// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. package sts import ( "fmt" "time" "github.com/aws/aws-sdk-go/aws" "github.com/aws/aws-sdk-go/aws/awsutil" "github.com/aws/aws-sdk-go/aws/credentials" "github.com/aws/aws-sdk-go/aws/request" ) const opAssumeRole = "AssumeRole" // AssumeRoleRequest generates a "aws/request.Request" representing the // client's request for the AssumeRole operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See AssumeRole for more information on using the AssumeRole // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the AssumeRoleRequest method. // req, resp := client.AssumeRoleRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) { op := &request.Operation{ Name: opAssumeRole, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &AssumeRoleInput{} } output = &AssumeRoleOutput{} req = c.newRequest(op, input, output) return } // AssumeRole API operation for AWS Security Token Service. // // Returns a set of temporary security credentials that you can use to access // AWS resources that you might not normally have access to. These temporary // credentials consist of an access key ID, a secret access key, and a security // token. Typically, you use AssumeRole within your account or for cross-account // access. For a comparison of AssumeRole with other API operations that produce // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // You cannot use AWS account root user credentials to call AssumeRole. You // must use credentials for an IAM user or an IAM role to call AssumeRole. // // For cross-account access, imagine that you own multiple accounts and need // to access resources in each account. You could create long-term credentials // in each account to access those resources. However, managing all those credentials // and remembering which one can access which account can be time consuming. // Instead, you can create one set of long-term credentials in one account. // Then use temporary security credentials to access all the other accounts // by assuming roles in those accounts. For more information about roles, see // IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) // in the IAM User Guide. // // By default, the temporary security credentials created by AssumeRole last // for one hour. However, you can use the optional DurationSeconds parameter // to specify the duration of your session. You can provide a value from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. To learn how to view // the maximum value for your role, see View the Maximum Session Duration Setting // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. The maximum session duration limit applies when you // use the AssumeRole* API operations or the assume-role* CLI commands. However // the limit does not apply when you use those operations to create a console // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // in the IAM User Guide. // // The temporary security credentials created by AssumeRole can be used to make // API calls to any AWS service with the following exception: You cannot call // the AWS STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies shouldn't exceed 2048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent // AWS API calls to access resources in the account that owns the role. You // cannot use session policies to grant more permissions than those allowed // by the identity-based policy of the role that is being assumed. For more // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // To assume a role from a different account, your AWS account must be trusted // by the role. The trust relationship is defined in the role's trust policy // when the role is created. That trust policy states which accounts are allowed // to delegate that access to users in the account. // // A user who wants to access a role in a different account must also have permissions // that are delegated from the user account administrator. The administrator // must attach a policy that allows the user to call AssumeRole for the ARN // of the role in the other account. If the user is in the same account as the // role, then you can do either of the following: // // * Attach a policy to the user (identical to the previous user in a different // account). // // * Add the user as a principal directly in the role's trust policy. // // In this case, the trust policy acts as an IAM resource-based policy. Users // in the same account as the role do not need explicit permission to assume // the role. For more information about trust policies and resource-based policies, // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) // in the IAM User Guide. // // Using MFA with AssumeRole // // (Optional) You can include multi-factor authentication (MFA) information // when you call AssumeRole. This is useful for cross-account scenarios to ensure // that the user that assumes the role has been authenticated with an AWS MFA // device. In that scenario, the trust policy of the role being assumed includes // a condition that tests for MFA authentication. If the caller does not include // valid MFA information, the request to assume the role is denied. The condition // in a trust policy that tests for MFA authentication might look like the following // example. // // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} // // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) // in the IAM User Guide guide. // // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode // parameters. The SerialNumber value identifies the user's hardware or virtual // MFA device. The TokenCode is the time-based one-time password (TOTP) that // the MFA device produces. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation AssumeRole for usage and error information. // // Returned Error Codes: // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" // The request was rejected because the policy document was malformed. The error // message describes the specific error. // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the policy document was too large. The error // message describes how big the policy document is, in packed form, as a percentage // of what the API allows. // // * ErrCodeRegionDisabledException "RegionDisabledException" // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) { req, out := c.AssumeRoleRequest(input) return out, req.Send() } // AssumeRoleWithContext is the same as AssumeRole with the addition of // the ability to pass a context and additional request options. // // See AssumeRole for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) AssumeRoleWithContext(ctx aws.Context, input *AssumeRoleInput, opts ...request.Option) (*AssumeRoleOutput, error) { req, out := c.AssumeRoleRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opAssumeRoleWithSAML = "AssumeRoleWithSAML" // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the // client's request for the AssumeRoleWithSAML operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See AssumeRoleWithSAML for more information on using the AssumeRoleWithSAML // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the AssumeRoleWithSAMLRequest method. // req, resp := client.AssumeRoleWithSAMLRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) { op := &request.Operation{ Name: opAssumeRoleWithSAML, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &AssumeRoleWithSAMLInput{} } output = &AssumeRoleWithSAMLOutput{} req = c.newRequest(op, input, output) req.Config.Credentials = credentials.AnonymousCredentials return } // AssumeRoleWithSAML API operation for AWS Security Token Service. // // Returns a set of temporary security credentials for users who have been authenticated // via a SAML authentication response. This operation provides a mechanism for // tying an enterprise identity store or directory to role-based AWS access // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML // with the other API operations that produce temporary credentials, see Requesting // Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // The temporary security credentials returned by this operation consist of // an access key ID, a secret access key, and a security token. Applications // can use these temporary security credentials to sign calls to AWS services. // // By default, the temporary security credentials created by AssumeRoleWithSAML // last for one hour. However, you can use the optional DurationSeconds parameter // to specify the duration of your session. Your role session lasts for the // duration that you specify, or until the time specified in the SAML authentication // response's SessionNotOnOrAfter value, whichever is shorter. You can provide // a DurationSeconds value from 900 seconds (15 minutes) up to the maximum session // duration setting for the role. This setting can have a value from 1 hour // to 12 hours. To learn how to view the maximum value for your role, see View // the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. The maximum session duration limit applies when you // use the AssumeRole* API operations or the assume-role* CLI commands. However // the limit does not apply when you use those operations to create a console // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // in the IAM User Guide. // // The temporary security credentials created by AssumeRoleWithSAML can be used // to make API calls to any AWS service with the following exception: you cannot // call the STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies shouldn't exceed 2048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent // AWS API calls to access resources in the account that owns the role. You // cannot use session policies to grant more permissions than those allowed // by the identity-based policy of the role that is being assumed. For more // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // Before your application can call AssumeRoleWithSAML, you must configure your // SAML identity provider (IdP) to issue the claims required by AWS. Additionally, // you must use AWS Identity and Access Management (IAM) to create a SAML provider // entity in your AWS account that represents your identity provider. You must // also create an IAM role that specifies this SAML provider in its trust policy. // // Calling AssumeRoleWithSAML does not require the use of AWS security credentials. // The identity of the caller is validated by using keys in the metadata document // that is uploaded for the SAML provider entity for your identity provider. // // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail // logs. The entry includes the value in the NameID element of the SAML assertion. // We recommend that you use a NameIDType that is not associated with any personally // identifiable information (PII). For example, you could instead use the Persistent // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). // // For more information, see the following resources: // // * About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) // in the IAM User Guide. // // * Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) // in the IAM User Guide. // // * Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) // in the IAM User Guide. // // * Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) // in the IAM User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation AssumeRoleWithSAML for usage and error information. // // Returned Error Codes: // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" // The request was rejected because the policy document was malformed. The error // message describes the specific error. // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the policy document was too large. The error // message describes how big the policy document is, in packed form, as a percentage // of what the API allows. // // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" // The identity provider (IdP) reported that authentication failed. This might // be because the claim is invalid. // // If this error is returned for the AssumeRoleWithWebIdentity operation, it // can also mean that the claim has expired or has been explicitly revoked. // // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" // The web identity token that was passed could not be validated by AWS. Get // a new identity token from the identity provider and then retry the request. // // * ErrCodeExpiredTokenException "ExpiredTokenException" // The web identity token that was passed is expired or is not valid. Get a // new identity token from the identity provider and then retry the request. // // * ErrCodeRegionDisabledException "RegionDisabledException" // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) { req, out := c.AssumeRoleWithSAMLRequest(input) return out, req.Send() } // AssumeRoleWithSAMLWithContext is the same as AssumeRoleWithSAML with the addition of // the ability to pass a context and additional request options. // // See AssumeRoleWithSAML for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) AssumeRoleWithSAMLWithContext(ctx aws.Context, input *AssumeRoleWithSAMLInput, opts ...request.Option) (*AssumeRoleWithSAMLOutput, error) { req, out := c.AssumeRoleWithSAMLRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity" // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the // client's request for the AssumeRoleWithWebIdentity operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See AssumeRoleWithWebIdentity for more information on using the AssumeRoleWithWebIdentity // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the AssumeRoleWithWebIdentityRequest method. // req, resp := client.AssumeRoleWithWebIdentityRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) { op := &request.Operation{ Name: opAssumeRoleWithWebIdentity, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &AssumeRoleWithWebIdentityInput{} } output = &AssumeRoleWithWebIdentityOutput{} req = c.newRequest(op, input, output) req.Config.Credentials = credentials.AnonymousCredentials return } // AssumeRoleWithWebIdentity API operation for AWS Security Token Service. // // Returns a set of temporary security credentials for users who have been authenticated // in a mobile or web application with a web identity provider. Example providers // include Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID // Connect-compatible identity provider. // // For mobile applications, we recommend that you use Amazon Cognito. You can // use Amazon Cognito with the AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) // and the AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/) // to uniquely identify a user. You can also supply the user with a consistent // identity throughout the lifetime of an application. // // To learn more about Amazon Cognito, see Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840) // in AWS SDK for Android Developer Guide and Amazon Cognito Overview (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664) // in the AWS SDK for iOS Developer Guide. // // Calling AssumeRoleWithWebIdentity does not require the use of AWS security // credentials. Therefore, you can distribute an application (for example, on // mobile devices) that requests temporary security credentials without including // long-term AWS credentials in the application. You also don't need to deploy // server-based proxy services that use long-term AWS credentials. Instead, // the identity of the caller is validated by using a token from the web identity // provider. For a comparison of AssumeRoleWithWebIdentity with the other API // operations that produce temporary credentials, see Requesting Temporary Security // Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // The temporary security credentials returned by this API consist of an access // key ID, a secret access key, and a security token. Applications can use these // temporary security credentials to sign calls to AWS service API operations. // // By default, the temporary security credentials created by AssumeRoleWithWebIdentity // last for one hour. However, you can use the optional DurationSeconds parameter // to specify the duration of your session. You can provide a value from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. To learn how to view // the maximum value for your role, see View the Maximum Session Duration Setting // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. The maximum session duration limit applies when you // use the AssumeRole* API operations or the assume-role* CLI commands. However // the limit does not apply when you use those operations to create a console // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // in the IAM User Guide. // // The temporary security credentials created by AssumeRoleWithWebIdentity can // be used to make API calls to any AWS service with the following exception: // you cannot call the STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies shouldn't exceed 2048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent // AWS API calls to access resources in the account that owns the role. You // cannot use session policies to grant more permissions than those allowed // by the identity-based policy of the role that is being assumed. For more // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // Before your application can call AssumeRoleWithWebIdentity, you must have // an identity token from a supported identity provider and create a role that // the application can assume. The role that your application assumes must trust // the identity provider that is associated with the identity token. In other // words, the identity provider must be specified in the role's trust policy. // // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims) // of the provided Web Identity Token. We recommend that you avoid using any // personally identifiable information (PII) in this field. For example, you // could instead use a GUID or a pairwise identifier, as suggested in the OIDC // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). // // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity // API, see the following resources: // // * Using Web Identity Federation API Operations for Mobile Apps (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html) // and Federation Through a Web-based Identity Provider (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). // // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html). // Walk through the process of authenticating through Login with Amazon, // Facebook, or Google, getting temporary security credentials, and then // using those credentials to make a request to AWS. // // * AWS SDK for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and // AWS SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/). // These toolkits contain sample apps that show how to invoke the identity // providers, and then how to use the information from these providers to // get and use temporary security credentials. // // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications). // This article discusses web identity federation and shows an example of // how to use web identity federation to get access to content in Amazon // S3. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation AssumeRoleWithWebIdentity for usage and error information. // // Returned Error Codes: // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" // The request was rejected because the policy document was malformed. The error // message describes the specific error. // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the policy document was too large. The error // message describes how big the policy document is, in packed form, as a percentage // of what the API allows. // // * ErrCodeIDPRejectedClaimException "IDPRejectedClaim" // The identity provider (IdP) reported that authentication failed. This might // be because the claim is invalid. // // If this error is returned for the AssumeRoleWithWebIdentity operation, it // can also mean that the claim has expired or has been explicitly revoked. // // * ErrCodeIDPCommunicationErrorException "IDPCommunicationError" // The request could not be fulfilled because the non-AWS identity provider // (IDP) that was asked to verify the incoming identity token could not be reached. // This is often a transient error caused by network conditions. Retry the request // a limited number of times so that you don't exceed the request rate. If the // error persists, the non-AWS identity provider might be down or not responding. // // * ErrCodeInvalidIdentityTokenException "InvalidIdentityToken" // The web identity token that was passed could not be validated by AWS. Get // a new identity token from the identity provider and then retry the request. // // * ErrCodeExpiredTokenException "ExpiredTokenException" // The web identity token that was passed is expired or is not valid. Get a // new identity token from the identity provider and then retry the request. // // * ErrCodeRegionDisabledException "RegionDisabledException" // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) { req, out := c.AssumeRoleWithWebIdentityRequest(input) return out, req.Send() } // AssumeRoleWithWebIdentityWithContext is the same as AssumeRoleWithWebIdentity with the addition of // the ability to pass a context and additional request options. // // See AssumeRoleWithWebIdentity for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) AssumeRoleWithWebIdentityWithContext(ctx aws.Context, input *AssumeRoleWithWebIdentityInput, opts ...request.Option) (*AssumeRoleWithWebIdentityOutput, error) { req, out := c.AssumeRoleWithWebIdentityRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage" // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the // client's request for the DecodeAuthorizationMessage operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See DecodeAuthorizationMessage for more information on using the DecodeAuthorizationMessage // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the DecodeAuthorizationMessageRequest method. // req, resp := client.DecodeAuthorizationMessageRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) { op := &request.Operation{ Name: opDecodeAuthorizationMessage, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &DecodeAuthorizationMessageInput{} } output = &DecodeAuthorizationMessageOutput{} req = c.newRequest(op, input, output) return } // DecodeAuthorizationMessage API operation for AWS Security Token Service. // // Decodes additional information about the authorization status of a request // from an encoded message returned in response to an AWS request. // // For example, if a user is not authorized to perform an operation that he // or she has requested, the request returns a Client.UnauthorizedOperation // response (an HTTP 403 response). Some AWS operations additionally return // an encoded message that can provide details about this authorization failure. // // Only certain AWS operations return an encoded authorization message. The // documentation for an individual operation indicates whether that operation // returns an encoded message in addition to returning an HTTP code. // // The message is encoded because the details of the authorization status can // constitute privileged information that the user who requested the operation // should not see. To decode an authorization status message, a user must be // granted permissions via an IAM policy to request the DecodeAuthorizationMessage // (sts:DecodeAuthorizationMessage) action. // // The decoded message includes the following type of information: // // * Whether the request was denied due to an explicit deny or due to the // absence of an explicit allow. For more information, see Determining Whether // a Request is Allowed or Denied (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow) // in the IAM User Guide. // // * The principal who made the request. // // * The requested action. // // * The requested resource. // // * The values of condition keys in the context of the user's request. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation DecodeAuthorizationMessage for usage and error information. // // Returned Error Codes: // * ErrCodeInvalidAuthorizationMessageException "InvalidAuthorizationMessageException" // The error returned if the message passed to DecodeAuthorizationMessage was // invalid. This can happen if the token contains invalid characters, such as // linebreaks. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessage func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) { req, out := c.DecodeAuthorizationMessageRequest(input) return out, req.Send() } // DecodeAuthorizationMessageWithContext is the same as DecodeAuthorizationMessage with the addition of // the ability to pass a context and additional request options. // // See DecodeAuthorizationMessage for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) DecodeAuthorizationMessageWithContext(ctx aws.Context, input *DecodeAuthorizationMessageInput, opts ...request.Option) (*DecodeAuthorizationMessageOutput, error) { req, out := c.DecodeAuthorizationMessageRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opGetAccessKeyInfo = "GetAccessKeyInfo" // GetAccessKeyInfoRequest generates a "aws/request.Request" representing the // client's request for the GetAccessKeyInfo operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See GetAccessKeyInfo for more information on using the GetAccessKeyInfo // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the GetAccessKeyInfoRequest method. // req, resp := client.GetAccessKeyInfoRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo func (c *STS) GetAccessKeyInfoRequest(input *GetAccessKeyInfoInput) (req *request.Request, output *GetAccessKeyInfoOutput) { op := &request.Operation{ Name: opGetAccessKeyInfo, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &GetAccessKeyInfoInput{} } output = &GetAccessKeyInfoOutput{} req = c.newRequest(op, input, output) return } // GetAccessKeyInfo API operation for AWS Security Token Service. // // Returns the account identifier for the specified access key ID. // // Access keys consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) // and a secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). // For more information about access keys, see Managing Access Keys for IAM // Users (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) // in the IAM User Guide. // // When you pass an access key ID to this operation, it returns the ID of the // AWS account to which the keys belong. Access key IDs beginning with AKIA // are long-term credentials for an IAM user or the AWS account root user. Access // key IDs beginning with ASIA are temporary credentials that are created using // STS operations. If the account in the response belongs to you, you can sign // in as the root user and review your root user access keys. Then, you can // pull a credentials report (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report) // to learn which IAM user owns the keys. To learn who requested the temporary // credentials for an ASIA access key, view the STS events in your CloudTrail // logs (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration). // // This operation does not indicate the state of the access key. The key might // be active, inactive, or deleted. Active keys might not have permissions to // perform an operation. Providing a deleted keys might return an error that // the key doesn't exist. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation GetAccessKeyInfo for usage and error information. // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo func (c *STS) GetAccessKeyInfo(input *GetAccessKeyInfoInput) (*GetAccessKeyInfoOutput, error) { req, out := c.GetAccessKeyInfoRequest(input) return out, req.Send() } // GetAccessKeyInfoWithContext is the same as GetAccessKeyInfo with the addition of // the ability to pass a context and additional request options. // // See GetAccessKeyInfo for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) GetAccessKeyInfoWithContext(ctx aws.Context, input *GetAccessKeyInfoInput, opts ...request.Option) (*GetAccessKeyInfoOutput, error) { req, out := c.GetAccessKeyInfoRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opGetCallerIdentity = "GetCallerIdentity" // GetCallerIdentityRequest generates a "aws/request.Request" representing the // client's request for the GetCallerIdentity operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See GetCallerIdentity for more information on using the GetCallerIdentity // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the GetCallerIdentityRequest method. // req, resp := client.GetCallerIdentityRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) { op := &request.Operation{ Name: opGetCallerIdentity, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &GetCallerIdentityInput{} } output = &GetCallerIdentityOutput{} req = c.newRequest(op, input, output) return } // GetCallerIdentity API operation for AWS Security Token Service. // // Returns details about the IAM identity whose credentials are used to call // the API. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation GetCallerIdentity for usage and error information. // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentity func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) { req, out := c.GetCallerIdentityRequest(input) return out, req.Send() } // GetCallerIdentityWithContext is the same as GetCallerIdentity with the addition of // the ability to pass a context and additional request options. // // See GetCallerIdentity for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) GetCallerIdentityWithContext(ctx aws.Context, input *GetCallerIdentityInput, opts ...request.Option) (*GetCallerIdentityOutput, error) { req, out := c.GetCallerIdentityRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opGetFederationToken = "GetFederationToken" // GetFederationTokenRequest generates a "aws/request.Request" representing the // client's request for the GetFederationToken operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See GetFederationToken for more information on using the GetFederationToken // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the GetFederationTokenRequest method. // req, resp := client.GetFederationTokenRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) { op := &request.Operation{ Name: opGetFederationToken, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &GetFederationTokenInput{} } output = &GetFederationTokenOutput{} req = c.newRequest(op, input, output) return } // GetFederationToken API operation for AWS Security Token Service. // // Returns a set of temporary security credentials (consisting of an access // key ID, a secret access key, and a security token) for a federated user. // A typical use is in a proxy application that gets temporary security credentials // on behalf of distributed applications inside a corporate network. You must // call the GetFederationToken operation using the long-term security credentials // of an IAM user. As a result, this call is appropriate in contexts where those // credentials can be safely stored, usually in a server-based application. // For a comparison of GetFederationToken with the other API operations that // produce temporary credentials, see Requesting Temporary Security Credentials // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // You can create a mobile-based or browser-based app that can authenticate // users using a web identity provider like Login with Amazon, Facebook, Google, // or an OpenID Connect-compatible identity provider. In this case, we recommend // that you use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity. // For more information, see Federation Through a Web-based Identity Provider // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity). // // You can also call GetFederationToken using the security credentials of an // AWS account root user, but we do not recommend it. Instead, we recommend // that you create an IAM user for the purpose of the proxy application. Then // attach a policy to the IAM user that limits federated users to only the actions // and resources that they need to access. For more information, see IAM Best // Practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) // in the IAM User Guide. // // The temporary credentials are valid for the specified duration, from 900 // seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The default // is 43,200 seconds (12 hours). Temporary credentials that are obtained by // using AWS account root user credentials have a maximum duration of 3,600 // seconds (1 hour). // // The temporary security credentials created by GetFederationToken can be used // to make API calls to any AWS service with the following exceptions: // // * You cannot use these credentials to call any IAM API operations. // // * You cannot call any STS API operations except GetCallerIdentity. // // Permissions // // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies shouldn't exceed 2048 characters. // // Though the session policy parameters are optional, if you do not pass a policy, // then the resulting federated user session has no permissions. The only exception // is when the credentials are used to access a resource that has a resource-based // policy that specifically references the federated user session in the Principal // element of the policy. When you pass session policies, the session permissions // are the intersection of the IAM user policies and the session policies that // you pass. This gives you a way to further restrict the permissions for a // federated user. You cannot use session policies to grant more permissions // than those that are defined in the permissions policy of the IAM user. For // more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. For information about using GetFederationToken to // create temporary security credentials, see GetFederationToken—Federation // Through a Custom Identity Broker (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation GetFederationToken for usage and error information. // // Returned Error Codes: // * ErrCodeMalformedPolicyDocumentException "MalformedPolicyDocument" // The request was rejected because the policy document was malformed. The error // message describes the specific error. // // * ErrCodePackedPolicyTooLargeException "PackedPolicyTooLarge" // The request was rejected because the policy document was too large. The error // message describes how big the policy document is, in packed form, as a percentage // of what the API allows. // // * ErrCodeRegionDisabledException "RegionDisabledException" // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetFederationToken func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) { req, out := c.GetFederationTokenRequest(input) return out, req.Send() } // GetFederationTokenWithContext is the same as GetFederationToken with the addition of // the ability to pass a context and additional request options. // // See GetFederationToken for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) GetFederationTokenWithContext(ctx aws.Context, input *GetFederationTokenInput, opts ...request.Option) (*GetFederationTokenOutput, error) { req, out := c.GetFederationTokenRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } const opGetSessionToken = "GetSessionToken" // GetSessionTokenRequest generates a "aws/request.Request" representing the // client's request for the GetSessionToken operation. The "output" return // value will be populated with the request's response once the request completes // successfully. // // Use "Send" method on the returned Request to send the API call to the service. // the "output" return value is not valid until after Send returns without error. // // See GetSessionToken for more information on using the GetSessionToken // API call, and error handling. // // This method is useful when you want to inject custom logic or configuration // into the SDK's request lifecycle. Such as custom headers, or retry logic. // // // // Example sending a request using the GetSessionTokenRequest method. // req, resp := client.GetSessionTokenRequest(params) // // err := req.Send() // if err == nil { // resp is now filled // fmt.Println(resp) // } // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) { op := &request.Operation{ Name: opGetSessionToken, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &GetSessionTokenInput{} } output = &GetSessionTokenOutput{} req = c.newRequest(op, input, output) return } // GetSessionToken API operation for AWS Security Token Service. // // Returns a set of temporary credentials for an AWS account or IAM user. The // credentials consist of an access key ID, a secret access key, and a security // token. Typically, you use GetSessionToken if you want to use MFA to protect // programmatic calls to specific AWS API operations like Amazon EC2 StopInstances. // MFA-enabled IAM users would need to call GetSessionToken and submit an MFA // code that is associated with their MFA device. Using the temporary security // credentials that are returned from the call, IAM users can then make programmatic // calls to API operations that require MFA authentication. If you do not supply // a correct MFA code, then the API returns an access denied error. For a comparison // of GetSessionToken with the other API operations that produce temporary credentials, // see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // The GetSessionToken operation must be called by using the long-term AWS security // credentials of the AWS account root user or an IAM user. Credentials that // are created by IAM users are valid for the duration that you specify. This // duration can range from 900 seconds (15 minutes) up to a maximum of 129,600 // seconds (36 hours), with a default of 43,200 seconds (12 hours). Credentials // based on account credentials can range from 900 seconds (15 minutes) up to // 3,600 seconds (1 hour), with a default of 1 hour. // // The temporary security credentials created by GetSessionToken can be used // to make API calls to any AWS service with the following exceptions: // // * You cannot call any IAM API operations unless MFA authentication information // is included in the request. // // * You cannot call any STS API except AssumeRole or GetCallerIdentity. // // We recommend that you do not call GetSessionToken with AWS account root user // credentials. Instead, follow our best practices (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users) // by creating one or more IAM users, giving them the necessary permissions, // and using IAM users for everyday interaction with AWS. // // The credentials that are returned by GetSessionToken are based on permissions // associated with the user whose credentials were used to call the operation. // If GetSessionToken is called using AWS account root user credentials, the // temporary credentials have root user permissions. Similarly, if GetSessionToken // is called using the credentials of an IAM user, the temporary credentials // have the same permissions as the IAM user. // // For more information about using GetSessionToken to create temporary credentials, // go to Temporary Credentials for Users in Untrusted Environments (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken) // in the IAM User Guide. // // Returns awserr.Error for service API and SDK errors. Use runtime type assertions // with awserr.Error's Code and Message methods to get detailed information about // the error. // // See the AWS API reference guide for AWS Security Token Service's // API operation GetSessionToken for usage and error information. // // Returned Error Codes: // * ErrCodeRegionDisabledException "RegionDisabledException" // STS is not activated in the requested region for the account that is being // asked to generate credentials. The account administrator must use the IAM // console to activate STS in that region. For more information, see Activating // and Deactivating AWS STS in an AWS Region (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html) // in the IAM User Guide. // // See also, https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetSessionToken func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) { req, out := c.GetSessionTokenRequest(input) return out, req.Send() } // GetSessionTokenWithContext is the same as GetSessionToken with the addition of // the ability to pass a context and additional request options. // // See GetSessionToken for details on how to use this API operation. // // The context must be non-nil and will be used for request cancellation. If // the context is nil a panic will occur. In the future the SDK may create // sub-contexts for http.Requests. See https://golang.org/pkg/context/ // for more information on using Contexts. func (c *STS) GetSessionTokenWithContext(ctx aws.Context, input *GetSessionTokenInput, opts ...request.Option) (*GetSessionTokenOutput, error) { req, out := c.GetSessionTokenRequest(input) req.SetContext(ctx) req.ApplyOptions(opts...) return out, req.Send() } type AssumeRoleInput struct { _ struct{} `type:"structure"` // The duration, in seconds, of the role session. The value can range from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. If you specify a value // higher than this setting, the operation fails. For example, if you specify // a session duration of 12 hours, but your administrator set the maximum session // duration to 6 hours, your operation fails. To learn how to view the maximum // value for your role, see View the Maximum Session Duration Setting for a // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. // // By default, the value is set to 3600 seconds. // // The DurationSeconds parameter is separate from the duration of a console // session that you might request using the returned credentials. The request // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` // A unique identifier that might be required when you assume a role in another // account. If the administrator of the account to which the role belongs provided // you with an external ID, then provide that value in the ExternalId parameter. // This value can be any string, such as a passphrase or account number. A cross-account // role is usually set up to trust everyone in an account. Therefore, the administrator // of the trusting account might send an external ID to the administrator of // the trusted account. That way, only someone with the ID can assume the role, // rather than everyone in the account. For more information about the external // ID, see How to Use an External ID When Granting Access to Your AWS Resources // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) // in the IAM User Guide. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@:/- ExternalId *string `min:"2" type:"string"` // An IAM policy in JSON format that you want to use as an inline session policy. // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use // the role's temporary credentials in subsequent AWS API calls to access resources // in the account that owns the role. You cannot use session policies to grant // more permissions than those allowed by the identity-based policy of the role // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plain text that you use for both inline and managed session policies // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII // character from the space character to the end of the valid character list // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), // and carriage return (\u000D) characters. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want // to use as managed session policies. The policies must exist in the same account // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plain text that you use for both inline and managed session // policies shouldn't exceed 2048 characters. For more information about ARNs, // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials // in subsequent AWS API calls to access resources in the account that owns // the role. You cannot use session policies to grant more permissions than // those allowed by the identity-based policy of the role that is being assumed. // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` // The Amazon Resource Name (ARN) of the role to assume. // // RoleArn is a required field RoleArn *string `min:"20" type:"string" required:"true"` // An identifier for the assumed role session. // // Use the role session name to uniquely identify a session when the same role // is assumed by different principals or for different reasons. In cross-account // scenarios, the role session name is visible to, and can be logged by the // account that owns the role. The role session name is also used in the ARN // of the assumed role principal. This means that subsequent cross-account API // requests that use the temporary security credentials will expose the role // session name to the external account in their AWS CloudTrail logs. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- // // RoleSessionName is a required field RoleSessionName *string `min:"2" type:"string" required:"true"` // The identification number of the MFA device that is associated with the user // who is making the AssumeRole call. Specify this value if the trust policy // of the role being assumed includes a condition that requires MFA authentication. // The value is either the serial number for a hardware device (such as GAHT12345678) // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- SerialNumber *string `min:"9" type:"string"` // The value provided by the MFA device, if the trust policy of the role being // assumed requires MFA (that is, if the policy includes a condition that tests // for MFA). If the role being assumed requires MFA and if the TokenCode value // is missing or expired, the AssumeRole call returns an "access denied" error. // // The format for this parameter, as described by its regex pattern, is a sequence // of six numeric digits. TokenCode *string `min:"6" type:"string"` } // String returns the string representation func (s AssumeRoleInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *AssumeRoleInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) } if s.ExternalId != nil && len(*s.ExternalId) < 2 { invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2)) } if s.Policy != nil && len(*s.Policy) < 1 { invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) } if s.RoleArn == nil { invalidParams.Add(request.NewErrParamRequired("RoleArn")) } if s.RoleArn != nil && len(*s.RoleArn) < 20 { invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) } if s.RoleSessionName == nil { invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) } if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) } if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) } if s.TokenCode != nil && len(*s.TokenCode) < 6 { invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) } if s.PolicyArns != nil { for i, v := range s.PolicyArns { if v == nil { continue } if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) } } } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetDurationSeconds sets the DurationSeconds field's value. func (s *AssumeRoleInput) SetDurationSeconds(v int64) *AssumeRoleInput { s.DurationSeconds = &v return s } // SetExternalId sets the ExternalId field's value. func (s *AssumeRoleInput) SetExternalId(v string) *AssumeRoleInput { s.ExternalId = &v return s } // SetPolicy sets the Policy field's value. func (s *AssumeRoleInput) SetPolicy(v string) *AssumeRoleInput { s.Policy = &v return s } // SetPolicyArns sets the PolicyArns field's value. func (s *AssumeRoleInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleInput { s.PolicyArns = v return s } // SetRoleArn sets the RoleArn field's value. func (s *AssumeRoleInput) SetRoleArn(v string) *AssumeRoleInput { s.RoleArn = &v return s } // SetRoleSessionName sets the RoleSessionName field's value. func (s *AssumeRoleInput) SetRoleSessionName(v string) *AssumeRoleInput { s.RoleSessionName = &v return s } // SetSerialNumber sets the SerialNumber field's value. func (s *AssumeRoleInput) SetSerialNumber(v string) *AssumeRoleInput { s.SerialNumber = &v return s } // SetTokenCode sets the TokenCode field's value. func (s *AssumeRoleInput) SetTokenCode(v string) *AssumeRoleInput { s.TokenCode = &v return s } // Contains the response to a successful AssumeRole request, including temporary // AWS credentials that can be used to make AWS requests. type AssumeRoleOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers // that you can use to refer to the resulting temporary security credentials. // For example, you can reference these credentials as a principal in a resource-based // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName // that you specified when you called AssumeRole. AssumedRoleUser *AssumedRoleUser `type:"structure"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security (or session) token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` // A percentage value that indicates the size of the policy in packed form. // The service rejects any policy with a packed size greater than 100 percent, // which means the policy exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` } // String returns the string representation func (s AssumeRoleOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleOutput) GoString() string { return s.String() } // SetAssumedRoleUser sets the AssumedRoleUser field's value. func (s *AssumeRoleOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleOutput { s.AssumedRoleUser = v return s } // SetCredentials sets the Credentials field's value. func (s *AssumeRoleOutput) SetCredentials(v *Credentials) *AssumeRoleOutput { s.Credentials = v return s } // SetPackedPolicySize sets the PackedPolicySize field's value. func (s *AssumeRoleOutput) SetPackedPolicySize(v int64) *AssumeRoleOutput { s.PackedPolicySize = &v return s } type AssumeRoleWithSAMLInput struct { _ struct{} `type:"structure"` // The duration, in seconds, of the role session. Your role session lasts for // the duration that you specify for the DurationSeconds parameter, or until // the time specified in the SAML authentication response's SessionNotOnOrAfter // value, whichever is shorter. You can provide a DurationSeconds value from // 900 seconds (15 minutes) up to the maximum session duration setting for the // role. This setting can have a value from 1 hour to 12 hours. If you specify // a value higher than this setting, the operation fails. For example, if you // specify a session duration of 12 hours, but your administrator set the maximum // session duration to 6 hours, your operation fails. To learn how to view the // maximum value for your role, see View the Maximum Session Duration Setting // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. // // By default, the value is set to 3600 seconds. // // The DurationSeconds parameter is separate from the duration of a console // session that you might request using the returned credentials. The request // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` // An IAM policy in JSON format that you want to use as an inline session policy. // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use // the role's temporary credentials in subsequent AWS API calls to access resources // in the account that owns the role. You cannot use session policies to grant // more permissions than those allowed by the identity-based policy of the role // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plain text that you use for both inline and managed session policies // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII // character from the space character to the end of the valid character list // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), // and carriage return (\u000D) characters. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want // to use as managed session policies. The policies must exist in the same account // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plain text that you use for both inline and managed session // policies shouldn't exceed 2048 characters. For more information about ARNs, // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials // in subsequent AWS API calls to access resources in the account that owns // the role. You cannot use session policies to grant more permissions than // those allowed by the identity-based policy of the role that is being assumed. // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes // the IdP. // // PrincipalArn is a required field PrincipalArn *string `min:"20" type:"string" required:"true"` // The Amazon Resource Name (ARN) of the role that the caller is assuming. // // RoleArn is a required field RoleArn *string `min:"20" type:"string" required:"true"` // The base-64 encoded SAML authentication response provided by the IdP. // // For more information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) // in the IAM User Guide. // // SAMLAssertion is a required field SAMLAssertion *string `min:"4" type:"string" required:"true"` } // String returns the string representation func (s AssumeRoleWithSAMLInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleWithSAMLInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *AssumeRoleWithSAMLInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) } if s.Policy != nil && len(*s.Policy) < 1 { invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) } if s.PrincipalArn == nil { invalidParams.Add(request.NewErrParamRequired("PrincipalArn")) } if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 { invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20)) } if s.RoleArn == nil { invalidParams.Add(request.NewErrParamRequired("RoleArn")) } if s.RoleArn != nil && len(*s.RoleArn) < 20 { invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) } if s.SAMLAssertion == nil { invalidParams.Add(request.NewErrParamRequired("SAMLAssertion")) } if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 { invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4)) } if s.PolicyArns != nil { for i, v := range s.PolicyArns { if v == nil { continue } if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) } } } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetDurationSeconds sets the DurationSeconds field's value. func (s *AssumeRoleWithSAMLInput) SetDurationSeconds(v int64) *AssumeRoleWithSAMLInput { s.DurationSeconds = &v return s } // SetPolicy sets the Policy field's value. func (s *AssumeRoleWithSAMLInput) SetPolicy(v string) *AssumeRoleWithSAMLInput { s.Policy = &v return s } // SetPolicyArns sets the PolicyArns field's value. func (s *AssumeRoleWithSAMLInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithSAMLInput { s.PolicyArns = v return s } // SetPrincipalArn sets the PrincipalArn field's value. func (s *AssumeRoleWithSAMLInput) SetPrincipalArn(v string) *AssumeRoleWithSAMLInput { s.PrincipalArn = &v return s } // SetRoleArn sets the RoleArn field's value. func (s *AssumeRoleWithSAMLInput) SetRoleArn(v string) *AssumeRoleWithSAMLInput { s.RoleArn = &v return s } // SetSAMLAssertion sets the SAMLAssertion field's value. func (s *AssumeRoleWithSAMLInput) SetSAMLAssertion(v string) *AssumeRoleWithSAMLInput { s.SAMLAssertion = &v return s } // Contains the response to a successful AssumeRoleWithSAML request, including // temporary AWS credentials that can be used to make AWS requests. type AssumeRoleWithSAMLOutput struct { _ struct{} `type:"structure"` // The identifiers for the temporary security credentials that the operation // returns. AssumedRoleUser *AssumedRoleUser `type:"structure"` // The value of the Recipient attribute of the SubjectConfirmationData element // of the SAML assertion. Audience *string `type:"string"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security (or session) token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` // The value of the Issuer element of the SAML assertion. Issuer *string `type:"string"` // A hash value based on the concatenation of the Issuer response value, the // AWS account ID, and the friendly name (the last part of the ARN) of the SAML // provider in IAM. The combination of NameQualifier and Subject can be used // to uniquely identify a federated user. // // The following pseudocode shows how the hash value is calculated: // // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" // ) ) NameQualifier *string `type:"string"` // A percentage value that indicates the size of the policy in packed form. // The service rejects any policy with a packed size greater than 100 percent, // which means the policy exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` // The value of the NameID element in the Subject element of the SAML assertion. Subject *string `type:"string"` // The format of the name ID, as defined by the Format attribute in the NameID // element of the SAML assertion. Typical examples of the format are transient // or persistent. // // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format, // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient // is returned as transient. If the format includes any other prefix, the format // is returned with no modifications. SubjectType *string `type:"string"` } // String returns the string representation func (s AssumeRoleWithSAMLOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleWithSAMLOutput) GoString() string { return s.String() } // SetAssumedRoleUser sets the AssumedRoleUser field's value. func (s *AssumeRoleWithSAMLOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithSAMLOutput { s.AssumedRoleUser = v return s } // SetAudience sets the Audience field's value. func (s *AssumeRoleWithSAMLOutput) SetAudience(v string) *AssumeRoleWithSAMLOutput { s.Audience = &v return s } // SetCredentials sets the Credentials field's value. func (s *AssumeRoleWithSAMLOutput) SetCredentials(v *Credentials) *AssumeRoleWithSAMLOutput { s.Credentials = v return s } // SetIssuer sets the Issuer field's value. func (s *AssumeRoleWithSAMLOutput) SetIssuer(v string) *AssumeRoleWithSAMLOutput { s.Issuer = &v return s } // SetNameQualifier sets the NameQualifier field's value. func (s *AssumeRoleWithSAMLOutput) SetNameQualifier(v string) *AssumeRoleWithSAMLOutput { s.NameQualifier = &v return s } // SetPackedPolicySize sets the PackedPolicySize field's value. func (s *AssumeRoleWithSAMLOutput) SetPackedPolicySize(v int64) *AssumeRoleWithSAMLOutput { s.PackedPolicySize = &v return s } // SetSubject sets the Subject field's value. func (s *AssumeRoleWithSAMLOutput) SetSubject(v string) *AssumeRoleWithSAMLOutput { s.Subject = &v return s } // SetSubjectType sets the SubjectType field's value. func (s *AssumeRoleWithSAMLOutput) SetSubjectType(v string) *AssumeRoleWithSAMLOutput { s.SubjectType = &v return s } type AssumeRoleWithWebIdentityInput struct { _ struct{} `type:"structure"` // The duration, in seconds, of the role session. The value can range from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. If you specify a value // higher than this setting, the operation fails. For example, if you specify // a session duration of 12 hours, but your administrator set the maximum session // duration to 6 hours, your operation fails. To learn how to view the maximum // value for your role, see View the Maximum Session Duration Setting for a // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. // // By default, the value is set to 3600 seconds. // // The DurationSeconds parameter is separate from the duration of a console // session that you might request using the returned credentials. The request // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` // An IAM policy in JSON format that you want to use as an inline session policy. // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use // the role's temporary credentials in subsequent AWS API calls to access resources // in the account that owns the role. You cannot use session policies to grant // more permissions than those allowed by the identity-based policy of the role // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plain text that you use for both inline and managed session policies // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII // character from the space character to the end of the valid character list // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), // and carriage return (\u000D) characters. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want // to use as managed session policies. The policies must exist in the same account // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plain text that you use for both inline and managed session // policies shouldn't exceed 2048 characters. For more information about ARNs, // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials // in subsequent AWS API calls to access resources in the account that owns // the role. You cannot use session policies to grant more permissions than // those allowed by the identity-based policy of the role that is being assumed. // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []*PolicyDescriptorType `type:"list"` // The fully qualified host component of the domain name of the identity provider. // // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com // and graph.facebook.com are the only supported identity providers for OAuth // 2.0 access tokens. Do not include URL schemes and port numbers. // // Do not specify this value for OpenID Connect ID tokens. ProviderId *string `min:"4" type:"string"` // The Amazon Resource Name (ARN) of the role that the caller is assuming. // // RoleArn is a required field RoleArn *string `min:"20" type:"string" required:"true"` // An identifier for the assumed role session. Typically, you pass the name // or identifier that is associated with the user who is using your application. // That way, the temporary security credentials that your application will use // are associated with that user. This session name is included as part of the // ARN and assumed role ID in the AssumedRoleUser response element. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- // // RoleSessionName is a required field RoleSessionName *string `min:"2" type:"string" required:"true"` // The OAuth 2.0 access token or OpenID Connect ID token that is provided by // the identity provider. Your application must get this token by authenticating // the user who is using your application with a web identity provider before // the application makes an AssumeRoleWithWebIdentity call. // // WebIdentityToken is a required field WebIdentityToken *string `min:"4" type:"string" required:"true"` } // String returns the string representation func (s AssumeRoleWithWebIdentityInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleWithWebIdentityInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *AssumeRoleWithWebIdentityInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) } if s.Policy != nil && len(*s.Policy) < 1 { invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) } if s.ProviderId != nil && len(*s.ProviderId) < 4 { invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4)) } if s.RoleArn == nil { invalidParams.Add(request.NewErrParamRequired("RoleArn")) } if s.RoleArn != nil && len(*s.RoleArn) < 20 { invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20)) } if s.RoleSessionName == nil { invalidParams.Add(request.NewErrParamRequired("RoleSessionName")) } if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2)) } if s.WebIdentityToken == nil { invalidParams.Add(request.NewErrParamRequired("WebIdentityToken")) } if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 { invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4)) } if s.PolicyArns != nil { for i, v := range s.PolicyArns { if v == nil { continue } if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) } } } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetDurationSeconds sets the DurationSeconds field's value. func (s *AssumeRoleWithWebIdentityInput) SetDurationSeconds(v int64) *AssumeRoleWithWebIdentityInput { s.DurationSeconds = &v return s } // SetPolicy sets the Policy field's value. func (s *AssumeRoleWithWebIdentityInput) SetPolicy(v string) *AssumeRoleWithWebIdentityInput { s.Policy = &v return s } // SetPolicyArns sets the PolicyArns field's value. func (s *AssumeRoleWithWebIdentityInput) SetPolicyArns(v []*PolicyDescriptorType) *AssumeRoleWithWebIdentityInput { s.PolicyArns = v return s } // SetProviderId sets the ProviderId field's value. func (s *AssumeRoleWithWebIdentityInput) SetProviderId(v string) *AssumeRoleWithWebIdentityInput { s.ProviderId = &v return s } // SetRoleArn sets the RoleArn field's value. func (s *AssumeRoleWithWebIdentityInput) SetRoleArn(v string) *AssumeRoleWithWebIdentityInput { s.RoleArn = &v return s } // SetRoleSessionName sets the RoleSessionName field's value. func (s *AssumeRoleWithWebIdentityInput) SetRoleSessionName(v string) *AssumeRoleWithWebIdentityInput { s.RoleSessionName = &v return s } // SetWebIdentityToken sets the WebIdentityToken field's value. func (s *AssumeRoleWithWebIdentityInput) SetWebIdentityToken(v string) *AssumeRoleWithWebIdentityInput { s.WebIdentityToken = &v return s } // Contains the response to a successful AssumeRoleWithWebIdentity request, // including temporary AWS credentials that can be used to make AWS requests. type AssumeRoleWithWebIdentityOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers // that you can use to refer to the resulting temporary security credentials. // For example, you can reference these credentials as a principal in a resource-based // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName // that you specified when you called AssumeRole. AssumedRoleUser *AssumedRoleUser `type:"structure"` // The intended audience (also known as client ID) of the web identity token. // This is traditionally the client identifier issued to the application that // requested the web identity token. Audience *string `type:"string"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` // A percentage value that indicates the size of the policy in packed form. // The service rejects any policy with a packed size greater than 100 percent, // which means the policy exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` // The issuing authority of the web identity token presented. For OpenID Connect // ID tokens, this contains the value of the iss field. For OAuth 2.0 access // tokens, this contains the value of the ProviderId parameter that was passed // in the AssumeRoleWithWebIdentity request. Provider *string `type:"string"` // The unique user identifier that is returned by the identity provider. This // identifier is associated with the WebIdentityToken that was submitted with // the AssumeRoleWithWebIdentity call. The identifier is typically unique to // the user and the application that acquired the WebIdentityToken (pairwise // identifier). For OpenID Connect ID tokens, this field contains the value // returned by the identity provider as the token's sub (Subject) claim. SubjectFromWebIdentityToken *string `min:"6" type:"string"` } // String returns the string representation func (s AssumeRoleWithWebIdentityOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumeRoleWithWebIdentityOutput) GoString() string { return s.String() } // SetAssumedRoleUser sets the AssumedRoleUser field's value. func (s *AssumeRoleWithWebIdentityOutput) SetAssumedRoleUser(v *AssumedRoleUser) *AssumeRoleWithWebIdentityOutput { s.AssumedRoleUser = v return s } // SetAudience sets the Audience field's value. func (s *AssumeRoleWithWebIdentityOutput) SetAudience(v string) *AssumeRoleWithWebIdentityOutput { s.Audience = &v return s } // SetCredentials sets the Credentials field's value. func (s *AssumeRoleWithWebIdentityOutput) SetCredentials(v *Credentials) *AssumeRoleWithWebIdentityOutput { s.Credentials = v return s } // SetPackedPolicySize sets the PackedPolicySize field's value. func (s *AssumeRoleWithWebIdentityOutput) SetPackedPolicySize(v int64) *AssumeRoleWithWebIdentityOutput { s.PackedPolicySize = &v return s } // SetProvider sets the Provider field's value. func (s *AssumeRoleWithWebIdentityOutput) SetProvider(v string) *AssumeRoleWithWebIdentityOutput { s.Provider = &v return s } // SetSubjectFromWebIdentityToken sets the SubjectFromWebIdentityToken field's value. func (s *AssumeRoleWithWebIdentityOutput) SetSubjectFromWebIdentityToken(v string) *AssumeRoleWithWebIdentityOutput { s.SubjectFromWebIdentityToken = &v return s } // The identifiers for the temporary security credentials that the operation // returns. type AssumedRoleUser struct { _ struct{} `type:"structure"` // The ARN of the temporary security credentials that are returned from the // AssumeRole action. For more information about ARNs and how to use them in // policies, see IAM Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) // in Using IAM. // // Arn is a required field Arn *string `min:"20" type:"string" required:"true"` // A unique identifier that contains the role ID and the role session name of // the role that is being assumed. The role ID is generated by AWS when the // role is created. // // AssumedRoleId is a required field AssumedRoleId *string `min:"2" type:"string" required:"true"` } // String returns the string representation func (s AssumedRoleUser) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s AssumedRoleUser) GoString() string { return s.String() } // SetArn sets the Arn field's value. func (s *AssumedRoleUser) SetArn(v string) *AssumedRoleUser { s.Arn = &v return s } // SetAssumedRoleId sets the AssumedRoleId field's value. func (s *AssumedRoleUser) SetAssumedRoleId(v string) *AssumedRoleUser { s.AssumedRoleId = &v return s } // AWS credentials for API authentication. type Credentials struct { _ struct{} `type:"structure"` // The access key ID that identifies the temporary security credentials. // // AccessKeyId is a required field AccessKeyId *string `min:"16" type:"string" required:"true"` // The date on which the current credentials expire. // // Expiration is a required field Expiration *time.Time `type:"timestamp" required:"true"` // The secret access key that can be used to sign requests. // // SecretAccessKey is a required field SecretAccessKey *string `type:"string" required:"true"` // The token that users must pass to the service API to use the temporary credentials. // // SessionToken is a required field SessionToken *string `type:"string" required:"true"` } // String returns the string representation func (s Credentials) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s Credentials) GoString() string { return s.String() } // SetAccessKeyId sets the AccessKeyId field's value. func (s *Credentials) SetAccessKeyId(v string) *Credentials { s.AccessKeyId = &v return s } // SetExpiration sets the Expiration field's value. func (s *Credentials) SetExpiration(v time.Time) *Credentials { s.Expiration = &v return s } // SetSecretAccessKey sets the SecretAccessKey field's value. func (s *Credentials) SetSecretAccessKey(v string) *Credentials { s.SecretAccessKey = &v return s } // SetSessionToken sets the SessionToken field's value. func (s *Credentials) SetSessionToken(v string) *Credentials { s.SessionToken = &v return s } type DecodeAuthorizationMessageInput struct { _ struct{} `type:"structure"` // The encoded message that was returned with the response. // // EncodedMessage is a required field EncodedMessage *string `min:"1" type:"string" required:"true"` } // String returns the string representation func (s DecodeAuthorizationMessageInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s DecodeAuthorizationMessageInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *DecodeAuthorizationMessageInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"} if s.EncodedMessage == nil { invalidParams.Add(request.NewErrParamRequired("EncodedMessage")) } if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 { invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1)) } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetEncodedMessage sets the EncodedMessage field's value. func (s *DecodeAuthorizationMessageInput) SetEncodedMessage(v string) *DecodeAuthorizationMessageInput { s.EncodedMessage = &v return s } // A document that contains additional information about the authorization status // of a request from an encoded message that is returned in response to an AWS // request. type DecodeAuthorizationMessageOutput struct { _ struct{} `type:"structure"` // An XML document that contains the decoded message. DecodedMessage *string `type:"string"` } // String returns the string representation func (s DecodeAuthorizationMessageOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s DecodeAuthorizationMessageOutput) GoString() string { return s.String() } // SetDecodedMessage sets the DecodedMessage field's value. func (s *DecodeAuthorizationMessageOutput) SetDecodedMessage(v string) *DecodeAuthorizationMessageOutput { s.DecodedMessage = &v return s } // Identifiers for the federated user that is associated with the credentials. type FederatedUser struct { _ struct{} `type:"structure"` // The ARN that specifies the federated user that is associated with the credentials. // For more information about ARNs and how to use them in policies, see IAM // Identifiers (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html) // in Using IAM. // // Arn is a required field Arn *string `min:"20" type:"string" required:"true"` // The string that identifies the federated user associated with the credentials, // similar to the unique ID of an IAM user. // // FederatedUserId is a required field FederatedUserId *string `min:"2" type:"string" required:"true"` } // String returns the string representation func (s FederatedUser) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s FederatedUser) GoString() string { return s.String() } // SetArn sets the Arn field's value. func (s *FederatedUser) SetArn(v string) *FederatedUser { s.Arn = &v return s } // SetFederatedUserId sets the FederatedUserId field's value. func (s *FederatedUser) SetFederatedUserId(v string) *FederatedUser { s.FederatedUserId = &v return s } type GetAccessKeyInfoInput struct { _ struct{} `type:"structure"` // The identifier of an access key. // // This parameter allows (through its regex pattern) a string of characters // that can consist of any upper- or lowercased letter or digit. // // AccessKeyId is a required field AccessKeyId *string `min:"16" type:"string" required:"true"` } // String returns the string representation func (s GetAccessKeyInfoInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetAccessKeyInfoInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *GetAccessKeyInfoInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "GetAccessKeyInfoInput"} if s.AccessKeyId == nil { invalidParams.Add(request.NewErrParamRequired("AccessKeyId")) } if s.AccessKeyId != nil && len(*s.AccessKeyId) < 16 { invalidParams.Add(request.NewErrParamMinLen("AccessKeyId", 16)) } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetAccessKeyId sets the AccessKeyId field's value. func (s *GetAccessKeyInfoInput) SetAccessKeyId(v string) *GetAccessKeyInfoInput { s.AccessKeyId = &v return s } type GetAccessKeyInfoOutput struct { _ struct{} `type:"structure"` // The number used to identify the AWS account. Account *string `type:"string"` } // String returns the string representation func (s GetAccessKeyInfoOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetAccessKeyInfoOutput) GoString() string { return s.String() } // SetAccount sets the Account field's value. func (s *GetAccessKeyInfoOutput) SetAccount(v string) *GetAccessKeyInfoOutput { s.Account = &v return s } type GetCallerIdentityInput struct { _ struct{} `type:"structure"` } // String returns the string representation func (s GetCallerIdentityInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetCallerIdentityInput) GoString() string { return s.String() } // Contains the response to a successful GetCallerIdentity request, including // information about the entity making the request. type GetCallerIdentityOutput struct { _ struct{} `type:"structure"` // The AWS account ID number of the account that owns or contains the calling // entity. Account *string `type:"string"` // The AWS ARN associated with the calling entity. Arn *string `min:"20" type:"string"` // The unique identifier of the calling entity. The exact value depends on the // type of entity that is making the call. The values returned are those listed // in the aws:userid column in the Principal table (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable) // found on the Policy Variables reference page in the IAM User Guide. UserId *string `type:"string"` } // String returns the string representation func (s GetCallerIdentityOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetCallerIdentityOutput) GoString() string { return s.String() } // SetAccount sets the Account field's value. func (s *GetCallerIdentityOutput) SetAccount(v string) *GetCallerIdentityOutput { s.Account = &v return s } // SetArn sets the Arn field's value. func (s *GetCallerIdentityOutput) SetArn(v string) *GetCallerIdentityOutput { s.Arn = &v return s } // SetUserId sets the UserId field's value. func (s *GetCallerIdentityOutput) SetUserId(v string) *GetCallerIdentityOutput { s.UserId = &v return s } type GetFederationTokenInput struct { _ struct{} `type:"structure"` // The duration, in seconds, that the session should last. Acceptable durations // for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds // (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained // using AWS account root user credentials are restricted to a maximum of 3,600 // seconds (one hour). If the specified duration is longer than one hour, the // session obtained by using root user credentials defaults to one hour. DurationSeconds *int64 `min:"900" type:"integer"` // The name of the federated user. The name is used as an identifier for the // temporary security credentials (such as Bob). For example, you can reference // the federated user name in a resource-based policy, such as in an Amazon // S3 bucket policy. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- // // Name is a required field Name *string `min:"2" type:"string" required:"true"` // An IAM policy in JSON format that you want to use as an inline session policy. // // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. // // This parameter is optional. However, if you do not pass any session policies, // then the resulting federated user session has no permissions. The only exception // is when the credentials are used to access a resource that has a resource-based // policy that specifically references the federated user session in the Principal // element of the policy. // // When you pass session policies, the session permissions are the intersection // of the IAM user policies and the session policies that you pass. This gives // you a way to further restrict the permissions for a federated user. You cannot // use session policies to grant more permissions than those that are defined // in the permissions policy of the IAM user. For more information, see Session // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plain text that you use for both inline and managed session policies // shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII // character from the space character to the end of the valid character list // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), // and carriage return (\u000D) characters. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want // to use as a managed session policy. The policies must exist in the same account // as the IAM user that is requesting federated access. // // You must pass an inline or managed session policy (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies shouldn't exceed 2048 characters. You can provide // up to 10 managed policy ARNs. For more information about ARNs, see Amazon // Resource Names (ARNs) and AWS Service Namespaces (general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // This parameter is optional. However, if you do not pass any session policies, // then the resulting federated user session has no permissions. The only exception // is when the credentials are used to access a resource that has a resource-based // policy that specifically references the federated user session in the Principal // element of the policy. // // When you pass session policies, the session permissions are the intersection // of the IAM user policies and the session policies that you pass. This gives // you a way to further restrict the permissions for a federated user. You cannot // use session policies to grant more permissions than those that are defined // in the permissions policy of the IAM user. For more information, see Session // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The characters in this parameter count towards the 2048 character session // policy guideline. However, an AWS conversion compresses the session policies // into a packed binary format that has a separate limit. This is the enforced // limit. The PackedPolicySize response element indicates by percentage how // close the policy is to the upper size limit. PolicyArns []*PolicyDescriptorType `type:"list"` } // String returns the string representation func (s GetFederationTokenInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetFederationTokenInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *GetFederationTokenInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) } if s.Name == nil { invalidParams.Add(request.NewErrParamRequired("Name")) } if s.Name != nil && len(*s.Name) < 2 { invalidParams.Add(request.NewErrParamMinLen("Name", 2)) } if s.Policy != nil && len(*s.Policy) < 1 { invalidParams.Add(request.NewErrParamMinLen("Policy", 1)) } if s.PolicyArns != nil { for i, v := range s.PolicyArns { if v == nil { continue } if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(request.ErrInvalidParams)) } } } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetDurationSeconds sets the DurationSeconds field's value. func (s *GetFederationTokenInput) SetDurationSeconds(v int64) *GetFederationTokenInput { s.DurationSeconds = &v return s } // SetName sets the Name field's value. func (s *GetFederationTokenInput) SetName(v string) *GetFederationTokenInput { s.Name = &v return s } // SetPolicy sets the Policy field's value. func (s *GetFederationTokenInput) SetPolicy(v string) *GetFederationTokenInput { s.Policy = &v return s } // SetPolicyArns sets the PolicyArns field's value. func (s *GetFederationTokenInput) SetPolicyArns(v []*PolicyDescriptorType) *GetFederationTokenInput { s.PolicyArns = v return s } // Contains the response to a successful GetFederationToken request, including // temporary AWS credentials that can be used to make AWS requests. type GetFederationTokenOutput struct { _ struct{} `type:"structure"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security (or session) token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` // Identifiers for the federated user associated with the credentials (such // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You // can use the federated user's ARN in your resource-based policies, such as // an Amazon S3 bucket policy. FederatedUser *FederatedUser `type:"structure"` // A percentage value indicating the size of the policy in packed form. The // service rejects policies for which the packed size is greater than 100 percent // of the allowed value. PackedPolicySize *int64 `type:"integer"` } // String returns the string representation func (s GetFederationTokenOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetFederationTokenOutput) GoString() string { return s.String() } // SetCredentials sets the Credentials field's value. func (s *GetFederationTokenOutput) SetCredentials(v *Credentials) *GetFederationTokenOutput { s.Credentials = v return s } // SetFederatedUser sets the FederatedUser field's value. func (s *GetFederationTokenOutput) SetFederatedUser(v *FederatedUser) *GetFederationTokenOutput { s.FederatedUser = v return s } // SetPackedPolicySize sets the PackedPolicySize field's value. func (s *GetFederationTokenOutput) SetPackedPolicySize(v int64) *GetFederationTokenOutput { s.PackedPolicySize = &v return s } type GetSessionTokenInput struct { _ struct{} `type:"structure"` // The duration, in seconds, that the credentials should remain valid. Acceptable // durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 // seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions // for AWS account owners are restricted to a maximum of 3,600 seconds (one // hour). If the duration is longer than one hour, the session for AWS account // owners defaults to one hour. DurationSeconds *int64 `min:"900" type:"integer"` // The identification number of the MFA device that is associated with the IAM // user who is making the GetSessionToken call. Specify this value if the IAM // user has a policy that requires MFA authentication. The value is either the // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). // You can find the device for an IAM user by going to the AWS Management Console // and viewing the user's security credentials. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@:/- SerialNumber *string `min:"9" type:"string"` // The value provided by the MFA device, if MFA is required. If any policy requires // the IAM user to submit an MFA code, specify this value. If MFA authentication // is required, the user must provide a code when requesting a set of temporary // security credentials. A user who fails to provide the code receives an "access // denied" response when requesting resources that require MFA authentication. // // The format for this parameter, as described by its regex pattern, is a sequence // of six numeric digits. TokenCode *string `min:"6" type:"string"` } // String returns the string representation func (s GetSessionTokenInput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetSessionTokenInput) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *GetSessionTokenInput) Validate() error { invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900)) } if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9)) } if s.TokenCode != nil && len(*s.TokenCode) < 6 { invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6)) } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetDurationSeconds sets the DurationSeconds field's value. func (s *GetSessionTokenInput) SetDurationSeconds(v int64) *GetSessionTokenInput { s.DurationSeconds = &v return s } // SetSerialNumber sets the SerialNumber field's value. func (s *GetSessionTokenInput) SetSerialNumber(v string) *GetSessionTokenInput { s.SerialNumber = &v return s } // SetTokenCode sets the TokenCode field's value. func (s *GetSessionTokenInput) SetTokenCode(v string) *GetSessionTokenInput { s.TokenCode = &v return s } // Contains the response to a successful GetSessionToken request, including // temporary AWS credentials that can be used to make AWS requests. type GetSessionTokenOutput struct { _ struct{} `type:"structure"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security (or session) token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` } // String returns the string representation func (s GetSessionTokenOutput) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s GetSessionTokenOutput) GoString() string { return s.String() } // SetCredentials sets the Credentials field's value. func (s *GetSessionTokenOutput) SetCredentials(v *Credentials) *GetSessionTokenOutput { s.Credentials = v return s } // A reference to the IAM managed policy that is passed as a session policy // for a role session or a federated user session. type PolicyDescriptorType struct { _ struct{} `type:"structure"` // The Amazon Resource Name (ARN) of the IAM managed policy to use as a session // policy for the role. For more information about ARNs, see Amazon Resource // Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. Arn *string `locationName:"arn" min:"20" type:"string"` } // String returns the string representation func (s PolicyDescriptorType) String() string { return awsutil.Prettify(s) } // GoString returns the string representation func (s PolicyDescriptorType) GoString() string { return s.String() } // Validate inspects the fields of the type to determine if they are valid. func (s *PolicyDescriptorType) Validate() error { invalidParams := request.ErrInvalidParams{Context: "PolicyDescriptorType"} if s.Arn != nil && len(*s.Arn) < 20 { invalidParams.Add(request.NewErrParamMinLen("Arn", 20)) } if invalidParams.Len() > 0 { return invalidParams } return nil } // SetArn sets the Arn field's value. func (s *PolicyDescriptorType) SetArn(v string) *PolicyDescriptorType { s.Arn = &v return s }