aws-sdk-core 3.46.0 → 3.94.0
- checksums.yaml +5 -5
- data/VERSION +1 -1
- data/lib/aws-sdk-core.rb +7 -0
- data/lib/aws-sdk-core/arn.rb +77 -0
- data/lib/aws-sdk-core/arn_parser.rb +38 -0
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +102 -0
- data/lib/aws-sdk-core/async_client_stubs.rb +80 -0
- data/lib/aws-sdk-core/binary.rb +3 -0
- data/lib/aws-sdk-core/binary/decode_handler.rb +9 -1
- data/lib/aws-sdk-core/binary/encode_handler.rb +32 -0
- data/lib/aws-sdk-core/binary/event_builder.rb +122 -0
- data/lib/aws-sdk-core/binary/event_parser.rb +48 -18
- data/lib/aws-sdk-core/binary/event_stream_decoder.rb +5 -2
- data/lib/aws-sdk-core/binary/event_stream_encoder.rb +53 -0
- data/lib/aws-sdk-core/client_side_monitoring/publisher.rb +9 -1
- data/lib/aws-sdk-core/client_stubs.rb +10 -9
- data/lib/aws-sdk-core/credential_provider.rb +0 -31
- data/lib/aws-sdk-core/credential_provider_chain.rb +79 -39
- data/lib/aws-sdk-core/deprecations.rb +16 -10
- data/lib/aws-sdk-core/ecs_credentials.rb +12 -8
- data/lib/aws-sdk-core/endpoint_cache.rb +14 -11
- data/lib/aws-sdk-core/errors.rb +94 -6
- data/lib/aws-sdk-core/event_emitter.rb +42 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +120 -38
- data/lib/aws-sdk-core/json.rb +13 -14
- data/lib/aws-sdk-core/json/error_handler.rb +19 -2
- data/lib/aws-sdk-core/json/handler.rb +19 -1
- data/lib/aws-sdk-core/log/formatter.rb +7 -1
- data/lib/aws-sdk-core/log/param_filter.rb +3 -3
- data/lib/aws-sdk-core/pageable_response.rb +34 -20
- data/lib/aws-sdk-core/param_validator.rb +11 -5
- data/lib/aws-sdk-core/plugins/client_metrics_plugin.rb +26 -1
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +1 -1
- data/lib/aws-sdk-core/plugins/event_stream_configuration.rb +14 -0
- data/lib/aws-sdk-core/plugins/invocation_id.rb +33 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +8 -1
- data/lib/aws-sdk-core/plugins/retries/client_rate_limiter.rb +137 -0
- data/lib/aws-sdk-core/plugins/retries/clock_skew.rb +98 -0
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +142 -0
- data/lib/aws-sdk-core/plugins/retries/retry_quota.rb +57 -0
- data/lib/aws-sdk-core/plugins/retry_errors.rb +290 -106
- data/lib/aws-sdk-core/plugins/signature_v4.rb +13 -2
- data/lib/aws-sdk-core/plugins/stub_responses.rb +20 -7
- data/lib/aws-sdk-core/plugins/transfer_encoding.rb +51 -0
- data/lib/aws-sdk-core/plugins/user_agent.rb +4 -8
- data/lib/aws-sdk-core/process_credentials.rb +9 -3
- data/lib/aws-sdk-core/shared_config.rb +95 -125
- data/lib/aws-sdk-core/structure.rb +1 -2
- data/lib/aws-sdk-core/stubbing/protocols/rest.rb +19 -0
- data/lib/aws-sdk-core/stubbing/stub_data.rb +13 -4
- data/lib/aws-sdk-core/util.rb +4 -0
- data/lib/aws-sdk-core/waiters/waiter.rb +2 -2
- data/lib/aws-sdk-core/xml/error_handler.rb +26 -3
- data/lib/aws-sdk-sts.rb +7 -4
- data/lib/aws-sdk-sts/client.rb +1109 -459
- data/lib/aws-sdk-sts/client_api.rb +67 -0
- data/lib/aws-sdk-sts/customizations.rb +2 -0
- data/lib/aws-sdk-sts/errors.rb +150 -0
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +32 -0
- data/lib/aws-sdk-sts/presigner.rb +67 -0
- data/lib/aws-sdk-sts/resource.rb +1 -0
- data/lib/aws-sdk-sts/types.rb +736 -176
- data/lib/seahorse.rb +9 -0
- data/lib/seahorse/client/async_base.rb +50 -0
- data/lib/seahorse/client/async_response.rb +62 -0
- data/lib/seahorse/client/base.rb +4 -2
- data/lib/seahorse/client/configuration.rb +4 -2
- data/lib/seahorse/client/events.rb +1 -1
- data/lib/seahorse/client/h2/connection.rb +246 -0
- data/lib/seahorse/client/h2/handler.rb +151 -0
- data/lib/seahorse/client/handler_list_entry.rb +2 -2
- data/lib/seahorse/client/http/async_response.rb +42 -0
- data/lib/seahorse/client/http/response.rb +13 -8
- data/lib/seahorse/client/logging/formatter.rb +4 -2
- data/lib/seahorse/client/net_http/connection_pool.rb +19 -20
- data/lib/seahorse/client/net_http/handler.rb +7 -1
- data/lib/seahorse/client/net_http/patches.rb +7 -1
- data/lib/seahorse/client/networking_error.rb +28 -0
- data/lib/seahorse/client/plugin.rb +5 -4
- data/lib/seahorse/client/plugins/content_length.rb +5 -2
- data/lib/seahorse/client/plugins/h2.rb +64 -0
- data/lib/seahorse/client/response.rb +3 -5
- data/lib/seahorse/model/api.rb +4 -0
- data/lib/seahorse/model/operation.rb +4 -0
- data/lib/seahorse/model/shapes.rb +2 -2
- metadata +43 -10
@@ -29,8 +29,7 @@ module Aws
|
|
29
29
|
def to_h(obj = self)
|
30
30
|
case obj
|
31
31
|
when Struct
|
32
|
-
obj.
|
33
|
-
value = obj[member]
|
32
|
+
obj.each_pair.with_object({}) do |(member, value), hash|
|
34
33
|
hash[member] = to_hash(value) unless value.nil?
|
35
34
|
end
|
36
35
|
when Hash
|
@@ -118,6 +118,25 @@ module Aws
|
|
118
118
|
|
119
119
|
def encode_event(opts, rules, event_data, builder)
|
120
120
|
event_ref = rules.shape.member(event_data.delete(:event_type))
|
121
|
+
explicit_payload = false
|
122
|
+
implicit_payload_members = {}
|
123
|
+
event_ref.shape.members.each do |name, ref|
|
124
|
+
if ref.eventpayload
|
125
|
+
explicit_payload = true
|
126
|
+
else
|
127
|
+
implicit_payload_members[name] = ref
|
128
|
+
end
|
129
|
+
end
|
130
|
+
|
131
|
+
if !explicit_payload && !implicit_payload_members.empty?
|
132
|
+
unless implicit_payload_members.size > 1
|
133
|
+
m_name, _ = implicit_payload_members.first
|
134
|
+
value = {}
|
135
|
+
value[m_name] = event_data[m_name]
|
136
|
+
opts[:payload] = StringIO.new(builder.new(event_ref).serialize(value))
|
137
|
+
end
|
138
|
+
end
|
139
|
+
|
121
140
|
event_data.each do |k, v|
|
122
141
|
member_ref = event_ref.shape.member(k)
|
123
142
|
if member_ref.eventheader
|
@@ -20,17 +20,26 @@ module Aws
|
|
20
20
|
def remove_paging_tokens(stub)
|
21
21
|
if @pager
|
22
22
|
@pager.instance_variable_get("@tokens").keys.each do |path|
|
23
|
-
|
24
|
-
|
23
|
+
if divide = (path[' || '] || path[' or '])
|
24
|
+
path = path.split(divide)[0]
|
25
|
+
end
|
26
|
+
parts = path.split(/\b/)
|
27
|
+
# if nested struct/expression, EmptyStub auto-pop "string"
|
28
|
+
# currently not support remove "string" for nested/expression
|
29
|
+
# as it requires reverse JMESPATH search
|
30
|
+
stub[parts[0]] = nil if parts.size == 1
|
25
31
|
end
|
26
32
|
if more_results = @pager.instance_variable_get('@more_results')
|
27
|
-
|
33
|
+
parts = more_results.split(/\b/)
|
34
|
+
# if nested struct/expression, EmptyStub auto-pop false value
|
35
|
+
# no further work needed
|
36
|
+
stub[parts[0]] = false if parts.size == 1
|
28
37
|
end
|
29
38
|
end
|
30
39
|
end
|
31
40
|
|
32
41
|
def apply_data(data, stub)
|
33
|
-
ParamValidator.new(@rules, validate_required:false).validate!(data)
|
42
|
+
ParamValidator.new(@rules, validate_required: false, input: false).validate!(data)
|
34
43
|
DataApplicator.new(@rules).apply_data(data, stub)
|
35
44
|
end
|
36
45
|
end
|
data/lib/aws-sdk-core/util.rb
@@ -50,7 +50,7 @@ module Aws
|
|
50
50
|
#
|
51
51
|
# @yieldparam [Integer] attempts The number of attempts made.
|
52
52
|
def before_attempt(&block)
|
53
|
-
@before_attempt <<
|
53
|
+
@before_attempt << block if block_given?
|
54
54
|
end
|
55
55
|
|
56
56
|
# Register a callback that is invoked after an attempt but before
|
@@ -81,7 +81,7 @@ module Aws
|
|
81
81
|
# @yieldparam [Seahorse::Client::Response] response The response from
|
82
82
|
# the previous polling attempts.
|
83
83
|
def before_wait(&block)
|
84
|
-
@before_wait <<
|
84
|
+
@before_wait << block if block_given?
|
85
85
|
end
|
86
86
|
|
87
87
|
# @option options [Client] :client
|
@@ -18,20 +18,43 @@ module Aws
|
|
18
18
|
if body.empty?
|
19
19
|
code = http_status_error_code(context)
|
20
20
|
message = ''
|
21
|
+
data = EmptyStructure.new
|
21
22
|
else
|
22
|
-
code, message = extract_error(body, context)
|
23
|
+
code, message, data = extract_error(body, context)
|
23
24
|
end
|
24
25
|
errors_module = context.client.class.errors_module
|
25
|
-
errors_module.error_class(code).new(context, message)
|
26
|
+
error_class = errors_module.error_class(code).new(context, message, data)
|
27
|
+
error_class
|
26
28
|
end
|
27
29
|
|
28
30
|
def extract_error(body, context)
|
31
|
+
code = error_code(body, context)
|
29
32
|
[
|
30
|
-
|
33
|
+
code,
|
31
34
|
error_message(body),
|
35
|
+
error_data(context, code)
|
32
36
|
]
|
33
37
|
end
|
34
38
|
|
39
|
+
def error_data(context, code)
|
40
|
+
data = EmptyStructure.new
|
41
|
+
if error_rules = context.operation.errors
|
42
|
+
error_rules.each do |rule|
|
43
|
+
# for modeled shape with error trait
|
44
|
+
# match `code` in the error trait before
|
45
|
+
# match modeled shape name
|
46
|
+
error_shape_code = rule.shape['error']['code'] if rule.shape['error']
|
47
|
+
match = (code == error_shape_code || code == rule.shape.name)
|
48
|
+
if match && rule.shape.members.any?
|
49
|
+
data = Parser.new(rule).parse(context.http_response.body_contents)
|
50
|
+
end
|
51
|
+
end
|
52
|
+
end
|
53
|
+
data
|
54
|
+
rescue Xml::Parser::ParsingError
|
55
|
+
EmptyStructure.new
|
56
|
+
end
|
57
|
+
|
35
58
|
def error_code(body, context)
|
36
59
|
if matches = body.match(/<Code>(.+?)<\/Code>/)
|
37
60
|
remove_prefix(unescape(matches[1]), context)
|
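--- a/data/lib/aws-sdk-sts.rb
+++ b/data/lib/aws-sdk-sts.rb
@@ -22,17 +22,20 @@ require_relative 'aws-sdk-sts/customizations'
 # methods each accept a hash of request parameters and return a response
 # structure.
 #
+# sts = Aws::STS::Client.new
+# resp = sts.assume_role(params)
+#
 # See {Client} for more information.
 #
 # # Errors
 #
-# Errors returned from AWS Security Token Service
-# extend {Errors::ServiceError}.
+# Errors returned from AWS Security Token Service are defined in the
+# {Errors} module and all extend {Errors::ServiceError}.
 #
 # begin
 # # do stuff
 # rescue Aws::STS::Errors::ServiceError
-# # rescues all
+# # rescues all AWS Security Token Service API errors
 # end
 #
 # See {Errors} for more information.
@@ -40,6 +43,6 @@ require_relative 'aws-sdk-sts/customizations'
 # @service
 module Aws::STS
 
-GEM_VERSION = '3.
+GEM_VERSION = '3.94.0'
 
 end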
data/lib/aws-sdk-sts/client.rb
@@ -23,12 +23,26 @@ require 'aws-sdk-core/plugins/idempotency_token.rb'
|
|
23
23
|
require 'aws-sdk-core/plugins/jsonvalue_converter.rb'
|
24
24
|
require 'aws-sdk-core/plugins/client_metrics_plugin.rb'
|
25
25
|
require 'aws-sdk-core/plugins/client_metrics_send_plugin.rb'
|
26
|
+
require 'aws-sdk-core/plugins/transfer_encoding.rb'
|
26
27
|
require 'aws-sdk-core/plugins/signature_v4.rb'
|
27
28
|
require 'aws-sdk-core/plugins/protocols/query.rb'
|
29
|
+
require 'aws-sdk-sts/plugins/sts_regional_endpoints.rb'
|
28
30
|
|
29
31
|
Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
|
30
32
|
|
31
33
|
module Aws::STS
|
34
|
+
# An API client for STS. To construct a client, you need to configure a `:region` and `:credentials`.
|
35
|
+
#
|
36
|
+
# client = Aws::STS::Client.new(
|
37
|
+
# region: region_name,
|
38
|
+
# credentials: credentials,
|
39
|
+
# # ...
|
40
|
+
# )
|
41
|
+
#
|
42
|
+
# For details on configuring region and credentials see
|
43
|
+
# the [developer guide](/sdk-for-ruby/v3/developer-guide/setup-config.html).
|
44
|
+
#
|
45
|
+
# See {#initialize} for a full list of supported configuration options.
|
32
46
|
class Client < Seahorse::Client::Base
|
33
47
|
|
34
48
|
include Aws::ClientStubs
|
@@ -55,8 +69,10 @@ module Aws::STS
|
|
55
69
|
add_plugin(Aws::Plugins::JsonvalueConverter)
|
56
70
|
add_plugin(Aws::Plugins::ClientMetricsPlugin)
|
57
71
|
add_plugin(Aws::Plugins::ClientMetricsSendPlugin)
|
72
|
+
add_plugin(Aws::Plugins::TransferEncoding)
|
58
73
|
add_plugin(Aws::Plugins::SignatureV4)
|
59
74
|
add_plugin(Aws::Plugins::Protocols::Query)
|
75
|
+
add_plugin(Aws::STS::Plugins::STSRegionalEndpoints)
|
60
76
|
|
61
77
|
# @overload initialize(options)
|
62
78
|
# @param [Hash] options
|
@@ -106,6 +122,12 @@ module Aws::STS
|
|
106
122
|
# When set to `true`, a thread polling for endpoints will be running in
|
107
123
|
# the background every 60 secs (default). Defaults to `false`.
|
108
124
|
#
|
125
|
+
# @option options [Boolean] :adaptive_retry_wait_to_fill (true)
|
126
|
+
# Used only in `adaptive` retry mode. When true, the request will sleep
|
127
|
+
# until there is sufficent client side capacity to retry the request.
|
128
|
+
# When false, the request will raise a `RetryCapacityNotAvailableError` and will
|
129
|
+
# not retry instead of sleeping.
|
130
|
+
#
|
109
131
|
# @option options [Boolean] :client_side_monitoring (false)
|
110
132
|
# When `true`, client-side metrics will be collected for all API requests from
|
111
133
|
# this client.
|
@@ -114,6 +136,10 @@ module Aws::STS
|
|
114
136
|
# Allows you to provide an identifier for this client which will be attached to
|
115
137
|
# all generated client side metrics. Defaults to an empty string.
|
116
138
|
#
|
139
|
+
# @option options [String] :client_side_monitoring_host ("127.0.0.1")
|
140
|
+
# Allows you to specify the DNS hostname or IPv4 or IPv6 address that the client
|
141
|
+
# side monitoring agent is running on, where client metrics will be published via UDP.
|
142
|
+
#
|
117
143
|
# @option options [Integer] :client_side_monitoring_port (31000)
|
118
144
|
# Required for publishing client metrics. The port that the client side monitoring
|
119
145
|
# agent is running on, where client metrics will be published via UDP.
|
@@ -126,6 +152,10 @@ module Aws::STS
|
|
126
152
|
# When `true`, an attempt is made to coerce request parameters into
|
127
153
|
# the required types.
|
128
154
|
#
|
155
|
+
# @option options [Boolean] :correct_clock_skew (true)
|
156
|
+
# Used only in `standard` and adaptive retry modes. Specifies whether to apply
|
157
|
+
# a clock skew correction and retry requests with skewed client clocks.
|
158
|
+
#
|
129
159
|
# @option options [Boolean] :disable_host_prefix_injection (false)
|
130
160
|
# Set to true to disable SDK automatically adding host prefix
|
131
161
|
# to default service endpoint when available.
|
@@ -160,15 +190,29 @@ module Aws::STS
|
|
160
190
|
# The Logger instance to send log messages to. If this option
|
161
191
|
# is not set, logging will be disabled.
|
162
192
|
#
|
193
|
+
# @option options [Integer] :max_attempts (3)
|
194
|
+
# An integer representing the maximum number attempts that will be made for
|
195
|
+
# a single request, including the initial attempt. For example,
|
196
|
+
# setting this value to 5 will result in a request being retried up to
|
197
|
+
# 4 times. Used in `standard` and `adaptive` retry modes.
|
198
|
+
#
|
163
199
|
# @option options [String] :profile ("default")
|
164
200
|
# Used when loading credentials from the shared credentials file
|
165
201
|
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
166
202
|
#
|
203
|
+
# @option options [Proc] :retry_backoff
|
204
|
+
# A proc or lambda used for backoff. Defaults to 2**retries * retry_base_delay.
|
205
|
+
# This option is only used in the `legacy` retry mode.
|
206
|
+
#
|
167
207
|
# @option options [Float] :retry_base_delay (0.3)
|
168
|
-
# The base delay in seconds used by the default backoff function.
|
208
|
+
# The base delay in seconds used by the default backoff function. This option
|
209
|
+
# is only used in the `legacy` retry mode.
|
169
210
|
#
|
170
211
|
# @option options [Symbol] :retry_jitter (:none)
|
171
|
-
# A delay randomiser function used by the default backoff function.
|
212
|
+
# A delay randomiser function used by the default backoff function.
|
213
|
+
# Some predefined functions can be referenced by name - :none, :equal, :full,
|
214
|
+
# otherwise a Proc that takes and returns a number. This option is only used
|
215
|
+
# in the `legacy` retry mode.
|
172
216
|
#
|
173
217
|
# @see https://www.awsarchitectureblog.com/2015/03/backoff.html
|
174
218
|
#
|
@@ -176,16 +220,40 @@ module Aws::STS
|
|
176
220
|
# The maximum number of times to retry failed requests. Only
|
177
221
|
# ~ 500 level server errors and certain ~ 400 level client errors
|
178
222
|
# are retried. Generally, these are throttling errors, data
|
179
|
-
# checksum errors, networking errors, timeout errors
|
180
|
-
# errors from expired credentials.
|
223
|
+
# checksum errors, networking errors, timeout errors, auth errors,
|
224
|
+
# endpoint discovery, and errors from expired credentials.
|
225
|
+
# This option is only used in the `legacy` retry mode.
|
181
226
|
#
|
182
227
|
# @option options [Integer] :retry_max_delay (0)
|
183
|
-
# The maximum number of seconds to delay between retries (0 for no limit)
|
228
|
+
# The maximum number of seconds to delay between retries (0 for no limit)
|
229
|
+
# used by the default backoff function. This option is only used in the
|
230
|
+
# `legacy` retry mode.
|
231
|
+
#
|
232
|
+
# @option options [String] :retry_mode ("legacy")
|
233
|
+
# Specifies which retry algorithm to use. Values are:
|
234
|
+
#
|
235
|
+
# * `legacy` - The pre-existing retry behavior. This is default value if
|
236
|
+
# no retry mode is provided.
|
237
|
+
#
|
238
|
+
# * `standard` - A standardized set of retry rules across the AWS SDKs.
|
239
|
+
# This includes support for retry quotas, which limit the number of
|
240
|
+
# unsuccessful retries a client can make.
|
241
|
+
#
|
242
|
+
# * `adaptive` - An experimental retry mode that includes all the
|
243
|
+
# functionality of `standard` mode along with automatic client side
|
244
|
+
# throttling. This is a provisional mode that may change behavior
|
245
|
+
# in the future.
|
246
|
+
#
|
184
247
|
#
|
185
248
|
# @option options [String] :secret_access_key
|
186
249
|
#
|
187
250
|
# @option options [String] :session_token
|
188
251
|
#
|
252
|
+
# @option options [String] :sts_regional_endpoints ("regional")
|
253
|
+
# Passing in 'regional' to enable regional endpoint for STS for all supported
|
254
|
+
# regions (except 'aws-global'). Using 'legacy' mode will force all legacy
|
255
|
+
# regions to resolve to the STS global endpoint.
|
256
|
+
#
|
189
257
|
# @option options [Boolean] :stub_responses (false)
|
190
258
|
# Causes the client to return stubbed responses. By default
|
191
259
|
# fake responses are generated and returned. You can specify
|
@@ -199,46 +267,78 @@ module Aws::STS
|
|
199
267
|
# When `true`, request parameters are validated before
|
200
268
|
# sending the request.
|
201
269
|
#
|
270
|
+
# @option options [URI::HTTP,String] :http_proxy A proxy to send
|
271
|
+
# requests through. Formatted like 'http://proxy.com:123'.
|
272
|
+
#
|
273
|
+
# @option options [Float] :http_open_timeout (15) The number of
|
274
|
+
# seconds to wait when opening a HTTP session before raising a
|
275
|
+
# `Timeout::Error`.
|
276
|
+
#
|
277
|
+
# @option options [Integer] :http_read_timeout (60) The default
|
278
|
+
# number of seconds to wait for response data. This value can
|
279
|
+
# safely be set per-request on the session.
|
280
|
+
#
|
281
|
+
# @option options [Float] :http_idle_timeout (5) The number of
|
282
|
+
# seconds a connection is allowed to sit idle before it is
|
283
|
+
# considered stale. Stale connections are closed and removed
|
284
|
+
# from the pool before making a request.
|
285
|
+
#
|
286
|
+
# @option options [Float] :http_continue_timeout (1) The number of
|
287
|
+
# seconds to wait for a 100-continue response before sending the
|
288
|
+
# request body. This option has no effect unless the request has
|
289
|
+
# "Expect" header set to "100-continue". Defaults to `nil` which
|
290
|
+
# disables this behaviour. This value can safely be set per
|
291
|
+
# request on the session.
|
292
|
+
#
|
293
|
+
# @option options [Boolean] :http_wire_trace (false) When `true`,
|
294
|
+
# HTTP debug output will be sent to the `:logger`.
|
295
|
+
#
|
296
|
+
# @option options [Boolean] :ssl_verify_peer (true) When `true`,
|
297
|
+
# SSL peer certificates are verified when establishing a
|
298
|
+
# connection.
|
299
|
+
#
|
300
|
+
# @option options [String] :ssl_ca_bundle Full path to the SSL
|
301
|
+
# certificate authority bundle file that should be used when
|
302
|
+
# verifying peer certificates. If you do not pass
|
303
|
+
# `:ssl_ca_bundle` or `:ssl_ca_directory` the the system default
|
304
|
+
# will be used if available.
|
305
|
+
#
|
306
|
+
# @option options [String] :ssl_ca_directory Full path of the
|
307
|
+
# directory that contains the unbundled SSL certificate
|
308
|
+
# authority files for verifying peer certificates. If you do
|
309
|
+
# not pass `:ssl_ca_bundle` or `:ssl_ca_directory` the the
|
310
|
+
# system default will be used if available.
|
311
|
+
#
|
202
312
|
def initialize(*args)
|
203
313
|
super
|
204
314
|
end
|
205
315
|
|
206
316
|
# @!group API Operations
|
207
317
|
|
208
|
-
# Returns a set of temporary security credentials
|
209
|
-
# access
|
210
|
-
#
|
211
|
-
#
|
212
|
-
#
|
213
|
-
# produce temporary credentials, see
|
214
|
-
# Credentials][1] and [Comparing the AWS
|
215
|
-
# Guide*.
|
216
|
-
#
|
217
|
-
#
|
218
|
-
#
|
219
|
-
#
|
318
|
+
# Returns a set of temporary security credentials that you can use to
|
319
|
+
# access AWS resources that you might not normally have access to. These
|
320
|
+
# temporary credentials consist of an access key ID, a secret access
|
321
|
+
# key, and a security token. Typically, you use `AssumeRole` within your
|
322
|
+
# account or for cross-account access. For a comparison of `AssumeRole`
|
323
|
+
# with other API operations that produce temporary credentials, see
|
324
|
+
# [Requesting Temporary Security Credentials][1] and [Comparing the AWS
|
325
|
+
# STS API operations][2] in the *IAM User Guide*.
|
326
|
+
#
|
327
|
+
# You cannot use AWS account root user credentials to call `AssumeRole`.
|
328
|
+
# You must use credentials for an IAM user or an IAM role to call
|
329
|
+
# `AssumeRole`.
|
220
330
|
#
|
221
331
|
# For cross-account access, imagine that you own multiple accounts and
|
222
332
|
# need to access resources in each account. You could create long-term
|
223
333
|
# credentials in each account to access those resources. However,
|
224
334
|
# managing all those credentials and remembering which one can access
|
225
335
|
# which account can be time consuming. Instead, you can create one set
|
226
|
-
# of long-term credentials in one account
|
227
|
-
#
|
228
|
-
#
|
229
|
-
#
|
230
|
-
#
|
231
|
-
#
|
232
|
-
# the AWS Management Console. If you already have an identity and
|
233
|
-
# authentication system in your corporate network, you don't have to
|
234
|
-
# recreate user identities in AWS in order to grant those user
|
235
|
-
# identities access to AWS. Instead, after a user has been
|
236
|
-
# authenticated, you call `AssumeRole` (and specify the role with the
|
237
|
-
# appropriate permissions) to get temporary security credentials for
|
238
|
-
# that user. With those temporary security credentials, you construct a
|
239
|
-
# sign-in URL that users can use to access the console. For more
|
240
|
-
# information, see [Common Scenarios for Temporary Credentials][4] in
|
241
|
-
# the *IAM User Guide*.
|
336
|
+
# of long-term credentials in one account. Then use temporary security
|
337
|
+
# credentials to access all the other accounts by assuming roles in
|
338
|
+
# those accounts. For more information about roles, see [IAM Roles][3]
|
339
|
+
# in the *IAM User Guide*.
|
340
|
+
#
|
341
|
+
# **Session Duration**
|
242
342
|
#
|
243
343
|
# By default, the temporary security credentials created by `AssumeRole`
|
244
344
|
# last for one hour. However, you can use the optional `DurationSeconds`
|
@@ -246,85 +346,108 @@ module Aws::STS
|
|
246
346
|
# value from 900 seconds (15 minutes) up to the maximum session duration
|
247
347
|
# setting for the role. This setting can have a value from 1 hour to 12
|
248
348
|
# hours. To learn how to view the maximum value for your role, see [View
|
249
|
-
# the Maximum Session Duration Setting for a Role][
|
349
|
+
# the Maximum Session Duration Setting for a Role][4] in the *IAM User
|
250
350
|
# Guide*. The maximum session duration limit applies when you use the
|
251
|
-
# `AssumeRole*` API operations or the `assume-role*` CLI
|
252
|
-
# does not apply when you use those operations to
|
253
|
-
# For more information, see [Using IAM Roles][
|
254
|
-
# Guide*.
|
351
|
+
# `AssumeRole*` API operations or the `assume-role*` CLI commands.
|
352
|
+
# However the limit does not apply when you use those operations to
|
353
|
+
# create a console URL. For more information, see [Using IAM Roles][5]
|
354
|
+
# in the *IAM User Guide*.
|
355
|
+
#
|
356
|
+
# **Permissions**
|
255
357
|
#
|
256
358
|
# The temporary security credentials created by `AssumeRole` can be used
|
257
|
-
# to make API calls to any AWS service with the following exception:
|
258
|
-
# cannot call the STS
|
259
|
-
#
|
260
|
-
#
|
261
|
-
#
|
262
|
-
#
|
263
|
-
#
|
264
|
-
#
|
265
|
-
#
|
266
|
-
#
|
267
|
-
#
|
268
|
-
#
|
269
|
-
#
|
270
|
-
#
|
271
|
-
#
|
272
|
-
# that is being assumed. For more
|
273
|
-
#
|
359
|
+
# to make API calls to any AWS service with the following exception: You
|
360
|
+
# cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
|
361
|
+
# operations.
|
362
|
+
#
|
363
|
+
# (Optional) You can pass inline or managed [session policies][6] to
|
364
|
+
# this operation. You can pass a single JSON policy document to use as
|
365
|
+
# an inline session policy. You can also specify up to 10 managed
|
366
|
+
# policies to use as managed session policies. The plain text that you
|
367
|
+
# use for both inline and managed session policies can't exceed 2,048
|
368
|
+
# characters. Passing policies to this operation returns new temporary
|
369
|
+
# credentials. The resulting session's permissions are the intersection
|
370
|
+
# of the role's identity-based policy and the session policies. You can
|
371
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
372
|
+
# access resources in the account that owns the role. You cannot use
|
373
|
+
# session policies to grant more permissions than those allowed by the
|
374
|
+
# identity-based policy of the role that is being assumed. For more
|
375
|
+
# information, see [Session Policies][6] in the *IAM User Guide*.
|
376
|
+
#
|
377
|
+
# To assume a role from a different account, your AWS account must be
|
378
|
+
# trusted by the role. The trust relationship is defined in the role's
|
379
|
+
# trust policy when the role is created. That trust policy states which
|
380
|
+
# accounts are allowed to delegate that access to users in the account.
|
381
|
+
#
|
382
|
+
# A user who wants to access a role in a different account must also
|
383
|
+
# have permissions that are delegated from the user account
|
384
|
+
# administrator. The administrator must attach a policy that allows the
|
385
|
+
# user to call `AssumeRole` for the ARN of the role in the other
|
386
|
+
# account. If the user is in the same account as the role, then you can
|
387
|
+
# do either of the following:
|
388
|
+
#
|
389
|
+
# * Attach a policy to the user (identical to the previous user in a
|
390
|
+
# different account).
|
391
|
+
#
|
392
|
+
# * Add the user as a principal directly in the role's trust policy.
|
393
|
+
#
|
394
|
+
# In this case, the trust policy acts as an IAM resource-based policy.
|
395
|
+
# Users in the same account as the role do not need explicit permission
|
396
|
+
# to assume the role. For more information about trust policies and
|
397
|
+
# resource-based policies, see [IAM Policies][7] in the *IAM User
|
398
|
+
# Guide*.
|
399
|
+
#
|
400
|
+
# **Tags**
|
401
|
+
#
|
402
|
+
# (Optional) You can pass tag key-value pairs to your session. These
|
403
|
+
# tags are called session tags. For more information about session tags,
|
404
|
+
# see [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
405
|
+
#
|
406
|
+
# An administrator must grant you the permissions necessary to pass
|
407
|
+
# session tags. The administrator can also create granular permissions
|
408
|
+
# to allow you to pass only specific session tags. For more information,
|
409
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
274
410
|
# the *IAM User Guide*.
|
275
411
|
#
|
276
|
-
#
|
277
|
-
#
|
278
|
-
#
|
279
|
-
# to delegate access to this account's role.
|
280
|
-
#
|
281
|
-
# The user who wants to access the role must also have permissions
|
282
|
-
# delegated from the role's administrator. If the user is in a
|
283
|
-
# different account than the role, then the user's administrator must
|
284
|
-
# attach a policy that allows the user to call AssumeRole on the ARN of
|
285
|
-
# the role in the other account. If the user is in the same account as
|
286
|
-
# the role, then you can either attach a policy to the user (identical
|
287
|
-
# to the previous different account user), or you can add the user as a
|
288
|
-
# principal directly in the role's trust policy. In this case, the
|
289
|
-
# trust policy acts as the only resource-based policy in IAM, and users
|
290
|
-
# in the same account as the role do not need explicit permission to
|
291
|
-
# assume the role. For more information about trust policies and
|
292
|
-
# resource-based policies, see [IAM Policies][8] in the *IAM User
|
293
|
-
# Guide*.
|
412
|
+
# You can set the session tags as transitive. Transitive tags persist
|
413
|
+
# during role chaining. For more information, see [Chaining Roles with
|
414
|
+
# Session Tags][10] in the *IAM User Guide*.
|
294
415
|
#
|
295
416
|
# **Using MFA with AssumeRole**
|
296
417
|
#
|
297
|
-
# You can
|
418
|
+
# (Optional) You can include multi-factor authentication (MFA)
|
298
419
|
# information when you call `AssumeRole`. This is useful for
|
299
|
-
# cross-account scenarios
|
300
|
-
#
|
301
|
-
#
|
302
|
-
#
|
303
|
-
#
|
304
|
-
#
|
305
|
-
#
|
420
|
+
# cross-account scenarios to ensure that the user that assumes the role
|
421
|
+
# has been authenticated with an AWS MFA device. In that scenario, the
|
422
|
+
# trust policy of the role being assumed includes a condition that tests
|
423
|
+
# for MFA authentication. If the caller does not include valid MFA
|
424
|
+
# information, the request to assume the role is denied. The condition
|
425
|
+
# in a trust policy that tests for MFA authentication might look like
|
426
|
+
# the following example.
|
306
427
|
#
|
307
428
|
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
308
429
|
#
|
309
|
-
# For more information, see [Configuring MFA-Protected API Access][
|
310
|
-
# the *IAM User Guide* guide.
|
430
|
+
# For more information, see [Configuring MFA-Protected API Access][11]
|
431
|
+
# in the *IAM User Guide* guide.
|
311
432
|
#
|
312
433
|
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
313
434
|
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
314
435
|
# user's hardware or virtual MFA device. The `TokenCode` is the
|
315
|
-
# time-based one-time password (TOTP) that the MFA
|
436
|
+
# time-based one-time password (TOTP) that the MFA device produces.
|
316
437
|
#
|
317
438
|
#
|
318
439
|
#
|
319
|
-
# [1]:
|
320
|
-
# [2]:
|
321
|
-
# [3]:
|
322
|
-
# [4]:
|
323
|
-
# [5]:
|
324
|
-
# [6]:
|
325
|
-
# [7]:
|
326
|
-
# [8]:
|
327
|
-
# [9]:
|
440
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
441
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
442
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
|
443
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
444
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
445
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
446
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
447
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
448
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
449
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
450
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
328
451
|
#
|
329
452
|
# @option params [required, String] :role_arn
|
330
453
|
# The Amazon Resource Name (ARN) of the role to assume.
|
@@ -337,47 +460,82 @@ module Aws::STS
|
|
337
460
|
# cross-account scenarios, the role session name is visible to, and can
|
338
461
|
# be logged by the account that owns the role. The role session name is
|
339
462
|
# also used in the ARN of the assumed role principal. This means that
|
340
|
-
# subsequent cross-account API requests
|
463
|
+
# subsequent cross-account API requests that use the temporary security
|
341
464
|
# credentials will expose the role session name to the external account
|
342
|
-
# in their CloudTrail logs.
|
465
|
+
# in their AWS CloudTrail logs.
|
343
466
|
#
|
344
467
|
# The regex used to validate this parameter is a string of characters
|
345
468
|
# consisting of upper- and lower-case alphanumeric characters with no
|
346
469
|
# spaces. You can also include underscores or any of the following
|
347
470
|
# characters: =,.@-
|
348
471
|
#
|
349
|
-
# @option params [
|
350
|
-
#
|
351
|
-
#
|
352
|
-
#
|
353
|
-
# security credentials that are returned by the operation have the
|
354
|
-
# permissions that are allowed by both (the intersection of) the access
|
355
|
-
# policy of the role that is being assumed, *and* the policy that you
|
356
|
-
# pass. This gives you a way to further restrict the permissions for the
|
357
|
-
# resulting temporary security credentials. You cannot use the passed
|
358
|
-
# policy to grant permissions that are in excess of those allowed by the
|
359
|
-
# access policy of the role that is being assumed. For more information,
|
360
|
-
# see [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
361
|
-
# AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
|
472
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
473
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
474
|
+
# want to use as managed session policies. The policies must exist in
|
475
|
+
# the same account as the role.
|
362
476
|
#
|
363
|
-
#
|
364
|
-
#
|
477
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
478
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
479
|
+
# session policies can't exceed 2,048 characters. For more information
|
480
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
481
|
+
# Namespaces][1] in the AWS General Reference.
|
482
|
+
#
|
483
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
484
|
+
# tags into a packed binary format that has a separate limit. Your
|
485
|
+
# request can fail for this limit even if your plain text meets the
|
486
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
487
|
+
# by percentage how close the policies and tags for your request are to
|
488
|
+
# the upper size limit.
|
489
|
+
#
|
490
|
+
# </note>
|
491
|
+
#
|
492
|
+
# Passing policies to this operation returns new temporary credentials.
|
493
|
+
# The resulting session's permissions are the intersection of the
|
494
|
+
# role's identity-based policy and the session policies. You can use
|
495
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
496
|
+
# access resources in the account that owns the role. You cannot use
|
497
|
+
# session policies to grant more permissions than those allowed by the
|
498
|
+
# identity-based policy of the role that is being assumed. For more
|
499
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
500
|
+
#
|
501
|
+
#
|
502
|
+
#
|
503
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
504
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
505
|
+
#
|
506
|
+
# @option params [String] :policy
|
507
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
508
|
+
# policy.
|
509
|
+
#
|
510
|
+
# This parameter is optional. Passing policies to this operation returns
|
511
|
+
# new temporary credentials. The resulting session's permissions are
|
512
|
+
# the intersection of the role's identity-based policy and the session
|
513
|
+
# policies. You can use the role's temporary credentials in subsequent
|
514
|
+
# AWS API calls to access resources in the account that owns the role.
|
515
|
+
# You cannot use session policies to grant more permissions than those
|
516
|
+
# allowed by the identity-based policy of the role that is being
|
517
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
518
|
+
# User Guide*.
|
519
|
+
#
|
520
|
+
# The plain text that you use for both inline and managed session
|
521
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
365
522
|
# can be any ASCII character from the space character to the end of the
|
366
|
-
# valid character list (\\u0020
|
367
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
523
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
524
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
368
525
|
# characters.
|
369
526
|
#
|
370
|
-
# <note markdown="1">
|
371
|
-
#
|
372
|
-
#
|
373
|
-
#
|
374
|
-
#
|
527
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
528
|
+
# tags into a packed binary format that has a separate limit. Your
|
529
|
+
# request can fail for this limit even if your plain text meets the
|
530
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
531
|
+
# by percentage how close the policies and tags for your request are to
|
532
|
+
# the upper size limit.
|
375
533
|
#
|
376
534
|
# </note>
|
377
535
|
#
|
378
536
|
#
|
379
537
|
#
|
380
|
-
# [1]:
|
538
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
381
539
|
#
|
382
540
|
# @option params [Integer] :duration_seconds
|
383
541
|
# The duration, in seconds, of the role session. The value can range
|
@@ -390,7 +548,7 @@ module Aws::STS
|
|
390
548
|
# see [View the Maximum Session Duration Setting for a Role][1] in the
|
391
549
|
# *IAM User Guide*.
|
392
550
|
#
|
393
|
-
# By default, the value is set to 3600 seconds.
|
551
|
+
# By default, the value is set to `3600` seconds.
|
394
552
|
#
|
395
553
|
# <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
|
396
554
|
# console session that you might request using the returned credentials.
|
@@ -404,29 +562,91 @@ module Aws::STS
|
|
404
562
|
#
|
405
563
|
#
|
406
564
|
#
|
407
|
-
# [1]:
|
408
|
-
# [2]:
|
565
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
566
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
567
|
+
#
|
568
|
+
# @option params [Array<Types::Tag>] :tags
|
569
|
+
# A list of session tags that you want to pass. Each session tag
|
570
|
+
# consists of a key name and an associated value. For more information
|
571
|
+
# about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
|
572
|
+
# Guide*.
|
573
|
+
#
|
574
|
+
# This parameter is optional. You can pass up to 50 session tags. The
|
575
|
+
# plain text session tag keys can’t exceed 128 characters, and the
|
576
|
+
# values can’t exceed 256 characters. For these and additional limits,
|
577
|
+
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
578
|
+
#
|
579
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
580
|
+
# tags into a packed binary format that has a separate limit. Your
|
581
|
+
# request can fail for this limit even if your plain text meets the
|
582
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
583
|
+
# by percentage how close the policies and tags for your request are to
|
584
|
+
# the upper size limit.
|
585
|
+
#
|
586
|
+
# </note>
|
587
|
+
#
|
588
|
+
# You can pass a session tag with the same key as a tag that is already
|
589
|
+
# attached to the role. When you do, session tags override a role tag
|
590
|
+
# with the same key.
|
591
|
+
#
|
592
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
593
|
+
# This means that you cannot have separate `Department` and `department`
|
594
|
+
# tag keys. Assume that the role has the `Department`=`Marketing` tag
|
595
|
+
# and you pass the `department`=`engineering` session tag. `Department`
|
596
|
+
# and `department` are not saved as separate tags, and the session tag
|
597
|
+
# passed in the request takes precedence over the role tag.
|
598
|
+
#
|
599
|
+
# Additionally, if you used temporary credentials to perform this
|
600
|
+
# operation, the new session inherits any transitive session tags from
|
601
|
+
# the calling session. If you pass a session tag with the same key as an
|
602
|
+
# inherited tag, the operation fails. To view the inherited tags for a
|
603
|
+
# session, see the AWS CloudTrail logs. For more information, see
|
604
|
+
# [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
605
|
+
#
|
606
|
+
#
|
607
|
+
#
|
608
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
609
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
610
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs
|
611
|
+
#
|
612
|
+
# @option params [Array<String>] :transitive_tag_keys
|
613
|
+
# A list of keys for session tags that you want to set as transitive. If
|
614
|
+
# you set a tag key as transitive, the corresponding key and value
|
615
|
+
# passes to subsequent sessions in a role chain. For more information,
|
616
|
+
# see [Chaining Roles with Session Tags][1] in the *IAM User Guide*.
|
617
|
+
#
|
618
|
+
# This parameter is optional. When you set session tags as transitive,
|
619
|
+
# the session policy and session tags packed binary limit is not
|
620
|
+
# affected.
|
621
|
+
#
|
622
|
+
# If you choose not to specify a transitive tag key, then no tags are
|
623
|
+
# passed from this session to any subsequent sessions.
|
624
|
+
#
|
625
|
+
#
|
626
|
+
#
|
627
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
409
628
|
#
|
410
629
|
# @option params [String] :external_id
|
411
|
-
# A unique identifier that
|
412
|
-
#
|
413
|
-
#
|
414
|
-
#
|
415
|
-
#
|
416
|
-
#
|
417
|
-
#
|
418
|
-
#
|
419
|
-
#
|
420
|
-
#
|
630
|
+
# A unique identifier that might be required when you assume a role in
|
631
|
+
# another account. If the administrator of the account to which the role
|
632
|
+
# belongs provided you with an external ID, then provide that value in
|
633
|
+
# the `ExternalId` parameter. This value can be any string, such as a
|
634
|
+
# passphrase or account number. A cross-account role is usually set up
|
635
|
+
# to trust everyone in an account. Therefore, the administrator of the
|
636
|
+
# trusting account might send an external ID to the administrator of the
|
637
|
+
# trusted account. That way, only someone with the ID can assume the
|
638
|
+
# role, rather than everyone in the account. For more information about
|
639
|
+
# the external ID, see [How to Use an External ID When Granting Access
|
640
|
+
# to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
|
421
641
|
#
|
422
|
-
# The regex used to
|
642
|
+
# The regex used to validate this parameter is a string of characters
|
423
643
|
# consisting of upper- and lower-case alphanumeric characters with no
|
424
644
|
# spaces. You can also include underscores or any of the following
|
425
645
|
# characters: =,.@:/-
|
426
646
|
#
|
427
647
|
#
|
428
648
|
#
|
429
|
-
# [1]:
|
649
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
|
430
650
|
#
|
431
651
|
# @option params [String] :serial_number
|
432
652
|
# The identification number of the MFA device that is associated with
|
@@ -462,11 +682,28 @@ module Aws::STS
|
|
462
682
|
# @example Example: To assume a role
|
463
683
|
#
|
464
684
|
# resp = client.assume_role({
|
465
|
-
# duration_seconds: 3600,
|
466
685
|
# external_id: "123ABC",
|
467
|
-
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3
|
686
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
468
687
|
# role_arn: "arn:aws:iam::123456789012:role/demo",
|
469
|
-
# role_session_name: "
|
688
|
+
# role_session_name: "testAssumeRoleSession",
|
689
|
+
# tags: [
|
690
|
+
# {
|
691
|
+
# key: "Project",
|
692
|
+
# value: "Unicorn",
|
693
|
+
# },
|
694
|
+
# {
|
695
|
+
# key: "Team",
|
696
|
+
# value: "Automation",
|
697
|
+
# },
|
698
|
+
# {
|
699
|
+
# key: "Cost-Center",
|
700
|
+
# value: "12345",
|
701
|
+
# },
|
702
|
+
# ],
|
703
|
+
# transitive_tag_keys: [
|
704
|
+
# "Project",
|
705
|
+
# "Cost-Center",
|
706
|
+
# ],
|
470
707
|
# })
|
471
708
|
#
|
472
709
|
# resp.to_h outputs the following:
|
@@ -481,7 +718,7 @@ module Aws::STS
|
|
481
718
|
# secret_access_key: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
|
482
719
|
# session_token: "AQoDYXdzEPT//////////wEXAMPLEtc764bNrC9SAPBSM22wDOk4x4HIZ8j4FZTwdQWLWsKWHGBuFqwAeMicRXmxfpSPfIeoIYRqTflfKD8YUuwthAx7mSEI/qkPpKPi/kMcGdQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
|
483
720
|
# },
|
484
|
-
# packed_policy_size:
|
721
|
+
# packed_policy_size: 8,
|
485
722
|
# }
|
486
723
|
#
|
487
724
|
# @example Request syntax with placeholder values
|
@@ -489,8 +726,20 @@ module Aws::STS
|
|
489
726
|
# resp = client.assume_role({
|
490
727
|
# role_arn: "arnType", # required
|
491
728
|
# role_session_name: "roleSessionNameType", # required
|
729
|
+
# policy_arns: [
|
730
|
+
# {
|
731
|
+
# arn: "arnType",
|
732
|
+
# },
|
733
|
+
# ],
|
492
734
|
# policy: "sessionPolicyDocumentType",
|
493
735
|
# duration_seconds: 1,
|
736
|
+
# tags: [
|
737
|
+
# {
|
738
|
+
# key: "tagKeyType", # required
|
739
|
+
# value: "tagValueType", # required
|
740
|
+
# },
|
741
|
+
# ],
|
742
|
+
# transitive_tag_keys: ["tagKeyType"],
|
494
743
|
# external_id: "externalIdType",
|
495
744
|
# serial_number: "serialNumberType",
|
496
745
|
# token_code: "tokenCodeType",
|
@@ -520,15 +769,17 @@ module Aws::STS
|
|
520
769
|
# provides a mechanism for tying an enterprise identity store or
|
521
770
|
# directory to role-based AWS access without user-specific credentials
|
522
771
|
# or configuration. For a comparison of `AssumeRoleWithSAML` with the
|
523
|
-
# other
|
524
|
-
# Temporary Security Credentials][1] and [Comparing the AWS
|
525
|
-
# in the *IAM User Guide*.
|
772
|
+
# other API operations that produce temporary credentials, see
|
773
|
+
# [Requesting Temporary Security Credentials][1] and [Comparing the AWS
|
774
|
+
# STS API operations][2] in the *IAM User Guide*.
|
526
775
|
#
|
527
776
|
# The temporary security credentials returned by this operation consist
|
528
777
|
# of an access key ID, a secret access key, and a security token.
|
529
778
|
# Applications can use these temporary security credentials to sign
|
530
779
|
# calls to AWS services.
|
531
780
|
#
|
781
|
+
# **Session Duration**
|
782
|
+
#
|
532
783
|
# By default, the temporary security credentials created by
|
533
784
|
# `AssumeRoleWithSAML` last for one hour. However, you can use the
|
534
785
|
# optional `DurationSeconds` parameter to specify the duration of your
|
@@ -541,37 +792,30 @@ module Aws::STS
|
|
541
792
|
# for your role, see [View the Maximum Session Duration Setting for a
|
542
793
|
# Role][3] in the *IAM User Guide*. The maximum session duration limit
|
543
794
|
# applies when you use the `AssumeRole*` API operations or the
|
544
|
-
# `assume-role*` CLI
|
545
|
-
# operations to create a console URL. For more information,
|
546
|
-
# IAM Roles][4] in the *IAM User Guide*.
|
795
|
+
# `assume-role*` CLI commands. However the limit does not apply when you
|
796
|
+
# use those operations to create a console URL. For more information,
|
797
|
+
# see [Using IAM Roles][4] in the *IAM User Guide*.
|
798
|
+
#
|
799
|
+
# **Permissions**
|
547
800
|
#
|
548
801
|
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
549
802
|
# be used to make API calls to any AWS service with the following
|
550
|
-
# exception: you cannot call the STS
|
551
|
-
# `GetSessionToken`
|
552
|
-
#
|
553
|
-
#
|
554
|
-
#
|
555
|
-
#
|
556
|
-
#
|
557
|
-
#
|
558
|
-
#
|
559
|
-
#
|
560
|
-
#
|
561
|
-
#
|
562
|
-
#
|
563
|
-
#
|
564
|
-
#
|
565
|
-
#
|
566
|
-
# information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
567
|
-
# AssumeRoleWithWebIdentity][5] in the *IAM User Guide*.
|
568
|
-
#
|
569
|
-
# Before your application can call `AssumeRoleWithSAML`, you must
|
570
|
-
# configure your SAML identity provider (IdP) to issue the claims
|
571
|
-
# required by AWS. Additionally, you must use AWS Identity and Access
|
572
|
-
# Management (IAM) to create a SAML provider entity in your AWS account
|
573
|
-
# that represents your identity provider, and create an IAM role that
|
574
|
-
# specifies this SAML provider in its trust policy.
|
803
|
+
# exception: you cannot call the STS `GetFederationToken` or
|
804
|
+
# `GetSessionToken` API operations.
|
805
|
+
#
|
806
|
+
# (Optional) You can pass inline or managed [session policies][5] to
|
807
|
+
# this operation. You can pass a single JSON policy document to use as
|
808
|
+
# an inline session policy. You can also specify up to 10 managed
|
809
|
+
# policies to use as managed session policies. The plain text that you
|
810
|
+
# use for both inline and managed session policies can't exceed 2,048
|
811
|
+
# characters. Passing policies to this operation returns new temporary
|
812
|
+
# credentials. The resulting session's permissions are the intersection
|
813
|
+
# of the role's identity-based policy and the session policies. You can
|
814
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
815
|
+
# access resources in the account that owns the role. You cannot use
|
816
|
+
# session policies to grant more permissions than those allowed by the
|
817
|
+
# identity-based policy of the role that is being assumed. For more
|
818
|
+
# information, see [Session Policies][5] in the *IAM User Guide*.
|
575
819
|
#
|
576
820
|
# Calling `AssumeRoleWithSAML` does not require the use of AWS security
|
577
821
|
# credentials. The identity of the caller is validated by using keys in
|
@@ -580,33 +824,82 @@ module Aws::STS
|
|
580
824
|
#
|
581
825
|
# Calling `AssumeRoleWithSAML` can result in an entry in your AWS
|
582
826
|
# CloudTrail logs. The entry includes the value in the `NameID` element
|
583
|
-
# of the SAML assertion. We recommend that you use a NameIDType that
|
584
|
-
# not associated with any personally identifiable information (PII).
|
585
|
-
# example, you could instead use the
|
827
|
+
# of the SAML assertion. We recommend that you use a `NameIDType` that
|
828
|
+
# is not associated with any personally identifiable information (PII).
|
829
|
+
# For example, you could instead use the persistent identifier
|
586
830
|
# (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
|
587
831
|
#
|
832
|
+
# **Tags**
|
833
|
+
#
|
834
|
+
# (Optional) You can configure your IdP to pass attributes into your
|
835
|
+
# SAML assertion as session tags. Each session tag consists of a key
|
836
|
+
# name and an associated value. For more information about session tags,
|
837
|
+
# see [Passing Session Tags in STS][6] in the *IAM User Guide*.
|
838
|
+
#
|
839
|
+
# You can pass up to 50 session tags. The plain text session tag keys
|
840
|
+
# can’t exceed 128 characters and the values can’t exceed 256
|
841
|
+
# characters. For these and additional limits, see [IAM and STS
|
842
|
+
# Character Limits][7] in the *IAM User Guide*.
|
843
|
+
#
|
844
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
845
|
+
# tags into a packed binary format that has a separate limit. Your
|
846
|
+
# request can fail for this limit even if your plain text meets the
|
847
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
848
|
+
# by percentage how close the policies and tags for your request are to
|
849
|
+
# the upper size limit.
|
850
|
+
#
|
851
|
+
# </note>
|
852
|
+
#
|
853
|
+
# You can pass a session tag with the same key as a tag that is attached
|
854
|
+
# to the role. When you do, session tags override the role's tags with
|
855
|
+
# the same key.
|
856
|
+
#
|
857
|
+
# An administrator must grant you the permissions necessary to pass
|
858
|
+
# session tags. The administrator can also create granular permissions
|
859
|
+
# to allow you to pass only specific session tags. For more information,
|
860
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
|
861
|
+
# the *IAM User Guide*.
|
862
|
+
#
|
863
|
+
# You can set the session tags as transitive. Transitive tags persist
|
864
|
+
# during role chaining. For more information, see [Chaining Roles with
|
865
|
+
# Session Tags][9] in the *IAM User Guide*.
|
866
|
+
#
|
867
|
+
# **SAML Configuration**
|
868
|
+
#
|
869
|
+
# Before your application can call `AssumeRoleWithSAML`, you must
|
870
|
+
# configure your SAML identity provider (IdP) to issue the claims
|
871
|
+
# required by AWS. Additionally, you must use AWS Identity and Access
|
872
|
+
# Management (IAM) to create a SAML provider entity in your AWS account
|
873
|
+
# that represents your identity provider. You must also create an IAM
|
874
|
+
# role that specifies this SAML provider in its trust policy.
|
875
|
+
#
|
588
876
|
# For more information, see the following resources:
|
589
877
|
#
|
590
|
-
# * [About SAML 2.0-based Federation][
|
878
|
+
# * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
|
591
879
|
#
|
592
|
-
# * [Creating SAML Identity Providers][
|
880
|
+
# * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
|
593
881
|
#
|
594
|
-
# * [Configuring a Relying Party and Claims][
|
882
|
+
# * [Configuring a Relying Party and Claims][12] in the *IAM User
|
883
|
+
# Guide*.
|
595
884
|
#
|
596
|
-
# * [Creating a Role for SAML 2.0 Federation][
|
885
|
+
# * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
|
597
886
|
# Guide*.
|
598
887
|
#
|
599
888
|
#
|
600
889
|
#
|
601
|
-
# [1]:
|
602
|
-
# [2]:
|
603
|
-
# [3]:
|
604
|
-
# [4]:
|
605
|
-
# [5]:
|
606
|
-
# [6]:
|
607
|
-
# [7]:
|
608
|
-
# [8]:
|
609
|
-
# [9]:
|
890
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
891
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
892
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
893
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
894
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
895
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
896
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
897
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
898
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
899
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
900
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
901
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
902
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
610
903
|
#
|
611
904
|
# @option params [required, String] :role_arn
|
612
905
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -620,44 +913,79 @@ module Aws::STS
|
|
620
913
|
# The base-64 encoded SAML authentication response provided by the IdP.
|
621
914
|
#
|
622
915
|
# For more information, see [Configuring a Relying Party and Adding
|
623
|
-
# Claims][1] in the *
|
916
|
+
# Claims][1] in the *IAM User Guide*.
|
624
917
|
#
|
625
918
|
#
|
626
919
|
#
|
627
|
-
# [1]:
|
920
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
|
628
921
|
#
|
629
|
-
# @option params [
|
630
|
-
#
|
631
|
-
#
|
632
|
-
#
|
633
|
-
# security credentials that are returned by the operation have the
|
634
|
-
# permissions that are allowed by both the access policy of the role
|
635
|
-
# that is being assumed, <i> <b>and</b> </i> the policy that you pass.
|
636
|
-
# This gives you a way to further restrict the permissions for the
|
637
|
-
# resulting temporary security credentials. You cannot use the passed
|
638
|
-
# policy to grant permissions that are in excess of those allowed by the
|
639
|
-
# access policy of the role that is being assumed. For more information,
|
640
|
-
# [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
641
|
-
# AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
|
922
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
923
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
924
|
+
# want to use as managed session policies. The policies must exist in
|
925
|
+
# the same account as the role.
|
642
926
|
#
|
643
|
-
#
|
644
|
-
#
|
927
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
928
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
929
|
+
# session policies can't exceed 2,048 characters. For more information
|
930
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
931
|
+
# Namespaces][1] in the AWS General Reference.
|
932
|
+
#
|
933
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
934
|
+
# tags into a packed binary format that has a separate limit. Your
|
935
|
+
# request can fail for this limit even if your plain text meets the
|
936
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
937
|
+
# by percentage how close the policies and tags for your request are to
|
938
|
+
# the upper size limit.
|
939
|
+
#
|
940
|
+
# </note>
|
941
|
+
#
|
942
|
+
# Passing policies to this operation returns new temporary credentials.
|
943
|
+
# The resulting session's permissions are the intersection of the
|
944
|
+
# role's identity-based policy and the session policies. You can use
|
945
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
946
|
+
# access resources in the account that owns the role. You cannot use
|
947
|
+
# session policies to grant more permissions than those allowed by the
|
948
|
+
# identity-based policy of the role that is being assumed. For more
|
949
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
950
|
+
#
|
951
|
+
#
|
952
|
+
#
|
953
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
954
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
955
|
+
#
|
956
|
+
# @option params [String] :policy
|
957
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
958
|
+
# policy.
|
959
|
+
#
|
960
|
+
# This parameter is optional. Passing policies to this operation returns
|
961
|
+
# new temporary credentials. The resulting session's permissions are
|
962
|
+
# the intersection of the role's identity-based policy and the session
|
963
|
+
# policies. You can use the role's temporary credentials in subsequent
|
964
|
+
# AWS API calls to access resources in the account that owns the role.
|
965
|
+
# You cannot use session policies to grant more permissions than those
|
966
|
+
# allowed by the identity-based policy of the role that is being
|
967
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
968
|
+
# User Guide*.
|
969
|
+
#
|
970
|
+
# The plain text that you use for both inline and managed session
|
971
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
645
972
|
# can be any ASCII character from the space character to the end of the
|
646
|
-
# valid character list (\\u0020
|
647
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
973
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
974
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
648
975
|
# characters.
|
649
976
|
#
|
650
|
-
# <note markdown="1">
|
651
|
-
#
|
652
|
-
#
|
653
|
-
#
|
654
|
-
#
|
977
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
978
|
+
# tags into a packed binary format that has a separate limit. Your
|
979
|
+
# request can fail for this limit even if your plain text meets the
|
980
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
981
|
+
# by percentage how close the policies and tags for your request are to
|
982
|
+
# the upper size limit.
|
655
983
|
#
|
656
984
|
# </note>
|
657
985
|
#
|
658
986
|
#
|
659
987
|
#
|
660
|
-
# [1]:
|
988
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
661
989
|
#
|
662
990
|
# @option params [Integer] :duration_seconds
|
663
991
|
# The duration, in seconds, of the role session. Your role session lasts
|
@@ -673,7 +1001,7 @@ module Aws::STS
|
|
673
1001
|
# maximum value for your role, see [View the Maximum Session Duration
|
674
1002
|
# Setting for a Role][1] in the *IAM User Guide*.
|
675
1003
|
#
|
676
|
-
# By default, the value is set to 3600 seconds.
|
1004
|
+
# By default, the value is set to `3600` seconds.
|
677
1005
|
#
|
678
1006
|
# <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
|
679
1007
|
# console session that you might request using the returned credentials.
|
@@ -687,8 +1015,8 @@ module Aws::STS
|
|
687
1015
|
#
|
688
1016
|
#
|
689
1017
|
#
|
690
|
-
# [1]:
|
691
|
-
# [2]:
|
1018
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1019
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
692
1020
|
#
|
693
1021
|
# @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
694
1022
|
#
|
@@ -701,12 +1029,47 @@ module Aws::STS
|
|
701
1029
|
# * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
|
702
1030
|
# * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
|
703
1031
|
#
|
1032
|
+
#
|
1033
|
+
# @example Example: To assume a role using a SAML assertion
|
1034
|
+
#
|
1035
|
+
# resp = client.assume_role_with_saml({
|
1036
|
+
# duration_seconds: 3600,
|
1037
|
+
# principal_arn: "arn:aws:iam::123456789012:saml-provider/SAML-test",
|
1038
|
+
# role_arn: "arn:aws:iam::123456789012:role/TestSaml",
|
1039
|
+
# saml_assertion: "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",
|
1040
|
+
# })
|
1041
|
+
#
|
1042
|
+
# resp.to_h outputs the following:
|
1043
|
+
# {
|
1044
|
+
# assumed_role_user: {
|
1045
|
+
# arn: "arn:aws:sts::123456789012:assumed-role/TestSaml",
|
1046
|
+
# assumed_role_id: "ARO456EXAMPLE789:TestSaml",
|
1047
|
+
# },
|
1048
|
+
# audience: "https://signin.aws.amazon.com/saml",
|
1049
|
+
# credentials: {
|
1050
|
+
# access_key_id: "ASIAV3ZUEFP6EXAMPLE",
|
1051
|
+
# expiration: Time.parse("2019-11-01T20:26:47Z"),
|
1052
|
+
# secret_access_key: "8P+SQvWIuLnKhh8d++jpw0nNmQRBZvNEXAMPLEKEY",
|
1053
|
+
# session_token: "IQoJb3JpZ2luX2VjEOz////////////////////wEXAMPLEtMSJHMEUCIDoKK3JH9uGQE1z0sINr5M4jk+Na8KHDcCYRVjJCZEvOAiEA3OvJGtw1EcViOleS2vhs8VdCKFJQWPQrmGdeehM4IC1NtBmUpp2wUE8phUZampKsburEDy0KPkyQDYwT7WZ0wq5VSXDvp75YU9HFvlRd8Tx6q6fE8YQcHNVXAkiY9q6d+xo0rKwT38xVqr7ZD0u0iPPkUL64lIZbqBAz+scqKmlzm8FDrypNC9Yjc8fPOLn9FX9KSYvKTr4rvx3iSIlTJabIQwj2ICCR/oLxBA==",
|
1054
|
+
# },
|
1055
|
+
# issuer: "https://integ.example.com/idp/shibboleth",
|
1056
|
+
# name_qualifier: "SbdGOnUkh1i4+EXAMPLExL/jEvs=",
|
1057
|
+
# packed_policy_size: 6,
|
1058
|
+
# subject: "SamlExample",
|
1059
|
+
# subject_type: "transient",
|
1060
|
+
# }
|
1061
|
+
#
|
704
1062
|
# @example Request syntax with placeholder values
|
705
1063
|
#
|
706
1064
|
# resp = client.assume_role_with_saml({
|
707
1065
|
# role_arn: "arnType", # required
|
708
1066
|
# principal_arn: "arnType", # required
|
709
1067
|
# saml_assertion: "SAMLAssertionType", # required
|
1068
|
+
# policy_arns: [
|
1069
|
+
# {
|
1070
|
+
# arn: "arnType",
|
1071
|
+
# },
|
1072
|
+
# ],
|
710
1073
|
# policy: "sessionPolicyDocumentType",
|
711
1074
|
# duration_seconds: 1,
|
712
1075
|
# })
|
@@ -737,16 +1100,17 @@ module Aws::STS
|
|
737
1100
|
|
738
1101
|
# Returns a set of temporary security credentials for users who have
|
739
1102
|
# been authenticated in a mobile or web application with a web identity
|
740
|
-
# provider
|
741
|
-
# or any OpenID Connect-compatible identity provider.
|
1103
|
+
# provider. Example providers include Amazon Cognito, Login with Amazon,
|
1104
|
+
# Facebook, Google, or any OpenID Connect-compatible identity provider.
|
742
1105
|
#
|
743
1106
|
# <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
|
744
|
-
# can use Amazon Cognito with the [AWS SDK for iOS][1]
|
745
|
-
# for Android][2] to uniquely identify
|
746
|
-
#
|
1107
|
+
# can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
|
1108
|
+
# and the [AWS SDK for Android Developer Guide][2] to uniquely identify
|
1109
|
+
# a user. You can also supply the user with a consistent identity
|
1110
|
+
# throughout the lifetime of an application.
|
747
1111
|
#
|
748
1112
|
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
|
749
|
-
# in
|
1113
|
+
# in *AWS SDK for Android Developer Guide* and [Amazon Cognito
|
750
1114
|
# Overview][4] in the *AWS SDK for iOS Developer Guide*.
|
751
1115
|
#
|
752
1116
|
# </note>
|
@@ -755,18 +1119,20 @@ module Aws::STS
|
|
755
1119
|
# security credentials. Therefore, you can distribute an application
|
756
1120
|
# (for example, on mobile devices) that requests temporary security
|
757
1121
|
# credentials without including long-term AWS credentials in the
|
758
|
-
# application
|
759
|
-
# use long-term AWS credentials. Instead, the identity of
|
760
|
-
# validated by using a token from the web identity
|
761
|
-
# comparison of `AssumeRoleWithWebIdentity` with the
|
762
|
-
# produce temporary credentials, see
|
763
|
-
# Credentials][5] and [Comparing the AWS
|
764
|
-
# Guide*.
|
1122
|
+
# application. You also don't need to deploy server-based proxy
|
1123
|
+
# services that use long-term AWS credentials. Instead, the identity of
|
1124
|
+
# the caller is validated by using a token from the web identity
|
1125
|
+
# provider. For a comparison of `AssumeRoleWithWebIdentity` with the
|
1126
|
+
# other API operations that produce temporary credentials, see
|
1127
|
+
# [Requesting Temporary Security Credentials][5] and [Comparing the AWS
|
1128
|
+
# STS API operations][6] in the *IAM User Guide*.
|
765
1129
|
#
|
766
1130
|
# The temporary security credentials returned by this API consist of an
|
767
1131
|
# access key ID, a secret access key, and a security token. Applications
|
768
1132
|
# can use these temporary security credentials to sign calls to AWS
|
769
|
-
# service
|
1133
|
+
# service API operations.
|
1134
|
+
#
|
1135
|
+
# **Session Duration**
|
770
1136
|
#
|
771
1137
|
# By default, the temporary security credentials created by
|
772
1138
|
# `AssumeRoleWithWebIdentity` last for one hour. However, you can use
|
@@ -777,30 +1143,68 @@ module Aws::STS
|
|
777
1143
|
# value for your role, see [View the Maximum Session Duration Setting
|
778
1144
|
# for a Role][7] in the *IAM User Guide*. The maximum session duration
|
779
1145
|
# limit applies when you use the `AssumeRole*` API operations or the
|
780
|
-
# `assume-role*` CLI
|
781
|
-
# operations to create a console URL. For more information,
|
782
|
-
# IAM Roles][8] in the *IAM User Guide*.
|
1146
|
+
# `assume-role*` CLI commands. However the limit does not apply when you
|
1147
|
+
# use those operations to create a console URL. For more information,
|
1148
|
+
# see [Using IAM Roles][8] in the *IAM User Guide*.
|
1149
|
+
#
|
1150
|
+
# **Permissions**
|
783
1151
|
#
|
784
1152
|
# The temporary security credentials created by
|
785
1153
|
# `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
|
786
1154
|
# service with the following exception: you cannot call the STS
|
787
|
-
#
|
788
|
-
#
|
789
|
-
#
|
790
|
-
#
|
791
|
-
#
|
792
|
-
#
|
793
|
-
#
|
794
|
-
#
|
795
|
-
#
|
796
|
-
#
|
797
|
-
#
|
798
|
-
#
|
799
|
-
#
|
800
|
-
# that is being assumed. For more
|
801
|
-
#
|
1155
|
+
# `GetFederationToken` or `GetSessionToken` API operations.
|
1156
|
+
#
|
1157
|
+
# (Optional) You can pass inline or managed [session policies][9] to
|
1158
|
+
# this operation. You can pass a single JSON policy document to use as
|
1159
|
+
# an inline session policy. You can also specify up to 10 managed
|
1160
|
+
# policies to use as managed session policies. The plain text that you
|
1161
|
+
# use for both inline and managed session policies can't exceed 2,048
|
1162
|
+
# characters. Passing policies to this operation returns new temporary
|
1163
|
+
# credentials. The resulting session's permissions are the intersection
|
1164
|
+
# of the role's identity-based policy and the session policies. You can
|
1165
|
+
# use the role's temporary credentials in subsequent AWS API calls to
|
1166
|
+
# access resources in the account that owns the role. You cannot use
|
1167
|
+
# session policies to grant more permissions than those allowed by the
|
1168
|
+
# identity-based policy of the role that is being assumed. For more
|
1169
|
+
# information, see [Session Policies][9] in the *IAM User Guide*.
|
1170
|
+
#
|
1171
|
+
# **Tags**
|
1172
|
+
#
|
1173
|
+
# (Optional) You can configure your IdP to pass attributes into your web
|
1174
|
+
# identity token as session tags. Each session tag consists of a key
|
1175
|
+
# name and an associated value. For more information about session tags,
|
1176
|
+
# see [Passing Session Tags in STS][10] in the *IAM User Guide*.
|
1177
|
+
#
|
1178
|
+
# You can pass up to 50 session tags. The plain text session tag keys
|
1179
|
+
# can’t exceed 128 characters and the values can’t exceed 256
|
1180
|
+
# characters. For these and additional limits, see [IAM and STS
|
1181
|
+
# Character Limits][11] in the *IAM User Guide*.
|
1182
|
+
#
|
1183
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1184
|
+
# tags into a packed binary format that has a separate limit. Your
|
1185
|
+
# request can fail for this limit even if your plain text meets the
|
1186
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1187
|
+
# by percentage how close the policies and tags for your request are to
|
1188
|
+
# the upper size limit.
|
1189
|
+
#
|
1190
|
+
# </note>
|
1191
|
+
#
|
1192
|
+
# You can pass a session tag with the same key as a tag that is attached
|
1193
|
+
# to the role. When you do, the session tag overrides the role tag with
|
1194
|
+
# the same key.
|
1195
|
+
#
|
1196
|
+
# An administrator must grant you the permissions necessary to pass
|
1197
|
+
# session tags. The administrator can also create granular permissions
|
1198
|
+
# to allow you to pass only specific session tags. For more information,
|
1199
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][12] in
|
802
1200
|
# the *IAM User Guide*.
|
803
1201
|
#
|
1202
|
+
# You can set the session tags as transitive. Transitive tags persist
|
1203
|
+
# during role chaining. For more information, see [Chaining Roles with
|
1204
|
+
# Session Tags][13] in the *IAM User Guide*.
|
1205
|
+
#
|
1206
|
+
# **Identities**
|
1207
|
+
#
|
804
1208
|
# Before your application can call `AssumeRoleWithWebIdentity`, you must
|
805
1209
|
# have an identity token from a supported identity provider and create a
|
806
1210
|
# role that the application can assume. The role that your application
|
@@ -809,29 +1213,30 @@ module Aws::STS
|
|
809
1213
|
# specified in the role's trust policy.
|
810
1214
|
#
|
811
1215
|
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
|
812
|
-
# CloudTrail logs. The entry includes the [Subject][
|
1216
|
+
# CloudTrail logs. The entry includes the [Subject][14] of the provided
|
813
1217
|
# Web Identity Token. We recommend that you avoid using any personally
|
814
1218
|
# identifiable information (PII) in this field. For example, you could
|
815
1219
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
816
|
-
# specification][
|
1220
|
+
# specification][15].
|
817
1221
|
#
|
818
1222
|
# For more information about how to use web identity federation and the
|
819
1223
|
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
820
1224
|
#
|
821
|
-
# * [Using Web Identity Federation
|
822
|
-
# [Federation Through a Web-based Identity Provider][
|
1225
|
+
# * [Using Web Identity Federation API Operations for Mobile Apps][16]
|
1226
|
+
# and [Federation Through a Web-based Identity Provider][17].
|
823
1227
|
#
|
824
|
-
# * [ Web Identity Federation Playground][
|
825
|
-
#
|
826
|
-
#
|
827
|
-
#
|
1228
|
+
# * [ Web Identity Federation Playground][18]. Walk through the process
|
1229
|
+
# of authenticating through Login with Amazon, Facebook, or Google,
|
1230
|
+
# getting temporary security credentials, and then using those
|
1231
|
+
# credentials to make a request to AWS.
|
828
1232
|
#
|
829
|
-
# * [AWS SDK for iOS][1] and [AWS SDK for Android
|
830
|
-
# contain sample apps that show
|
831
|
-
#
|
832
|
-
# use
|
1233
|
+
# * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
|
1234
|
+
# Developer Guide][2]. These toolkits contain sample apps that show
|
1235
|
+
# how to invoke the identity providers. The toolkits then show how to
|
1236
|
+
# use the information from these providers to get and use temporary
|
1237
|
+
# security credentials.
|
833
1238
|
#
|
834
|
-
# * [Web Identity Federation with Mobile Applications][
|
1239
|
+
# * [Web Identity Federation with Mobile Applications][19]. This article
|
835
1240
|
# discusses web identity federation and shows an example of how to use
|
836
1241
|
# web identity federation to get access to content in Amazon S3.
|
837
1242
|
#
|
@@ -839,19 +1244,23 @@ module Aws::STS
|
|
839
1244
|
#
|
840
1245
|
# [1]: http://aws.amazon.com/sdkforios/
|
841
1246
|
# [2]: http://aws.amazon.com/sdkforandroid/
|
842
|
-
# [3]:
|
843
|
-
# [4]:
|
844
|
-
# [5]:
|
845
|
-
# [6]:
|
846
|
-
# [7]:
|
847
|
-
# [8]:
|
848
|
-
# [9]:
|
849
|
-
# [10]:
|
850
|
-
# [11]:
|
851
|
-
# [12]:
|
852
|
-
# [13]:
|
853
|
-
# [14]:
|
854
|
-
# [15]: http://
|
1247
|
+
# [3]: https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
|
1248
|
+
# [4]: https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
|
1249
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1250
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1251
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1252
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
1253
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1254
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1255
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1256
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1257
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
1258
|
+
# [14]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
1259
|
+
# [15]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
1260
|
+
# [16]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
1261
|
+
# [17]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1262
|
+
# [18]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
|
1263
|
+
# [19]: http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications
|
855
1264
|
#
|
856
1265
|
# @option params [required, String] :role_arn
|
857
1266
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -888,38 +1297,73 @@ module Aws::STS
|
|
888
1297
|
#
|
889
1298
|
# Do not specify this value for OpenID Connect ID tokens.
|
890
1299
|
#
|
891
|
-
# @option params [
|
892
|
-
#
|
893
|
-
#
|
894
|
-
#
|
895
|
-
# security credentials that are returned by the operation have the
|
896
|
-
# permissions that are allowed by both the access policy of the role
|
897
|
-
# that is being assumed, <i> <b>and</b> </i> the policy that you pass.
|
898
|
-
# This gives you a way to further restrict the permissions for the
|
899
|
-
# resulting temporary security credentials. You cannot use the passed
|
900
|
-
# policy to grant permissions that are in excess of those allowed by the
|
901
|
-
# access policy of the role that is being assumed. For more information,
|
902
|
-
# see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
|
903
|
-
# Guide*.
|
1300
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
1301
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
1302
|
+
# want to use as managed session policies. The policies must exist in
|
1303
|
+
# the same account as the role.
|
904
1304
|
#
|
905
|
-
#
|
906
|
-
#
|
1305
|
+
# This parameter is optional. You can provide up to 10 managed policy
|
1306
|
+
# ARNs. However, the plain text that you use for both inline and managed
|
1307
|
+
# session policies can't exceed 2,048 characters. For more information
|
1308
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
|
1309
|
+
# Namespaces][1] in the AWS General Reference.
|
1310
|
+
#
|
1311
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1312
|
+
# tags into a packed binary format that has a separate limit. Your
|
1313
|
+
# request can fail for this limit even if your plain text meets the
|
1314
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1315
|
+
# by percentage how close the policies and tags for your request are to
|
1316
|
+
# the upper size limit.
|
1317
|
+
#
|
1318
|
+
# </note>
|
1319
|
+
#
|
1320
|
+
# Passing policies to this operation returns new temporary credentials.
|
1321
|
+
# The resulting session's permissions are the intersection of the
|
1322
|
+
# role's identity-based policy and the session policies. You can use
|
1323
|
+
# the role's temporary credentials in subsequent AWS API calls to
|
1324
|
+
# access resources in the account that owns the role. You cannot use
|
1325
|
+
# session policies to grant more permissions than those allowed by the
|
1326
|
+
# identity-based policy of the role that is being assumed. For more
|
1327
|
+
# information, see [Session Policies][2] in the *IAM User Guide*.
|
1328
|
+
#
|
1329
|
+
#
|
1330
|
+
#
|
1331
|
+
# [1]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
1332
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1333
|
+
#
|
1334
|
+
# @option params [String] :policy
|
1335
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
1336
|
+
# policy.
|
1337
|
+
#
|
1338
|
+
# This parameter is optional. Passing policies to this operation returns
|
1339
|
+
# new temporary credentials. The resulting session's permissions are
|
1340
|
+
# the intersection of the role's identity-based policy and the session
|
1341
|
+
# policies. You can use the role's temporary credentials in subsequent
|
1342
|
+
# AWS API calls to access resources in the account that owns the role.
|
1343
|
+
# You cannot use session policies to grant more permissions than those
|
1344
|
+
# allowed by the identity-based policy of the role that is being
|
1345
|
+
# assumed. For more information, see [Session Policies][1] in the *IAM
|
1346
|
+
# User Guide*.
|
1347
|
+
#
|
1348
|
+
# The plain text that you use for both inline and managed session
|
1349
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
907
1350
|
# can be any ASCII character from the space character to the end of the
|
908
|
-
# valid character list (\\u0020
|
909
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1351
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
1352
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
910
1353
|
# characters.
|
911
1354
|
#
|
912
|
-
# <note markdown="1">
|
913
|
-
#
|
914
|
-
#
|
915
|
-
#
|
916
|
-
#
|
1355
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1356
|
+
# tags into a packed binary format that has a separate limit. Your
|
1357
|
+
# request can fail for this limit even if your plain text meets the
|
1358
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1359
|
+
# by percentage how close the policies and tags for your request are to
|
1360
|
+
# the upper size limit.
|
917
1361
|
#
|
918
1362
|
# </note>
|
919
1363
|
#
|
920
1364
|
#
|
921
1365
|
#
|
922
|
-
# [1]:
|
1366
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
923
1367
|
#
|
924
1368
|
# @option params [Integer] :duration_seconds
|
925
1369
|
# The duration, in seconds, of the role session. The value can range
|
@@ -932,7 +1376,7 @@ module Aws::STS
|
|
932
1376
|
# see [View the Maximum Session Duration Setting for a Role][1] in the
|
933
1377
|
# *IAM User Guide*.
|
934
1378
|
#
|
935
|
-
# By default, the value is set to 3600 seconds.
|
1379
|
+
# By default, the value is set to `3600` seconds.
|
936
1380
|
#
|
937
1381
|
# <note markdown="1"> The `DurationSeconds` parameter is separate from the duration of a
|
938
1382
|
# console session that you might request using the returned credentials.
|
@@ -946,8 +1390,8 @@ module Aws::STS
|
|
946
1390
|
#
|
947
1391
|
#
|
948
1392
|
#
|
949
|
-
# [1]:
|
950
|
-
# [2]:
|
1393
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
1394
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
951
1395
|
#
|
952
1396
|
# @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
953
1397
|
#
|
@@ -963,6 +1407,7 @@ module Aws::STS
|
|
963
1407
|
#
|
964
1408
|
# resp = client.assume_role_with_web_identity({
|
965
1409
|
# duration_seconds: 3600,
|
1410
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
966
1411
|
# provider_id: "www.amazon.com",
|
967
1412
|
# role_arn: "arn:aws:iam::123456789012:role/FederatedWebIdentityRole",
|
968
1413
|
# role_session_name: "app1",
|
@@ -994,6 +1439,11 @@ module Aws::STS
|
|
994
1439
|
# role_session_name: "roleSessionNameType", # required
|
995
1440
|
# web_identity_token: "clientTokenType", # required
|
996
1441
|
# provider_id: "urlType",
|
1442
|
+
# policy_arns: [
|
1443
|
+
# {
|
1444
|
+
# arn: "arnType",
|
1445
|
+
# },
|
1446
|
+
# ],
|
997
1447
|
# policy: "sessionPolicyDocumentType",
|
998
1448
|
# duration_seconds: 1,
|
999
1449
|
# })
|
@@ -1024,21 +1474,22 @@ module Aws::STS
|
|
1024
1474
|
# request from an encoded message returned in response to an AWS
|
1025
1475
|
# request.
|
1026
1476
|
#
|
1027
|
-
# For example, if a user is not authorized to perform an
|
1028
|
-
# or she has requested, the request returns a
|
1477
|
+
# For example, if a user is not authorized to perform an operation that
|
1478
|
+
# he or she has requested, the request returns a
|
1029
1479
|
# `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
|
1030
|
-
# AWS
|
1480
|
+
# AWS operations additionally return an encoded message that can provide
|
1031
1481
|
# details about this authorization failure.
|
1032
1482
|
#
|
1033
|
-
# <note markdown="1"> Only certain AWS
|
1034
|
-
# documentation for an individual
|
1035
|
-
# returns an encoded message in addition to returning an HTTP
|
1483
|
+
# <note markdown="1"> Only certain AWS operations return an encoded authorization message.
|
1484
|
+
# The documentation for an individual operation indicates whether that
|
1485
|
+
# operation returns an encoded message in addition to returning an HTTP
|
1486
|
+
# code.
|
1036
1487
|
#
|
1037
1488
|
# </note>
|
1038
1489
|
#
|
1039
1490
|
# The message is encoded because the details of the authorization status
|
1040
1491
|
# can constitute privileged information that the user who requested the
|
1041
|
-
#
|
1492
|
+
# operation should not see. To decode an authorization status message, a
|
1042
1493
|
# user must be granted permissions via an IAM policy to request the
|
1043
1494
|
# `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
|
1044
1495
|
# action.
|
@@ -1059,7 +1510,7 @@ module Aws::STS
|
|
1059
1510
|
#
|
1060
1511
|
#
|
1061
1512
|
#
|
1062
|
-
# [1]:
|
1513
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
|
1063
1514
|
#
|
1064
1515
|
# @option params [required, String] :encoded_message
|
1065
1516
|
# The encoded message that was returned with the response.
|
@@ -1099,8 +1550,82 @@ module Aws::STS
|
|
1099
1550
|
req.send_request(options)
|
1100
1551
|
end
|
1101
1552
|
|
1102
|
-
# Returns
|
1103
|
-
#
|
1553
|
+
# Returns the account identifier for the specified access key ID.
|
1554
|
+
#
|
1555
|
+
# Access keys consist of two parts: an access key ID (for example,
|
1556
|
+
# `AKIAIOSFODNN7EXAMPLE`) and a secret access key (for example,
|
1557
|
+
# `wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY`). For more information
|
1558
|
+
# about access keys, see [Managing Access Keys for IAM Users][1] in the
|
1559
|
+
# *IAM User Guide*.
|
1560
|
+
#
|
1561
|
+
# When you pass an access key ID to this operation, it returns the ID of
|
1562
|
+
# the AWS account to which the keys belong. Access key IDs beginning
|
1563
|
+
# with `AKIA` are long-term credentials for an IAM user or the AWS
|
1564
|
+
# account root user. Access key IDs beginning with `ASIA` are temporary
|
1565
|
+
# credentials that are created using STS operations. If the account in
|
1566
|
+
# the response belongs to you, you can sign in as the root user and
|
1567
|
+
# review your root user access keys. Then, you can pull a [credentials
|
1568
|
+
# report][2] to learn which IAM user owns the keys. To learn who
|
1569
|
+
# requested the temporary credentials for an `ASIA` access key, view the
|
1570
|
+
# STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
|
1571
|
+
#
|
1572
|
+
# This operation does not indicate the state of the access key. The key
|
1573
|
+
# might be active, inactive, or deleted. Active keys might not have
|
1574
|
+
# permissions to perform an operation. Providing a deleted access key
|
1575
|
+
# might return an error that the key doesn't exist.
|
1576
|
+
#
|
1577
|
+
#
|
1578
|
+
#
|
1579
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
|
1580
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html
|
1581
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html
|
1582
|
+
#
|
1583
|
+
# @option params [required, String] :access_key_id
|
1584
|
+
# The identifier of an access key.
|
1585
|
+
#
|
1586
|
+
# This parameter allows (through its regex pattern) a string of
|
1587
|
+
# characters that can consist of any upper- or lowercase letter or
|
1588
|
+
# digit.
|
1589
|
+
#
|
1590
|
+
# @return [Types::GetAccessKeyInfoResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1591
|
+
#
|
1592
|
+
# * {Types::GetAccessKeyInfoResponse#account #account} => String
|
1593
|
+
#
|
1594
|
+
# @example Request syntax with placeholder values
|
1595
|
+
#
|
1596
|
+
# resp = client.get_access_key_info({
|
1597
|
+
# access_key_id: "accessKeyIdType", # required
|
1598
|
+
# })
|
1599
|
+
#
|
1600
|
+
# @example Response structure
|
1601
|
+
#
|
1602
|
+
# resp.account #=> String
|
1603
|
+
#
|
1604
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfo AWS API Documentation
|
1605
|
+
#
|
1606
|
+
# @overload get_access_key_info(params = {})
|
1607
|
+
# @param [Hash] params ({})
|
1608
|
+
def get_access_key_info(params = {}, options = {})
|
1609
|
+
req = build_request(:get_access_key_info, params)
|
1610
|
+
req.send_request(options)
|
1611
|
+
end
|
1612
|
+
|
1613
|
+
# Returns details about the IAM user or role whose credentials are used
|
1614
|
+
# to call the operation.
|
1615
|
+
#
|
1616
|
+
# <note markdown="1"> No permissions are required to perform this operation. If an
|
1617
|
+
# administrator adds a policy to your IAM user or role that explicitly
|
1618
|
+
# denies access to the `sts:GetCallerIdentity` action, you can still
|
1619
|
+
# perform this operation. Permissions are not required because the same
|
1620
|
+
# information is returned when an IAM user or role is denied access. To
|
1621
|
+
# view an example response, see [I Am Not Authorized to Perform:
|
1622
|
+
# iam:DeleteVirtualMFADevice][1] in the *IAM User Guide*.
|
1623
|
+
#
|
1624
|
+
# </note>
|
1625
|
+
#
|
1626
|
+
#
|
1627
|
+
#
|
1628
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa
|
1104
1629
|
#
|
1105
1630
|
# @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1106
1631
|
#
|
@@ -1173,97 +1698,106 @@ module Aws::STS
|
|
1173
1698
|
# access key ID, a secret access key, and a security token) for a
|
1174
1699
|
# federated user. A typical use is in a proxy application that gets
|
1175
1700
|
# temporary security credentials on behalf of distributed applications
|
1176
|
-
# inside a corporate network.
|
1177
|
-
#
|
1178
|
-
#
|
1179
|
-
#
|
1180
|
-
#
|
1181
|
-
#
|
1182
|
-
#
|
1701
|
+
# inside a corporate network. You must call the `GetFederationToken`
|
1702
|
+
# operation using the long-term security credentials of an IAM user. As
|
1703
|
+
# a result, this call is appropriate in contexts where those credentials
|
1704
|
+
# can be safely stored, usually in a server-based application. For a
|
1705
|
+
# comparison of `GetFederationToken` with the other API operations that
|
1706
|
+
# produce temporary credentials, see [Requesting Temporary Security
|
1707
|
+
# Credentials][1] and [Comparing the AWS STS API operations][2] in the
|
1183
1708
|
# *IAM User Guide*.
|
1184
1709
|
#
|
1185
|
-
# <note markdown="1">
|
1710
|
+
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1186
1711
|
# authenticate users using a web identity provider like Login with
|
1187
1712
|
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1188
|
-
# provider, we recommend that you use [Amazon Cognito][3]
|
1189
|
-
# `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1190
|
-
# Through a Web-based Identity Provider][4]
|
1713
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][3]
|
1714
|
+
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1715
|
+
# Through a Web-based Identity Provider][4] in the *IAM User Guide*.
|
1191
1716
|
#
|
1192
1717
|
# </note>
|
1193
1718
|
#
|
1194
|
-
#
|
1195
|
-
# AWS
|
1196
|
-
#
|
1197
|
-
#
|
1198
|
-
#
|
1199
|
-
#
|
1200
|
-
#
|
1201
|
-
# information, see [IAM Best Practices][5] in the *IAM User Guide*.
|
1202
|
-
#
|
1203
|
-
# The temporary security credentials that are obtained by using the
|
1204
|
-
# long-term credentials of an IAM user are valid for the specified
|
1205
|
-
# duration, from 900 seconds (15 minutes) up to a maximium of 129600
|
1206
|
-
# seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
|
1207
|
-
# credentials that are obtained by using AWS root account credentials
|
1208
|
-
# have a maximum duration of 3600 seconds (1 hour).
|
1209
|
-
#
|
1210
|
-
# The temporary security credentials created by `GetFederationToken` can
|
1211
|
-
# be used to make API calls to any AWS service with the following
|
1212
|
-
# exceptions:
|
1719
|
+
# You can also call `GetFederationToken` using the security credentials
|
1720
|
+
# of an AWS account root user, but we do not recommend it. Instead, we
|
1721
|
+
# recommend that you create an IAM user for the purpose of the proxy
|
1722
|
+
# application. Then attach a policy to the IAM user that limits
|
1723
|
+
# federated users to only the actions and resources that they need to
|
1724
|
+
# access. For more information, see [IAM Best Practices][5] in the *IAM
|
1725
|
+
# User Guide*.
|
1213
1726
|
#
|
1214
|
-
#
|
1727
|
+
# **Session duration**
|
1215
1728
|
#
|
1216
|
-
#
|
1729
|
+
# The temporary credentials are valid for the specified duration, from
|
1730
|
+
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1731
|
+
# hours). The default session duration is 43,200 seconds (12 hours).
|
1732
|
+
# Temporary credentials that are obtained by using AWS account root user
|
1733
|
+
# credentials have a maximum duration of 3,600 seconds (1 hour).
|
1217
1734
|
#
|
1218
1735
|
# **Permissions**
|
1219
1736
|
#
|
1220
|
-
#
|
1221
|
-
#
|
1222
|
-
#
|
1223
|
-
# *
|
1224
|
-
#
|
1225
|
-
#
|
1226
|
-
#
|
1227
|
-
#
|
1228
|
-
#
|
1229
|
-
#
|
1230
|
-
#
|
1231
|
-
#
|
1232
|
-
#
|
1233
|
-
#
|
1234
|
-
#
|
1235
|
-
#
|
1236
|
-
#
|
1237
|
-
#
|
1238
|
-
#
|
1239
|
-
#
|
1240
|
-
#
|
1241
|
-
#
|
1242
|
-
#
|
1243
|
-
# operation that scopes down the permissions to a level that's
|
1244
|
-
# appropriate to that individual user, using a policy that allows only a
|
1245
|
-
# subset of permissions that are granted to the IAM user.
|
1246
|
-
#
|
1247
|
-
# If you do not pass a policy, the resulting temporary security
|
1248
|
-
# credentials have no effective permissions. The only exception is when
|
1249
|
-
# the temporary security credentials are used to access a resource that
|
1250
|
-
# has a resource-based policy that specifically allows the federated
|
1251
|
-
# user to access the resource.
|
1252
|
-
#
|
1253
|
-
# For more information about how permissions work, see [Permissions for
|
1254
|
-
# GetFederationToken][6]. For information about using
|
1737
|
+
# You can use the temporary credentials created by `GetFederationToken`
|
1738
|
+
# in any AWS service except the following:
|
1739
|
+
#
|
1740
|
+
# * You cannot call any IAM operations using the AWS CLI or the AWS API.
|
1741
|
+
#
|
1742
|
+
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1743
|
+
#
|
1744
|
+
# You must pass an inline or managed [session policy][6] to this
|
1745
|
+
# operation. You can pass a single JSON policy document to use as an
|
1746
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1747
|
+
# to use as managed session policies. The plain text that you use for
|
1748
|
+
# both inline and managed session policies can't exceed 2,048
|
1749
|
+
# characters.
|
1750
|
+
#
|
1751
|
+
# Though the session policy parameters are optional, if you do not pass
|
1752
|
+
# a policy, then the resulting federated user session has no
|
1753
|
+
# permissions. When you pass session policies, the session permissions
|
1754
|
+
# are the intersection of the IAM user policies and the session policies
|
1755
|
+
# that you pass. This gives you a way to further restrict the
|
1756
|
+
# permissions for a federated user. You cannot use session policies to
|
1757
|
+
# grant more permissions than those that are defined in the permissions
|
1758
|
+
# policy of the IAM user. For more information, see [Session
|
1759
|
+
# Policies][6] in the *IAM User Guide*. For information about using
|
1255
1760
|
# `GetFederationToken` to create temporary security credentials, see
|
1256
1761
|
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
1257
1762
|
#
|
1763
|
+
# You can use the credentials to access a resource that has a
|
1764
|
+
# resource-based policy. If that policy specifically references the
|
1765
|
+
# federated user session in the `Principal` element of the policy, the
|
1766
|
+
# session has the permissions allowed by the policy. These permissions
|
1767
|
+
# are granted in addition to the permissions granted by the session
|
1768
|
+
# policies.
|
1258
1769
|
#
|
1770
|
+
# **Tags**
|
1771
|
+
#
|
1772
|
+
# (Optional) You can pass tag key-value pairs to your session. These are
|
1773
|
+
# called session tags. For more information about session tags, see
|
1774
|
+
# [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
1775
|
+
#
|
1776
|
+
# An administrator must grant you the permissions necessary to pass
|
1777
|
+
# session tags. The administrator can also create granular permissions
|
1778
|
+
# to allow you to pass only specific session tags. For more information,
|
1779
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
1780
|
+
# the *IAM User Guide*.
|
1259
1781
|
#
|
1260
|
-
#
|
1261
|
-
#
|
1782
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
1783
|
+
# This means that you cannot have separate `Department` and `department`
|
1784
|
+
# tag keys. Assume that the user that you are federating has the
|
1785
|
+
# `Department`=`Marketing` tag and you pass the
|
1786
|
+
# `department`=`engineering` session tag. `Department` and `department`
|
1787
|
+
# are not saved as separate tags, and the session tag passed in the
|
1788
|
+
# request takes precedence over the user tag.
|
1789
|
+
#
|
1790
|
+
#
|
1791
|
+
#
|
1792
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
1793
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
1262
1794
|
# [3]: http://aws.amazon.com/cognito/
|
1263
|
-
# [4]:
|
1264
|
-
# [5]:
|
1265
|
-
# [6]:
|
1266
|
-
# [7]:
|
1795
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
1796
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
|
1797
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1798
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
1799
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1800
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
1267
1801
|
#
|
1268
1802
|
# @option params [required, String] :name
|
1269
1803
|
# The name of the federated user. The name is used as an identifier for
|
@@ -1277,53 +1811,143 @@ module Aws::STS
|
|
1277
1811
|
# characters: =,.@-
|
1278
1812
|
#
|
1279
1813
|
# @option params [String] :policy
|
1280
|
-
# An IAM policy in JSON format that
|
1281
|
-
#
|
1282
|
-
#
|
1283
|
-
#
|
1284
|
-
#
|
1285
|
-
#
|
1286
|
-
#
|
1287
|
-
#
|
1288
|
-
#
|
1289
|
-
#
|
1290
|
-
#
|
1291
|
-
#
|
1292
|
-
#
|
1293
|
-
#
|
1294
|
-
#
|
1295
|
-
# user to
|
1814
|
+
# An IAM policy in JSON format that you want to use as an inline session
|
1815
|
+
# policy.
|
1816
|
+
#
|
1817
|
+
# You must pass an inline or managed [session policy][1] to this
|
1818
|
+
# operation. You can pass a single JSON policy document to use as an
|
1819
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1820
|
+
# to use as managed session policies.
|
1821
|
+
#
|
1822
|
+
# This parameter is optional. However, if you do not pass any session
|
1823
|
+
# policies, then the resulting federated user session has no
|
1824
|
+
# permissions.
|
1825
|
+
#
|
1826
|
+
# When you pass session policies, the session permissions are the
|
1827
|
+
# intersection of the IAM user policies and the session policies that
|
1828
|
+
# you pass. This gives you a way to further restrict the permissions for
|
1829
|
+
# a federated user. You cannot use session policies to grant more
|
1830
|
+
# permissions than those that are defined in the permissions policy of
|
1831
|
+
# the IAM user. For more information, see [Session Policies][1] in the
|
1832
|
+
# *IAM User Guide*.
|
1296
1833
|
#
|
1297
|
-
# The
|
1298
|
-
#
|
1834
|
+
# The resulting credentials can be used to access a resource that has a
|
1835
|
+
# resource-based policy. If that policy specifically references the
|
1836
|
+
# federated user session in the `Principal` element of the policy, the
|
1837
|
+
# session has the permissions allowed by the policy. These permissions
|
1838
|
+
# are granted in addition to the permissions that are granted by the
|
1839
|
+
# session policies.
|
1840
|
+
#
|
1841
|
+
# The plain text that you use for both inline and managed session
|
1842
|
+
# policies can't exceed 2,048 characters. The JSON policy characters
|
1299
1843
|
# can be any ASCII character from the space character to the end of the
|
1300
|
-
# valid character list (\\u0020
|
1301
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1844
|
+
# valid character list (\\u0020 through \\u00FF). It can also include
|
1845
|
+
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1302
1846
|
# characters.
|
1303
1847
|
#
|
1304
|
-
# <note markdown="1">
|
1305
|
-
#
|
1306
|
-
#
|
1307
|
-
#
|
1308
|
-
#
|
1848
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1849
|
+
# tags into a packed binary format that has a separate limit. Your
|
1850
|
+
# request can fail for this limit even if your plain text meets the
|
1851
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1852
|
+
# by percentage how close the policies and tags for your request are to
|
1853
|
+
# the upper size limit.
|
1309
1854
|
#
|
1310
1855
|
# </note>
|
1311
1856
|
#
|
1312
|
-
# For more information about how permissions work, see [Permissions for
|
1313
|
-
# GetFederationToken][1].
|
1314
1857
|
#
|
1315
1858
|
#
|
1859
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1316
1860
|
#
|
1317
|
-
#
|
1861
|
+
# @option params [Array<Types::PolicyDescriptorType>] :policy_arns
|
1862
|
+
# The Amazon Resource Names (ARNs) of the IAM managed policies that you
|
1863
|
+
# want to use as a managed session policy. The policies must exist in
|
1864
|
+
# the same account as the IAM user that is requesting federated access.
|
1865
|
+
#
|
1866
|
+
# You must pass an inline or managed [session policy][1] to this
|
1867
|
+
# operation. You can pass a single JSON policy document to use as an
|
1868
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1869
|
+
# to use as managed session policies. The plain text that you use for
|
1870
|
+
# both inline and managed session policies can't exceed 2,048
|
1871
|
+
# characters. You can provide up to 10 managed policy ARNs. For more
|
1872
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and AWS
|
1873
|
+
# Service Namespaces][2] in the AWS General Reference.
|
1874
|
+
#
|
1875
|
+
# This parameter is optional. However, if you do not pass any session
|
1876
|
+
# policies, then the resulting federated user session has no
|
1877
|
+
# permissions.
|
1878
|
+
#
|
1879
|
+
# When you pass session policies, the session permissions are the
|
1880
|
+
# intersection of the IAM user policies and the session policies that
|
1881
|
+
# you pass. This gives you a way to further restrict the permissions for
|
1882
|
+
# a federated user. You cannot use session policies to grant more
|
1883
|
+
# permissions than those that are defined in the permissions policy of
|
1884
|
+
# the IAM user. For more information, see [Session Policies][1] in the
|
1885
|
+
# *IAM User Guide*.
|
1886
|
+
#
|
1887
|
+
# The resulting credentials can be used to access a resource that has a
|
1888
|
+
# resource-based policy. If that policy specifically references the
|
1889
|
+
# federated user session in the `Principal` element of the policy, the
|
1890
|
+
# session has the permissions allowed by the policy. These permissions
|
1891
|
+
# are granted in addition to the permissions that are granted by the
|
1892
|
+
# session policies.
|
1893
|
+
#
|
1894
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1895
|
+
# tags into a packed binary format that has a separate limit. Your
|
1896
|
+
# request can fail for this limit even if your plain text meets the
|
1897
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1898
|
+
# by percentage how close the policies and tags for your request are to
|
1899
|
+
# the upper size limit.
|
1900
|
+
#
|
1901
|
+
# </note>
|
1902
|
+
#
|
1903
|
+
#
|
1904
|
+
#
|
1905
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
1906
|
+
# [2]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
|
1318
1907
|
#
|
1319
1908
|
# @option params [Integer] :duration_seconds
|
1320
1909
|
# The duration, in seconds, that the session should last. Acceptable
|
1321
1910
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
1322
|
-
# to
|
1323
|
-
# default. Sessions obtained using AWS account
|
1324
|
-
# restricted to a maximum of
|
1325
|
-
# duration is longer than one hour, the session obtained by using
|
1326
|
-
#
|
1911
|
+
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
1912
|
+
# default. Sessions obtained using AWS account root user credentials are
|
1913
|
+
# restricted to a maximum of 3,600 seconds (one hour). If the specified
|
1914
|
+
# duration is longer than one hour, the session obtained by using root
|
1915
|
+
# user credentials defaults to one hour.
|
1916
|
+
#
|
1917
|
+
# @option params [Array<Types::Tag>] :tags
|
1918
|
+
# A list of session tags. Each session tag consists of a key name and an
|
1919
|
+
# associated value. For more information about session tags, see
|
1920
|
+
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1921
|
+
#
|
1922
|
+
# This parameter is optional. You can pass up to 50 session tags. The
|
1923
|
+
# plain text session tag keys can’t exceed 128 characters and the values
|
1924
|
+
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
1925
|
+
# and STS Character Limits][2] in the *IAM User Guide*.
|
1926
|
+
#
|
1927
|
+
# <note markdown="1"> An AWS conversion compresses the passed session policies and session
|
1928
|
+
# tags into a packed binary format that has a separate limit. Your
|
1929
|
+
# request can fail for this limit even if your plain text meets the
|
1930
|
+
# other requirements. The `PackedPolicySize` response element indicates
|
1931
|
+
# by percentage how close the policies and tags for your request are to
|
1932
|
+
# the upper size limit.
|
1933
|
+
#
|
1934
|
+
# </note>
|
1935
|
+
#
|
1936
|
+
# You can pass a session tag with the same key as a tag that is already
|
1937
|
+
# attached to the user you are federating. When you do, session tags
|
1938
|
+
# override a user tag with the same key.
|
1939
|
+
#
|
1940
|
+
# Tag key–value pairs are not case sensitive, but case is preserved.
|
1941
|
+
# This means that you cannot have separate `Department` and `department`
|
1942
|
+
# tag keys. Assume that the role has the `Department`=`Marketing` tag
|
1943
|
+
# and you pass the `department`=`engineering` session tag. `Department`
|
1944
|
+
# and `department` are not saved as separate tags, and the session tag
|
1945
|
+
# passed in the request takes precedence over the role tag.
|
1946
|
+
#
|
1947
|
+
#
|
1948
|
+
#
|
1949
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1950
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
1327
1951
|
#
|
1328
1952
|
# @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
1329
1953
|
#
|
@@ -1336,8 +1960,18 @@ module Aws::STS
|
|
1336
1960
|
#
|
1337
1961
|
# resp = client.get_federation_token({
|
1338
1962
|
# duration_seconds: 3600,
|
1339
|
-
# name: "
|
1340
|
-
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3
|
1963
|
+
# name: "testFedUserSession",
|
1964
|
+
# policy: "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Sid\":\"Stmt1\",\"Effect\":\"Allow\",\"Action\":\"s3:ListAllMyBuckets\",\"Resource\":\"*\"}]}",
|
1965
|
+
# tags: [
|
1966
|
+
# {
|
1967
|
+
# key: "Project",
|
1968
|
+
# value: "Pegasus",
|
1969
|
+
# },
|
1970
|
+
# {
|
1971
|
+
# key: "Cost-Center",
|
1972
|
+
# value: "98765",
|
1973
|
+
# },
|
1974
|
+
# ],
|
1341
1975
|
# })
|
1342
1976
|
#
|
1343
1977
|
# resp.to_h outputs the following:
|
@@ -1352,7 +1986,7 @@ module Aws::STS
|
|
1352
1986
|
# arn: "arn:aws:sts::123456789012:federated-user/Bob",
|
1353
1987
|
# federated_user_id: "123456789012:Bob",
|
1354
1988
|
# },
|
1355
|
-
# packed_policy_size:
|
1989
|
+
# packed_policy_size: 8,
|
1356
1990
|
# }
|
1357
1991
|
#
|
1358
1992
|
# @example Request syntax with placeholder values
|
@@ -1360,7 +1994,18 @@ module Aws::STS
|
|
1360
1994
|
# resp = client.get_federation_token({
|
1361
1995
|
# name: "userNameType", # required
|
1362
1996
|
# policy: "sessionPolicyDocumentType",
|
1997
|
+
# policy_arns: [
|
1998
|
+
# {
|
1999
|
+
# arn: "arnType",
|
2000
|
+
# },
|
2001
|
+
# ],
|
1363
2002
|
# duration_seconds: 1,
|
2003
|
+
# tags: [
|
2004
|
+
# {
|
2005
|
+
# key: "tagKeyType", # required
|
2006
|
+
# value: "tagValueType", # required
|
2007
|
+
# },
|
2008
|
+
# ],
|
1364
2009
|
# })
|
1365
2010
|
#
|
1366
2011
|
# @example Response structure
|
@@ -1385,50 +2030,55 @@ module Aws::STS
|
|
1385
2030
|
# Returns a set of temporary credentials for an AWS account or IAM user.
|
1386
2031
|
# The credentials consist of an access key ID, a secret access key, and
|
1387
2032
|
# a security token. Typically, you use `GetSessionToken` if you want to
|
1388
|
-
# use MFA to protect programmatic calls to specific AWS
|
1389
|
-
# EC2 `StopInstances`. MFA-enabled IAM users would need to
|
1390
|
-
# `GetSessionToken` and submit an MFA code that is associated with
|
1391
|
-
# MFA device. Using the temporary security credentials that are
|
1392
|
-
# from the call, IAM users can then make programmatic calls to
|
1393
|
-
# require MFA authentication. If you do not supply a
|
1394
|
-
# then the API returns an access denied error. For a
|
1395
|
-
# `GetSessionToken` with the other
|
1396
|
-
# credentials, see [Requesting Temporary Security
|
1397
|
-
# [Comparing the AWS STS
|
1398
|
-
#
|
1399
|
-
#
|
1400
|
-
#
|
1401
|
-
#
|
1402
|
-
#
|
1403
|
-
#
|
1404
|
-
#
|
1405
|
-
#
|
1406
|
-
#
|
2033
|
+
# use MFA to protect programmatic calls to specific AWS API operations
|
2034
|
+
# like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
|
2035
|
+
# call `GetSessionToken` and submit an MFA code that is associated with
|
2036
|
+
# their MFA device. Using the temporary security credentials that are
|
2037
|
+
# returned from the call, IAM users can then make programmatic calls to
|
2038
|
+
# API operations that require MFA authentication. If you do not supply a
|
2039
|
+
# correct MFA code, then the API returns an access denied error. For a
|
2040
|
+
# comparison of `GetSessionToken` with the other API operations that
|
2041
|
+
# produce temporary credentials, see [Requesting Temporary Security
|
2042
|
+
# Credentials][1] and [Comparing the AWS STS API operations][2] in the
|
2043
|
+
# *IAM User Guide*.
|
2044
|
+
#
|
2045
|
+
# **Session Duration**
|
2046
|
+
#
|
2047
|
+
# The `GetSessionToken` operation must be called by using the long-term
|
2048
|
+
# AWS security credentials of the AWS account root user or an IAM user.
|
2049
|
+
# Credentials that are created by IAM users are valid for the duration
|
2050
|
+
# that you specify. This duration can range from 900 seconds (15
|
2051
|
+
# minutes) up to a maximum of 129,600 seconds (36 hours), with a default
|
2052
|
+
# of 43,200 seconds (12 hours). Credentials based on account credentials
|
2053
|
+
# can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
|
2054
|
+
# with a default of 1 hour.
|
2055
|
+
#
|
2056
|
+
# **Permissions**
|
1407
2057
|
#
|
1408
2058
|
# The temporary security credentials created by `GetSessionToken` can be
|
1409
2059
|
# used to make API calls to any AWS service with the following
|
1410
2060
|
# exceptions:
|
1411
2061
|
#
|
1412
|
-
# * You cannot call any IAM
|
1413
|
-
# is included in the request.
|
2062
|
+
# * You cannot call any IAM API operations unless MFA authentication
|
2063
|
+
# information is included in the request.
|
1414
2064
|
#
|
1415
2065
|
# * You cannot call any STS API *except* `AssumeRole` or
|
1416
2066
|
# `GetCallerIdentity`.
|
1417
2067
|
#
|
1418
|
-
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with
|
1419
|
-
# credentials. Instead, follow our [best practices][3] by
|
1420
|
-
# or more IAM users, giving them the necessary permissions,
|
1421
|
-
# IAM users for everyday interaction with AWS.
|
2068
|
+
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
|
2069
|
+
# root user credentials. Instead, follow our [best practices][3] by
|
2070
|
+
# creating one or more IAM users, giving them the necessary permissions,
|
2071
|
+
# and using IAM users for everyday interaction with AWS.
|
1422
2072
|
#
|
1423
2073
|
# </note>
|
1424
2074
|
#
|
1425
|
-
# The
|
1426
|
-
#
|
1427
|
-
#
|
1428
|
-
#
|
1429
|
-
#
|
1430
|
-
#
|
1431
|
-
#
|
2075
|
+
# The credentials that are returned by `GetSessionToken` are based on
|
2076
|
+
# permissions associated with the user whose credentials were used to
|
2077
|
+
# call the operation. If `GetSessionToken` is called using AWS account
|
2078
|
+
# root user credentials, the temporary credentials have root user
|
2079
|
+
# permissions. Similarly, if `GetSessionToken` is called using the
|
2080
|
+
# credentials of an IAM user, the temporary credentials have the same
|
2081
|
+
# permissions as the IAM user.
|
1432
2082
|
#
|
1433
2083
|
# For more information about using `GetSessionToken` to create temporary
|
1434
2084
|
# credentials, go to [Temporary Credentials for Users in Untrusted
|
@@ -1436,18 +2086,18 @@ module Aws::STS
|
|
1436
2086
|
#
|
1437
2087
|
#
|
1438
2088
|
#
|
1439
|
-
# [1]:
|
1440
|
-
# [2]:
|
1441
|
-
# [3]:
|
1442
|
-
# [4]:
|
2089
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
2090
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
2091
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
|
2092
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
1443
2093
|
#
|
1444
2094
|
# @option params [Integer] :duration_seconds
|
1445
2095
|
# The duration, in seconds, that the credentials should remain valid.
|
1446
2096
|
# Acceptable durations for IAM user sessions range from 900 seconds (15
|
1447
|
-
# minutes) to
|
2097
|
+
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
|
1448
2098
|
# as the default. Sessions for AWS account owners are restricted to a
|
1449
|
-
# maximum of
|
1450
|
-
# hour, the session for AWS account owners defaults to one hour.
|
2099
|
+
# maximum of 3,600 seconds (one hour). If the duration is longer than
|
2100
|
+
# one hour, the session for AWS account owners defaults to one hour.
|
1451
2101
|
#
|
1452
2102
|
# @option params [String] :serial_number
|
1453
2103
|
# The identification number of the MFA device that is associated with
|
@@ -1459,7 +2109,7 @@ module Aws::STS
|
|
1459
2109
|
# device for an IAM user by going to the AWS Management Console and
|
1460
2110
|
# viewing the user's security credentials.
|
1461
2111
|
#
|
1462
|
-
# The regex used to
|
2112
|
+
# The regex used to validate this parameter is a string of characters
|
1463
2113
|
# consisting of upper- and lower-case alphanumeric characters with no
|
1464
2114
|
# spaces. You can also include underscores or any of the following
|
1465
2115
|
# characters: =,.@:/-
|
@@ -1467,9 +2117,9 @@ module Aws::STS
|
|
1467
2117
|
# @option params [String] :token_code
|
1468
2118
|
# The value provided by the MFA device, if MFA is required. If any
|
1469
2119
|
# policy requires the IAM user to submit an MFA code, specify this
|
1470
|
-
# value. If MFA authentication is required,
|
1471
|
-
#
|
1472
|
-
#
|
2120
|
+
# value. If MFA authentication is required, the user must provide a code
|
2121
|
+
# when requesting a set of temporary security credentials. A user who
|
2122
|
+
# fails to provide the code receives an "access denied" response when
|
1473
2123
|
# requesting resources that require MFA authentication.
|
1474
2124
|
#
|
1475
2125
|
# The format for this parameter, as described by its regex pattern, is a
|
@@ -1535,7 +2185,7 @@ module Aws::STS
|
|
1535
2185
|
params: params,
|
1536
2186
|
config: config)
|
1537
2187
|
context[:gem_name] = 'aws-sdk-core'
|
1538
|
-
context[:gem_version] = '3.
|
2188
|
+
context[:gem_version] = '3.94.0'
|
1539
2189
|
Seahorse::Client::Request.new(handlers, context)
|
1540
2190
|
end
|
1541
2191
|
|