // a console sign-in token takes a SessionDuration parameter that specifies | |
1318 | // the maximum length of the console session, separately from the DurationSeconds | |
1319 | // parameter on this API. For more information, see Enabling SAML 2.0 Federated | |
1320 | // Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) | |
1321 | // in the IAM User Guide. | |
1322 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1323 | ||
1324 | // An IAM policy in JSON format. | |
1325 | // | |
1326 | // The policy parameter is optional. If you pass a policy, the temporary security | |
1327 | // credentials that are returned by the operation have the permissions that | |
1328 | // are allowed by both the access policy of the role that is being assumed, | |
1329 | // and the policy that you pass. This gives you a way to further restrict the | |
1330 | // permissions for the resulting temporary security credentials. You cannot | |
1331 | // use the passed policy to grant permissions that are in excess of those allowed | |
1332 | // by the access policy of the role that is being assumed. For more information, | |
1333 | // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity | |
1334 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
1335 | // in the IAM User Guide. | |
1336 | // | |
1337 | // The format for this parameter, as described by its regex pattern, is a string | |
1338 | // of characters up to 2048 characters in length. The characters can be any | |
1339 | // ASCII character from the space character to the end of the valid character | |
1340 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
1341 | // and carriage return (\u000D) characters. | |
1342 | // | |
1343 | // The policy plain text must be 2048 bytes or shorter. However, an internal | |
1344 | // conversion compresses it into a packed binary format with a separate limit. | |
1345 | // The PackedPolicySize response element indicates by percentage how close to | |
1346 | // the upper size limit the policy is, with 100% equaling the maximum allowed | |
1347 | // size. | |
1348 | Policy *string `min:"1" type:"string"` | |
1349 | ||
1350 | // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes | |
1351 | // the IdP. | |
1352 | // | |
1353 | // PrincipalArn is a required field | |
1354 | PrincipalArn *string `min:"20" type:"string" required:"true"` | |
1355 | ||
1356 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | |
1357 | // | |
1358 | // RoleArn is a required field | |
1359 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1360 | ||
1361 | // The base-64 encoded SAML authentication response provided by the IdP. | |
1362 | // | |
1363 | // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) | |
1364 | // in the Using IAM guide. | |
1365 | // | |
1366 | // SAMLAssertion is a required field | |
1367 | SAMLAssertion *string `min:"4" type:"string" required:"true"` | |
1368 | } | |
1369 | ||
1370 | // String returns the string representation | |
1371 | func (s AssumeRoleWithSAMLInput) String() string { | |
1372 | return awsutil.Prettify(s) | |
1373 | } | |
1374 | ||
1375 | // GoString returns the string representation | |
1376 | func (s AssumeRoleWithSAMLInput) GoString() string { | |
1377 | return s.String() | |
1378 | } | |
1379 | ||
1380 | // Validate inspects the fields of the type to determine if they are valid. | |
1381 | func (s *AssumeRoleWithSAMLInput) Validate() error { | |
1382 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} | |
1383 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1384 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1385 | } | |
1386 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1387 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1388 | } | |
1389 | if s.PrincipalArn == nil { | |
1390 | invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) | |
1391 | } | |
1392 | if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { | |
1393 | invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) | |
1394 | } | |
1395 | if s.RoleArn == nil { | |
1396 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1397 | } | |
1398 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1399 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1400 | } | |
1401 | if s.SAMLAssertion == nil { | |
1402 | invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) | |
1403 | } | |
1404 | if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { | |
1405 | invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) | |
1406 | } | |
1407 | ||
1408 | if invalidParams.Len() > 0 { | |
1409 | return invalidParams | |
1410 | } | |
1411 | return nil | |
1412 | } | |
1413 | ||
1414 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1415 | func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { | |
1416 | s.DurationSeconds = &v | |
1417 | return s | |
1418 | } | |
1419 | ||
1420 | // SetPolicy sets the Policy field's value. | |
1421 | func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { | |
1422 | s.Policy = &v | |
1423 | return s | |
1424 | } | |
1425 | ||
1426 | // SetPrincipalArn sets the PrincipalArn field's value. | |
1427 | func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { | |
1428 | s.PrincipalArn = &v | |
1429 | return s | |
1430 | } | |
1431 | ||
1432 | // SetRoleArn sets the RoleArn field's value. | |
1433 | func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { | |
1434 | s.RoleArn = &v | |
1435 | return s | |
1436 | } | |
1437 | ||
1438 | // SetSAMLAssertion sets the SAMLAssertion field's value. | |
1439 | func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { | |
1440 | s.SAMLAssertion = &v | |
1441 | return s | |
1442 | } | |
1443 | ||
1444 | // Contains the response to a successful AssumeRoleWithSAML request, including | |
1445 | // temporary AWS credentials that can be used to make AWS requests. | |
1446 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse | |
1447 | type AssumeRoleWithSAMLOutput struct { | |
1448 | _ struct{} `type:"structure"` | |
1449 | ||
1450 | // The identifiers for the temporary security credentials that the operation | |
1451 | // returns. | |
1452 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1453 | ||
1454 | // The value of the Recipient attribute of the SubjectConfirmationData element | |
1455 | // of the SAML assertion. | |
1456 | Audience *string `type:"string"` | |
1457 | ||
1458 | // The temporary security credentials, which include an access key ID, a secret | |
1459 | // access key, and a security (or session) token. | |
1460 | // | |
1461 | // Note: The size of the security token that STS APIs return is not fixed. We | |
1462 | // strongly recommend that you make no assumptions about the maximum size. As | |
1463 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | |
1464 | // Also, future updates to AWS might require larger sizes. | |
1465 | Credentials *Credentials `type:"structure"` | |
1466 | ||
1467 | // The value of the Issuer element of the SAML assertion. | |
1468 | Issuer *string `type:"string"` | |
1469 | ||
1470 | // A hash value based on the concatenation of the Issuer response value, the | |
1471 | // AWS account ID, and the friendly name (the last part of the ARN) of the SAML | |
1472 | // provider in IAM. The combination of NameQualifier and Subject can be used | |
1473 | // to uniquely identify a federated user. | |
1474 | // | |
1475 | // The following pseudocode shows how the hash value is calculated: | |
1476 | // | |
1477 | // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" | |
1478 | // ) ) | |
1479 | NameQualifier *string `type:"string"` | |
1480 | ||
1481 | // A percentage value that indicates the size of the policy in packed form. | |
1482 | // The service rejects any policy with a packed size greater than 100 percent, | |
1483 | // which means the policy exceeded the allowed space. | |
1484 | PackedPolicySize *int64 `type:"integer"` | |
1485 | ||
1486 | // The value of the NameID element in the Subject element of the SAML assertion. | |
1487 | Subject *string `type:"string"` | |
1488 | ||
1489 | // The format of the name ID, as defined by the Format attribute in the NameID | |
1490 | // element of the SAML assertion. Typical examples of the format are transient | |
1491 | // or persistent. | |
1492 | // | |
1493 | // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, | |
1494 | // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient | |
1495 | // is returned as transient. If the format includes any other prefix, the format | |
1496 | // is returned with no modifications. | |
1497 | SubjectType *string `type:"string"` | |
1498 | } | |
1499 | ||
1500 | // String returns the string representation | |
1501 | func (s AssumeRoleWithSAMLOutput) String() string { | |
1502 | return awsutil.Prettify(s) | |
1503 | } | |
1504 | ||
1505 | // GoString returns the string representation | |
1506 | func (s AssumeRoleWithSAMLOutput) GoString() string { | |
1507 | return s.String() | |
1508 | } | |
1509 | ||
1510 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
1511 | func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { | |
1512 | s.AssumedRoleUser = v | |
1513 | return s | |
1514 | } | |
1515 | ||
1516 | // SetAudience sets the Audience field's value. | |
1517 | func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { | |
1518 | s.Audience = &v | |
1519 | return s | |
1520 | } | |
1521 | ||
1522 | // SetCredentials sets the Credentials field's value. | |
1523 | func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { | |
1524 | s.Credentials = v | |
1525 | return s | |
1526 | } | |
1527 | ||
1528 | // SetIssuer sets the Issuer field's value. | |
1529 | func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { | |
1530 | s.Issuer = &v | |
1531 | return s | |
1532 | } | |
1533 | ||
1534 | // SetNameQualifier sets the NameQualifier field's value. | |
1535 | func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { | |
1536 | s.NameQualifier = &v | |
1537 | return s | |
1538 | } | |
1539 | ||
1540 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
1541 | func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { | |
1542 | s.PackedPolicySize = &v | |
1543 | return s | |
1544 | } | |
1545 | ||
1546 | // SetSubject sets the Subject field's value. | |
1547 | func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { | |
1548 | s.Subject = &v | |
1549 | return s | |
1550 | } | |
1551 | ||
1552 | // SetSubjectType sets the SubjectType field's value. | |
1553 | func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { | |
1554 | s.SubjectType = &v | |
1555 | return s | |
1556 | } | |
1557 | ||
1558 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityRequest | |
1559 | type AssumeRoleWithWebIdentityInput struct { | |
1560 | _ struct{} `type:"structure"` | |
1561 | ||
1562 | // The duration, in seconds, of the role session. The value can range from 900 | |
1563 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | |
1564 | // to 3600 seconds. | |
1565 | // | |
1566 | // This is separate from the duration of a console session that you might request | |
1567 | // using the returned credentials. The request to the federation endpoint for | |
1568 | // a console sign-in token takes a SessionDuration parameter that specifies | |
1569 | // the maximum length of the console session, separately from the DurationSeconds | |
1570 | // parameter on this API. For more information, see Creating a URL that Enables | |
1571 | // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | |
1572 | // in the IAM User Guide. | |
1573 | DurationSeconds *int64 `min:"900" type:"integer"` | |
1574 | ||
1575 | // An IAM policy in JSON format. | |
1576 | // | |
1577 | // The policy parameter is optional. If you pass a policy, the temporary security | |
1578 | // credentials that are returned by the operation have the permissions that | |
1579 | // are allowed by both the access policy of the role that is being assumed, | |
1580 | // and the policy that you pass. This gives you a way to further restrict the | |
1581 | // permissions for the resulting temporary security credentials. You cannot | |
1582 | // use the passed policy to grant permissions that are in excess of those allowed | |
1583 | // by the access policy of the role that is being assumed. For more information, | |
1584 | // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | |
1585 | // in the IAM User Guide. | |
1586 | // | |
1587 | // The format for this parameter, as described by its regex pattern, is a string | |
1588 | // of characters up to 2048 characters in length. The characters can be any | |
1589 | // ASCII character from the space character to the end of the valid character | |
1590 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
1591 | // and carriage return (\u000D) characters. | |
1592 | // | |
1593 | // The policy plain text must be 2048 bytes or shorter. However, an internal | |
1594 | // conversion compresses it into a packed binary format with a separate limit. | |
1595 | // The PackedPolicySize response element indicates by percentage how close to | |
1596 | // the upper size limit the policy is, with 100% equaling the maximum allowed | |
1597 | // size. | |
1598 | Policy *string `min:"1" type:"string"` | |
1599 | ||
1600 | // The fully qualified host component of the domain name of the identity provider. | |
1601 | // | |
1602 | // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com | |
1603 | // and graph.facebook.com are the only supported identity providers for OAuth | |
1604 | // 2.0 access tokens. Do not include URL schemes and port numbers. | |
1605 | // | |
1606 | // Do not specify this value for OpenID Connect ID tokens. | |
1607 | ProviderId *string `min:"4" type:"string"` | |
1608 | ||
1609 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | |
1610 | // | |
1611 | // RoleArn is a required field | |
1612 | RoleArn *string `min:"20" type:"string" required:"true"` | |
1613 | ||
1614 | // An identifier for the assumed role session. Typically, you pass the name | |
1615 | // or identifier that is associated with the user who is using your application. | |
1616 | // That way, the temporary security credentials that your application will use | |
1617 | // are associated with that user. This session name is included as part of the | |
1618 | // ARN and assumed role ID in the AssumedRoleUser response element. | |
1619 | // | |
1620 | // The regex used to validate this parameter is a string of characters consisting | |
1621 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
1622 | // also include underscores or any of the following characters: =,.@- | |
1623 | // | |
1624 | // RoleSessionName is a required field | |
1625 | RoleSessionName *string `min:"2" type:"string" required:"true"` | |
1626 | ||
1627 | // The OAuth 2.0 access token or OpenID Connect ID token that is provided by | |
1628 | // the identity provider. Your application must get this token by authenticating | |
1629 | // the user who is using your application with a web identity provider before | |
1630 | // the application makes an AssumeRoleWithWebIdentity call. | |
1631 | // | |
1632 | // WebIdentityToken is a required field | |
1633 | WebIdentityToken *string `min:"4" type:"string" required:"true"` | |
1634 | } | |
1635 | ||
1636 | // String returns the string representation | |
1637 | func (s AssumeRoleWithWebIdentityInput) String() string { | |
1638 | return awsutil.Prettify(s) | |
1639 | } | |
1640 | ||
1641 | // GoString returns the string representation | |
1642 | func (s AssumeRoleWithWebIdentityInput) GoString() string { | |
1643 | return s.String() | |
1644 | } | |
1645 | ||
1646 | // Validate inspects the fields of the type to determine if they are valid. | |
1647 | func (s *AssumeRoleWithWebIdentityInput) Validate() error { | |
1648 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} | |
1649 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
1650 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
1651 | } | |
1652 | if s.Policy != nil && len(*s.Policy) < 1 { | |
1653 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
1654 | } | |
1655 | if s.ProviderId != nil && len(*s.ProviderId) < 4 { | |
1656 | invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) | |
1657 | } | |
1658 | if s.RoleArn == nil { | |
1659 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | |
1660 | } | |
1661 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | |
1662 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | |
1663 | } | |
1664 | if s.RoleSessionName == nil { | |
1665 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | |
1666 | } | |
1667 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | |
1668 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | |
1669 | } | |
1670 | if s.WebIdentityToken == nil { | |
1671 | invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) | |
1672 | } | |
1673 | if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { | |
1674 | invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) | |
1675 | } | |
1676 | ||
1677 | if invalidParams.Len() > 0 { | |
1678 | return invalidParams | |
1679 | } | |
1680 | return nil | |
1681 | } | |
1682 | ||
1683 | // SetDurationSeconds sets the DurationSeconds field's value. | |
1684 | func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { | |
1685 | s.DurationSeconds = &v | |
1686 | return s | |
1687 | } | |
1688 | ||
1689 | // SetPolicy sets the Policy field's value. | |
1690 | func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { | |
1691 | s.Policy = &v | |
1692 | return s | |
1693 | } | |
1694 | ||
1695 | // SetProviderId sets the ProviderId field's value. | |
1696 | func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { | |
1697 | s.ProviderId = &v | |
1698 | return s | |
1699 | } | |
1700 | ||
1701 | // SetRoleArn sets the RoleArn field's value. | |
1702 | func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { | |
1703 | s.RoleArn = &v | |
1704 | return s | |
1705 | } | |
1706 | ||
1707 | // SetRoleSessionName sets the RoleSessionName field's value. | |
1708 | func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { | |
1709 | s.RoleSessionName = &v | |
1710 | return s | |
1711 | } | |
1712 | ||
1713 | // SetWebIdentityToken sets the WebIdentityToken field's value. | |
1714 | func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { | |
1715 | s.WebIdentityToken = &v | |
1716 | return s | |
1717 | } | |
1718 | ||
1719 | // Contains the response to a successful AssumeRoleWithWebIdentity request, | |
1720 | // including temporary AWS credentials that can be used to make AWS requests. | |
1721 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse | |
1722 | type AssumeRoleWithWebIdentityOutput struct { | |
1723 | _ struct{} `type:"structure"` | |
1724 | ||
1725 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | |
1726 | // that you can use to refer to the resulting temporary security credentials. | |
1727 | // For example, you can reference these credentials as a principal in a resource-based | |
1728 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | |
1729 | // that you specified when you called AssumeRole. | |
1730 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | |
1731 | ||
1732 | // The intended audience (also known as client ID) of the web identity token. | |
1733 | // This is traditionally the client identifier issued to the application that | |
1734 | // requested the web identity token. | |
1735 | Audience *string `type:"string"` | |
1736 | ||
1737 | // The temporary security credentials, which include an access key ID, a secret | |
1738 | // access key, and a security token. | |
1739 | // | |
1740 | // Note: The size of the security token that STS APIs return is not fixed. We | |
1741 | // strongly recommend that you make no assumptions about the maximum size. As | |
1742 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | |
1743 | // Also, future updates to AWS might require larger sizes. | |
1744 | Credentials *Credentials `type:"structure"` | |
1745 | ||
1746 | // A percentage value that indicates the size of the policy in packed form. | |
1747 | // The service rejects any policy with a packed size greater than 100 percent, | |
1748 | // which means the policy exceeded the allowed space. | |
1749 | PackedPolicySize *int64 `type:"integer"` | |
1750 | ||
1751 | // The issuing authority of the web identity token presented. For OpenID Connect | |
1752 | // ID Tokens this contains the value of the iss field. For OAuth 2.0 access | |
1753 | // tokens, this contains the value of the ProviderId parameter that was passed | |
1754 | // in the AssumeRoleWithWebIdentity request. | |
1755 | Provider *string `type:"string"` | |
1756 | ||
1757 | // The unique user identifier that is returned by the identity provider. This | |
1758 | // identifier is associated with the WebIdentityToken that was submitted with | |
1759 | // the AssumeRoleWithWebIdentity call. The identifier is typically unique to | |
1760 | // the user and the application that acquired the WebIdentityToken (pairwise | |
1761 | // identifier). For OpenID Connect ID tokens, this field contains the value | |
1762 | // returned by the identity provider as the token's sub (Subject) claim. | |
1763 | SubjectFromWebIdentityToken *string `min:"6" type:"string"` | |
1764 | } | |
1765 | ||
1766 | // String returns the string representation | |
1767 | func (s AssumeRoleWithWebIdentityOutput) String() string { | |
1768 | return awsutil.Prettify(s) | |
1769 | } | |
1770 | ||
1771 | // GoString returns the string representation | |
1772 | func (s AssumeRoleWithWebIdentityOutput) GoString() string { | |
1773 | return s.String() | |
1774 | } | |
1775 | ||
1776 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | |
1777 | func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { | |
1778 | s.AssumedRoleUser = v | |
1779 | return s | |
1780 | } | |
1781 | ||
1782 | // SetAudience sets the Audience field's value. | |
1783 | func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { | |
1784 | s.Audience = &v | |
1785 | return s | |
1786 | } | |
1787 | ||
1788 | // SetCredentials sets the Credentials field's value. | |
1789 | func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { | |
1790 | s.Credentials = v | |
1791 | return s | |
1792 | } | |
1793 | ||
1794 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
1795 | func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { | |
1796 | s.PackedPolicySize = &v | |
1797 | return s | |
1798 | } | |
1799 | ||
1800 | // SetProvider sets the Provider field's value. | |
1801 | func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { | |
1802 | s.Provider = &v | |
1803 | return s | |
1804 | } | |
1805 | ||
1806 | // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. | |
1807 | func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { | |
1808 | s.SubjectFromWebIdentityToken = &v | |
1809 | return s | |
1810 | } | |
1811 | ||
1812 | // The identifiers for the temporary security credentials that the operation | |
1813 | // returns. | |
1814 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser | |
1815 | type AssumedRoleUser struct { | |
1816 | _ struct{} `type:"structure"` | |
1817 | ||
1818 | // The ARN of the temporary security credentials that are returned from the | |
1819 | // AssumeRole action. For more information about ARNs and how to use them in | |
1820 | // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | |
1821 | // in Using IAM. | |
1822 | // | |
1823 | // Arn is a required field | |
1824 | Arn *string `min:"20" type:"string" required:"true"` | |
1825 | ||
1826 | // A unique identifier that contains the role ID and the role session name of | |
1827 | // the role that is being assumed. The role ID is generated by AWS when the | |
1828 | // role is created. | |
1829 | // | |
1830 | // AssumedRoleId is a required field | |
1831 | AssumedRoleId *string `min:"2" type:"string" required:"true"` | |
1832 | } | |
1833 | ||
1834 | // String returns the string representation | |
1835 | func (s AssumedRoleUser) String() string { | |
1836 | return awsutil.Prettify(s) | |
1837 | } | |
1838 | ||
1839 | // GoString returns the string representation | |
1840 | func (s AssumedRoleUser) GoString() string { | |
1841 | return s.String() | |
1842 | } | |
1843 | ||
1844 | // SetArn sets the Arn field's value. | |
1845 | func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { | |
1846 | s.Arn = &v | |
1847 | return s | |
1848 | } | |
1849 | ||
1850 | // SetAssumedRoleId sets the AssumedRoleId field's value. | |
1851 | func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { | |
1852 | s.AssumedRoleId = &v | |
1853 | return s | |
1854 | } | |
1855 | ||
1856 | // AWS credentials for API authentication. | |
1857 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Credentials | |
1858 | type Credentials struct { | |
1859 | _ struct{} `type:"structure"` | |
1860 | ||
1861 | // The access key ID that identifies the temporary security credentials. | |
1862 | // | |
1863 | // AccessKeyId is a required field | |
1864 | AccessKeyId *string `min:"16" type:"string" required:"true"` | |
1865 | ||
1866 | // The date on which the current credentials expire. | |
1867 | // | |
1868 | // Expiration is a required field | |
1869 | Expiration *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"` | |
1870 | ||
1871 | // The secret access key that can be used to sign requests. | |
1872 | // | |
1873 | // SecretAccessKey is a required field | |
1874 | SecretAccessKey *string `type:"string" required:"true"` | |
1875 | ||
1876 | // The token that users must pass to the service API to use the temporary credentials. | |
1877 | // | |
1878 | // SessionToken is a required field | |
1879 | SessionToken *string `type:"string" required:"true"` | |
1880 | } | |
1881 | ||
1882 | // String returns the string representation | |
1883 | func (s Credentials) String() string { | |
1884 | return awsutil.Prettify(s) | |
1885 | } | |
1886 | ||
1887 | // GoString returns the string representation | |
1888 | func (s Credentials) GoString() string { | |
1889 | return s.String() | |
1890 | } | |
1891 | ||
1892 | // SetAccessKeyId sets the AccessKeyId field's value. | |
1893 | func (s *Credentials) SetAccessKeyId(v string) *Credentials { | |
1894 | s.AccessKeyId = &v | |
1895 | return s | |
1896 | } | |
1897 | ||
1898 | // SetExpiration sets the Expiration field's value. | |
1899 | func (s *Credentials) SetExpiration(v time.Time) *Credentials { | |
1900 | s.Expiration = &v | |
1901 | return s | |
1902 | } | |
1903 | ||
1904 | // SetSecretAccessKey sets the SecretAccessKey field's value. | |
1905 | func (s *Credentials) SetSecretAccessKey(v string) *Credentials { | |
1906 | s.SecretAccessKey = &v | |
1907 | return s | |
1908 | } | |
1909 | ||
1910 | // SetSessionToken sets the SessionToken field's value. | |
1911 | func (s *Credentials) SetSessionToken(v string) *Credentials { | |
1912 | s.SessionToken = &v | |
1913 | return s | |
1914 | } | |
1915 | ||
1916 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageRequest | |
1917 | type DecodeAuthorizationMessageInput struct { | |
1918 | _ struct{} `type:"structure"` | |
1919 | ||
1920 | // The encoded message that was returned with the response. | |
1921 | // | |
1922 | // EncodedMessage is a required field | |
1923 | EncodedMessage *string `min:"1" type:"string" required:"true"` | |
1924 | } | |
1925 | ||
1926 | // String returns the string representation | |
1927 | func (s DecodeAuthorizationMessageInput) String() string { | |
1928 | return awsutil.Prettify(s) | |
1929 | } | |
1930 | ||
1931 | // GoString returns the string representation | |
1932 | func (s DecodeAuthorizationMessageInput) GoString() string { | |
1933 | return s.String() | |
1934 | } | |
1935 | ||
1936 | // Validate inspects the fields of the type to determine if they are valid. | |
1937 | func (s *DecodeAuthorizationMessageInput) Validate() error { | |
1938 | invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} | |
1939 | if s.EncodedMessage == nil { | |
1940 | invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) | |
1941 | } | |
1942 | if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { | |
1943 | invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) | |
1944 | } | |
1945 | ||
1946 | if invalidParams.Len() > 0 { | |
1947 | return invalidParams | |
1948 | } | |
1949 | return nil | |
1950 | } | |
1951 | ||
1952 | // SetEncodedMessage sets the EncodedMessage field's value. | |
1953 | func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { | |
1954 | s.EncodedMessage = &v | |
1955 | return s | |
1956 | } | |
1957 | ||
1958 | // A document that contains additional information about the authorization status | |
1959 | // of a request from an encoded message that is returned in response to an AWS | |
1960 | // request. | |
1961 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse | |
1962 | type DecodeAuthorizationMessageOutput struct { | |
1963 | _ struct{} `type:"structure"` | |
1964 | ||
1965 | // An XML document that contains the decoded message. | |
1966 | DecodedMessage *string `type:"string"` | |
1967 | } | |
1968 | ||
1969 | // String returns the string representation | |
1970 | func (s DecodeAuthorizationMessageOutput) String() string { | |
1971 | return awsutil.Prettify(s) | |
1972 | } | |
1973 | ||
1974 | // GoString returns the string representation | |
1975 | func (s DecodeAuthorizationMessageOutput) GoString() string { | |
1976 | return s.String() | |
1977 | } | |
1978 | ||
1979 | // SetDecodedMessage sets the DecodedMessage field's value. | |
1980 | func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { | |
1981 | s.DecodedMessage = &v | |
1982 | return s | |
1983 | } | |
1984 | ||
1985 | // Identifiers for the federated user that is associated with the credentials. | |
1986 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/FederatedUser | |
1987 | type FederatedUser struct { | |
1988 | _ struct{} `type:"structure"` | |
1989 | ||
1990 | // The ARN that specifies the federated user that is associated with the credentials. | |
1991 | // For more information about ARNs and how to use them in policies, see IAM | |
1992 | // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | |
1993 | // in Using IAM. | |
1994 | // | |
1995 | // Arn is a required field | |
1996 | Arn *string `min:"20" type:"string" required:"true"` | |
1997 | ||
1998 | // The string that identifies the federated user associated with the credentials, | |
1999 | // similar to the unique ID of an IAM user. | |
2000 | // | |
2001 | // FederatedUserId is a required field | |
2002 | FederatedUserId *string `min:"2" type:"string" required:"true"` | |
2003 | } | |
2004 | ||
2005 | // String returns the string representation | |
2006 | func (s FederatedUser) String() string { | |
2007 | return awsutil.Prettify(s) | |
2008 | } | |
2009 | ||
2010 | // GoString returns the string representation | |
2011 | func (s FederatedUser) GoString() string { | |
2012 | return s.String() | |
2013 | } | |
2014 | ||
2015 | // SetArn sets the Arn field's value. | |
2016 | func (s *FederatedUser) SetArn(v string) *FederatedUser { | |
2017 | s.Arn = &v | |
2018 | return s | |
2019 | } | |
2020 | ||
2021 | // SetFederatedUserId sets the FederatedUserId field's value. | |
2022 | func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { | |
2023 | s.FederatedUserId = &v | |
2024 | return s | |
2025 | } | |
2026 | ||
2027 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest | |
2028 | type GetCallerIdentityInput struct { | |
2029 | _ struct{} `type:"structure"` | |
2030 | } | |
2031 | ||
2032 | // String returns the string representation | |
2033 | func (s GetCallerIdentityInput) String() string { | |
2034 | return awsutil.Prettify(s) | |
2035 | } | |
2036 | ||
2037 | // GoString returns the string representation | |
2038 | func (s GetCallerIdentityInput) GoString() string { | |
2039 | return s.String() | |
2040 | } | |
2041 | ||
2042 | // Contains the response to a successful GetCallerIdentity request, including | |
2043 | // information about the entity making the request. | |
2044 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse | |
2045 | type GetCallerIdentityOutput struct { | |
2046 | _ struct{} `type:"structure"` | |
2047 | ||
2048 | // The AWS account ID number of the account that owns or contains the calling | |
2049 | // entity. | |
2050 | Account *string `type:"string"` | |
2051 | ||
2052 | // The AWS ARN associated with the calling entity. | |
2053 | Arn *string `min:"20" type:"string"` | |
2054 | ||
2055 | // The unique identifier of the calling entity. The exact value depends on the | |
2056 | // type of entity making the call. The values returned are those listed in the | |
2057 | // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) | |
2058 | // found on the Policy Variables reference page in the IAM User Guide. | |
2059 | UserId *string `type:"string"` | |
2060 | } | |
2061 | ||
2062 | // String returns the string representation | |
2063 | func (s GetCallerIdentityOutput) String() string { | |
2064 | return awsutil.Prettify(s) | |
2065 | } | |
2066 | ||
2067 | // GoString returns the string representation | |
2068 | func (s GetCallerIdentityOutput) GoString() string { | |
2069 | return s.String() | |
2070 | } | |
2071 | ||
2072 | // SetAccount sets the Account field's value. | |
2073 | func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { | |
2074 | s.Account = &v | |
2075 | return s | |
2076 | } | |
2077 | ||
2078 | // SetArn sets the Arn field's value. | |
2079 | func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { | |
2080 | s.Arn = &v | |
2081 | return s | |
2082 | } | |
2083 | ||
2084 | // SetUserId sets the UserId field's value. | |
2085 | func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { | |
2086 | s.UserId = &v | |
2087 | return s | |
2088 | } | |
2089 | ||
2090 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest | |
2091 | type GetFederationTokenInput struct { | |
2092 | _ struct{} `type:"structure"` | |
2093 | ||
2094 | // The duration, in seconds, that the session should last. Acceptable durations | |
2095 | // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds | |
2096 | // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained | |
2097 | // using AWS account (root) credentials are restricted to a maximum of 3600 | |
2098 | // seconds (one hour). If the specified duration is longer than one hour, the | |
2099 | // session obtained by using AWS account (root) credentials defaults to one | |
2100 | // hour. | |
2101 | DurationSeconds *int64 `min:"900" type:"integer"` | |
2102 | ||
2103 | // The name of the federated user. The name is used as an identifier for the | |
2104 | // temporary security credentials (such as Bob). For example, you can reference | |
2105 | // the federated user name in a resource-based policy, such as in an Amazon | |
2106 | // S3 bucket policy. | |
2107 | // | |
2108 | // The regex used to validate this parameter is a string of characters consisting | |
2109 | // of upper- and lower-case alphanumeric characters with no spaces. You can | |
2110 | // also include underscores or any of the following characters: =,.@- | |
2111 | // | |
2112 | // Name is a required field | |
2113 | Name *string `min:"2" type:"string" required:"true"` | |
2114 | ||
2115 | // An IAM policy in JSON format that is passed with the GetFederationToken call | |
2116 | // and evaluated along with the policy or policies that are attached to the | |
2117 | // IAM user whose credentials are used to call GetFederationToken. The passed | |
2118 | // policy is used to scope down the permissions that are available to the IAM | |
2119 | // user, by allowing only a subset of the permissions that are granted to the | |
2120 | // IAM user. The passed policy cannot grant more permissions than those granted | |
2121 | // to the IAM user. The final permissions for the federated user are the most | |
2122 | // restrictive set based on the intersection of the passed policy and the IAM | |
2123 | // user policy. | |
2124 | // | |
2125 | // If you do not pass a policy, the resulting temporary security credentials | |
2126 | // have no effective permissions. The only exception is when the temporary security | |
2127 | // credentials are used to access a resource that has a resource-based policy | |
2128 | // that specifically allows the federated user to access the resource. | |
2129 | // | |
2130 | // The format for this parameter, as described by its regex pattern, is a string | |
2131 | // of characters up to 2048 characters in length. The characters can be any | |
2132 | // ASCII character from the space character to the end of the valid character | |
2133 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | |
2134 | // and carriage return (\u000D) characters. | |
2135 | // | |
2136 | // The policy plain text must be 2048 bytes or shorter. However, an internal | |
2137 | // conversion compresses it into a packed binary format with a separate limit. | |
2138 | // The PackedPolicySize response element indicates by percentage how close to | |
2139 | // the upper size limit the policy is, with 100% equaling the maximum allowed | |
2140 | // size. | |
2141 | // | |
2142 | // For more information about how permissions work, see Permissions for GetFederationToken | |
2143 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | |
2144 | Policy *string `min:"1" type:"string"` | |
2145 | } | |
2146 | ||
2147 | // String returns the string representation | |
2148 | func (s GetFederationTokenInput) String() string { | |
2149 | return awsutil.Prettify(s) | |
2150 | } | |
2151 | ||
2152 | // GoString returns the string representation | |
2153 | func (s GetFederationTokenInput) GoString() string { | |
2154 | return s.String() | |
2155 | } | |
2156 | ||
2157 | // Validate inspects the fields of the type to determine if they are valid. | |
2158 | func (s *GetFederationTokenInput) Validate() error { | |
2159 | invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} | |
2160 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
2161 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
2162 | } | |
2163 | if s.Name == nil { | |
2164 | invalidParams.Add(request.NewErrParamRequired("Name")) | |
2165 | } | |
2166 | if s.Name != nil && len(*s.Name) < 2 { | |
2167 | invalidParams.Add(request.NewErrParamMinLen("Name", 2)) | |
2168 | } | |
2169 | if s.Policy != nil && len(*s.Policy) < 1 { | |
2170 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | |
2171 | } | |
2172 | ||
2173 | if invalidParams.Len() > 0 { | |
2174 | return invalidParams | |
2175 | } | |
2176 | return nil | |
2177 | } | |
2178 | ||
2179 | // SetDurationSeconds sets the DurationSeconds field's value. | |
2180 | func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { | |
2181 | s.DurationSeconds = &v | |
2182 | return s | |
2183 | } | |
2184 | ||
2185 | // SetName sets the Name field's value. | |
2186 | func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { | |
2187 | s.Name = &v | |
2188 | return s | |
2189 | } | |
2190 | ||
2191 | // SetPolicy sets the Policy field's value. | |
2192 | func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { | |
2193 | s.Policy = &v | |
2194 | return s | |
2195 | } | |
2196 | ||
2197 | // Contains the response to a successful GetFederationToken request, including | |
2198 | // temporary AWS credentials that can be used to make AWS requests. | |
2199 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse | |
2200 | type GetFederationTokenOutput struct { | |
2201 | _ struct{} `type:"structure"` | |
2202 | ||
2203 | // The temporary security credentials, which include an access key ID, a secret | |
2204 | // access key, and a security (or session) token. | |
2205 | // | |
2206 | // Note: The size of the security token that STS APIs return is not fixed. We | |
2207 | // strongly recommend that you make no assumptions about the maximum size. As | |
2208 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | |
2209 | // Also, future updates to AWS might require larger sizes. | |
2210 | Credentials *Credentials `type:"structure"` | |
2211 | ||
2212 | // Identifiers for the federated user associated with the credentials (such | |
2213 | // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You | |
2214 | // can use the federated user's ARN in your resource-based policies, such as | |
2215 | // an Amazon S3 bucket policy. | |
2216 | FederatedUser *FederatedUser `type:"structure"` | |
2217 | ||
2218 | // A percentage value indicating the size of the policy in packed form. The | |
2219 | // service rejects policies for which the packed size is greater than 100 percent | |
2220 | // of the allowed value. | |
2221 | PackedPolicySize *int64 `type:"integer"` | |
2222 | } | |
2223 | ||
2224 | // String returns the string representation | |
2225 | func (s GetFederationTokenOutput) String() string { | |
2226 | return awsutil.Prettify(s) | |
2227 | } | |
2228 | ||
2229 | // GoString returns the string representation | |
2230 | func (s GetFederationTokenOutput) GoString() string { | |
2231 | return s.String() | |
2232 | } | |
2233 | ||
2234 | // SetCredentials sets the Credentials field's value. | |
2235 | func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { | |
2236 | s.Credentials = v | |
2237 | return s | |
2238 | } | |
2239 | ||
2240 | // SetFederatedUser sets the FederatedUser field's value. | |
2241 | func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { | |
2242 | s.FederatedUser = v | |
2243 | return s | |
2244 | } | |
2245 | ||
2246 | // SetPackedPolicySize sets the PackedPolicySize field's value. | |
2247 | func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { | |
2248 | s.PackedPolicySize = &v | |
2249 | return s | |
2250 | } | |
2251 | ||
2252 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenRequest | |
2253 | type GetSessionTokenInput struct { | |
2254 | _ struct{} `type:"structure"` | |
2255 | ||
2256 | // The duration, in seconds, that the credentials should remain valid. Acceptable | |
2257 | // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 | |
2258 | // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions | |
2259 | // for AWS account owners are restricted to a maximum of 3600 seconds (one hour). | |
2260 | // If the duration is longer than one hour, the session for AWS account owners | |
2261 | // defaults to one hour. | |
2262 | DurationSeconds *int64 `min:"900" type:"integer"` | |
2263 | ||
2264 | // The identification number of the MFA device that is associated with the IAM | |
2265 | // user who is making the GetSessionToken call. Specify this value if the IAM | |
2266 | // user has a policy that requires MFA authentication. The value is either the | |
2267 | // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource | |
2268 | // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | |
2269 | // You can find the device for an IAM user by going to the AWS Management Console | |
2270 | // and viewing the user's security credentials. | |
2271 | // | |
9b12e4fe | 2272 | // The regex used to validated this parameter is a string of characters consisting |
bae9f6d2 | 2273 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
9b12e4fe | 2274 | // also include underscores or any of the following characters: =,.@:/- |
bae9f6d2 JC |
2275 | SerialNumber *string `min:"9" type:"string"` |
2276 | ||
2277 | // The value provided by the MFA device, if MFA is required. If any policy requires | |
2278 | // the IAM user to submit an MFA code, specify this value. If MFA authentication | |
2279 | // is required, and the user does not provide a code when requesting a set of | |
2280 | // temporary security credentials, the user will receive an "access denied" | |
2281 | // response when requesting resources that require MFA authentication. | |
2282 | // | |
2283 | // The format for this parameter, as described by its regex pattern, is a sequence | |
2284 | // of six numeric digits. | |
2285 | TokenCode *string `min:"6" type:"string"` | |
2286 | } | |
2287 | ||
2288 | // String returns the string representation | |
2289 | func (s GetSessionTokenInput) String() string { | |
2290 | return awsutil.Prettify(s) | |
2291 | } | |
2292 | ||
2293 | // GoString returns the string representation | |
2294 | func (s GetSessionTokenInput) GoString() string { | |
2295 | return s.String() | |
2296 | } | |
2297 | ||
2298 | // Validate inspects the fields of the type to determine if they are valid. | |
2299 | func (s *GetSessionTokenInput) Validate() error { | |
2300 | invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} | |
2301 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | |
2302 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | |
2303 | } | |
2304 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | |
2305 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | |
2306 | } | |
2307 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | |
2308 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | |
2309 | } | |
2310 | ||
2311 | if invalidParams.Len() > 0 { | |
2312 | return invalidParams | |
2313 | } | |
2314 | return nil | |
2315 | } | |
2316 | ||
2317 | // SetDurationSeconds sets the DurationSeconds field's value. | |
2318 | func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { | |
2319 | s.DurationSeconds = &v | |
2320 | return s | |
2321 | } | |
2322 | ||
2323 | // SetSerialNumber sets the SerialNumber field's value. | |
2324 | func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { | |
2325 | s.SerialNumber = &v | |
2326 | return s | |
2327 | } | |
2328 | ||
2329 | // SetTokenCode sets the TokenCode field's value. | |
2330 | func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { | |
2331 | s.TokenCode = &v | |
2332 | return s | |
2333 | } | |
2334 | ||
2335 | // Contains the response to a successful GetSessionToken request, including | |
2336 | // temporary AWS credentials that can be used to make AWS requests. | |
2337 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenResponse | |
2338 | type GetSessionTokenOutput struct { | |
2339 | _ struct{} `type:"structure"` | |
2340 | ||
2341 | // The temporary security credentials, which include an access key ID, a secret | |
2342 | // access key, and a security (or session) token. | |
2343 | // | |
2344 | // Note: The size of the security token that STS APIs return is not fixed. We | |
2345 | // strongly recommend that you make no assumptions about the maximum size. As | |
2346 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | |
2347 | // Also, future updates to AWS might require larger sizes. | |
2348 | Credentials *Credentials `type:"structure"` | |
2349 | } | |
2350 | ||
2351 | // String returns the string representation | |
2352 | func (s GetSessionTokenOutput) String() string { | |
2353 | return awsutil.Prettify(s) | |
2354 | } | |
2355 | ||
2356 | // GoString returns the string representation | |
2357 | func (s GetSessionTokenOutput) GoString() string { | |
2358 | return s.String() | |
2359 | } | |
2360 | ||
2361 | // SetCredentials sets the Credentials field's value. | |
2362 | func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { | |
2363 | s.Credentials = v | |
2364 | return s | |
2365 | } |