]> git.immae.eu Git - github/fretlink/terraform-provider-statuscake.git/blob - vendor/github.com/aws/aws-sdk-go/service/sts/api.go
update vendor and go.mod
[github/fretlink/terraform-provider-statuscake.git] / vendor / github.com / aws / aws-sdk-go / service / sts / api.go
1 // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
2
3 package sts
4
5 import (
6 "fmt"
7 "time"
8
9 "github.com/aws/aws-sdk-go/aws"
10 "github.com/aws/aws-sdk-go/aws/awsutil"
11 "github.com/aws/aws-sdk-go/aws/credentials"
12 "github.com/aws/aws-sdk-go/aws/request"
13 )
14
15 const opAssumeRole = "AssumeRole"
16
17 // AssumeRoleRequest generates a "aws/request.Request" representing the
18 // client's request for the AssumeRole operation. The "output" return
19 // value will be populated with the request's response once the request completes
20 // successfully.
21 //
22 // Use "Send" method on the returned Request to send the API call to the service.
23 // the "output" return value is not valid until after Send returns without error.
24 //
25 // See AssumeRole for more information on using the AssumeRole
26 // API call, and error handling.
27 //
28 // This method is useful when you want to inject custom logic or configuration
29 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
30 //
31 //
32 // // Example sending a request using the AssumeRoleRequest method.
33 // req, resp := client.AssumeRoleRequest(params)
34 //
35 // err := req.Send()
36 // if err == nil { // resp is now filled
37 // fmt.Println(resp)
38 // }
39 //
40 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
41 func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) {
42 op := &request.Operation{
43 Name: opAssumeRole,
44 HTTPMethod: "POST",
45 HTTPPath: "/",
46 }
47
48 if input == nil {
49 input = &AssumeRoleInput{}
50 }
51
52 output = &AssumeRoleOutput{}
53 req = c.newRequest(op, input, output)
54 return
55 }
56
57 // AssumeRole API operation for AWS Security Token Service.
58 //
59 // Returns a set of temporary security credentials that you can use to access
60 // AWS resources that you might not normally have access to. These temporary
61 // credentials consist of an access key ID, a secret access key, and a security
62 // token. Typically, you use AssumeRole within your account or for cross-account
63 // access. For a comparison of AssumeRole with other API operations that produce
64 // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
65 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
66 // in the IAM User Guide.
67 //
68 // You cannot use AWS account root user credentials to call AssumeRole. You
69 // must use credentials for an IAM user or an IAM role to call AssumeRole.
70 //
71 // For cross-account access, imagine that you own multiple accounts and need
72 // to access resources in each account. You could create long-term credentials
73 // in each account to access those resources. However, managing all those credentials
74 // and remembering which one can access which account can be time consuming.
75 // Instead, you can create one set of long-term credentials in one account.
76 // Then use temporary security credentials to access all the other accounts
77 // by assuming roles in those accounts. For more information about roles, see
78 // IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html)
79 // in the IAM User Guide.
80 //
81 // By default, the temporary security credentials created by AssumeRole last
82 // for one hour. However, you can use the optional DurationSeconds parameter
83 // to specify the duration of your session. You can provide a value from 900
84 // seconds (15 minutes) up to the maximum session duration setting for the role.
85 // This setting can have a value from 1 hour to 12 hours. To learn how to view
86 // the maximum value for your role, see View the Maximum Session Duration Setting
87 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
88 // in the IAM User Guide. The maximum session duration limit applies when you
89 // use the AssumeRole* API operations or the assume-role* CLI commands. However
90 // the limit does not apply when you use those operations to create a console
91 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
92 // in the IAM User Guide.
93 //
94 // The temporary security credentials created by AssumeRole can be used to make
95 // API calls to any AWS service with the following exception: You cannot call
96 // the AWS STS GetFederationToken or GetSessionToken API operations.
97 //
98 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
99 // to this operation. You can pass a single JSON policy document to use as an
100 // inline session policy. You can also specify up to 10 managed policies to
101 // use as managed session policies. The plain text that you use for both inline
102 // and managed session policies shouldn't exceed 2048 characters. Passing policies
103 // to this operation returns new temporary credentials. The resulting session's
104 // permissions are the intersection of the role's identity-based policy and
105 // the session policies. You can use the role's temporary credentials in subsequent
106 // AWS API calls to access resources in the account that owns the role. You
107 // cannot use session policies to grant more permissions than those allowed
108 // by the identity-based policy of the role that is being assumed. For more
109 // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
110 // in the IAM User Guide.
111 //
112 // To assume a role from a different account, your AWS account must be trusted
113 // by the role. The trust relationship is defined in the role's trust policy
114 // when the role is created. That trust policy states which accounts are allowed
115 // to delegate that access to users in the account.
116 //
117 // A user who wants to access a role in a different account must also have permissions
118 // that are delegated from the user account administrator. The administrator
119 // must attach a policy that allows the user to call AssumeRole for the ARN
120 // of the role in the other account. If the user is in the same account as the
121 // role, then you can do either of the following:
122 //
123 // * Attach a policy to the user (identical to the previous user in a different
124 // account).
125 //
126 // * Add the user as a principal directly in the role's trust policy.
127 //
128 // In this case, the trust policy acts as an IAM resource-based policy. Users
129 // in the same account as the role do not need explicit permission to assume
130 // the role. For more information about trust policies and resource-based policies,
131 // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
132 // in the IAM User Guide.
133 //
134 // Using MFA with AssumeRole
135 //
136 // (Optional) You can include multi-factor authentication (MFA) information
137 // when you call AssumeRole. This is useful for cross-account scenarios to ensure
138 // that the user that assumes the role has been authenticated with an AWS MFA
139 // device. In that scenario, the trust policy of the role being assumed includes
140 // a condition that tests for MFA authentication. If the caller does not include
141 // valid MFA information, the request to assume the role is denied. The condition
142 // in a trust policy that tests for MFA authentication might look like the following
143 // example.
144 //
145 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
146 //
147 // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
148 // in the IAM User Guide guide.
149 //
150 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
151 // parameters. The SerialNumber value identifies the user's hardware or virtual
152 // MFA device. The TokenCode is the time-based one-time password (TOTP) that
153 // the MFA device produces.
154 //
155 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
156 // with awserr.Error's Code and Message methods to get detailed information about
157 // the error.
158 //
159 // See the AWS API reference guide for AWS Security Token Service's
160 // API operation AssumeRole for usage and error information.
161 //
162 // Returned Error Codes:
163 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
164 // The request was rejected because the policy document was malformed. The error
165 // message describes the specific error.
166 //
167 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
168 // The request was rejected because the policy document was too large. The error
169 // message describes how big the policy document is, in packed form, as a percentage
170 // of what the API allows.
171 //
172 // * ErrCodeRegionDisabledException "RegionDisabledException"
173 // STS is not activated in the requested region for the account that is being
174 // asked to generate credentials. The account administrator must use the IAM
175 // console to activate STS in that region. For more information, see Activating
176 // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
177 // in the IAM User Guide.
178 //
179 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
180 func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
181 req, out := c.AssumeRoleRequest(input)
182 return out, req.Send()
183 }
184
185 // AssumeRoleWithContext is the same as AssumeRole with the addition of
186 // the ability to pass a context and additional request options.
187 //
188 // See AssumeRole for details on how to use this API operation.
189 //
190 // The context must be non-nil and will be used for request cancellation. If
191 // the context is nil a panic will occur. In the future the SDK may create
192 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
193 // for more information on using Contexts.
194 func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) {
195 req, out := c.AssumeRoleRequest(input)
196 req.SetContext(ctx)
197 req.ApplyOptions(opts...)
198 return out, req.Send()
199 }
200
201 const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
202
203 // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
204 // client's request for the AssumeRoleWithSAML operation. The "output" return
205 // value will be populated with the request's response once the request completes
206 // successfully.
207 //
208 // Use "Send" method on the returned Request to send the API call to the service.
209 // the "output" return value is not valid until after Send returns without error.
210 //
211 // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML
212 // API call, and error handling.
213 //
214 // This method is useful when you want to inject custom logic or configuration
215 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
216 //
217 //
218 // // Example sending a request using the AssumeRoleWithSAMLRequest method.
219 // req, resp := client.AssumeRoleWithSAMLRequest(params)
220 //
221 // err := req.Send()
222 // if err == nil { // resp is now filled
223 // fmt.Println(resp)
224 // }
225 //
226 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
227 func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) {
228 op := &request.Operation{
229 Name: opAssumeRoleWithSAML,
230 HTTPMethod: "POST",
231 HTTPPath: "/",
232 }
233
234 if input == nil {
235 input = &AssumeRoleWithSAMLInput{}
236 }
237
238 output = &AssumeRoleWithSAMLOutput{}
239 req = c.newRequest(op, input, output)
240 req.Config.Credentials = credentials.AnonymousCredentials
241 return
242 }
243
244 // AssumeRoleWithSAML API operation for AWS Security Token Service.
245 //
246 // Returns a set of temporary security credentials for users who have been authenticated
247 // via a SAML authentication response. This operation provides a mechanism for
248 // tying an enterprise identity store or directory to role-based AWS access
249 // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
250 // with the other API operations that produce temporary credentials, see Requesting
251 // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
252 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
253 // in the IAM User Guide.
254 //
255 // The temporary security credentials returned by this operation consist of
256 // an access key ID, a secret access key, and a security token. Applications
257 // can use these temporary security credentials to sign calls to AWS services.
258 //
259 // By default, the temporary security credentials created by AssumeRoleWithSAML
260 // last for one hour. However, you can use the optional DurationSeconds parameter
261 // to specify the duration of your session. Your role session lasts for the
262 // duration that you specify, or until the time specified in the SAML authentication
263 // response's SessionNotOnOrAfter value, whichever is shorter. You can provide
264 // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
265 // duration setting for the role. This setting can have a value from 1 hour
266 // to 12 hours. To learn how to view the maximum value for your role, see View
267 // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
268 // in the IAM User Guide. The maximum session duration limit applies when you
269 // use the AssumeRole* API operations or the assume-role* CLI commands. However
270 // the limit does not apply when you use those operations to create a console
271 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
272 // in the IAM User Guide.
273 //
274 // The temporary security credentials created by AssumeRoleWithSAML can be used
275 // to make API calls to any AWS service with the following exception: you cannot
276 // call the STS GetFederationToken or GetSessionToken API operations.
277 //
278 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
279 // to this operation. You can pass a single JSON policy document to use as an
280 // inline session policy. You can also specify up to 10 managed policies to
281 // use as managed session policies. The plain text that you use for both inline
282 // and managed session policies shouldn't exceed 2048 characters. Passing policies
283 // to this operation returns new temporary credentials. The resulting session's
284 // permissions are the intersection of the role's identity-based policy and
285 // the session policies. You can use the role's temporary credentials in subsequent
286 // AWS API calls to access resources in the account that owns the role. You
287 // cannot use session policies to grant more permissions than those allowed
288 // by the identity-based policy of the role that is being assumed. For more
289 // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
290 // in the IAM User Guide.
291 //
292 // Before your application can call AssumeRoleWithSAML, you must configure your
293 // SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
294 // you must use AWS Identity and Access Management (IAM) to create a SAML provider
295 // entity in your AWS account that represents your identity provider. You must
296 // also create an IAM role that specifies this SAML provider in its trust policy.
297 //
298 // Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
299 // The identity of the caller is validated by using keys in the metadata document
300 // that is uploaded for the SAML provider entity for your identity provider.
301 //
302 // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
303 // logs. The entry includes the value in the NameID element of the SAML assertion.
304 // We recommend that you use a NameIDType that is not associated with any personally
305 // identifiable information (PII). For example, you could instead use the Persistent
306 // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
307 //
308 // For more information, see the following resources:
309 //
310 // * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
311 // in the IAM User Guide.
312 //
313 // * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
314 // in the IAM User Guide.
315 //
316 // * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
317 // in the IAM User Guide.
318 //
319 // * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
320 // in the IAM User Guide.
321 //
322 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
323 // with awserr.Error's Code and Message methods to get detailed information about
324 // the error.
325 //
326 // See the AWS API reference guide for AWS Security Token Service's
327 // API operation AssumeRoleWithSAML for usage and error information.
328 //
329 // Returned Error Codes:
330 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
331 // The request was rejected because the policy document was malformed. The error
332 // message describes the specific error.
333 //
334 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
335 // The request was rejected because the policy document was too large. The error
336 // message describes how big the policy document is, in packed form, as a percentage
337 // of what the API allows.
338 //
339 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
340 // The identity provider (IdP) reported that authentication failed. This might
341 // be because the claim is invalid.
342 //
343 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
344 // can also mean that the claim has expired or has been explicitly revoked.
345 //
346 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
347 // The web identity token that was passed could not be validated by AWS. Get
348 // a new identity token from the identity provider and then retry the request.
349 //
350 // * ErrCodeExpiredTokenException "ExpiredTokenException"
351 // The web identity token that was passed is expired or is not valid. Get a
352 // new identity token from the identity provider and then retry the request.
353 //
354 // * ErrCodeRegionDisabledException "RegionDisabledException"
355 // STS is not activated in the requested region for the account that is being
356 // asked to generate credentials. The account administrator must use the IAM
357 // console to activate STS in that region. For more information, see Activating
358 // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
359 // in the IAM User Guide.
360 //
361 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
362 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
363 req, out := c.AssumeRoleWithSAMLRequest(input)
364 return out, req.Send()
365 }
366
367 // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of
368 // the ability to pass a context and additional request options.
369 //
370 // See AssumeRoleWithSAML for details on how to use this API operation.
371 //
372 // The context must be non-nil and will be used for request cancellation. If
373 // the context is nil a panic will occur. In the future the SDK may create
374 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
375 // for more information on using Contexts.
376 func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) {
377 req, out := c.AssumeRoleWithSAMLRequest(input)
378 req.SetContext(ctx)
379 req.ApplyOptions(opts...)
380 return out, req.Send()
381 }
382
383 const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
384
385 // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
386 // client's request for the AssumeRoleWithWebIdentity operation. The "output" return
387 // value will be populated with the request's response once the request completes
388 // successfully.
389 //
390 // Use "Send" method on the returned Request to send the API call to the service.
391 // the "output" return value is not valid until after Send returns without error.
392 //
393 // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity
394 // API call, and error handling.
395 //
396 // This method is useful when you want to inject custom logic or configuration
397 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
398 //
399 //
400 // // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
401 // req, resp := client.AssumeRoleWithWebIdentityRequest(params)
402 //
403 // err := req.Send()
404 // if err == nil { // resp is now filled
405 // fmt.Println(resp)
406 // }
407 //
408 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
409 func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) {
410 op := &request.Operation{
411 Name: opAssumeRoleWithWebIdentity,
412 HTTPMethod: "POST",
413 HTTPPath: "/",
414 }
415
416 if input == nil {
417 input = &AssumeRoleWithWebIdentityInput{}
418 }
419
420 output = &AssumeRoleWithWebIdentityOutput{}
421 req = c.newRequest(op, input, output)
422 req.Config.Credentials = credentials.AnonymousCredentials
423 return
424 }
425
426 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
427 //
428 // Returns a set of temporary security credentials for users who have been authenticated
429 // in a mobile or web application with a web identity provider. Example providers
430 // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID
431 // Connect-compatible identity provider.
432 //
433 // For mobile applications, we recommend that you use Amazon Cognito. You can
434 // use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/)
435 // and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/)
436 // to uniquely identify a user. You can also supply the user with a consistent
437 // identity throughout the lifetime of an application.
438 //
439 // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
440 // in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
441 // in the AWS SDK for iOS Developer Guide.
442 //
443 // Calling AssumeRoleWithWebIdentity does not require the use of AWS security
444 // credentials. Therefore, you can distribute an application (for example, on
445 // mobile devices) that requests temporary security credentials without including
446 // long-term AWS credentials in the application. You also don't need to deploy
447 // server-based proxy services that use long-term AWS credentials. Instead,
448 // the identity of the caller is validated by using a token from the web identity
449 // provider. For a comparison of AssumeRoleWithWebIdentity with the other API
450 // operations that produce temporary credentials, see Requesting Temporary Security
451 // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
452 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
453 // in the IAM User Guide.
454 //
455 // The temporary security credentials returned by this API consist of an access
456 // key ID, a secret access key, and a security token. Applications can use these
457 // temporary security credentials to sign calls to AWS service API operations.
458 //
459 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
460 // last for one hour. However, you can use the optional DurationSeconds parameter
461 // to specify the duration of your session. You can provide a value from 900
462 // seconds (15 minutes) up to the maximum session duration setting for the role.
463 // This setting can have a value from 1 hour to 12 hours. To learn how to view
464 // the maximum value for your role, see View the Maximum Session Duration Setting
465 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
466 // in the IAM User Guide. The maximum session duration limit applies when you
467 // use the AssumeRole* API operations or the assume-role* CLI commands. However
468 // the limit does not apply when you use those operations to create a console
469 // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
470 // in the IAM User Guide.
471 //
472 // The temporary security credentials created by AssumeRoleWithWebIdentity can
473 // be used to make API calls to any AWS service with the following exception:
474 // you cannot call the STS GetFederationToken or GetSessionToken API operations.
475 //
476 // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
477 // to this operation. You can pass a single JSON policy document to use as an
478 // inline session policy. You can also specify up to 10 managed policies to
479 // use as managed session policies. The plain text that you use for both inline
480 // and managed session policies shouldn't exceed 2048 characters. Passing policies
481 // to this operation returns new temporary credentials. The resulting session's
482 // permissions are the intersection of the role's identity-based policy and
483 // the session policies. You can use the role's temporary credentials in subsequent
484 // AWS API calls to access resources in the account that owns the role. You
485 // cannot use session policies to grant more permissions than those allowed
486 // by the identity-based policy of the role that is being assumed. For more
487 // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
488 // in the IAM User Guide.
489 //
490 // Before your application can call AssumeRoleWithWebIdentity, you must have
491 // an identity token from a supported identity provider and create a role that
492 // the application can assume. The role that your application assumes must trust
493 // the identity provider that is associated with the identity token. In other
494 // words, the identity provider must be specified in the role's trust policy.
495 //
496 // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
497 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
498 // of the provided Web Identity Token. We recommend that you avoid using any
499 // personally identifiable information (PII) in this field. For example, you
500 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
501 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
502 //
503 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
504 // API, see the following resources:
505 //
506 // * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
507 // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
508 //
509 // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
510 // Walk through the process of authenticating through Login with Amazon,
511 // Facebook, or Google, getting temporary security credentials, and then
512 // using those credentials to make a request to AWS.
513 //
514 // * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and
515 // AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
516 // These toolkits contain sample apps that show how to invoke the identity
517 // providers, and then how to use the information from these providers to
518 // get and use temporary security credentials.
519 //
520 // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
521 // This article discusses web identity federation and shows an example of
522 // how to use web identity federation to get access to content in Amazon
523 // S3.
524 //
525 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
526 // with awserr.Error's Code and Message methods to get detailed information about
527 // the error.
528 //
529 // See the AWS API reference guide for AWS Security Token Service's
530 // API operation AssumeRoleWithWebIdentity for usage and error information.
531 //
532 // Returned Error Codes:
533 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
534 // The request was rejected because the policy document was malformed. The error
535 // message describes the specific error.
536 //
537 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
538 // The request was rejected because the policy document was too large. The error
539 // message describes how big the policy document is, in packed form, as a percentage
540 // of what the API allows.
541 //
542 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
543 // The identity provider (IdP) reported that authentication failed. This might
544 // be because the claim is invalid.
545 //
546 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
547 // can also mean that the claim has expired or has been explicitly revoked.
548 //
549 // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
550 // The request could not be fulfilled because the non-AWS identity provider
551 // (IDP) that was asked to verify the incoming identity token could not be reached.
552 // This is often a transient error caused by network conditions. Retry the request
553 // a limited number of times so that you don't exceed the request rate. If the
554 // error persists, the non-AWS identity provider might be down or not responding.
555 //
556 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
557 // The web identity token that was passed could not be validated by AWS. Get
558 // a new identity token from the identity provider and then retry the request.
559 //
560 // * ErrCodeExpiredTokenException "ExpiredTokenException"
561 // The web identity token that was passed is expired or is not valid. Get a
562 // new identity token from the identity provider and then retry the request.
563 //
564 // * ErrCodeRegionDisabledException "RegionDisabledException"
565 // STS is not activated in the requested region for the account that is being
566 // asked to generate credentials. The account administrator must use the IAM
567 // console to activate STS in that region. For more information, see Activating
568 // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
569 // in the IAM User Guide.
570 //
571 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
572 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
573 req, out := c.AssumeRoleWithWebIdentityRequest(input)
574 return out, req.Send()
575 }
576
577 // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of
578 // the ability to pass a context and additional request options.
579 //
580 // See AssumeRoleWithWebIdentity for details on how to use this API operation.
581 //
582 // The context must be non-nil and will be used for request cancellation. If
583 // the context is nil a panic will occur. In the future the SDK may create
584 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
585 // for more information on using Contexts.
586 func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) {
587 req, out := c.AssumeRoleWithWebIdentityRequest(input)
588 req.SetContext(ctx)
589 req.ApplyOptions(opts...)
590 return out, req.Send()
591 }
592
593 const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
594
595 // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
596 // client's request for the DecodeAuthorizationMessage operation. The "output" return
597 // value will be populated with the request's response once the request completes
598 // successfully.
599 //
600 // Use "Send" method on the returned Request to send the API call to the service.
601 // the "output" return value is not valid until after Send returns without error.
602 //
603 // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage
604 // API call, and error handling.
605 //
606 // This method is useful when you want to inject custom logic or configuration
607 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
608 //
609 //
610 // // Example sending a request using the DecodeAuthorizationMessageRequest method.
611 // req, resp := client.DecodeAuthorizationMessageRequest(params)
612 //
613 // err := req.Send()
614 // if err == nil { // resp is now filled
615 // fmt.Println(resp)
616 // }
617 //
618 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
619 func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) {
620 op := &request.Operation{
621 Name: opDecodeAuthorizationMessage,
622 HTTPMethod: "POST",
623 HTTPPath: "/",
624 }
625
626 if input == nil {
627 input = &DecodeAuthorizationMessageInput{}
628 }
629
630 output = &DecodeAuthorizationMessageOutput{}
631 req = c.newRequest(op, input, output)
632 return
633 }
634
635 // DecodeAuthorizationMessage API operation for AWS Security Token Service.
636 //
637 // Decodes additional information about the authorization status of a request
638 // from an encoded message returned in response to an AWS request.
639 //
640 // For example, if a user is not authorized to perform an operation that he
641 // or she has requested, the request returns a Client.UnauthorizedOperation
642 // response (an HTTP 403 response). Some AWS operations additionally return
643 // an encoded message that can provide details about this authorization failure.
644 //
645 // Only certain AWS operations return an encoded authorization message. The
646 // documentation for an individual operation indicates whether that operation
647 // returns an encoded message in addition to returning an HTTP code.
648 //
649 // The message is encoded because the details of the authorization status can
650 // constitute privileged information that the user who requested the operation
651 // should not see. To decode an authorization status message, a user must be
652 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
653 // (sts:DecodeAuthorizationMessage) action.
654 //
655 // The decoded message includes the following type of information:
656 //
657 // * Whether the request was denied due to an explicit deny or due to the
658 // absence of an explicit allow. For more information, see Determining Whether
659 // a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
660 // in the IAM User Guide.
661 //
662 // * The principal who made the request.
663 //
664 // * The requested action.
665 //
666 // * The requested resource.
667 //
668 // * The values of condition keys in the context of the user's request.
669 //
670 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
671 // with awserr.Error's Code and Message methods to get detailed information about
672 // the error.
673 //
674 // See the AWS API reference guide for AWS Security Token Service's
675 // API operation DecodeAuthorizationMessage for usage and error information.
676 //
677 // Returned Error Codes:
678 // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
679 // The error returned if the message passed to DecodeAuthorizationMessage was
680 // invalid. This can happen if the token contains invalid characters, such as
681 // linebreaks.
682 //
683 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
684 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
685 req, out := c.DecodeAuthorizationMessageRequest(input)
686 return out, req.Send()
687 }
688
689 // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of
690 // the ability to pass a context and additional request options.
691 //
692 // See DecodeAuthorizationMessage for details on how to use this API operation.
693 //
694 // The context must be non-nil and will be used for request cancellation. If
695 // the context is nil a panic will occur. In the future the SDK may create
696 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
697 // for more information on using Contexts.
698 func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) {
699 req, out := c.DecodeAuthorizationMessageRequest(input)
700 req.SetContext(ctx)
701 req.ApplyOptions(opts...)
702 return out, req.Send()
703 }
704
705 const opGetAccessKeyInfo = "GetAccessKeyInfo"
706
707 // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the
708 // client's request for the GetAccessKeyInfo operation. The "output" return
709 // value will be populated with the request's response once the request completes
710 // successfully.
711 //
712 // Use "Send" method on the returned Request to send the API call to the service.
713 // the "output" return value is not valid until after Send returns without error.
714 //
715 // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo
716 // API call, and error handling.
717 //
718 // This method is useful when you want to inject custom logic or configuration
719 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
720 //
721 //
722 // // Example sending a request using the GetAccessKeyInfoRequest method.
723 // req, resp := client.GetAccessKeyInfoRequest(params)
724 //
725 // err := req.Send()
726 // if err == nil { // resp is now filled
727 // fmt.Println(resp)
728 // }
729 //
730 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
731 func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) {
732 op := &request.Operation{
733 Name: opGetAccessKeyInfo,
734 HTTPMethod: "POST",
735 HTTPPath: "/",
736 }
737
738 if input == nil {
739 input = &GetAccessKeyInfoInput{}
740 }
741
742 output = &GetAccessKeyInfoOutput{}
743 req = c.newRequest(op, input, output)
744 return
745 }
746
747 // GetAccessKeyInfo API operation for AWS Security Token Service.
748 //
749 // Returns the account identifier for the specified access key ID.
750 //
751 // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE)
752 // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY).
753 // For more information about access keys, see Managing Access Keys for IAM
754 // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
755 // in the IAM User Guide.
756 //
757 // When you pass an access key ID to this operation, it returns the ID of the
758 // AWS account to which the keys belong. Access key IDs beginning with AKIA
759 // are long-term credentials for an IAM user or the AWS account root user. Access
760 // key IDs beginning with ASIA are temporary credentials that are created using
761 // STS operations. If the account in the response belongs to you, you can sign
762 // in as the root user and review your root user access keys. Then, you can
763 // pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report)
764 // to learn which IAM user owns the keys. To learn who requested the temporary
765 // credentials for an ASIA access key, view the STS events in your CloudTrail
766 // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration).
767 //
768 // This operation does not indicate the state of the access key. The key might
769 // be active, inactive, or deleted. Active keys might not have permissions to
770 // perform an operation. Providing a deleted keys might return an error that
771 // the key doesn't exist.
772 //
773 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
774 // with awserr.Error's Code and Message methods to get detailed information about
775 // the error.
776 //
777 // See the AWS API reference guide for AWS Security Token Service's
778 // API operation GetAccessKeyInfo for usage and error information.
779 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo
780 func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) {
781 req, out := c.GetAccessKeyInfoRequest(input)
782 return out, req.Send()
783 }
784
785 // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of
786 // the ability to pass a context and additional request options.
787 //
788 // See GetAccessKeyInfo for details on how to use this API operation.
789 //
790 // The context must be non-nil and will be used for request cancellation. If
791 // the context is nil a panic will occur. In the future the SDK may create
792 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
793 // for more information on using Contexts.
794 func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) {
795 req, out := c.GetAccessKeyInfoRequest(input)
796 req.SetContext(ctx)
797 req.ApplyOptions(opts...)
798 return out, req.Send()
799 }
800
801 const opGetCallerIdentity = "GetCallerIdentity"
802
803 // GetCallerIdentityRequest generates a "aws/request.Request" representing the
804 // client's request for the GetCallerIdentity operation. The "output" return
805 // value will be populated with the request's response once the request completes
806 // successfully.
807 //
808 // Use "Send" method on the returned Request to send the API call to the service.
809 // the "output" return value is not valid until after Send returns without error.
810 //
811 // See GetCallerIdentity for more information on using the GetCallerIdentity
812 // API call, and error handling.
813 //
814 // This method is useful when you want to inject custom logic or configuration
815 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
816 //
817 //
818 // // Example sending a request using the GetCallerIdentityRequest method.
819 // req, resp := client.GetCallerIdentityRequest(params)
820 //
821 // err := req.Send()
822 // if err == nil { // resp is now filled
823 // fmt.Println(resp)
824 // }
825 //
826 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
827 func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) {
828 op := &request.Operation{
829 Name: opGetCallerIdentity,
830 HTTPMethod: "POST",
831 HTTPPath: "/",
832 }
833
834 if input == nil {
835 input = &GetCallerIdentityInput{}
836 }
837
838 output = &GetCallerIdentityOutput{}
839 req = c.newRequest(op, input, output)
840 return
841 }
842
843 // GetCallerIdentity API operation for AWS Security Token Service.
844 //
845 // Returns details about the IAM identity whose credentials are used to call
846 // the API.
847 //
848 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
849 // with awserr.Error's Code and Message methods to get detailed information about
850 // the error.
851 //
852 // See the AWS API reference guide for AWS Security Token Service's
853 // API operation GetCallerIdentity for usage and error information.
854 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
855 func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
856 req, out := c.GetCallerIdentityRequest(input)
857 return out, req.Send()
858 }
859
860 // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of
861 // the ability to pass a context and additional request options.
862 //
863 // See GetCallerIdentity for details on how to use this API operation.
864 //
865 // The context must be non-nil and will be used for request cancellation. If
866 // the context is nil a panic will occur. In the future the SDK may create
867 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
868 // for more information on using Contexts.
869 func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) {
870 req, out := c.GetCallerIdentityRequest(input)
871 req.SetContext(ctx)
872 req.ApplyOptions(opts...)
873 return out, req.Send()
874 }
875
876 const opGetFederationToken = "GetFederationToken"
877
878 // GetFederationTokenRequest generates a "aws/request.Request" representing the
879 // client's request for the GetFederationToken operation. The "output" return
880 // value will be populated with the request's response once the request completes
881 // successfully.
882 //
883 // Use "Send" method on the returned Request to send the API call to the service.
884 // the "output" return value is not valid until after Send returns without error.
885 //
886 // See GetFederationToken for more information on using the GetFederationToken
887 // API call, and error handling.
888 //
889 // This method is useful when you want to inject custom logic or configuration
890 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
891 //
892 //
893 // // Example sending a request using the GetFederationTokenRequest method.
894 // req, resp := client.GetFederationTokenRequest(params)
895 //
896 // err := req.Send()
897 // if err == nil { // resp is now filled
898 // fmt.Println(resp)
899 // }
900 //
901 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
902 func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) {
903 op := &request.Operation{
904 Name: opGetFederationToken,
905 HTTPMethod: "POST",
906 HTTPPath: "/",
907 }
908
909 if input == nil {
910 input = &GetFederationTokenInput{}
911 }
912
913 output = &GetFederationTokenOutput{}
914 req = c.newRequest(op, input, output)
915 return
916 }
917
918 // GetFederationToken API operation for AWS Security Token Service.
919 //
920 // Returns a set of temporary security credentials (consisting of an access
921 // key ID, a secret access key, and a security token) for a federated user.
922 // A typical use is in a proxy application that gets temporary security credentials
923 // on behalf of distributed applications inside a corporate network. You must
924 // call the GetFederationToken operation using the long-term security credentials
925 // of an IAM user. As a result, this call is appropriate in contexts where those
926 // credentials can be safely stored, usually in a server-based application.
927 // For a comparison of GetFederationToken with the other API operations that
928 // produce temporary credentials, see Requesting Temporary Security Credentials
929 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
930 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
931 // in the IAM User Guide.
932 //
933 // You can create a mobile-based or browser-based app that can authenticate
934 // users using a web identity provider like Login with Amazon, Facebook, Google,
935 // or an OpenID Connect-compatible identity provider. In this case, we recommend
936 // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
937 // For more information, see Federation Through a Web-based Identity Provider
938 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
939 //
940 // You can also call GetFederationToken using the security credentials of an
941 // AWS account root user, but we do not recommend it. Instead, we recommend
942 // that you create an IAM user for the purpose of the proxy application. Then
943 // attach a policy to the IAM user that limits federated users to only the actions
944 // and resources that they need to access. For more information, see IAM Best
945 // Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
946 // in the IAM User Guide.
947 //
948 // The temporary credentials are valid for the specified duration, from 900
949 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default
950 // is 43,200 seconds (12 hours). Temporary credentials that are obtained by
951 // using AWS account root user credentials have a maximum duration of 3,600
952 // seconds (1 hour).
953 //
954 // The temporary security credentials created by GetFederationToken can be used
955 // to make API calls to any AWS service with the following exceptions:
956 //
957 // * You cannot use these credentials to call any IAM API operations.
958 //
959 // * You cannot call any STS API operations except GetCallerIdentity.
960 //
961 // Permissions
962 //
963 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
964 // to this operation. You can pass a single JSON policy document to use as an
965 // inline session policy. You can also specify up to 10 managed policies to
966 // use as managed session policies. The plain text that you use for both inline
967 // and managed session policies shouldn't exceed 2048 characters.
968 //
969 // Though the session policy parameters are optional, if you do not pass a policy,
970 // then the resulting federated user session has no permissions. The only exception
971 // is when the credentials are used to access a resource that has a resource-based
972 // policy that specifically references the federated user session in the Principal
973 // element of the policy. When you pass session policies, the session permissions
974 // are the intersection of the IAM user policies and the session policies that
975 // you pass. This gives you a way to further restrict the permissions for a
976 // federated user. You cannot use session policies to grant more permissions
977 // than those that are defined in the permissions policy of the IAM user. For
978 // more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
979 // in the IAM User Guide. For information about using GetFederationToken to
980 // create temporary security credentials, see GetFederationToken—Federation
981 // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
982 //
983 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
984 // with awserr.Error's Code and Message methods to get detailed information about
985 // the error.
986 //
987 // See the AWS API reference guide for AWS Security Token Service's
988 // API operation GetFederationToken for usage and error information.
989 //
990 // Returned Error Codes:
991 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
992 // The request was rejected because the policy document was malformed. The error
993 // message describes the specific error.
994 //
995 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
996 // The request was rejected because the policy document was too large. The error
997 // message describes how big the policy document is, in packed form, as a percentage
998 // of what the API allows.
999 //
1000 // * ErrCodeRegionDisabledException "RegionDisabledException"
1001 // STS is not activated in the requested region for the account that is being
1002 // asked to generate credentials. The account administrator must use the IAM
1003 // console to activate STS in that region. For more information, see Activating
1004 // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
1005 // in the IAM User Guide.
1006 //
1007 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
1008 func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
1009 req, out := c.GetFederationTokenRequest(input)
1010 return out, req.Send()
1011 }
1012
1013 // GetFederationTokenWithContext is the same as GetFederationToken with the addition of
1014 // the ability to pass a context and additional request options.
1015 //
1016 // See GetFederationToken for details on how to use this API operation.
1017 //
1018 // The context must be non-nil and will be used for request cancellation. If
1019 // the context is nil a panic will occur. In the future the SDK may create
1020 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
1021 // for more information on using Contexts.
1022 func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) {
1023 req, out := c.GetFederationTokenRequest(input)
1024 req.SetContext(ctx)
1025 req.ApplyOptions(opts...)
1026 return out, req.Send()
1027 }
1028
1029 const opGetSessionToken = "GetSessionToken"
1030
1031 // GetSessionTokenRequest generates a "aws/request.Request" representing the
1032 // client's request for the GetSessionToken operation. The "output" return
1033 // value will be populated with the request's response once the request completes
1034 // successfully.
1035 //
1036 // Use "Send" method on the returned Request to send the API call to the service.
1037 // the "output" return value is not valid until after Send returns without error.
1038 //
1039 // See GetSessionToken for more information on using the GetSessionToken
1040 // API call, and error handling.
1041 //
1042 // This method is useful when you want to inject custom logic or configuration
1043 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
1044 //
1045 //
1046 // // Example sending a request using the GetSessionTokenRequest method.
1047 // req, resp := client.GetSessionTokenRequest(params)
1048 //
1049 // err := req.Send()
1050 // if err == nil { // resp is now filled
1051 // fmt.Println(resp)
1052 // }
1053 //
1054 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
1055 func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) {
1056 op := &request.Operation{
1057 Name: opGetSessionToken,
1058 HTTPMethod: "POST",
1059 HTTPPath: "/",
1060 }
1061
1062 if input == nil {
1063 input = &GetSessionTokenInput{}
1064 }
1065
1066 output = &GetSessionTokenOutput{}
1067 req = c.newRequest(op, input, output)
1068 return
1069 }
1070
1071 // GetSessionToken API operation for AWS Security Token Service.
1072 //
1073 // Returns a set of temporary credentials for an AWS account or IAM user. The
1074 // credentials consist of an access key ID, a secret access key, and a security
1075 // token. Typically, you use GetSessionToken if you want to use MFA to protect
1076 // programmatic calls to specific AWS API operations like Amazon EC2 StopInstances.
1077 // MFA-enabled IAM users would need to call GetSessionToken and submit an MFA
1078 // code that is associated with their MFA device. Using the temporary security
1079 // credentials that are returned from the call, IAM users can then make programmatic
1080 // calls to API operations that require MFA authentication. If you do not supply
1081 // a correct MFA code, then the API returns an access denied error. For a comparison
1082 // of GetSessionToken with the other API operations that produce temporary credentials,
1083 // see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
1084 // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
1085 // in the IAM User Guide.
1086 //
1087 // The GetSessionToken operation must be called by using the long-term AWS security
1088 // credentials of the AWS account root user or an IAM user. Credentials that
1089 // are created by IAM users are valid for the duration that you specify. This
1090 // duration can range from 900 seconds (15 minutes) up to a maximum of 129,600
1091 // seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials
1092 // based on account credentials can range from 900 seconds (15 minutes) up to
1093 // 3,600 seconds (1 hour), with a default of 1 hour.
1094 //
1095 // The temporary security credentials created by GetSessionToken can be used
1096 // to make API calls to any AWS service with the following exceptions:
1097 //
1098 // * You cannot call any IAM API operations unless MFA authentication information
1099 // is included in the request.
1100 //
1101 // * You cannot call any STS API except AssumeRole or GetCallerIdentity.
1102 //
1103 // We recommend that you do not call GetSessionToken with AWS account root user
1104 // credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
1105 // by creating one or more IAM users, giving them the necessary permissions,
1106 // and using IAM users for everyday interaction with AWS.
1107 //
1108 // The credentials that are returned by GetSessionToken are based on permissions
1109 // associated with the user whose credentials were used to call the operation.
1110 // If GetSessionToken is called using AWS account root user credentials, the
1111 // temporary credentials have root user permissions. Similarly, if GetSessionToken
1112 // is called using the credentials of an IAM user, the temporary credentials
1113 // have the same permissions as the IAM user.
1114 //
1115 // For more information about using GetSessionToken to create temporary credentials,
1116 // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
1117 // in the IAM User Guide.
1118 //
1119 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1120 // with awserr.Error's Code and Message methods to get detailed information about
1121 // the error.
1122 //
1123 // See the AWS API reference guide for AWS Security Token Service's
1124 // API operation GetSessionToken for usage and error information.
1125 //
1126 // Returned Error Codes:
1127 // * ErrCodeRegionDisabledException "RegionDisabledException"
1128 // STS is not activated in the requested region for the account that is being
1129 // asked to generate credentials. The account administrator must use the IAM
1130 // console to activate STS in that region. For more information, see Activating
1131 // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
1132 // in the IAM User Guide.
1133 //
1134 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
1135 func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
1136 req, out := c.GetSessionTokenRequest(input)
1137 return out, req.Send()
1138 }
1139
1140 // GetSessionTokenWithContext is the same as GetSessionToken with the addition of
1141 // the ability to pass a context and additional request options.
1142 //
1143 // See GetSessionToken for details on how to use this API operation.
1144 //
1145 // The context must be non-nil and will be used for request cancellation. If
1146 // the context is nil a panic will occur. In the future the SDK may create
1147 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
1148 // for more information on using Contexts.
1149 func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) {
1150 req, out := c.GetSessionTokenRequest(input)
1151 req.SetContext(ctx)
1152 req.ApplyOptions(opts...)
1153 return out, req.Send()
1154 }
1155
1156 type AssumeRoleInput struct {
1157 _ struct{} `type:"structure"`
1158
1159 // The duration, in seconds, of the role session. The value can range from 900
1160 // seconds (15 minutes) up to the maximum session duration setting for the role.
1161 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1162 // higher than this setting, the operation fails. For example, if you specify
1163 // a session duration of 12 hours, but your administrator set the maximum session
1164 // duration to 6 hours, your operation fails. To learn how to view the maximum
1165 // value for your role, see View the Maximum Session Duration Setting for a
1166 // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1167 // in the IAM User Guide.
1168 //
1169 // By default, the value is set to 3600 seconds.
1170 //
1171 // The DurationSeconds parameter is separate from the duration of a console
1172 // session that you might request using the returned credentials. The request
1173 // to the federation endpoint for a console sign-in token takes a SessionDuration
1174 // parameter that specifies the maximum length of the console session. For more
1175 // information, see Creating a URL that Enables Federated Users to Access the
1176 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1177 // in the IAM User Guide.
1178 DurationSeconds *int64 `min:"900" type:"integer"`
1179
1180 // A unique identifier that might be required when you assume a role in another
1181 // account. If the administrator of the account to which the role belongs provided
1182 // you with an external ID, then provide that value in the ExternalId parameter.
1183 // This value can be any string, such as a passphrase or account number. A cross-account
1184 // role is usually set up to trust everyone in an account. Therefore, the administrator
1185 // of the trusting account might send an external ID to the administrator of
1186 // the trusted account. That way, only someone with the ID can assume the role,
1187 // rather than everyone in the account. For more information about the external
1188 // ID, see How to Use an External ID When Granting Access to Your AWS Resources
1189 // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
1190 // in the IAM User Guide.
1191 //
1192 // The regex used to validate this parameter is a string of characters consisting
1193 // of upper- and lower-case alphanumeric characters with no spaces. You can
1194 // also include underscores or any of the following characters: =,.@:/-
1195 ExternalId *string `min:"2" type:"string"`
1196
1197 // An IAM policy in JSON format that you want to use as an inline session policy.
1198 //
1199 // This parameter is optional. Passing policies to this operation returns new
1200 // temporary credentials. The resulting session's permissions are the intersection
1201 // of the role's identity-based policy and the session policies. You can use
1202 // the role's temporary credentials in subsequent AWS API calls to access resources
1203 // in the account that owns the role. You cannot use session policies to grant
1204 // more permissions than those allowed by the identity-based policy of the role
1205 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1206 // in the IAM User Guide.
1207 //
1208 // The plain text that you use for both inline and managed session policies
1209 // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
1210 // character from the space character to the end of the valid character list
1211 // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1212 // and carriage return (\u000D) characters.
1213 //
1214 // The characters in this parameter count towards the 2048 character session
1215 // policy guideline. However, an AWS conversion compresses the session policies
1216 // into a packed binary format that has a separate limit. This is the enforced
1217 // limit. The PackedPolicySize response element indicates by percentage how
1218 // close the policy is to the upper size limit.
1219 Policy *string `min:"1" type:"string"`
1220
1221 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
1222 // to use as managed session policies. The policies must exist in the same account
1223 // as the role.
1224 //
1225 // This parameter is optional. You can provide up to 10 managed policy ARNs.
1226 // However, the plain text that you use for both inline and managed session
1227 // policies shouldn't exceed 2048 characters. For more information about ARNs,
1228 // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
1229 // in the AWS General Reference.
1230 //
1231 // The characters in this parameter count towards the 2048 character session
1232 // policy guideline. However, an AWS conversion compresses the session policies
1233 // into a packed binary format that has a separate limit. This is the enforced
1234 // limit. The PackedPolicySize response element indicates by percentage how
1235 // close the policy is to the upper size limit.
1236 //
1237 // Passing policies to this operation returns new temporary credentials. The
1238 // resulting session's permissions are the intersection of the role's identity-based
1239 // policy and the session policies. You can use the role's temporary credentials
1240 // in subsequent AWS API calls to access resources in the account that owns
1241 // the role. You cannot use session policies to grant more permissions than
1242 // those allowed by the identity-based policy of the role that is being assumed.
1243 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1244 // in the IAM User Guide.
1245 PolicyArns []*PolicyDescriptorType `type:"list"`
1246
1247 // The Amazon Resource Name (ARN) of the role to assume.
1248 //
1249 // RoleArn is a required field
1250 RoleArn *string `min:"20" type:"string" required:"true"`
1251
1252 // An identifier for the assumed role session.
1253 //
1254 // Use the role session name to uniquely identify a session when the same role
1255 // is assumed by different principals or for different reasons. In cross-account
1256 // scenarios, the role session name is visible to, and can be logged by the
1257 // account that owns the role. The role session name is also used in the ARN
1258 // of the assumed role principal. This means that subsequent cross-account API
1259 // requests that use the temporary security credentials will expose the role
1260 // session name to the external account in their AWS CloudTrail logs.
1261 //
1262 // The regex used to validate this parameter is a string of characters consisting
1263 // of upper- and lower-case alphanumeric characters with no spaces. You can
1264 // also include underscores or any of the following characters: =,.@-
1265 //
1266 // RoleSessionName is a required field
1267 RoleSessionName *string `min:"2" type:"string" required:"true"`
1268
1269 // The identification number of the MFA device that is associated with the user
1270 // who is making the AssumeRole call. Specify this value if the trust policy
1271 // of the role being assumed includes a condition that requires MFA authentication.
1272 // The value is either the serial number for a hardware device (such as GAHT12345678)
1273 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
1274 //
1275 // The regex used to validate this parameter is a string of characters consisting
1276 // of upper- and lower-case alphanumeric characters with no spaces. You can
1277 // also include underscores or any of the following characters: =,.@-
1278 SerialNumber *string `min:"9" type:"string"`
1279
1280 // The value provided by the MFA device, if the trust policy of the role being
1281 // assumed requires MFA (that is, if the policy includes a condition that tests
1282 // for MFA). If the role being assumed requires MFA and if the TokenCode value
1283 // is missing or expired, the AssumeRole call returns an "access denied" error.
1284 //
1285 // The format for this parameter, as described by its regex pattern, is a sequence
1286 // of six numeric digits.
1287 TokenCode *string `min:"6" type:"string"`
1288 }
1289
1290 // String returns the string representation
1291 func (s AssumeRoleInput) String() string {
1292 return awsutil.Prettify(s)
1293 }
1294
1295 // GoString returns the string representation
1296 func (s AssumeRoleInput) GoString() string {
1297 return s.String()
1298 }
1299
1300 // Validate inspects the fields of the type to determine if they are valid.
1301 func (s *AssumeRoleInput) Validate() error {
1302 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"}
1303 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1304 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1305 }
1306 if s.ExternalId != nil && len(*s.ExternalId) < 2 {
1307 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2))
1308 }
1309 if s.Policy != nil && len(*s.Policy) < 1 {
1310 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1311 }
1312 if s.RoleArn == nil {
1313 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1314 }
1315 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1316 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1317 }
1318 if s.RoleSessionName == nil {
1319 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1320 }
1321 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1322 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1323 }
1324 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
1325 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
1326 }
1327 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
1328 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
1329 }
1330 if s.PolicyArns != nil {
1331 for i, v := range s.PolicyArns {
1332 if v == nil {
1333 continue
1334 }
1335 if err := v.Validate(); err != nil {
1336 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
1337 }
1338 }
1339 }
1340
1341 if invalidParams.Len() > 0 {
1342 return invalidParams
1343 }
1344 return nil
1345 }
1346
1347 // SetDurationSeconds sets the DurationSeconds field's value.
1348 func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput {
1349 s.DurationSeconds = &v
1350 return s
1351 }
1352
1353 // SetExternalId sets the ExternalId field's value.
1354 func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput {
1355 s.ExternalId = &v
1356 return s
1357 }
1358
1359 // SetPolicy sets the Policy field's value.
1360 func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput {
1361 s.Policy = &v
1362 return s
1363 }
1364
1365 // SetPolicyArns sets the PolicyArns field's value.
1366 func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput {
1367 s.PolicyArns = v
1368 return s
1369 }
1370
1371 // SetRoleArn sets the RoleArn field's value.
1372 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
1373 s.RoleArn = &v
1374 return s
1375 }
1376
1377 // SetRoleSessionName sets the RoleSessionName field's value.
1378 func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput {
1379 s.RoleSessionName = &v
1380 return s
1381 }
1382
1383 // SetSerialNumber sets the SerialNumber field's value.
1384 func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput {
1385 s.SerialNumber = &v
1386 return s
1387 }
1388
1389 // SetTokenCode sets the TokenCode field's value.
1390 func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput {
1391 s.TokenCode = &v
1392 return s
1393 }
1394
1395 // Contains the response to a successful AssumeRole request, including temporary
1396 // AWS credentials that can be used to make AWS requests.
1397 type AssumeRoleOutput struct {
1398 _ struct{} `type:"structure"`
1399
1400 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1401 // that you can use to refer to the resulting temporary security credentials.
1402 // For example, you can reference these credentials as a principal in a resource-based
1403 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1404 // that you specified when you called AssumeRole.
1405 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1406
1407 // The temporary security credentials, which include an access key ID, a secret
1408 // access key, and a security (or session) token.
1409 //
1410 // The size of the security token that STS API operations return is not fixed.
1411 // We strongly recommend that you make no assumptions about the maximum size.
1412 Credentials *Credentials `type:"structure"`
1413
1414 // A percentage value that indicates the size of the policy in packed form.
1415 // The service rejects any policy with a packed size greater than 100 percent,
1416 // which means the policy exceeded the allowed space.
1417 PackedPolicySize *int64 `type:"integer"`
1418 }
1419
1420 // String returns the string representation
1421 func (s AssumeRoleOutput) String() string {
1422 return awsutil.Prettify(s)
1423 }
1424
1425 // GoString returns the string representation
1426 func (s AssumeRoleOutput) GoString() string {
1427 return s.String()
1428 }
1429
1430 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1431 func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput {
1432 s.AssumedRoleUser = v
1433 return s
1434 }
1435
1436 // SetCredentials sets the Credentials field's value.
1437 func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput {
1438 s.Credentials = v
1439 return s
1440 }
1441
1442 // SetPackedPolicySize sets the PackedPolicySize field's value.
1443 func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput {
1444 s.PackedPolicySize = &v
1445 return s
1446 }
1447
1448 type AssumeRoleWithSAMLInput struct {
1449 _ struct{} `type:"structure"`
1450
1451 // The duration, in seconds, of the role session. Your role session lasts for
1452 // the duration that you specify for the DurationSeconds parameter, or until
1453 // the time specified in the SAML authentication response's SessionNotOnOrAfter
1454 // value, whichever is shorter. You can provide a DurationSeconds value from
1455 // 900 seconds (15 minutes) up to the maximum session duration setting for the
1456 // role. This setting can have a value from 1 hour to 12 hours. If you specify
1457 // a value higher than this setting, the operation fails. For example, if you
1458 // specify a session duration of 12 hours, but your administrator set the maximum
1459 // session duration to 6 hours, your operation fails. To learn how to view the
1460 // maximum value for your role, see View the Maximum Session Duration Setting
1461 // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1462 // in the IAM User Guide.
1463 //
1464 // By default, the value is set to 3600 seconds.
1465 //
1466 // The DurationSeconds parameter is separate from the duration of a console
1467 // session that you might request using the returned credentials. The request
1468 // to the federation endpoint for a console sign-in token takes a SessionDuration
1469 // parameter that specifies the maximum length of the console session. For more
1470 // information, see Creating a URL that Enables Federated Users to Access the
1471 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1472 // in the IAM User Guide.
1473 DurationSeconds *int64 `min:"900" type:"integer"`
1474
1475 // An IAM policy in JSON format that you want to use as an inline session policy.
1476 //
1477 // This parameter is optional. Passing policies to this operation returns new
1478 // temporary credentials. The resulting session's permissions are the intersection
1479 // of the role's identity-based policy and the session policies. You can use
1480 // the role's temporary credentials in subsequent AWS API calls to access resources
1481 // in the account that owns the role. You cannot use session policies to grant
1482 // more permissions than those allowed by the identity-based policy of the role
1483 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1484 // in the IAM User Guide.
1485 //
1486 // The plain text that you use for both inline and managed session policies
1487 // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
1488 // character from the space character to the end of the valid character list
1489 // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1490 // and carriage return (\u000D) characters.
1491 //
1492 // The characters in this parameter count towards the 2048 character session
1493 // policy guideline. However, an AWS conversion compresses the session policies
1494 // into a packed binary format that has a separate limit. This is the enforced
1495 // limit. The PackedPolicySize response element indicates by percentage how
1496 // close the policy is to the upper size limit.
1497 Policy *string `min:"1" type:"string"`
1498
1499 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
1500 // to use as managed session policies. The policies must exist in the same account
1501 // as the role.
1502 //
1503 // This parameter is optional. You can provide up to 10 managed policy ARNs.
1504 // However, the plain text that you use for both inline and managed session
1505 // policies shouldn't exceed 2048 characters. For more information about ARNs,
1506 // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
1507 // in the AWS General Reference.
1508 //
1509 // The characters in this parameter count towards the 2048 character session
1510 // policy guideline. However, an AWS conversion compresses the session policies
1511 // into a packed binary format that has a separate limit. This is the enforced
1512 // limit. The PackedPolicySize response element indicates by percentage how
1513 // close the policy is to the upper size limit.
1514 //
1515 // Passing policies to this operation returns new temporary credentials. The
1516 // resulting session's permissions are the intersection of the role's identity-based
1517 // policy and the session policies. You can use the role's temporary credentials
1518 // in subsequent AWS API calls to access resources in the account that owns
1519 // the role. You cannot use session policies to grant more permissions than
1520 // those allowed by the identity-based policy of the role that is being assumed.
1521 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1522 // in the IAM User Guide.
1523 PolicyArns []*PolicyDescriptorType `type:"list"`
1524
1525 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
1526 // the IdP.
1527 //
1528 // PrincipalArn is a required field
1529 PrincipalArn *string `min:"20" type:"string" required:"true"`
1530
1531 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1532 //
1533 // RoleArn is a required field
1534 RoleArn *string `min:"20" type:"string" required:"true"`
1535
1536 // The base-64 encoded SAML authentication response provided by the IdP.
1537 //
1538 // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
1539 // in the IAM User Guide.
1540 //
1541 // SAMLAssertion is a required field
1542 SAMLAssertion *string `min:"4" type:"string" required:"true"`
1543 }
1544
1545 // String returns the string representation
1546 func (s AssumeRoleWithSAMLInput) String() string {
1547 return awsutil.Prettify(s)
1548 }
1549
1550 // GoString returns the string representation
1551 func (s AssumeRoleWithSAMLInput) GoString() string {
1552 return s.String()
1553 }
1554
1555 // Validate inspects the fields of the type to determine if they are valid.
1556 func (s *AssumeRoleWithSAMLInput) Validate() error {
1557 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
1558 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1559 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1560 }
1561 if s.Policy != nil && len(*s.Policy) < 1 {
1562 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1563 }
1564 if s.PrincipalArn == nil {
1565 invalidParams.Add(request.NewErrParamRequired("PrincipalArn"))
1566 }
1567 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
1568 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20))
1569 }
1570 if s.RoleArn == nil {
1571 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1572 }
1573 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1574 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1575 }
1576 if s.SAMLAssertion == nil {
1577 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion"))
1578 }
1579 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
1580 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
1581 }
1582 if s.PolicyArns != nil {
1583 for i, v := range s.PolicyArns {
1584 if v == nil {
1585 continue
1586 }
1587 if err := v.Validate(); err != nil {
1588 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
1589 }
1590 }
1591 }
1592
1593 if invalidParams.Len() > 0 {
1594 return invalidParams
1595 }
1596 return nil
1597 }
1598
1599 // SetDurationSeconds sets the DurationSeconds field's value.
1600 func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput {
1601 s.DurationSeconds = &v
1602 return s
1603 }
1604
1605 // SetPolicy sets the Policy field's value.
1606 func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput {
1607 s.Policy = &v
1608 return s
1609 }
1610
1611 // SetPolicyArns sets the PolicyArns field's value.
1612 func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput {
1613 s.PolicyArns = v
1614 return s
1615 }
1616
1617 // SetPrincipalArn sets the PrincipalArn field's value.
1618 func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput {
1619 s.PrincipalArn = &v
1620 return s
1621 }
1622
1623 // SetRoleArn sets the RoleArn field's value.
1624 func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput {
1625 s.RoleArn = &v
1626 return s
1627 }
1628
1629 // SetSAMLAssertion sets the SAMLAssertion field's value.
1630 func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput {
1631 s.SAMLAssertion = &v
1632 return s
1633 }
1634
1635 // Contains the response to a successful AssumeRoleWithSAML request, including
1636 // temporary AWS credentials that can be used to make AWS requests.
1637 type AssumeRoleWithSAMLOutput struct {
1638 _ struct{} `type:"structure"`
1639
1640 // The identifiers for the temporary security credentials that the operation
1641 // returns.
1642 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1643
1644 // The value of the Recipient attribute of the SubjectConfirmationData element
1645 // of the SAML assertion.
1646 Audience *string `type:"string"`
1647
1648 // The temporary security credentials, which include an access key ID, a secret
1649 // access key, and a security (or session) token.
1650 //
1651 // The size of the security token that STS API operations return is not fixed.
1652 // We strongly recommend that you make no assumptions about the maximum size.
1653 Credentials *Credentials `type:"structure"`
1654
1655 // The value of the Issuer element of the SAML assertion.
1656 Issuer *string `type:"string"`
1657
1658 // A hash value based on the concatenation of the Issuer response value, the
1659 // AWS account ID, and the friendly name (the last part of the ARN) of the SAML
1660 // provider in IAM. The combination of NameQualifier and Subject can be used
1661 // to uniquely identify a federated user.
1662 //
1663 // The following pseudocode shows how the hash value is calculated:
1664 //
1665 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
1666 // ) )
1667 NameQualifier *string `type:"string"`
1668
1669 // A percentage value that indicates the size of the policy in packed form.
1670 // The service rejects any policy with a packed size greater than 100 percent,
1671 // which means the policy exceeded the allowed space.
1672 PackedPolicySize *int64 `type:"integer"`
1673
1674 // The value of the NameID element in the Subject element of the SAML assertion.
1675 Subject *string `type:"string"`
1676
1677 // The format of the name ID, as defined by the Format attribute in the NameID
1678 // element of the SAML assertion. Typical examples of the format are transient
1679 // or persistent.
1680 //
1681 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
1682 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
1683 // is returned as transient. If the format includes any other prefix, the format
1684 // is returned with no modifications.
1685 SubjectType *string `type:"string"`
1686 }
1687
1688 // String returns the string representation
1689 func (s AssumeRoleWithSAMLOutput) String() string {
1690 return awsutil.Prettify(s)
1691 }
1692
1693 // GoString returns the string representation
1694 func (s AssumeRoleWithSAMLOutput) GoString() string {
1695 return s.String()
1696 }
1697
1698 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1699 func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput {
1700 s.AssumedRoleUser = v
1701 return s
1702 }
1703
1704 // SetAudience sets the Audience field's value.
1705 func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput {
1706 s.Audience = &v
1707 return s
1708 }
1709
1710 // SetCredentials sets the Credentials field's value.
1711 func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput {
1712 s.Credentials = v
1713 return s
1714 }
1715
1716 // SetIssuer sets the Issuer field's value.
1717 func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput {
1718 s.Issuer = &v
1719 return s
1720 }
1721
1722 // SetNameQualifier sets the NameQualifier field's value.
1723 func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput {
1724 s.NameQualifier = &v
1725 return s
1726 }
1727
1728 // SetPackedPolicySize sets the PackedPolicySize field's value.
1729 func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput {
1730 s.PackedPolicySize = &v
1731 return s
1732 }
1733
1734 // SetSubject sets the Subject field's value.
1735 func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput {
1736 s.Subject = &v
1737 return s
1738 }
1739
1740 // SetSubjectType sets the SubjectType field's value.
1741 func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput {
1742 s.SubjectType = &v
1743 return s
1744 }
1745
1746 type AssumeRoleWithWebIdentityInput struct {
1747 _ struct{} `type:"structure"`
1748
1749 // The duration, in seconds, of the role session. The value can range from 900
1750 // seconds (15 minutes) up to the maximum session duration setting for the role.
1751 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1752 // higher than this setting, the operation fails. For example, if you specify
1753 // a session duration of 12 hours, but your administrator set the maximum session
1754 // duration to 6 hours, your operation fails. To learn how to view the maximum
1755 // value for your role, see View the Maximum Session Duration Setting for a
1756 // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1757 // in the IAM User Guide.
1758 //
1759 // By default, the value is set to 3600 seconds.
1760 //
1761 // The DurationSeconds parameter is separate from the duration of a console
1762 // session that you might request using the returned credentials. The request
1763 // to the federation endpoint for a console sign-in token takes a SessionDuration
1764 // parameter that specifies the maximum length of the console session. For more
1765 // information, see Creating a URL that Enables Federated Users to Access the
1766 // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1767 // in the IAM User Guide.
1768 DurationSeconds *int64 `min:"900" type:"integer"`
1769
1770 // An IAM policy in JSON format that you want to use as an inline session policy.
1771 //
1772 // This parameter is optional. Passing policies to this operation returns new
1773 // temporary credentials. The resulting session's permissions are the intersection
1774 // of the role's identity-based policy and the session policies. You can use
1775 // the role's temporary credentials in subsequent AWS API calls to access resources
1776 // in the account that owns the role. You cannot use session policies to grant
1777 // more permissions than those allowed by the identity-based policy of the role
1778 // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1779 // in the IAM User Guide.
1780 //
1781 // The plain text that you use for both inline and managed session policies
1782 // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
1783 // character from the space character to the end of the valid character list
1784 // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1785 // and carriage return (\u000D) characters.
1786 //
1787 // The characters in this parameter count towards the 2048 character session
1788 // policy guideline. However, an AWS conversion compresses the session policies
1789 // into a packed binary format that has a separate limit. This is the enforced
1790 // limit. The PackedPolicySize response element indicates by percentage how
1791 // close the policy is to the upper size limit.
1792 Policy *string `min:"1" type:"string"`
1793
1794 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
1795 // to use as managed session policies. The policies must exist in the same account
1796 // as the role.
1797 //
1798 // This parameter is optional. You can provide up to 10 managed policy ARNs.
1799 // However, the plain text that you use for both inline and managed session
1800 // policies shouldn't exceed 2048 characters. For more information about ARNs,
1801 // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
1802 // in the AWS General Reference.
1803 //
1804 // The characters in this parameter count towards the 2048 character session
1805 // policy guideline. However, an AWS conversion compresses the session policies
1806 // into a packed binary format that has a separate limit. This is the enforced
1807 // limit. The PackedPolicySize response element indicates by percentage how
1808 // close the policy is to the upper size limit.
1809 //
1810 // Passing policies to this operation returns new temporary credentials. The
1811 // resulting session's permissions are the intersection of the role's identity-based
1812 // policy and the session policies. You can use the role's temporary credentials
1813 // in subsequent AWS API calls to access resources in the account that owns
1814 // the role. You cannot use session policies to grant more permissions than
1815 // those allowed by the identity-based policy of the role that is being assumed.
1816 // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
1817 // in the IAM User Guide.
1818 PolicyArns []*PolicyDescriptorType `type:"list"`
1819
1820 // The fully qualified host component of the domain name of the identity provider.
1821 //
1822 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
1823 // and graph.facebook.com are the only supported identity providers for OAuth
1824 // 2.0 access tokens. Do not include URL schemes and port numbers.
1825 //
1826 // Do not specify this value for OpenID Connect ID tokens.
1827 ProviderId *string `min:"4" type:"string"`
1828
1829 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1830 //
1831 // RoleArn is a required field
1832 RoleArn *string `min:"20" type:"string" required:"true"`
1833
1834 // An identifier for the assumed role session. Typically, you pass the name
1835 // or identifier that is associated with the user who is using your application.
1836 // That way, the temporary security credentials that your application will use
1837 // are associated with that user. This session name is included as part of the
1838 // ARN and assumed role ID in the AssumedRoleUser response element.
1839 //
1840 // The regex used to validate this parameter is a string of characters consisting
1841 // of upper- and lower-case alphanumeric characters with no spaces. You can
1842 // also include underscores or any of the following characters: =,.@-
1843 //
1844 // RoleSessionName is a required field
1845 RoleSessionName *string `min:"2" type:"string" required:"true"`
1846
1847 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by
1848 // the identity provider. Your application must get this token by authenticating
1849 // the user who is using your application with a web identity provider before
1850 // the application makes an AssumeRoleWithWebIdentity call.
1851 //
1852 // WebIdentityToken is a required field
1853 WebIdentityToken *string `min:"4" type:"string" required:"true"`
1854 }
1855
1856 // String returns the string representation
1857 func (s AssumeRoleWithWebIdentityInput) String() string {
1858 return awsutil.Prettify(s)
1859 }
1860
1861 // GoString returns the string representation
1862 func (s AssumeRoleWithWebIdentityInput) GoString() string {
1863 return s.String()
1864 }
1865
1866 // Validate inspects the fields of the type to determine if they are valid.
1867 func (s *AssumeRoleWithWebIdentityInput) Validate() error {
1868 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
1869 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1870 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1871 }
1872 if s.Policy != nil && len(*s.Policy) < 1 {
1873 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1874 }
1875 if s.ProviderId != nil && len(*s.ProviderId) < 4 {
1876 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4))
1877 }
1878 if s.RoleArn == nil {
1879 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1880 }
1881 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1882 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1883 }
1884 if s.RoleSessionName == nil {
1885 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1886 }
1887 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1888 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1889 }
1890 if s.WebIdentityToken == nil {
1891 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken"))
1892 }
1893 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
1894 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
1895 }
1896 if s.PolicyArns != nil {
1897 for i, v := range s.PolicyArns {
1898 if v == nil {
1899 continue
1900 }
1901 if err := v.Validate(); err != nil {
1902 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
1903 }
1904 }
1905 }
1906
1907 if invalidParams.Len() > 0 {
1908 return invalidParams
1909 }
1910 return nil
1911 }
1912
1913 // SetDurationSeconds sets the DurationSeconds field's value.
1914 func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput {
1915 s.DurationSeconds = &v
1916 return s
1917 }
1918
1919 // SetPolicy sets the Policy field's value.
1920 func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput {
1921 s.Policy = &v
1922 return s
1923 }
1924
1925 // SetPolicyArns sets the PolicyArns field's value.
1926 func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput {
1927 s.PolicyArns = v
1928 return s
1929 }
1930
1931 // SetProviderId sets the ProviderId field's value.
1932 func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput {
1933 s.ProviderId = &v
1934 return s
1935 }
1936
1937 // SetRoleArn sets the RoleArn field's value.
1938 func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput {
1939 s.RoleArn = &v
1940 return s
1941 }
1942
1943 // SetRoleSessionName sets the RoleSessionName field's value.
1944 func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput {
1945 s.RoleSessionName = &v
1946 return s
1947 }
1948
1949 // SetWebIdentityToken sets the WebIdentityToken field's value.
1950 func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput {
1951 s.WebIdentityToken = &v
1952 return s
1953 }
1954
1955 // Contains the response to a successful AssumeRoleWithWebIdentity request,
1956 // including temporary AWS credentials that can be used to make AWS requests.
1957 type AssumeRoleWithWebIdentityOutput struct {
1958 _ struct{} `type:"structure"`
1959
1960 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1961 // that you can use to refer to the resulting temporary security credentials.
1962 // For example, you can reference these credentials as a principal in a resource-based
1963 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1964 // that you specified when you called AssumeRole.
1965 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1966
1967 // The intended audience (also known as client ID) of the web identity token.
1968 // This is traditionally the client identifier issued to the application that
1969 // requested the web identity token.
1970 Audience *string `type:"string"`
1971
1972 // The temporary security credentials, which include an access key ID, a secret
1973 // access key, and a security token.
1974 //
1975 // The size of the security token that STS API operations return is not fixed.
1976 // We strongly recommend that you make no assumptions about the maximum size.
1977 Credentials *Credentials `type:"structure"`
1978
1979 // A percentage value that indicates the size of the policy in packed form.
1980 // The service rejects any policy with a packed size greater than 100 percent,
1981 // which means the policy exceeded the allowed space.
1982 PackedPolicySize *int64 `type:"integer"`
1983
1984 // The issuing authority of the web identity token presented. For OpenID Connect
1985 // ID tokens, this contains the value of the iss field. For OAuth 2.0 access
1986 // tokens, this contains the value of the ProviderId parameter that was passed
1987 // in the AssumeRoleWithWebIdentity request.
1988 Provider *string `type:"string"`
1989
1990 // The unique user identifier that is returned by the identity provider. This
1991 // identifier is associated with the WebIdentityToken that was submitted with
1992 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to
1993 // the user and the application that acquired the WebIdentityToken (pairwise
1994 // identifier). For OpenID Connect ID tokens, this field contains the value
1995 // returned by the identity provider as the token's sub (Subject) claim.
1996 SubjectFromWebIdentityToken *string `min:"6" type:"string"`
1997 }
1998
1999 // String returns the string representation
2000 func (s AssumeRoleWithWebIdentityOutput) String() string {
2001 return awsutil.Prettify(s)
2002 }
2003
2004 // GoString returns the string representation
2005 func (s AssumeRoleWithWebIdentityOutput) GoString() string {
2006 return s.String()
2007 }
2008
2009 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
2010 func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput {
2011 s.AssumedRoleUser = v
2012 return s
2013 }
2014
2015 // SetAudience sets the Audience field's value.
2016 func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput {
2017 s.Audience = &v
2018 return s
2019 }
2020
2021 // SetCredentials sets the Credentials field's value.
2022 func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput {
2023 s.Credentials = v
2024 return s
2025 }
2026
2027 // SetPackedPolicySize sets the PackedPolicySize field's value.
2028 func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput {
2029 s.PackedPolicySize = &v
2030 return s
2031 }
2032
2033 // SetProvider sets the Provider field's value.
2034 func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput {
2035 s.Provider = &v
2036 return s
2037 }
2038
2039 // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
2040 func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput {
2041 s.SubjectFromWebIdentityToken = &v
2042 return s
2043 }
2044
2045 // The identifiers for the temporary security credentials that the operation
2046 // returns.
2047 type AssumedRoleUser struct {
2048 _ struct{} `type:"structure"`
2049
2050 // The ARN of the temporary security credentials that are returned from the
2051 // AssumeRole action. For more information about ARNs and how to use them in
2052 // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2053 // in Using IAM.
2054 //
2055 // Arn is a required field
2056 Arn *string `min:"20" type:"string" required:"true"`
2057
2058 // A unique identifier that contains the role ID and the role session name of
2059 // the role that is being assumed. The role ID is generated by AWS when the
2060 // role is created.
2061 //
2062 // AssumedRoleId is a required field
2063 AssumedRoleId *string `min:"2" type:"string" required:"true"`
2064 }
2065
2066 // String returns the string representation
2067 func (s AssumedRoleUser) String() string {
2068 return awsutil.Prettify(s)
2069 }
2070
2071 // GoString returns the string representation
2072 func (s AssumedRoleUser) GoString() string {
2073 return s.String()
2074 }
2075
2076 // SetArn sets the Arn field's value.
2077 func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser {
2078 s.Arn = &v
2079 return s
2080 }
2081
2082 // SetAssumedRoleId sets the AssumedRoleId field's value.
2083 func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser {
2084 s.AssumedRoleId = &v
2085 return s
2086 }
2087
2088 // AWS credentials for API authentication.
2089 type Credentials struct {
2090 _ struct{} `type:"structure"`
2091
2092 // The access key ID that identifies the temporary security credentials.
2093 //
2094 // AccessKeyId is a required field
2095 AccessKeyId *string `min:"16" type:"string" required:"true"`
2096
2097 // The date on which the current credentials expire.
2098 //
2099 // Expiration is a required field
2100 Expiration *time.Time `type:"timestamp" required:"true"`
2101
2102 // The secret access key that can be used to sign requests.
2103 //
2104 // SecretAccessKey is a required field
2105 SecretAccessKey *string `type:"string" required:"true"`
2106
2107 // The token that users must pass to the service API to use the temporary credentials.
2108 //
2109 // SessionToken is a required field
2110 SessionToken *string `type:"string" required:"true"`
2111 }
2112
2113 // String returns the string representation
2114 func (s Credentials) String() string {
2115 return awsutil.Prettify(s)
2116 }
2117
2118 // GoString returns the string representation
2119 func (s Credentials) GoString() string {
2120 return s.String()
2121 }
2122
2123 // SetAccessKeyId sets the AccessKeyId field's value.
2124 func (s *Credentials) SetAccessKeyId(v string) *Credentials {
2125 s.AccessKeyId = &v
2126 return s
2127 }
2128
2129 // SetExpiration sets the Expiration field's value.
2130 func (s *Credentials) SetExpiration(v time.Time) *Credentials {
2131 s.Expiration = &v
2132 return s
2133 }
2134
2135 // SetSecretAccessKey sets the SecretAccessKey field's value.
2136 func (s *Credentials) SetSecretAccessKey(v string) *Credentials {
2137 s.SecretAccessKey = &v
2138 return s
2139 }
2140
2141 // SetSessionToken sets the SessionToken field's value.
2142 func (s *Credentials) SetSessionToken(v string) *Credentials {
2143 s.SessionToken = &v
2144 return s
2145 }
2146
2147 type DecodeAuthorizationMessageInput struct {
2148 _ struct{} `type:"structure"`
2149
2150 // The encoded message that was returned with the response.
2151 //
2152 // EncodedMessage is a required field
2153 EncodedMessage *string `min:"1" type:"string" required:"true"`
2154 }
2155
2156 // String returns the string representation
2157 func (s DecodeAuthorizationMessageInput) String() string {
2158 return awsutil.Prettify(s)
2159 }
2160
2161 // GoString returns the string representation
2162 func (s DecodeAuthorizationMessageInput) GoString() string {
2163 return s.String()
2164 }
2165
2166 // Validate inspects the fields of the type to determine if they are valid.
2167 func (s *DecodeAuthorizationMessageInput) Validate() error {
2168 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
2169 if s.EncodedMessage == nil {
2170 invalidParams.Add(request.NewErrParamRequired("EncodedMessage"))
2171 }
2172 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
2173 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1))
2174 }
2175
2176 if invalidParams.Len() > 0 {
2177 return invalidParams
2178 }
2179 return nil
2180 }
2181
2182 // SetEncodedMessage sets the EncodedMessage field's value.
2183 func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput {
2184 s.EncodedMessage = &v
2185 return s
2186 }
2187
2188 // A document that contains additional information about the authorization status
2189 // of a request from an encoded message that is returned in response to an AWS
2190 // request.
2191 type DecodeAuthorizationMessageOutput struct {
2192 _ struct{} `type:"structure"`
2193
2194 // An XML document that contains the decoded message.
2195 DecodedMessage *string `type:"string"`
2196 }
2197
2198 // String returns the string representation
2199 func (s DecodeAuthorizationMessageOutput) String() string {
2200 return awsutil.Prettify(s)
2201 }
2202
2203 // GoString returns the string representation
2204 func (s DecodeAuthorizationMessageOutput) GoString() string {
2205 return s.String()
2206 }
2207
2208 // SetDecodedMessage sets the DecodedMessage field's value.
2209 func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput {
2210 s.DecodedMessage = &v
2211 return s
2212 }
2213
2214 // Identifiers for the federated user that is associated with the credentials.
2215 type FederatedUser struct {
2216 _ struct{} `type:"structure"`
2217
2218 // The ARN that specifies the federated user that is associated with the credentials.
2219 // For more information about ARNs and how to use them in policies, see IAM
2220 // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2221 // in Using IAM.
2222 //
2223 // Arn is a required field
2224 Arn *string `min:"20" type:"string" required:"true"`
2225
2226 // The string that identifies the federated user associated with the credentials,
2227 // similar to the unique ID of an IAM user.
2228 //
2229 // FederatedUserId is a required field
2230 FederatedUserId *string `min:"2" type:"string" required:"true"`
2231 }
2232
2233 // String returns the string representation
2234 func (s FederatedUser) String() string {
2235 return awsutil.Prettify(s)
2236 }
2237
2238 // GoString returns the string representation
2239 func (s FederatedUser) GoString() string {
2240 return s.String()
2241 }
2242
2243 // SetArn sets the Arn field's value.
2244 func (s *FederatedUser) SetArn(v string) *FederatedUser {
2245 s.Arn = &v
2246 return s
2247 }
2248
2249 // SetFederatedUserId sets the FederatedUserId field's value.
2250 func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser {
2251 s.FederatedUserId = &v
2252 return s
2253 }
2254
2255 type GetAccessKeyInfoInput struct {
2256 _ struct{} `type:"structure"`
2257
2258 // The identifier of an access key.
2259 //
2260 // This parameter allows (through its regex pattern) a string of characters
2261 // that can consist of any upper- or lowercased letter or digit.
2262 //
2263 // AccessKeyId is a required field
2264 AccessKeyId *string `min:"16" type:"string" required:"true"`
2265 }
2266
2267 // String returns the string representation
2268 func (s GetAccessKeyInfoInput) String() string {
2269 return awsutil.Prettify(s)
2270 }
2271
2272 // GoString returns the string representation
2273 func (s GetAccessKeyInfoInput) GoString() string {
2274 return s.String()
2275 }
2276
2277 // Validate inspects the fields of the type to determine if they are valid.
2278 func (s *GetAccessKeyInfoInput) Validate() error {
2279 invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"}
2280 if s.AccessKeyId == nil {
2281 invalidParams.Add(request.NewErrParamRequired("AccessKeyId"))
2282 }
2283 if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 {
2284 invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16))
2285 }
2286
2287 if invalidParams.Len() > 0 {
2288 return invalidParams
2289 }
2290 return nil
2291 }
2292
2293 // SetAccessKeyId sets the AccessKeyId field's value.
2294 func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput {
2295 s.AccessKeyId = &v
2296 return s
2297 }
2298
2299 type GetAccessKeyInfoOutput struct {
2300 _ struct{} `type:"structure"`
2301
2302 // The number used to identify the AWS account.
2303 Account *string `type:"string"`
2304 }
2305
2306 // String returns the string representation
2307 func (s GetAccessKeyInfoOutput) String() string {
2308 return awsutil.Prettify(s)
2309 }
2310
2311 // GoString returns the string representation
2312 func (s GetAccessKeyInfoOutput) GoString() string {
2313 return s.String()
2314 }
2315
2316 // SetAccount sets the Account field's value.
2317 func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput {
2318 s.Account = &v
2319 return s
2320 }
2321
2322 type GetCallerIdentityInput struct {
2323 _ struct{} `type:"structure"`
2324 }
2325
2326 // String returns the string representation
2327 func (s GetCallerIdentityInput) String() string {
2328 return awsutil.Prettify(s)
2329 }
2330
2331 // GoString returns the string representation
2332 func (s GetCallerIdentityInput) GoString() string {
2333 return s.String()
2334 }
2335
2336 // Contains the response to a successful GetCallerIdentity request, including
2337 // information about the entity making the request.
2338 type GetCallerIdentityOutput struct {
2339 _ struct{} `type:"structure"`
2340
2341 // The AWS account ID number of the account that owns or contains the calling
2342 // entity.
2343 Account *string `type:"string"`
2344
2345 // The AWS ARN associated with the calling entity.
2346 Arn *string `min:"20" type:"string"`
2347
2348 // The unique identifier of the calling entity. The exact value depends on the
2349 // type of entity that is making the call. The values returned are those listed
2350 // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
2351 // found on the Policy Variables reference page in the IAM User Guide.
2352 UserId *string `type:"string"`
2353 }
2354
2355 // String returns the string representation
2356 func (s GetCallerIdentityOutput) String() string {
2357 return awsutil.Prettify(s)
2358 }
2359
2360 // GoString returns the string representation
2361 func (s GetCallerIdentityOutput) GoString() string {
2362 return s.String()
2363 }
2364
2365 // SetAccount sets the Account field's value.
2366 func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput {
2367 s.Account = &v
2368 return s
2369 }
2370
2371 // SetArn sets the Arn field's value.
2372 func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput {
2373 s.Arn = &v
2374 return s
2375 }
2376
2377 // SetUserId sets the UserId field's value.
2378 func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput {
2379 s.UserId = &v
2380 return s
2381 }
2382
2383 type GetFederationTokenInput struct {
2384 _ struct{} `type:"structure"`
2385
2386 // The duration, in seconds, that the session should last. Acceptable durations
2387 // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
2388 // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
2389 // using AWS account root user credentials are restricted to a maximum of 3,600
2390 // seconds (one hour). If the specified duration is longer than one hour, the
2391 // session obtained by using root user credentials defaults to one hour.
2392 DurationSeconds *int64 `min:"900" type:"integer"`
2393
2394 // The name of the federated user. The name is used as an identifier for the
2395 // temporary security credentials (such as Bob). For example, you can reference
2396 // the federated user name in a resource-based policy, such as in an Amazon
2397 // S3 bucket policy.
2398 //
2399 // The regex used to validate this parameter is a string of characters consisting
2400 // of upper- and lower-case alphanumeric characters with no spaces. You can
2401 // also include underscores or any of the following characters: =,.@-
2402 //
2403 // Name is a required field
2404 Name *string `min:"2" type:"string" required:"true"`
2405
2406 // An IAM policy in JSON format that you want to use as an inline session policy.
2407 //
2408 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
2409 // to this operation. You can pass a single JSON policy document to use as an
2410 // inline session policy. You can also specify up to 10 managed policies to
2411 // use as managed session policies.
2412 //
2413 // This parameter is optional. However, if you do not pass any session policies,
2414 // then the resulting federated user session has no permissions. The only exception
2415 // is when the credentials are used to access a resource that has a resource-based
2416 // policy that specifically references the federated user session in the Principal
2417 // element of the policy.
2418 //
2419 // When you pass session policies, the session permissions are the intersection
2420 // of the IAM user policies and the session policies that you pass. This gives
2421 // you a way to further restrict the permissions for a federated user. You cannot
2422 // use session policies to grant more permissions than those that are defined
2423 // in the permissions policy of the IAM user. For more information, see Session
2424 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
2425 // in the IAM User Guide.
2426 //
2427 // The plain text that you use for both inline and managed session policies
2428 // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII
2429 // character from the space character to the end of the valid character list
2430 // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2431 // and carriage return (\u000D) characters.
2432 //
2433 // The characters in this parameter count towards the 2048 character session
2434 // policy guideline. However, an AWS conversion compresses the session policies
2435 // into a packed binary format that has a separate limit. This is the enforced
2436 // limit. The PackedPolicySize response element indicates by percentage how
2437 // close the policy is to the upper size limit.
2438 Policy *string `min:"1" type:"string"`
2439
2440 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want
2441 // to use as a managed session policy. The policies must exist in the same account
2442 // as the IAM user that is requesting federated access.
2443 //
2444 // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
2445 // to this operation. You can pass a single JSON policy document to use as an
2446 // inline session policy. You can also specify up to 10 managed policies to
2447 // use as managed session policies. The plain text that you use for both inline
2448 // and managed session policies shouldn't exceed 2048 characters. You can provide
2449 // up to 10 managed policy ARNs. For more information about ARNs, see Amazon
2450 // Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html)
2451 // in the AWS General Reference.
2452 //
2453 // This parameter is optional. However, if you do not pass any session policies,
2454 // then the resulting federated user session has no permissions. The only exception
2455 // is when the credentials are used to access a resource that has a resource-based
2456 // policy that specifically references the federated user session in the Principal
2457 // element of the policy.
2458 //
2459 // When you pass session policies, the session permissions are the intersection
2460 // of the IAM user policies and the session policies that you pass. This gives
2461 // you a way to further restrict the permissions for a federated user. You cannot
2462 // use session policies to grant more permissions than those that are defined
2463 // in the permissions policy of the IAM user. For more information, see Session
2464 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
2465 // in the IAM User Guide.
2466 //
2467 // The characters in this parameter count towards the 2048 character session
2468 // policy guideline. However, an AWS conversion compresses the session policies
2469 // into a packed binary format that has a separate limit. This is the enforced
2470 // limit. The PackedPolicySize response element indicates by percentage how
2471 // close the policy is to the upper size limit.
2472 PolicyArns []*PolicyDescriptorType `type:"list"`
2473 }
2474
2475 // String returns the string representation
2476 func (s GetFederationTokenInput) String() string {
2477 return awsutil.Prettify(s)
2478 }
2479
2480 // GoString returns the string representation
2481 func (s GetFederationTokenInput) GoString() string {
2482 return s.String()
2483 }
2484
2485 // Validate inspects the fields of the type to determine if they are valid.
2486 func (s *GetFederationTokenInput) Validate() error {
2487 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"}
2488 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2489 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2490 }
2491 if s.Name == nil {
2492 invalidParams.Add(request.NewErrParamRequired("Name"))
2493 }
2494 if s.Name != nil && len(*s.Name) < 2 {
2495 invalidParams.Add(request.NewErrParamMinLen("Name", 2))
2496 }
2497 if s.Policy != nil && len(*s.Policy) < 1 {
2498 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
2499 }
2500 if s.PolicyArns != nil {
2501 for i, v := range s.PolicyArns {
2502 if v == nil {
2503 continue
2504 }
2505 if err := v.Validate(); err != nil {
2506 invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams))
2507 }
2508 }
2509 }
2510
2511 if invalidParams.Len() > 0 {
2512 return invalidParams
2513 }
2514 return nil
2515 }
2516
2517 // SetDurationSeconds sets the DurationSeconds field's value.
2518 func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput {
2519 s.DurationSeconds = &v
2520 return s
2521 }
2522
2523 // SetName sets the Name field's value.
2524 func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput {
2525 s.Name = &v
2526 return s
2527 }
2528
2529 // SetPolicy sets the Policy field's value.
2530 func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput {
2531 s.Policy = &v
2532 return s
2533 }
2534
2535 // SetPolicyArns sets the PolicyArns field's value.
2536 func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput {
2537 s.PolicyArns = v
2538 return s
2539 }
2540
2541 // Contains the response to a successful GetFederationToken request, including
2542 // temporary AWS credentials that can be used to make AWS requests.
2543 type GetFederationTokenOutput struct {
2544 _ struct{} `type:"structure"`
2545
2546 // The temporary security credentials, which include an access key ID, a secret
2547 // access key, and a security (or session) token.
2548 //
2549 // The size of the security token that STS API operations return is not fixed.
2550 // We strongly recommend that you make no assumptions about the maximum size.
2551 Credentials *Credentials `type:"structure"`
2552
2553 // Identifiers for the federated user associated with the credentials (such
2554 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
2555 // can use the federated user's ARN in your resource-based policies, such as
2556 // an Amazon S3 bucket policy.
2557 FederatedUser *FederatedUser `type:"structure"`
2558
2559 // A percentage value indicating the size of the policy in packed form. The
2560 // service rejects policies for which the packed size is greater than 100 percent
2561 // of the allowed value.
2562 PackedPolicySize *int64 `type:"integer"`
2563 }
2564
2565 // String returns the string representation
2566 func (s GetFederationTokenOutput) String() string {
2567 return awsutil.Prettify(s)
2568 }
2569
2570 // GoString returns the string representation
2571 func (s GetFederationTokenOutput) GoString() string {
2572 return s.String()
2573 }
2574
2575 // SetCredentials sets the Credentials field's value.
2576 func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput {
2577 s.Credentials = v
2578 return s
2579 }
2580
2581 // SetFederatedUser sets the FederatedUser field's value.
2582 func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput {
2583 s.FederatedUser = v
2584 return s
2585 }
2586
2587 // SetPackedPolicySize sets the PackedPolicySize field's value.
2588 func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput {
2589 s.PackedPolicySize = &v
2590 return s
2591 }
2592
2593 type GetSessionTokenInput struct {
2594 _ struct{} `type:"structure"`
2595
2596 // The duration, in seconds, that the credentials should remain valid. Acceptable
2597 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600
2598 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions
2599 // for AWS account owners are restricted to a maximum of 3,600 seconds (one
2600 // hour). If the duration is longer than one hour, the session for AWS account
2601 // owners defaults to one hour.
2602 DurationSeconds *int64 `min:"900" type:"integer"`
2603
2604 // The identification number of the MFA device that is associated with the IAM
2605 // user who is making the GetSessionToken call. Specify this value if the IAM
2606 // user has a policy that requires MFA authentication. The value is either the
2607 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
2608 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
2609 // You can find the device for an IAM user by going to the AWS Management Console
2610 // and viewing the user's security credentials.
2611 //
2612 // The regex used to validate this parameter is a string of characters consisting
2613 // of upper- and lower-case alphanumeric characters with no spaces. You can
2614 // also include underscores or any of the following characters: =,.@:/-
2615 SerialNumber *string `min:"9" type:"string"`
2616
2617 // The value provided by the MFA device, if MFA is required. If any policy requires
2618 // the IAM user to submit an MFA code, specify this value. If MFA authentication
2619 // is required, the user must provide a code when requesting a set of temporary
2620 // security credentials. A user who fails to provide the code receives an "access
2621 // denied" response when requesting resources that require MFA authentication.
2622 //
2623 // The format for this parameter, as described by its regex pattern, is a sequence
2624 // of six numeric digits.
2625 TokenCode *string `min:"6" type:"string"`
2626 }
2627
2628 // String returns the string representation
2629 func (s GetSessionTokenInput) String() string {
2630 return awsutil.Prettify(s)
2631 }
2632
2633 // GoString returns the string representation
2634 func (s GetSessionTokenInput) GoString() string {
2635 return s.String()
2636 }
2637
2638 // Validate inspects the fields of the type to determine if they are valid.
2639 func (s *GetSessionTokenInput) Validate() error {
2640 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"}
2641 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2642 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2643 }
2644 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
2645 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
2646 }
2647 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
2648 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
2649 }
2650
2651 if invalidParams.Len() > 0 {
2652 return invalidParams
2653 }
2654 return nil
2655 }
2656
2657 // SetDurationSeconds sets the DurationSeconds field's value.
2658 func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput {
2659 s.DurationSeconds = &v
2660 return s
2661 }
2662
2663 // SetSerialNumber sets the SerialNumber field's value.
2664 func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput {
2665 s.SerialNumber = &v
2666 return s
2667 }
2668
2669 // SetTokenCode sets the TokenCode field's value.
2670 func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput {
2671 s.TokenCode = &v
2672 return s
2673 }
2674
2675 // Contains the response to a successful GetSessionToken request, including
2676 // temporary AWS credentials that can be used to make AWS requests.
2677 type GetSessionTokenOutput struct {
2678 _ struct{} `type:"structure"`
2679
2680 // The temporary security credentials, which include an access key ID, a secret
2681 // access key, and a security (or session) token.
2682 //
2683 // The size of the security token that STS API operations return is not fixed.
2684 // We strongly recommend that you make no assumptions about the maximum size.
2685 Credentials *Credentials `type:"structure"`
2686 }
2687
2688 // String returns the string representation
2689 func (s GetSessionTokenOutput) String() string {
2690 return awsutil.Prettify(s)
2691 }
2692
2693 // GoString returns the string representation
2694 func (s GetSessionTokenOutput) GoString() string {
2695 return s.String()
2696 }
2697
2698 // SetCredentials sets the Credentials field's value.
2699 func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput {
2700 s.Credentials = v
2701 return s
2702 }
2703
2704 // A reference to the IAM managed policy that is passed as a session policy
2705 // for a role session or a federated user session.
2706 type PolicyDescriptorType struct {
2707 _ struct{} `type:"structure"`
2708
2709 // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session
2710 // policy for the role. For more information about ARNs, see Amazon Resource
2711 // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html)
2712 // in the AWS General Reference.
2713 Arn *string `locationName:"arn" min:"20" type:"string"`
2714 }
2715
2716 // String returns the string representation
2717 func (s PolicyDescriptorType) String() string {
2718 return awsutil.Prettify(s)
2719 }
2720
2721 // GoString returns the string representation
2722 func (s PolicyDescriptorType) GoString() string {
2723 return s.String()
2724 }
2725
2726 // Validate inspects the fields of the type to determine if they are valid.
2727 func (s *PolicyDescriptorType) Validate() error {
2728 invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"}
2729 if s.Arn != nil && len(*s.Arn) < 20 {
2730 invalidParams.Add(request.NewErrParamMinLen("Arn", 20))
2731 }
2732
2733 if invalidParams.Len() > 0 {
2734 return invalidParams
2735 }
2736 return nil
2737 }
2738
2739 // SetArn sets the Arn field's value.
2740 func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType {
2741 s.Arn = &v
2742 return s
2743 }