Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/service/sts/api.go')
-rw-r--r-- | vendor/github.com/aws/aws-sdk-go/service/sts/api.go | 1126 |
1 files changed, 734 insertions, 392 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go index 8113089..d22c38b 100644 --- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go | |||
@@ -3,6 +3,7 @@ | |||
3 | package sts | 3 | package sts |
4 | 4 | ||
5 | import ( | 5 | import ( |
6 | "fmt" | ||
6 | "time" | 7 | "time" |
7 | 8 | ||
8 | "github.com/aws/aws-sdk-go/aws" | 9 | "github.com/aws/aws-sdk-go/aws" |
@@ -55,38 +56,26 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o | |||
55 | 56 | ||
56 | // AssumeRole API operation for AWS Security Token Service. | 57 | // AssumeRole API operation for AWS Security Token Service. |
57 | // | 58 | // |
58 | // Returns a set of temporary security credentials (consisting of an access | 59 | // Returns a set of temporary security credentials that you can use to access |
59 | // key ID, a secret access key, and a security token) that you can use to access | 60 | // AWS resources that you might not normally have access to. These temporary |
60 | // AWS resources that you might not normally have access to. Typically, you | 61 | // credentials consist of an access key ID, a secret access key, and a security |
61 | // use AssumeRole for cross-account access or federation. For a comparison of | 62 | // token. Typically, you use AssumeRole within your account or for cross-account |
62 | // AssumeRole with the other APIs that produce temporary credentials, see Requesting | 63 | // access. For a comparison of AssumeRole with other API operations that produce |
63 | // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | 64 | // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) |
64 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | 65 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) |
65 | // in the IAM User Guide. | 66 | // in the IAM User Guide. |
66 | // | 67 | // |
67 | // Important: You cannot call AssumeRole by using AWS root account credentials; | 68 | // You cannot use AWS account root user credentials to call AssumeRole. You |
68 | // access is denied. You must use credentials for an IAM user or an IAM role | 69 | // must use credentials for an IAM user or an IAM role to call AssumeRole. |
69 | // to call AssumeRole. | ||
70 | // | 70 | // |
71 | // For cross-account access, imagine that you own multiple accounts and need | 71 | // For cross-account access, imagine that you own multiple accounts and need |
72 | // to access resources in each account. You could create long-term credentials | 72 | // to access resources in each account. You could create long-term credentials |
73 | // in each account to access those resources. However, managing all those credentials | 73 | // in each account to access those resources. However, managing all those credentials |
74 | // and remembering which one can access which account can be time consuming. | 74 | // and remembering which one can access which account can be time consuming. |
75 | // Instead, you can create one set of long-term credentials in one account and | 75 | // Instead, you can create one set of long-term credentials in one account. |
76 | // then use temporary security credentials to access all the other accounts | 76 | // Then use temporary security credentials to access all the other accounts |
77 | // by assuming roles in those accounts. For more information about roles, see | 77 | // by assuming roles in those accounts. For more information about roles, see |
78 | // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) | 78 | // IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) |
79 | // in the IAM User Guide. | ||
80 | // | ||
81 | // For federation, you can, for example, grant single sign-on access to the | ||
82 | // AWS Management Console. If you already have an identity and authentication | ||
83 | // system in your corporate network, you don't have to recreate user identities | ||
84 | // in AWS in order to grant those user identities access to AWS. Instead, after | ||
85 | // a user has been authenticated, you call AssumeRole (and specify the role | ||
86 | // with the appropriate permissions) to get temporary security credentials for | ||
87 | // that user. With those temporary security credentials, you construct a sign-in | ||
88 | // URL that users can use to access the console. For more information, see Common | ||
89 | // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction) | ||
90 | // in the IAM User Guide. | 79 | // in the IAM User Guide. |
91 | // | 80 | // |
92 | // By default, the temporary security credentials created by AssumeRole last | 81 | // By default, the temporary security credentials created by AssumeRole last |
@@ -95,69 +84,73 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o | |||
95 | // seconds (15 minutes) up to the maximum session duration setting for the role. | 84 | // seconds (15 minutes) up to the maximum session duration setting for the role. |
96 | // This setting can have a value from 1 hour to 12 hours. To learn how to view | 85 | // This setting can have a value from 1 hour to 12 hours. To learn how to view |
97 | // the maximum value for your role, see View the Maximum Session Duration Setting | 86 | // the maximum value for your role, see View the Maximum Session Duration Setting |
98 | // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 87 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
99 | // in the IAM User Guide. The maximum session duration limit applies when you | 88 | // in the IAM User Guide. The maximum session duration limit applies when you |
100 | // use the AssumeRole* API operations or the assume-role* CLI operations but | 89 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
101 | // does not apply when you use those operations to create a console URL. For | 90 | // the limit does not apply when you use those operations to create a console |
102 | // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | 91 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) |
103 | // in the IAM User Guide. | 92 | // in the IAM User Guide. |
104 | // | 93 | // |
105 | // The temporary security credentials created by AssumeRole can be used to make | 94 | // The temporary security credentials created by AssumeRole can be used to make |
106 | // API calls to any AWS service with the following exception: you cannot call | 95 | // API calls to any AWS service with the following exception: You cannot call |
107 | // the STS service's GetFederationToken or GetSessionToken APIs. | 96 | // the AWS STS GetFederationToken or GetSessionToken API operations. |
108 | // | 97 | // |
109 | // Optionally, you can pass an IAM access policy to this operation. If you choose | 98 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
110 | // not to pass a policy, the temporary security credentials that are returned | 99 | // to this operation. You can pass a single JSON policy document to use as an |
111 | // by the operation have the permissions that are defined in the access policy | 100 | // inline session policy. You can also specify up to 10 managed policies to |
112 | // of the role that is being assumed. If you pass a policy to this operation, | 101 | // use as managed session policies. The plain text that you use for both inline |
113 | // the temporary security credentials that are returned by the operation have | 102 | // and managed session policies shouldn't exceed 2048 characters. Passing policies |
114 | // the permissions that are allowed by both the access policy of the role that | 103 | // to this operation returns new temporary credentials. The resulting session's |
115 | // is being assumed, and the policy that you pass. This gives you a way to further | 104 | // permissions are the intersection of the role's identity-based policy and |
116 | // restrict the permissions for the resulting temporary security credentials. | 105 | // the session policies. You can use the role's temporary credentials in subsequent |
117 | // You cannot use the passed policy to grant permissions that are in excess | 106 | // AWS API calls to access resources in the account that owns the role. You |
118 | // of those allowed by the access policy of the role that is being assumed. | 107 | // cannot use session policies to grant more permissions than those allowed |
119 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | 108 | // by the identity-based policy of the role that is being assumed. For more |
120 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | 109 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
121 | // in the IAM User Guide. | 110 | // in the IAM User Guide. |
122 | // | 111 | // |
123 | // To assume a role, your AWS account must be trusted by the role. The trust | 112 | // To assume a role from a different account, your AWS account must be trusted |
124 | // relationship is defined in the role's trust policy when the role is created. | 113 | // by the role. The trust relationship is defined in the role's trust policy |
125 | // That trust policy states which accounts are allowed to delegate access to | 114 | // when the role is created. That trust policy states which accounts are allowed |
126 | // this account's role. | 115 | // to delegate that access to users in the account. |
127 | // | 116 | // |
128 | // The user who wants to access the role must also have permissions delegated | 117 | // A user who wants to access a role in a different account must also have permissions |
129 | // from the role's administrator. If the user is in a different account than | 118 | // that are delegated from the user account administrator. The administrator |
130 | // the role, then the user's administrator must attach a policy that allows | 119 | // must attach a policy that allows the user to call AssumeRole for the ARN |
131 | // the user to call AssumeRole on the ARN of the role in the other account. | 120 | // of the role in the other account. If the user is in the same account as the |
132 | // If the user is in the same account as the role, then you can either attach | 121 | // role, then you can do either of the following: |
133 | // a policy to the user (identical to the previous different account user), | 122 | // |
134 | // or you can add the user as a principal directly in the role's trust policy. | 123 | // * Attach a policy to the user (identical to the previous user in a different |
135 | // In this case, the trust policy acts as the only resource-based policy in | 124 | // account). |
136 | // IAM, and users in the same account as the role do not need explicit permission | 125 | // |
137 | // to assume the role. For more information about trust policies and resource-based | 126 | // * Add the user as a principal directly in the role's trust policy. |
138 | // policies, see IAM Policies (http://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) | 127 | // |
128 | // In this case, the trust policy acts as an IAM resource-based policy. Users | ||
129 | // in the same account as the role do not need explicit permission to assume | ||
130 | // the role. For more information about trust policies and resource-based policies, | ||
131 | // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) | ||
139 | // in the IAM User Guide. | 132 | // in the IAM User Guide. |
140 | // | 133 | // |
141 | // Using MFA with AssumeRole | 134 | // Using MFA with AssumeRole |
142 | // | 135 | // |
143 | // You can optionally include multi-factor authentication (MFA) information | 136 | // (Optional) You can include multi-factor authentication (MFA) information |
144 | // when you call AssumeRole. This is useful for cross-account scenarios in which | 137 | // when you call AssumeRole. This is useful for cross-account scenarios to ensure |
145 | // you want to make sure that the user who is assuming the role has been authenticated | 138 | // that the user that assumes the role has been authenticated with an AWS MFA |
146 | // using an AWS MFA device. In that scenario, the trust policy of the role being | 139 | // device. In that scenario, the trust policy of the role being assumed includes |
147 | // assumed includes a condition that tests for MFA authentication; if the caller | 140 | // a condition that tests for MFA authentication. If the caller does not include |
148 | // does not include valid MFA information, the request to assume the role is | 141 | // valid MFA information, the request to assume the role is denied. The condition |
149 | // denied. The condition in a trust policy that tests for MFA authentication | 142 | // in a trust policy that tests for MFA authentication might look like the following |
150 | // might look like the following example. | 143 | // example. |
151 | // | 144 | // |
152 | // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} | 145 | // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} |
153 | // | 146 | // |
154 | // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) | 147 | // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) |
155 | // in the IAM User Guide guide. | 148 | // in the IAM User Guide guide. |
156 | // | 149 | // |
157 | // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode | 150 | // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode |
158 | // parameters. The SerialNumber value identifies the user's hardware or virtual | 151 | // parameters. The SerialNumber value identifies the user's hardware or virtual |
159 | // MFA device. The TokenCode is the time-based one-time password (TOTP) that | 152 | // MFA device. The TokenCode is the time-based one-time password (TOTP) that |
160 | // the MFA devices produces. | 153 | // the MFA device produces. |
161 | // | 154 | // |
162 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | 155 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions |
163 | // with awserr.Error's Code and Message methods to get detailed information about | 156 | // with awserr.Error's Code and Message methods to get detailed information about |
@@ -180,7 +173,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o | |||
180 | // STS is not activated in the requested region for the account that is being | 173 | // STS is not activated in the requested region for the account that is being |
181 | // asked to generate credentials. The account administrator must use the IAM | 174 | // asked to generate credentials. The account administrator must use the IAM |
182 | // console to activate STS in that region. For more information, see Activating | 175 | // console to activate STS in that region. For more information, see Activating |
183 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | 176 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
184 | // in the IAM User Guide. | 177 | // in the IAM User Guide. |
185 | // | 178 | // |
186 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole | 179 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole |
@@ -254,9 +247,9 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re | |||
254 | // via a SAML authentication response. This operation provides a mechanism for | 247 | // via a SAML authentication response. This operation provides a mechanism for |
255 | // tying an enterprise identity store or directory to role-based AWS access | 248 | // tying an enterprise identity store or directory to role-based AWS access |
256 | // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML | 249 | // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML |
257 | // with the other APIs that produce temporary credentials, see Requesting Temporary | 250 | // with the other API operations that produce temporary credentials, see Requesting |
258 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | 251 | // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) |
259 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | 252 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) |
260 | // in the IAM User Guide. | 253 | // in the IAM User Guide. |
261 | // | 254 | // |
262 | // The temporary security credentials returned by this operation consist of | 255 | // The temporary security credentials returned by this operation consist of |
@@ -271,37 +264,36 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re | |||
271 | // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session | 264 | // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session |
272 | // duration setting for the role. This setting can have a value from 1 hour | 265 | // duration setting for the role. This setting can have a value from 1 hour |
273 | // to 12 hours. To learn how to view the maximum value for your role, see View | 266 | // to 12 hours. To learn how to view the maximum value for your role, see View |
274 | // the Maximum Session Duration Setting for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 267 | // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
275 | // in the IAM User Guide. The maximum session duration limit applies when you | 268 | // in the IAM User Guide. The maximum session duration limit applies when you |
276 | // use the AssumeRole* API operations or the assume-role* CLI operations but | 269 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
277 | // does not apply when you use those operations to create a console URL. For | 270 | // the limit does not apply when you use those operations to create a console |
278 | // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | 271 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) |
279 | // in the IAM User Guide. | 272 | // in the IAM User Guide. |
280 | // | 273 | // |
281 | // The temporary security credentials created by AssumeRoleWithSAML can be used | 274 | // The temporary security credentials created by AssumeRoleWithSAML can be used |
282 | // to make API calls to any AWS service with the following exception: you cannot | 275 | // to make API calls to any AWS service with the following exception: you cannot |
283 | // call the STS service's GetFederationToken or GetSessionToken APIs. | 276 | // call the STS GetFederationToken or GetSessionToken API operations. |
284 | // | 277 | // |
285 | // Optionally, you can pass an IAM access policy to this operation. If you choose | 278 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
286 | // not to pass a policy, the temporary security credentials that are returned | 279 | // to this operation. You can pass a single JSON policy document to use as an |
287 | // by the operation have the permissions that are defined in the access policy | 280 | // inline session policy. You can also specify up to 10 managed policies to |
288 | // of the role that is being assumed. If you pass a policy to this operation, | 281 | // use as managed session policies. The plain text that you use for both inline |
289 | // the temporary security credentials that are returned by the operation have | 282 | // and managed session policies shouldn't exceed 2048 characters. Passing policies |
290 | // the permissions that are allowed by the intersection of both the access policy | 283 | // to this operation returns new temporary credentials. The resulting session's |
291 | // of the role that is being assumed, and the policy that you pass. This means | 284 | // permissions are the intersection of the role's identity-based policy and |
292 | // that both policies must grant the permission for the action to be allowed. | 285 | // the session policies. You can use the role's temporary credentials in subsequent |
293 | // This gives you a way to further restrict the permissions for the resulting | 286 | // AWS API calls to access resources in the account that owns the role. You |
294 | // temporary security credentials. You cannot use the passed policy to grant | 287 | // cannot use session policies to grant more permissions than those allowed |
295 | // permissions that are in excess of those allowed by the access policy of the | 288 | // by the identity-based policy of the role that is being assumed. For more |
296 | // role that is being assumed. For more information, see Permissions for AssumeRole, | 289 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
297 | // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
298 | // in the IAM User Guide. | 290 | // in the IAM User Guide. |
299 | // | 291 | // |
300 | // Before your application can call AssumeRoleWithSAML, you must configure your | 292 | // Before your application can call AssumeRoleWithSAML, you must configure your |
301 | // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, | 293 | // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, |
302 | // you must use AWS Identity and Access Management (IAM) to create a SAML provider | 294 | // you must use AWS Identity and Access Management (IAM) to create a SAML provider |
303 | // entity in your AWS account that represents your identity provider, and create | 295 | // entity in your AWS account that represents your identity provider. You must |
304 | // an IAM role that specifies this SAML provider in its trust policy. | 296 | // also create an IAM role that specifies this SAML provider in its trust policy. |
305 | // | 297 | // |
306 | // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. | 298 | // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. |
307 | // The identity of the caller is validated by using keys in the metadata document | 299 | // The identity of the caller is validated by using keys in the metadata document |
@@ -315,16 +307,16 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re | |||
315 | // | 307 | // |
316 | // For more information, see the following resources: | 308 | // For more information, see the following resources: |
317 | // | 309 | // |
318 | // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) | 310 | // * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) |
319 | // in the IAM User Guide. | 311 | // in the IAM User Guide. |
320 | // | 312 | // |
321 | // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) | 313 | // * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) |
322 | // in the IAM User Guide. | 314 | // in the IAM User Guide. |
323 | // | 315 | // |
324 | // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) | 316 | // * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) |
325 | // in the IAM User Guide. | 317 | // in the IAM User Guide. |
326 | // | 318 | // |
327 | // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) | 319 | // * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) |
328 | // in the IAM User Guide. | 320 | // in the IAM User Guide. |
329 | // | 321 | // |
330 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | 322 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions |
@@ -363,7 +355,7 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re | |||
363 | // STS is not activated in the requested region for the account that is being | 355 | // STS is not activated in the requested region for the account that is being |
364 | // asked to generate credentials. The account administrator must use the IAM | 356 | // asked to generate credentials. The account administrator must use the IAM |
365 | // console to activate STS in that region. For more information, see Activating | 357 | // console to activate STS in that region. For more information, see Activating |
366 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | 358 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
367 | // in the IAM User Guide. | 359 | // in the IAM User Guide. |
368 | // | 360 | // |
369 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML | 361 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML |
@@ -434,35 +426,35 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI | |||
434 | // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. | 426 | // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. |
435 | // | 427 | // |
436 | // Returns a set of temporary security credentials for users who have been authenticated | 428 | // Returns a set of temporary security credentials for users who have been authenticated |
437 | // in a mobile or web application with a web identity provider, such as Amazon | 429 | // in a mobile or web application with a web identity provider. Example providers |
438 | // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible | 430 | // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID |
439 | // identity provider. | 431 | // Connect-compatible identity provider. |
440 | // | 432 | // |
441 | // For mobile applications, we recommend that you use Amazon Cognito. You can | 433 | // For mobile applications, we recommend that you use Amazon Cognito. You can |
442 | // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/) | 434 | // use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) |
443 | // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely | 435 | // and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) |
444 | // identify a user and supply the user with a consistent identity throughout | 436 | // to uniquely identify a user. You can also supply the user with a consistent |
445 | // the lifetime of an application. | 437 | // identity throughout the lifetime of an application. |
446 | // | 438 | // |
447 | // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) | 439 | // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) |
448 | // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview | 440 | // in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) |
449 | // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) | ||
450 | // in the AWS SDK for iOS Developer Guide. | 441 | // in the AWS SDK for iOS Developer Guide. |
451 | // | 442 | // |
452 | // Calling AssumeRoleWithWebIdentity does not require the use of AWS security | 443 | // Calling AssumeRoleWithWebIdentity does not require the use of AWS security |
453 | // credentials. Therefore, you can distribute an application (for example, on | 444 | // credentials. Therefore, you can distribute an application (for example, on |
454 | // mobile devices) that requests temporary security credentials without including | 445 | // mobile devices) that requests temporary security credentials without including |
455 | // long-term AWS credentials in the application, and without deploying server-based | 446 | // long-term AWS credentials in the application. You also don't need to deploy |
456 | // proxy services that use long-term AWS credentials. Instead, the identity | 447 | // server-based proxy services that use long-term AWS credentials. Instead, |
457 | // of the caller is validated by using a token from the web identity provider. | 448 | // the identity of the caller is validated by using a token from the web identity |
458 | // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce | 449 | // provider. For a comparison of AssumeRoleWithWebIdentity with the other API |
459 | // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | 450 | // operations that produce temporary credentials, see Requesting Temporary Security |
460 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | 451 | // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) |
452 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
461 | // in the IAM User Guide. | 453 | // in the IAM User Guide. |
462 | // | 454 | // |
463 | // The temporary security credentials returned by this API consist of an access | 455 | // The temporary security credentials returned by this API consist of an access |
464 | // key ID, a secret access key, and a security token. Applications can use these | 456 | // key ID, a secret access key, and a security token. Applications can use these |
465 | // temporary security credentials to sign calls to AWS service APIs. | 457 | // temporary security credentials to sign calls to AWS service API operations. |
466 | // | 458 | // |
467 | // By default, the temporary security credentials created by AssumeRoleWithWebIdentity | 459 | // By default, the temporary security credentials created by AssumeRoleWithWebIdentity |
468 | // last for one hour. However, you can use the optional DurationSeconds parameter | 460 | // last for one hour. However, you can use the optional DurationSeconds parameter |
@@ -470,29 +462,29 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI | |||
470 | // seconds (15 minutes) up to the maximum session duration setting for the role. | 462 | // seconds (15 minutes) up to the maximum session duration setting for the role. |
471 | // This setting can have a value from 1 hour to 12 hours. To learn how to view | 463 | // This setting can have a value from 1 hour to 12 hours. To learn how to view |
472 | // the maximum value for your role, see View the Maximum Session Duration Setting | 464 | // the maximum value for your role, see View the Maximum Session Duration Setting |
473 | // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 465 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
474 | // in the IAM User Guide. The maximum session duration limit applies when you | 466 | // in the IAM User Guide. The maximum session duration limit applies when you |
475 | // use the AssumeRole* API operations or the assume-role* CLI operations but | 467 | // use the AssumeRole* API operations or the assume-role* CLI commands. However |
476 | // does not apply when you use those operations to create a console URL. For | 468 | // the limit does not apply when you use those operations to create a console |
477 | // more information, see Using IAM Roles (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) | 469 | // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) |
478 | // in the IAM User Guide. | 470 | // in the IAM User Guide. |
479 | // | 471 | // |
480 | // The temporary security credentials created by AssumeRoleWithWebIdentity can | 472 | // The temporary security credentials created by AssumeRoleWithWebIdentity can |
481 | // be used to make API calls to any AWS service with the following exception: | 473 | // be used to make API calls to any AWS service with the following exception: |
482 | // you cannot call the STS service's GetFederationToken or GetSessionToken APIs. | 474 | // you cannot call the STS GetFederationToken or GetSessionToken API operations. |
483 | // | 475 | // |
484 | // Optionally, you can pass an IAM access policy to this operation. If you choose | 476 | // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
485 | // not to pass a policy, the temporary security credentials that are returned | 477 | // to this operation. You can pass a single JSON policy document to use as an |
486 | // by the operation have the permissions that are defined in the access policy | 478 | // inline session policy. You can also specify up to 10 managed policies to |
487 | // of the role that is being assumed. If you pass a policy to this operation, | 479 | // use as managed session policies. The plain text that you use for both inline |
488 | // the temporary security credentials that are returned by the operation have | 480 | // and managed session policies shouldn't exceed 2048 characters. Passing policies |
489 | // the permissions that are allowed by both the access policy of the role that | 481 | // to this operation returns new temporary credentials. The resulting session's |
490 | // is being assumed, and the policy that you pass. This gives you a way to further | 482 | // permissions are the intersection of the role's identity-based policy and |
491 | // restrict the permissions for the resulting temporary security credentials. | 483 | // the session policies. You can use the role's temporary credentials in subsequent |
492 | // You cannot use the passed policy to grant permissions that are in excess | 484 | // AWS API calls to access resources in the account that owns the role. You |
493 | // of those allowed by the access policy of the role that is being assumed. | 485 | // cannot use session policies to grant more permissions than those allowed |
494 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | 486 | // by the identity-based policy of the role that is being assumed. For more |
495 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | 487 | // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
496 | // in the IAM User Guide. | 488 | // in the IAM User Guide. |
497 | // | 489 | // |
498 | // Before your application can call AssumeRoleWithWebIdentity, you must have | 490 | // Before your application can call AssumeRoleWithWebIdentity, you must have |
@@ -511,21 +503,19 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI | |||
511 | // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity | 503 | // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity |
512 | // API, see the following resources: | 504 | // API, see the following resources: |
513 | // | 505 | // |
514 | // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) | 506 | // * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) |
515 | // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | 507 | // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). |
516 | // | 508 | // |
509 | // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). | ||
510 | // Walk through the process of authenticating through Login with Amazon, | ||
511 | // Facebook, or Google, getting temporary security credentials, and then | ||
512 | // using those credentials to make a request to AWS. | ||
517 | // | 513 | // |
518 | // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). | 514 | // * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and |
519 | // This interactive website lets you walk through the process of authenticating | 515 | // AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). |
520 | // via Login with Amazon, Facebook, or Google, getting temporary security | 516 | // These toolkits contain sample apps that show how to invoke the identity |
521 | // credentials, and then using those credentials to make a request to AWS. | 517 | // providers, and then how to use the information from these providers to |
522 | // | 518 | // get and use temporary security credentials. |
523 | // | ||
524 | // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android | ||
525 | // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample | ||
526 | // apps that show how to invoke the identity providers, and then how to use | ||
527 | // the information from these providers to get and use temporary security | ||
528 | // credentials. | ||
529 | // | 519 | // |
530 | // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). | 520 | // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). |
531 | // This article discusses web identity federation and shows an example of | 521 | // This article discusses web identity federation and shows an example of |
@@ -575,7 +565,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI | |||
575 | // STS is not activated in the requested region for the account that is being | 565 | // STS is not activated in the requested region for the account that is being |
576 | // asked to generate credentials. The account administrator must use the IAM | 566 | // asked to generate credentials. The account administrator must use the IAM |
577 | // console to activate STS in that region. For more information, see Activating | 567 | // console to activate STS in that region. For more information, see Activating |
578 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | 568 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
579 | // in the IAM User Guide. | 569 | // in the IAM User Guide. |
580 | // | 570 | // |
581 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity | 571 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity |
@@ -647,17 +637,17 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag | |||
647 | // Decodes additional information about the authorization status of a request | 637 | // Decodes additional information about the authorization status of a request |
648 | // from an encoded message returned in response to an AWS request. | 638 | // from an encoded message returned in response to an AWS request. |
649 | // | 639 | // |
650 | // For example, if a user is not authorized to perform an action that he or | 640 | // For example, if a user is not authorized to perform an operation that he |
651 | // she has requested, the request returns a Client.UnauthorizedOperation response | 641 | // or she has requested, the request returns a Client.UnauthorizedOperation |
652 | // (an HTTP 403 response). Some AWS actions additionally return an encoded message | 642 | // response (an HTTP 403 response). Some AWS operations additionally return |
653 | // that can provide details about this authorization failure. | 643 | // an encoded message that can provide details about this authorization failure. |
654 | // | 644 | // |
655 | // Only certain AWS actions return an encoded authorization message. The documentation | 645 | // Only certain AWS operations return an encoded authorization message. The |
656 | // for an individual action indicates whether that action returns an encoded | 646 | // documentation for an individual operation indicates whether that operation |
657 | // message in addition to returning an HTTP code. | 647 | // returns an encoded message in addition to returning an HTTP code. |
658 | // | 648 | // |
659 | // The message is encoded because the details of the authorization status can | 649 | // The message is encoded because the details of the authorization status can |
660 | // constitute privileged information that the user who requested the action | 650 | // constitute privileged information that the user who requested the operation |
661 | // should not see. To decode an authorization status message, a user must be | 651 | // should not see. To decode an authorization status message, a user must be |
662 | // granted permissions via an IAM policy to request the DecodeAuthorizationMessage | 652 | // granted permissions via an IAM policy to request the DecodeAuthorizationMessage |
663 | // (sts:DecodeAuthorizationMessage) action. | 653 | // (sts:DecodeAuthorizationMessage) action. |
@@ -666,7 +656,7 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag | |||
666 | // | 656 | // |
667 | // * Whether the request was denied due to an explicit deny or due to the | 657 | // * Whether the request was denied due to an explicit deny or due to the |
668 | // absence of an explicit allow. For more information, see Determining Whether | 658 | // absence of an explicit allow. For more information, see Determining Whether |
669 | // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) | 659 | // a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) |
670 | // in the IAM User Guide. | 660 | // in the IAM User Guide. |
671 | // | 661 | // |
672 | // * The principal who made the request. | 662 | // * The principal who made the request. |
@@ -712,6 +702,102 @@ func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *Deco | |||
712 | return out, req.Send() | 702 | return out, req.Send() |
713 | } | 703 | } |
714 | 704 | ||
705 | const opGetAccessKeyInfo = "GetAccessKeyInfo" | ||
706 | |||
707 | // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the | ||
708 | // client's request for the GetAccessKeyInfo operation. The "output" return | ||
709 | // value will be populated with the request's response once the request completes | ||
710 | // successfully. | ||
711 | // | ||
712 | // Use "Send" method on the returned Request to send the API call to the service. | ||
713 | // the "output" return value is not valid until after Send returns without error. | ||
714 | // | ||
715 | // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo | ||
716 | // API call, and error handling. | ||
717 | // | ||
718 | // This method is useful when you want to inject custom logic or configuration | ||
719 | // into the SDK's request lifecycle. Such as custom headers, or retry logic. | ||
720 | // | ||
721 | // | ||
722 | // // Example sending a request using the GetAccessKeyInfoRequest method. | ||
723 | // req, resp := client.GetAccessKeyInfoRequest(params) | ||
724 | // | ||
725 | // err := req.Send() | ||
726 | // if err == nil { // resp is now filled | ||
727 | // fmt.Println(resp) | ||
728 | // } | ||
729 | // | ||
730 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo | ||
731 | func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { | ||
732 | op := &request.Operation{ | ||
733 | Name: opGetAccessKeyInfo, | ||
734 | HTTPMethod: "POST", | ||
735 | HTTPPath: "/", | ||
736 | } | ||
737 | |||
738 | if input == nil { | ||
739 | input = &GetAccessKeyInfoInput{} | ||
740 | } | ||
741 | |||
742 | output = &GetAccessKeyInfoOutput{} | ||
743 | req = c.newRequest(op, input, output) | ||
744 | return | ||
745 | } | ||
746 | |||
747 | // GetAccessKeyInfo API operation for AWS Security Token Service. | ||
748 | // | ||
749 | // Returns the account identifier for the specified access key ID. | ||
750 | // | ||
751 | // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) | ||
752 | // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). | ||
753 | // For more information about access keys, see Managing Access Keys for IAM | ||
754 | // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) | ||
755 | // in the IAM User Guide. | ||
756 | // | ||
757 | // When you pass an access key ID to this operation, it returns the ID of the | ||
758 | // AWS account to which the keys belong. Access key IDs beginning with AKIA | ||
759 | // are long-term credentials for an IAM user or the AWS account root user. Access | ||
760 | // key IDs beginning with ASIA are temporary credentials that are created using | ||
761 | // STS operations. If the account in the response belongs to you, you can sign | ||
762 | // in as the root user and review your root user access keys. Then, you can | ||
763 | // pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report) | ||
764 | // to learn which IAM user owns the keys. To learn who requested the temporary | ||
765 | // credentials for an ASIA access key, view the STS events in your CloudTrail | ||
766 | // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration). | ||
767 | // | ||
768 | // This operation does not indicate the state of the access key. The key might | ||
769 | // be active, inactive, or deleted. Active keys might not have permissions to | ||
770 | // perform an operation. Providing a deleted keys might return an error that | ||
771 | // the key doesn't exist. | ||
772 | // | ||
773 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
774 | // with awserr.Error's Code and Message methods to get detailed information about | ||
775 | // the error. | ||
776 | // | ||
777 | // See the AWS API reference guide for AWS Security Token Service's | ||
778 | // API operation GetAccessKeyInfo for usage and error information. | ||
779 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo | ||
780 | func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { | ||
781 | req, out := c.GetAccessKeyInfoRequest(input) | ||
782 | return out, req.Send() | ||
783 | } | ||
784 | |||
785 | // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of | ||
786 | // the ability to pass a context and additional request options. | ||
787 | // | ||
788 | // See GetAccessKeyInfo for details on how to use this API operation. | ||
789 | // | ||
790 | // The context must be non-nil and will be used for request cancellation. If | ||
791 | // the context is nil a panic will occur. In the future the SDK may create | ||
792 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
793 | // for more information on using Contexts. | ||
794 | func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { | ||
795 | req, out := c.GetAccessKeyInfoRequest(input) | ||
796 | req.SetContext(ctx) | ||
797 | req.ApplyOptions(opts...) | ||
798 | return out, req.Send() | ||
799 | } | ||
800 | |||
715 | const opGetCallerIdentity = "GetCallerIdentity" | 801 | const opGetCallerIdentity = "GetCallerIdentity" |
716 | 802 | ||
717 | // GetCallerIdentityRequest generates a "aws/request.Request" representing the | 803 | // GetCallerIdentityRequest generates a "aws/request.Request" representing the |
@@ -834,81 +920,65 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re | |||
834 | // Returns a set of temporary security credentials (consisting of an access | 920 | // Returns a set of temporary security credentials (consisting of an access |
835 | // key ID, a secret access key, and a security token) for a federated user. | 921 | // key ID, a secret access key, and a security token) for a federated user. |
836 | // A typical use is in a proxy application that gets temporary security credentials | 922 | // A typical use is in a proxy application that gets temporary security credentials |
837 | // on behalf of distributed applications inside a corporate network. Because | 923 | // on behalf of distributed applications inside a corporate network. You must |
838 | // you must call the GetFederationToken action using the long-term security | 924 | // call the GetFederationToken operation using the long-term security credentials |
839 | // credentials of an IAM user, this call is appropriate in contexts where those | 925 | // of an IAM user. As a result, this call is appropriate in contexts where those |
840 | // credentials can be safely stored, usually in a server-based application. | 926 | // credentials can be safely stored, usually in a server-based application. |
841 | // For a comparison of GetFederationToken with the other APIs that produce temporary | 927 | // For a comparison of GetFederationToken with the other API operations that |
842 | // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | 928 | // produce temporary credentials, see Requesting Temporary Security Credentials |
843 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | 929 | // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) |
930 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
844 | // in the IAM User Guide. | 931 | // in the IAM User Guide. |
845 | // | 932 | // |
846 | // If you are creating a mobile-based or browser-based app that can authenticate | 933 | // You can create a mobile-based or browser-based app that can authenticate |
847 | // users using a web identity provider like Login with Amazon, Facebook, Google, | 934 | // users using a web identity provider like Login with Amazon, Facebook, Google, |
848 | // or an OpenID Connect-compatible identity provider, we recommend that you | 935 | // or an OpenID Connect-compatible identity provider. In this case, we recommend |
849 | // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. | 936 | // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. |
850 | // For more information, see Federation Through a Web-based Identity Provider | 937 | // For more information, see Federation Through a Web-based Identity Provider |
851 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | 938 | // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). |
852 | // | 939 | // |
853 | // The GetFederationToken action must be called by using the long-term AWS security | 940 | // You can also call GetFederationToken using the security credentials of an |
854 | // credentials of an IAM user. You can also call GetFederationToken using the | 941 | // AWS account root user, but we do not recommend it. Instead, we recommend |
855 | // security credentials of an AWS root account, but we do not recommended it. | 942 | // that you create an IAM user for the purpose of the proxy application. Then |
856 | // Instead, we recommend that you create an IAM user for the purpose of the | 943 | // attach a policy to the IAM user that limits federated users to only the actions |
857 | // proxy application and then attach a policy to the IAM user that limits federated | 944 | // and resources that they need to access. For more information, see IAM Best |
858 | // users to only the actions and resources that they need access to. For more | 945 | // Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) |
859 | // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) | ||
860 | // in the IAM User Guide. | 946 | // in the IAM User Guide. |
861 | // | 947 | // |
862 | // The temporary security credentials that are obtained by using the long-term | 948 | // The temporary credentials are valid for the specified duration, from 900 |
863 | // credentials of an IAM user are valid for the specified duration, from 900 | 949 | // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default |
864 | // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default | 950 | // is 43,200 seconds (12 hours). Temporary credentials that are obtained by |
865 | // is 43200 seconds (12 hours). Temporary credentials that are obtained by using | 951 | // using AWS account root user credentials have a maximum duration of 3,600 |
866 | // AWS root account credentials have a maximum duration of 3600 seconds (1 hour). | 952 | // seconds (1 hour). |
867 | // | 953 | // |
868 | // The temporary security credentials created by GetFederationToken can be used | 954 | // The temporary security credentials created by GetFederationToken can be used |
869 | // to make API calls to any AWS service with the following exceptions: | 955 | // to make API calls to any AWS service with the following exceptions: |
870 | // | 956 | // |
871 | // * You cannot use these credentials to call any IAM APIs. | 957 | // * You cannot use these credentials to call any IAM API operations. |
872 | // | 958 | // |
873 | // * You cannot call any STS APIs except GetCallerIdentity. | 959 | // * You cannot call any STS API operations except GetCallerIdentity. |
874 | // | 960 | // |
875 | // Permissions | 961 | // Permissions |
876 | // | 962 | // |
877 | // The permissions for the temporary security credentials returned by GetFederationToken | 963 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
878 | // are determined by a combination of the following: | 964 | // to this operation. You can pass a single JSON policy document to use as an |
879 | // | 965 | // inline session policy. You can also specify up to 10 managed policies to |
880 | // * The policy or policies that are attached to the IAM user whose credentials | 966 | // use as managed session policies. The plain text that you use for both inline |
881 | // are used to call GetFederationToken. | 967 | // and managed session policies shouldn't exceed 2048 characters. |
882 | // | 968 | // |
883 | // * The policy that is passed as a parameter in the call. | 969 | // Though the session policy parameters are optional, if you do not pass a policy, |
884 | // | 970 | // then the resulting federated user session has no permissions. The only exception |
885 | // The passed policy is attached to the temporary security credentials that | 971 | // is when the credentials are used to access a resource that has a resource-based |
886 | // result from the GetFederationToken API call--that is, to the federated user. | 972 | // policy that specifically references the federated user session in the Principal |
887 | // When the federated user makes an AWS request, AWS evaluates the policy attached | 973 | // element of the policy. When you pass session policies, the session permissions |
888 | // to the federated user in combination with the policy or policies attached | 974 | // are the intersection of the IAM user policies and the session policies that |
889 | // to the IAM user whose credentials were used to call GetFederationToken. AWS | 975 | // you pass. This gives you a way to further restrict the permissions for a |
890 | // allows the federated user's request only when both the federated user and | 976 | // federated user. You cannot use session policies to grant more permissions |
891 | // the IAM user are explicitly allowed to perform the requested action. The | 977 | // than those that are defined in the permissions policy of the IAM user. For |
892 | // passed policy cannot grant more permissions than those that are defined in | 978 | // more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
893 | // the IAM user policy. | 979 | // in the IAM User Guide. For information about using GetFederationToken to |
894 | // | 980 | // create temporary security credentials, see GetFederationToken—Federation |
895 | // A typical use case is that the permissions of the IAM user whose credentials | 981 | // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). |
896 | // are used to call GetFederationToken are designed to allow access to all the | ||
897 | // actions and resources that any federated user will need. Then, for individual | ||
898 | // users, you pass a policy to the operation that scopes down the permissions | ||
899 | // to a level that's appropriate to that individual user, using a policy that | ||
900 | // allows only a subset of permissions that are granted to the IAM user. | ||
901 | // | ||
902 | // If you do not pass a policy, the resulting temporary security credentials | ||
903 | // have no effective permissions. The only exception is when the temporary security | ||
904 | // credentials are used to access a resource that has a resource-based policy | ||
905 | // that specifically allows the federated user to access the resource. | ||
906 | // | ||
907 | // For more information about how permissions work, see Permissions for GetFederationToken | ||
908 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | ||
909 | // For information about using GetFederationToken to create temporary security | ||
910 | // credentials, see GetFederationToken—Federation Through a Custom Identity | ||
911 | // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). | ||
912 | // | 982 | // |
913 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | 983 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions |
914 | // with awserr.Error's Code and Message methods to get detailed information about | 984 | // with awserr.Error's Code and Message methods to get detailed information about |
@@ -931,7 +1001,7 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re | |||
931 | // STS is not activated in the requested region for the account that is being | 1001 | // STS is not activated in the requested region for the account that is being |
932 | // asked to generate credentials. The account administrator must use the IAM | 1002 | // asked to generate credentials. The account administrator must use the IAM |
933 | // console to activate STS in that region. For more information, see Activating | 1003 | // console to activate STS in that region. For more information, see Activating |
934 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | 1004 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
935 | // in the IAM User Guide. | 1005 | // in the IAM User Guide. |
936 | // | 1006 | // |
937 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken | 1007 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken |
@@ -1003,48 +1073,47 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request. | |||
1003 | // Returns a set of temporary credentials for an AWS account or IAM user. The | 1073 | // Returns a set of temporary credentials for an AWS account or IAM user. The |
1004 | // credentials consist of an access key ID, a secret access key, and a security | 1074 | // credentials consist of an access key ID, a secret access key, and a security |
1005 | // token. Typically, you use GetSessionToken if you want to use MFA to protect | 1075 | // token. Typically, you use GetSessionToken if you want to use MFA to protect |
1006 | // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled | 1076 | // programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. |
1007 | // IAM users would need to call GetSessionToken and submit an MFA code that | 1077 | // MFA-enabled IAM users would need to call GetSessionToken and submit an MFA |
1008 | // is associated with their MFA device. Using the temporary security credentials | 1078 | // code that is associated with their MFA device. Using the temporary security |
1009 | // that are returned from the call, IAM users can then make programmatic calls | 1079 | // credentials that are returned from the call, IAM users can then make programmatic |
1010 | // to APIs that require MFA authentication. If you do not supply a correct MFA | 1080 | // calls to API operations that require MFA authentication. If you do not supply |
1011 | // code, then the API returns an access denied error. For a comparison of GetSessionToken | 1081 | // a correct MFA code, then the API returns an access denied error. For a comparison |
1012 | // with the other APIs that produce temporary credentials, see Requesting Temporary | 1082 | // of GetSessionToken with the other API operations that produce temporary credentials, |
1013 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | 1083 | // see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) |
1014 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | 1084 | // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) |
1015 | // in the IAM User Guide. | 1085 | // in the IAM User Guide. |
1016 | // | 1086 | // |
1017 | // The GetSessionToken action must be called by using the long-term AWS security | 1087 | // The GetSessionToken operation must be called by using the long-term AWS security |
1018 | // credentials of the AWS account or an IAM user. Credentials that are created | 1088 | // credentials of the AWS account root user or an IAM user. Credentials that |
1019 | // by IAM users are valid for the duration that you specify, from 900 seconds | 1089 | // are created by IAM users are valid for the duration that you specify. This |
1020 | // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default | 1090 | // duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 |
1021 | // of 43200 seconds (12 hours); credentials that are created by using account | 1091 | // seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials |
1022 | // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 | 1092 | // based on account credentials can range from 900 seconds (15 minutes) up to |
1023 | // seconds (1 hour), with a default of 1 hour. | 1093 | // 3,600 seconds (1 hour), with a default of 1 hour. |
1024 | // | 1094 | // |
1025 | // The temporary security credentials created by GetSessionToken can be used | 1095 | // The temporary security credentials created by GetSessionToken can be used |
1026 | // to make API calls to any AWS service with the following exceptions: | 1096 | // to make API calls to any AWS service with the following exceptions: |
1027 | // | 1097 | // |
1028 | // * You cannot call any IAM APIs unless MFA authentication information is | 1098 | // * You cannot call any IAM API operations unless MFA authentication information |
1029 | // included in the request. | 1099 | // is included in the request. |
1030 | // | 1100 | // |
1031 | // * You cannot call any STS API exceptAssumeRole or GetCallerIdentity. | 1101 | // * You cannot call any STS API except AssumeRole or GetCallerIdentity. |
1032 | // | 1102 | // |
1033 | // We recommend that you do not call GetSessionToken with root account credentials. | 1103 | // We recommend that you do not call GetSessionToken with AWS account root user |
1034 | // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) | 1104 | // credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) |
1035 | // by creating one or more IAM users, giving them the necessary permissions, | 1105 | // by creating one or more IAM users, giving them the necessary permissions, |
1036 | // and using IAM users for everyday interaction with AWS. | 1106 | // and using IAM users for everyday interaction with AWS. |
1037 | // | 1107 | // |
1038 | // The permissions associated with the temporary security credentials returned | 1108 | // The credentials that are returned by GetSessionToken are based on permissions |
1039 | // by GetSessionToken are based on the permissions associated with account or | 1109 | // associated with the user whose credentials were used to call the operation. |
1040 | // IAM user whose credentials are used to call the action. If GetSessionToken | 1110 | // If GetSessionToken is called using AWS account root user credentials, the |
1041 | // is called using root account credentials, the temporary credentials have | 1111 | // temporary credentials have root user permissions. Similarly, if GetSessionToken |
1042 | // root account permissions. Similarly, if GetSessionToken is called using the | 1112 | // is called using the credentials of an IAM user, the temporary credentials |
1043 | // credentials of an IAM user, the temporary credentials have the same permissions | 1113 | // have the same permissions as the IAM user. |
1044 | // as the IAM user. | ||
1045 | // | 1114 | // |
1046 | // For more information about using GetSessionToken to create temporary credentials, | 1115 | // For more information about using GetSessionToken to create temporary credentials, |
1047 | // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) | 1116 | // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) |
1048 | // in the IAM User Guide. | 1117 | // in the IAM User Guide. |
1049 | // | 1118 | // |
1050 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | 1119 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions |
@@ -1059,7 +1128,7 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request. | |||
1059 | // STS is not activated in the requested region for the account that is being | 1128 | // STS is not activated in the requested region for the account that is being |
1060 | // asked to generate credentials. The account administrator must use the IAM | 1129 | // asked to generate credentials. The account administrator must use the IAM |
1061 | // console to activate STS in that region. For more information, see Activating | 1130 | // console to activate STS in that region. For more information, see Activating |
1062 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | 1131 | // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) |
1063 | // in the IAM User Guide. | 1132 | // in the IAM User Guide. |
1064 | // | 1133 | // |
1065 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken | 1134 | // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken |
@@ -1094,7 +1163,7 @@ type AssumeRoleInput struct { | |||
1094 | // a session duration of 12 hours, but your administrator set the maximum session | 1163 | // a session duration of 12 hours, but your administrator set the maximum session |
1095 | // duration to 6 hours, your operation fails. To learn how to view the maximum | 1164 | // duration to 6 hours, your operation fails. To learn how to view the maximum |
1096 | // value for your role, see View the Maximum Session Duration Setting for a | 1165 | // value for your role, see View the Maximum Session Duration Setting for a |
1097 | // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 1166 | // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
1098 | // in the IAM User Guide. | 1167 | // in the IAM User Guide. |
1099 | // | 1168 | // |
1100 | // By default, the value is set to 3600 seconds. | 1169 | // By default, the value is set to 3600 seconds. |
@@ -1104,51 +1173,77 @@ type AssumeRoleInput struct { | |||
1104 | // to the federation endpoint for a console sign-in token takes a SessionDuration | 1173 | // to the federation endpoint for a console sign-in token takes a SessionDuration |
1105 | // parameter that specifies the maximum length of the console session. For more | 1174 | // parameter that specifies the maximum length of the console session. For more |
1106 | // information, see Creating a URL that Enables Federated Users to Access the | 1175 | // information, see Creating a URL that Enables Federated Users to Access the |
1107 | // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | 1176 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
1108 | // in the IAM User Guide. | 1177 | // in the IAM User Guide. |
1109 | DurationSeconds *int64 `min:"900" type:"integer"` | 1178 | DurationSeconds *int64 `min:"900" type:"integer"` |
1110 | 1179 | ||
1111 | // A unique identifier that is used by third parties when assuming roles in | 1180 | // A unique identifier that might be required when you assume a role in another |
1112 | // their customers' accounts. For each role that the third party can assume, | 1181 | // account. If the administrator of the account to which the role belongs provided |
1113 | // they should instruct their customers to ensure the role's trust policy checks | 1182 | // you with an external ID, then provide that value in the ExternalId parameter. |
1114 | // for the external ID that the third party generated. Each time the third party | 1183 | // This value can be any string, such as a passphrase or account number. A cross-account |
1115 | // assumes the role, they should pass the customer's external ID. The external | 1184 | // role is usually set up to trust everyone in an account. Therefore, the administrator |
1116 | // ID is useful in order to help third parties bind a role to the customer who | 1185 | // of the trusting account might send an external ID to the administrator of |
1117 | // created it. For more information about the external ID, see How to Use an | 1186 | // the trusted account. That way, only someone with the ID can assume the role, |
1118 | // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) | 1187 | // rather than everyone in the account. For more information about the external |
1188 | // ID, see How to Use an External ID When Granting Access to Your AWS Resources | ||
1189 | // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) | ||
1119 | // in the IAM User Guide. | 1190 | // in the IAM User Guide. |
1120 | // | 1191 | // |
1121 | // The regex used to validated this parameter is a string of characters consisting | 1192 | // The regex used to validate this parameter is a string of characters consisting |
1122 | // of upper- and lower-case alphanumeric characters with no spaces. You can | 1193 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
1123 | // also include underscores or any of the following characters: =,.@:/- | 1194 | // also include underscores or any of the following characters: =,.@:/- |
1124 | ExternalId *string `min:"2" type:"string"` | 1195 | ExternalId *string `min:"2" type:"string"` |
1125 | 1196 | ||
1126 | // An IAM policy in JSON format. | 1197 | // An IAM policy in JSON format that you want to use as an inline session policy. |
1127 | // | 1198 | // |
1128 | // This parameter is optional. If you pass a policy, the temporary security | 1199 | // This parameter is optional. Passing policies to this operation returns new |
1129 | // credentials that are returned by the operation have the permissions that | 1200 | // temporary credentials. The resulting session's permissions are the intersection |
1130 | // are allowed by both (the intersection of) the access policy of the role that | 1201 | // of the role's identity-based policy and the session policies. You can use |
1131 | // is being assumed, and the policy that you pass. This gives you a way to further | 1202 | // the role's temporary credentials in subsequent AWS API calls to access resources |
1132 | // restrict the permissions for the resulting temporary security credentials. | 1203 | // in the account that owns the role. You cannot use session policies to grant |
1133 | // You cannot use the passed policy to grant permissions that are in excess | 1204 | // more permissions than those allowed by the identity-based policy of the role |
1134 | // of those allowed by the access policy of the role that is being assumed. | 1205 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
1135 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | ||
1136 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1137 | // in the IAM User Guide. | 1206 | // in the IAM User Guide. |
1138 | // | 1207 | // |
1139 | // The format for this parameter, as described by its regex pattern, is a string | 1208 | // The plain text that you use for both inline and managed session policies |
1140 | // of characters up to 2048 characters in length. The characters can be any | 1209 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII |
1141 | // ASCII character from the space character to the end of the valid character | 1210 | // character from the space character to the end of the valid character list |
1142 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | 1211 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), |
1143 | // and carriage return (\u000D) characters. | 1212 | // and carriage return (\u000D) characters. |
1144 | // | 1213 | // |
1145 | // The policy plain text must be 2048 bytes or shorter. However, an internal | 1214 | // The characters in this parameter count towards the 2048 character session |
1146 | // conversion compresses it into a packed binary format with a separate limit. | 1215 | // policy guideline. However, an AWS conversion compresses the session policies |
1147 | // The PackedPolicySize response element indicates by percentage how close to | 1216 | // into a packed binary format that has a separate limit. This is the enforced |
1148 | // the upper size limit the policy is, with 100% equaling the maximum allowed | 1217 | // limit. The PackedPolicySize response element indicates by percentage how |
1149 | // size. | 1218 | // close the policy is to the upper size limit. |
1150 | Policy *string `min:"1" type:"string"` | 1219 | Policy *string `min:"1" type:"string"` |
1151 | 1220 | ||
1221 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want | ||
1222 | // to use as managed session policies. The policies must exist in the same account | ||
1223 | // as the role. | ||
1224 | // | ||
1225 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | ||
1226 | // However, the plain text that you use for both inline and managed session | ||
1227 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | ||
1228 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | ||
1229 | // in the AWS General Reference. | ||
1230 | // | ||
1231 | // The characters in this parameter count towards the 2048 character session | ||
1232 | // policy guideline. However, an AWS conversion compresses the session policies | ||
1233 | // into a packed binary format that has a separate limit. This is the enforced | ||
1234 | // limit. The PackedPolicySize response element indicates by percentage how | ||
1235 | // close the policy is to the upper size limit. | ||
1236 | // | ||
1237 | // Passing policies to this operation returns new temporary credentials. The | ||
1238 | // resulting session's permissions are the intersection of the role's identity-based | ||
1239 | // policy and the session policies. You can use the role's temporary credentials | ||
1240 | // in subsequent AWS API calls to access resources in the account that owns | ||
1241 | // the role. You cannot use session policies to grant more permissions than | ||
1242 | // those allowed by the identity-based policy of the role that is being assumed. | ||
1243 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
1244 | // in the IAM User Guide. | ||
1245 | PolicyArns []*PolicyDescriptorType `type:"list"` | ||
1246 | |||
1152 | // The Amazon Resource Name (ARN) of the role to assume. | 1247 | // The Amazon Resource Name (ARN) of the role to assume. |
1153 | // | 1248 | // |
1154 | // RoleArn is a required field | 1249 | // RoleArn is a required field |
@@ -1161,8 +1256,8 @@ type AssumeRoleInput struct { | |||
1161 | // scenarios, the role session name is visible to, and can be logged by the | 1256 | // scenarios, the role session name is visible to, and can be logged by the |
1162 | // account that owns the role. The role session name is also used in the ARN | 1257 | // account that owns the role. The role session name is also used in the ARN |
1163 | // of the assumed role principal. This means that subsequent cross-account API | 1258 | // of the assumed role principal. This means that subsequent cross-account API |
1164 | // requests using the temporary security credentials will expose the role session | 1259 | // requests that use the temporary security credentials will expose the role |
1165 | // name to the external account in their CloudTrail logs. | 1260 | // session name to the external account in their AWS CloudTrail logs. |
1166 | // | 1261 | // |
1167 | // The regex used to validate this parameter is a string of characters consisting | 1262 | // The regex used to validate this parameter is a string of characters consisting |
1168 | // of upper- and lower-case alphanumeric characters with no spaces. You can | 1263 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
@@ -1232,6 +1327,16 @@ func (s *AssumeRoleInput) Validate() error { | |||
1232 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | 1327 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { |
1233 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | 1328 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) |
1234 | } | 1329 | } |
1330 | if s.PolicyArns != nil { | ||
1331 | for i, v := range s.PolicyArns { | ||
1332 | if v == nil { | ||
1333 | continue | ||
1334 | } | ||
1335 | if err := v.Validate(); err != nil { | ||
1336 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | ||
1337 | } | ||
1338 | } | ||
1339 | } | ||
1235 | 1340 | ||
1236 | if invalidParams.Len() > 0 { | 1341 | if invalidParams.Len() > 0 { |
1237 | return invalidParams | 1342 | return invalidParams |
@@ -1257,6 +1362,12 @@ func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { | |||
1257 | return s | 1362 | return s |
1258 | } | 1363 | } |
1259 | 1364 | ||
1365 | // SetPolicyArns sets the PolicyArns field's value. | ||
1366 | func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { | ||
1367 | s.PolicyArns = v | ||
1368 | return s | ||
1369 | } | ||
1370 | |||
1260 | // SetRoleArn sets the RoleArn field's value. | 1371 | // SetRoleArn sets the RoleArn field's value. |
1261 | func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { | 1372 | func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { |
1262 | s.RoleArn = &v | 1373 | s.RoleArn = &v |
@@ -1296,10 +1407,8 @@ type AssumeRoleOutput struct { | |||
1296 | // The temporary security credentials, which include an access key ID, a secret | 1407 | // The temporary security credentials, which include an access key ID, a secret |
1297 | // access key, and a security (or session) token. | 1408 | // access key, and a security (or session) token. |
1298 | // | 1409 | // |
1299 | // Note: The size of the security token that STS APIs return is not fixed. We | 1410 | // The size of the security token that STS API operations return is not fixed. |
1300 | // strongly recommend that you make no assumptions about the maximum size. As | 1411 | // We strongly recommend that you make no assumptions about the maximum size. |
1301 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1302 | // Also, future updates to AWS might require larger sizes. | ||
1303 | Credentials *Credentials `type:"structure"` | 1412 | Credentials *Credentials `type:"structure"` |
1304 | 1413 | ||
1305 | // A percentage value that indicates the size of the policy in packed form. | 1414 | // A percentage value that indicates the size of the policy in packed form. |
@@ -1349,7 +1458,7 @@ type AssumeRoleWithSAMLInput struct { | |||
1349 | // specify a session duration of 12 hours, but your administrator set the maximum | 1458 | // specify a session duration of 12 hours, but your administrator set the maximum |
1350 | // session duration to 6 hours, your operation fails. To learn how to view the | 1459 | // session duration to 6 hours, your operation fails. To learn how to view the |
1351 | // maximum value for your role, see View the Maximum Session Duration Setting | 1460 | // maximum value for your role, see View the Maximum Session Duration Setting |
1352 | // for a Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 1461 | // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
1353 | // in the IAM User Guide. | 1462 | // in the IAM User Guide. |
1354 | // | 1463 | // |
1355 | // By default, the value is set to 3600 seconds. | 1464 | // By default, the value is set to 3600 seconds. |
@@ -1359,36 +1468,60 @@ type AssumeRoleWithSAMLInput struct { | |||
1359 | // to the federation endpoint for a console sign-in token takes a SessionDuration | 1468 | // to the federation endpoint for a console sign-in token takes a SessionDuration |
1360 | // parameter that specifies the maximum length of the console session. For more | 1469 | // parameter that specifies the maximum length of the console session. For more |
1361 | // information, see Creating a URL that Enables Federated Users to Access the | 1470 | // information, see Creating a URL that Enables Federated Users to Access the |
1362 | // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | 1471 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
1363 | // in the IAM User Guide. | 1472 | // in the IAM User Guide. |
1364 | DurationSeconds *int64 `min:"900" type:"integer"` | 1473 | DurationSeconds *int64 `min:"900" type:"integer"` |
1365 | 1474 | ||
1366 | // An IAM policy in JSON format. | 1475 | // An IAM policy in JSON format that you want to use as an inline session policy. |
1367 | // | 1476 | // |
1368 | // The policy parameter is optional. If you pass a policy, the temporary security | 1477 | // This parameter is optional. Passing policies to this operation returns new |
1369 | // credentials that are returned by the operation have the permissions that | 1478 | // temporary credentials. The resulting session's permissions are the intersection |
1370 | // are allowed by both the access policy of the role that is being assumed, | 1479 | // of the role's identity-based policy and the session policies. You can use |
1371 | // and the policy that you pass. This gives you a way to further restrict the | 1480 | // the role's temporary credentials in subsequent AWS API calls to access resources |
1372 | // permissions for the resulting temporary security credentials. You cannot | 1481 | // in the account that owns the role. You cannot use session policies to grant |
1373 | // use the passed policy to grant permissions that are in excess of those allowed | 1482 | // more permissions than those allowed by the identity-based policy of the role |
1374 | // by the access policy of the role that is being assumed. For more information, | 1483 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
1375 | // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity | ||
1376 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1377 | // in the IAM User Guide. | 1484 | // in the IAM User Guide. |
1378 | // | 1485 | // |
1379 | // The format for this parameter, as described by its regex pattern, is a string | 1486 | // The plain text that you use for both inline and managed session policies |
1380 | // of characters up to 2048 characters in length. The characters can be any | 1487 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII |
1381 | // ASCII character from the space character to the end of the valid character | 1488 | // character from the space character to the end of the valid character list |
1382 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | 1489 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), |
1383 | // and carriage return (\u000D) characters. | 1490 | // and carriage return (\u000D) characters. |
1384 | // | 1491 | // |
1385 | // The policy plain text must be 2048 bytes or shorter. However, an internal | 1492 | // The characters in this parameter count towards the 2048 character session |
1386 | // conversion compresses it into a packed binary format with a separate limit. | 1493 | // policy guideline. However, an AWS conversion compresses the session policies |
1387 | // The PackedPolicySize response element indicates by percentage how close to | 1494 | // into a packed binary format that has a separate limit. This is the enforced |
1388 | // the upper size limit the policy is, with 100% equaling the maximum allowed | 1495 | // limit. The PackedPolicySize response element indicates by percentage how |
1389 | // size. | 1496 | // close the policy is to the upper size limit. |
1390 | Policy *string `min:"1" type:"string"` | 1497 | Policy *string `min:"1" type:"string"` |
1391 | 1498 | ||
1499 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want | ||
1500 | // to use as managed session policies. The policies must exist in the same account | ||
1501 | // as the role. | ||
1502 | // | ||
1503 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | ||
1504 | // However, the plain text that you use for both inline and managed session | ||
1505 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | ||
1506 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | ||
1507 | // in the AWS General Reference. | ||
1508 | // | ||
1509 | // The characters in this parameter count towards the 2048 character session | ||
1510 | // policy guideline. However, an AWS conversion compresses the session policies | ||
1511 | // into a packed binary format that has a separate limit. This is the enforced | ||
1512 | // limit. The PackedPolicySize response element indicates by percentage how | ||
1513 | // close the policy is to the upper size limit. | ||
1514 | // | ||
1515 | // Passing policies to this operation returns new temporary credentials. The | ||
1516 | // resulting session's permissions are the intersection of the role's identity-based | ||
1517 | // policy and the session policies. You can use the role's temporary credentials | ||
1518 | // in subsequent AWS API calls to access resources in the account that owns | ||
1519 | // the role. You cannot use session policies to grant more permissions than | ||
1520 | // those allowed by the identity-based policy of the role that is being assumed. | ||
1521 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
1522 | // in the IAM User Guide. | ||
1523 | PolicyArns []*PolicyDescriptorType `type:"list"` | ||
1524 | |||
1392 | // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes | 1525 | // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes |
1393 | // the IdP. | 1526 | // the IdP. |
1394 | // | 1527 | // |
@@ -1402,8 +1535,8 @@ type AssumeRoleWithSAMLInput struct { | |||
1402 | 1535 | ||
1403 | // The base-64 encoded SAML authentication response provided by the IdP. | 1536 | // The base-64 encoded SAML authentication response provided by the IdP. |
1404 | // | 1537 | // |
1405 | // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) | 1538 | // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) |
1406 | // in the Using IAM guide. | 1539 | // in the IAM User Guide. |
1407 | // | 1540 | // |
1408 | // SAMLAssertion is a required field | 1541 | // SAMLAssertion is a required field |
1409 | SAMLAssertion *string `min:"4" type:"string" required:"true"` | 1542 | SAMLAssertion *string `min:"4" type:"string" required:"true"` |
@@ -1446,6 +1579,16 @@ func (s *AssumeRoleWithSAMLInput) Validate() error { | |||
1446 | if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { | 1579 | if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { |
1447 | invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) | 1580 | invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) |
1448 | } | 1581 | } |
1582 | if s.PolicyArns != nil { | ||
1583 | for i, v := range s.PolicyArns { | ||
1584 | if v == nil { | ||
1585 | continue | ||
1586 | } | ||
1587 | if err := v.Validate(); err != nil { | ||
1588 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | ||
1589 | } | ||
1590 | } | ||
1591 | } | ||
1449 | 1592 | ||
1450 | if invalidParams.Len() > 0 { | 1593 | if invalidParams.Len() > 0 { |
1451 | return invalidParams | 1594 | return invalidParams |
@@ -1465,6 +1608,12 @@ func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { | |||
1465 | return s | 1608 | return s |
1466 | } | 1609 | } |
1467 | 1610 | ||
1611 | // SetPolicyArns sets the PolicyArns field's value. | ||
1612 | func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { | ||
1613 | s.PolicyArns = v | ||
1614 | return s | ||
1615 | } | ||
1616 | |||
1468 | // SetPrincipalArn sets the PrincipalArn field's value. | 1617 | // SetPrincipalArn sets the PrincipalArn field's value. |
1469 | func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { | 1618 | func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { |
1470 | s.PrincipalArn = &v | 1619 | s.PrincipalArn = &v |
@@ -1499,10 +1648,8 @@ type AssumeRoleWithSAMLOutput struct { | |||
1499 | // The temporary security credentials, which include an access key ID, a secret | 1648 | // The temporary security credentials, which include an access key ID, a secret |
1500 | // access key, and a security (or session) token. | 1649 | // access key, and a security (or session) token. |
1501 | // | 1650 | // |
1502 | // Note: The size of the security token that STS APIs return is not fixed. We | 1651 | // The size of the security token that STS API operations return is not fixed. |
1503 | // strongly recommend that you make no assumptions about the maximum size. As | 1652 | // We strongly recommend that you make no assumptions about the maximum size. |
1504 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1505 | // Also, future updates to AWS might require larger sizes. | ||
1506 | Credentials *Credentials `type:"structure"` | 1653 | Credentials *Credentials `type:"structure"` |
1507 | 1654 | ||
1508 | // The value of the Issuer element of the SAML assertion. | 1655 | // The value of the Issuer element of the SAML assertion. |
@@ -1606,7 +1753,7 @@ type AssumeRoleWithWebIdentityInput struct { | |||
1606 | // a session duration of 12 hours, but your administrator set the maximum session | 1753 | // a session duration of 12 hours, but your administrator set the maximum session |
1607 | // duration to 6 hours, your operation fails. To learn how to view the maximum | 1754 | // duration to 6 hours, your operation fails. To learn how to view the maximum |
1608 | // value for your role, see View the Maximum Session Duration Setting for a | 1755 | // value for your role, see View the Maximum Session Duration Setting for a |
1609 | // Role (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) | 1756 | // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) |
1610 | // in the IAM User Guide. | 1757 | // in the IAM User Guide. |
1611 | // | 1758 | // |
1612 | // By default, the value is set to 3600 seconds. | 1759 | // By default, the value is set to 3600 seconds. |
@@ -1616,35 +1763,60 @@ type AssumeRoleWithWebIdentityInput struct { | |||
1616 | // to the federation endpoint for a console sign-in token takes a SessionDuration | 1763 | // to the federation endpoint for a console sign-in token takes a SessionDuration |
1617 | // parameter that specifies the maximum length of the console session. For more | 1764 | // parameter that specifies the maximum length of the console session. For more |
1618 | // information, see Creating a URL that Enables Federated Users to Access the | 1765 | // information, see Creating a URL that Enables Federated Users to Access the |
1619 | // AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | 1766 | // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) |
1620 | // in the IAM User Guide. | 1767 | // in the IAM User Guide. |
1621 | DurationSeconds *int64 `min:"900" type:"integer"` | 1768 | DurationSeconds *int64 `min:"900" type:"integer"` |
1622 | 1769 | ||
1623 | // An IAM policy in JSON format. | 1770 | // An IAM policy in JSON format that you want to use as an inline session policy. |
1624 | // | 1771 | // |
1625 | // The policy parameter is optional. If you pass a policy, the temporary security | 1772 | // This parameter is optional. Passing policies to this operation returns new |
1626 | // credentials that are returned by the operation have the permissions that | 1773 | // temporary credentials. The resulting session's permissions are the intersection |
1627 | // are allowed by both the access policy of the role that is being assumed, | 1774 | // of the role's identity-based policy and the session policies. You can use |
1628 | // and the policy that you pass. This gives you a way to further restrict the | 1775 | // the role's temporary credentials in subsequent AWS API calls to access resources |
1629 | // permissions for the resulting temporary security credentials. You cannot | 1776 | // in the account that owns the role. You cannot use session policies to grant |
1630 | // use the passed policy to grant permissions that are in excess of those allowed | 1777 | // more permissions than those allowed by the identity-based policy of the role |
1631 | // by the access policy of the role that is being assumed. For more information, | 1778 | // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
1632 | // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1633 | // in the IAM User Guide. | 1779 | // in the IAM User Guide. |
1634 | // | 1780 | // |
1635 | // The format for this parameter, as described by its regex pattern, is a string | 1781 | // The plain text that you use for both inline and managed session policies |
1636 | // of characters up to 2048 characters in length. The characters can be any | 1782 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII |
1637 | // ASCII character from the space character to the end of the valid character | 1783 | // character from the space character to the end of the valid character list |
1638 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | 1784 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), |
1639 | // and carriage return (\u000D) characters. | 1785 | // and carriage return (\u000D) characters. |
1640 | // | 1786 | // |
1641 | // The policy plain text must be 2048 bytes or shorter. However, an internal | 1787 | // The characters in this parameter count towards the 2048 character session |
1642 | // conversion compresses it into a packed binary format with a separate limit. | 1788 | // policy guideline. However, an AWS conversion compresses the session policies |
1643 | // The PackedPolicySize response element indicates by percentage how close to | 1789 | // into a packed binary format that has a separate limit. This is the enforced |
1644 | // the upper size limit the policy is, with 100% equaling the maximum allowed | 1790 | // limit. The PackedPolicySize response element indicates by percentage how |
1645 | // size. | 1791 | // close the policy is to the upper size limit. |
1646 | Policy *string `min:"1" type:"string"` | 1792 | Policy *string `min:"1" type:"string"` |
1647 | 1793 | ||
1794 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want | ||
1795 | // to use as managed session policies. The policies must exist in the same account | ||
1796 | // as the role. | ||
1797 | // | ||
1798 | // This parameter is optional. You can provide up to 10 managed policy ARNs. | ||
1799 | // However, the plain text that you use for both inline and managed session | ||
1800 | // policies shouldn't exceed 2048 characters. For more information about ARNs, | ||
1801 | // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | ||
1802 | // in the AWS General Reference. | ||
1803 | // | ||
1804 | // The characters in this parameter count towards the 2048 character session | ||
1805 | // policy guideline. However, an AWS conversion compresses the session policies | ||
1806 | // into a packed binary format that has a separate limit. This is the enforced | ||
1807 | // limit. The PackedPolicySize response element indicates by percentage how | ||
1808 | // close the policy is to the upper size limit. | ||
1809 | // | ||
1810 | // Passing policies to this operation returns new temporary credentials. The | ||
1811 | // resulting session's permissions are the intersection of the role's identity-based | ||
1812 | // policy and the session policies. You can use the role's temporary credentials | ||
1813 | // in subsequent AWS API calls to access resources in the account that owns | ||
1814 | // the role. You cannot use session policies to grant more permissions than | ||
1815 | // those allowed by the identity-based policy of the role that is being assumed. | ||
1816 | // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
1817 | // in the IAM User Guide. | ||
1818 | PolicyArns []*PolicyDescriptorType `type:"list"` | ||
1819 | |||
1648 | // The fully qualified host component of the domain name of the identity provider. | 1820 | // The fully qualified host component of the domain name of the identity provider. |
1649 | // | 1821 | // |
1650 | // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com | 1822 | // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com |
@@ -1721,6 +1893,16 @@ func (s *AssumeRoleWithWebIdentityInput) Validate() error { | |||
1721 | if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { | 1893 | if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { |
1722 | invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) | 1894 | invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) |
1723 | } | 1895 | } |
1896 | if s.PolicyArns != nil { | ||
1897 | for i, v := range s.PolicyArns { | ||
1898 | if v == nil { | ||
1899 | continue | ||
1900 | } | ||
1901 | if err := v.Validate(); err != nil { | ||
1902 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | ||
1903 | } | ||
1904 | } | ||
1905 | } | ||
1724 | 1906 | ||
1725 | if invalidParams.Len() > 0 { | 1907 | if invalidParams.Len() > 0 { |
1726 | return invalidParams | 1908 | return invalidParams |
@@ -1740,6 +1922,12 @@ func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebI | |||
1740 | return s | 1922 | return s |
1741 | } | 1923 | } |
1742 | 1924 | ||
1925 | // SetPolicyArns sets the PolicyArns field's value. | ||
1926 | func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { | ||
1927 | s.PolicyArns = v | ||
1928 | return s | ||
1929 | } | ||
1930 | |||
1743 | // SetProviderId sets the ProviderId field's value. | 1931 | // SetProviderId sets the ProviderId field's value. |
1744 | func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { | 1932 | func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { |
1745 | s.ProviderId = &v | 1933 | s.ProviderId = &v |
@@ -1784,10 +1972,8 @@ type AssumeRoleWithWebIdentityOutput struct { | |||
1784 | // The temporary security credentials, which include an access key ID, a secret | 1972 | // The temporary security credentials, which include an access key ID, a secret |
1785 | // access key, and a security token. | 1973 | // access key, and a security token. |
1786 | // | 1974 | // |
1787 | // Note: The size of the security token that STS APIs return is not fixed. We | 1975 | // The size of the security token that STS API operations return is not fixed. |
1788 | // strongly recommend that you make no assumptions about the maximum size. As | 1976 | // We strongly recommend that you make no assumptions about the maximum size. |
1789 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1790 | // Also, future updates to AWS might require larger sizes. | ||
1791 | Credentials *Credentials `type:"structure"` | 1977 | Credentials *Credentials `type:"structure"` |
1792 | 1978 | ||
1793 | // A percentage value that indicates the size of the policy in packed form. | 1979 | // A percentage value that indicates the size of the policy in packed form. |
@@ -1796,7 +1982,7 @@ type AssumeRoleWithWebIdentityOutput struct { | |||
1796 | PackedPolicySize *int64 `type:"integer"` | 1982 | PackedPolicySize *int64 `type:"integer"` |
1797 | 1983 | ||
1798 | // The issuing authority of the web identity token presented. For OpenID Connect | 1984 | // The issuing authority of the web identity token presented. For OpenID Connect |
1799 | // ID Tokens this contains the value of the iss field. For OAuth 2.0 access | 1985 | // ID tokens, this contains the value of the iss field. For OAuth 2.0 access |
1800 | // tokens, this contains the value of the ProviderId parameter that was passed | 1986 | // tokens, this contains the value of the ProviderId parameter that was passed |
1801 | // in the AssumeRoleWithWebIdentity request. | 1987 | // in the AssumeRoleWithWebIdentity request. |
1802 | Provider *string `type:"string"` | 1988 | Provider *string `type:"string"` |
@@ -1863,7 +2049,7 @@ type AssumedRoleUser struct { | |||
1863 | 2049 | ||
1864 | // The ARN of the temporary security credentials that are returned from the | 2050 | // The ARN of the temporary security credentials that are returned from the |
1865 | // AssumeRole action. For more information about ARNs and how to use them in | 2051 | // AssumeRole action. For more information about ARNs and how to use them in |
1866 | // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | 2052 | // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) |
1867 | // in Using IAM. | 2053 | // in Using IAM. |
1868 | // | 2054 | // |
1869 | // Arn is a required field | 2055 | // Arn is a required field |
@@ -2031,7 +2217,7 @@ type FederatedUser struct { | |||
2031 | 2217 | ||
2032 | // The ARN that specifies the federated user that is associated with the credentials. | 2218 | // The ARN that specifies the federated user that is associated with the credentials. |
2033 | // For more information about ARNs and how to use them in policies, see IAM | 2219 | // For more information about ARNs and how to use them in policies, see IAM |
2034 | // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | 2220 | // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) |
2035 | // in Using IAM. | 2221 | // in Using IAM. |
2036 | // | 2222 | // |
2037 | // Arn is a required field | 2223 | // Arn is a required field |
@@ -2066,6 +2252,73 @@ func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { | |||
2066 | return s | 2252 | return s |
2067 | } | 2253 | } |
2068 | 2254 | ||
2255 | type GetAccessKeyInfoInput struct { | ||
2256 | _ struct{} `type:"structure"` | ||
2257 | |||
2258 | // The identifier of an access key. | ||
2259 | // | ||
2260 | // This parameter allows (through its regex pattern) a string of characters | ||
2261 | // that can consist of any upper- or lowercased letter or digit. | ||
2262 | // | ||
2263 | // AccessKeyId is a required field | ||
2264 | AccessKeyId *string `min:"16" type:"string" required:"true"` | ||
2265 | } | ||
2266 | |||
2267 | // String returns the string representation | ||
2268 | func (s GetAccessKeyInfoInput) String() string { | ||
2269 | return awsutil.Prettify(s) | ||
2270 | } | ||
2271 | |||
2272 | // GoString returns the string representation | ||
2273 | func (s GetAccessKeyInfoInput) GoString() string { | ||
2274 | return s.String() | ||
2275 | } | ||
2276 | |||
2277 | // Validate inspects the fields of the type to determine if they are valid. | ||
2278 | func (s *GetAccessKeyInfoInput) Validate() error { | ||
2279 | invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} | ||
2280 | if s.AccessKeyId == nil { | ||
2281 | invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) | ||
2282 | } | ||
2283 | if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { | ||
2284 | invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) | ||
2285 | } | ||
2286 | |||
2287 | if invalidParams.Len() > 0 { | ||
2288 | return invalidParams | ||
2289 | } | ||
2290 | return nil | ||
2291 | } | ||
2292 | |||
2293 | // SetAccessKeyId sets the AccessKeyId field's value. | ||
2294 | func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { | ||
2295 | s.AccessKeyId = &v | ||
2296 | return s | ||
2297 | } | ||
2298 | |||
2299 | type GetAccessKeyInfoOutput struct { | ||
2300 | _ struct{} `type:"structure"` | ||
2301 | |||
2302 | // The number used to identify the AWS account. | ||
2303 | Account *string `type:"string"` | ||
2304 | } | ||
2305 | |||
2306 | // String returns the string representation | ||
2307 | func (s GetAccessKeyInfoOutput) String() string { | ||
2308 | return awsutil.Prettify(s) | ||
2309 | } | ||
2310 | |||
2311 | // GoString returns the string representation | ||
2312 | func (s GetAccessKeyInfoOutput) GoString() string { | ||
2313 | return s.String() | ||
2314 | } | ||
2315 | |||
2316 | // SetAccount sets the Account field's value. | ||
2317 | func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { | ||
2318 | s.Account = &v | ||
2319 | return s | ||
2320 | } | ||
2321 | |||
2069 | type GetCallerIdentityInput struct { | 2322 | type GetCallerIdentityInput struct { |
2070 | _ struct{} `type:"structure"` | 2323 | _ struct{} `type:"structure"` |
2071 | } | 2324 | } |
@@ -2093,8 +2346,8 @@ type GetCallerIdentityOutput struct { | |||
2093 | Arn *string `min:"20" type:"string"` | 2346 | Arn *string `min:"20" type:"string"` |
2094 | 2347 | ||
2095 | // The unique identifier of the calling entity. The exact value depends on the | 2348 | // The unique identifier of the calling entity. The exact value depends on the |
2096 | // type of entity making the call. The values returned are those listed in the | 2349 | // type of entity that is making the call. The values returned are those listed |
2097 | // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) | 2350 | // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) |
2098 | // found on the Policy Variables reference page in the IAM User Guide. | 2351 | // found on the Policy Variables reference page in the IAM User Guide. |
2099 | UserId *string `type:"string"` | 2352 | UserId *string `type:"string"` |
2100 | } | 2353 | } |
@@ -2131,12 +2384,11 @@ type GetFederationTokenInput struct { | |||
2131 | _ struct{} `type:"structure"` | 2384 | _ struct{} `type:"structure"` |
2132 | 2385 | ||
2133 | // The duration, in seconds, that the session should last. Acceptable durations | 2386 | // The duration, in seconds, that the session should last. Acceptable durations |
2134 | // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds | 2387 | // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds |
2135 | // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained | 2388 | // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained |
2136 | // using AWS account (root) credentials are restricted to a maximum of 3600 | 2389 | // using AWS account root user credentials are restricted to a maximum of 3,600 |
2137 | // seconds (one hour). If the specified duration is longer than one hour, the | 2390 | // seconds (one hour). If the specified duration is longer than one hour, the |
2138 | // session obtained by using AWS account (root) credentials defaults to one | 2391 | // session obtained by using root user credentials defaults to one hour. |
2139 | // hour. | ||
2140 | DurationSeconds *int64 `min:"900" type:"integer"` | 2392 | DurationSeconds *int64 `min:"900" type:"integer"` |
2141 | 2393 | ||
2142 | // The name of the federated user. The name is used as an identifier for the | 2394 | // The name of the federated user. The name is used as an identifier for the |
@@ -2151,36 +2403,73 @@ type GetFederationTokenInput struct { | |||
2151 | // Name is a required field | 2403 | // Name is a required field |
2152 | Name *string `min:"2" type:"string" required:"true"` | 2404 | Name *string `min:"2" type:"string" required:"true"` |
2153 | 2405 | ||
2154 | // An IAM policy in JSON format that is passed with the GetFederationToken call | 2406 | // An IAM policy in JSON format that you want to use as an inline session policy. |
2155 | // and evaluated along with the policy or policies that are attached to the | 2407 | // |
2156 | // IAM user whose credentials are used to call GetFederationToken. The passed | 2408 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) |
2157 | // policy is used to scope down the permissions that are available to the IAM | 2409 | // to this operation. You can pass a single JSON policy document to use as an |
2158 | // user, by allowing only a subset of the permissions that are granted to the | 2410 | // inline session policy. You can also specify up to 10 managed policies to |
2159 | // IAM user. The passed policy cannot grant more permissions than those granted | 2411 | // use as managed session policies. |
2160 | // to the IAM user. The final permissions for the federated user are the most | ||
2161 | // restrictive set based on the intersection of the passed policy and the IAM | ||
2162 | // user policy. | ||
2163 | // | ||
2164 | // If you do not pass a policy, the resulting temporary security credentials | ||
2165 | // have no effective permissions. The only exception is when the temporary security | ||
2166 | // credentials are used to access a resource that has a resource-based policy | ||
2167 | // that specifically allows the federated user to access the resource. | ||
2168 | // | ||
2169 | // The format for this parameter, as described by its regex pattern, is a string | ||
2170 | // of characters up to 2048 characters in length. The characters can be any | ||
2171 | // ASCII character from the space character to the end of the valid character | ||
2172 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
2173 | // and carriage return (\u000D) characters. | ||
2174 | // | 2412 | // |
2175 | // The policy plain text must be 2048 bytes or shorter. However, an internal | 2413 | // This parameter is optional. However, if you do not pass any session policies, |
2176 | // conversion compresses it into a packed binary format with a separate limit. | 2414 | // then the resulting federated user session has no permissions. The only exception |
2177 | // The PackedPolicySize response element indicates by percentage how close to | 2415 | // is when the credentials are used to access a resource that has a resource-based |
2178 | // the upper size limit the policy is, with 100% equaling the maximum allowed | 2416 | // policy that specifically references the federated user session in the Principal |
2179 | // size. | 2417 | // element of the policy. |
2180 | // | 2418 | // |
2181 | // For more information about how permissions work, see Permissions for GetFederationToken | 2419 | // When you pass session policies, the session permissions are the intersection |
2182 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | 2420 | // of the IAM user policies and the session policies that you pass. This gives |
2421 | // you a way to further restrict the permissions for a federated user. You cannot | ||
2422 | // use session policies to grant more permissions than those that are defined | ||
2423 | // in the permissions policy of the IAM user. For more information, see Session | ||
2424 | // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
2425 | // in the IAM User Guide. | ||
2426 | // | ||
2427 | // The plain text that you use for both inline and managed session policies | ||
2428 | // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII | ||
2429 | // character from the space character to the end of the valid character list | ||
2430 | // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
2431 | // and carriage return (\u000D) characters. | ||
2432 | // | ||
2433 | // The characters in this parameter count towards the 2048 character session | ||
2434 | // policy guideline. However, an AWS conversion compresses the session policies | ||
2435 | // into a packed binary format that has a separate limit. This is the enforced | ||
2436 | // limit. The PackedPolicySize response element indicates by percentage how | ||
2437 | // close the policy is to the upper size limit. | ||
2183 | Policy *string `min:"1" type:"string"` | 2438 | Policy *string `min:"1" type:"string"` |
2439 | |||
2440 | // The Amazon Resource Names (ARNs) of the IAM managed policies that you want | ||
2441 | // to use as a managed session policy. The policies must exist in the same account | ||
2442 | // as the IAM user that is requesting federated access. | ||
2443 | // | ||
2444 | // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
2445 | // to this operation. You can pass a single JSON policy document to use as an | ||
2446 | // inline session policy. You can also specify up to 10 managed policies to | ||
2447 | // use as managed session policies. The plain text that you use for both inline | ||
2448 | // and managed session policies shouldn't exceed 2048 characters. You can provide | ||
2449 | // up to 10 managed policy ARNs. For more information about ARNs, see Amazon | ||
2450 | // Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html) | ||
2451 | // in the AWS General Reference. | ||
2452 | // | ||
2453 | // This parameter is optional. However, if you do not pass any session policies, | ||
2454 | // then the resulting federated user session has no permissions. The only exception | ||
2455 | // is when the credentials are used to access a resource that has a resource-based | ||
2456 | // policy that specifically references the federated user session in the Principal | ||
2457 | // element of the policy. | ||
2458 | // | ||
2459 | // When you pass session policies, the session permissions are the intersection | ||
2460 | // of the IAM user policies and the session policies that you pass. This gives | ||
2461 | // you a way to further restrict the permissions for a federated user. You cannot | ||
2462 | // use session policies to grant more permissions than those that are defined | ||
2463 | // in the permissions policy of the IAM user. For more information, see Session | ||
2464 | // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) | ||
2465 | // in the IAM User Guide. | ||
2466 | // | ||
2467 | // The characters in this parameter count towards the 2048 character session | ||
2468 | // policy guideline. However, an AWS conversion compresses the session policies | ||
2469 | // into a packed binary format that has a separate limit. This is the enforced | ||
2470 | // limit. The PackedPolicySize response element indicates by percentage how | ||
2471 | // close the policy is to the upper size limit. | ||
2472 | PolicyArns []*PolicyDescriptorType `type:"list"` | ||
2184 | } | 2473 | } |
2185 | 2474 | ||
2186 | // String returns the string representation | 2475 | // String returns the string representation |
@@ -2208,6 +2497,16 @@ func (s *GetFederationTokenInput) Validate() error { | |||
2208 | if s.Policy != nil && len(*s.Policy) < 1 { | 2497 | if s.Policy != nil && len(*s.Policy) < 1 { |
2209 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | 2498 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) |
2210 | } | 2499 | } |
2500 | if s.PolicyArns != nil { | ||
2501 | for i, v := range s.PolicyArns { | ||
2502 | if v == nil { | ||
2503 | continue | ||
2504 | } | ||
2505 | if err := v.Validate(); err != nil { | ||
2506 | invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) | ||
2507 | } | ||
2508 | } | ||
2509 | } | ||
2211 | 2510 | ||
2212 | if invalidParams.Len() > 0 { | 2511 | if invalidParams.Len() > 0 { |
2213 | return invalidParams | 2512 | return invalidParams |
@@ -2233,6 +2532,12 @@ func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { | |||
2233 | return s | 2532 | return s |
2234 | } | 2533 | } |
2235 | 2534 | ||
2535 | // SetPolicyArns sets the PolicyArns field's value. | ||
2536 | func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { | ||
2537 | s.PolicyArns = v | ||
2538 | return s | ||
2539 | } | ||
2540 | |||
2236 | // Contains the response to a successful GetFederationToken request, including | 2541 | // Contains the response to a successful GetFederationToken request, including |
2237 | // temporary AWS credentials that can be used to make AWS requests. | 2542 | // temporary AWS credentials that can be used to make AWS requests. |
2238 | type GetFederationTokenOutput struct { | 2543 | type GetFederationTokenOutput struct { |
@@ -2241,10 +2546,8 @@ type GetFederationTokenOutput struct { | |||
2241 | // The temporary security credentials, which include an access key ID, a secret | 2546 | // The temporary security credentials, which include an access key ID, a secret |
2242 | // access key, and a security (or session) token. | 2547 | // access key, and a security (or session) token. |
2243 | // | 2548 | // |
2244 | // Note: The size of the security token that STS APIs return is not fixed. We | 2549 | // The size of the security token that STS API operations return is not fixed. |
2245 | // strongly recommend that you make no assumptions about the maximum size. As | 2550 | // We strongly recommend that you make no assumptions about the maximum size. |
2246 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
2247 | // Also, future updates to AWS might require larger sizes. | ||
2248 | Credentials *Credentials `type:"structure"` | 2551 | Credentials *Credentials `type:"structure"` |
2249 | 2552 | ||
2250 | // Identifiers for the federated user associated with the credentials (such | 2553 | // Identifiers for the federated user associated with the credentials (such |
@@ -2291,11 +2594,11 @@ type GetSessionTokenInput struct { | |||
2291 | _ struct{} `type:"structure"` | 2594 | _ struct{} `type:"structure"` |
2292 | 2595 | ||
2293 | // The duration, in seconds, that the credentials should remain valid. Acceptable | 2596 | // The duration, in seconds, that the credentials should remain valid. Acceptable |
2294 | // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 | 2597 | // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 |
2295 | // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions | 2598 | // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions |
2296 | // for AWS account owners are restricted to a maximum of 3600 seconds (one hour). | 2599 | // for AWS account owners are restricted to a maximum of 3,600 seconds (one |
2297 | // If the duration is longer than one hour, the session for AWS account owners | 2600 | // hour). If the duration is longer than one hour, the session for AWS account |
2298 | // defaults to one hour. | 2601 | // owners defaults to one hour. |
2299 | DurationSeconds *int64 `min:"900" type:"integer"` | 2602 | DurationSeconds *int64 `min:"900" type:"integer"` |
2300 | 2603 | ||
2301 | // The identification number of the MFA device that is associated with the IAM | 2604 | // The identification number of the MFA device that is associated with the IAM |
@@ -2306,16 +2609,16 @@ type GetSessionTokenInput struct { | |||
2306 | // You can find the device for an IAM user by going to the AWS Management Console | 2609 | // You can find the device for an IAM user by going to the AWS Management Console |
2307 | // and viewing the user's security credentials. | 2610 | // and viewing the user's security credentials. |
2308 | // | 2611 | // |
2309 | // The regex used to validated this parameter is a string of characters consisting | 2612 | // The regex used to validate this parameter is a string of characters consisting |
2310 | // of upper- and lower-case alphanumeric characters with no spaces. You can | 2613 | // of upper- and lower-case alphanumeric characters with no spaces. You can |
2311 | // also include underscores or any of the following characters: =,.@:/- | 2614 | // also include underscores or any of the following characters: =,.@:/- |
2312 | SerialNumber *string `min:"9" type:"string"` | 2615 | SerialNumber *string `min:"9" type:"string"` |
2313 | 2616 | ||
2314 | // The value provided by the MFA device, if MFA is required. If any policy requires | 2617 | // The value provided by the MFA device, if MFA is required. If any policy requires |
2315 | // the IAM user to submit an MFA code, specify this value. If MFA authentication | 2618 | // the IAM user to submit an MFA code, specify this value. If MFA authentication |
2316 | // is required, and the user does not provide a code when requesting a set of | 2619 | // is required, the user must provide a code when requesting a set of temporary |
2317 | // temporary security credentials, the user will receive an "access denied" | 2620 | // security credentials. A user who fails to provide the code receives an "access |
2318 | // response when requesting resources that require MFA authentication. | 2621 | // denied" response when requesting resources that require MFA authentication. |
2319 | // | 2622 | // |
2320 | // The format for this parameter, as described by its regex pattern, is a sequence | 2623 | // The format for this parameter, as described by its regex pattern, is a sequence |
2321 | // of six numeric digits. | 2624 | // of six numeric digits. |
@@ -2377,10 +2680,8 @@ type GetSessionTokenOutput struct { | |||
2377 | // The temporary security credentials, which include an access key ID, a secret | 2680 | // The temporary security credentials, which include an access key ID, a secret |
2378 | // access key, and a security (or session) token. | 2681 | // access key, and a security (or session) token. |
2379 | // | 2682 | // |
2380 | // Note: The size of the security token that STS APIs return is not fixed. We | 2683 | // The size of the security token that STS API operations return is not fixed. |
2381 | // strongly recommend that you make no assumptions about the maximum size. As | 2684 | // We strongly recommend that you make no assumptions about the maximum size. |
2382 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
2383 | // Also, future updates to AWS might require larger sizes. | ||
2384 | Credentials *Credentials `type:"structure"` | 2685 | Credentials *Credentials `type:"structure"` |
2385 | } | 2686 | } |
2386 | 2687 | ||
@@ -2399,3 +2700,44 @@ func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenO | |||
2399 | s.Credentials = v | 2700 | s.Credentials = v |
2400 | return s | 2701 | return s |
2401 | } | 2702 | } |
2703 | |||
2704 | // A reference to the IAM managed policy that is passed as a session policy | ||
2705 | // for a role session or a federated user session. | ||
2706 | type PolicyDescriptorType struct { | ||
2707 | _ struct{} `type:"structure"` | ||
2708 | |||
2709 | // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session | ||
2710 | // policy for the role. For more information about ARNs, see Amazon Resource | ||
2711 | // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) | ||
2712 | // in the AWS General Reference. | ||
2713 | Arn *string `locationName:"arn" min:"20" type:"string"` | ||
2714 | } | ||
2715 | |||
2716 | // String returns the string representation | ||
2717 | func (s PolicyDescriptorType) String() string { | ||
2718 | return awsutil.Prettify(s) | ||
2719 | } | ||
2720 | |||
2721 | // GoString returns the string representation | ||
2722 | func (s PolicyDescriptorType) GoString() string { | ||
2723 | return s.String() | ||
2724 | } | ||
2725 | |||
2726 | // Validate inspects the fields of the type to determine if they are valid. | ||
2727 | func (s *PolicyDescriptorType) Validate() error { | ||
2728 | invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} | ||
2729 | if s.Arn != nil && len(*s.Arn) < 20 { | ||
2730 | invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) | ||
2731 | } | ||
2732 | |||
2733 | if invalidParams.Len() > 0 { | ||
2734 | return invalidParams | ||
2735 | } | ||
2736 | return nil | ||
2737 | } | ||
2738 | |||
2739 | // SetArn sets the Arn field's value. | ||
2740 | func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { | ||
2741 | s.Arn = &v | ||
2742 | return s | ||
2743 | } | ||