Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/service/sts')
5 files changed, 2667 insertions, 0 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go new file mode 100644 index 0000000..2de6528 --- /dev/null +++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go | |||
@@ -0,0 +1,2365 @@ | |||
1 | // Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. | ||
2 | |||
3 | package sts | ||
4 | |||
5 | import ( | ||
6 | "time" | ||
7 | |||
8 | "github.com/aws/aws-sdk-go/aws" | ||
9 | "github.com/aws/aws-sdk-go/aws/awsutil" | ||
10 | "github.com/aws/aws-sdk-go/aws/request" | ||
11 | ) | ||
12 | |||
13 | const opAssumeRole = "AssumeRole" | ||
14 | |||
15 | // AssumeRoleRequest generates a "aws/request.Request" representing the | ||
16 | // client's request for the AssumeRole operation. The "output" return | ||
17 | // value can be used to capture response data after the request's "Send" method | ||
18 | // is called. | ||
19 | // | ||
20 | // See AssumeRole for usage and error information. | ||
21 | // | ||
22 | // Creating a request object using this method should be used when you want to inject | ||
23 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
24 | // access properties on the request object before or after sending the request. If | ||
25 | // you just want the service response, call the AssumeRole method directly | ||
26 | // instead. | ||
27 | // | ||
28 | // Note: You must call the "Send" method on the returned request object in order | ||
29 | // to execute the request. | ||
30 | // | ||
31 | // // Example sending a request using the AssumeRoleRequest method. | ||
32 | // req, resp := client.AssumeRoleRequest(params) | ||
33 | // | ||
34 | // err := req.Send() | ||
35 | // if err == nil { // resp is now filled | ||
36 | // fmt.Println(resp) | ||
37 | // } | ||
38 | // | ||
39 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole | ||
40 | func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { | ||
41 | op := &request.Operation{ | ||
42 | Name: opAssumeRole, | ||
43 | HTTPMethod: "POST", | ||
44 | HTTPPath: "/", | ||
45 | } | ||
46 | |||
47 | if input == nil { | ||
48 | input = &AssumeRoleInput{} | ||
49 | } | ||
50 | |||
51 | output = &AssumeRoleOutput{} | ||
52 | req = c.newRequest(op, input, output) | ||
53 | return | ||
54 | } | ||
55 | |||
56 | // AssumeRole API operation for AWS Security Token Service. | ||
57 | // | ||
58 | // Returns a set of temporary security credentials (consisting of an access | ||
59 | // key ID, a secret access key, and a security token) that you can use to access | ||
60 | // AWS resources that you might not normally have access to. Typically, you | ||
61 | // use AssumeRole for cross-account access or federation. For a comparison of | ||
62 | // AssumeRole with the other APIs that produce temporary credentials, see Requesting | ||
63 | // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | ||
64 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
65 | // in the IAM User Guide. | ||
66 | // | ||
67 | // Important: You cannot call AssumeRole by using AWS root account credentials; | ||
68 | // access is denied. You must use credentials for an IAM user or an IAM role | ||
69 | // to call AssumeRole. | ||
70 | // | ||
71 | // For cross-account access, imagine that you own multiple accounts and need | ||
72 | // to access resources in each account. You could create long-term credentials | ||
73 | // in each account to access those resources. However, managing all those credentials | ||
74 | // and remembering which one can access which account can be time consuming. | ||
75 | // Instead, you can create one set of long-term credentials in one account and | ||
76 | // then use temporary security credentials to access all the other accounts | ||
77 | // by assuming roles in those accounts. For more information about roles, see | ||
78 | // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html) | ||
79 | // in the IAM User Guide. | ||
80 | // | ||
81 | // For federation, you can, for example, grant single sign-on access to the | ||
82 | // AWS Management Console. If you already have an identity and authentication | ||
83 | // system in your corporate network, you don't have to recreate user identities | ||
84 | // in AWS in order to grant those user identities access to AWS. Instead, after | ||
85 | // a user has been authenticated, you call AssumeRole (and specify the role | ||
86 | // with the appropriate permissions) to get temporary security credentials for | ||
87 | // that user. With those temporary security credentials, you construct a sign-in | ||
88 | // URL that users can use to access the console. For more information, see Common | ||
89 | // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction) | ||
90 | // in the IAM User Guide. | ||
91 | // | ||
92 | // The temporary security credentials are valid for the duration that you specified | ||
93 | // when calling AssumeRole, which can be from 900 seconds (15 minutes) to a | ||
94 | // maximum of 3600 seconds (1 hour). The default is 1 hour. | ||
95 | // | ||
96 | // The temporary security credentials created by AssumeRole can be used to make | ||
97 | // API calls to any AWS service with the following exception: you cannot call | ||
98 | // the STS service's GetFederationToken or GetSessionToken APIs. | ||
99 | // | ||
100 | // Optionally, you can pass an IAM access policy to this operation. If you choose | ||
101 | // not to pass a policy, the temporary security credentials that are returned | ||
102 | // by the operation have the permissions that are defined in the access policy | ||
103 | // of the role that is being assumed. If you pass a policy to this operation, | ||
104 | // the temporary security credentials that are returned by the operation have | ||
105 | // the permissions that are allowed by both the access policy of the role that | ||
106 | // is being assumed, and the policy that you pass. This gives you a way to further | ||
107 | // restrict the permissions for the resulting temporary security credentials. | ||
108 | // You cannot use the passed policy to grant permissions that are in excess | ||
109 | // of those allowed by the access policy of the role that is being assumed. | ||
110 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | ||
111 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
112 | // in the IAM User Guide. | ||
113 | // | ||
114 | // To assume a role, your AWS account must be trusted by the role. The trust | ||
115 | // relationship is defined in the role's trust policy when the role is created. | ||
116 | // That trust policy states which accounts are allowed to delegate access to | ||
117 | // this account's role. | ||
118 | // | ||
119 | // The user who wants to access the role must also have permissions delegated | ||
120 | // from the role's administrator. If the user is in a different account than | ||
121 | // the role, then the user's administrator must attach a policy that allows | ||
122 | // the user to call AssumeRole on the ARN of the role in the other account. | ||
123 | // If the user is in the same account as the role, then you can either attach | ||
124 | // a policy to the user (identical to the previous different account user), | ||
125 | // or you can add the user as a principal directly in the role's trust policy | ||
126 | // | ||
127 | // Using MFA with AssumeRole | ||
128 | // | ||
129 | // You can optionally include multi-factor authentication (MFA) information | ||
130 | // when you call AssumeRole. This is useful for cross-account scenarios in which | ||
131 | // you want to make sure that the user who is assuming the role has been authenticated | ||
132 | // using an AWS MFA device. In that scenario, the trust policy of the role being | ||
133 | // assumed includes a condition that tests for MFA authentication; if the caller | ||
134 | // does not include valid MFA information, the request to assume the role is | ||
135 | // denied. The condition in a trust policy that tests for MFA authentication | ||
136 | // might look like the following example. | ||
137 | // | ||
138 | // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} | ||
139 | // | ||
140 | // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) | ||
141 | // in the IAM User Guide guide. | ||
142 | // | ||
143 | // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode | ||
144 | // parameters. The SerialNumber value identifies the user's hardware or virtual | ||
145 | // MFA device. The TokenCode is the time-based one-time password (TOTP) that | ||
146 | // the MFA devices produces. | ||
147 | // | ||
148 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
149 | // with awserr.Error's Code and Message methods to get detailed information about | ||
150 | // the error. | ||
151 | // | ||
152 | // See the AWS API reference guide for AWS Security Token Service's | ||
153 | // API operation AssumeRole for usage and error information. | ||
154 | // | ||
155 | // Returned Error Codes: | ||
156 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | ||
157 | // The request was rejected because the policy document was malformed. The error | ||
158 | // message describes the specific error. | ||
159 | // | ||
160 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | ||
161 | // The request was rejected because the policy document was too large. The error | ||
162 | // message describes how big the policy document is, in packed form, as a percentage | ||
163 | // of what the API allows. | ||
164 | // | ||
165 | // * ErrCodeRegionDisabledException "RegionDisabledException" | ||
166 | // STS is not activated in the requested region for the account that is being | ||
167 | // asked to generate credentials. The account administrator must use the IAM | ||
168 | // console to activate STS in that region. For more information, see Activating | ||
169 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | ||
170 | // in the IAM User Guide. | ||
171 | // | ||
172 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole | ||
173 | func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { | ||
174 | req, out := c.AssumeRoleRequest(input) | ||
175 | return out, req.Send() | ||
176 | } | ||
177 | |||
178 | // AssumeRoleWithContext is the same as AssumeRole with the addition of | ||
179 | // the ability to pass a context and additional request options. | ||
180 | // | ||
181 | // See AssumeRole for details on how to use this API operation. | ||
182 | // | ||
183 | // The context must be non-nil and will be used for request cancellation. If | ||
184 | // the context is nil a panic will occur. In the future the SDK may create | ||
185 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
186 | // for more information on using Contexts. | ||
187 | func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { | ||
188 | req, out := c.AssumeRoleRequest(input) | ||
189 | req.SetContext(ctx) | ||
190 | req.ApplyOptions(opts...) | ||
191 | return out, req.Send() | ||
192 | } | ||
193 | |||
194 | const opAssumeRoleWithSAML = "AssumeRoleWithSAML" | ||
195 | |||
196 | // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the | ||
197 | // client's request for the AssumeRoleWithSAML operation. The "output" return | ||
198 | // value can be used to capture response data after the request's "Send" method | ||
199 | // is called. | ||
200 | // | ||
201 | // See AssumeRoleWithSAML for usage and error information. | ||
202 | // | ||
203 | // Creating a request object using this method should be used when you want to inject | ||
204 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
205 | // access properties on the request object before or after sending the request. If | ||
206 | // you just want the service response, call the AssumeRoleWithSAML method directly | ||
207 | // instead. | ||
208 | // | ||
209 | // Note: You must call the "Send" method on the returned request object in order | ||
210 | // to execute the request. | ||
211 | // | ||
212 | // // Example sending a request using the AssumeRoleWithSAMLRequest method. | ||
213 | // req, resp := client.AssumeRoleWithSAMLRequest(params) | ||
214 | // | ||
215 | // err := req.Send() | ||
216 | // if err == nil { // resp is now filled | ||
217 | // fmt.Println(resp) | ||
218 | // } | ||
219 | // | ||
220 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML | ||
221 | func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { | ||
222 | op := &request.Operation{ | ||
223 | Name: opAssumeRoleWithSAML, | ||
224 | HTTPMethod: "POST", | ||
225 | HTTPPath: "/", | ||
226 | } | ||
227 | |||
228 | if input == nil { | ||
229 | input = &AssumeRoleWithSAMLInput{} | ||
230 | } | ||
231 | |||
232 | output = &AssumeRoleWithSAMLOutput{} | ||
233 | req = c.newRequest(op, input, output) | ||
234 | return | ||
235 | } | ||
236 | |||
237 | // AssumeRoleWithSAML API operation for AWS Security Token Service. | ||
238 | // | ||
239 | // Returns a set of temporary security credentials for users who have been authenticated | ||
240 | // via a SAML authentication response. This operation provides a mechanism for | ||
241 | // tying an enterprise identity store or directory to role-based AWS access | ||
242 | // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML | ||
243 | // with the other APIs that produce temporary credentials, see Requesting Temporary | ||
244 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | ||
245 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
246 | // in the IAM User Guide. | ||
247 | // | ||
248 | // The temporary security credentials returned by this operation consist of | ||
249 | // an access key ID, a secret access key, and a security token. Applications | ||
250 | // can use these temporary security credentials to sign calls to AWS services. | ||
251 | // | ||
252 | // The temporary security credentials are valid for the duration that you specified | ||
253 | // when calling AssumeRole, or until the time specified in the SAML authentication | ||
254 | // response's SessionNotOnOrAfter value, whichever is shorter. The duration | ||
255 | // can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour). | ||
256 | // The default is 1 hour. | ||
257 | // | ||
258 | // The temporary security credentials created by AssumeRoleWithSAML can be used | ||
259 | // to make API calls to any AWS service with the following exception: you cannot | ||
260 | // call the STS service's GetFederationToken or GetSessionToken APIs. | ||
261 | // | ||
262 | // Optionally, you can pass an IAM access policy to this operation. If you choose | ||
263 | // not to pass a policy, the temporary security credentials that are returned | ||
264 | // by the operation have the permissions that are defined in the access policy | ||
265 | // of the role that is being assumed. If you pass a policy to this operation, | ||
266 | // the temporary security credentials that are returned by the operation have | ||
267 | // the permissions that are allowed by the intersection of both the access policy | ||
268 | // of the role that is being assumed, and the policy that you pass. This means | ||
269 | // that both policies must grant the permission for the action to be allowed. | ||
270 | // This gives you a way to further restrict the permissions for the resulting | ||
271 | // temporary security credentials. You cannot use the passed policy to grant | ||
272 | // permissions that are in excess of those allowed by the access policy of the | ||
273 | // role that is being assumed. For more information, see Permissions for AssumeRole, | ||
274 | // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
275 | // in the IAM User Guide. | ||
276 | // | ||
277 | // Before your application can call AssumeRoleWithSAML, you must configure your | ||
278 | // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, | ||
279 | // you must use AWS Identity and Access Management (IAM) to create a SAML provider | ||
280 | // entity in your AWS account that represents your identity provider, and create | ||
281 | // an IAM role that specifies this SAML provider in its trust policy. | ||
282 | // | ||
283 | // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. | ||
284 | // The identity of the caller is validated by using keys in the metadata document | ||
285 | // that is uploaded for the SAML provider entity for your identity provider. | ||
286 | // | ||
287 | // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail | ||
288 | // logs. The entry includes the value in the NameID element of the SAML assertion. | ||
289 | // We recommend that you use a NameIDType that is not associated with any personally | ||
290 | // identifiable information (PII). For example, you could instead use the Persistent | ||
291 | // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). | ||
292 | // | ||
293 | // For more information, see the following resources: | ||
294 | // | ||
295 | // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) | ||
296 | // in the IAM User Guide. | ||
297 | // | ||
298 | // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) | ||
299 | // in the IAM User Guide. | ||
300 | // | ||
301 | // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) | ||
302 | // in the IAM User Guide. | ||
303 | // | ||
304 | // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) | ||
305 | // in the IAM User Guide. | ||
306 | // | ||
307 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
308 | // with awserr.Error's Code and Message methods to get detailed information about | ||
309 | // the error. | ||
310 | // | ||
311 | // See the AWS API reference guide for AWS Security Token Service's | ||
312 | // API operation AssumeRoleWithSAML for usage and error information. | ||
313 | // | ||
314 | // Returned Error Codes: | ||
315 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | ||
316 | // The request was rejected because the policy document was malformed. The error | ||
317 | // message describes the specific error. | ||
318 | // | ||
319 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | ||
320 | // The request was rejected because the policy document was too large. The error | ||
321 | // message describes how big the policy document is, in packed form, as a percentage | ||
322 | // of what the API allows. | ||
323 | // | ||
324 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | ||
325 | // The identity provider (IdP) reported that authentication failed. This might | ||
326 | // be because the claim is invalid. | ||
327 | // | ||
328 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | ||
329 | // can also mean that the claim has expired or has been explicitly revoked. | ||
330 | // | ||
331 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | ||
332 | // The web identity token that was passed could not be validated by AWS. Get | ||
333 | // a new identity token from the identity provider and then retry the request. | ||
334 | // | ||
335 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | ||
336 | // The web identity token that was passed is expired or is not valid. Get a | ||
337 | // new identity token from the identity provider and then retry the request. | ||
338 | // | ||
339 | // * ErrCodeRegionDisabledException "RegionDisabledException" | ||
340 | // STS is not activated in the requested region for the account that is being | ||
341 | // asked to generate credentials. The account administrator must use the IAM | ||
342 | // console to activate STS in that region. For more information, see Activating | ||
343 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | ||
344 | // in the IAM User Guide. | ||
345 | // | ||
346 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML | ||
347 | func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { | ||
348 | req, out := c.AssumeRoleWithSAMLRequest(input) | ||
349 | return out, req.Send() | ||
350 | } | ||
351 | |||
352 | // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of | ||
353 | // the ability to pass a context and additional request options. | ||
354 | // | ||
355 | // See AssumeRoleWithSAML for details on how to use this API operation. | ||
356 | // | ||
357 | // The context must be non-nil and will be used for request cancellation. If | ||
358 | // the context is nil a panic will occur. In the future the SDK may create | ||
359 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
360 | // for more information on using Contexts. | ||
361 | func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { | ||
362 | req, out := c.AssumeRoleWithSAMLRequest(input) | ||
363 | req.SetContext(ctx) | ||
364 | req.ApplyOptions(opts...) | ||
365 | return out, req.Send() | ||
366 | } | ||
367 | |||
368 | const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" | ||
369 | |||
370 | // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the | ||
371 | // client's request for the AssumeRoleWithWebIdentity operation. The "output" return | ||
372 | // value can be used to capture response data after the request's "Send" method | ||
373 | // is called. | ||
374 | // | ||
375 | // See AssumeRoleWithWebIdentity for usage and error information. | ||
376 | // | ||
377 | // Creating a request object using this method should be used when you want to inject | ||
378 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
379 | // access properties on the request object before or after sending the request. If | ||
380 | // you just want the service response, call the AssumeRoleWithWebIdentity method directly | ||
381 | // instead. | ||
382 | // | ||
383 | // Note: You must call the "Send" method on the returned request object in order | ||
384 | // to execute the request. | ||
385 | // | ||
386 | // // Example sending a request using the AssumeRoleWithWebIdentityRequest method. | ||
387 | // req, resp := client.AssumeRoleWithWebIdentityRequest(params) | ||
388 | // | ||
389 | // err := req.Send() | ||
390 | // if err == nil { // resp is now filled | ||
391 | // fmt.Println(resp) | ||
392 | // } | ||
393 | // | ||
394 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity | ||
395 | func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { | ||
396 | op := &request.Operation{ | ||
397 | Name: opAssumeRoleWithWebIdentity, | ||
398 | HTTPMethod: "POST", | ||
399 | HTTPPath: "/", | ||
400 | } | ||
401 | |||
402 | if input == nil { | ||
403 | input = &AssumeRoleWithWebIdentityInput{} | ||
404 | } | ||
405 | |||
406 | output = &AssumeRoleWithWebIdentityOutput{} | ||
407 | req = c.newRequest(op, input, output) | ||
408 | return | ||
409 | } | ||
410 | |||
411 | // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. | ||
412 | // | ||
413 | // Returns a set of temporary security credentials for users who have been authenticated | ||
414 | // in a mobile or web application with a web identity provider, such as Amazon | ||
415 | // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible | ||
416 | // identity provider. | ||
417 | // | ||
418 | // For mobile applications, we recommend that you use Amazon Cognito. You can | ||
419 | // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/) | ||
420 | // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely | ||
421 | // identify a user and supply the user with a consistent identity throughout | ||
422 | // the lifetime of an application. | ||
423 | // | ||
424 | // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) | ||
425 | // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview | ||
426 | // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) | ||
427 | // in the AWS SDK for iOS Developer Guide. | ||
428 | // | ||
429 | // Calling AssumeRoleWithWebIdentity does not require the use of AWS security | ||
430 | // credentials. Therefore, you can distribute an application (for example, on | ||
431 | // mobile devices) that requests temporary security credentials without including | ||
432 | // long-term AWS credentials in the application, and without deploying server-based | ||
433 | // proxy services that use long-term AWS credentials. Instead, the identity | ||
434 | // of the caller is validated by using a token from the web identity provider. | ||
435 | // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce | ||
436 | // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | ||
437 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
438 | // in the IAM User Guide. | ||
439 | // | ||
440 | // The temporary security credentials returned by this API consist of an access | ||
441 | // key ID, a secret access key, and a security token. Applications can use these | ||
442 | // temporary security credentials to sign calls to AWS service APIs. | ||
443 | // | ||
444 | // The credentials are valid for the duration that you specified when calling | ||
445 | // AssumeRoleWithWebIdentity, which can be from 900 seconds (15 minutes) to | ||
446 | // a maximum of 3600 seconds (1 hour). The default is 1 hour. | ||
447 | // | ||
448 | // The temporary security credentials created by AssumeRoleWithWebIdentity can | ||
449 | // be used to make API calls to any AWS service with the following exception: | ||
450 | // you cannot call the STS service's GetFederationToken or GetSessionToken APIs. | ||
451 | // | ||
452 | // Optionally, you can pass an IAM access policy to this operation. If you choose | ||
453 | // not to pass a policy, the temporary security credentials that are returned | ||
454 | // by the operation have the permissions that are defined in the access policy | ||
455 | // of the role that is being assumed. If you pass a policy to this operation, | ||
456 | // the temporary security credentials that are returned by the operation have | ||
457 | // the permissions that are allowed by both the access policy of the role that | ||
458 | // is being assumed, and the policy that you pass. This gives you a way to further | ||
459 | // restrict the permissions for the resulting temporary security credentials. | ||
460 | // You cannot use the passed policy to grant permissions that are in excess | ||
461 | // of those allowed by the access policy of the role that is being assumed. | ||
462 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | ||
463 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
464 | // in the IAM User Guide. | ||
465 | // | ||
466 | // Before your application can call AssumeRoleWithWebIdentity, you must have | ||
467 | // an identity token from a supported identity provider and create a role that | ||
468 | // the application can assume. The role that your application assumes must trust | ||
469 | // the identity provider that is associated with the identity token. In other | ||
470 | // words, the identity provider must be specified in the role's trust policy. | ||
471 | // | ||
472 | // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail | ||
473 | // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) | ||
474 | // of the provided Web Identity Token. We recommend that you avoid using any | ||
475 | // personally identifiable information (PII) in this field. For example, you | ||
476 | // could instead use a GUID or a pairwise identifier, as suggested in the OIDC | ||
477 | // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). | ||
478 | // | ||
479 | // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity | ||
480 | // API, see the following resources: | ||
481 | // | ||
482 | // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) | ||
483 | // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | ||
484 | // | ||
485 | // | ||
486 | // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). | ||
487 | // This interactive website lets you walk through the process of authenticating | ||
488 | // via Login with Amazon, Facebook, or Google, getting temporary security | ||
489 | // credentials, and then using those credentials to make a request to AWS. | ||
490 | // | ||
491 | // | ||
492 | // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android | ||
493 | // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample | ||
494 | // apps that show how to invoke the identity providers, and then how to use | ||
495 | // the information from these providers to get and use temporary security | ||
496 | // credentials. | ||
497 | // | ||
498 | // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313). | ||
499 | // This article discusses web identity federation and shows an example of | ||
500 | // how to use web identity federation to get access to content in Amazon | ||
501 | // S3. | ||
502 | // | ||
503 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
504 | // with awserr.Error's Code and Message methods to get detailed information about | ||
505 | // the error. | ||
506 | // | ||
507 | // See the AWS API reference guide for AWS Security Token Service's | ||
508 | // API operation AssumeRoleWithWebIdentity for usage and error information. | ||
509 | // | ||
510 | // Returned Error Codes: | ||
511 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | ||
512 | // The request was rejected because the policy document was malformed. The error | ||
513 | // message describes the specific error. | ||
514 | // | ||
515 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | ||
516 | // The request was rejected because the policy document was too large. The error | ||
517 | // message describes how big the policy document is, in packed form, as a percentage | ||
518 | // of what the API allows. | ||
519 | // | ||
520 | // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" | ||
521 | // The identity provider (IdP) reported that authentication failed. This might | ||
522 | // be because the claim is invalid. | ||
523 | // | ||
524 | // If this error is returned for the AssumeRoleWithWebIdentity operation, it | ||
525 | // can also mean that the claim has expired or has been explicitly revoked. | ||
526 | // | ||
527 | // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" | ||
528 | // The request could not be fulfilled because the non-AWS identity provider | ||
529 | // (IDP) that was asked to verify the incoming identity token could not be reached. | ||
530 | // This is often a transient error caused by network conditions. Retry the request | ||
531 | // a limited number of times so that you don't exceed the request rate. If the | ||
532 | // error persists, the non-AWS identity provider might be down or not responding. | ||
533 | // | ||
534 | // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" | ||
535 | // The web identity token that was passed could not be validated by AWS. Get | ||
536 | // a new identity token from the identity provider and then retry the request. | ||
537 | // | ||
538 | // * ErrCodeExpiredTokenException "ExpiredTokenException" | ||
539 | // The web identity token that was passed is expired or is not valid. Get a | ||
540 | // new identity token from the identity provider and then retry the request. | ||
541 | // | ||
542 | // * ErrCodeRegionDisabledException "RegionDisabledException" | ||
543 | // STS is not activated in the requested region for the account that is being | ||
544 | // asked to generate credentials. The account administrator must use the IAM | ||
545 | // console to activate STS in that region. For more information, see Activating | ||
546 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | ||
547 | // in the IAM User Guide. | ||
548 | // | ||
549 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity | ||
550 | func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { | ||
551 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | ||
552 | return out, req.Send() | ||
553 | } | ||
554 | |||
555 | // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of | ||
556 | // the ability to pass a context and additional request options. | ||
557 | // | ||
558 | // See AssumeRoleWithWebIdentity for details on how to use this API operation. | ||
559 | // | ||
560 | // The context must be non-nil and will be used for request cancellation. If | ||
561 | // the context is nil a panic will occur. In the future the SDK may create | ||
562 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
563 | // for more information on using Contexts. | ||
564 | func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { | ||
565 | req, out := c.AssumeRoleWithWebIdentityRequest(input) | ||
566 | req.SetContext(ctx) | ||
567 | req.ApplyOptions(opts...) | ||
568 | return out, req.Send() | ||
569 | } | ||
570 | |||
571 | const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" | ||
572 | |||
573 | // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the | ||
574 | // client's request for the DecodeAuthorizationMessage operation. The "output" return | ||
575 | // value can be used to capture response data after the request's "Send" method | ||
576 | // is called. | ||
577 | // | ||
578 | // See DecodeAuthorizationMessage for usage and error information. | ||
579 | // | ||
580 | // Creating a request object using this method should be used when you want to inject | ||
581 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
582 | // access properties on the request object before or after sending the request. If | ||
583 | // you just want the service response, call the DecodeAuthorizationMessage method directly | ||
584 | // instead. | ||
585 | // | ||
586 | // Note: You must call the "Send" method on the returned request object in order | ||
587 | // to execute the request. | ||
588 | // | ||
589 | // // Example sending a request using the DecodeAuthorizationMessageRequest method. | ||
590 | // req, resp := client.DecodeAuthorizationMessageRequest(params) | ||
591 | // | ||
592 | // err := req.Send() | ||
593 | // if err == nil { // resp is now filled | ||
594 | // fmt.Println(resp) | ||
595 | // } | ||
596 | // | ||
597 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage | ||
598 | func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { | ||
599 | op := &request.Operation{ | ||
600 | Name: opDecodeAuthorizationMessage, | ||
601 | HTTPMethod: "POST", | ||
602 | HTTPPath: "/", | ||
603 | } | ||
604 | |||
605 | if input == nil { | ||
606 | input = &DecodeAuthorizationMessageInput{} | ||
607 | } | ||
608 | |||
609 | output = &DecodeAuthorizationMessageOutput{} | ||
610 | req = c.newRequest(op, input, output) | ||
611 | return | ||
612 | } | ||
613 | |||
614 | // DecodeAuthorizationMessage API operation for AWS Security Token Service. | ||
615 | // | ||
616 | // Decodes additional information about the authorization status of a request | ||
617 | // from an encoded message returned in response to an AWS request. | ||
618 | // | ||
619 | // For example, if a user is not authorized to perform an action that he or | ||
620 | // she has requested, the request returns a Client.UnauthorizedOperation response | ||
621 | // (an HTTP 403 response). Some AWS actions additionally return an encoded message | ||
622 | // that can provide details about this authorization failure. | ||
623 | // | ||
624 | // Only certain AWS actions return an encoded authorization message. The documentation | ||
625 | // for an individual action indicates whether that action returns an encoded | ||
626 | // message in addition to returning an HTTP code. | ||
627 | // | ||
628 | // The message is encoded because the details of the authorization status can | ||
629 | // constitute privileged information that the user who requested the action | ||
630 | // should not see. To decode an authorization status message, a user must be | ||
631 | // granted permissions via an IAM policy to request the DecodeAuthorizationMessage | ||
632 | // (sts:DecodeAuthorizationMessage) action. | ||
633 | // | ||
634 | // The decoded message includes the following type of information: | ||
635 | // | ||
636 | // * Whether the request was denied due to an explicit deny or due to the | ||
637 | // absence of an explicit allow. For more information, see Determining Whether | ||
638 | // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) | ||
639 | // in the IAM User Guide. | ||
640 | // | ||
641 | // * The principal who made the request. | ||
642 | // | ||
643 | // * The requested action. | ||
644 | // | ||
645 | // * The requested resource. | ||
646 | // | ||
647 | // * The values of condition keys in the context of the user's request. | ||
648 | // | ||
649 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
650 | // with awserr.Error's Code and Message methods to get detailed information about | ||
651 | // the error. | ||
652 | // | ||
653 | // See the AWS API reference guide for AWS Security Token Service's | ||
654 | // API operation DecodeAuthorizationMessage for usage and error information. | ||
655 | // | ||
656 | // Returned Error Codes: | ||
657 | // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" | ||
658 | // The error returned if the message passed to DecodeAuthorizationMessage was | ||
659 | // invalid. This can happen if the token contains invalid characters, such as | ||
660 | // linebreaks. | ||
661 | // | ||
662 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage | ||
663 | func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { | ||
664 | req, out := c.DecodeAuthorizationMessageRequest(input) | ||
665 | return out, req.Send() | ||
666 | } | ||
667 | |||
668 | // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of | ||
669 | // the ability to pass a context and additional request options. | ||
670 | // | ||
671 | // See DecodeAuthorizationMessage for details on how to use this API operation. | ||
672 | // | ||
673 | // The context must be non-nil and will be used for request cancellation. If | ||
674 | // the context is nil a panic will occur. In the future the SDK may create | ||
675 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
676 | // for more information on using Contexts. | ||
677 | func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { | ||
678 | req, out := c.DecodeAuthorizationMessageRequest(input) | ||
679 | req.SetContext(ctx) | ||
680 | req.ApplyOptions(opts...) | ||
681 | return out, req.Send() | ||
682 | } | ||
683 | |||
684 | const opGetCallerIdentity = "GetCallerIdentity" | ||
685 | |||
686 | // GetCallerIdentityRequest generates a "aws/request.Request" representing the | ||
687 | // client's request for the GetCallerIdentity operation. The "output" return | ||
688 | // value can be used to capture response data after the request's "Send" method | ||
689 | // is called. | ||
690 | // | ||
691 | // See GetCallerIdentity for usage and error information. | ||
692 | // | ||
693 | // Creating a request object using this method should be used when you want to inject | ||
694 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
695 | // access properties on the request object before or after sending the request. If | ||
696 | // you just want the service response, call the GetCallerIdentity method directly | ||
697 | // instead. | ||
698 | // | ||
699 | // Note: You must call the "Send" method on the returned request object in order | ||
700 | // to execute the request. | ||
701 | // | ||
702 | // // Example sending a request using the GetCallerIdentityRequest method. | ||
703 | // req, resp := client.GetCallerIdentityRequest(params) | ||
704 | // | ||
705 | // err := req.Send() | ||
706 | // if err == nil { // resp is now filled | ||
707 | // fmt.Println(resp) | ||
708 | // } | ||
709 | // | ||
710 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity | ||
711 | func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { | ||
712 | op := &request.Operation{ | ||
713 | Name: opGetCallerIdentity, | ||
714 | HTTPMethod: "POST", | ||
715 | HTTPPath: "/", | ||
716 | } | ||
717 | |||
718 | if input == nil { | ||
719 | input = &GetCallerIdentityInput{} | ||
720 | } | ||
721 | |||
722 | output = &GetCallerIdentityOutput{} | ||
723 | req = c.newRequest(op, input, output) | ||
724 | return | ||
725 | } | ||
726 | |||
727 | // GetCallerIdentity API operation for AWS Security Token Service. | ||
728 | // | ||
729 | // Returns details about the IAM identity whose credentials are used to call | ||
730 | // the API. | ||
731 | // | ||
732 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
733 | // with awserr.Error's Code and Message methods to get detailed information about | ||
734 | // the error. | ||
735 | // | ||
736 | // See the AWS API reference guide for AWS Security Token Service's | ||
737 | // API operation GetCallerIdentity for usage and error information. | ||
738 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity | ||
739 | func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { | ||
740 | req, out := c.GetCallerIdentityRequest(input) | ||
741 | return out, req.Send() | ||
742 | } | ||
743 | |||
744 | // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of | ||
745 | // the ability to pass a context and additional request options. | ||
746 | // | ||
747 | // See GetCallerIdentity for details on how to use this API operation. | ||
748 | // | ||
749 | // The context must be non-nil and will be used for request cancellation. If | ||
750 | // the context is nil a panic will occur. In the future the SDK may create | ||
751 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
752 | // for more information on using Contexts. | ||
753 | func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { | ||
754 | req, out := c.GetCallerIdentityRequest(input) | ||
755 | req.SetContext(ctx) | ||
756 | req.ApplyOptions(opts...) | ||
757 | return out, req.Send() | ||
758 | } | ||
759 | |||
760 | const opGetFederationToken = "GetFederationToken" | ||
761 | |||
762 | // GetFederationTokenRequest generates a "aws/request.Request" representing the | ||
763 | // client's request for the GetFederationToken operation. The "output" return | ||
764 | // value can be used to capture response data after the request's "Send" method | ||
765 | // is called. | ||
766 | // | ||
767 | // See GetFederationToken for usage and error information. | ||
768 | // | ||
769 | // Creating a request object using this method should be used when you want to inject | ||
770 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
771 | // access properties on the request object before or after sending the request. If | ||
772 | // you just want the service response, call the GetFederationToken method directly | ||
773 | // instead. | ||
774 | // | ||
775 | // Note: You must call the "Send" method on the returned request object in order | ||
776 | // to execute the request. | ||
777 | // | ||
778 | // // Example sending a request using the GetFederationTokenRequest method. | ||
779 | // req, resp := client.GetFederationTokenRequest(params) | ||
780 | // | ||
781 | // err := req.Send() | ||
782 | // if err == nil { // resp is now filled | ||
783 | // fmt.Println(resp) | ||
784 | // } | ||
785 | // | ||
786 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken | ||
787 | func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { | ||
788 | op := &request.Operation{ | ||
789 | Name: opGetFederationToken, | ||
790 | HTTPMethod: "POST", | ||
791 | HTTPPath: "/", | ||
792 | } | ||
793 | |||
794 | if input == nil { | ||
795 | input = &GetFederationTokenInput{} | ||
796 | } | ||
797 | |||
798 | output = &GetFederationTokenOutput{} | ||
799 | req = c.newRequest(op, input, output) | ||
800 | return | ||
801 | } | ||
802 | |||
803 | // GetFederationToken API operation for AWS Security Token Service. | ||
804 | // | ||
805 | // Returns a set of temporary security credentials (consisting of an access | ||
806 | // key ID, a secret access key, and a security token) for a federated user. | ||
807 | // A typical use is in a proxy application that gets temporary security credentials | ||
808 | // on behalf of distributed applications inside a corporate network. Because | ||
809 | // you must call the GetFederationToken action using the long-term security | ||
810 | // credentials of an IAM user, this call is appropriate in contexts where those | ||
811 | // credentials can be safely stored, usually in a server-based application. | ||
812 | // For a comparison of GetFederationToken with the other APIs that produce temporary | ||
813 | // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | ||
814 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
815 | // in the IAM User Guide. | ||
816 | // | ||
817 | // If you are creating a mobile-based or browser-based app that can authenticate | ||
818 | // users using a web identity provider like Login with Amazon, Facebook, Google, | ||
819 | // or an OpenID Connect-compatible identity provider, we recommend that you | ||
820 | // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. | ||
821 | // For more information, see Federation Through a Web-based Identity Provider | ||
822 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). | ||
823 | // | ||
824 | // The GetFederationToken action must be called by using the long-term AWS security | ||
825 | // credentials of an IAM user. You can also call GetFederationToken using the | ||
826 | // security credentials of an AWS root account, but we do not recommended it. | ||
827 | // Instead, we recommend that you create an IAM user for the purpose of the | ||
828 | // proxy application and then attach a policy to the IAM user that limits federated | ||
829 | // users to only the actions and resources that they need access to. For more | ||
830 | // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) | ||
831 | // in the IAM User Guide. | ||
832 | // | ||
833 | // The temporary security credentials that are obtained by using the long-term | ||
834 | // credentials of an IAM user are valid for the specified duration, from 900 | ||
835 | // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default | ||
836 | // is 43200 seconds (12 hours). Temporary credentials that are obtained by using | ||
837 | // AWS root account credentials have a maximum duration of 3600 seconds (1 hour). | ||
838 | // | ||
839 | // The temporary security credentials created by GetFederationToken can be used | ||
840 | // to make API calls to any AWS service with the following exceptions: | ||
841 | // | ||
842 | // * You cannot use these credentials to call any IAM APIs. | ||
843 | // | ||
844 | // * You cannot call any STS APIs except GetCallerIdentity. | ||
845 | // | ||
846 | // Permissions | ||
847 | // | ||
848 | // The permissions for the temporary security credentials returned by GetFederationToken | ||
849 | // are determined by a combination of the following: | ||
850 | // | ||
851 | // * The policy or policies that are attached to the IAM user whose credentials | ||
852 | // are used to call GetFederationToken. | ||
853 | // | ||
854 | // * The policy that is passed as a parameter in the call. | ||
855 | // | ||
856 | // The passed policy is attached to the temporary security credentials that | ||
857 | // result from the GetFederationToken API call--that is, to the federated user. | ||
858 | // When the federated user makes an AWS request, AWS evaluates the policy attached | ||
859 | // to the federated user in combination with the policy or policies attached | ||
860 | // to the IAM user whose credentials were used to call GetFederationToken. AWS | ||
861 | // allows the federated user's request only when both the federated user and | ||
862 | // the IAM user are explicitly allowed to perform the requested action. The | ||
863 | // passed policy cannot grant more permissions than those that are defined in | ||
864 | // the IAM user policy. | ||
865 | // | ||
866 | // A typical use case is that the permissions of the IAM user whose credentials | ||
867 | // are used to call GetFederationToken are designed to allow access to all the | ||
868 | // actions and resources that any federated user will need. Then, for individual | ||
869 | // users, you pass a policy to the operation that scopes down the permissions | ||
870 | // to a level that's appropriate to that individual user, using a policy that | ||
871 | // allows only a subset of permissions that are granted to the IAM user. | ||
872 | // | ||
873 | // If you do not pass a policy, the resulting temporary security credentials | ||
874 | // have no effective permissions. The only exception is when the temporary security | ||
875 | // credentials are used to access a resource that has a resource-based policy | ||
876 | // that specifically allows the federated user to access the resource. | ||
877 | // | ||
878 | // For more information about how permissions work, see Permissions for GetFederationToken | ||
879 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | ||
880 | // For information about using GetFederationToken to create temporary security | ||
881 | // credentials, see GetFederationToken—Federation Through a Custom Identity | ||
882 | // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). | ||
883 | // | ||
884 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
885 | // with awserr.Error's Code and Message methods to get detailed information about | ||
886 | // the error. | ||
887 | // | ||
888 | // See the AWS API reference guide for AWS Security Token Service's | ||
889 | // API operation GetFederationToken for usage and error information. | ||
890 | // | ||
891 | // Returned Error Codes: | ||
892 | // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" | ||
893 | // The request was rejected because the policy document was malformed. The error | ||
894 | // message describes the specific error. | ||
895 | // | ||
896 | // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" | ||
897 | // The request was rejected because the policy document was too large. The error | ||
898 | // message describes how big the policy document is, in packed form, as a percentage | ||
899 | // of what the API allows. | ||
900 | // | ||
901 | // * ErrCodeRegionDisabledException "RegionDisabledException" | ||
902 | // STS is not activated in the requested region for the account that is being | ||
903 | // asked to generate credentials. The account administrator must use the IAM | ||
904 | // console to activate STS in that region. For more information, see Activating | ||
905 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | ||
906 | // in the IAM User Guide. | ||
907 | // | ||
908 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken | ||
909 | func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { | ||
910 | req, out := c.GetFederationTokenRequest(input) | ||
911 | return out, req.Send() | ||
912 | } | ||
913 | |||
914 | // GetFederationTokenWithContext is the same as GetFederationToken with the addition of | ||
915 | // the ability to pass a context and additional request options. | ||
916 | // | ||
917 | // See GetFederationToken for details on how to use this API operation. | ||
918 | // | ||
919 | // The context must be non-nil and will be used for request cancellation. If | ||
920 | // the context is nil a panic will occur. In the future the SDK may create | ||
921 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
922 | // for more information on using Contexts. | ||
923 | func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { | ||
924 | req, out := c.GetFederationTokenRequest(input) | ||
925 | req.SetContext(ctx) | ||
926 | req.ApplyOptions(opts...) | ||
927 | return out, req.Send() | ||
928 | } | ||
929 | |||
930 | const opGetSessionToken = "GetSessionToken" | ||
931 | |||
932 | // GetSessionTokenRequest generates a "aws/request.Request" representing the | ||
933 | // client's request for the GetSessionToken operation. The "output" return | ||
934 | // value can be used to capture response data after the request's "Send" method | ||
935 | // is called. | ||
936 | // | ||
937 | // See GetSessionToken for usage and error information. | ||
938 | // | ||
939 | // Creating a request object using this method should be used when you want to inject | ||
940 | // custom logic into the request's lifecycle using a custom handler, or if you want to | ||
941 | // access properties on the request object before or after sending the request. If | ||
942 | // you just want the service response, call the GetSessionToken method directly | ||
943 | // instead. | ||
944 | // | ||
945 | // Note: You must call the "Send" method on the returned request object in order | ||
946 | // to execute the request. | ||
947 | // | ||
948 | // // Example sending a request using the GetSessionTokenRequest method. | ||
949 | // req, resp := client.GetSessionTokenRequest(params) | ||
950 | // | ||
951 | // err := req.Send() | ||
952 | // if err == nil { // resp is now filled | ||
953 | // fmt.Println(resp) | ||
954 | // } | ||
955 | // | ||
956 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken | ||
957 | func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { | ||
958 | op := &request.Operation{ | ||
959 | Name: opGetSessionToken, | ||
960 | HTTPMethod: "POST", | ||
961 | HTTPPath: "/", | ||
962 | } | ||
963 | |||
964 | if input == nil { | ||
965 | input = &GetSessionTokenInput{} | ||
966 | } | ||
967 | |||
968 | output = &GetSessionTokenOutput{} | ||
969 | req = c.newRequest(op, input, output) | ||
970 | return | ||
971 | } | ||
972 | |||
973 | // GetSessionToken API operation for AWS Security Token Service. | ||
974 | // | ||
975 | // Returns a set of temporary credentials for an AWS account or IAM user. The | ||
976 | // credentials consist of an access key ID, a secret access key, and a security | ||
977 | // token. Typically, you use GetSessionToken if you want to use MFA to protect | ||
978 | // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled | ||
979 | // IAM users would need to call GetSessionToken and submit an MFA code that | ||
980 | // is associated with their MFA device. Using the temporary security credentials | ||
981 | // that are returned from the call, IAM users can then make programmatic calls | ||
982 | // to APIs that require MFA authentication. If you do not supply a correct MFA | ||
983 | // code, then the API returns an access denied error. For a comparison of GetSessionToken | ||
984 | // with the other APIs that produce temporary credentials, see Requesting Temporary | ||
985 | // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) | ||
986 | // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) | ||
987 | // in the IAM User Guide. | ||
988 | // | ||
989 | // The GetSessionToken action must be called by using the long-term AWS security | ||
990 | // credentials of the AWS account or an IAM user. Credentials that are created | ||
991 | // by IAM users are valid for the duration that you specify, from 900 seconds | ||
992 | // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default | ||
993 | // of 43200 seconds (12 hours); credentials that are created by using account | ||
994 | // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600 | ||
995 | // seconds (1 hour), with a default of 1 hour. | ||
996 | // | ||
997 | // The temporary security credentials created by GetSessionToken can be used | ||
998 | // to make API calls to any AWS service with the following exceptions: | ||
999 | // | ||
1000 | // * You cannot call any IAM APIs unless MFA authentication information is | ||
1001 | // included in the request. | ||
1002 | // | ||
1003 | // * You cannot call any STS API exceptAssumeRole or GetCallerIdentity. | ||
1004 | // | ||
1005 | // We recommend that you do not call GetSessionToken with root account credentials. | ||
1006 | // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) | ||
1007 | // by creating one or more IAM users, giving them the necessary permissions, | ||
1008 | // and using IAM users for everyday interaction with AWS. | ||
1009 | // | ||
1010 | // The permissions associated with the temporary security credentials returned | ||
1011 | // by GetSessionToken are based on the permissions associated with account or | ||
1012 | // IAM user whose credentials are used to call the action. If GetSessionToken | ||
1013 | // is called using root account credentials, the temporary credentials have | ||
1014 | // root account permissions. Similarly, if GetSessionToken is called using the | ||
1015 | // credentials of an IAM user, the temporary credentials have the same permissions | ||
1016 | // as the IAM user. | ||
1017 | // | ||
1018 | // For more information about using GetSessionToken to create temporary credentials, | ||
1019 | // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) | ||
1020 | // in the IAM User Guide. | ||
1021 | // | ||
1022 | // Returns awserr.Error for service API and SDK errors. Use runtime type assertions | ||
1023 | // with awserr.Error's Code and Message methods to get detailed information about | ||
1024 | // the error. | ||
1025 | // | ||
1026 | // See the AWS API reference guide for AWS Security Token Service's | ||
1027 | // API operation GetSessionToken for usage and error information. | ||
1028 | // | ||
1029 | // Returned Error Codes: | ||
1030 | // * ErrCodeRegionDisabledException "RegionDisabledException" | ||
1031 | // STS is not activated in the requested region for the account that is being | ||
1032 | // asked to generate credentials. The account administrator must use the IAM | ||
1033 | // console to activate STS in that region. For more information, see Activating | ||
1034 | // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) | ||
1035 | // in the IAM User Guide. | ||
1036 | // | ||
1037 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken | ||
1038 | func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { | ||
1039 | req, out := c.GetSessionTokenRequest(input) | ||
1040 | return out, req.Send() | ||
1041 | } | ||
1042 | |||
1043 | // GetSessionTokenWithContext is the same as GetSessionToken with the addition of | ||
1044 | // the ability to pass a context and additional request options. | ||
1045 | // | ||
1046 | // See GetSessionToken for details on how to use this API operation. | ||
1047 | // | ||
1048 | // The context must be non-nil and will be used for request cancellation. If | ||
1049 | // the context is nil a panic will occur. In the future the SDK may create | ||
1050 | // sub-contexts for http.Requests. See https://golang.org/pkg/context/ | ||
1051 | // for more information on using Contexts. | ||
1052 | func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { | ||
1053 | req, out := c.GetSessionTokenRequest(input) | ||
1054 | req.SetContext(ctx) | ||
1055 | req.ApplyOptions(opts...) | ||
1056 | return out, req.Send() | ||
1057 | } | ||
1058 | |||
1059 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest | ||
1060 | type AssumeRoleInput struct { | ||
1061 | _ struct{} `type:"structure"` | ||
1062 | |||
1063 | // The duration, in seconds, of the role session. The value can range from 900 | ||
1064 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | ||
1065 | // to 3600 seconds. | ||
1066 | // | ||
1067 | // This is separate from the duration of a console session that you might request | ||
1068 | // using the returned credentials. The request to the federation endpoint for | ||
1069 | // a console sign-in token takes a SessionDuration parameter that specifies | ||
1070 | // the maximum length of the console session, separately from the DurationSeconds | ||
1071 | // parameter on this API. For more information, see Creating a URL that Enables | ||
1072 | // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | ||
1073 | // in the IAM User Guide. | ||
1074 | DurationSeconds *int64 `min:"900" type:"integer"` | ||
1075 | |||
1076 | // A unique identifier that is used by third parties when assuming roles in | ||
1077 | // their customers' accounts. For each role that the third party can assume, | ||
1078 | // they should instruct their customers to ensure the role's trust policy checks | ||
1079 | // for the external ID that the third party generated. Each time the third party | ||
1080 | // assumes the role, they should pass the customer's external ID. The external | ||
1081 | // ID is useful in order to help third parties bind a role to the customer who | ||
1082 | // created it. For more information about the external ID, see How to Use an | ||
1083 | // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) | ||
1084 | // in the IAM User Guide. | ||
1085 | // | ||
1086 | // The regex used to validated this parameter is a string of characters consisting | ||
1087 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
1088 | // also include underscores or any of the following characters: =,.@:\/- | ||
1089 | ExternalId *string `min:"2" type:"string"` | ||
1090 | |||
1091 | // An IAM policy in JSON format. | ||
1092 | // | ||
1093 | // This parameter is optional. If you pass a policy, the temporary security | ||
1094 | // credentials that are returned by the operation have the permissions that | ||
1095 | // are allowed by both (the intersection of) the access policy of the role that | ||
1096 | // is being assumed, and the policy that you pass. This gives you a way to further | ||
1097 | // restrict the permissions for the resulting temporary security credentials. | ||
1098 | // You cannot use the passed policy to grant permissions that are in excess | ||
1099 | // of those allowed by the access policy of the role that is being assumed. | ||
1100 | // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML, | ||
1101 | // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1102 | // in the IAM User Guide. | ||
1103 | // | ||
1104 | // The format for this parameter, as described by its regex pattern, is a string | ||
1105 | // of characters up to 2048 characters in length. The characters can be any | ||
1106 | // ASCII character from the space character to the end of the valid character | ||
1107 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
1108 | // and carriage return (\u000D) characters. | ||
1109 | // | ||
1110 | // The policy plain text must be 2048 bytes or shorter. However, an internal | ||
1111 | // conversion compresses it into a packed binary format with a separate limit. | ||
1112 | // The PackedPolicySize response element indicates by percentage how close to | ||
1113 | // the upper size limit the policy is, with 100% equaling the maximum allowed | ||
1114 | // size. | ||
1115 | Policy *string `min:"1" type:"string"` | ||
1116 | |||
1117 | // The Amazon Resource Name (ARN) of the role to assume. | ||
1118 | // | ||
1119 | // RoleArn is a required field | ||
1120 | RoleArn *string `min:"20" type:"string" required:"true"` | ||
1121 | |||
1122 | // An identifier for the assumed role session. | ||
1123 | // | ||
1124 | // Use the role session name to uniquely identify a session when the same role | ||
1125 | // is assumed by different principals or for different reasons. In cross-account | ||
1126 | // scenarios, the role session name is visible to, and can be logged by the | ||
1127 | // account that owns the role. The role session name is also used in the ARN | ||
1128 | // of the assumed role principal. This means that subsequent cross-account API | ||
1129 | // requests using the temporary security credentials will expose the role session | ||
1130 | // name to the external account in their CloudTrail logs. | ||
1131 | // | ||
1132 | // The regex used to validate this parameter is a string of characters consisting | ||
1133 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
1134 | // also include underscores or any of the following characters: =,.@- | ||
1135 | // | ||
1136 | // RoleSessionName is a required field | ||
1137 | RoleSessionName *string `min:"2" type:"string" required:"true"` | ||
1138 | |||
1139 | // The identification number of the MFA device that is associated with the user | ||
1140 | // who is making the AssumeRole call. Specify this value if the trust policy | ||
1141 | // of the role being assumed includes a condition that requires MFA authentication. | ||
1142 | // The value is either the serial number for a hardware device (such as GAHT12345678) | ||
1143 | // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | ||
1144 | // | ||
1145 | // The regex used to validate this parameter is a string of characters consisting | ||
1146 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
1147 | // also include underscores or any of the following characters: =,.@- | ||
1148 | SerialNumber *string `min:"9" type:"string"` | ||
1149 | |||
1150 | // The value provided by the MFA device, if the trust policy of the role being | ||
1151 | // assumed requires MFA (that is, if the policy includes a condition that tests | ||
1152 | // for MFA). If the role being assumed requires MFA and if the TokenCode value | ||
1153 | // is missing or expired, the AssumeRole call returns an "access denied" error. | ||
1154 | // | ||
1155 | // The format for this parameter, as described by its regex pattern, is a sequence | ||
1156 | // of six numeric digits. | ||
1157 | TokenCode *string `min:"6" type:"string"` | ||
1158 | } | ||
1159 | |||
1160 | // String returns the string representation | ||
1161 | func (s AssumeRoleInput) String() string { | ||
1162 | return awsutil.Prettify(s) | ||
1163 | } | ||
1164 | |||
1165 | // GoString returns the string representation | ||
1166 | func (s AssumeRoleInput) GoString() string { | ||
1167 | return s.String() | ||
1168 | } | ||
1169 | |||
1170 | // Validate inspects the fields of the type to determine if they are valid. | ||
1171 | func (s *AssumeRoleInput) Validate() error { | ||
1172 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} | ||
1173 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | ||
1174 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | ||
1175 | } | ||
1176 | if s.ExternalId != nil && len(*s.ExternalId) < 2 { | ||
1177 | invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) | ||
1178 | } | ||
1179 | if s.Policy != nil && len(*s.Policy) < 1 { | ||
1180 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | ||
1181 | } | ||
1182 | if s.RoleArn == nil { | ||
1183 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | ||
1184 | } | ||
1185 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | ||
1186 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | ||
1187 | } | ||
1188 | if s.RoleSessionName == nil { | ||
1189 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | ||
1190 | } | ||
1191 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | ||
1192 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | ||
1193 | } | ||
1194 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | ||
1195 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | ||
1196 | } | ||
1197 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | ||
1198 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | ||
1199 | } | ||
1200 | |||
1201 | if invalidParams.Len() > 0 { | ||
1202 | return invalidParams | ||
1203 | } | ||
1204 | return nil | ||
1205 | } | ||
1206 | |||
1207 | // SetDurationSeconds sets the DurationSeconds field's value. | ||
1208 | func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { | ||
1209 | s.DurationSeconds = &v | ||
1210 | return s | ||
1211 | } | ||
1212 | |||
1213 | // SetExternalId sets the ExternalId field's value. | ||
1214 | func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { | ||
1215 | s.ExternalId = &v | ||
1216 | return s | ||
1217 | } | ||
1218 | |||
1219 | // SetPolicy sets the Policy field's value. | ||
1220 | func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { | ||
1221 | s.Policy = &v | ||
1222 | return s | ||
1223 | } | ||
1224 | |||
1225 | // SetRoleArn sets the RoleArn field's value. | ||
1226 | func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { | ||
1227 | s.RoleArn = &v | ||
1228 | return s | ||
1229 | } | ||
1230 | |||
1231 | // SetRoleSessionName sets the RoleSessionName field's value. | ||
1232 | func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { | ||
1233 | s.RoleSessionName = &v | ||
1234 | return s | ||
1235 | } | ||
1236 | |||
1237 | // SetSerialNumber sets the SerialNumber field's value. | ||
1238 | func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { | ||
1239 | s.SerialNumber = &v | ||
1240 | return s | ||
1241 | } | ||
1242 | |||
1243 | // SetTokenCode sets the TokenCode field's value. | ||
1244 | func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { | ||
1245 | s.TokenCode = &v | ||
1246 | return s | ||
1247 | } | ||
1248 | |||
1249 | // Contains the response to a successful AssumeRole request, including temporary | ||
1250 | // AWS credentials that can be used to make AWS requests. | ||
1251 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse | ||
1252 | type AssumeRoleOutput struct { | ||
1253 | _ struct{} `type:"structure"` | ||
1254 | |||
1255 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | ||
1256 | // that you can use to refer to the resulting temporary security credentials. | ||
1257 | // For example, you can reference these credentials as a principal in a resource-based | ||
1258 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | ||
1259 | // that you specified when you called AssumeRole. | ||
1260 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | ||
1261 | |||
1262 | // The temporary security credentials, which include an access key ID, a secret | ||
1263 | // access key, and a security (or session) token. | ||
1264 | // | ||
1265 | // Note: The size of the security token that STS APIs return is not fixed. We | ||
1266 | // strongly recommend that you make no assumptions about the maximum size. As | ||
1267 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1268 | // Also, future updates to AWS might require larger sizes. | ||
1269 | Credentials *Credentials `type:"structure"` | ||
1270 | |||
1271 | // A percentage value that indicates the size of the policy in packed form. | ||
1272 | // The service rejects any policy with a packed size greater than 100 percent, | ||
1273 | // which means the policy exceeded the allowed space. | ||
1274 | PackedPolicySize *int64 `type:"integer"` | ||
1275 | } | ||
1276 | |||
1277 | // String returns the string representation | ||
1278 | func (s AssumeRoleOutput) String() string { | ||
1279 | return awsutil.Prettify(s) | ||
1280 | } | ||
1281 | |||
1282 | // GoString returns the string representation | ||
1283 | func (s AssumeRoleOutput) GoString() string { | ||
1284 | return s.String() | ||
1285 | } | ||
1286 | |||
1287 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | ||
1288 | func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { | ||
1289 | s.AssumedRoleUser = v | ||
1290 | return s | ||
1291 | } | ||
1292 | |||
1293 | // SetCredentials sets the Credentials field's value. | ||
1294 | func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { | ||
1295 | s.Credentials = v | ||
1296 | return s | ||
1297 | } | ||
1298 | |||
1299 | // SetPackedPolicySize sets the PackedPolicySize field's value. | ||
1300 | func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { | ||
1301 | s.PackedPolicySize = &v | ||
1302 | return s | ||
1303 | } | ||
1304 | |||
1305 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLRequest | ||
1306 | type AssumeRoleWithSAMLInput struct { | ||
1307 | _ struct{} `type:"structure"` | ||
1308 | |||
1309 | // The duration, in seconds, of the role session. The value can range from 900 | ||
1310 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | ||
1311 | // to 3600 seconds. An expiration can also be specified in the SAML authentication | ||
1312 | // response's SessionNotOnOrAfter value. The actual expiration time is whichever | ||
1313 | // value is shorter. | ||
1314 | // | ||
1315 | // This is separate from the duration of a console session that you might request | ||
1316 | // using the returned credentials. The request to the federation endpoint for | ||
1317 | // a console sign-in token takes a SessionDuration parameter that specifies | ||
1318 | // the maximum length of the console session, separately from the DurationSeconds | ||
1319 | // parameter on this API. For more information, see Enabling SAML 2.0 Federated | ||
1320 | // Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html) | ||
1321 | // in the IAM User Guide. | ||
1322 | DurationSeconds *int64 `min:"900" type:"integer"` | ||
1323 | |||
1324 | // An IAM policy in JSON format. | ||
1325 | // | ||
1326 | // The policy parameter is optional. If you pass a policy, the temporary security | ||
1327 | // credentials that are returned by the operation have the permissions that | ||
1328 | // are allowed by both the access policy of the role that is being assumed, | ||
1329 | // and the policy that you pass. This gives you a way to further restrict the | ||
1330 | // permissions for the resulting temporary security credentials. You cannot | ||
1331 | // use the passed policy to grant permissions that are in excess of those allowed | ||
1332 | // by the access policy of the role that is being assumed. For more information, | ||
1333 | // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity | ||
1334 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1335 | // in the IAM User Guide. | ||
1336 | // | ||
1337 | // The format for this parameter, as described by its regex pattern, is a string | ||
1338 | // of characters up to 2048 characters in length. The characters can be any | ||
1339 | // ASCII character from the space character to the end of the valid character | ||
1340 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
1341 | // and carriage return (\u000D) characters. | ||
1342 | // | ||
1343 | // The policy plain text must be 2048 bytes or shorter. However, an internal | ||
1344 | // conversion compresses it into a packed binary format with a separate limit. | ||
1345 | // The PackedPolicySize response element indicates by percentage how close to | ||
1346 | // the upper size limit the policy is, with 100% equaling the maximum allowed | ||
1347 | // size. | ||
1348 | Policy *string `min:"1" type:"string"` | ||
1349 | |||
1350 | // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes | ||
1351 | // the IdP. | ||
1352 | // | ||
1353 | // PrincipalArn is a required field | ||
1354 | PrincipalArn *string `min:"20" type:"string" required:"true"` | ||
1355 | |||
1356 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | ||
1357 | // | ||
1358 | // RoleArn is a required field | ||
1359 | RoleArn *string `min:"20" type:"string" required:"true"` | ||
1360 | |||
1361 | // The base-64 encoded SAML authentication response provided by the IdP. | ||
1362 | // | ||
1363 | // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) | ||
1364 | // in the Using IAM guide. | ||
1365 | // | ||
1366 | // SAMLAssertion is a required field | ||
1367 | SAMLAssertion *string `min:"4" type:"string" required:"true"` | ||
1368 | } | ||
1369 | |||
1370 | // String returns the string representation | ||
1371 | func (s AssumeRoleWithSAMLInput) String() string { | ||
1372 | return awsutil.Prettify(s) | ||
1373 | } | ||
1374 | |||
1375 | // GoString returns the string representation | ||
1376 | func (s AssumeRoleWithSAMLInput) GoString() string { | ||
1377 | return s.String() | ||
1378 | } | ||
1379 | |||
1380 | // Validate inspects the fields of the type to determine if they are valid. | ||
1381 | func (s *AssumeRoleWithSAMLInput) Validate() error { | ||
1382 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} | ||
1383 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | ||
1384 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | ||
1385 | } | ||
1386 | if s.Policy != nil && len(*s.Policy) < 1 { | ||
1387 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | ||
1388 | } | ||
1389 | if s.PrincipalArn == nil { | ||
1390 | invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) | ||
1391 | } | ||
1392 | if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { | ||
1393 | invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) | ||
1394 | } | ||
1395 | if s.RoleArn == nil { | ||
1396 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | ||
1397 | } | ||
1398 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | ||
1399 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | ||
1400 | } | ||
1401 | if s.SAMLAssertion == nil { | ||
1402 | invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) | ||
1403 | } | ||
1404 | if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { | ||
1405 | invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) | ||
1406 | } | ||
1407 | |||
1408 | if invalidParams.Len() > 0 { | ||
1409 | return invalidParams | ||
1410 | } | ||
1411 | return nil | ||
1412 | } | ||
1413 | |||
1414 | // SetDurationSeconds sets the DurationSeconds field's value. | ||
1415 | func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { | ||
1416 | s.DurationSeconds = &v | ||
1417 | return s | ||
1418 | } | ||
1419 | |||
1420 | // SetPolicy sets the Policy field's value. | ||
1421 | func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { | ||
1422 | s.Policy = &v | ||
1423 | return s | ||
1424 | } | ||
1425 | |||
1426 | // SetPrincipalArn sets the PrincipalArn field's value. | ||
1427 | func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { | ||
1428 | s.PrincipalArn = &v | ||
1429 | return s | ||
1430 | } | ||
1431 | |||
1432 | // SetRoleArn sets the RoleArn field's value. | ||
1433 | func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { | ||
1434 | s.RoleArn = &v | ||
1435 | return s | ||
1436 | } | ||
1437 | |||
1438 | // SetSAMLAssertion sets the SAMLAssertion field's value. | ||
1439 | func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { | ||
1440 | s.SAMLAssertion = &v | ||
1441 | return s | ||
1442 | } | ||
1443 | |||
1444 | // Contains the response to a successful AssumeRoleWithSAML request, including | ||
1445 | // temporary AWS credentials that can be used to make AWS requests. | ||
1446 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse | ||
1447 | type AssumeRoleWithSAMLOutput struct { | ||
1448 | _ struct{} `type:"structure"` | ||
1449 | |||
1450 | // The identifiers for the temporary security credentials that the operation | ||
1451 | // returns. | ||
1452 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | ||
1453 | |||
1454 | // The value of the Recipient attribute of the SubjectConfirmationData element | ||
1455 | // of the SAML assertion. | ||
1456 | Audience *string `type:"string"` | ||
1457 | |||
1458 | // The temporary security credentials, which include an access key ID, a secret | ||
1459 | // access key, and a security (or session) token. | ||
1460 | // | ||
1461 | // Note: The size of the security token that STS APIs return is not fixed. We | ||
1462 | // strongly recommend that you make no assumptions about the maximum size. As | ||
1463 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1464 | // Also, future updates to AWS might require larger sizes. | ||
1465 | Credentials *Credentials `type:"structure"` | ||
1466 | |||
1467 | // The value of the Issuer element of the SAML assertion. | ||
1468 | Issuer *string `type:"string"` | ||
1469 | |||
1470 | // A hash value based on the concatenation of the Issuer response value, the | ||
1471 | // AWS account ID, and the friendly name (the last part of the ARN) of the SAML | ||
1472 | // provider in IAM. The combination of NameQualifier and Subject can be used | ||
1473 | // to uniquely identify a federated user. | ||
1474 | // | ||
1475 | // The following pseudocode shows how the hash value is calculated: | ||
1476 | // | ||
1477 | // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" | ||
1478 | // ) ) | ||
1479 | NameQualifier *string `type:"string"` | ||
1480 | |||
1481 | // A percentage value that indicates the size of the policy in packed form. | ||
1482 | // The service rejects any policy with a packed size greater than 100 percent, | ||
1483 | // which means the policy exceeded the allowed space. | ||
1484 | PackedPolicySize *int64 `type:"integer"` | ||
1485 | |||
1486 | // The value of the NameID element in the Subject element of the SAML assertion. | ||
1487 | Subject *string `type:"string"` | ||
1488 | |||
1489 | // The format of the name ID, as defined by the Format attribute in the NameID | ||
1490 | // element of the SAML assertion. Typical examples of the format are transient | ||
1491 | // or persistent. | ||
1492 | // | ||
1493 | // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, | ||
1494 | // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient | ||
1495 | // is returned as transient. If the format includes any other prefix, the format | ||
1496 | // is returned with no modifications. | ||
1497 | SubjectType *string `type:"string"` | ||
1498 | } | ||
1499 | |||
1500 | // String returns the string representation | ||
1501 | func (s AssumeRoleWithSAMLOutput) String() string { | ||
1502 | return awsutil.Prettify(s) | ||
1503 | } | ||
1504 | |||
1505 | // GoString returns the string representation | ||
1506 | func (s AssumeRoleWithSAMLOutput) GoString() string { | ||
1507 | return s.String() | ||
1508 | } | ||
1509 | |||
1510 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | ||
1511 | func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { | ||
1512 | s.AssumedRoleUser = v | ||
1513 | return s | ||
1514 | } | ||
1515 | |||
1516 | // SetAudience sets the Audience field's value. | ||
1517 | func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { | ||
1518 | s.Audience = &v | ||
1519 | return s | ||
1520 | } | ||
1521 | |||
1522 | // SetCredentials sets the Credentials field's value. | ||
1523 | func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { | ||
1524 | s.Credentials = v | ||
1525 | return s | ||
1526 | } | ||
1527 | |||
1528 | // SetIssuer sets the Issuer field's value. | ||
1529 | func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { | ||
1530 | s.Issuer = &v | ||
1531 | return s | ||
1532 | } | ||
1533 | |||
1534 | // SetNameQualifier sets the NameQualifier field's value. | ||
1535 | func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { | ||
1536 | s.NameQualifier = &v | ||
1537 | return s | ||
1538 | } | ||
1539 | |||
1540 | // SetPackedPolicySize sets the PackedPolicySize field's value. | ||
1541 | func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { | ||
1542 | s.PackedPolicySize = &v | ||
1543 | return s | ||
1544 | } | ||
1545 | |||
1546 | // SetSubject sets the Subject field's value. | ||
1547 | func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { | ||
1548 | s.Subject = &v | ||
1549 | return s | ||
1550 | } | ||
1551 | |||
1552 | // SetSubjectType sets the SubjectType field's value. | ||
1553 | func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { | ||
1554 | s.SubjectType = &v | ||
1555 | return s | ||
1556 | } | ||
1557 | |||
1558 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityRequest | ||
1559 | type AssumeRoleWithWebIdentityInput struct { | ||
1560 | _ struct{} `type:"structure"` | ||
1561 | |||
1562 | // The duration, in seconds, of the role session. The value can range from 900 | ||
1563 | // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set | ||
1564 | // to 3600 seconds. | ||
1565 | // | ||
1566 | // This is separate from the duration of a console session that you might request | ||
1567 | // using the returned credentials. The request to the federation endpoint for | ||
1568 | // a console sign-in token takes a SessionDuration parameter that specifies | ||
1569 | // the maximum length of the console session, separately from the DurationSeconds | ||
1570 | // parameter on this API. For more information, see Creating a URL that Enables | ||
1571 | // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) | ||
1572 | // in the IAM User Guide. | ||
1573 | DurationSeconds *int64 `min:"900" type:"integer"` | ||
1574 | |||
1575 | // An IAM policy in JSON format. | ||
1576 | // | ||
1577 | // The policy parameter is optional. If you pass a policy, the temporary security | ||
1578 | // credentials that are returned by the operation have the permissions that | ||
1579 | // are allowed by both the access policy of the role that is being assumed, | ||
1580 | // and the policy that you pass. This gives you a way to further restrict the | ||
1581 | // permissions for the resulting temporary security credentials. You cannot | ||
1582 | // use the passed policy to grant permissions that are in excess of those allowed | ||
1583 | // by the access policy of the role that is being assumed. For more information, | ||
1584 | // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html) | ||
1585 | // in the IAM User Guide. | ||
1586 | // | ||
1587 | // The format for this parameter, as described by its regex pattern, is a string | ||
1588 | // of characters up to 2048 characters in length. The characters can be any | ||
1589 | // ASCII character from the space character to the end of the valid character | ||
1590 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
1591 | // and carriage return (\u000D) characters. | ||
1592 | // | ||
1593 | // The policy plain text must be 2048 bytes or shorter. However, an internal | ||
1594 | // conversion compresses it into a packed binary format with a separate limit. | ||
1595 | // The PackedPolicySize response element indicates by percentage how close to | ||
1596 | // the upper size limit the policy is, with 100% equaling the maximum allowed | ||
1597 | // size. | ||
1598 | Policy *string `min:"1" type:"string"` | ||
1599 | |||
1600 | // The fully qualified host component of the domain name of the identity provider. | ||
1601 | // | ||
1602 | // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com | ||
1603 | // and graph.facebook.com are the only supported identity providers for OAuth | ||
1604 | // 2.0 access tokens. Do not include URL schemes and port numbers. | ||
1605 | // | ||
1606 | // Do not specify this value for OpenID Connect ID tokens. | ||
1607 | ProviderId *string `min:"4" type:"string"` | ||
1608 | |||
1609 | // The Amazon Resource Name (ARN) of the role that the caller is assuming. | ||
1610 | // | ||
1611 | // RoleArn is a required field | ||
1612 | RoleArn *string `min:"20" type:"string" required:"true"` | ||
1613 | |||
1614 | // An identifier for the assumed role session. Typically, you pass the name | ||
1615 | // or identifier that is associated with the user who is using your application. | ||
1616 | // That way, the temporary security credentials that your application will use | ||
1617 | // are associated with that user. This session name is included as part of the | ||
1618 | // ARN and assumed role ID in the AssumedRoleUser response element. | ||
1619 | // | ||
1620 | // The regex used to validate this parameter is a string of characters consisting | ||
1621 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
1622 | // also include underscores or any of the following characters: =,.@- | ||
1623 | // | ||
1624 | // RoleSessionName is a required field | ||
1625 | RoleSessionName *string `min:"2" type:"string" required:"true"` | ||
1626 | |||
1627 | // The OAuth 2.0 access token or OpenID Connect ID token that is provided by | ||
1628 | // the identity provider. Your application must get this token by authenticating | ||
1629 | // the user who is using your application with a web identity provider before | ||
1630 | // the application makes an AssumeRoleWithWebIdentity call. | ||
1631 | // | ||
1632 | // WebIdentityToken is a required field | ||
1633 | WebIdentityToken *string `min:"4" type:"string" required:"true"` | ||
1634 | } | ||
1635 | |||
1636 | // String returns the string representation | ||
1637 | func (s AssumeRoleWithWebIdentityInput) String() string { | ||
1638 | return awsutil.Prettify(s) | ||
1639 | } | ||
1640 | |||
1641 | // GoString returns the string representation | ||
1642 | func (s AssumeRoleWithWebIdentityInput) GoString() string { | ||
1643 | return s.String() | ||
1644 | } | ||
1645 | |||
1646 | // Validate inspects the fields of the type to determine if they are valid. | ||
1647 | func (s *AssumeRoleWithWebIdentityInput) Validate() error { | ||
1648 | invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} | ||
1649 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | ||
1650 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | ||
1651 | } | ||
1652 | if s.Policy != nil && len(*s.Policy) < 1 { | ||
1653 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | ||
1654 | } | ||
1655 | if s.ProviderId != nil && len(*s.ProviderId) < 4 { | ||
1656 | invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) | ||
1657 | } | ||
1658 | if s.RoleArn == nil { | ||
1659 | invalidParams.Add(request.NewErrParamRequired("RoleArn")) | ||
1660 | } | ||
1661 | if s.RoleArn != nil && len(*s.RoleArn) < 20 { | ||
1662 | invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) | ||
1663 | } | ||
1664 | if s.RoleSessionName == nil { | ||
1665 | invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) | ||
1666 | } | ||
1667 | if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { | ||
1668 | invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) | ||
1669 | } | ||
1670 | if s.WebIdentityToken == nil { | ||
1671 | invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) | ||
1672 | } | ||
1673 | if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { | ||
1674 | invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) | ||
1675 | } | ||
1676 | |||
1677 | if invalidParams.Len() > 0 { | ||
1678 | return invalidParams | ||
1679 | } | ||
1680 | return nil | ||
1681 | } | ||
1682 | |||
1683 | // SetDurationSeconds sets the DurationSeconds field's value. | ||
1684 | func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { | ||
1685 | s.DurationSeconds = &v | ||
1686 | return s | ||
1687 | } | ||
1688 | |||
1689 | // SetPolicy sets the Policy field's value. | ||
1690 | func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { | ||
1691 | s.Policy = &v | ||
1692 | return s | ||
1693 | } | ||
1694 | |||
1695 | // SetProviderId sets the ProviderId field's value. | ||
1696 | func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { | ||
1697 | s.ProviderId = &v | ||
1698 | return s | ||
1699 | } | ||
1700 | |||
1701 | // SetRoleArn sets the RoleArn field's value. | ||
1702 | func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { | ||
1703 | s.RoleArn = &v | ||
1704 | return s | ||
1705 | } | ||
1706 | |||
1707 | // SetRoleSessionName sets the RoleSessionName field's value. | ||
1708 | func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { | ||
1709 | s.RoleSessionName = &v | ||
1710 | return s | ||
1711 | } | ||
1712 | |||
1713 | // SetWebIdentityToken sets the WebIdentityToken field's value. | ||
1714 | func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { | ||
1715 | s.WebIdentityToken = &v | ||
1716 | return s | ||
1717 | } | ||
1718 | |||
1719 | // Contains the response to a successful AssumeRoleWithWebIdentity request, | ||
1720 | // including temporary AWS credentials that can be used to make AWS requests. | ||
1721 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse | ||
1722 | type AssumeRoleWithWebIdentityOutput struct { | ||
1723 | _ struct{} `type:"structure"` | ||
1724 | |||
1725 | // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers | ||
1726 | // that you can use to refer to the resulting temporary security credentials. | ||
1727 | // For example, you can reference these credentials as a principal in a resource-based | ||
1728 | // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName | ||
1729 | // that you specified when you called AssumeRole. | ||
1730 | AssumedRoleUser *AssumedRoleUser `type:"structure"` | ||
1731 | |||
1732 | // The intended audience (also known as client ID) of the web identity token. | ||
1733 | // This is traditionally the client identifier issued to the application that | ||
1734 | // requested the web identity token. | ||
1735 | Audience *string `type:"string"` | ||
1736 | |||
1737 | // The temporary security credentials, which include an access key ID, a secret | ||
1738 | // access key, and a security token. | ||
1739 | // | ||
1740 | // Note: The size of the security token that STS APIs return is not fixed. We | ||
1741 | // strongly recommend that you make no assumptions about the maximum size. As | ||
1742 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
1743 | // Also, future updates to AWS might require larger sizes. | ||
1744 | Credentials *Credentials `type:"structure"` | ||
1745 | |||
1746 | // A percentage value that indicates the size of the policy in packed form. | ||
1747 | // The service rejects any policy with a packed size greater than 100 percent, | ||
1748 | // which means the policy exceeded the allowed space. | ||
1749 | PackedPolicySize *int64 `type:"integer"` | ||
1750 | |||
1751 | // The issuing authority of the web identity token presented. For OpenID Connect | ||
1752 | // ID Tokens this contains the value of the iss field. For OAuth 2.0 access | ||
1753 | // tokens, this contains the value of the ProviderId parameter that was passed | ||
1754 | // in the AssumeRoleWithWebIdentity request. | ||
1755 | Provider *string `type:"string"` | ||
1756 | |||
1757 | // The unique user identifier that is returned by the identity provider. This | ||
1758 | // identifier is associated with the WebIdentityToken that was submitted with | ||
1759 | // the AssumeRoleWithWebIdentity call. The identifier is typically unique to | ||
1760 | // the user and the application that acquired the WebIdentityToken (pairwise | ||
1761 | // identifier). For OpenID Connect ID tokens, this field contains the value | ||
1762 | // returned by the identity provider as the token's sub (Subject) claim. | ||
1763 | SubjectFromWebIdentityToken *string `min:"6" type:"string"` | ||
1764 | } | ||
1765 | |||
1766 | // String returns the string representation | ||
1767 | func (s AssumeRoleWithWebIdentityOutput) String() string { | ||
1768 | return awsutil.Prettify(s) | ||
1769 | } | ||
1770 | |||
1771 | // GoString returns the string representation | ||
1772 | func (s AssumeRoleWithWebIdentityOutput) GoString() string { | ||
1773 | return s.String() | ||
1774 | } | ||
1775 | |||
1776 | // SetAssumedRoleUser sets the AssumedRoleUser field's value. | ||
1777 | func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { | ||
1778 | s.AssumedRoleUser = v | ||
1779 | return s | ||
1780 | } | ||
1781 | |||
1782 | // SetAudience sets the Audience field's value. | ||
1783 | func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { | ||
1784 | s.Audience = &v | ||
1785 | return s | ||
1786 | } | ||
1787 | |||
1788 | // SetCredentials sets the Credentials field's value. | ||
1789 | func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { | ||
1790 | s.Credentials = v | ||
1791 | return s | ||
1792 | } | ||
1793 | |||
1794 | // SetPackedPolicySize sets the PackedPolicySize field's value. | ||
1795 | func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { | ||
1796 | s.PackedPolicySize = &v | ||
1797 | return s | ||
1798 | } | ||
1799 | |||
1800 | // SetProvider sets the Provider field's value. | ||
1801 | func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { | ||
1802 | s.Provider = &v | ||
1803 | return s | ||
1804 | } | ||
1805 | |||
1806 | // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. | ||
1807 | func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { | ||
1808 | s.SubjectFromWebIdentityToken = &v | ||
1809 | return s | ||
1810 | } | ||
1811 | |||
1812 | // The identifiers for the temporary security credentials that the operation | ||
1813 | // returns. | ||
1814 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumedRoleUser | ||
1815 | type AssumedRoleUser struct { | ||
1816 | _ struct{} `type:"structure"` | ||
1817 | |||
1818 | // The ARN of the temporary security credentials that are returned from the | ||
1819 | // AssumeRole action. For more information about ARNs and how to use them in | ||
1820 | // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | ||
1821 | // in Using IAM. | ||
1822 | // | ||
1823 | // Arn is a required field | ||
1824 | Arn *string `min:"20" type:"string" required:"true"` | ||
1825 | |||
1826 | // A unique identifier that contains the role ID and the role session name of | ||
1827 | // the role that is being assumed. The role ID is generated by AWS when the | ||
1828 | // role is created. | ||
1829 | // | ||
1830 | // AssumedRoleId is a required field | ||
1831 | AssumedRoleId *string `min:"2" type:"string" required:"true"` | ||
1832 | } | ||
1833 | |||
1834 | // String returns the string representation | ||
1835 | func (s AssumedRoleUser) String() string { | ||
1836 | return awsutil.Prettify(s) | ||
1837 | } | ||
1838 | |||
1839 | // GoString returns the string representation | ||
1840 | func (s AssumedRoleUser) GoString() string { | ||
1841 | return s.String() | ||
1842 | } | ||
1843 | |||
1844 | // SetArn sets the Arn field's value. | ||
1845 | func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { | ||
1846 | s.Arn = &v | ||
1847 | return s | ||
1848 | } | ||
1849 | |||
1850 | // SetAssumedRoleId sets the AssumedRoleId field's value. | ||
1851 | func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { | ||
1852 | s.AssumedRoleId = &v | ||
1853 | return s | ||
1854 | } | ||
1855 | |||
1856 | // AWS credentials for API authentication. | ||
1857 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/Credentials | ||
1858 | type Credentials struct { | ||
1859 | _ struct{} `type:"structure"` | ||
1860 | |||
1861 | // The access key ID that identifies the temporary security credentials. | ||
1862 | // | ||
1863 | // AccessKeyId is a required field | ||
1864 | AccessKeyId *string `min:"16" type:"string" required:"true"` | ||
1865 | |||
1866 | // The date on which the current credentials expire. | ||
1867 | // | ||
1868 | // Expiration is a required field | ||
1869 | Expiration *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"` | ||
1870 | |||
1871 | // The secret access key that can be used to sign requests. | ||
1872 | // | ||
1873 | // SecretAccessKey is a required field | ||
1874 | SecretAccessKey *string `type:"string" required:"true"` | ||
1875 | |||
1876 | // The token that users must pass to the service API to use the temporary credentials. | ||
1877 | // | ||
1878 | // SessionToken is a required field | ||
1879 | SessionToken *string `type:"string" required:"true"` | ||
1880 | } | ||
1881 | |||
1882 | // String returns the string representation | ||
1883 | func (s Credentials) String() string { | ||
1884 | return awsutil.Prettify(s) | ||
1885 | } | ||
1886 | |||
1887 | // GoString returns the string representation | ||
1888 | func (s Credentials) GoString() string { | ||
1889 | return s.String() | ||
1890 | } | ||
1891 | |||
1892 | // SetAccessKeyId sets the AccessKeyId field's value. | ||
1893 | func (s *Credentials) SetAccessKeyId(v string) *Credentials { | ||
1894 | s.AccessKeyId = &v | ||
1895 | return s | ||
1896 | } | ||
1897 | |||
1898 | // SetExpiration sets the Expiration field's value. | ||
1899 | func (s *Credentials) SetExpiration(v time.Time) *Credentials { | ||
1900 | s.Expiration = &v | ||
1901 | return s | ||
1902 | } | ||
1903 | |||
1904 | // SetSecretAccessKey sets the SecretAccessKey field's value. | ||
1905 | func (s *Credentials) SetSecretAccessKey(v string) *Credentials { | ||
1906 | s.SecretAccessKey = &v | ||
1907 | return s | ||
1908 | } | ||
1909 | |||
1910 | // SetSessionToken sets the SessionToken field's value. | ||
1911 | func (s *Credentials) SetSessionToken(v string) *Credentials { | ||
1912 | s.SessionToken = &v | ||
1913 | return s | ||
1914 | } | ||
1915 | |||
1916 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageRequest | ||
1917 | type DecodeAuthorizationMessageInput struct { | ||
1918 | _ struct{} `type:"structure"` | ||
1919 | |||
1920 | // The encoded message that was returned with the response. | ||
1921 | // | ||
1922 | // EncodedMessage is a required field | ||
1923 | EncodedMessage *string `min:"1" type:"string" required:"true"` | ||
1924 | } | ||
1925 | |||
1926 | // String returns the string representation | ||
1927 | func (s DecodeAuthorizationMessageInput) String() string { | ||
1928 | return awsutil.Prettify(s) | ||
1929 | } | ||
1930 | |||
1931 | // GoString returns the string representation | ||
1932 | func (s DecodeAuthorizationMessageInput) GoString() string { | ||
1933 | return s.String() | ||
1934 | } | ||
1935 | |||
1936 | // Validate inspects the fields of the type to determine if they are valid. | ||
1937 | func (s *DecodeAuthorizationMessageInput) Validate() error { | ||
1938 | invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} | ||
1939 | if s.EncodedMessage == nil { | ||
1940 | invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) | ||
1941 | } | ||
1942 | if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { | ||
1943 | invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) | ||
1944 | } | ||
1945 | |||
1946 | if invalidParams.Len() > 0 { | ||
1947 | return invalidParams | ||
1948 | } | ||
1949 | return nil | ||
1950 | } | ||
1951 | |||
1952 | // SetEncodedMessage sets the EncodedMessage field's value. | ||
1953 | func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { | ||
1954 | s.EncodedMessage = &v | ||
1955 | return s | ||
1956 | } | ||
1957 | |||
1958 | // A document that contains additional information about the authorization status | ||
1959 | // of a request from an encoded message that is returned in response to an AWS | ||
1960 | // request. | ||
1961 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse | ||
1962 | type DecodeAuthorizationMessageOutput struct { | ||
1963 | _ struct{} `type:"structure"` | ||
1964 | |||
1965 | // An XML document that contains the decoded message. | ||
1966 | DecodedMessage *string `type:"string"` | ||
1967 | } | ||
1968 | |||
1969 | // String returns the string representation | ||
1970 | func (s DecodeAuthorizationMessageOutput) String() string { | ||
1971 | return awsutil.Prettify(s) | ||
1972 | } | ||
1973 | |||
1974 | // GoString returns the string representation | ||
1975 | func (s DecodeAuthorizationMessageOutput) GoString() string { | ||
1976 | return s.String() | ||
1977 | } | ||
1978 | |||
1979 | // SetDecodedMessage sets the DecodedMessage field's value. | ||
1980 | func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { | ||
1981 | s.DecodedMessage = &v | ||
1982 | return s | ||
1983 | } | ||
1984 | |||
1985 | // Identifiers for the federated user that is associated with the credentials. | ||
1986 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/FederatedUser | ||
1987 | type FederatedUser struct { | ||
1988 | _ struct{} `type:"structure"` | ||
1989 | |||
1990 | // The ARN that specifies the federated user that is associated with the credentials. | ||
1991 | // For more information about ARNs and how to use them in policies, see IAM | ||
1992 | // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) | ||
1993 | // in Using IAM. | ||
1994 | // | ||
1995 | // Arn is a required field | ||
1996 | Arn *string `min:"20" type:"string" required:"true"` | ||
1997 | |||
1998 | // The string that identifies the federated user associated with the credentials, | ||
1999 | // similar to the unique ID of an IAM user. | ||
2000 | // | ||
2001 | // FederatedUserId is a required field | ||
2002 | FederatedUserId *string `min:"2" type:"string" required:"true"` | ||
2003 | } | ||
2004 | |||
2005 | // String returns the string representation | ||
2006 | func (s FederatedUser) String() string { | ||
2007 | return awsutil.Prettify(s) | ||
2008 | } | ||
2009 | |||
2010 | // GoString returns the string representation | ||
2011 | func (s FederatedUser) GoString() string { | ||
2012 | return s.String() | ||
2013 | } | ||
2014 | |||
2015 | // SetArn sets the Arn field's value. | ||
2016 | func (s *FederatedUser) SetArn(v string) *FederatedUser { | ||
2017 | s.Arn = &v | ||
2018 | return s | ||
2019 | } | ||
2020 | |||
2021 | // SetFederatedUserId sets the FederatedUserId field's value. | ||
2022 | func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { | ||
2023 | s.FederatedUserId = &v | ||
2024 | return s | ||
2025 | } | ||
2026 | |||
2027 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityRequest | ||
2028 | type GetCallerIdentityInput struct { | ||
2029 | _ struct{} `type:"structure"` | ||
2030 | } | ||
2031 | |||
2032 | // String returns the string representation | ||
2033 | func (s GetCallerIdentityInput) String() string { | ||
2034 | return awsutil.Prettify(s) | ||
2035 | } | ||
2036 | |||
2037 | // GoString returns the string representation | ||
2038 | func (s GetCallerIdentityInput) GoString() string { | ||
2039 | return s.String() | ||
2040 | } | ||
2041 | |||
2042 | // Contains the response to a successful GetCallerIdentity request, including | ||
2043 | // information about the entity making the request. | ||
2044 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse | ||
2045 | type GetCallerIdentityOutput struct { | ||
2046 | _ struct{} `type:"structure"` | ||
2047 | |||
2048 | // The AWS account ID number of the account that owns or contains the calling | ||
2049 | // entity. | ||
2050 | Account *string `type:"string"` | ||
2051 | |||
2052 | // The AWS ARN associated with the calling entity. | ||
2053 | Arn *string `min:"20" type:"string"` | ||
2054 | |||
2055 | // The unique identifier of the calling entity. The exact value depends on the | ||
2056 | // type of entity making the call. The values returned are those listed in the | ||
2057 | // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) | ||
2058 | // found on the Policy Variables reference page in the IAM User Guide. | ||
2059 | UserId *string `type:"string"` | ||
2060 | } | ||
2061 | |||
2062 | // String returns the string representation | ||
2063 | func (s GetCallerIdentityOutput) String() string { | ||
2064 | return awsutil.Prettify(s) | ||
2065 | } | ||
2066 | |||
2067 | // GoString returns the string representation | ||
2068 | func (s GetCallerIdentityOutput) GoString() string { | ||
2069 | return s.String() | ||
2070 | } | ||
2071 | |||
2072 | // SetAccount sets the Account field's value. | ||
2073 | func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { | ||
2074 | s.Account = &v | ||
2075 | return s | ||
2076 | } | ||
2077 | |||
2078 | // SetArn sets the Arn field's value. | ||
2079 | func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { | ||
2080 | s.Arn = &v | ||
2081 | return s | ||
2082 | } | ||
2083 | |||
2084 | // SetUserId sets the UserId field's value. | ||
2085 | func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { | ||
2086 | s.UserId = &v | ||
2087 | return s | ||
2088 | } | ||
2089 | |||
2090 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenRequest | ||
2091 | type GetFederationTokenInput struct { | ||
2092 | _ struct{} `type:"structure"` | ||
2093 | |||
2094 | // The duration, in seconds, that the session should last. Acceptable durations | ||
2095 | // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds | ||
2096 | // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained | ||
2097 | // using AWS account (root) credentials are restricted to a maximum of 3600 | ||
2098 | // seconds (one hour). If the specified duration is longer than one hour, the | ||
2099 | // session obtained by using AWS account (root) credentials defaults to one | ||
2100 | // hour. | ||
2101 | DurationSeconds *int64 `min:"900" type:"integer"` | ||
2102 | |||
2103 | // The name of the federated user. The name is used as an identifier for the | ||
2104 | // temporary security credentials (such as Bob). For example, you can reference | ||
2105 | // the federated user name in a resource-based policy, such as in an Amazon | ||
2106 | // S3 bucket policy. | ||
2107 | // | ||
2108 | // The regex used to validate this parameter is a string of characters consisting | ||
2109 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
2110 | // also include underscores or any of the following characters: =,.@- | ||
2111 | // | ||
2112 | // Name is a required field | ||
2113 | Name *string `min:"2" type:"string" required:"true"` | ||
2114 | |||
2115 | // An IAM policy in JSON format that is passed with the GetFederationToken call | ||
2116 | // and evaluated along with the policy or policies that are attached to the | ||
2117 | // IAM user whose credentials are used to call GetFederationToken. The passed | ||
2118 | // policy is used to scope down the permissions that are available to the IAM | ||
2119 | // user, by allowing only a subset of the permissions that are granted to the | ||
2120 | // IAM user. The passed policy cannot grant more permissions than those granted | ||
2121 | // to the IAM user. The final permissions for the federated user are the most | ||
2122 | // restrictive set based on the intersection of the passed policy and the IAM | ||
2123 | // user policy. | ||
2124 | // | ||
2125 | // If you do not pass a policy, the resulting temporary security credentials | ||
2126 | // have no effective permissions. The only exception is when the temporary security | ||
2127 | // credentials are used to access a resource that has a resource-based policy | ||
2128 | // that specifically allows the federated user to access the resource. | ||
2129 | // | ||
2130 | // The format for this parameter, as described by its regex pattern, is a string | ||
2131 | // of characters up to 2048 characters in length. The characters can be any | ||
2132 | // ASCII character from the space character to the end of the valid character | ||
2133 | // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A), | ||
2134 | // and carriage return (\u000D) characters. | ||
2135 | // | ||
2136 | // The policy plain text must be 2048 bytes or shorter. However, an internal | ||
2137 | // conversion compresses it into a packed binary format with a separate limit. | ||
2138 | // The PackedPolicySize response element indicates by percentage how close to | ||
2139 | // the upper size limit the policy is, with 100% equaling the maximum allowed | ||
2140 | // size. | ||
2141 | // | ||
2142 | // For more information about how permissions work, see Permissions for GetFederationToken | ||
2143 | // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html). | ||
2144 | Policy *string `min:"1" type:"string"` | ||
2145 | } | ||
2146 | |||
2147 | // String returns the string representation | ||
2148 | func (s GetFederationTokenInput) String() string { | ||
2149 | return awsutil.Prettify(s) | ||
2150 | } | ||
2151 | |||
2152 | // GoString returns the string representation | ||
2153 | func (s GetFederationTokenInput) GoString() string { | ||
2154 | return s.String() | ||
2155 | } | ||
2156 | |||
2157 | // Validate inspects the fields of the type to determine if they are valid. | ||
2158 | func (s *GetFederationTokenInput) Validate() error { | ||
2159 | invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} | ||
2160 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | ||
2161 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | ||
2162 | } | ||
2163 | if s.Name == nil { | ||
2164 | invalidParams.Add(request.NewErrParamRequired("Name")) | ||
2165 | } | ||
2166 | if s.Name != nil && len(*s.Name) < 2 { | ||
2167 | invalidParams.Add(request.NewErrParamMinLen("Name", 2)) | ||
2168 | } | ||
2169 | if s.Policy != nil && len(*s.Policy) < 1 { | ||
2170 | invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) | ||
2171 | } | ||
2172 | |||
2173 | if invalidParams.Len() > 0 { | ||
2174 | return invalidParams | ||
2175 | } | ||
2176 | return nil | ||
2177 | } | ||
2178 | |||
2179 | // SetDurationSeconds sets the DurationSeconds field's value. | ||
2180 | func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { | ||
2181 | s.DurationSeconds = &v | ||
2182 | return s | ||
2183 | } | ||
2184 | |||
2185 | // SetName sets the Name field's value. | ||
2186 | func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { | ||
2187 | s.Name = &v | ||
2188 | return s | ||
2189 | } | ||
2190 | |||
2191 | // SetPolicy sets the Policy field's value. | ||
2192 | func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { | ||
2193 | s.Policy = &v | ||
2194 | return s | ||
2195 | } | ||
2196 | |||
2197 | // Contains the response to a successful GetFederationToken request, including | ||
2198 | // temporary AWS credentials that can be used to make AWS requests. | ||
2199 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationTokenResponse | ||
2200 | type GetFederationTokenOutput struct { | ||
2201 | _ struct{} `type:"structure"` | ||
2202 | |||
2203 | // The temporary security credentials, which include an access key ID, a secret | ||
2204 | // access key, and a security (or session) token. | ||
2205 | // | ||
2206 | // Note: The size of the security token that STS APIs return is not fixed. We | ||
2207 | // strongly recommend that you make no assumptions about the maximum size. As | ||
2208 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
2209 | // Also, future updates to AWS might require larger sizes. | ||
2210 | Credentials *Credentials `type:"structure"` | ||
2211 | |||
2212 | // Identifiers for the federated user associated with the credentials (such | ||
2213 | // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You | ||
2214 | // can use the federated user's ARN in your resource-based policies, such as | ||
2215 | // an Amazon S3 bucket policy. | ||
2216 | FederatedUser *FederatedUser `type:"structure"` | ||
2217 | |||
2218 | // A percentage value indicating the size of the policy in packed form. The | ||
2219 | // service rejects policies for which the packed size is greater than 100 percent | ||
2220 | // of the allowed value. | ||
2221 | PackedPolicySize *int64 `type:"integer"` | ||
2222 | } | ||
2223 | |||
2224 | // String returns the string representation | ||
2225 | func (s GetFederationTokenOutput) String() string { | ||
2226 | return awsutil.Prettify(s) | ||
2227 | } | ||
2228 | |||
2229 | // GoString returns the string representation | ||
2230 | func (s GetFederationTokenOutput) GoString() string { | ||
2231 | return s.String() | ||
2232 | } | ||
2233 | |||
2234 | // SetCredentials sets the Credentials field's value. | ||
2235 | func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { | ||
2236 | s.Credentials = v | ||
2237 | return s | ||
2238 | } | ||
2239 | |||
2240 | // SetFederatedUser sets the FederatedUser field's value. | ||
2241 | func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { | ||
2242 | s.FederatedUser = v | ||
2243 | return s | ||
2244 | } | ||
2245 | |||
2246 | // SetPackedPolicySize sets the PackedPolicySize field's value. | ||
2247 | func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { | ||
2248 | s.PackedPolicySize = &v | ||
2249 | return s | ||
2250 | } | ||
2251 | |||
2252 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenRequest | ||
2253 | type GetSessionTokenInput struct { | ||
2254 | _ struct{} `type:"structure"` | ||
2255 | |||
2256 | // The duration, in seconds, that the credentials should remain valid. Acceptable | ||
2257 | // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600 | ||
2258 | // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions | ||
2259 | // for AWS account owners are restricted to a maximum of 3600 seconds (one hour). | ||
2260 | // If the duration is longer than one hour, the session for AWS account owners | ||
2261 | // defaults to one hour. | ||
2262 | DurationSeconds *int64 `min:"900" type:"integer"` | ||
2263 | |||
2264 | // The identification number of the MFA device that is associated with the IAM | ||
2265 | // user who is making the GetSessionToken call. Specify this value if the IAM | ||
2266 | // user has a policy that requires MFA authentication. The value is either the | ||
2267 | // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource | ||
2268 | // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). | ||
2269 | // You can find the device for an IAM user by going to the AWS Management Console | ||
2270 | // and viewing the user's security credentials. | ||
2271 | // | ||
2272 | // The regex used to validate this parameter is a string of characters consisting | ||
2273 | // of upper- and lower-case alphanumeric characters with no spaces. You can | ||
2274 | // also include underscores or any of the following characters: =,.@- | ||
2275 | SerialNumber *string `min:"9" type:"string"` | ||
2276 | |||
2277 | // The value provided by the MFA device, if MFA is required. If any policy requires | ||
2278 | // the IAM user to submit an MFA code, specify this value. If MFA authentication | ||
2279 | // is required, and the user does not provide a code when requesting a set of | ||
2280 | // temporary security credentials, the user will receive an "access denied" | ||
2281 | // response when requesting resources that require MFA authentication. | ||
2282 | // | ||
2283 | // The format for this parameter, as described by its regex pattern, is a sequence | ||
2284 | // of six numeric digits. | ||
2285 | TokenCode *string `min:"6" type:"string"` | ||
2286 | } | ||
2287 | |||
2288 | // String returns the string representation | ||
2289 | func (s GetSessionTokenInput) String() string { | ||
2290 | return awsutil.Prettify(s) | ||
2291 | } | ||
2292 | |||
2293 | // GoString returns the string representation | ||
2294 | func (s GetSessionTokenInput) GoString() string { | ||
2295 | return s.String() | ||
2296 | } | ||
2297 | |||
2298 | // Validate inspects the fields of the type to determine if they are valid. | ||
2299 | func (s *GetSessionTokenInput) Validate() error { | ||
2300 | invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} | ||
2301 | if s.DurationSeconds != nil && *s.DurationSeconds < 900 { | ||
2302 | invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) | ||
2303 | } | ||
2304 | if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { | ||
2305 | invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) | ||
2306 | } | ||
2307 | if s.TokenCode != nil && len(*s.TokenCode) < 6 { | ||
2308 | invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) | ||
2309 | } | ||
2310 | |||
2311 | if invalidParams.Len() > 0 { | ||
2312 | return invalidParams | ||
2313 | } | ||
2314 | return nil | ||
2315 | } | ||
2316 | |||
2317 | // SetDurationSeconds sets the DurationSeconds field's value. | ||
2318 | func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { | ||
2319 | s.DurationSeconds = &v | ||
2320 | return s | ||
2321 | } | ||
2322 | |||
2323 | // SetSerialNumber sets the SerialNumber field's value. | ||
2324 | func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { | ||
2325 | s.SerialNumber = &v | ||
2326 | return s | ||
2327 | } | ||
2328 | |||
2329 | // SetTokenCode sets the TokenCode field's value. | ||
2330 | func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { | ||
2331 | s.TokenCode = &v | ||
2332 | return s | ||
2333 | } | ||
2334 | |||
2335 | // Contains the response to a successful GetSessionToken request, including | ||
2336 | // temporary AWS credentials that can be used to make AWS requests. | ||
2337 | // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionTokenResponse | ||
2338 | type GetSessionTokenOutput struct { | ||
2339 | _ struct{} `type:"structure"` | ||
2340 | |||
2341 | // The temporary security credentials, which include an access key ID, a secret | ||
2342 | // access key, and a security (or session) token. | ||
2343 | // | ||
2344 | // Note: The size of the security token that STS APIs return is not fixed. We | ||
2345 | // strongly recommend that you make no assumptions about the maximum size. As | ||
2346 | // of this writing, the typical size is less than 4096 bytes, but that can vary. | ||
2347 | // Also, future updates to AWS might require larger sizes. | ||
2348 | Credentials *Credentials `type:"structure"` | ||
2349 | } | ||
2350 | |||
2351 | // String returns the string representation | ||
2352 | func (s GetSessionTokenOutput) String() string { | ||
2353 | return awsutil.Prettify(s) | ||
2354 | } | ||
2355 | |||
2356 | // GoString returns the string representation | ||
2357 | func (s GetSessionTokenOutput) GoString() string { | ||
2358 | return s.String() | ||
2359 | } | ||
2360 | |||
2361 | // SetCredentials sets the Credentials field's value. | ||
2362 | func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { | ||
2363 | s.Credentials = v | ||
2364 | return s | ||
2365 | } | ||
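--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/customizations.go
@@ -0,0 +1,12 @@
+package sts
+
+import "github.com/aws/aws-sdk-go/aws/request"
+
+func init() {
+initRequest = func(r *request.Request) {
+switch r.Operation.Name {
+case opAssumeRoleWithSAML, opAssumeRoleWithWebIdentity:
+r.Handlers.Sign.Clear() // these operations are unsigned
+}
+}
+}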
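--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/doc.go
@@ -0,0 +1,124 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+// Package sts provides the client and types for making API
+// requests to AWS Security Token Service.
+//
+// The AWS Security Token Service (STS) is a web service that enables you to
+// request temporary, limited-privilege credentials for AWS Identity and Access
+// Management (IAM) users or for users that you authenticate (federated users).
+// This guide provides descriptions of the STS API. For more detailed information
+// about using this service, go to Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html).
+//
+// As an alternative to using the API, you can use one of the AWS SDKs, which
+// consist of libraries and sample code for various programming languages and
+// platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs provide a convenient
+// way to create programmatic access to STS. For example, the SDKs take care
+// of cryptographically signing requests, managing errors, and retrying requests
+// automatically. For information about the AWS SDKs, including how to download
+// and install them, see the Tools for Amazon Web Services page (http://aws.amazon.com/tools/).
+//
+// For information about setting up signatures and authorization through the
+// API, go to Signing AWS API Requests (http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html)
+// in the AWS General Reference. For general information about the Query API,
+// go to Making Query Requests (http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html)
+// in Using IAM. For information about using security tokens with other AWS
+// products, go to AWS Services That Work with IAM (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_aws-services-that-work-with-iam.html)
+// in the IAM User Guide.
+//
+// If you're new to AWS and need additional technical information about a specific
+// AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/
+// (http://aws.amazon.com/documentation/).
+//
+// Endpoints
+//
+// The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com
+// that maps to the US East (N. Virginia) region. Additional regions are available
+// and are activated by default. For more information, see Activating and Deactivating
+// AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+//
+// For information about STS endpoints, see Regions and Endpoints (http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region)
+// in the AWS General Reference.
+//
+// Recording API requests
+//
+// STS supports AWS CloudTrail, which is a service that records AWS calls for
+// your AWS account and delivers log files to an Amazon S3 bucket. By using
+// information collected by CloudTrail, you can determine what requests were
+// successfully made to STS, who made the request, when it was made, and so
+// on. To learn more about CloudTrail, including how to turn it on and find
+// your log files, see the AWS CloudTrail User Guide (http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html).
+//
+// See https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15 for more information on this service.
+//
+// See sts package documentation for more information.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/sts/
+//
+// Using the Client
+//
+// To use the client for AWS Security Token Service you will first need
+// to create a new instance of it.
+//
+// When creating a client for an AWS service you'll first need to have a Session
+// already created. The Session provides configuration that can be shared
+// between multiple service clients. Additional configuration can be applied to
+// the Session and service's client when they are constructed. The aws package's
+// Config type contains several fields such as Region for the AWS Region the
+// client should make API requests too. The optional Config value can be provided
+// as the variadic argument for Sessions and client creation.
+//
+// Once the service's client is created you can use it to make API requests the
+// AWS service. These clients are safe to use concurrently.
+//
+// // Create a session to share configuration, and load external configuration.
+// sess := session.Must(session.NewSession())
+//
+// // Create the service's client with the session.
+// svc := sts.New(sess)
+//
+// See the SDK's documentation for more information on how to use service clients.
+// https://docs.aws.amazon.com/sdk-for-go/api/
+//
+// See aws package's Config type for more information on configuration options.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/#Config
+//
+// See the AWS Security Token Service client STS for more
+// information on creating the service's client.
+// https://docs.aws.amazon.com/sdk-for-go/api/service/sts/#New
+//
+// Once the client is created you can make an API request to the service.
+// Each API method takes a input parameter, and returns the service response
+// and an error.
+//
+// The API method will document which error codes the service can be returned
+// by the operation if the service models the API operation's errors. These
+// errors will also be available as const strings prefixed with "ErrCode".
+//
+// result, err := svc.AssumeRole(params)
+// if err != nil {
+// // Cast err to awserr.Error to handle specific error codes.
+// aerr, ok := err.(awserr.Error)
+// if ok && aerr.Code() == <error code to check for> {
+// // Specific error code handling
+// }
+// return err
+// }
+//
+// fmt.Println("AssumeRole result:")
+// fmt.Println(result)
+//
+// Using the Client with Context
+//
+// The service's client also provides methods to make API requests with a Context
+// value. This allows you to control the timeout, and cancellation of pending
+// requests. These methods also take request Option as variadic parameter to apply
+// additional configuration to the API request.
+//
+// ctx := context.Background()
+//
+// result, err := svc.AssumeRoleWithContext(ctx, params)
+//
+// See the request package documentation for more information on using Context pattern
+// with the SDK.
+// https://docs.aws.amazon.com/sdk-for-go/api/aws/request/
+package sts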
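--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/errors.go
@@ -0,0 +1,73 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package sts
+
+const (
+
+// ErrCodeExpiredTokenException for service response error code
+// "ExpiredTokenException".
+//
+// The web identity token that was passed is expired or is not valid. Get a
+// new identity token from the identity provider and then retry the request.
+ErrCodeExpiredTokenException = "ExpiredTokenException"
+
+// ErrCodeIDPCommunicationErrorException for service response error code
+// "IDPCommunicationError".
+//
+// The request could not be fulfilled because the non-AWS identity provider
+// (IDP) that was asked to verify the incoming identity token could not be reached.
+// This is often a transient error caused by network conditions. Retry the request
+// a limited number of times so that you don't exceed the request rate. If the
+// error persists, the non-AWS identity provider might be down or not responding.
+ErrCodeIDPCommunicationErrorException = "IDPCommunicationError"
+
+// ErrCodeIDPRejectedClaimException for service response error code
+// "IDPRejectedClaim".
+//
+// The identity provider (IdP) reported that authentication failed. This might
+// be because the claim is invalid.
+//
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it
+// can also mean that the claim has expired or has been explicitly revoked.
+ErrCodeIDPRejectedClaimException = "IDPRejectedClaim"
+
+// ErrCodeInvalidAuthorizationMessageException for service response error code
+// "InvalidAuthorizationMessageException".
+//
+// The error returned if the message passed to DecodeAuthorizationMessage was
+// invalid. This can happen if the token contains invalid characters, such as
+// linebreaks.
+ErrCodeInvalidAuthorizationMessageException = "InvalidAuthorizationMessageException"
+
+// ErrCodeInvalidIdentityTokenException for service response error code
+// "InvalidIdentityToken".
+//
+// The web identity token that was passed could not be validated by AWS. Get
+// a new identity token from the identity provider and then retry the request.
+ErrCodeInvalidIdentityTokenException = "InvalidIdentityToken"
+
+// ErrCodeMalformedPolicyDocumentException for service response error code
+// "MalformedPolicyDocument".
+//
+// The request was rejected because the policy document was malformed. The error
+// message describes the specific error.
+ErrCodeMalformedPolicyDocumentException = "MalformedPolicyDocument"
+
+// ErrCodePackedPolicyTooLargeException for service response error code
+// "PackedPolicyTooLarge".
+//
+// The request was rejected because the policy document was too large. The error
+// message describes how big the policy document is, in packed form, as a percentage
+// of what the API allows.
+ErrCodePackedPolicyTooLargeException = "PackedPolicyTooLarge"
+
+// ErrCodeRegionDisabledException for service response error code
+// "RegionDisabledException".
+//
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+ErrCodeRegionDisabledException = "RegionDisabledException"
+)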
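--- /dev/null
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/service.go
@@ -0,0 +1,93 @@
+// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT.
+
+package sts
+
+import (
+"github.com/aws/aws-sdk-go/aws"
+"github.com/aws/aws-sdk-go/aws/client"
+"github.com/aws/aws-sdk-go/aws/client/metadata"
+"github.com/aws/aws-sdk-go/aws/request"
+"github.com/aws/aws-sdk-go/aws/signer/v4"
+"github.com/aws/aws-sdk-go/private/protocol/query"
+)
+
+// STS provides the API operation methods for making requests to
+// AWS Security Token Service. See this package's package overview docs
+// for details on the service.
+//
+// STS methods are safe to use concurrently. It is not safe to
+// modify mutate any of the struct's properties though.
+type STS struct {
+*client.Client
+}
+
+// Used for custom client initialization logic
+var initClient func(*client.Client)
+
+// Used for custom request initialization logic
+var initRequest func(*request.Request)
+
+// Service information constants
+const (
+ServiceName = "sts" // Service endpoint prefix API calls made to.
+EndpointsID = ServiceName // Service ID for Regions and Endpoints metadata.
+)
+
+// New creates a new instance of the STS client with a session.
+// If additional configuration is needed for the client instance use the optional
+// aws.Config parameter to add your extra config.
+//
+// Example:
+// // Create a STS client from just a session.
+// svc := sts.New(mySession)
+//
+// // Create a STS client with additional configuration
+// svc := sts.New(mySession, aws.NewConfig().WithRegion("us-west-2"))
+func New(p client.ConfigProvider, cfgs ...*aws.Config) *STS {
+c := p.ClientConfig(EndpointsID, cfgs...)
+return newClient(*c.Config, c.Handlers, c.Endpoint, c.SigningRegion, c.SigningName)
+}
+
+// newClient creates, initializes and returns a new service client instance.
+func newClient(cfg aws.Config, handlers request.Handlers, endpoint, signingRegion, signingName string) *STS {
+svc := &STS{
+Client: client.New(
+cfg,
+metadata.ClientInfo{
+ServiceName: ServiceName,
+SigningName: signingName,
+SigningRegion: signingRegion,
+Endpoint: endpoint,
+APIVersion: "2011-06-15",
+},
+handlers,
+),
+}
+
+// Handlers
+svc.Handlers.Sign.PushBackNamed(v4.SignRequestHandler)
+svc.Handlers.Build.PushBackNamed(query.BuildHandler)
+svc.Handlers.Unmarshal.PushBackNamed(query.UnmarshalHandler)
+svc.Handlers.UnmarshalMeta.PushBackNamed(query.UnmarshalMetaHandler)
+svc.Handlers.UnmarshalError.PushBackNamed(query.UnmarshalErrorHandler)
+
+// Run custom client initialization if present
+if initClient != nil {
+initClient(svc.Client)
+}
+
+return svc
+}
+
+// newRequest creates a new request for a STS operation and runs any
+// custom request initialization.
+func (c *STS) newRequest(op *request.Operation, params, data interface{}) *request.Request {
+req := c.NewRequest(op, params, data)
+
+// Run custom request initialization if present
+if initRequest != nil {
+initRequest(req)
+}
+
+return req
+}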