1 // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
8 "github.com/aws/aws-sdk-go/aws"
9 "github.com/aws/aws-sdk-go/aws/awsutil"
10 "github.com/aws/aws-sdk-go/aws/credentials"
11 "github.com/aws/aws-sdk-go/aws/request"
14 const opAssumeRole = "AssumeRole"
16 // AssumeRoleRequest generates a "aws/request.Request" representing the
17 // client's request for the AssumeRole operation. The "output" return
18 // value will be populated with the request's response once the request completes
21 // Use "Send" method on the returned Request to send the API call to the service.
22 // the "output" return value is not valid until after Send returns without error.
24 // See AssumeRole for more information on using the AssumeRole
25 // API call, and error handling.
27 // This method is useful when you want to inject custom logic or configuration
28 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
31 // // Example sending a request using the AssumeRoleRequest method.
32 // req, resp := client.AssumeRoleRequest(params)
35 // if err == nil { // resp is now filled
39 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
40 func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) {
41 op := &request.Operation{
48 input = &AssumeRoleInput{}
51 output = &AssumeRoleOutput{}
52 req = c.newRequest(op, input, output)
56 // AssumeRole API operation for AWS Security Token Service.
58 // Returns a set of temporary security credentials (consisting of an access
59 // key ID, a secret access key, and a security token) that you can use to access
60 // AWS resources that you might not normally have access to. Typically, you
61 // use AssumeRole for cross-account access or federation. For a comparison of
62 // AssumeRole with the other APIs that produce temporary credentials, see Requesting
63 // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
64 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
65 // in the IAM User Guide.
67 // Important: You cannot call AssumeRole by using AWS root account credentials;
68 // access is denied. You must use credentials for an IAM user or an IAM role
69 // to call AssumeRole.
71 // For cross-account access, imagine that you own multiple accounts and need
72 // to access resources in each account. You could create long-term credentials
73 // in each account to access those resources. However, managing all those credentials
74 // and remembering which one can access which account can be time consuming.
75 // Instead, you can create one set of long-term credentials in one account and
76 // then use temporary security credentials to access all the other accounts
77 // by assuming roles in those accounts. For more information about roles, see
78 // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html)
79 // in the IAM User Guide.
81 // For federation, you can, for example, grant single sign-on access to the
82 // AWS Management Console. If you already have an identity and authentication
83 // system in your corporate network, you don't have to recreate user identities
84 // in AWS in order to grant those user identities access to AWS. Instead, after
85 // a user has been authenticated, you call AssumeRole (and specify the role
86 // with the appropriate permissions) to get temporary security credentials for
87 // that user. With those temporary security credentials, you construct a sign-in
88 // URL that users can use to access the console. For more information, see Common
89 // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
90 // in the IAM User Guide.
92 // By default, the temporary security credentials created by AssumeRole last
93 // for one hour. However, you can use the optional DurationSeconds parameter
94 // to specify the duration of your session. You can provide a value from 900
95 // seconds (15 minutes) up to the maximum session duration setting for the role.
96 // This setting can have a value from 1 hour to 12 hours. To learn how to view
97 // the maximum value for your role, see View the Maximum Session Duration Setting
98 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
99 // in the IAM User Guide. The maximum session duration limit applies when you
100 // use the AssumeRole* API operations or the assume-role* CLI operations but
101 // does not apply when you use those operations to create a console URL. For
102 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
103 // in the IAM User Guide.
105 // The temporary security credentials created by AssumeRole can be used to make
106 // API calls to any AWS service with the following exception: you cannot call
107 // the STS service's GetFederationToken or GetSessionToken APIs.
109 // Optionally, you can pass an IAM access policy to this operation. If you choose
110 // not to pass a policy, the temporary security credentials that are returned
111 // by the operation have the permissions that are defined in the access policy
112 // of the role that is being assumed. If you pass a policy to this operation,
113 // the temporary security credentials that are returned by the operation have
114 // the permissions that are allowed by both the access policy of the role that
115 // is being assumed, and the policy that you pass. This gives you a way to further
116 // restrict the permissions for the resulting temporary security credentials.
117 // You cannot use the passed policy to grant permissions that are in excess
118 // of those allowed by the access policy of the role that is being assumed.
119 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
120 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
121 // in the IAM User Guide.
123 // To assume a role, your AWS account must be trusted by the role. The trust
124 // relationship is defined in the role's trust policy when the role is created.
125 // That trust policy states which accounts are allowed to delegate access to
126 // this account's role.
128 // The user who wants to access the role must also have permissions delegated
129 // from the role's administrator. If the user is in a different account than
130 // the role, then the user's administrator must attach a policy that allows
131 // the user to call AssumeRole on the ARN of the role in the other account.
132 // If the user is in the same account as the role, then you can either attach
133 // a policy to the user (identical to the previous different account user),
134 // or you can add the user as a principal directly in the role's trust policy.
135 // In this case, the trust policy acts as the only resource-based policy in
136 // IAM, and users in the same account as the role do not need explicit permission
137 // to assume the role. For more information about trust policies and resource-based
138 // policies, see IAM Policies (http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html)
139 // in the IAM User Guide.
141 // Using MFA with AssumeRole
143 // You can optionally include multi-factor authentication (MFA) information
144 // when you call AssumeRole. This is useful for cross-account scenarios in which
145 // you want to make sure that the user who is assuming the role has been authenticated
146 // using an AWS MFA device. In that scenario, the trust policy of the role being
147 // assumed includes a condition that tests for MFA authentication; if the caller
148 // does not include valid MFA information, the request to assume the role is
149 // denied. The condition in a trust policy that tests for MFA authentication
150 // might look like the following example.
152 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
154 // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
155 // in the IAM User Guide guide.
157 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
158 // parameters. The SerialNumber value identifies the user's hardware or virtual
159 // MFA device. The TokenCode is the time-based one-time password (TOTP) that
160 // the MFA devices produces.
162 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
163 // with awserr.Error's Code and Message methods to get detailed information about
166 // See the AWS API reference guide for AWS Security Token Service's
167 // API operation AssumeRole for usage and error information.
169 // Returned Error Codes:
170 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
171 // The request was rejected because the policy document was malformed. The error
172 // message describes the specific error.
174 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
175 // The request was rejected because the policy document was too large. The error
176 // message describes how big the policy document is, in packed form, as a percentage
177 // of what the API allows.
179 // * ErrCodeRegionDisabledException "RegionDisabledException"
180 // STS is not activated in the requested region for the account that is being
181 // asked to generate credentials. The account administrator must use the IAM
182 // console to activate STS in that region. For more information, see Activating
183 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
184 // in the IAM User Guide.
186 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole
187 func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
188 req, out := c.AssumeRoleRequest(input)
189 return out, req.Send()
192 // AssumeRoleWithContext is the same as AssumeRole with the addition of
193 // the ability to pass a context and additional request options.
195 // See AssumeRole for details on how to use this API operation.
197 // The context must be non-nil and will be used for request cancellation. If
198 // the context is nil a panic will occur. In the future the SDK may create
199 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
200 // for more information on using Contexts.
201 func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) {
202 req, out := c.AssumeRoleRequest(input)
204 req.ApplyOptions(opts...)
205 return out, req.Send()
208 const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
210 // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
211 // client's request for the AssumeRoleWithSAML operation. The "output" return
212 // value will be populated with the request's response once the request completes
215 // Use "Send" method on the returned Request to send the API call to the service.
216 // the "output" return value is not valid until after Send returns without error.
218 // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML
219 // API call, and error handling.
221 // This method is useful when you want to inject custom logic or configuration
222 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
225 // // Example sending a request using the AssumeRoleWithSAMLRequest method.
226 // req, resp := client.AssumeRoleWithSAMLRequest(params)
229 // if err == nil { // resp is now filled
233 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
234 func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) {
235 op := &request.Operation{
236 Name: opAssumeRoleWithSAML,
242 input = &AssumeRoleWithSAMLInput{}
245 output = &AssumeRoleWithSAMLOutput{}
246 req = c.newRequest(op, input, output)
247 req.Config.Credentials = credentials.AnonymousCredentials
251 // AssumeRoleWithSAML API operation for AWS Security Token Service.
253 // Returns a set of temporary security credentials for users who have been authenticated
254 // via a SAML authentication response. This operation provides a mechanism for
255 // tying an enterprise identity store or directory to role-based AWS access
256 // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
257 // with the other APIs that produce temporary credentials, see Requesting Temporary
258 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
259 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
260 // in the IAM User Guide.
262 // The temporary security credentials returned by this operation consist of
263 // an access key ID, a secret access key, and a security token. Applications
264 // can use these temporary security credentials to sign calls to AWS services.
266 // By default, the temporary security credentials created by AssumeRoleWithSAML
267 // last for one hour. However, you can use the optional DurationSeconds parameter
268 // to specify the duration of your session. Your role session lasts for the
269 // duration that you specify, or until the time specified in the SAML authentication
270 // response's SessionNotOnOrAfter value, whichever is shorter. You can provide
271 // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
272 // duration setting for the role. This setting can have a value from 1 hour
273 // to 12 hours. To learn how to view the maximum value for your role, see View
274 // the Maximum Session Duration Setting for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
275 // in the IAM User Guide. The maximum session duration limit applies when you
276 // use the AssumeRole* API operations or the assume-role* CLI operations but
277 // does not apply when you use those operations to create a console URL. For
278 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
279 // in the IAM User Guide.
281 // The temporary security credentials created by AssumeRoleWithSAML can be used
282 // to make API calls to any AWS service with the following exception: you cannot
283 // call the STS service's GetFederationToken or GetSessionToken APIs.
285 // Optionally, you can pass an IAM access policy to this operation. If you choose
286 // not to pass a policy, the temporary security credentials that are returned
287 // by the operation have the permissions that are defined in the access policy
288 // of the role that is being assumed. If you pass a policy to this operation,
289 // the temporary security credentials that are returned by the operation have
290 // the permissions that are allowed by the intersection of both the access policy
291 // of the role that is being assumed, and the policy that you pass. This means
292 // that both policies must grant the permission for the action to be allowed.
293 // This gives you a way to further restrict the permissions for the resulting
294 // temporary security credentials. You cannot use the passed policy to grant
295 // permissions that are in excess of those allowed by the access policy of the
296 // role that is being assumed. For more information, see Permissions for AssumeRole,
297 // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
298 // in the IAM User Guide.
300 // Before your application can call AssumeRoleWithSAML, you must configure your
301 // SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
302 // you must use AWS Identity and Access Management (IAM) to create a SAML provider
303 // entity in your AWS account that represents your identity provider, and create
304 // an IAM role that specifies this SAML provider in its trust policy.
306 // Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
307 // The identity of the caller is validated by using keys in the metadata document
308 // that is uploaded for the SAML provider entity for your identity provider.
310 // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
311 // logs. The entry includes the value in the NameID element of the SAML assertion.
312 // We recommend that you use a NameIDType that is not associated with any personally
313 // identifiable information (PII). For example, you could instead use the Persistent
314 // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
316 // For more information, see the following resources:
318 // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
319 // in the IAM User Guide.
321 // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
322 // in the IAM User Guide.
324 // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
325 // in the IAM User Guide.
327 // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
328 // in the IAM User Guide.
330 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
331 // with awserr.Error's Code and Message methods to get detailed information about
334 // See the AWS API reference guide for AWS Security Token Service's
335 // API operation AssumeRoleWithSAML for usage and error information.
337 // Returned Error Codes:
338 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
339 // The request was rejected because the policy document was malformed. The error
340 // message describes the specific error.
342 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
343 // The request was rejected because the policy document was too large. The error
344 // message describes how big the policy document is, in packed form, as a percentage
345 // of what the API allows.
347 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
348 // The identity provider (IdP) reported that authentication failed. This might
349 // be because the claim is invalid.
351 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
352 // can also mean that the claim has expired or has been explicitly revoked.
354 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
355 // The web identity token that was passed could not be validated by AWS. Get
356 // a new identity token from the identity provider and then retry the request.
358 // * ErrCodeExpiredTokenException "ExpiredTokenException"
359 // The web identity token that was passed is expired or is not valid. Get a
360 // new identity token from the identity provider and then retry the request.
362 // * ErrCodeRegionDisabledException "RegionDisabledException"
363 // STS is not activated in the requested region for the account that is being
364 // asked to generate credentials. The account administrator must use the IAM
365 // console to activate STS in that region. For more information, see Activating
366 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
367 // in the IAM User Guide.
369 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML
370 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
371 req, out := c.AssumeRoleWithSAMLRequest(input)
372 return out, req.Send()
375 // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of
376 // the ability to pass a context and additional request options.
378 // See AssumeRoleWithSAML for details on how to use this API operation.
380 // The context must be non-nil and will be used for request cancellation. If
381 // the context is nil a panic will occur. In the future the SDK may create
382 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
383 // for more information on using Contexts.
384 func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) {
385 req, out := c.AssumeRoleWithSAMLRequest(input)
387 req.ApplyOptions(opts...)
388 return out, req.Send()
391 const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
393 // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
394 // client's request for the AssumeRoleWithWebIdentity operation. The "output" return
395 // value will be populated with the request's response once the request completes
398 // Use "Send" method on the returned Request to send the API call to the service.
399 // the "output" return value is not valid until after Send returns without error.
401 // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity
402 // API call, and error handling.
404 // This method is useful when you want to inject custom logic or configuration
405 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
408 // // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
409 // req, resp := client.AssumeRoleWithWebIdentityRequest(params)
412 // if err == nil { // resp is now filled
416 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
417 func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) {
418 op := &request.Operation{
419 Name: opAssumeRoleWithWebIdentity,
425 input = &AssumeRoleWithWebIdentityInput{}
428 output = &AssumeRoleWithWebIdentityOutput{}
429 req = c.newRequest(op, input, output)
430 req.Config.Credentials = credentials.AnonymousCredentials
434 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
436 // Returns a set of temporary security credentials for users who have been authenticated
437 // in a mobile or web application with a web identity provider, such as Amazon
438 // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
439 // identity provider.
441 // For mobile applications, we recommend that you use Amazon Cognito. You can
442 // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
443 // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
444 // identify a user and supply the user with a consistent identity throughout
445 // the lifetime of an application.
447 // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
448 // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview
449 // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
450 // in the AWS SDK for iOS Developer Guide.
452 // Calling AssumeRoleWithWebIdentity does not require the use of AWS security
453 // credentials. Therefore, you can distribute an application (for example, on
454 // mobile devices) that requests temporary security credentials without including
455 // long-term AWS credentials in the application, and without deploying server-based
456 // proxy services that use long-term AWS credentials. Instead, the identity
457 // of the caller is validated by using a token from the web identity provider.
458 // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce
459 // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
460 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
461 // in the IAM User Guide.
463 // The temporary security credentials returned by this API consist of an access
464 // key ID, a secret access key, and a security token. Applications can use these
465 // temporary security credentials to sign calls to AWS service APIs.
467 // By default, the temporary security credentials created by AssumeRoleWithWebIdentity
468 // last for one hour. However, you can use the optional DurationSeconds parameter
469 // to specify the duration of your session. You can provide a value from 900
470 // seconds (15 minutes) up to the maximum session duration setting for the role.
471 // This setting can have a value from 1 hour to 12 hours. To learn how to view
472 // the maximum value for your role, see View the Maximum Session Duration Setting
473 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
474 // in the IAM User Guide. The maximum session duration limit applies when you
475 // use the AssumeRole* API operations or the assume-role* CLI operations but
476 // does not apply when you use those operations to create a console URL. For
477 // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html)
478 // in the IAM User Guide.
480 // The temporary security credentials created by AssumeRoleWithWebIdentity can
481 // be used to make API calls to any AWS service with the following exception:
482 // you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
484 // Optionally, you can pass an IAM access policy to this operation. If you choose
485 // not to pass a policy, the temporary security credentials that are returned
486 // by the operation have the permissions that are defined in the access policy
487 // of the role that is being assumed. If you pass a policy to this operation,
488 // the temporary security credentials that are returned by the operation have
489 // the permissions that are allowed by both the access policy of the role that
490 // is being assumed, and the policy that you pass. This gives you a way to further
491 // restrict the permissions for the resulting temporary security credentials.
492 // You cannot use the passed policy to grant permissions that are in excess
493 // of those allowed by the access policy of the role that is being assumed.
494 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
495 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
496 // in the IAM User Guide.
498 // Before your application can call AssumeRoleWithWebIdentity, you must have
499 // an identity token from a supported identity provider and create a role that
500 // the application can assume. The role that your application assumes must trust
501 // the identity provider that is associated with the identity token. In other
502 // words, the identity provider must be specified in the role's trust policy.
504 // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
505 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
506 // of the provided Web Identity Token. We recommend that you avoid using any
507 // personally identifiable information (PII) in this field. For example, you
508 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
509 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
511 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
512 // API, see the following resources:
514 // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
515 // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
518 // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
519 // This interactive website lets you walk through the process of authenticating
520 // via Login with Amazon, Facebook, or Google, getting temporary security
521 // credentials, and then using those credentials to make a request to AWS.
524 // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
525 // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
526 // apps that show how to invoke the identity providers, and then how to use
527 // the information from these providers to get and use temporary security
530 // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
531 // This article discusses web identity federation and shows an example of
532 // how to use web identity federation to get access to content in Amazon
535 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
536 // with awserr.Error's Code and Message methods to get detailed information about
539 // See the AWS API reference guide for AWS Security Token Service's
540 // API operation AssumeRoleWithWebIdentity for usage and error information.
542 // Returned Error Codes:
543 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
544 // The request was rejected because the policy document was malformed. The error
545 // message describes the specific error.
547 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
548 // The request was rejected because the policy document was too large. The error
549 // message describes how big the policy document is, in packed form, as a percentage
550 // of what the API allows.
552 // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim"
553 // The identity provider (IdP) reported that authentication failed. This might
554 // be because the claim is invalid.
556 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
557 // can also mean that the claim has expired or has been explicitly revoked.
559 // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError"
560 // The request could not be fulfilled because the non-AWS identity provider
561 // (IDP) that was asked to verify the incoming identity token could not be reached.
562 // This is often a transient error caused by network conditions. Retry the request
563 // a limited number of times so that you don't exceed the request rate. If the
564 // error persists, the non-AWS identity provider might be down or not responding.
566 // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken"
567 // The web identity token that was passed could not be validated by AWS. Get
568 // a new identity token from the identity provider and then retry the request.
570 // * ErrCodeExpiredTokenException "ExpiredTokenException"
571 // The web identity token that was passed is expired or is not valid. Get a
572 // new identity token from the identity provider and then retry the request.
574 // * ErrCodeRegionDisabledException "RegionDisabledException"
575 // STS is not activated in the requested region for the account that is being
576 // asked to generate credentials. The account administrator must use the IAM
577 // console to activate STS in that region. For more information, see Activating
578 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
579 // in the IAM User Guide.
581 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity
582 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
583 req, out := c.AssumeRoleWithWebIdentityRequest(input)
584 return out, req.Send()
587 // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of
588 // the ability to pass a context and additional request options.
590 // See AssumeRoleWithWebIdentity for details on how to use this API operation.
592 // The context must be non-nil and will be used for request cancellation. If
593 // the context is nil a panic will occur. In the future the SDK may create
594 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
595 // for more information on using Contexts.
596 func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) {
597 req, out := c.AssumeRoleWithWebIdentityRequest(input)
599 req.ApplyOptions(opts...)
600 return out, req.Send()
603 const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
605 // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
606 // client's request for the DecodeAuthorizationMessage operation. The "output" return
607 // value will be populated with the request's response once the request completes
610 // Use "Send" method on the returned Request to send the API call to the service.
611 // the "output" return value is not valid until after Send returns without error.
613 // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage
614 // API call, and error handling.
616 // This method is useful when you want to inject custom logic or configuration
617 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
620 // // Example sending a request using the DecodeAuthorizationMessageRequest method.
621 // req, resp := client.DecodeAuthorizationMessageRequest(params)
624 // if err == nil { // resp is now filled
628 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
629 func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) {
630 op := &request.Operation{
631 Name: opDecodeAuthorizationMessage,
637 input = &DecodeAuthorizationMessageInput{}
640 output = &DecodeAuthorizationMessageOutput{}
641 req = c.newRequest(op, input, output)
645 // DecodeAuthorizationMessage API operation for AWS Security Token Service.
647 // Decodes additional information about the authorization status of a request
648 // from an encoded message returned in response to an AWS request.
650 // For example, if a user is not authorized to perform an action that he or
651 // she has requested, the request returns a Client.UnauthorizedOperation response
652 // (an HTTP 403 response). Some AWS actions additionally return an encoded message
653 // that can provide details about this authorization failure.
655 // Only certain AWS actions return an encoded authorization message. The documentation
656 // for an individual action indicates whether that action returns an encoded
657 // message in addition to returning an HTTP code.
659 // The message is encoded because the details of the authorization status can
660 // constitute privileged information that the user who requested the action
661 // should not see. To decode an authorization status message, a user must be
662 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
663 // (sts:DecodeAuthorizationMessage) action.
665 // The decoded message includes the following type of information:
667 // * Whether the request was denied due to an explicit deny or due to the
668 // absence of an explicit allow. For more information, see Determining Whether
669 // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
670 // in the IAM User Guide.
672 // * The principal who made the request.
674 // * The requested action.
676 // * The requested resource.
678 // * The values of condition keys in the context of the user's request.
680 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
681 // with awserr.Error's Code and Message methods to get detailed information about
684 // See the AWS API reference guide for AWS Security Token Service's
685 // API operation DecodeAuthorizationMessage for usage and error information.
687 // Returned Error Codes:
688 // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException"
689 // The error returned if the message passed to DecodeAuthorizationMessage was
690 // invalid. This can happen if the token contains invalid characters, such as
693 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage
694 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
695 req, out := c.DecodeAuthorizationMessageRequest(input)
696 return out, req.Send()
699 // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of
700 // the ability to pass a context and additional request options.
702 // See DecodeAuthorizationMessage for details on how to use this API operation.
704 // The context must be non-nil and will be used for request cancellation. If
705 // the context is nil a panic will occur. In the future the SDK may create
706 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
707 // for more information on using Contexts.
708 func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) {
709 req, out := c.DecodeAuthorizationMessageRequest(input)
711 req.ApplyOptions(opts...)
712 return out, req.Send()
715 const opGetCallerIdentity = "GetCallerIdentity"
717 // GetCallerIdentityRequest generates a "aws/request.Request" representing the
718 // client's request for the GetCallerIdentity operation. The "output" return
719 // value will be populated with the request's response once the request completes
722 // Use "Send" method on the returned Request to send the API call to the service.
723 // the "output" return value is not valid until after Send returns without error.
725 // See GetCallerIdentity for more information on using the GetCallerIdentity
726 // API call, and error handling.
728 // This method is useful when you want to inject custom logic or configuration
729 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
732 // // Example sending a request using the GetCallerIdentityRequest method.
733 // req, resp := client.GetCallerIdentityRequest(params)
736 // if err == nil { // resp is now filled
740 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
741 func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) {
742 op := &request.Operation{
743 Name: opGetCallerIdentity,
749 input = &GetCallerIdentityInput{}
752 output = &GetCallerIdentityOutput{}
753 req = c.newRequest(op, input, output)
757 // GetCallerIdentity API operation for AWS Security Token Service.
759 // Returns details about the IAM identity whose credentials are used to call
762 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
763 // with awserr.Error's Code and Message methods to get detailed information about
766 // See the AWS API reference guide for AWS Security Token Service's
767 // API operation GetCallerIdentity for usage and error information.
768 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity
769 func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
770 req, out := c.GetCallerIdentityRequest(input)
771 return out, req.Send()
774 // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of
775 // the ability to pass a context and additional request options.
777 // See GetCallerIdentity for details on how to use this API operation.
779 // The context must be non-nil and will be used for request cancellation. If
780 // the context is nil a panic will occur. In the future the SDK may create
781 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
782 // for more information on using Contexts.
783 func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) {
784 req, out := c.GetCallerIdentityRequest(input)
786 req.ApplyOptions(opts...)
787 return out, req.Send()
790 const opGetFederationToken = "GetFederationToken"
792 // GetFederationTokenRequest generates a "aws/request.Request" representing the
793 // client's request for the GetFederationToken operation. The "output" return
794 // value will be populated with the request's response once the request completes
797 // Use "Send" method on the returned Request to send the API call to the service.
798 // the "output" return value is not valid until after Send returns without error.
800 // See GetFederationToken for more information on using the GetFederationToken
801 // API call, and error handling.
803 // This method is useful when you want to inject custom logic or configuration
804 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
807 // // Example sending a request using the GetFederationTokenRequest method.
808 // req, resp := client.GetFederationTokenRequest(params)
811 // if err == nil { // resp is now filled
815 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
816 func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) {
817 op := &request.Operation{
818 Name: opGetFederationToken,
824 input = &GetFederationTokenInput{}
827 output = &GetFederationTokenOutput{}
828 req = c.newRequest(op, input, output)
832 // GetFederationToken API operation for AWS Security Token Service.
834 // Returns a set of temporary security credentials (consisting of an access
835 // key ID, a secret access key, and a security token) for a federated user.
836 // A typical use is in a proxy application that gets temporary security credentials
837 // on behalf of distributed applications inside a corporate network. Because
838 // you must call the GetFederationToken action using the long-term security
839 // credentials of an IAM user, this call is appropriate in contexts where those
840 // credentials can be safely stored, usually in a server-based application.
841 // For a comparison of GetFederationToken with the other APIs that produce temporary
842 // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
843 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
844 // in the IAM User Guide.
846 // If you are creating a mobile-based or browser-based app that can authenticate
847 // users using a web identity provider like Login with Amazon, Facebook, Google,
848 // or an OpenID Connect-compatible identity provider, we recommend that you
849 // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
850 // For more information, see Federation Through a Web-based Identity Provider
851 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
853 // The GetFederationToken action must be called by using the long-term AWS security
854 // credentials of an IAM user. You can also call GetFederationToken using the
855 // security credentials of an AWS root account, but we do not recommended it.
856 // Instead, we recommend that you create an IAM user for the purpose of the
857 // proxy application and then attach a policy to the IAM user that limits federated
858 // users to only the actions and resources that they need access to. For more
859 // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
860 // in the IAM User Guide.
862 // The temporary security credentials that are obtained by using the long-term
863 // credentials of an IAM user are valid for the specified duration, from 900
864 // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default
865 // is 43200 seconds (12 hours). Temporary credentials that are obtained by using
866 // AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
868 // The temporary security credentials created by GetFederationToken can be used
869 // to make API calls to any AWS service with the following exceptions:
871 // * You cannot use these credentials to call any IAM APIs.
873 // * You cannot call any STS APIs except GetCallerIdentity.
877 // The permissions for the temporary security credentials returned by GetFederationToken
878 // are determined by a combination of the following:
880 // * The policy or policies that are attached to the IAM user whose credentials
881 // are used to call GetFederationToken.
883 // * The policy that is passed as a parameter in the call.
885 // The passed policy is attached to the temporary security credentials that
886 // result from the GetFederationToken API call--that is, to the federated user.
887 // When the federated user makes an AWS request, AWS evaluates the policy attached
888 // to the federated user in combination with the policy or policies attached
889 // to the IAM user whose credentials were used to call GetFederationToken. AWS
890 // allows the federated user's request only when both the federated user and
891 // the IAM user are explicitly allowed to perform the requested action. The
892 // passed policy cannot grant more permissions than those that are defined in
893 // the IAM user policy.
895 // A typical use case is that the permissions of the IAM user whose credentials
896 // are used to call GetFederationToken are designed to allow access to all the
897 // actions and resources that any federated user will need. Then, for individual
898 // users, you pass a policy to the operation that scopes down the permissions
899 // to a level that's appropriate to that individual user, using a policy that
900 // allows only a subset of permissions that are granted to the IAM user.
902 // If you do not pass a policy, the resulting temporary security credentials
903 // have no effective permissions. The only exception is when the temporary security
904 // credentials are used to access a resource that has a resource-based policy
905 // that specifically allows the federated user to access the resource.
907 // For more information about how permissions work, see Permissions for GetFederationToken
908 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
909 // For information about using GetFederationToken to create temporary security
910 // credentials, see GetFederationToken—Federation Through a Custom Identity
911 // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
913 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
914 // with awserr.Error's Code and Message methods to get detailed information about
917 // See the AWS API reference guide for AWS Security Token Service's
918 // API operation GetFederationToken for usage and error information.
920 // Returned Error Codes:
921 // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument"
922 // The request was rejected because the policy document was malformed. The error
923 // message describes the specific error.
925 // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge"
926 // The request was rejected because the policy document was too large. The error
927 // message describes how big the policy document is, in packed form, as a percentage
928 // of what the API allows.
930 // * ErrCodeRegionDisabledException "RegionDisabledException"
931 // STS is not activated in the requested region for the account that is being
932 // asked to generate credentials. The account administrator must use the IAM
933 // console to activate STS in that region. For more information, see Activating
934 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
935 // in the IAM User Guide.
937 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken
938 func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
939 req, out := c.GetFederationTokenRequest(input)
940 return out, req.Send()
943 // GetFederationTokenWithContext is the same as GetFederationToken with the addition of
944 // the ability to pass a context and additional request options.
946 // See GetFederationToken for details on how to use this API operation.
948 // The context must be non-nil and will be used for request cancellation. If
949 // the context is nil a panic will occur. In the future the SDK may create
950 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
951 // for more information on using Contexts.
952 func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) {
953 req, out := c.GetFederationTokenRequest(input)
955 req.ApplyOptions(opts...)
956 return out, req.Send()
959 const opGetSessionToken = "GetSessionToken"
961 // GetSessionTokenRequest generates a "aws/request.Request" representing the
962 // client's request for the GetSessionToken operation. The "output" return
963 // value will be populated with the request's response once the request completes
966 // Use "Send" method on the returned Request to send the API call to the service.
967 // the "output" return value is not valid until after Send returns without error.
969 // See GetSessionToken for more information on using the GetSessionToken
970 // API call, and error handling.
972 // This method is useful when you want to inject custom logic or configuration
973 // into the SDK's request lifecycle. Such as custom headers, or retry logic.
976 // // Example sending a request using the GetSessionTokenRequest method.
977 // req, resp := client.GetSessionTokenRequest(params)
980 // if err == nil { // resp is now filled
984 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
985 func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) {
986 op := &request.Operation{
987 Name: opGetSessionToken,
993 input = &GetSessionTokenInput{}
996 output = &GetSessionTokenOutput{}
997 req = c.newRequest(op, input, output)
1001 // GetSessionToken API operation for AWS Security Token Service.
1003 // Returns a set of temporary credentials for an AWS account or IAM user. The
1004 // credentials consist of an access key ID, a secret access key, and a security
1005 // token. Typically, you use GetSessionToken if you want to use MFA to protect
1006 // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
1007 // IAM users would need to call GetSessionToken and submit an MFA code that
1008 // is associated with their MFA device. Using the temporary security credentials
1009 // that are returned from the call, IAM users can then make programmatic calls
1010 // to APIs that require MFA authentication. If you do not supply a correct MFA
1011 // code, then the API returns an access denied error. For a comparison of GetSessionToken
1012 // with the other APIs that produce temporary credentials, see Requesting Temporary
1013 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
1014 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
1015 // in the IAM User Guide.
1017 // The GetSessionToken action must be called by using the long-term AWS security
1018 // credentials of the AWS account or an IAM user. Credentials that are created
1019 // by IAM users are valid for the duration that you specify, from 900 seconds
1020 // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default
1021 // of 43200 seconds (12 hours); credentials that are created by using account
1022 // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600
1023 // seconds (1 hour), with a default of 1 hour.
1025 // The temporary security credentials created by GetSessionToken can be used
1026 // to make API calls to any AWS service with the following exceptions:
1028 // * You cannot call any IAM APIs unless MFA authentication information is
1029 // included in the request.
1031 // * You cannot call any STS API exceptAssumeRole or GetCallerIdentity.
1033 // We recommend that you do not call GetSessionToken with root account credentials.
1034 // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
1035 // by creating one or more IAM users, giving them the necessary permissions,
1036 // and using IAM users for everyday interaction with AWS.
1038 // The permissions associated with the temporary security credentials returned
1039 // by GetSessionToken are based on the permissions associated with account or
1040 // IAM user whose credentials are used to call the action. If GetSessionToken
1041 // is called using root account credentials, the temporary credentials have
1042 // root account permissions. Similarly, if GetSessionToken is called using the
1043 // credentials of an IAM user, the temporary credentials have the same permissions
1046 // For more information about using GetSessionToken to create temporary credentials,
1047 // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
1048 // in the IAM User Guide.
1050 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
1051 // with awserr.Error's Code and Message methods to get detailed information about
1054 // See the AWS API reference guide for AWS Security Token Service's
1055 // API operation GetSessionToken for usage and error information.
1057 // Returned Error Codes:
1058 // * ErrCodeRegionDisabledException "RegionDisabledException"
1059 // STS is not activated in the requested region for the account that is being
1060 // asked to generate credentials. The account administrator must use the IAM
1061 // console to activate STS in that region. For more information, see Activating
1062 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
1063 // in the IAM User Guide.
1065 // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken
1066 func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
1067 req, out := c.GetSessionTokenRequest(input)
1068 return out, req.Send()
1071 // GetSessionTokenWithContext is the same as GetSessionToken with the addition of
1072 // the ability to pass a context and additional request options.
1074 // See GetSessionToken for details on how to use this API operation.
1076 // The context must be non-nil and will be used for request cancellation. If
1077 // the context is nil a panic will occur. In the future the SDK may create
1078 // sub-contexts for http.Requests. See https://golang.org/pkg/context/
1079 // for more information on using Contexts.
1080 func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) {
1081 req, out := c.GetSessionTokenRequest(input)
1083 req.ApplyOptions(opts...)
1084 return out, req.Send()
1087 type AssumeRoleInput struct {
1088 _ struct{} `type:"structure"`
1090 // The duration, in seconds, of the role session. The value can range from 900
1091 // seconds (15 minutes) up to the maximum session duration setting for the role.
1092 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1093 // higher than this setting, the operation fails. For example, if you specify
1094 // a session duration of 12 hours, but your administrator set the maximum session
1095 // duration to 6 hours, your operation fails. To learn how to view the maximum
1096 // value for your role, see View the Maximum Session Duration Setting for a
1097 // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1098 // in the IAM User Guide.
1100 // By default, the value is set to 3600 seconds.
1102 // The DurationSeconds parameter is separate from the duration of a console
1103 // session that you might request using the returned credentials. The request
1104 // to the federation endpoint for a console sign-in token takes a SessionDuration
1105 // parameter that specifies the maximum length of the console session. For more
1106 // information, see Creating a URL that Enables Federated Users to Access the
1107 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1108 // in the IAM User Guide.
1109 DurationSeconds *int64 `min:"900" type:"integer"`
1111 // A unique identifier that is used by third parties when assuming roles in
1112 // their customers' accounts. For each role that the third party can assume,
1113 // they should instruct their customers to ensure the role's trust policy checks
1114 // for the external ID that the third party generated. Each time the third party
1115 // assumes the role, they should pass the customer's external ID. The external
1116 // ID is useful in order to help third parties bind a role to the customer who
1117 // created it. For more information about the external ID, see How to Use an
1118 // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
1119 // in the IAM User Guide.
1121 // The regex used to validated this parameter is a string of characters consisting
1122 // of upper- and lower-case alphanumeric characters with no spaces. You can
1123 // also include underscores or any of the following characters: =,.@:/-
1124 ExternalId *string `min:"2" type:"string"`
1126 // An IAM policy in JSON format.
1128 // This parameter is optional. If you pass a policy, the temporary security
1129 // credentials that are returned by the operation have the permissions that
1130 // are allowed by both (the intersection of) the access policy of the role that
1131 // is being assumed, and the policy that you pass. This gives you a way to further
1132 // restrict the permissions for the resulting temporary security credentials.
1133 // You cannot use the passed policy to grant permissions that are in excess
1134 // of those allowed by the access policy of the role that is being assumed.
1135 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
1136 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1137 // in the IAM User Guide.
1139 // The format for this parameter, as described by its regex pattern, is a string
1140 // of characters up to 2048 characters in length. The characters can be any
1141 // ASCII character from the space character to the end of the valid character
1142 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1143 // and carriage return (\u000D) characters.
1145 // The policy plain text must be 2048 bytes or shorter. However, an internal
1146 // conversion compresses it into a packed binary format with a separate limit.
1147 // The PackedPolicySize response element indicates by percentage how close to
1148 // the upper size limit the policy is, with 100% equaling the maximum allowed
1150 Policy *string `min:"1" type:"string"`
1152 // The Amazon Resource Name (ARN) of the role to assume.
1154 // RoleArn is a required field
1155 RoleArn *string `min:"20" type:"string" required:"true"`
1157 // An identifier for the assumed role session.
1159 // Use the role session name to uniquely identify a session when the same role
1160 // is assumed by different principals or for different reasons. In cross-account
1161 // scenarios, the role session name is visible to, and can be logged by the
1162 // account that owns the role. The role session name is also used in the ARN
1163 // of the assumed role principal. This means that subsequent cross-account API
1164 // requests using the temporary security credentials will expose the role session
1165 // name to the external account in their CloudTrail logs.
1167 // The regex used to validate this parameter is a string of characters consisting
1168 // of upper- and lower-case alphanumeric characters with no spaces. You can
1169 // also include underscores or any of the following characters: =,.@-
1171 // RoleSessionName is a required field
1172 RoleSessionName *string `min:"2" type:"string" required:"true"`
1174 // The identification number of the MFA device that is associated with the user
1175 // who is making the AssumeRole call. Specify this value if the trust policy
1176 // of the role being assumed includes a condition that requires MFA authentication.
1177 // The value is either the serial number for a hardware device (such as GAHT12345678)
1178 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
1180 // The regex used to validate this parameter is a string of characters consisting
1181 // of upper- and lower-case alphanumeric characters with no spaces. You can
1182 // also include underscores or any of the following characters: =,.@-
1183 SerialNumber *string `min:"9" type:"string"`
1185 // The value provided by the MFA device, if the trust policy of the role being
1186 // assumed requires MFA (that is, if the policy includes a condition that tests
1187 // for MFA). If the role being assumed requires MFA and if the TokenCode value
1188 // is missing or expired, the AssumeRole call returns an "access denied" error.
1190 // The format for this parameter, as described by its regex pattern, is a sequence
1191 // of six numeric digits.
1192 TokenCode *string `min:"6" type:"string"`
1195 // String returns the string representation
1196 func (s AssumeRoleInput) String() string {
1197 return awsutil.Prettify(s)
1200 // GoString returns the string representation
1201 func (s AssumeRoleInput) GoString() string {
1205 // Validate inspects the fields of the type to determine if they are valid.
1206 func (s *AssumeRoleInput) Validate() error {
1207 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"}
1208 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1209 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1211 if s.ExternalId != nil && len(*s.ExternalId) < 2 {
1212 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2))
1214 if s.Policy != nil && len(*s.Policy) < 1 {
1215 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1217 if s.RoleArn == nil {
1218 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1220 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1221 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1223 if s.RoleSessionName == nil {
1224 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1226 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1227 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1229 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
1230 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
1232 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
1233 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
1236 if invalidParams.Len() > 0 {
1237 return invalidParams
1242 // SetDurationSeconds sets the DurationSeconds field's value.
1243 func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput {
1244 s.DurationSeconds = &v
1248 // SetExternalId sets the ExternalId field's value.
1249 func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput {
1254 // SetPolicy sets the Policy field's value.
1255 func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput {
1260 // SetRoleArn sets the RoleArn field's value.
1261 func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput {
1266 // SetRoleSessionName sets the RoleSessionName field's value.
1267 func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput {
1268 s.RoleSessionName = &v
1272 // SetSerialNumber sets the SerialNumber field's value.
1273 func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput {
1278 // SetTokenCode sets the TokenCode field's value.
1279 func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput {
1284 // Contains the response to a successful AssumeRole request, including temporary
1285 // AWS credentials that can be used to make AWS requests.
1286 type AssumeRoleOutput struct {
1287 _ struct{} `type:"structure"`
1289 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1290 // that you can use to refer to the resulting temporary security credentials.
1291 // For example, you can reference these credentials as a principal in a resource-based
1292 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1293 // that you specified when you called AssumeRole.
1294 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1296 // The temporary security credentials, which include an access key ID, a secret
1297 // access key, and a security (or session) token.
1299 // Note: The size of the security token that STS APIs return is not fixed. We
1300 // strongly recommend that you make no assumptions about the maximum size. As
1301 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1302 // Also, future updates to AWS might require larger sizes.
1303 Credentials *Credentials `type:"structure"`
1305 // A percentage value that indicates the size of the policy in packed form.
1306 // The service rejects any policy with a packed size greater than 100 percent,
1307 // which means the policy exceeded the allowed space.
1308 PackedPolicySize *int64 `type:"integer"`
1311 // String returns the string representation
1312 func (s AssumeRoleOutput) String() string {
1313 return awsutil.Prettify(s)
1316 // GoString returns the string representation
1317 func (s AssumeRoleOutput) GoString() string {
1321 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1322 func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput {
1323 s.AssumedRoleUser = v
1327 // SetCredentials sets the Credentials field's value.
1328 func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput {
1333 // SetPackedPolicySize sets the PackedPolicySize field's value.
1334 func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput {
1335 s.PackedPolicySize = &v
1339 type AssumeRoleWithSAMLInput struct {
1340 _ struct{} `type:"structure"`
1342 // The duration, in seconds, of the role session. Your role session lasts for
1343 // the duration that you specify for the DurationSeconds parameter, or until
1344 // the time specified in the SAML authentication response's SessionNotOnOrAfter
1345 // value, whichever is shorter. You can provide a DurationSeconds value from
1346 // 900 seconds (15 minutes) up to the maximum session duration setting for the
1347 // role. This setting can have a value from 1 hour to 12 hours. If you specify
1348 // a value higher than this setting, the operation fails. For example, if you
1349 // specify a session duration of 12 hours, but your administrator set the maximum
1350 // session duration to 6 hours, your operation fails. To learn how to view the
1351 // maximum value for your role, see View the Maximum Session Duration Setting
1352 // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1353 // in the IAM User Guide.
1355 // By default, the value is set to 3600 seconds.
1357 // The DurationSeconds parameter is separate from the duration of a console
1358 // session that you might request using the returned credentials. The request
1359 // to the federation endpoint for a console sign-in token takes a SessionDuration
1360 // parameter that specifies the maximum length of the console session. For more
1361 // information, see Creating a URL that Enables Federated Users to Access the
1362 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1363 // in the IAM User Guide.
1364 DurationSeconds *int64 `min:"900" type:"integer"`
1366 // An IAM policy in JSON format.
1368 // The policy parameter is optional. If you pass a policy, the temporary security
1369 // credentials that are returned by the operation have the permissions that
1370 // are allowed by both the access policy of the role that is being assumed,
1371 // and the policy that you pass. This gives you a way to further restrict the
1372 // permissions for the resulting temporary security credentials. You cannot
1373 // use the passed policy to grant permissions that are in excess of those allowed
1374 // by the access policy of the role that is being assumed. For more information,
1375 // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
1376 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1377 // in the IAM User Guide.
1379 // The format for this parameter, as described by its regex pattern, is a string
1380 // of characters up to 2048 characters in length. The characters can be any
1381 // ASCII character from the space character to the end of the valid character
1382 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1383 // and carriage return (\u000D) characters.
1385 // The policy plain text must be 2048 bytes or shorter. However, an internal
1386 // conversion compresses it into a packed binary format with a separate limit.
1387 // The PackedPolicySize response element indicates by percentage how close to
1388 // the upper size limit the policy is, with 100% equaling the maximum allowed
1390 Policy *string `min:"1" type:"string"`
1392 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
1395 // PrincipalArn is a required field
1396 PrincipalArn *string `min:"20" type:"string" required:"true"`
1398 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1400 // RoleArn is a required field
1401 RoleArn *string `min:"20" type:"string" required:"true"`
1403 // The base-64 encoded SAML authentication response provided by the IdP.
1405 // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
1406 // in the Using IAM guide.
1408 // SAMLAssertion is a required field
1409 SAMLAssertion *string `min:"4" type:"string" required:"true"`
1412 // String returns the string representation
1413 func (s AssumeRoleWithSAMLInput) String() string {
1414 return awsutil.Prettify(s)
1417 // GoString returns the string representation
1418 func (s AssumeRoleWithSAMLInput) GoString() string {
1422 // Validate inspects the fields of the type to determine if they are valid.
1423 func (s *AssumeRoleWithSAMLInput) Validate() error {
1424 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
1425 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1426 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1428 if s.Policy != nil && len(*s.Policy) < 1 {
1429 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1431 if s.PrincipalArn == nil {
1432 invalidParams.Add(request.NewErrParamRequired("PrincipalArn"))
1434 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
1435 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20))
1437 if s.RoleArn == nil {
1438 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1440 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1441 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1443 if s.SAMLAssertion == nil {
1444 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion"))
1446 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
1447 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
1450 if invalidParams.Len() > 0 {
1451 return invalidParams
1456 // SetDurationSeconds sets the DurationSeconds field's value.
1457 func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput {
1458 s.DurationSeconds = &v
1462 // SetPolicy sets the Policy field's value.
1463 func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput {
1468 // SetPrincipalArn sets the PrincipalArn field's value.
1469 func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput {
1474 // SetRoleArn sets the RoleArn field's value.
1475 func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput {
1480 // SetSAMLAssertion sets the SAMLAssertion field's value.
1481 func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput {
1482 s.SAMLAssertion = &v
1486 // Contains the response to a successful AssumeRoleWithSAML request, including
1487 // temporary AWS credentials that can be used to make AWS requests.
1488 type AssumeRoleWithSAMLOutput struct {
1489 _ struct{} `type:"structure"`
1491 // The identifiers for the temporary security credentials that the operation
1493 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1495 // The value of the Recipient attribute of the SubjectConfirmationData element
1496 // of the SAML assertion.
1497 Audience *string `type:"string"`
1499 // The temporary security credentials, which include an access key ID, a secret
1500 // access key, and a security (or session) token.
1502 // Note: The size of the security token that STS APIs return is not fixed. We
1503 // strongly recommend that you make no assumptions about the maximum size. As
1504 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1505 // Also, future updates to AWS might require larger sizes.
1506 Credentials *Credentials `type:"structure"`
1508 // The value of the Issuer element of the SAML assertion.
1509 Issuer *string `type:"string"`
1511 // A hash value based on the concatenation of the Issuer response value, the
1512 // AWS account ID, and the friendly name (the last part of the ARN) of the SAML
1513 // provider in IAM. The combination of NameQualifier and Subject can be used
1514 // to uniquely identify a federated user.
1516 // The following pseudocode shows how the hash value is calculated:
1518 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
1520 NameQualifier *string `type:"string"`
1522 // A percentage value that indicates the size of the policy in packed form.
1523 // The service rejects any policy with a packed size greater than 100 percent,
1524 // which means the policy exceeded the allowed space.
1525 PackedPolicySize *int64 `type:"integer"`
1527 // The value of the NameID element in the Subject element of the SAML assertion.
1528 Subject *string `type:"string"`
1530 // The format of the name ID, as defined by the Format attribute in the NameID
1531 // element of the SAML assertion. Typical examples of the format are transient
1534 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
1535 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
1536 // is returned as transient. If the format includes any other prefix, the format
1537 // is returned with no modifications.
1538 SubjectType *string `type:"string"`
1541 // String returns the string representation
1542 func (s AssumeRoleWithSAMLOutput) String() string {
1543 return awsutil.Prettify(s)
1546 // GoString returns the string representation
1547 func (s AssumeRoleWithSAMLOutput) GoString() string {
1551 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1552 func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput {
1553 s.AssumedRoleUser = v
1557 // SetAudience sets the Audience field's value.
1558 func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput {
1563 // SetCredentials sets the Credentials field's value.
1564 func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput {
1569 // SetIssuer sets the Issuer field's value.
1570 func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput {
1575 // SetNameQualifier sets the NameQualifier field's value.
1576 func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput {
1577 s.NameQualifier = &v
1581 // SetPackedPolicySize sets the PackedPolicySize field's value.
1582 func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput {
1583 s.PackedPolicySize = &v
1587 // SetSubject sets the Subject field's value.
1588 func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput {
1593 // SetSubjectType sets the SubjectType field's value.
1594 func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput {
1599 type AssumeRoleWithWebIdentityInput struct {
1600 _ struct{} `type:"structure"`
1602 // The duration, in seconds, of the role session. The value can range from 900
1603 // seconds (15 minutes) up to the maximum session duration setting for the role.
1604 // This setting can have a value from 1 hour to 12 hours. If you specify a value
1605 // higher than this setting, the operation fails. For example, if you specify
1606 // a session duration of 12 hours, but your administrator set the maximum session
1607 // duration to 6 hours, your operation fails. To learn how to view the maximum
1608 // value for your role, see View the Maximum Session Duration Setting for a
1609 // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
1610 // in the IAM User Guide.
1612 // By default, the value is set to 3600 seconds.
1614 // The DurationSeconds parameter is separate from the duration of a console
1615 // session that you might request using the returned credentials. The request
1616 // to the federation endpoint for a console sign-in token takes a SessionDuration
1617 // parameter that specifies the maximum length of the console session. For more
1618 // information, see Creating a URL that Enables Federated Users to Access the
1619 // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1620 // in the IAM User Guide.
1621 DurationSeconds *int64 `min:"900" type:"integer"`
1623 // An IAM policy in JSON format.
1625 // The policy parameter is optional. If you pass a policy, the temporary security
1626 // credentials that are returned by the operation have the permissions that
1627 // are allowed by both the access policy of the role that is being assumed,
1628 // and the policy that you pass. This gives you a way to further restrict the
1629 // permissions for the resulting temporary security credentials. You cannot
1630 // use the passed policy to grant permissions that are in excess of those allowed
1631 // by the access policy of the role that is being assumed. For more information,
1632 // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1633 // in the IAM User Guide.
1635 // The format for this parameter, as described by its regex pattern, is a string
1636 // of characters up to 2048 characters in length. The characters can be any
1637 // ASCII character from the space character to the end of the valid character
1638 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1639 // and carriage return (\u000D) characters.
1641 // The policy plain text must be 2048 bytes or shorter. However, an internal
1642 // conversion compresses it into a packed binary format with a separate limit.
1643 // The PackedPolicySize response element indicates by percentage how close to
1644 // the upper size limit the policy is, with 100% equaling the maximum allowed
1646 Policy *string `min:"1" type:"string"`
1648 // The fully qualified host component of the domain name of the identity provider.
1650 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
1651 // and graph.facebook.com are the only supported identity providers for OAuth
1652 // 2.0 access tokens. Do not include URL schemes and port numbers.
1654 // Do not specify this value for OpenID Connect ID tokens.
1655 ProviderId *string `min:"4" type:"string"`
1657 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1659 // RoleArn is a required field
1660 RoleArn *string `min:"20" type:"string" required:"true"`
1662 // An identifier for the assumed role session. Typically, you pass the name
1663 // or identifier that is associated with the user who is using your application.
1664 // That way, the temporary security credentials that your application will use
1665 // are associated with that user. This session name is included as part of the
1666 // ARN and assumed role ID in the AssumedRoleUser response element.
1668 // The regex used to validate this parameter is a string of characters consisting
1669 // of upper- and lower-case alphanumeric characters with no spaces. You can
1670 // also include underscores or any of the following characters: =,.@-
1672 // RoleSessionName is a required field
1673 RoleSessionName *string `min:"2" type:"string" required:"true"`
1675 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by
1676 // the identity provider. Your application must get this token by authenticating
1677 // the user who is using your application with a web identity provider before
1678 // the application makes an AssumeRoleWithWebIdentity call.
1680 // WebIdentityToken is a required field
1681 WebIdentityToken *string `min:"4" type:"string" required:"true"`
1684 // String returns the string representation
1685 func (s AssumeRoleWithWebIdentityInput) String() string {
1686 return awsutil.Prettify(s)
1689 // GoString returns the string representation
1690 func (s AssumeRoleWithWebIdentityInput) GoString() string {
1694 // Validate inspects the fields of the type to determine if they are valid.
1695 func (s *AssumeRoleWithWebIdentityInput) Validate() error {
1696 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
1697 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1698 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1700 if s.Policy != nil && len(*s.Policy) < 1 {
1701 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1703 if s.ProviderId != nil && len(*s.ProviderId) < 4 {
1704 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4))
1706 if s.RoleArn == nil {
1707 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1709 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1710 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1712 if s.RoleSessionName == nil {
1713 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1715 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1716 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1718 if s.WebIdentityToken == nil {
1719 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken"))
1721 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
1722 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
1725 if invalidParams.Len() > 0 {
1726 return invalidParams
1731 // SetDurationSeconds sets the DurationSeconds field's value.
1732 func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput {
1733 s.DurationSeconds = &v
1737 // SetPolicy sets the Policy field's value.
1738 func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput {
1743 // SetProviderId sets the ProviderId field's value.
1744 func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput {
1749 // SetRoleArn sets the RoleArn field's value.
1750 func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput {
1755 // SetRoleSessionName sets the RoleSessionName field's value.
1756 func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput {
1757 s.RoleSessionName = &v
1761 // SetWebIdentityToken sets the WebIdentityToken field's value.
1762 func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput {
1763 s.WebIdentityToken = &v
1767 // Contains the response to a successful AssumeRoleWithWebIdentity request,
1768 // including temporary AWS credentials that can be used to make AWS requests.
1769 type AssumeRoleWithWebIdentityOutput struct {
1770 _ struct{} `type:"structure"`
1772 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1773 // that you can use to refer to the resulting temporary security credentials.
1774 // For example, you can reference these credentials as a principal in a resource-based
1775 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1776 // that you specified when you called AssumeRole.
1777 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1779 // The intended audience (also known as client ID) of the web identity token.
1780 // This is traditionally the client identifier issued to the application that
1781 // requested the web identity token.
1782 Audience *string `type:"string"`
1784 // The temporary security credentials, which include an access key ID, a secret
1785 // access key, and a security token.
1787 // Note: The size of the security token that STS APIs return is not fixed. We
1788 // strongly recommend that you make no assumptions about the maximum size. As
1789 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1790 // Also, future updates to AWS might require larger sizes.
1791 Credentials *Credentials `type:"structure"`
1793 // A percentage value that indicates the size of the policy in packed form.
1794 // The service rejects any policy with a packed size greater than 100 percent,
1795 // which means the policy exceeded the allowed space.
1796 PackedPolicySize *int64 `type:"integer"`
1798 // The issuing authority of the web identity token presented. For OpenID Connect
1799 // ID Tokens this contains the value of the iss field. For OAuth 2.0 access
1800 // tokens, this contains the value of the ProviderId parameter that was passed
1801 // in the AssumeRoleWithWebIdentity request.
1802 Provider *string `type:"string"`
1804 // The unique user identifier that is returned by the identity provider. This
1805 // identifier is associated with the WebIdentityToken that was submitted with
1806 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to
1807 // the user and the application that acquired the WebIdentityToken (pairwise
1808 // identifier). For OpenID Connect ID tokens, this field contains the value
1809 // returned by the identity provider as the token's sub (Subject) claim.
1810 SubjectFromWebIdentityToken *string `min:"6" type:"string"`
1813 // String returns the string representation
1814 func (s AssumeRoleWithWebIdentityOutput) String() string {
1815 return awsutil.Prettify(s)
1818 // GoString returns the string representation
1819 func (s AssumeRoleWithWebIdentityOutput) GoString() string {
1823 // SetAssumedRoleUser sets the AssumedRoleUser field's value.
1824 func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput {
1825 s.AssumedRoleUser = v
1829 // SetAudience sets the Audience field's value.
1830 func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput {
1835 // SetCredentials sets the Credentials field's value.
1836 func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput {
1841 // SetPackedPolicySize sets the PackedPolicySize field's value.
1842 func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput {
1843 s.PackedPolicySize = &v
1847 // SetProvider sets the Provider field's value.
1848 func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput {
1853 // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value.
1854 func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput {
1855 s.SubjectFromWebIdentityToken = &v
1859 // The identifiers for the temporary security credentials that the operation
1861 type AssumedRoleUser struct {
1862 _ struct{} `type:"structure"`
1864 // The ARN of the temporary security credentials that are returned from the
1865 // AssumeRole action. For more information about ARNs and how to use them in
1866 // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
1869 // Arn is a required field
1870 Arn *string `min:"20" type:"string" required:"true"`
1872 // A unique identifier that contains the role ID and the role session name of
1873 // the role that is being assumed. The role ID is generated by AWS when the
1876 // AssumedRoleId is a required field
1877 AssumedRoleId *string `min:"2" type:"string" required:"true"`
1880 // String returns the string representation
1881 func (s AssumedRoleUser) String() string {
1882 return awsutil.Prettify(s)
1885 // GoString returns the string representation
1886 func (s AssumedRoleUser) GoString() string {
1890 // SetArn sets the Arn field's value.
1891 func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser {
1896 // SetAssumedRoleId sets the AssumedRoleId field's value.
1897 func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser {
1898 s.AssumedRoleId = &v
1902 // AWS credentials for API authentication.
1903 type Credentials struct {
1904 _ struct{} `type:"structure"`
1906 // The access key ID that identifies the temporary security credentials.
1908 // AccessKeyId is a required field
1909 AccessKeyId *string `min:"16" type:"string" required:"true"`
1911 // The date on which the current credentials expire.
1913 // Expiration is a required field
1914 Expiration *time.Time `type:"timestamp" required:"true"`
1916 // The secret access key that can be used to sign requests.
1918 // SecretAccessKey is a required field
1919 SecretAccessKey *string `type:"string" required:"true"`
1921 // The token that users must pass to the service API to use the temporary credentials.
1923 // SessionToken is a required field
1924 SessionToken *string `type:"string" required:"true"`
1927 // String returns the string representation
1928 func (s Credentials) String() string {
1929 return awsutil.Prettify(s)
1932 // GoString returns the string representation
1933 func (s Credentials) GoString() string {
1937 // SetAccessKeyId sets the AccessKeyId field's value.
1938 func (s *Credentials) SetAccessKeyId(v string) *Credentials {
1943 // SetExpiration sets the Expiration field's value.
1944 func (s *Credentials) SetExpiration(v time.Time) *Credentials {
1949 // SetSecretAccessKey sets the SecretAccessKey field's value.
1950 func (s *Credentials) SetSecretAccessKey(v string) *Credentials {
1951 s.SecretAccessKey = &v
1955 // SetSessionToken sets the SessionToken field's value.
1956 func (s *Credentials) SetSessionToken(v string) *Credentials {
1961 type DecodeAuthorizationMessageInput struct {
1962 _ struct{} `type:"structure"`
1964 // The encoded message that was returned with the response.
1966 // EncodedMessage is a required field
1967 EncodedMessage *string `min:"1" type:"string" required:"true"`
1970 // String returns the string representation
1971 func (s DecodeAuthorizationMessageInput) String() string {
1972 return awsutil.Prettify(s)
1975 // GoString returns the string representation
1976 func (s DecodeAuthorizationMessageInput) GoString() string {
1980 // Validate inspects the fields of the type to determine if they are valid.
1981 func (s *DecodeAuthorizationMessageInput) Validate() error {
1982 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
1983 if s.EncodedMessage == nil {
1984 invalidParams.Add(request.NewErrParamRequired("EncodedMessage"))
1986 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
1987 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1))
1990 if invalidParams.Len() > 0 {
1991 return invalidParams
1996 // SetEncodedMessage sets the EncodedMessage field's value.
1997 func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput {
1998 s.EncodedMessage = &v
2002 // A document that contains additional information about the authorization status
2003 // of a request from an encoded message that is returned in response to an AWS
2005 type DecodeAuthorizationMessageOutput struct {
2006 _ struct{} `type:"structure"`
2008 // An XML document that contains the decoded message.
2009 DecodedMessage *string `type:"string"`
2012 // String returns the string representation
2013 func (s DecodeAuthorizationMessageOutput) String() string {
2014 return awsutil.Prettify(s)
2017 // GoString returns the string representation
2018 func (s DecodeAuthorizationMessageOutput) GoString() string {
2022 // SetDecodedMessage sets the DecodedMessage field's value.
2023 func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput {
2024 s.DecodedMessage = &v
2028 // Identifiers for the federated user that is associated with the credentials.
2029 type FederatedUser struct {
2030 _ struct{} `type:"structure"`
2032 // The ARN that specifies the federated user that is associated with the credentials.
2033 // For more information about ARNs and how to use them in policies, see IAM
2034 // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
2037 // Arn is a required field
2038 Arn *string `min:"20" type:"string" required:"true"`
2040 // The string that identifies the federated user associated with the credentials,
2041 // similar to the unique ID of an IAM user.
2043 // FederatedUserId is a required field
2044 FederatedUserId *string `min:"2" type:"string" required:"true"`
2047 // String returns the string representation
2048 func (s FederatedUser) String() string {
2049 return awsutil.Prettify(s)
2052 // GoString returns the string representation
2053 func (s FederatedUser) GoString() string {
2057 // SetArn sets the Arn field's value.
2058 func (s *FederatedUser) SetArn(v string) *FederatedUser {
2063 // SetFederatedUserId sets the FederatedUserId field's value.
2064 func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser {
2065 s.FederatedUserId = &v
2069 type GetCallerIdentityInput struct {
2070 _ struct{} `type:"structure"`
2073 // String returns the string representation
2074 func (s GetCallerIdentityInput) String() string {
2075 return awsutil.Prettify(s)
2078 // GoString returns the string representation
2079 func (s GetCallerIdentityInput) GoString() string {
2083 // Contains the response to a successful GetCallerIdentity request, including
2084 // information about the entity making the request.
2085 type GetCallerIdentityOutput struct {
2086 _ struct{} `type:"structure"`
2088 // The AWS account ID number of the account that owns or contains the calling
2090 Account *string `type:"string"`
2092 // The AWS ARN associated with the calling entity.
2093 Arn *string `min:"20" type:"string"`
2095 // The unique identifier of the calling entity. The exact value depends on the
2096 // type of entity making the call. The values returned are those listed in the
2097 // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
2098 // found on the Policy Variables reference page in the IAM User Guide.
2099 UserId *string `type:"string"`
2102 // String returns the string representation
2103 func (s GetCallerIdentityOutput) String() string {
2104 return awsutil.Prettify(s)
2107 // GoString returns the string representation
2108 func (s GetCallerIdentityOutput) GoString() string {
2112 // SetAccount sets the Account field's value.
2113 func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput {
2118 // SetArn sets the Arn field's value.
2119 func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput {
2124 // SetUserId sets the UserId field's value.
2125 func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput {
2130 type GetFederationTokenInput struct {
2131 _ struct{} `type:"structure"`
2133 // The duration, in seconds, that the session should last. Acceptable durations
2134 // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
2135 // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
2136 // using AWS account (root) credentials are restricted to a maximum of 3600
2137 // seconds (one hour). If the specified duration is longer than one hour, the
2138 // session obtained by using AWS account (root) credentials defaults to one
2140 DurationSeconds *int64 `min:"900" type:"integer"`
2142 // The name of the federated user. The name is used as an identifier for the
2143 // temporary security credentials (such as Bob). For example, you can reference
2144 // the federated user name in a resource-based policy, such as in an Amazon
2145 // S3 bucket policy.
2147 // The regex used to validate this parameter is a string of characters consisting
2148 // of upper- and lower-case alphanumeric characters with no spaces. You can
2149 // also include underscores or any of the following characters: =,.@-
2151 // Name is a required field
2152 Name *string `min:"2" type:"string" required:"true"`
2154 // An IAM policy in JSON format that is passed with the GetFederationToken call
2155 // and evaluated along with the policy or policies that are attached to the
2156 // IAM user whose credentials are used to call GetFederationToken. The passed
2157 // policy is used to scope down the permissions that are available to the IAM
2158 // user, by allowing only a subset of the permissions that are granted to the
2159 // IAM user. The passed policy cannot grant more permissions than those granted
2160 // to the IAM user. The final permissions for the federated user are the most
2161 // restrictive set based on the intersection of the passed policy and the IAM
2164 // If you do not pass a policy, the resulting temporary security credentials
2165 // have no effective permissions. The only exception is when the temporary security
2166 // credentials are used to access a resource that has a resource-based policy
2167 // that specifically allows the federated user to access the resource.
2169 // The format for this parameter, as described by its regex pattern, is a string
2170 // of characters up to 2048 characters in length. The characters can be any
2171 // ASCII character from the space character to the end of the valid character
2172 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
2173 // and carriage return (\u000D) characters.
2175 // The policy plain text must be 2048 bytes or shorter. However, an internal
2176 // conversion compresses it into a packed binary format with a separate limit.
2177 // The PackedPolicySize response element indicates by percentage how close to
2178 // the upper size limit the policy is, with 100% equaling the maximum allowed
2181 // For more information about how permissions work, see Permissions for GetFederationToken
2182 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
2183 Policy *string `min:"1" type:"string"`
2186 // String returns the string representation
2187 func (s GetFederationTokenInput) String() string {
2188 return awsutil.Prettify(s)
2191 // GoString returns the string representation
2192 func (s GetFederationTokenInput) GoString() string {
2196 // Validate inspects the fields of the type to determine if they are valid.
2197 func (s *GetFederationTokenInput) Validate() error {
2198 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"}
2199 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2200 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2203 invalidParams.Add(request.NewErrParamRequired("Name"))
2205 if s.Name != nil && len(*s.Name) < 2 {
2206 invalidParams.Add(request.NewErrParamMinLen("Name", 2))
2208 if s.Policy != nil && len(*s.Policy) < 1 {
2209 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
2212 if invalidParams.Len() > 0 {
2213 return invalidParams
2218 // SetDurationSeconds sets the DurationSeconds field's value.
2219 func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput {
2220 s.DurationSeconds = &v
2224 // SetName sets the Name field's value.
2225 func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput {
2230 // SetPolicy sets the Policy field's value.
2231 func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput {
2236 // Contains the response to a successful GetFederationToken request, including
2237 // temporary AWS credentials that can be used to make AWS requests.
2238 type GetFederationTokenOutput struct {
2239 _ struct{} `type:"structure"`
2241 // The temporary security credentials, which include an access key ID, a secret
2242 // access key, and a security (or session) token.
2244 // Note: The size of the security token that STS APIs return is not fixed. We
2245 // strongly recommend that you make no assumptions about the maximum size. As
2246 // of this writing, the typical size is less than 4096 bytes, but that can vary.
2247 // Also, future updates to AWS might require larger sizes.
2248 Credentials *Credentials `type:"structure"`
2250 // Identifiers for the federated user associated with the credentials (such
2251 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
2252 // can use the federated user's ARN in your resource-based policies, such as
2253 // an Amazon S3 bucket policy.
2254 FederatedUser *FederatedUser `type:"structure"`
2256 // A percentage value indicating the size of the policy in packed form. The
2257 // service rejects policies for which the packed size is greater than 100 percent
2258 // of the allowed value.
2259 PackedPolicySize *int64 `type:"integer"`
2262 // String returns the string representation
2263 func (s GetFederationTokenOutput) String() string {
2264 return awsutil.Prettify(s)
2267 // GoString returns the string representation
2268 func (s GetFederationTokenOutput) GoString() string {
2272 // SetCredentials sets the Credentials field's value.
2273 func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput {
2278 // SetFederatedUser sets the FederatedUser field's value.
2279 func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput {
2284 // SetPackedPolicySize sets the PackedPolicySize field's value.
2285 func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput {
2286 s.PackedPolicySize = &v
2290 type GetSessionTokenInput struct {
2291 _ struct{} `type:"structure"`
2293 // The duration, in seconds, that the credentials should remain valid. Acceptable
2294 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600
2295 // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions
2296 // for AWS account owners are restricted to a maximum of 3600 seconds (one hour).
2297 // If the duration is longer than one hour, the session for AWS account owners
2298 // defaults to one hour.
2299 DurationSeconds *int64 `min:"900" type:"integer"`
2301 // The identification number of the MFA device that is associated with the IAM
2302 // user who is making the GetSessionToken call. Specify this value if the IAM
2303 // user has a policy that requires MFA authentication. The value is either the
2304 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
2305 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
2306 // You can find the device for an IAM user by going to the AWS Management Console
2307 // and viewing the user's security credentials.
2309 // The regex used to validated this parameter is a string of characters consisting
2310 // of upper- and lower-case alphanumeric characters with no spaces. You can
2311 // also include underscores or any of the following characters: =,.@:/-
2312 SerialNumber *string `min:"9" type:"string"`
2314 // The value provided by the MFA device, if MFA is required. If any policy requires
2315 // the IAM user to submit an MFA code, specify this value. If MFA authentication
2316 // is required, and the user does not provide a code when requesting a set of
2317 // temporary security credentials, the user will receive an "access denied"
2318 // response when requesting resources that require MFA authentication.
2320 // The format for this parameter, as described by its regex pattern, is a sequence
2321 // of six numeric digits.
2322 TokenCode *string `min:"6" type:"string"`
2325 // String returns the string representation
2326 func (s GetSessionTokenInput) String() string {
2327 return awsutil.Prettify(s)
2330 // GoString returns the string representation
2331 func (s GetSessionTokenInput) GoString() string {
2335 // Validate inspects the fields of the type to determine if they are valid.
2336 func (s *GetSessionTokenInput) Validate() error {
2337 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"}
2338 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
2339 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
2341 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
2342 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
2344 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
2345 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
2348 if invalidParams.Len() > 0 {
2349 return invalidParams
2354 // SetDurationSeconds sets the DurationSeconds field's value.
2355 func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput {
2356 s.DurationSeconds = &v
2360 // SetSerialNumber sets the SerialNumber field's value.
2361 func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput {
2366 // SetTokenCode sets the TokenCode field's value.
2367 func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput {
2372 // Contains the response to a successful GetSessionToken request, including
2373 // temporary AWS credentials that can be used to make AWS requests.
2374 type GetSessionTokenOutput struct {
2375 _ struct{} `type:"structure"`
2377 // The temporary security credentials, which include an access key ID, a secret
2378 // access key, and a security (or session) token.
2380 // Note: The size of the security token that STS APIs return is not fixed. We
2381 // strongly recommend that you make no assumptions about the maximum size. As
2382 // of this writing, the typical size is less than 4096 bytes, but that can vary.
2383 // Also, future updates to AWS might require larger sizes.
2384 Credentials *Credentials `type:"structure"`
2387 // String returns the string representation
2388 func (s GetSessionTokenOutput) String() string {
2389 return awsutil.Prettify(s)
2392 // GoString returns the string representation
2393 func (s GetSessionTokenOutput) GoString() string {
2397 // SetCredentials sets the Credentials field's value.
2398 func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput {