1 // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
8 "github.com/aws/aws-sdk-go/aws"
9 "github.com/aws/aws-sdk-go/aws/awsutil"
10 "github.com/aws/aws-sdk-go/aws/request"
13 const opAssumeRole = "AssumeRole"
15 // AssumeRoleRequest generates a "aws/request.Request" representing the
16 // client's request for the AssumeRole operation. The "output" return
17 // value will be populated with the request's response once the request completes
20 // Use "Send" method on the returned Request to send the API call to the service.
21 // the "output" return value is not valid until after Send returns without error.
23 // See AssumeRole for more information on using the AssumeRole
24 // API call, and error handling.
26 // This method is useful when you want to inject custom logic or configuration
27 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
30 // // Example sending a request using the AssumeRoleRequest method.
31 // req, resp := client.AssumeRoleRequest(params)
34 // if err == nil { // resp is now filled
38 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
39 func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) {
40 op := &request.Operation{
47 input = &AssumeRoleInput{}
50 output = &AssumeRoleOutput{}
51 req = c.newRequest(op, input, output)
55 // AssumeRole API operation for AWS Security Token Service.
57 // Returns a set of temporary security credentials (consisting of an access
58 // key ID, a secret access key, and a security token) that you can use to access
59 // AWS resources that you might not normally have access to. Typically, you
60 // use AssumeRole for cross-account access or federation. For a comparison of
61 // AssumeRole with the other APIs that produce temporary credentials, see Requesting
62 // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
63 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
64 // in the IAM User Guide.
66 // Important: You cannot call AssumeRole by using AWS root account credentials;
67 // access is denied. You must use credentials for an IAM user or an IAM role
68 // to call AssumeRole.
70 // For cross-account access, imagine that you own multiple accounts and need
71 // to access resources in each account. You could create long-term credentials
72 // in each account to access those resources. However, managing all those credentials
73 // and remembering which one can access which account can be time consuming.
74 // Instead, you can create one set of long-term credentials in one account and
75 // then use temporary security credentials to access all the other accounts
76 // by assuming roles in those accounts. For more information about roles, see
77 // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html)
78 // in the IAM User Guide.
80 // For federation, you can, for example, grant single sign-on access to the
81 // AWS Management Console. If you already have an identity and authentication
82 // system in your corporate network, you don't have to recreate user identities
83 // in AWS in order to grant those user identities access to AWS. Instead, after
84 // a user has been authenticated, you call AssumeRole (and specify the role
85 // with the appropriate permissions) to get temporary security credentials for
86 // that user. With those temporary security credentials, you construct a sign-in
87 // URL that users can use to access the console. For more information, see Common
88 // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
89 // in the IAM User Guide.
91 // By default, the temporary security credentials created by AssumeRole last
92 // for one hour. However, you can use the optional DurationSeconds parameter
93 // to specify the duration of your session. You can provide a value from 900
94 // seconds (15 minutes) up to the maximum session duration setting for the role.
95 // This setting can have a value from 1 hour to 12 hours. To learn how to view
96 // the maximum value for your role, see View the Maximum Session Duration Setting
97 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
98 // in the IAM User Guide. The maximum session duration limit applies when you
99 // use the AssumeRole* API operations or the assume-role* CLI operations but
100 // does not apply when you use those operations to create a console URL. For
101 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
102 // in the IAM User Guide.
104 // The temporary security credentials created by AssumeRole can be used to make
105 // API calls to any AWS service with the following exception: you cannot call
106 // the STS service's GetFederationToken or GetSessionToken APIs.
108 // Optionally, you can pass an IAM access policy to this operation. If you choose
109 // not to pass a policy, the temporary security credentials that are returned
110 // by the operation have the permissions that are defined in the access policy
111 // of the role that is being assumed. If you pass a policy to this operation,
112 // the temporary security credentials that are returned by the operation have
113 // the permissions that are allowed by both the access policy of the role that
114 // is being assumed, and the policy that you pass. This gives you a way to further
115 // restrict the permissions for the resulting temporary security credentials.
116 // You cannot use the passed policy to grant permissions that are in excess
117 // of those allowed by the access policy of the role that is being assumed.
118 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
119 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
120 // in the IAM User Guide.
122 // To assume a role, your AWS account must be trusted by the role. The trust
123 // relationship is defined in the role's trust policy when the role is created.
124 // That trust policy states which accounts are allowed to delegate access to
125 // this account's role.
127 // The user who wants to access the role must also have permissions delegated
128 // from the role's administrator. If the user is in a different account than
129 // the role, then the user's administrator must attach a policy that allows
130 // the user to call AssumeRole on the ARN of the role in the other account.
131 // If the user is in the same account as the role, then you can either attach
132 // a policy to the user (identical to the previous different account user),
133 // or you can add the user as a principal directly in the role's trust policy.
134 // In this case, the trust policy acts as the only resource-based policy in
135 // IAM, and users in the same account as the role do not need explicit permission
136 // to assume the role. For more information about trust policies and resource-based
137 // policies, see IAM Policies (http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
138 // in the IAM User Guide.
140 // Using MFA with AssumeRole
142 // You can optionally include multi-factor authentication (MFA) information
143 // when you call AssumeRole. This is useful for cross-account scenarios in which
144 // you want to make sure that the user who is assuming the role has been authenticated
145 // using an AWS MFA device. In that scenario, the trust policy of the role being
146 // assumed includes a condition that tests for MFA authentication; if the caller
147 // does not include valid MFA information, the request to assume the role is
148 // denied. The condition in a trust policy that tests for MFA authentication
149 // might look like the following example.
151 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
153 // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
154 // in the IAM User Guide guide.
156 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
157 // parameters. The SerialNumber value identifies the user's hardware or virtual
158 // MFA device. The TokenCode is the time-based one-time password (TOTP) that
159 // the MFA devices produces.
161 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
162 // with awserr.Error's Code and Message methods to get detailed information about
165 // See the AWS API reference guide for AWS Security Token Service's
166 // API operation AssumeRole for usage and error information.
168 // Returned Error Codes:
169 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
170 // The request was rejected because the policy document was malformed. The error
171 // message describes the specific error.
173 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
174 // The request was rejected because the policy document was too large. The error
175 // message describes how big the policy document is, in packed form, as a percentage
176 // of what the API allows.
178 // * ErrCodeRegionDisabledException "RegionDisabledException"
179 // STS is not activated in the requested region for the account that is being
180 // asked to generate credentials. The account administrator must use the IAM
181 // console to activate STS in that region. For more information, see Activating
182 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
183 // in the IAM User Guide.
185 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
186 func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
187 req, out := c.AssumeRoleRequest(input)
188 return out, req.Send()
191 // AssumeRoleWithContext is the same as AssumeRole with the addition of
192 // the ability to pass a context and additional request options.
194 // See AssumeRole for details on how to use this API operation.
196 // The context must be non-nil and will be used for request cancellation. If
197 // the context is nil a panic will occur. In the future the SDK may create
198 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
199 // for more information on using Contexts.
200 func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) {
201 req, out := c.AssumeRoleRequest(input)
203 req.ApplyOptions(opts...)
204 return out, req.Send()
207 const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
209 // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
210 // client's request for the AssumeRoleWithSAML operation. The "output" return
211 // value will be populated with the request's response once the request completes
214 // Use "Send" method on the returned Request to send the API call to the service.
215 // the "output" return value is not valid until after Send returns without error.
217 // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML
218 // API call, and error handling.
220 // This method is useful when you want to inject custom logic or configuration
221 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
224 // // Example sending a request using the AssumeRoleWithSAMLRequest method.
225 // req, resp := client.AssumeRoleWithSAMLRequest(params)
228 // if err == nil { // resp is now filled
232 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
233 func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) {
234 op := &request.Operation{
235 Name: opAssumeRoleWithSAML,
241 input = &AssumeRoleWithSAMLInput{}
244 output = &AssumeRoleWithSAMLOutput{}
245 req = c.newRequest(op, input, output)
249 // AssumeRoleWithSAML API operation for AWS Security Token Service.
251 // Returns a set of temporary security credentials for users who have been authenticated
252 // via a SAML authentication response. This operation provides a mechanism for
253 // tying an enterprise identity store or directory to role-based AWS access
254 // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
255 // with the other APIs that produce temporary credentials, see Requesting Temporary
256 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
257 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
258 // in the IAM User Guide.
260 // The temporary security credentials returned by this operation consist of
261 // an access key ID, a secret access key, and a security token. Applications
262 // can use these temporary security credentials to sign calls to AWS services.
264 // By default, the temporary security credentials created by AssumeRoleWithSAML
265 // last for one hour. However, you can use the optional DurationSeconds parameter
266 // to specify the duration of your session. Your role session lasts for the
267 // duration that you specify, or until the time specified in the SAML authentication
268 // response's SessionNotOnOrAfter value, whichever is shorter. You can provide
269 // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
270 // duration setting for the role. This setting can have a value from 1 hour
271 // to 12 hours. To learn how to view the maximum value for your role, see View
272 // the Maximum Session Duration Setting for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
273 // in the IAM User Guide. The maximum session duration limit applies when you
274 // use the AssumeRole* API operations or the assume-role* CLI operations but
275 // does not apply when you use those operations to create a console URL. For
276 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
277 // in the IAM User Guide.
279 // The temporary security credentials created by AssumeRoleWithSAML can be used
280 // to make API calls to any AWS service with the following exception: you cannot
281 // call the STS service's GetFederationToken or GetSessionToken APIs.
283 // Optionally, you can pass an IAM access policy to this operation. If you choose
284 // not to pass a policy, the temporary security credentials that are returned
285 // by the operation have the permissions that are defined in the access policy
286 // of the role that is being assumed. If you pass a policy to this operation,
287 // the temporary security credentials that are returned by the operation have
288 // the permissions that are allowed by the intersection of both the access policy
289 // of the role that is being assumed, and the policy that you pass. This means
290 // that both policies must grant the permission for the action to be allowed.
291 // This gives you a way to further restrict the permissions for the resulting
292 // temporary security credentials. You cannot use the passed policy to grant
293 // permissions that are in excess of those allowed by the access policy of the
294 // role that is being assumed. For more information, see Permissions for AssumeRole,
295 // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
296 // in the IAM User Guide.
298 // Before your application can call AssumeRoleWithSAML, you must configure your
299 // SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
300 // you must use AWS Identity and Access Management (IAM) to create a SAML provider
301 // entity in your AWS account that represents your identity provider, and create
302 // an IAM role that specifies this SAML provider in its trust policy.
304 // Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
305 // The identity of the caller is validated by using keys in the metadata document
306 // that is uploaded for the SAML provider entity for your identity provider.
308 // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
309 // logs. The entry includes the value in the NameID element of the SAML assertion.
310 // We recommend that you use a NameIDType that is not associated with any personally
311 // identifiable information (PII). For example, you could instead use the Persistent
312 // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
314 // For more information, see the following resources:
316 // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
317 // in the IAM User Guide.
319 // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
320 // in the IAM User Guide.
322 // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
323 // in the IAM User Guide.
325 // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
326 // in the IAM User Guide.
328 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
329 // with awserr.Error's Code and Message methods to get detailed information about
332 // See the AWS API reference guide for AWS Security Token Service's
333 // API operation AssumeRoleWithSAML for usage and error information.
335 // Returned Error Codes:
336 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
337 // The request was rejected because the policy document was malformed. The error
338 // message describes the specific error.
340 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
341 // The request was rejected because the policy document was too large. The error
342 // message describes how big the policy document is, in packed form, as a percentage
343 // of what the API allows.
345 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
346 // The identity provider (IdP) reported that authentication failed. This might
347 // be because the claim is invalid.
349 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
350 // can also mean that the claim has expired or has been explicitly revoked.
352 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
353 // The web identity token that was passed could not be validated by AWS. Get
354 // a new identity token from the identity provider and then retry the request.
356 // * ErrCodeExpiredTokenException "ExpiredTokenException"
357 // The web identity token that was passed is expired or is not valid. Get a
358 // new identity token from the identity provider and then retry the request.
360 // * ErrCodeRegionDisabledException "RegionDisabledException"
361 // STS is not activated in the requested region for the account that is being
362 // asked to generate credentials. The account administrator must use the IAM
363 // console to activate STS in that region. For more information, see Activating
364 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
365 // in the IAM User Guide.
367 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
368 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
369 req, out := c.AssumeRoleWithSAMLRequest(input)
370 return out, req.Send()
373 // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of
374 // the ability to pass a context and additional request options.
376 // See AssumeRoleWithSAML for details on how to use this API operation.
378 // The context must be non-nil and will be used for request cancellation. If
379 // the context is nil a panic will occur. In the future the SDK may create
380 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
381 // for more information on using Contexts.
382 func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) {
383 req, out := c.AssumeRoleWithSAMLRequest(input)
385 req.ApplyOptions(opts...)
386 return out, req.Send()
389 const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
391 // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
392 // client's request for the AssumeRoleWithWebIdentity operation. The "output" return
393 // value will be populated with the request's response once the request completes
396 // Use "Send" method on the returned Request to send the API call to the service.
397 // the "output" return value is not valid until after Send returns without error.
399 // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity
400 // API call, and error handling.
402 // This method is useful when you want to inject custom logic or configuration
403 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
406 // // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
407 // req, resp := client.AssumeRoleWithWebIdentityRequest(params)
410 // if err == nil { // resp is now filled
414 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
415 func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) {
416 op := &request.Operation{
417 Name: opAssumeRoleWithWebIdentity,
423 input = &AssumeRoleWithWebIdentityInput{}
426 output = &AssumeRoleWithWebIdentityOutput{}
427 req = c.newRequest(op, input, output)
431 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
433 // Returns a set of temporary security credentials for users who have been authenticated
434 // in a mobile or web application with a web identity provider, such as Amazon
435 // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
436 // identity provider.
438 // For mobile applications, we recommend that you use Amazon Cognito. You can
439 // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
440 // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
441 // identify a user and supply the user with a consistent identity throughout
442 // the lifetime of an application.
444 // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
445 // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview
446 // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
447 // in the AWS SDK for iOS Developer Guide.
449 // Calling AssumeRoleWithWebIdentity does not require the use of AWS security
450 // credentials. Therefore, you can distribute an application (for example, on
451 // mobile devices) that requests temporary security credentials without including
452 // long-term AWS credentials in the application, and without deploying server-based
453 // proxy services that use long-term AWS credentials. Instead, the identity
454 // of the caller is validated by using a token from the web identity provider.
455 // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce
456 // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
457 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
458 // in the IAM User Guide.
460 // The temporary security credentials returned by this API consist of an access
461 // key ID, a secret access key, and a security token. Applications can use these
462 // temporary security credentials to sign calls to AWS service APIs.
464 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
465 // last for one hour. However, you can use the optional DurationSeconds parameter
466 // to specify the duration of your session. You can provide a value from 900
467 // seconds (15 minutes) up to the maximum session duration setting for the role.
468 // This setting can have a value from 1 hour to 12 hours. To learn how to view
469 // the maximum value for your role, see View the Maximum Session Duration Setting
470 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
471 // in the IAM User Guide. The maximum session duration limit applies when you
472 // use the AssumeRole* API operations or the assume-role* CLI operations but
473 // does not apply when you use those operations to create a console URL. For
474 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
475 // in the IAM User Guide.
477 // The temporary security credentials created by AssumeRoleWithWebIdentity can
478 // be used to make API calls to any AWS service with the following exception:
479 // you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
481 // Optionally, you can pass an IAM access policy to this operation. If you choose
482 // not to pass a policy, the temporary security credentials that are returned
483 // by the operation have the permissions that are defined in the access policy
484 // of the role that is being assumed. If you pass a policy to this operation,
485 // the temporary security credentials that are returned by the operation have
486 // the permissions that are allowed by both the access policy of the role that
487 // is being assumed, and the policy that you pass. This gives you a way to further
488 // restrict the permissions for the resulting temporary security credentials.
489 // You cannot use the passed policy to grant permissions that are in excess
490 // of those allowed by the access policy of the role that is being assumed.
491 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
492 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
493 // in the IAM User Guide.
495 // Before your application can call AssumeRoleWithWebIdentity, you must have
496 // an identity token from a supported identity provider and create a role that
497 // the application can assume. The role that your application assumes must trust
498 // the identity provider that is associated with the identity token. In other
499 // words, the identity provider must be specified in the role's trust policy.
501 // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
502 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
503 // of the provided Web Identity Token. We recommend that you avoid using any
504 // personally identifiable information (PII) in this field. For example, you
505 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
506 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
508 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
509 // API, see the following resources:
511 // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
512 // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
515 // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
516 // This interactive website lets you walk through the process of authenticating
517 // via Login with Amazon, Facebook, or Google, getting temporary security
518 // credentials, and then using those credentials to make a request to AWS.
521 // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
522 // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
523 // apps that show how to invoke the identity providers, and then how to use
524 // the information from these providers to get and use temporary security
527 // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
528 // This article discusses web identity federation and shows an example of
529 // how to use web identity federation to get access to content in Amazon
532 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
533 // with awserr.Error's Code and Message methods to get detailed information about
536 // See the AWS API reference guide for AWS Security Token Service's
537 // API operation AssumeRoleWithWebIdentity for usage and error information.
539 // Returned Error Codes:
540 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
541 // The request was rejected because the policy document was malformed. The error
542 // message describes the specific error.
544 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
545 // The request was rejected because the policy document was too large. The error
546 // message describes how big the policy document is, in packed form, as a percentage
547 // of what the API allows.
549 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
550 // The identity provider (IdP) reported that authentication failed. This might
551 // be because the claim is invalid.
553 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
554 // can also mean that the claim has expired or has been explicitly revoked.
556 // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
557 // The request could not be fulfilled because the non-AWS identity provider
558 // (IDP) that was asked to verify the incoming identity token could not be reached.
559 // This is often a transient error caused by network conditions. Retry the request
560 // a limited number of times so that you don't exceed the request rate. If the
561 // error persists, the non-AWS identity provider might be down or not responding.
563 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
564 // The web identity token that was passed could not be validated by AWS. Get
565 // a new identity token from the identity provider and then retry the request.
567 // * ErrCodeExpiredTokenException "ExpiredTokenException"
568 // The web identity token that was passed is expired or is not valid. Get a
569 // new identity token from the identity provider and then retry the request.
571 // * ErrCodeRegionDisabledException "RegionDisabledException"
572 // STS is not activated in the requested region for the account that is being
573 // asked to generate credentials. The account administrator must use the IAM
574 // console to activate STS in that region. For more information, see Activating
575 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
576 // in the IAM User Guide.
578 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
579 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
580 req, out := c.AssumeRoleWithWebIdentityRequest(input)
581 return out, req.Send()
584 // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of
585 // the ability to pass a context and additional request options.
587 // See AssumeRoleWithWebIdentity for details on how to use this API operation.
589 // The context must be non-nil and will be used for request cancellation. If
590 // the context is nil a panic will occur. In the future the SDK may create
591 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
592 // for more information on using Contexts.
593 func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) {
594 req, out := c.AssumeRoleWithWebIdentityRequest(input)
596 req.ApplyOptions(opts...)
597 return out, req.Send()
600 const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
602 // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
603 // client's request for the DecodeAuthorizationMessage operation. The "output" return
604 // value will be populated with the request's response once the request completes
607 // Use "Send" method on the returned Request to send the API call to the service.
608 // the "output" return value is not valid until after Send returns without error.
610 // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage
611 // API call, and error handling.
613 // This method is useful when you want to inject custom logic or configuration
614 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
617 // // Example sending a request using the DecodeAuthorizationMessageRequest method.
618 // req, resp := client.DecodeAuthorizationMessageRequest(params)
621 // if err == nil { // resp is now filled
625 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
626 func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) {
627 op := &request.Operation{
628 Name: opDecodeAuthorizationMessage,
634 input = &DecodeAuthorizationMessageInput{}
637 output = &DecodeAuthorizationMessageOutput{}
638 req = c.newRequest(op, input, output)
642 // DecodeAuthorizationMessage API operation for AWS Security Token Service.
644 // Decodes additional information about the authorization status of a request
645 // from an encoded message returned in response to an AWS request.
647 // For example, if a user is not authorized to perform an action that he or
648 // she has requested, the request returns a Client.UnauthorizedOperation response
649 // (an HTTP 403 response). Some AWS actions additionally return an encoded message
650 // that can provide details about this authorization failure.
652 // Only certain AWS actions return an encoded authorization message. The documentation
653 // for an individual action indicates whether that action returns an encoded
654 // message in addition to returning an HTTP code.
656 // The message is encoded because the details of the authorization status can
657 // constitute privileged information that the user who requested the action
658 // should not see. To decode an authorization status message, a user must be
659 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
660 // (sts:DecodeAuthorizationMessage) action.
662 // The decoded message includes the following type of information:
664 // * Whether the request was denied due to an explicit deny or due to the
665 // absence of an explicit allow. For more information, see Determining Whether
666 // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
667 // in the IAM User Guide.
669 // * The principal who made the request.
671 // * The requested action.
673 // * The requested resource.
675 // * The values of condition keys in the context of the user's request.
677 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
678 // with awserr.Error's Code and Message methods to get detailed information about
681 // See the AWS API reference guide for AWS Security Token Service's
682 // API operation DecodeAuthorizationMessage for usage and error information.
684 // Returned Error Codes:
685 // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
686 // The error returned if the message passed to DecodeAuthorizationMessage was
687 // invalid. This can happen if the token contains invalid characters, such as
690 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
691 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
692 req, out := c.DecodeAuthorizationMessageRequest(input)
693 return out, req.Send()
696 // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of
697 // the ability to pass a context and additional request options.
699 // See DecodeAuthorizationMessage for details on how to use this API operation.
701 // The context must be non-nil and will be used for request cancellation. If
702 // the context is nil a panic will occur. In the future the SDK may create
703 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
704 // for more information on using Contexts.
705 func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) {
706 req, out := c.DecodeAuthorizationMessageRequest(input)
708 req.ApplyOptions(opts...)
709 return out, req.Send()
712 const opGetCallerIdentity = "GetCallerIdentity"
714 // GetCallerIdentityRequest generates a "aws/request.Request" representing the
715 // client's request for the GetCallerIdentity operation. The "output" return
716 // value will be populated with the request's response once the request completes
719 // Use "Send" method on the returned Request to send the API call to the service.
720 // the "output" return value is not valid until after Send returns without error.
722 // See GetCallerIdentity for more information on using the GetCallerIdentity
723 // API call, and error handling.
725 // This method is useful when you want to inject custom logic or configuration
726 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
729 // // Example sending a request using the GetCallerIdentityRequest method.
730 // req, resp := client.GetCallerIdentityRequest(params)
733 // if err == nil { // resp is now filled
737 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
738 func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) {
739 op := &request.Operation{
740 Name: opGetCallerIdentity,
746 input = &GetCallerIdentityInput{}
749 output = &GetCallerIdentityOutput{}
750 req = c.newRequest(op, input, output)
754 // GetCallerIdentity API operation for AWS Security Token Service.
756 // Returns details about the IAM identity whose credentials are used to call
759 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
760 // with awserr.Error's Code and Message methods to get detailed information about
763 // See the AWS API reference guide for AWS Security Token Service's
764 // API operation GetCallerIdentity for usage and error information.
765 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
766 func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
767 req, out := c.GetCallerIdentityRequest(input)
768 return out, req.Send()
771 // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of
772 // the ability to pass a context and additional request options.
774 // See GetCallerIdentity for details on how to use this API operation.
776 // The context must be non-nil and will be used for request cancellation. If
777 // the context is nil a panic will occur. In the future the SDK may create
778 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
779 // for more information on using Contexts.
780 func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) {
781 req, out := c.GetCallerIdentityRequest(input)
783 req.ApplyOptions(opts...)
784 return out, req.Send()
787 const opGetFederationToken = "GetFederationToken"
789 // GetFederationTokenRequest generates a "aws/request.Request" representing the
790 // client's request for the GetFederationToken operation. The "output" return
791 // value will be populated with the request's response once the request completes
794 // Use "Send" method on the returned Request to send the API call to the service.
795 // the "output" return value is not valid until after Send returns without error.
797 // See GetFederationToken for more information on using the GetFederationToken
798 // API call, and error handling.
800 // This method is useful when you want to inject custom logic or configuration
801 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
804 // // Example sending a request using the GetFederationTokenRequest method.
805 // req, resp := client.GetFederationTokenRequest(params)
808 // if err == nil { // resp is now filled
812 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
813 func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) {
814 op := &request.Operation{
815 Name: opGetFederationToken,
821 input = &GetFederationTokenInput{}
824 output = &GetFederationTokenOutput{}
825 req = c.newRequest(op, input, output)
829 // GetFederationToken API operation for AWS Security Token Service.
831 // Returns a set of temporary security credentials (consisting of an access
832 // key ID, a secret access key, and a security token) for a federated user.
833 // A typical use is in a proxy application that gets temporary security credentials
834 // on behalf of distributed applications inside a corporate network. Because
835 // you must call the GetFederationToken action using the long-term security
836 // credentials of an IAM user, this call is appropriate in contexts where those
837 // credentials can be safely stored, usually in a server-based application.
838 // For a comparison of GetFederationToken with the other APIs that produce temporary
839 // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
840 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
841 // in the IAM User Guide.
843 // If you are creating a mobile-based or browser-based app that can authenticate
844 // users using a web identity provider like Login with Amazon, Facebook, Google,
845 // or an OpenID Connect-compatible identity provider, we recommend that you
846 // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
847 // For more information, see Federation Through a Web-based Identity Provider
848 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
850 // The GetFederationToken action must be called by using the long-term AWS security
851 // credentials of an IAM user. You can also call GetFederationToken using the
852 // security credentials of an AWS root account, but we do not recommended it.
853 // Instead, we recommend that you create an IAM user for the purpose of the
854 // proxy application and then attach a policy to the IAM user that limits federated
855 // users to only the actions and resources that they need access to. For more
856 // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
857 // in the IAM User Guide.
859 // The temporary security credentials that are obtained by using the long-term
860 // credentials of an IAM user are valid for the specified duration, from 900
861 // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default
862 // is 43200 seconds (12 hours). Temporary credentials that are obtained by using
863 // AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
865 // The temporary security credentials created by GetFederationToken can be used
866 // to make API calls to any AWS service with the following exceptions:
868 // * You cannot use these credentials to call any IAM APIs.
870 // * You cannot call any STS APIs except GetCallerIdentity.
874 // The permissions for the temporary security credentials returned by GetFederationToken
875 // are determined by a combination of the following:
877 // * The policy or policies that are attached to the IAM user whose credentials
878 // are used to call GetFederationToken.
880 // * The policy that is passed as a parameter in the call.
882 // The passed policy is attached to the temporary security credentials that
883 // result from the GetFederationToken API call--that is, to the federated user.
884 // When the federated user makes an AWS request, AWS evaluates the policy attached
885 // to the federated user in combination with the policy or policies attached
886 // to the IAM user whose credentials were used to call GetFederationToken. AWS
887 // allows the federated user's request only when both the federated user and
888 // the IAM user are explicitly allowed to perform the requested action. The
889 // passed policy cannot grant more permissions than those that are defined in
890 // the IAM user policy.
892 // A typical use case is that the permissions of the IAM user whose credentials
893 // are used to call GetFederationToken are designed to allow access to all the
894 // actions and resources that any federated user will need. Then, for individual
895 // users, you pass a policy to the operation that scopes down the permissions
896 // to a level that's appropriate to that individual user, using a policy that
897 // allows only a subset of permissions that are granted to the IAM user.
899 // If you do not pass a policy, the resulting temporary security credentials
900 // have no effective permissions. The only exception is when the temporary security
901 // credentials are used to access a resource that has a resource-based policy
902 // that specifically allows the federated user to access the resource.
904 // For more information about how permissions work, see Permissions for GetFederationToken
905 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
906 // For information about using GetFederationToken to create temporary security
907 // credentials, see GetFederationToken—Federation Through a Custom Identity
908 // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
910 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
911 // with awserr.Error's Code and Message methods to get detailed information about
914 // See the AWS API reference guide for AWS Security Token Service's
915 // API operation GetFederationToken for usage and error information.
917 // Returned Error Codes:
918 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
919 // The request was rejected because the policy document was malformed. The error
920 // message describes the specific error.
922 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
923 // The request was rejected because the policy document was too large. The error
924 // message describes how big the policy document is, in packed form, as a percentage
925 // of what the API allows.
927 // * ErrCodeRegionDisabledException "RegionDisabledException"
928 // STS is not activated in the requested region for the account that is being
929 // asked to generate credentials. The account administrator must use the IAM
930 // console to activate STS in that region. For more information, see Activating
931 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
932 // in the IAM User Guide.
934 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
935 func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
936 req, out := c.GetFederationTokenRequest(input)
937 return out, req.Send()
940 // GetFederationTokenWithContext is the same as GetFederationToken with the addition of
941 // the ability to pass a context and additional request options.
943 // See GetFederationToken for details on how to use this API operation.
945 // The context must be non-nil and will be used for request cancellation. If
946 // the context is nil a panic will occur. In the future the SDK may create
947 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
948 // for more information on using Contexts.
949 func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) {
950 req, out := c.GetFederationTokenRequest(input)
952 req.ApplyOptions(opts...)
953 return out, req.Send()
956 const opGetSessionToken = "GetSessionToken"
958 // GetSessionTokenRequest generates a "aws/request.Request" representing the
959 // client's request for the GetSessionToken operation. The "output" return
960 // value will be populated with the request's response once the request completes
963 // Use "Send" method on the returned Request to send the API call to the service.
964 // the "output" return value is not valid until after Send returns without error.
966 // See GetSessionToken for more information on using the GetSessionToken
967 // API call, and error handling.
969 // This method is useful when you want to inject custom logic or configuration
970 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
973 // // Example sending a request using the GetSessionTokenRequest method.
974 // req, resp := client.GetSessionTokenRequest(params)
977 // if err == nil { // resp is now filled
981 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
982 func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) {
983 op := &request.Operation{
984 Name: opGetSessionToken,
990 input = &GetSessionTokenInput{}
993 output = &GetSessionTokenOutput{}
994 req = c.newRequest(op, input, output)
998 // GetSessionToken API operation for AWS Security Token Service.
1000 // Returns a set of temporary credentials for an AWS account or IAM user. The
1001 // credentials consist of an access key ID, a secret access key, and a security
1002 // token. Typically, you use GetSessionToken if you want to use MFA to protect
1003 // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
1004 // IAM users would need to call GetSessionToken and submit an MFA code that
1005 // is associated with their MFA device. Using the temporary security credentials
1006 // that are returned from the call, IAM users can then make programmatic calls
1007 // to APIs that require MFA authentication. If you do not supply a correct MFA
1008 // code, then the API returns an access denied error. For a comparison of GetSessionToken
1009 // with the other APIs that produce temporary credentials, see Requesting Temporary
1010 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
1011 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
1012 // in the IAM User Guide.
1014 // The GetSessionToken action must be called by using the long-term AWS security
1015 // credentials of the AWS account or an IAM user. Credentials that are created
1016 // by IAM users are valid for the duration that you specify, from 900 seconds
1017 // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default
1018 // of 43200 seconds (12 hours); credentials that are created by using account
1019 // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600
1020 // seconds (1 hour), with a default of 1 hour.
1022 // The temporary security credentials created by GetSessionToken can be used
1023 // to make API calls to any AWS service with the following exceptions:
1025 // * You cannot call any IAM APIs unless MFA authentication information is
1026 // included in the request.
1028 // * You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
1030 // We recommend that you do not call GetSessionToken with root account credentials.
1031 // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
1032 // by creating one or more IAM users, giving them the necessary permissions,
1033 // and using IAM users for everyday interaction with AWS.
1035 // The permissions associated with the temporary security credentials returned
1036 // by GetSessionToken are based on the permissions associated with account or
1037 // IAM user whose credentials are used to call the action. If GetSessionToken
1038 // is called using root account credentials, the temporary credentials have
1039 // root account permissions. Similarly, if GetSessionToken is called using the
1040 // credentials of an IAM user, the temporary credentials have the same permissions
1043 // For more information about using GetSessionToken to create temporary credentials,
1044 // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
1045 // in the IAM User Guide.
1047 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1048 // with awserr.Error's Code and Message methods to get detailed information about
1051 // See the AWS API reference guide for AWS Security Token Service's
1052 // API operation GetSessionToken for usage and error information.
1054 // Returned Error Codes:
1055 // * ErrCodeRegionDisabledException "RegionDisabledException"
1056 // STS is not activated in the requested region for the account that is being
1057 // asked to generate credentials. The account administrator must use the IAM
1058 // console to activate STS in that region. For more information, see Activating
1059 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
1060 // in the IAM User Guide.
1062 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
1063 func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
1064 req, out := c.GetSessionTokenRequest(input)
1065 return out, req.Send()
1068 // GetSessionTokenWithContext is the same as GetSessionToken with the addition of
1069 // the ability to pass a context and additional request options.
1071 // See GetSessionToken for details on how to use this API operation.
1073 // The context must be non-nil and will be used for request cancellation. If
1074 // the context is nil a panic will occur. In the future the SDK may create
1075 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
1076 // for more information on using Contexts.
1077 func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) {
1078 req, out := c.GetSessionTokenRequest(input)
1080 req.ApplyOptions(opts...)
1081 return out, req.Send()
1084 type AssumeRoleInput struct {
1085 _ struct{} `type:"structure"`
1087 // The duration, in seconds, of the role session. The value can range from 900
1088 // seconds (15 minutes) up to the maximum session duration setting for the role.
1089 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1090 // higher than this setting, the operation fails. For example, if you specify
1091 // a session duration of 12 hours, but your administrator set the maximum session
1092 // duration to 6 hours, your operation fails. To learn how to view the maximum
1093 // value for your role, see View the Maximum Session Duration Setting for a
1094 // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1095 // in the IAM User Guide.
1097 // By default, the value is set to 3600 seconds.
1099 // The DurationSeconds parameter is separate from the duration of a console
1100 // session that you might request using the returned credentials. The request
1101 // to the federation endpoint for a console sign-in token takes a SessionDuration
1102 // parameter that specifies the maximum length of the console session. For more
1103 // information, see Creating a URL that Enables Federated Users to Access the
1104 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1105 // in the IAM User Guide.
1106 DurationSeconds *int64 `min:"900" type:"integer"`
1108 // A unique identifier that is used by third parties when assuming roles in
1109 // their customers' accounts. For each role that the third party can assume,
1110 // they should instruct their customers to ensure the role's trust policy checks
1111 // for the external ID that the third party generated. Each time the third party
1112 // assumes the role, they should pass the customer's external ID. The external
1113 // ID is useful in order to help third parties bind a role to the customer who
1114 // created it. For more information about the external ID, see How to Use an
1115 // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
1116 // in the IAM User Guide.
1118 // The regex used to validated this parameter is a string of characters consisting
1119 // of upper- and lower-case alphanumeric characters with no spaces. You can
1120 // also include underscores or any of the following characters: =,.@:/-
1121 ExternalId *string `min:"2" type:"string"`
1123 // An IAM policy in JSON format.
1125 // This parameter is optional. If you pass a policy, the temporary security
1126 // credentials that are returned by the operation have the permissions that
1127 // are allowed by both (the intersection of) the access policy of the role that
1128 // is being assumed, and the policy that you pass. This gives you a way to further
1129 // restrict the permissions for the resulting temporary security credentials.
1130 // You cannot use the passed policy to grant permissions that are in excess
1131 // of those allowed by the access policy of the role that is being assumed.
1132 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
1133 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1134 // in the IAM User Guide.
1136 // The format for this parameter, as described by its regex pattern, is a string
1137 // of characters up to 2048 characters in length. The characters can be any
1138 // ASCII character from the space character to the end of the valid character
1139 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1140 // and carriage return (\u000D) characters.
1142 // The policy plain text must be 2048 bytes or shorter. However, an internal
1143 // conversion compresses it into a packed binary format with a separate limit.
1144 // The PackedPolicySize response element indicates by percentage how close to
1145 // the upper size limit the policy is, with 100% equaling the maximum allowed
1147 Policy *string `min:"1" type:"string"`
1149 // The Amazon Resource Name (ARN) of the role to assume.
1151 // RoleArn is a required field
1152 RoleArn *string `min:"20" type:"string" required:"true"`
1154 // An identifier for the assumed role session.
1156 // Use the role session name to uniquely identify a session when the same role
1157 // is assumed by different principals or for different reasons. In cross-account
1158 // scenarios, the role session name is visible to, and can be logged by the
1159 // account that owns the role. The role session name is also used in the ARN
1160 // of the assumed role principal. This means that subsequent cross-account API
1161 // requests using the temporary security credentials will expose the role session
1162 // name to the external account in their CloudTrail logs.
1164 // The regex used to validate this parameter is a string of characters consisting
1165 // of upper- and lower-case alphanumeric characters with no spaces. You can
1166 // also include underscores or any of the following characters: =,.@-
1168 // RoleSessionName is a required field
1169 RoleSessionName *string `min:"2" type:"string" required:"true"`
1171 // The identification number of the MFA device that is associated with the user
1172 // who is making the AssumeRole call. Specify this value if the trust policy
1173 // of the role being assumed includes a condition that requires MFA authentication.
1174 // The value is either the serial number for a hardware device (such as GAHT12345678)
1175 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
1177 // The regex used to validate this parameter is a string of characters consisting
1178 // of upper- and lower-case alphanumeric characters with no spaces. You can
1179 // also include underscores or any of the following characters: =,.@-
1180 SerialNumber *string `min:"9" type:"string"`
1182 // The value provided by the MFA device, if the trust policy of the role being
1183 // assumed requires MFA (that is, if the policy includes a condition that tests
1184 // for MFA). If the role being assumed requires MFA and if the TokenCode value
1185 // is missing or expired, the AssumeRole call returns an "access denied" error.
1187 // The format for this parameter, as described by its regex pattern, is a sequence
1188 // of six numeric digits.
1189 TokenCode *string `min:"6" type:"string"`
1192 // String returns the string representation
1193 func (s AssumeRoleInput) String() string {
1194 return awsutil.Prettify(s)
1197 // GoString returns the string representation
1198 func (s AssumeRoleInput) GoString() string {
1202 // Validate inspects the fields of the type to determine if they are valid.
1203 func (s *AssumeRoleInput) Validate() error {
1204 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"}
1205 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1206 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1208 if s.ExternalId != nil && len(*s.ExternalId) < 2 {
1209 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2))
1211 if s.Policy != nil && len(*s.Policy) < 1 {
1212 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1214 if s.RoleArn == nil {
1215 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1217 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1218 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1220 if s.RoleSessionName == nil {
1221 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1223 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1224 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1226 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
1227 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
1229 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
1230 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
1233 if invalidParams.Len() > 0 {
1234 return invalidParams
1239 // SetDurationSeconds sets the DurationSeconds field's value.
1240 func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput {
1241 s.DurationSeconds = &v
1245 // SetExternalId sets the ExternalId field's value.
1246 func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput {
1251 // SetPolicy sets the Policy field's value.
1252 func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput {
1257 // SetRoleArn sets the RoleArn field's value.
1258 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
1263 // SetRoleSessionName sets the RoleSessionName field's value.
1264 func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput {
1265 s.RoleSessionName = &v
1269 // SetSerialNumber sets the SerialNumber field's value.
1270 func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput {
1275 // SetTokenCode sets the TokenCode field's value.
1276 func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput {
1281 // Contains the response to a successful AssumeRole request, including temporary
1282 // AWS credentials that can be used to make AWS requests.
1283 type AssumeRoleOutput struct {
1284 _ struct{} `type:"structure"`
1286 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1287 // that you can use to refer to the resulting temporary security credentials.
1288 // For example, you can reference these credentials as a principal in a resource-based
1289 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1290 // that you specified when you called AssumeRole.
1291 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1293 // The temporary security credentials, which include an access key ID, a secret
1294 // access key, and a security (or session) token.
1296 // Note: The size of the security token that STS APIs return is not fixed. We
1297 // strongly recommend that you make no assumptions about the maximum size. As
1298 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1299 // Also, future updates to AWS might require larger sizes.
1300 Credentials *Credentials `type:"structure"`
1302 // A percentage value that indicates the size of the policy in packed form.
1303 // The service rejects any policy with a packed size greater than 100 percent,
1304 // which means the policy exceeded the allowed space.
1305 PackedPolicySize *int64 `type:"integer"`
1308 // String returns the string representation
1309 func (s AssumeRoleOutput) String() string {
1310 return awsutil.Prettify(s)
1313 // GoString returns the string representation
1314 func (s AssumeRoleOutput) GoString() string {
1318 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1319 func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput {
1320 s.AssumedRoleUser = v
1324 // SetCredentials sets the Credentials field's value.
1325 func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput {
1330 // SetPackedPolicySize sets the PackedPolicySize field's value.
1331 func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput {
1332 s.PackedPolicySize = &v
1336 type AssumeRoleWithSAMLInput struct {
1337 _ struct{} `type:"structure"`
1339 // The duration, in seconds, of the role session. Your role session lasts for
1340 // the duration that you specify for the DurationSeconds parameter, or until
1341 // the time specified in the SAML authentication response's SessionNotOnOrAfter
1342 // value, whichever is shorter. You can provide a DurationSeconds value from
1343 // 900 seconds (15 minutes) up to the maximum session duration setting for the
1344 // role. This setting can have a value from 1 hour to 12 hours. If you specify
1345 // a value higher than this setting, the operation fails. For example, if you
1346 // specify a session duration of 12 hours, but your administrator set the maximum
1347 // session duration to 6 hours, your operation fails. To learn how to view the
1348 // maximum value for your role, see View the Maximum Session Duration Setting
1349 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1350 // in the IAM User Guide.
1352 // By default, the value is set to 3600 seconds.
1354 // The DurationSeconds parameter is separate from the duration of a console
1355 // session that you might request using the returned credentials. The request
1356 // to the federation endpoint for a console sign-in token takes a SessionDuration
1357 // parameter that specifies the maximum length of the console session. For more
1358 // information, see Creating a URL that Enables Federated Users to Access the
1359 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1360 // in the IAM User Guide.
1361 DurationSeconds *int64 `min:"900" type:"integer"`
1363 // An IAM policy in JSON format.
1365 // The policy parameter is optional. If you pass a policy, the temporary security
1366 // credentials that are returned by the operation have the permissions that
1367 // are allowed by both the access policy of the role that is being assumed,
1368 // and the policy that you pass. This gives you a way to further restrict the
1369 // permissions for the resulting temporary security credentials. You cannot
1370 // use the passed policy to grant permissions that are in excess of those allowed
1371 // by the access policy of the role that is being assumed. For more information,
1372 // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
1373 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1374 // in the IAM User Guide.
1376 // The format for this parameter, as described by its regex pattern, is a string
1377 // of characters up to 2048 characters in length. The characters can be any
1378 // ASCII character from the space character to the end of the valid character
1379 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1380 // and carriage return (\u000D) characters.
1382 // The policy plain text must be 2048 bytes or shorter. However, an internal
1383 // conversion compresses it into a packed binary format with a separate limit.
1384 // The PackedPolicySize response element indicates by percentage how close to
1385 // the upper size limit the policy is, with 100% equaling the maximum allowed
1387 Policy *string `min:"1" type:"string"`
1389 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
1392 // PrincipalArn is a required field
1393 PrincipalArn *string `min:"20" type:"string" required:"true"`
1395 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1397 // RoleArn is a required field
1398 RoleArn *string `min:"20" type:"string" required:"true"`
1400 // The base-64 encoded SAML authentication response provided by the IdP.
1402 // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
1403 // in the Using IAM guide.
1405 // SAMLAssertion is a required field
1406 SAMLAssertion *string `min:"4" type:"string" required:"true"`
1409 // String returns the string representation
1410 func (s AssumeRoleWithSAMLInput) String() string {
1411 return awsutil.Prettify(s)
1414 // GoString returns the string representation
1415 func (s AssumeRoleWithSAMLInput) GoString() string {
1419 // Validate inspects the fields of the type to determine if they are valid.
1420 func (s *AssumeRoleWithSAMLInput) Validate() error {
1421 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
1422 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1423 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1425 if s.Policy != nil && len(*s.Policy) < 1 {
1426 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1428 if s.PrincipalArn == nil {
1429 invalidParams.Add(request.NewErrParamRequired("PrincipalArn"))
1431 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
1432 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20))
1434 if s.RoleArn == nil {
1435 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1437 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1438 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1440 if s.SAMLAssertion == nil {
1441 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion"))
1443 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
1444 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
1447 if invalidParams.Len() > 0 {
1448 return invalidParams
1453 // SetDurationSeconds sets the DurationSeconds field's value.
1454 func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput {
1455 s.DurationSeconds = &v
1459 // SetPolicy sets the Policy field's value.
1460 func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput {
1465 // SetPrincipalArn sets the PrincipalArn field's value.
1466 func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput {
1471 // SetRoleArn sets the RoleArn field's value.
1472 func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput {
1477 // SetSAMLAssertion sets the SAMLAssertion field's value.
1478 func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput {
1479 s.SAMLAssertion = &v
1483 // Contains the response to a successful AssumeRoleWithSAML request, including
1484 // temporary AWS credentials that can be used to make AWS requests.
1485 type AssumeRoleWithSAMLOutput struct {
1486 _ struct{} `type:"structure"`
1488 // The identifiers for the temporary security credentials that the operation
1490 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1492 // The value of the Recipient attribute of the SubjectConfirmationData element
1493 // of the SAML assertion.
1494 Audience *string `type:"string"`
1496 // The temporary security credentials, which include an access key ID, a secret
1497 // access key, and a security (or session) token.
1499 // Note: The size of the security token that STS APIs return is not fixed. We
1500 // strongly recommend that you make no assumptions about the maximum size. As
1501 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1502 // Also, future updates to AWS might require larger sizes.
1503 Credentials *Credentials `type:"structure"`
1505 // The value of the Issuer element of the SAML assertion.
1506 Issuer *string `type:"string"`
1508 // A hash value based on the concatenation of the Issuer response value, the
1509 // AWS account ID, and the friendly name (the last part of the ARN) of the SAML
1510 // provider in IAM. The combination of NameQualifier and Subject can be used
1511 // to uniquely identify a federated user.
1513 // The following pseudocode shows how the hash value is calculated:
1515 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
1517 NameQualifier *string `type:"string"`
1519 // A percentage value that indicates the size of the policy in packed form.
1520 // The service rejects any policy with a packed size greater than 100 percent,
1521 // which means the policy exceeded the allowed space.
1522 PackedPolicySize *int64 `type:"integer"`
1524 // The value of the NameID element in the Subject element of the SAML assertion.
1525 Subject *string `type:"string"`
1527 // The format of the name ID, as defined by the Format attribute in the NameID
1528 // element of the SAML assertion. Typical examples of the format are transient
1531 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
1532 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
1533 // is returned as transient. If the format includes any other prefix, the format
1534 // is returned with no modifications.
1535 SubjectType *string `type:"string"`
1538 // String returns the string representation
1539 func (s AssumeRoleWithSAMLOutput) String() string {
1540 return awsutil.Prettify(s)
1543 // GoString returns the string representation
1544 func (s AssumeRoleWithSAMLOutput) GoString() string {
1548 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1549 func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput {
1550 s.AssumedRoleUser = v
1554 // SetAudience sets the Audience field's value.
1555 func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput {
1560 // SetCredentials sets the Credentials field's value.
1561 func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput {
1566 // SetIssuer sets the Issuer field's value.
1567 func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput {
1572 // SetNameQualifier sets the NameQualifier field's value.
1573 func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput {
1574 s.NameQualifier = &v
1578 // SetPackedPolicySize sets the PackedPolicySize field's value.
1579 func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput {
1580 s.PackedPolicySize = &v
1584 // SetSubject sets the Subject field's value.
1585 func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput {
1590 // SetSubjectType sets the SubjectType field's value.
1591 func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput {
1596 type AssumeRoleWithWebIdentityInput struct {
1597 _ struct{} `type:"structure"`
1599 // The duration, in seconds, of the role session. The value can range from 900
1600 // seconds (15 minutes) up to the maximum session duration setting for the role.
1601 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1602 // higher than this setting, the operation fails. For example, if you specify
1603 // a session duration of 12 hours, but your administrator set the maximum session
1604 // duration to 6 hours, your operation fails. To learn how to view the maximum
1605 // value for your role, see View the Maximum Session Duration Setting for a
1606 // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1607 // in the IAM User Guide.
1609 // By default, the value is set to 3600 seconds.
1611 // The DurationSeconds parameter is separate from the duration of a console
1612 // session that you might request using the returned credentials. The request
1613 // to the federation endpoint for a console sign-in token takes a SessionDuration
1614 // parameter that specifies the maximum length of the console session. For more
1615 // information, see Creating a URL that Enables Federated Users to Access the
1616 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1617 // in the IAM User Guide.
1618 DurationSeconds *int64 `min:"900" type:"integer"`
1620 // An IAM policy in JSON format.
1622 // The policy parameter is optional. If you pass a policy, the temporary security
1623 // credentials that are returned by the operation have the permissions that
1624 // are allowed by both the access policy of the role that is being assumed,
1625 // and the policy that you pass. This gives you a way to further restrict the
1626 // permissions for the resulting temporary security credentials. You cannot
1627 // use the passed policy to grant permissions that are in excess of those allowed
1628 // by the access policy of the role that is being assumed. For more information,
1629 // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1630 // in the IAM User Guide.
1632 // The format for this parameter, as described by its regex pattern, is a string
1633 // of characters up to 2048 characters in length. The characters can be any
1634 // ASCII character from the space character to the end of the valid character
1635 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1636 // and carriage return (\u000D) characters.
1638 // The policy plain text must be 2048 bytes or shorter. However, an internal
1639 // conversion compresses it into a packed binary format with a separate limit.
1640 // The PackedPolicySize response element indicates by percentage how close to
1641 // the upper size limit the policy is, with 100% equaling the maximum allowed
1643 Policy *string `min:"1" type:"string"`
1645 // The fully qualified host component of the domain name of the identity provider.
1647 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
1648 // and graph.facebook.com are the only supported identity providers for OAuth
1649 // 2.0 access tokens. Do not include URL schemes and port numbers.
1651 // Do not specify this value for OpenID Connect ID tokens.
1652 ProviderId *string `min:"4" type:"string"`
1654 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1656 // RoleArn is a required field
1657 RoleArn *string `min:"20" type:"string" required:"true"`
1659 // An identifier for the assumed role session. Typically, you pass the name
1660 // or identifier that is associated with the user who is using your application.
1661 // That way, the temporary security credentials that your application will use
1662 // are associated with that user. This session name is included as part of the
1663 // ARN and assumed role ID in the AssumedRoleUser response element.
1665 // The regex used to validate this parameter is a string of characters consisting
1666 // of upper- and lower-case alphanumeric characters with no spaces. You can
1667 // also include underscores or any of the following characters: =,.@-
1669 // RoleSessionName is a required field
1670 RoleSessionName *string `min:"2" type:"string" required:"true"`
1672 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by
1673 // the identity provider. Your application must get this token by authenticating
1674 // the user who is using your application with a web identity provider before
1675 // the application makes an AssumeRoleWithWebIdentity call.
1677 // WebIdentityToken is a required field
1678 WebIdentityToken *string `min:"4" type:"string" required:"true"`
1681 // String returns the string representation
1682 func (s AssumeRoleWithWebIdentityInput) String() string {
1683 return awsutil.Prettify(s)
1686 // GoString returns the string representation
1687 func (s AssumeRoleWithWebIdentityInput) GoString() string {
1691 // Validate inspects the fields of the type to determine if they are valid.
1692 func (s *AssumeRoleWithWebIdentityInput) Validate() error {
1693 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
1694 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1695 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1697 if s.Policy != nil && len(*s.Policy) < 1 {
1698 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1700 if s.ProviderId != nil && len(*s.ProviderId) < 4 {
1701 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4))
1703 if s.RoleArn == nil {
1704 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1706 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1707 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1709 if s.RoleSessionName == nil {
1710 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1712 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1713 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1715 if s.WebIdentityToken == nil {
1716 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken"))
1718 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
1719 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
1722 if invalidParams.Len() > 0 {
1723 return invalidParams
1728 // SetDurationSeconds sets the DurationSeconds field's value.
1729 func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput {
1730 s.DurationSeconds = &v
1734 // SetPolicy sets the Policy field's value.
1735 func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput {
1740 // SetProviderId sets the ProviderId field's value.
1741 func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput {
1746 // SetRoleArn sets the RoleArn field's value.
1747 func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput {
1752 // SetRoleSessionName sets the RoleSessionName field's value.
1753 func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput {
1754 s.RoleSessionName = &v
1758 // SetWebIdentityToken sets the WebIdentityToken field's value.
1759 func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput {
1760 s.WebIdentityToken = &v
1764 // Contains the response to a successful AssumeRoleWithWebIdentity request,
1765 // including temporary AWS credentials that can be used to make AWS requests.
1766 type AssumeRoleWithWebIdentityOutput struct {
1767 _ struct{} `type:"structure"`
1769 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1770 // that you can use to refer to the resulting temporary security credentials.
1771 // For example, you can reference these credentials as a principal in a resource-based
1772 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1773 // that you specified when you called AssumeRole.
1774 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1776 // The intended audience (also known as client ID) of the web identity token.
1777 // This is traditionally the client identifier issued to the application that
1778 // requested the web identity token.
1779 Audience *string `type:"string"`
1781 // The temporary security credentials, which include an access key ID, a secret
1782 // access key, and a security token.
1784 // Note: The size of the security token that STS APIs return is not fixed. We
1785 // strongly recommend that you make no assumptions about the maximum size. As
1786 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1787 // Also, future updates to AWS might require larger sizes.
1788 Credentials *Credentials `type:"structure"`
1790 // A percentage value that indicates the size of the policy in packed form.
1791 // The service rejects any policy with a packed size greater than 100 percent,
1792 // which means the policy exceeded the allowed space.
1793 PackedPolicySize *int64 `type:"integer"`
1795 // The issuing authority of the web identity token presented. For OpenID Connect
1796 // ID Tokens this contains the value of the iss field. For OAuth 2.0 access
1797 // tokens, this contains the value of the ProviderId parameter that was passed
1798 // in the AssumeRoleWithWebIdentity request.
1799 Provider *string `type:"string"`
1801 // The unique user identifier that is returned by the identity provider. This
1802 // identifier is associated with the WebIdentityToken that was submitted with
1803 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to
1804 // the user and the application that acquired the WebIdentityToken (pairwise
1805 // identifier). For OpenID Connect ID tokens, this field contains the value
1806 // returned by the identity provider as the token's sub (Subject) claim.
1807 SubjectFromWebIdentityToken *string `min:"6" type:"string"`
1810 // String returns the string representation
1811 func (s AssumeRoleWithWebIdentityOutput) String() string {
1812 return awsutil.Prettify(s)
1815 // GoString returns the string representation
1816 func (s AssumeRoleWithWebIdentityOutput) GoString() string {
1820 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1821 func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput {
1822 s.AssumedRoleUser = v
1826 // SetAudience sets the Audience field's value.
1827 func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput {
1832 // SetCredentials sets the Credentials field's value.
1833 func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput {
1838 // SetPackedPolicySize sets the PackedPolicySize field's value.
1839 func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput {
1840 s.PackedPolicySize = &v
1844 // SetProvider sets the Provider field's value.
1845 func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput {
1850 // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
1851 func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput {
1852 s.SubjectFromWebIdentityToken = &v
1856 // The identifiers for the temporary security credentials that the operation
1858 type AssumedRoleUser struct {
1859 _ struct{} `type:"structure"`
1861 // The ARN of the temporary security credentials that are returned from the
1862 // AssumeRole action. For more information about ARNs and how to use them in
1863 // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
1866 // Arn is a required field
1867 Arn *string `min:"20" type:"string" required:"true"`
1869 // A unique identifier that contains the role ID and the role session name of
1870 // the role that is being assumed. The role ID is generated by AWS when the
1873 // AssumedRoleId is a required field
1874 AssumedRoleId *string `min:"2" type:"string" required:"true"`
1877 // String returns the string representation
1878 func (s AssumedRoleUser) String() string {
1879 return awsutil.Prettify(s)
1882 // GoString returns the string representation
1883 func (s AssumedRoleUser) GoString() string {
1887 // SetArn sets the Arn field's value.
1888 func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser {
1893 // SetAssumedRoleId sets the AssumedRoleId field's value.
1894 func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser {
1895 s.AssumedRoleId = &v
1899 // AWS credentials for API authentication.
1900 type Credentials struct {
1901 _ struct{} `type:"structure"`
1903 // The access key ID that identifies the temporary security credentials.
1905 // AccessKeyId is a required field
1906 AccessKeyId *string `min:"16" type:"string" required:"true"`
1908 // The date on which the current credentials expire.
1910 // Expiration is a required field
1911 Expiration *time.Time `type:"timestamp" required:"true"`
1913 // The secret access key that can be used to sign requests.
1915 // SecretAccessKey is a required field
1916 SecretAccessKey *string `type:"string" required:"true"`
1918 // The token that users must pass to the service API to use the temporary credentials.
1920 // SessionToken is a required field
1921 SessionToken *string `type:"string" required:"true"`
1924 // String returns the string representation
1925 func (s Credentials) String() string {
1926 return awsutil.Prettify(s)
1929 // GoString returns the string representation
1930 func (s Credentials) GoString() string {
1934 // SetAccessKeyId sets the AccessKeyId field's value.
1935 func (s *Credentials) SetAccessKeyId(v string) *Credentials {
1940 // SetExpiration sets the Expiration field's value.
1941 func (s *Credentials) SetExpiration(v time.Time) *Credentials {
1946 // SetSecretAccessKey sets the SecretAccessKey field's value.
1947 func (s *Credentials) SetSecretAccessKey(v string) *Credentials {
1948 s.SecretAccessKey = &v
1952 // SetSessionToken sets the SessionToken field's value.
1953 func (s *Credentials) SetSessionToken(v string) *Credentials {
1958 type DecodeAuthorizationMessageInput struct {
1959 _ struct{} `type:"structure"`
1961 // The encoded message that was returned with the response.
1963 // EncodedMessage is a required field
1964 EncodedMessage *string `min:"1" type:"string" required:"true"`
1967 // String returns the string representation
1968 func (s DecodeAuthorizationMessageInput) String() string {
1969 return awsutil.Prettify(s)
1972 // GoString returns the string representation
1973 func (s DecodeAuthorizationMessageInput) GoString() string {
1977 // Validate inspects the fields of the type to determine if they are valid.
1978 func (s *DecodeAuthorizationMessageInput) Validate() error {
1979 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
1980 if s.EncodedMessage == nil {
1981 invalidParams.Add(request.NewErrParamRequired("EncodedMessage"))
1983 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
1984 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1))
1987 if invalidParams.Len() > 0 {
1988 return invalidParams
1993 // SetEncodedMessage sets the EncodedMessage field's value.
1994 func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput {
1995 s.EncodedMessage = &v
1999 // A document that contains additional information about the authorization status
2000 // of a request from an encoded message that is returned in response to an AWS
2002 type DecodeAuthorizationMessageOutput struct {
2003 _ struct{} `type:"structure"`
2005 // An XML document that contains the decoded message.
2006 DecodedMessage *string `type:"string"`
2009 // String returns the string representation
2010 func (s DecodeAuthorizationMessageOutput) String() string {
2011 return awsutil.Prettify(s)
2014 // GoString returns the string representation
2015 func (s DecodeAuthorizationMessageOutput) GoString() string {
2019 // SetDecodedMessage sets the DecodedMessage field's value.
2020 func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput {
2021 s.DecodedMessage = &v
2025 // Identifiers for the federated user that is associated with the credentials.
2026 type FederatedUser struct {
2027 _ struct{} `type:"structure"`
2029 // The ARN that specifies the federated user that is associated with the credentials.
2030 // For more information about ARNs and how to use them in policies, see IAM
2031 // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2034 // Arn is a required field
2035 Arn *string `min:"20" type:"string" required:"true"`
2037 // The string that identifies the federated user associated with the credentials,
2038 // similar to the unique ID of an IAM user.
2040 // FederatedUserId is a required field
2041 FederatedUserId *string `min:"2" type:"string" required:"true"`
2044 // String returns the string representation
2045 func (s FederatedUser) String() string {
2046 return awsutil.Prettify(s)
2049 // GoString returns the string representation
2050 func (s FederatedUser) GoString() string {
2054 // SetArn sets the Arn field's value.
2055 func (s *FederatedUser) SetArn(v string) *FederatedUser {
2060 // SetFederatedUserId sets the FederatedUserId field's value.
2061 func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser {
2062 s.FederatedUserId = &v
2066 type GetCallerIdentityInput struct {
2067 _ struct{} `type:"structure"`
2070 // String returns the string representation
2071 func (s GetCallerIdentityInput) String() string {
2072 return awsutil.Prettify(s)
2075 // GoString returns the string representation
2076 func (s GetCallerIdentityInput) GoString() string {
2080 // Contains the response to a successful GetCallerIdentity request, including
2081 // information about the entity making the request.
2082 type GetCallerIdentityOutput struct {
2083 _ struct{} `type:"structure"`
2085 // The AWS account ID number of the account that owns or contains the calling
2087 Account *string `type:"string"`
2089 // The AWS ARN associated with the calling entity.
2090 Arn *string `min:"20" type:"string"`
2092 // The unique identifier of the calling entity. The exact value depends on the
2093 // type of entity making the call. The values returned are those listed in the
2094 // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
2095 // found on the Policy Variables reference page in the IAM User Guide.
2096 UserId *string `type:"string"`
2099 // String returns the string representation
2100 func (s GetCallerIdentityOutput) String() string {
2101 return awsutil.Prettify(s)
2104 // GoString returns the string representation
2105 func (s GetCallerIdentityOutput) GoString() string {
2109 // SetAccount sets the Account field's value.
2110 func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput {
2115 // SetArn sets the Arn field's value.
2116 func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput {
2121 // SetUserId sets the UserId field's value.
2122 func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput {
2127 type GetFederationTokenInput struct {
2128 _ struct{} `type:"structure"`
2130 // The duration, in seconds, that the session should last. Acceptable durations
2131 // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
2132 // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
2133 // using AWS account (root) credentials are restricted to a maximum of 3600
2134 // seconds (one hour). If the specified duration is longer than one hour, the
2135 // session obtained by using AWS account (root) credentials defaults to one
2137 DurationSeconds *int64 `min:"900" type:"integer"`
2139 // The name of the federated user. The name is used as an identifier for the
2140 // temporary security credentials (such as Bob). For example, you can reference
2141 // the federated user name in a resource-based policy, such as in an Amazon
2142 // S3 bucket policy.
2144 // The regex used to validate this parameter is a string of characters consisting
2145 // of upper- and lower-case alphanumeric characters with no spaces. You can
2146 // also include underscores or any of the following characters: =,.@-
2148 // Name is a required field
2149 Name *string `min:"2" type:"string" required:"true"`
2151 // An IAM policy in JSON format that is passed with the GetFederationToken call
2152 // and evaluated along with the policy or policies that are attached to the
2153 // IAM user whose credentials are used to call GetFederationToken. The passed
2154 // policy is used to scope down the permissions that are available to the IAM
2155 // user, by allowing only a subset of the permissions that are granted to the
2156 // IAM user. The passed policy cannot grant more permissions than those granted
2157 // to the IAM user. The final permissions for the federated user are the most
2158 // restrictive set based on the intersection of the passed policy and the IAM
2161 // If you do not pass a policy, the resulting temporary security credentials
2162 // have no effective permissions. The only exception is when the temporary security
2163 // credentials are used to access a resource that has a resource-based policy
2164 // that specifically allows the federated user to access the resource.
2166 // The format for this parameter, as described by its regex pattern, is a string
2167 // of characters up to 2048 characters in length. The characters can be any
2168 // ASCII character from the space character to the end of the valid character
2169 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2170 // and carriage return (\u000D) characters.
2172 // The policy plain text must be 2048 bytes or shorter. However, an internal
2173 // conversion compresses it into a packed binary format with a separate limit.
2174 // The PackedPolicySize response element indicates by percentage how close to
2175 // the upper size limit the policy is, with 100% equaling the maximum allowed
2178 // For more information about how permissions work, see Permissions for GetFederationToken
2179 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
2180 Policy *string `min:"1" type:"string"`
2183 // String returns the string representation
2184 func (s GetFederationTokenInput) String() string {
2185 return awsutil.Prettify(s)
2188 // GoString returns the string representation
2189 func (s GetFederationTokenInput) GoString() string {
2193 // Validate inspects the fields of the type to determine if they are valid.
2194 func (s *GetFederationTokenInput) Validate() error {
2195 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"}
2196 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2197 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2200 invalidParams.Add(request.NewErrParamRequired("Name"))
2202 if s.Name != nil && len(*s.Name) < 2 {
2203 invalidParams.Add(request.NewErrParamMinLen("Name", 2))
2205 if s.Policy != nil && len(*s.Policy) < 1 {
2206 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
2209 if invalidParams.Len() > 0 {
2210 return invalidParams
2215 // SetDurationSeconds sets the DurationSeconds field's value.
2216 func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput {
2217 s.DurationSeconds = &v
2221 // SetName sets the Name field's value.
2222 func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput {
2227 // SetPolicy sets the Policy field's value.
2228 func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput {
2233 // Contains the response to a successful GetFederationToken request, including
2234 // temporary AWS credentials that can be used to make AWS requests.
2235 type GetFederationTokenOutput struct {
2236 _ struct{} `type:"structure"`
2238 // The temporary security credentials, which include an access key ID, a secret
2239 // access key, and a security (or session) token.
2241 // Note: The size of the security token that STS APIs return is not fixed. We
2242 // strongly recommend that you make no assumptions about the maximum size. As
2243 // of this writing, the typical size is less than 4096 bytes, but that can vary.
2244 // Also, future updates to AWS might require larger sizes.
2245 Credentials *Credentials `type:"structure"`
2247 // Identifiers for the federated user associated with the credentials (such
2248 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
2249 // can use the federated user's ARN in your resource-based policies, such as
2250 // an Amazon S3 bucket policy.
2251 FederatedUser *FederatedUser `type:"structure"`
2253 // A percentage value indicating the size of the policy in packed form. The
2254 // service rejects policies for which the packed size is greater than 100 percent
2255 // of the allowed value.
2256 PackedPolicySize *int64 `type:"integer"`
2259 // String returns the string representation
2260 func (s GetFederationTokenOutput) String() string {
2261 return awsutil.Prettify(s)
2264 // GoString returns the string representation
2265 func (s GetFederationTokenOutput) GoString() string {
2269 // SetCredentials sets the Credentials field's value.
2270 func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput {
2275 // SetFederatedUser sets the FederatedUser field's value.
2276 func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput {
2281 // SetPackedPolicySize sets the PackedPolicySize field's value.
2282 func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput {
2283 s.PackedPolicySize = &v
2287 type GetSessionTokenInput struct {
2288 _ struct{} `type:"structure"`
2290 // The duration, in seconds, that the credentials should remain valid. Acceptable
2291 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600
2292 // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions
2293 // for AWS account owners are restricted to a maximum of 3600 seconds (one hour).
2294 // If the duration is longer than one hour, the session for AWS account owners
2295 // defaults to one hour.
2296 DurationSeconds *int64 `min:"900" type:"integer"`
2298 // The identification number of the MFA device that is associated with the IAM
2299 // user who is making the GetSessionToken call. Specify this value if the IAM
2300 // user has a policy that requires MFA authentication. The value is either the
2301 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
2302 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
2303 // You can find the device for an IAM user by going to the AWS Management Console
2304 // and viewing the user's security credentials.
2306 // The regex used to validated this parameter is a string of characters consisting
2307 // of upper- and lower-case alphanumeric characters with no spaces. You can
2308 // also include underscores or any of the following characters: =,.@:/-
2309 SerialNumber *string `min:"9" type:"string"`
2311 // The value provided by the MFA device, if MFA is required. If any policy requires
2312 // the IAM user to submit an MFA code, specify this value. If MFA authentication
2313 // is required, and the user does not provide a code when requesting a set of
2314 // temporary security credentials, the user will receive an "access denied"
2315 // response when requesting resources that require MFA authentication.
2317 // The format for this parameter, as described by its regex pattern, is a sequence
2318 // of six numeric digits.
2319 TokenCode *string `min:"6" type:"string"`
2322 // String returns the string representation
2323 func (s GetSessionTokenInput) String() string {
2324 return awsutil.Prettify(s)
2327 // GoString returns the string representation
2328 func (s GetSessionTokenInput) GoString() string {
2332 // Validate inspects the fields of the type to determine if they are valid.
2333 func (s *GetSessionTokenInput) Validate() error {
2334 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"}
2335 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2336 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2338 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
2339 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
2341 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
2342 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
2345 if invalidParams.Len() > 0 {
2346 return invalidParams
2351 // SetDurationSeconds sets the DurationSeconds field's value.
2352 func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput {
2353 s.DurationSeconds = &v
2357 // SetSerialNumber sets the SerialNumber field's value.
2358 func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput {
2363 // SetTokenCode sets the TokenCode field's value.
2364 func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput {
2369 // Contains the response to a successful GetSessionToken request, including
2370 // temporary AWS credentials that can be used to make AWS requests.
2371 type GetSessionTokenOutput struct {
2372 _ struct{} `type:"structure"`
2374 // The temporary security credentials, which include an access key ID, a secret
2375 // access key, and a security (or session) token.
2377 // Note: The size of the security token that STS APIs return is not fixed. We
2378 // strongly recommend that you make no assumptions about the maximum size. As
2379 // of this writing, the typical size is less than 4096 bytes, but that can vary.
2380 // Also, future updates to AWS might require larger sizes.
2381 Credentials *Credentials `type:"structure"`
2384 // String returns the string representation
2385 func (s GetSessionTokenOutput) String() string {
2386 return awsutil.Prettify(s)
2389 // GoString returns the string representation
2390 func (s GetSessionTokenOutput) GoString() string {
2394 // SetCredentials sets the Credentials field's value.
2395 func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput {