aws-sdk-core 3.0.0.rc2 → 3.0.0.rc3
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/VERSION +1 -1
- data/lib/aws-sdk-core/log/param_filter.rb +1 -1
- data/lib/aws-sdk-core/plugins/retry_errors.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +1 -1
- data/lib/aws-sdk-core/rest/request/endpoint.rb +1 -1
- data/lib/aws-sdk-core/version.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +1213 -1152
- data/lib/aws-sdk-sts/client_api.rb +254 -256
- data/lib/aws-sdk-sts/errors.rb +4 -13
- data/lib/aws-sdk-sts/resource.rb +12 -14
- data/lib/aws-sdk-sts/types.rb +859 -828
- data/lib/seahorse/client/net_http/handler.rb +5 -2
- data/lib/seahorse/client/plugin_list.rb +3 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
---
|
|
2
2
|
SHA1:
|
|
3
|
-
metadata.gz:
|
|
4
|
-
data.tar.gz:
|
|
3
|
+
metadata.gz: 2b367b9513d10af431235298f76327b90144a1fd
|
|
4
|
+
data.tar.gz: 921ca14ca28f4c5ef0a946eb3b3730bba5355f88
|
|
5
5
|
SHA512:
|
|
6
|
-
metadata.gz:
|
|
7
|
-
data.tar.gz:
|
|
6
|
+
metadata.gz: 994e0954d23f6130188b8b2087fffaf6c99cb8e0db2c6efd9dabb7ff62f4f4047a3923ce2a9a85270c34d696742cd752ce77b1573901b807d49941e632e8602d
|
|
7
|
+
data.tar.gz: 113c307ce0841a5bd8218d840c9da85ea26f75b8944f27a98d1820c3d237aac5b87cf8622bd6c31b33571b3a7d07edd4827fb8d97347984792fd6d7fccadd1f9
|
data/VERSION
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
3.0.0.
|
|
1
|
+
3.0.0.rc3
|
|
@@ -11,7 +11,7 @@ module Aws
|
|
|
11
11
|
#
|
|
12
12
|
# @api private
|
|
13
13
|
# begin
|
|
14
|
-
SENSITIVE = [:access_token, :admin_contact, :artifact_credentials, :auth_code, :base_32_string_seed, :client_id, :client_secret, :copy_source_sse_customer_key, :credentials, :id_token, :local_console_password, :message, :name, :new_password, :old_password, :owner_information, :parameters, :password, :payload, :plaintext, :previous_password, :private_key, :proposed_password, :public_key, :qr_code_png, :refresh_token, :registrant_contact, :secret_access_key, :secret_hash, :shared_secret, :sse_customer_key, :ssekms_key_id, :task_parameters, :tech_contact, :temporary_password, :trust_password, :upload_credentials, :username, :value, :values, :variables, :zip_file]
|
|
14
|
+
SENSITIVE = [:access_token, :admin_contact, :artifact_credentials, :auth_code, :base_32_string_seed, :client_id, :client_secret, :copy_source_sse_customer_key, :credentials, :id_token, :local_console_password, :message, :name, :new_password, :old_password, :owner_information, :parameters, :password, :payload, :plaintext, :previous_password, :private_key, :proposed_password, :public_key, :qr_code_png, :refresh_token, :registrant_contact, :secret_access_key, :secret_hash, :service_password, :shared_secret, :sse_customer_key, :ssekms_key_id, :task_parameters, :tech_contact, :temporary_password, :trust_password, :upload_credentials, :username, :value, :values, :variables, :zip_file]
|
|
15
15
|
# end
|
|
16
16
|
|
|
17
17
|
def initialize(options = {})
|
|
@@ -80,7 +80,7 @@ module Aws
|
|
|
80
80
|
service: cfg.sigv4_name,
|
|
81
81
|
region: cfg.sigv4_region,
|
|
82
82
|
credentials_provider: cfg.credentials,
|
|
83
|
-
unsigned_headers: ['content-length', 'user-agent']
|
|
83
|
+
unsigned_headers: ['content-length', 'user-agent', 'x-amzn-trace-id']
|
|
84
84
|
)
|
|
85
85
|
elsif cfg.credentials
|
|
86
86
|
raise Errors::MissingRegionError
|
|
@@ -29,7 +29,7 @@ module Aws
|
|
|
29
29
|
|
|
30
30
|
def apply_path_params(uri, params)
|
|
31
31
|
path = uri.path.sub(/\/$/, '') + @path_pattern.split('?')[0]
|
|
32
|
-
uri.path = path.gsub(/{
|
|
32
|
+
uri.path = path.gsub(/{.+?}/) do |placeholder|
|
|
33
33
|
param_value_for_placeholder(placeholder, params)
|
|
34
34
|
end
|
|
35
35
|
end
|
data/lib/aws-sdk-core/version.rb
CHANGED
data/lib/aws-sdk-sts.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# WARNING ABOUT GENERATED CODE
|
|
2
2
|
#
|
|
3
|
-
# This file is generated. See the contributing for
|
|
3
|
+
# This file is generated. See the contributing guide for more information:
|
|
4
4
|
# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
|
|
5
5
|
#
|
|
6
6
|
# WARNING ABOUT GENERATED CODE
|
data/lib/aws-sdk-sts/client.rb
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
# WARNING ABOUT GENERATED CODE
|
|
2
2
|
#
|
|
3
|
-
# This file is generated. See the contributing for
|
|
3
|
+
# This file is generated. See the contributing guide for more information:
|
|
4
4
|
# https://github.com/aws/aws-sdk-ruby/blob/master/CONTRIBUTING.md
|
|
5
5
|
#
|
|
6
6
|
# WARNING ABOUT GENERATED CODE
|
|
@@ -23,1177 +23,1238 @@ require 'aws-sdk-core/plugins/protocols/query.rb'
|
|
|
23
23
|
|
|
24
24
|
Aws::Plugins::GlobalConfiguration.add_identifier(:sts)
|
|
25
25
|
|
|
26
|
-
module Aws
|
|
27
|
-
|
|
28
|
-
class Client < Seahorse::Client::Base
|
|
26
|
+
module Aws::STS
|
|
27
|
+
class Client < Seahorse::Client::Base
|
|
29
28
|
|
|
30
|
-
|
|
29
|
+
include Aws::ClientStubs
|
|
31
30
|
|
|
32
|
-
|
|
31
|
+
@identifier = :sts
|
|
33
32
|
|
|
34
|
-
|
|
33
|
+
set_api(ClientApi::API)
|
|
35
34
|
|
|
36
|
-
|
|
37
|
-
|
|
38
|
-
|
|
39
|
-
|
|
40
|
-
|
|
41
|
-
|
|
42
|
-
|
|
43
|
-
|
|
44
|
-
|
|
45
|
-
|
|
46
|
-
|
|
47
|
-
|
|
48
|
-
|
|
49
|
-
|
|
50
|
-
|
|
35
|
+
add_plugin(Seahorse::Client::Plugins::ContentLength)
|
|
36
|
+
add_plugin(Aws::Plugins::CredentialsConfiguration)
|
|
37
|
+
add_plugin(Aws::Plugins::Logging)
|
|
38
|
+
add_plugin(Aws::Plugins::ParamConverter)
|
|
39
|
+
add_plugin(Aws::Plugins::ParamValidator)
|
|
40
|
+
add_plugin(Aws::Plugins::UserAgent)
|
|
41
|
+
add_plugin(Aws::Plugins::HelpfulSocketErrors)
|
|
42
|
+
add_plugin(Aws::Plugins::RetryErrors)
|
|
43
|
+
add_plugin(Aws::Plugins::GlobalConfiguration)
|
|
44
|
+
add_plugin(Aws::Plugins::RegionalEndpoint)
|
|
45
|
+
add_plugin(Aws::Plugins::ResponsePaging)
|
|
46
|
+
add_plugin(Aws::Plugins::StubResponses)
|
|
47
|
+
add_plugin(Aws::Plugins::IdempotencyToken)
|
|
48
|
+
add_plugin(Aws::Plugins::SignatureV4)
|
|
49
|
+
add_plugin(Aws::Plugins::Protocols::Query)
|
|
51
50
|
|
|
52
|
-
|
|
53
|
-
|
|
54
|
-
|
|
55
|
-
|
|
56
|
-
|
|
57
|
-
|
|
58
|
-
|
|
59
|
-
|
|
60
|
-
|
|
61
|
-
|
|
62
|
-
|
|
63
|
-
|
|
64
|
-
|
|
65
|
-
|
|
66
|
-
|
|
67
|
-
|
|
68
|
-
|
|
69
|
-
|
|
70
|
-
|
|
71
|
-
|
|
72
|
-
|
|
73
|
-
|
|
74
|
-
|
|
75
|
-
|
|
76
|
-
|
|
77
|
-
|
|
78
|
-
|
|
79
|
-
|
|
80
|
-
|
|
81
|
-
|
|
82
|
-
|
|
83
|
-
|
|
84
|
-
|
|
85
|
-
|
|
86
|
-
|
|
87
|
-
|
|
88
|
-
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
|
|
97
|
-
|
|
98
|
-
|
|
99
|
-
|
|
100
|
-
|
|
101
|
-
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
|
|
105
|
-
|
|
106
|
-
|
|
107
|
-
|
|
108
|
-
|
|
109
|
-
|
|
110
|
-
|
|
111
|
-
|
|
112
|
-
|
|
113
|
-
|
|
114
|
-
|
|
115
|
-
|
|
116
|
-
|
|
117
|
-
|
|
118
|
-
|
|
119
|
-
|
|
120
|
-
|
|
121
|
-
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
125
|
-
|
|
126
|
-
|
|
127
|
-
|
|
128
|
-
|
|
129
|
-
|
|
130
|
-
|
|
131
|
-
|
|
51
|
+
# @option options [required, Aws::CredentialProvider] :credentials
|
|
52
|
+
# Your AWS credentials. This can be an instance of any one of the
|
|
53
|
+
# following classes:
|
|
54
|
+
#
|
|
55
|
+
# * `Aws::Credentials` - Used for configuring static, non-refreshing
|
|
56
|
+
# credentials.
|
|
57
|
+
#
|
|
58
|
+
# * `Aws::InstanceProfileCredentials` - Used for loading credentials
|
|
59
|
+
# from an EC2 IMDS on an EC2 instance.
|
|
60
|
+
#
|
|
61
|
+
# * `Aws::SharedCredentials` - Used for loading credentials from a
|
|
62
|
+
# shared file, such as `~/.aws/config`.
|
|
63
|
+
#
|
|
64
|
+
# * `Aws::AssumeRoleCredentials` - Used when you need to assume a role.
|
|
65
|
+
#
|
|
66
|
+
# When `:credentials` are not configured directly, the following
|
|
67
|
+
# locations will be searched for credentials:
|
|
68
|
+
#
|
|
69
|
+
# * `Aws.config[:credentials]`
|
|
70
|
+
# * The `:access_key_id`, `:secret_access_key`, and `:session_token` options.
|
|
71
|
+
# * ENV['AWS_ACCESS_KEY_ID'], ENV['AWS_SECRET_ACCESS_KEY']
|
|
72
|
+
# * `~/.aws/credentials`
|
|
73
|
+
# * `~/.aws/config`
|
|
74
|
+
# * EC2 IMDS instance profile - When used by default, the timeouts are
|
|
75
|
+
# very aggressive. Construct and pass an instance of
|
|
76
|
+
# `Aws::InstanceProfileCredentails` to enable retries and extended
|
|
77
|
+
# timeouts.
|
|
78
|
+
#
|
|
79
|
+
# @option options [required, String] :region
|
|
80
|
+
# The AWS region to connect to. The configured `:region` is
|
|
81
|
+
# used to determine the service `:endpoint`. When not passed,
|
|
82
|
+
# a default `:region` is search for in the following locations:
|
|
83
|
+
#
|
|
84
|
+
# * `Aws.config[:region]`
|
|
85
|
+
# * `ENV['AWS_REGION']`
|
|
86
|
+
# * `ENV['AMAZON_REGION']`
|
|
87
|
+
# * `ENV['AWS_DEFAULT_REGION']`
|
|
88
|
+
# * `~/.aws/credentials`
|
|
89
|
+
# * `~/.aws/config`
|
|
90
|
+
#
|
|
91
|
+
# @option options [String] :access_key_id
|
|
92
|
+
#
|
|
93
|
+
# @option options [Boolean] :convert_params (true)
|
|
94
|
+
# When `true`, an attempt is made to coerce request parameters into
|
|
95
|
+
# the required types.
|
|
96
|
+
#
|
|
97
|
+
# @option options [String] :endpoint
|
|
98
|
+
# The client endpoint is normally constructed from the `:region`
|
|
99
|
+
# option. You should only configure an `:endpoint` when connecting
|
|
100
|
+
# to test endpoints. This should be avalid HTTP(S) URI.
|
|
101
|
+
#
|
|
102
|
+
# @option options [Aws::Log::Formatter] :log_formatter (Aws::Log::Formatter.default)
|
|
103
|
+
# The log formatter.
|
|
104
|
+
#
|
|
105
|
+
# @option options [Symbol] :log_level (:info)
|
|
106
|
+
# The log level to send messages to the `:logger` at.
|
|
107
|
+
#
|
|
108
|
+
# @option options [Logger] :logger
|
|
109
|
+
# The Logger instance to send log messages to. If this option
|
|
110
|
+
# is not set, logging will be disabled.
|
|
111
|
+
#
|
|
112
|
+
# @option options [String] :profile ("default")
|
|
113
|
+
# Used when loading credentials from the shared credentials file
|
|
114
|
+
# at HOME/.aws/credentials. When not specified, 'default' is used.
|
|
115
|
+
#
|
|
116
|
+
# @option options [Integer] :retry_limit (3)
|
|
117
|
+
# The maximum number of times to retry failed requests. Only
|
|
118
|
+
# ~ 500 level server errors and certain ~ 400 level client errors
|
|
119
|
+
# are retried. Generally, these are throttling errors, data
|
|
120
|
+
# checksum errors, networking errors, timeout errors and auth
|
|
121
|
+
# errors from expired credentials.
|
|
122
|
+
#
|
|
123
|
+
# @option options [String] :secret_access_key
|
|
124
|
+
#
|
|
125
|
+
# @option options [String] :session_token
|
|
126
|
+
#
|
|
127
|
+
# @option options [Boolean] :stub_responses (false)
|
|
128
|
+
# Causes the client to return stubbed responses. By default
|
|
129
|
+
# fake responses are generated and returned. You can specify
|
|
130
|
+
# the response data to return or errors to raise by calling
|
|
131
|
+
# {ClientStubs#stub_responses}. See {ClientStubs} for more information.
|
|
132
|
+
#
|
|
133
|
+
# ** Please note ** When response stubbing is enabled, no HTTP
|
|
134
|
+
# requests are made, and retries are disabled.
|
|
135
|
+
#
|
|
136
|
+
# @option options [Boolean] :validate_params (true)
|
|
137
|
+
# When `true`, request parameters are validated before
|
|
138
|
+
# sending the request.
|
|
139
|
+
#
|
|
140
|
+
def initialize(*args)
|
|
141
|
+
super
|
|
142
|
+
end
|
|
132
143
|
|
|
133
|
-
|
|
134
|
-
# access key ID, a secret access key, and a security token) that you can
|
|
135
|
-
# use to access AWS resources that you might not normally have access
|
|
136
|
-
# to. Typically, you use `AssumeRole` for cross-account access or
|
|
137
|
-
# federation. For a comparison of `AssumeRole` with the other APIs that
|
|
138
|
-
# produce temporary credentials, see [Requesting Temporary Security
|
|
139
|
-
# Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
|
|
140
|
-
# Guide*.
|
|
141
|
-
#
|
|
142
|
-
# **Important:** You cannot call `AssumeRole` by using AWS root account
|
|
143
|
-
# credentials; access is denied. You must use credentials for an IAM
|
|
144
|
-
# user or an IAM role to call `AssumeRole`.
|
|
145
|
-
#
|
|
146
|
-
# For cross-account access, imagine that you own multiple accounts and
|
|
147
|
-
# need to access resources in each account. You could create long-term
|
|
148
|
-
# credentials in each account to access those resources. However,
|
|
149
|
-
# managing all those credentials and remembering which one can access
|
|
150
|
-
# which account can be time consuming. Instead, you can create one set
|
|
151
|
-
# of long-term credentials in one account and then use temporary
|
|
152
|
-
# security credentials to access all the other accounts by assuming
|
|
153
|
-
# roles in those accounts. For more information about roles, see [IAM
|
|
154
|
-
# Roles (Delegation and Federation)][3] in the *IAM User Guide*.
|
|
155
|
-
#
|
|
156
|
-
# For federation, you can, for example, grant single sign-on access to
|
|
157
|
-
# the AWS Management Console. If you already have an identity and
|
|
158
|
-
# authentication system in your corporate network, you don't have to
|
|
159
|
-
# recreate user identities in AWS in order to grant those user
|
|
160
|
-
# identities access to AWS. Instead, after a user has been
|
|
161
|
-
# authenticated, you call `AssumeRole` (and specify the role with the
|
|
162
|
-
# appropriate permissions) to get temporary security credentials for
|
|
163
|
-
# that user. With those temporary security credentials, you construct a
|
|
164
|
-
# sign-in URL that users can use to access the console. For more
|
|
165
|
-
# information, see [Common Scenarios for Temporary Credentials][4] in
|
|
166
|
-
# the *IAM User Guide*.
|
|
167
|
-
#
|
|
168
|
-
# The temporary security credentials are valid for the duration that you
|
|
169
|
-
# specified when calling `AssumeRole`, which can be from 900 seconds (15
|
|
170
|
-
# minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
|
|
171
|
-
#
|
|
172
|
-
# The temporary security credentials created by `AssumeRole` can be used
|
|
173
|
-
# to make API calls to any AWS service with the following exception: you
|
|
174
|
-
# cannot call the STS service's `GetFederationToken` or
|
|
175
|
-
# `GetSessionToken` APIs.
|
|
176
|
-
#
|
|
177
|
-
# Optionally, you can pass an IAM access policy to this operation. If
|
|
178
|
-
# you choose not to pass a policy, the temporary security credentials
|
|
179
|
-
# that are returned by the operation have the permissions that are
|
|
180
|
-
# defined in the access policy of the role that is being assumed. If you
|
|
181
|
-
# pass a policy to this operation, the temporary security credentials
|
|
182
|
-
# that are returned by the operation have the permissions that are
|
|
183
|
-
# allowed by both the access policy of the role that is being assumed,
|
|
184
|
-
# <i> <b>and</b> </i> the policy that you pass. This gives you a way to
|
|
185
|
-
# further restrict the permissions for the resulting temporary security
|
|
186
|
-
# credentials. You cannot use the passed policy to grant permissions
|
|
187
|
-
# that are in excess of those allowed by the access policy of the role
|
|
188
|
-
# that is being assumed. For more information, see [Permissions for
|
|
189
|
-
# AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][5] in
|
|
190
|
-
# the *IAM User Guide*.
|
|
191
|
-
#
|
|
192
|
-
# To assume a role, your AWS account must be trusted by the role. The
|
|
193
|
-
# trust relationship is defined in the role's trust policy when the
|
|
194
|
-
# role is created. That trust policy states which accounts are allowed
|
|
195
|
-
# to delegate access to this account's role.
|
|
196
|
-
#
|
|
197
|
-
# The user who wants to access the role must also have permissions
|
|
198
|
-
# delegated from the role's administrator. If the user is in a
|
|
199
|
-
# different account than the role, then the user's administrator must
|
|
200
|
-
# attach a policy that allows the user to call AssumeRole on the ARN of
|
|
201
|
-
# the role in the other account. If the user is in the same account as
|
|
202
|
-
# the role, then you can either attach a policy to the user (identical
|
|
203
|
-
# to the previous different account user), or you can add the user as a
|
|
204
|
-
# principal directly in the role's trust policy
|
|
205
|
-
#
|
|
206
|
-
# **Using MFA with AssumeRole**
|
|
207
|
-
#
|
|
208
|
-
# You can optionally include multi-factor authentication (MFA)
|
|
209
|
-
# information when you call `AssumeRole`. This is useful for
|
|
210
|
-
# cross-account scenarios in which you want to make sure that the user
|
|
211
|
-
# who is assuming the role has been authenticated using an AWS MFA
|
|
212
|
-
# device. In that scenario, the trust policy of the role being assumed
|
|
213
|
-
# includes a condition that tests for MFA authentication; if the caller
|
|
214
|
-
# does not include valid MFA information, the request to assume the role
|
|
215
|
-
# is denied. The condition in a trust policy that tests for MFA
|
|
216
|
-
# authentication might look like the following example.
|
|
217
|
-
#
|
|
218
|
-
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
|
219
|
-
#
|
|
220
|
-
# For more information, see [Configuring MFA-Protected API Access][6] in
|
|
221
|
-
# the *IAM User Guide* guide.
|
|
222
|
-
#
|
|
223
|
-
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
|
224
|
-
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
|
225
|
-
# user's hardware or virtual MFA device. The `TokenCode` is the
|
|
226
|
-
# time-based one-time password (TOTP) that the MFA devices produces.
|
|
227
|
-
#
|
|
228
|
-
#
|
|
229
|
-
#
|
|
230
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
231
|
-
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
232
|
-
# [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
|
|
233
|
-
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
|
|
234
|
-
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
235
|
-
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
|
236
|
-
# @option params [required, String] :role_arn
|
|
237
|
-
# The Amazon Resource Name (ARN) of the role to assume.
|
|
238
|
-
# @option params [required, String] :role_session_name
|
|
239
|
-
# An identifier for the assumed role session.
|
|
240
|
-
#
|
|
241
|
-
# Use the role session name to uniquely identify a session when the same
|
|
242
|
-
# role is assumed by different principals or for different reasons. In
|
|
243
|
-
# cross-account scenarios, the role session name is visible to, and can
|
|
244
|
-
# be logged by the account that owns the role. The role session name is
|
|
245
|
-
# also used in the ARN of the assumed role principal. This means that
|
|
246
|
-
# subsequent cross-account API requests using the temporary security
|
|
247
|
-
# credentials will expose the role session name to the external account
|
|
248
|
-
# in their CloudTrail logs.
|
|
249
|
-
#
|
|
250
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
251
|
-
# string of characters consisting of upper- and lower-case alphanumeric
|
|
252
|
-
# characters with no spaces. You can also include underscores or any of
|
|
253
|
-
# the following characters: =,.@-
|
|
254
|
-
# @option params [String] :policy
|
|
255
|
-
# An IAM policy in JSON format.
|
|
256
|
-
#
|
|
257
|
-
# This parameter is optional. If you pass a policy, the temporary
|
|
258
|
-
# security credentials that are returned by the operation have the
|
|
259
|
-
# permissions that are allowed by both (the intersection of) the access
|
|
260
|
-
# policy of the role that is being assumed, *and* the policy that you
|
|
261
|
-
# pass. This gives you a way to further restrict the permissions for the
|
|
262
|
-
# resulting temporary security credentials. You cannot use the passed
|
|
263
|
-
# policy to grant permissions that are in excess of those allowed by the
|
|
264
|
-
# access policy of the role that is being assumed. For more information,
|
|
265
|
-
# see [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
|
266
|
-
# AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
|
|
267
|
-
#
|
|
268
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
269
|
-
# string of characters up to 2048 characters in length. The characters
|
|
270
|
-
# can be any ASCII character from the space character to the end of the
|
|
271
|
-
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
272
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
273
|
-
# characters.
|
|
274
|
-
#
|
|
275
|
-
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
276
|
-
# internal conversion compresses it into a packed binary format with a
|
|
277
|
-
# separate limit. The PackedPolicySize response element indicates by
|
|
278
|
-
# percentage how close to the upper size limit the policy is, with 100%
|
|
279
|
-
# equaling the maximum allowed size.
|
|
280
|
-
#
|
|
281
|
-
# </note>
|
|
282
|
-
#
|
|
283
|
-
#
|
|
284
|
-
#
|
|
285
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
286
|
-
# @option params [Integer] :duration_seconds
|
|
287
|
-
# The duration, in seconds, of the role session. The value can range
|
|
288
|
-
# from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
|
|
289
|
-
# the value is set to 3600 seconds.
|
|
290
|
-
#
|
|
291
|
-
# <note markdown="1"> This is separate from the duration of a console session that you might
|
|
292
|
-
# request using the returned credentials. The request to the federation
|
|
293
|
-
# endpoint for a console sign-in token takes a `SessionDuration`
|
|
294
|
-
# parameter that specifies the maximum length of the console session,
|
|
295
|
-
# separately from the `DurationSeconds` parameter on this API. For more
|
|
296
|
-
# information, see [Creating a URL that Enables Federated Users to
|
|
297
|
-
# Access the AWS Management Console][1] in the *IAM User Guide*.
|
|
298
|
-
#
|
|
299
|
-
# </note>
|
|
300
|
-
#
|
|
301
|
-
#
|
|
302
|
-
#
|
|
303
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
|
304
|
-
# @option params [String] :external_id
|
|
305
|
-
# A unique identifier that is used by third parties when assuming roles
|
|
306
|
-
# in their customers' accounts. For each role that the third party can
|
|
307
|
-
# assume, they should instruct their customers to ensure the role's
|
|
308
|
-
# trust policy checks for the external ID that the third party
|
|
309
|
-
# generated. Each time the third party assumes the role, they should
|
|
310
|
-
# pass the customer's external ID. The external ID is useful in order
|
|
311
|
-
# to help third parties bind a role to the customer who created it. For
|
|
312
|
-
# more information about the external ID, see [How to Use an External ID
|
|
313
|
-
# When Granting Access to Your AWS Resources to a Third Party][1] in the
|
|
314
|
-
# *IAM User Guide*.
|
|
315
|
-
#
|
|
316
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
317
|
-
# string of characters consisting of upper- and lower-case alphanumeric
|
|
318
|
-
# characters with no spaces. You can also include underscores or any of
|
|
319
|
-
# the following characters: =,.@:\\/-
|
|
320
|
-
#
|
|
321
|
-
#
|
|
322
|
-
#
|
|
323
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
|
|
324
|
-
# @option params [String] :serial_number
|
|
325
|
-
# The identification number of the MFA device that is associated with
|
|
326
|
-
# the user who is making the `AssumeRole` call. Specify this value if
|
|
327
|
-
# the trust policy of the role being assumed includes a condition that
|
|
328
|
-
# requires MFA authentication. The value is either the serial number for
|
|
329
|
-
# a hardware device (such as `GAHT12345678`) or an Amazon Resource Name
|
|
330
|
-
# (ARN) for a virtual device (such as
|
|
331
|
-
# `arn:aws:iam::123456789012:mfa/user`).
|
|
332
|
-
#
|
|
333
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
334
|
-
# string of characters consisting of upper- and lower-case alphanumeric
|
|
335
|
-
# characters with no spaces. You can also include underscores or any of
|
|
336
|
-
# the following characters: =,.@-
|
|
337
|
-
# @option params [String] :token_code
|
|
338
|
-
# The value provided by the MFA device, if the trust policy of the role
|
|
339
|
-
# being assumed requires MFA (that is, if the policy includes a
|
|
340
|
-
# condition that tests for MFA). If the role being assumed requires MFA
|
|
341
|
-
# and if the `TokenCode` value is missing or expired, the `AssumeRole`
|
|
342
|
-
# call returns an "access denied" error.
|
|
343
|
-
#
|
|
344
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
345
|
-
# sequence of six numeric digits.
|
|
346
|
-
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
347
|
-
#
|
|
348
|
-
# * {Types::AssumeRoleResponse#credentials #Credentials} => Types::Credentials
|
|
349
|
-
# * {Types::AssumeRoleResponse#assumed_role_user #AssumedRoleUser} => Types::AssumedRoleUser
|
|
350
|
-
# * {Types::AssumeRoleResponse#packed_policy_size #PackedPolicySize} => Integer
|
|
351
|
-
#
|
|
352
|
-
# @example Request syntax with placeholder values
|
|
353
|
-
# resp = client.assume_role({
|
|
354
|
-
# role_arn: "arnType", # required
|
|
355
|
-
# role_session_name: "roleSessionNameType", # required
|
|
356
|
-
# policy: "sessionPolicyDocumentType",
|
|
357
|
-
# duration_seconds: 1,
|
|
358
|
-
# external_id: "externalIdType",
|
|
359
|
-
# serial_number: "serialNumberType",
|
|
360
|
-
# token_code: "tokenCodeType",
|
|
361
|
-
# })
|
|
362
|
-
#
|
|
363
|
-
# @example Response structure
|
|
364
|
-
# resp.credentials.access_key_id #=> String
|
|
365
|
-
# resp.credentials.secret_access_key #=> String
|
|
366
|
-
# resp.credentials.session_token #=> String
|
|
367
|
-
# resp.credentials.expiration #=> Time
|
|
368
|
-
# resp.assumed_role_user.assumed_role_id #=> String
|
|
369
|
-
# resp.assumed_role_user.arn #=> String
|
|
370
|
-
# resp.packed_policy_size #=> Integer
|
|
371
|
-
# @overload assume_role(params = {})
|
|
372
|
-
# @param [Hash] params ({})
|
|
373
|
-
def assume_role(params = {}, options = {})
|
|
374
|
-
req = build_request(:assume_role, params)
|
|
375
|
-
req.send_request(options)
|
|
376
|
-
end
|
|
144
|
+
# @!group API Operations
|
|
377
145
|
|
|
378
|
-
|
|
379
|
-
|
|
380
|
-
|
|
381
|
-
|
|
382
|
-
|
|
383
|
-
|
|
384
|
-
|
|
385
|
-
|
|
386
|
-
|
|
387
|
-
|
|
388
|
-
|
|
389
|
-
|
|
390
|
-
|
|
391
|
-
|
|
392
|
-
|
|
393
|
-
|
|
394
|
-
|
|
395
|
-
|
|
396
|
-
|
|
397
|
-
|
|
398
|
-
|
|
399
|
-
|
|
400
|
-
|
|
401
|
-
|
|
402
|
-
|
|
403
|
-
|
|
404
|
-
|
|
405
|
-
|
|
406
|
-
|
|
407
|
-
|
|
408
|
-
|
|
409
|
-
|
|
410
|
-
|
|
411
|
-
|
|
412
|
-
|
|
413
|
-
|
|
414
|
-
|
|
415
|
-
|
|
416
|
-
|
|
417
|
-
|
|
418
|
-
|
|
419
|
-
|
|
420
|
-
|
|
421
|
-
|
|
422
|
-
|
|
423
|
-
|
|
424
|
-
|
|
425
|
-
|
|
426
|
-
|
|
427
|
-
|
|
428
|
-
|
|
429
|
-
|
|
430
|
-
|
|
431
|
-
|
|
432
|
-
|
|
433
|
-
|
|
434
|
-
|
|
435
|
-
|
|
436
|
-
|
|
437
|
-
|
|
438
|
-
|
|
439
|
-
|
|
440
|
-
|
|
441
|
-
|
|
442
|
-
|
|
443
|
-
|
|
444
|
-
|
|
445
|
-
|
|
446
|
-
|
|
447
|
-
|
|
448
|
-
|
|
449
|
-
|
|
450
|
-
|
|
451
|
-
|
|
452
|
-
|
|
453
|
-
|
|
454
|
-
|
|
455
|
-
|
|
456
|
-
|
|
457
|
-
|
|
458
|
-
|
|
459
|
-
|
|
460
|
-
|
|
461
|
-
|
|
462
|
-
|
|
463
|
-
|
|
464
|
-
|
|
465
|
-
|
|
466
|
-
|
|
467
|
-
|
|
468
|
-
|
|
469
|
-
|
|
470
|
-
|
|
471
|
-
|
|
472
|
-
|
|
473
|
-
|
|
474
|
-
|
|
475
|
-
|
|
476
|
-
|
|
477
|
-
|
|
478
|
-
|
|
479
|
-
|
|
480
|
-
|
|
481
|
-
|
|
482
|
-
|
|
483
|
-
|
|
484
|
-
|
|
485
|
-
|
|
486
|
-
|
|
487
|
-
|
|
488
|
-
|
|
489
|
-
|
|
490
|
-
|
|
491
|
-
|
|
492
|
-
|
|
493
|
-
|
|
494
|
-
|
|
495
|
-
|
|
496
|
-
|
|
497
|
-
|
|
498
|
-
|
|
499
|
-
|
|
500
|
-
|
|
501
|
-
|
|
502
|
-
|
|
503
|
-
|
|
504
|
-
|
|
505
|
-
|
|
506
|
-
|
|
507
|
-
|
|
508
|
-
|
|
509
|
-
|
|
510
|
-
|
|
511
|
-
|
|
512
|
-
|
|
513
|
-
|
|
514
|
-
|
|
515
|
-
|
|
516
|
-
|
|
517
|
-
|
|
518
|
-
|
|
519
|
-
|
|
520
|
-
|
|
521
|
-
|
|
522
|
-
|
|
523
|
-
|
|
524
|
-
|
|
525
|
-
|
|
526
|
-
|
|
527
|
-
|
|
528
|
-
|
|
529
|
-
|
|
530
|
-
|
|
531
|
-
|
|
532
|
-
|
|
533
|
-
|
|
534
|
-
|
|
535
|
-
|
|
536
|
-
|
|
537
|
-
|
|
538
|
-
|
|
539
|
-
|
|
540
|
-
|
|
541
|
-
|
|
542
|
-
|
|
543
|
-
|
|
544
|
-
|
|
545
|
-
|
|
546
|
-
|
|
547
|
-
|
|
548
|
-
|
|
549
|
-
|
|
550
|
-
|
|
551
|
-
|
|
552
|
-
|
|
553
|
-
|
|
554
|
-
|
|
555
|
-
|
|
556
|
-
|
|
557
|
-
|
|
558
|
-
|
|
559
|
-
|
|
560
|
-
|
|
561
|
-
|
|
562
|
-
|
|
563
|
-
|
|
146
|
+
# Returns a set of temporary security credentials (consisting of an
|
|
147
|
+
# access key ID, a secret access key, and a security token) that you can
|
|
148
|
+
# use to access AWS resources that you might not normally have access
|
|
149
|
+
# to. Typically, you use `AssumeRole` for cross-account access or
|
|
150
|
+
# federation. For a comparison of `AssumeRole` with the other APIs that
|
|
151
|
+
# produce temporary credentials, see [Requesting Temporary Security
|
|
152
|
+
# Credentials][1] and [Comparing the AWS STS APIs][2] in the *IAM User
|
|
153
|
+
# Guide*.
|
|
154
|
+
#
|
|
155
|
+
# **Important:** You cannot call `AssumeRole` by using AWS root account
|
|
156
|
+
# credentials; access is denied. You must use credentials for an IAM
|
|
157
|
+
# user or an IAM role to call `AssumeRole`.
|
|
158
|
+
#
|
|
159
|
+
# For cross-account access, imagine that you own multiple accounts and
|
|
160
|
+
# need to access resources in each account. You could create long-term
|
|
161
|
+
# credentials in each account to access those resources. However,
|
|
162
|
+
# managing all those credentials and remembering which one can access
|
|
163
|
+
# which account can be time consuming. Instead, you can create one set
|
|
164
|
+
# of long-term credentials in one account and then use temporary
|
|
165
|
+
# security credentials to access all the other accounts by assuming
|
|
166
|
+
# roles in those accounts. For more information about roles, see [IAM
|
|
167
|
+
# Roles (Delegation and Federation)][3] in the *IAM User Guide*.
|
|
168
|
+
#
|
|
169
|
+
# For federation, you can, for example, grant single sign-on access to
|
|
170
|
+
# the AWS Management Console. If you already have an identity and
|
|
171
|
+
# authentication system in your corporate network, you don't have to
|
|
172
|
+
# recreate user identities in AWS in order to grant those user
|
|
173
|
+
# identities access to AWS. Instead, after a user has been
|
|
174
|
+
# authenticated, you call `AssumeRole` (and specify the role with the
|
|
175
|
+
# appropriate permissions) to get temporary security credentials for
|
|
176
|
+
# that user. With those temporary security credentials, you construct a
|
|
177
|
+
# sign-in URL that users can use to access the console. For more
|
|
178
|
+
# information, see [Common Scenarios for Temporary Credentials][4] in
|
|
179
|
+
# the *IAM User Guide*.
|
|
180
|
+
#
|
|
181
|
+
# The temporary security credentials are valid for the duration that you
|
|
182
|
+
# specified when calling `AssumeRole`, which can be from 900 seconds (15
|
|
183
|
+
# minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
|
|
184
|
+
#
|
|
185
|
+
# The temporary security credentials created by `AssumeRole` can be used
|
|
186
|
+
# to make API calls to any AWS service with the following exception: you
|
|
187
|
+
# cannot call the STS service's `GetFederationToken` or
|
|
188
|
+
# `GetSessionToken` APIs.
|
|
189
|
+
#
|
|
190
|
+
# Optionally, you can pass an IAM access policy to this operation. If
|
|
191
|
+
# you choose not to pass a policy, the temporary security credentials
|
|
192
|
+
# that are returned by the operation have the permissions that are
|
|
193
|
+
# defined in the access policy of the role that is being assumed. If you
|
|
194
|
+
# pass a policy to this operation, the temporary security credentials
|
|
195
|
+
# that are returned by the operation have the permissions that are
|
|
196
|
+
# allowed by both the access policy of the role that is being assumed,
|
|
197
|
+
# <i> <b>and</b> </i> the policy that you pass. This gives you a way to
|
|
198
|
+
# further restrict the permissions for the resulting temporary security
|
|
199
|
+
# credentials. You cannot use the passed policy to grant permissions
|
|
200
|
+
# that are in excess of those allowed by the access policy of the role
|
|
201
|
+
# that is being assumed. For more information, see [Permissions for
|
|
202
|
+
# AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][5] in
|
|
203
|
+
# the *IAM User Guide*.
|
|
204
|
+
#
|
|
205
|
+
# To assume a role, your AWS account must be trusted by the role. The
|
|
206
|
+
# trust relationship is defined in the role's trust policy when the
|
|
207
|
+
# role is created. That trust policy states which accounts are allowed
|
|
208
|
+
# to delegate access to this account's role.
|
|
209
|
+
#
|
|
210
|
+
# The user who wants to access the role must also have permissions
|
|
211
|
+
# delegated from the role's administrator. If the user is in a
|
|
212
|
+
# different account than the role, then the user's administrator must
|
|
213
|
+
# attach a policy that allows the user to call AssumeRole on the ARN of
|
|
214
|
+
# the role in the other account. If the user is in the same account as
|
|
215
|
+
# the role, then you can either attach a policy to the user (identical
|
|
216
|
+
# to the previous different account user), or you can add the user as a
|
|
217
|
+
# principal directly in the role's trust policy
|
|
218
|
+
#
|
|
219
|
+
# **Using MFA with AssumeRole**
|
|
220
|
+
#
|
|
221
|
+
# You can optionally include multi-factor authentication (MFA)
|
|
222
|
+
# information when you call `AssumeRole`. This is useful for
|
|
223
|
+
# cross-account scenarios in which you want to make sure that the user
|
|
224
|
+
# who is assuming the role has been authenticated using an AWS MFA
|
|
225
|
+
# device. In that scenario, the trust policy of the role being assumed
|
|
226
|
+
# includes a condition that tests for MFA authentication; if the caller
|
|
227
|
+
# does not include valid MFA information, the request to assume the role
|
|
228
|
+
# is denied. The condition in a trust policy that tests for MFA
|
|
229
|
+
# authentication might look like the following example.
|
|
230
|
+
#
|
|
231
|
+
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
|
232
|
+
#
|
|
233
|
+
# For more information, see [Configuring MFA-Protected API Access][6] in
|
|
234
|
+
# the *IAM User Guide* guide.
|
|
235
|
+
#
|
|
236
|
+
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
|
237
|
+
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
|
238
|
+
# user's hardware or virtual MFA device. The `TokenCode` is the
|
|
239
|
+
# time-based one-time password (TOTP) that the MFA devices produces.
|
|
240
|
+
#
|
|
241
|
+
#
|
|
242
|
+
#
|
|
243
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
244
|
+
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
245
|
+
# [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html
|
|
246
|
+
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction
|
|
247
|
+
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
248
|
+
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
|
249
|
+
#
|
|
250
|
+
# @option params [required, String] :role_arn
|
|
251
|
+
# The Amazon Resource Name (ARN) of the role to assume.
|
|
252
|
+
#
|
|
253
|
+
# @option params [required, String] :role_session_name
|
|
254
|
+
# An identifier for the assumed role session.
|
|
255
|
+
#
|
|
256
|
+
# Use the role session name to uniquely identify a session when the same
|
|
257
|
+
# role is assumed by different principals or for different reasons. In
|
|
258
|
+
# cross-account scenarios, the role session name is visible to, and can
|
|
259
|
+
# be logged by the account that owns the role. The role session name is
|
|
260
|
+
# also used in the ARN of the assumed role principal. This means that
|
|
261
|
+
# subsequent cross-account API requests using the temporary security
|
|
262
|
+
# credentials will expose the role session name to the external account
|
|
263
|
+
# in their CloudTrail logs.
|
|
264
|
+
#
|
|
265
|
+
# The regex used to validate this parameter is a string of characters
|
|
266
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
267
|
+
# spaces. You can also include underscores or any of the following
|
|
268
|
+
# characters: =,.@-
|
|
269
|
+
#
|
|
270
|
+
# @option params [String] :policy
|
|
271
|
+
# An IAM policy in JSON format.
|
|
272
|
+
#
|
|
273
|
+
# This parameter is optional. If you pass a policy, the temporary
|
|
274
|
+
# security credentials that are returned by the operation have the
|
|
275
|
+
# permissions that are allowed by both (the intersection of) the access
|
|
276
|
+
# policy of the role that is being assumed, *and* the policy that you
|
|
277
|
+
# pass. This gives you a way to further restrict the permissions for the
|
|
278
|
+
# resulting temporary security credentials. You cannot use the passed
|
|
279
|
+
# policy to grant permissions that are in excess of those allowed by the
|
|
280
|
+
# access policy of the role that is being assumed. For more information,
|
|
281
|
+
# see [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
|
282
|
+
# AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
|
|
283
|
+
#
|
|
284
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
285
|
+
# string of characters up to 2048 characters in length. The characters
|
|
286
|
+
# can be any ASCII character from the space character to the end of the
|
|
287
|
+
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
288
|
+
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
289
|
+
# characters.
|
|
290
|
+
#
|
|
291
|
+
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
292
|
+
# internal conversion compresses it into a packed binary format with a
|
|
293
|
+
# separate limit. The PackedPolicySize response element indicates by
|
|
294
|
+
# percentage how close to the upper size limit the policy is, with 100%
|
|
295
|
+
# equaling the maximum allowed size.
|
|
296
|
+
#
|
|
297
|
+
# </note>
|
|
298
|
+
#
|
|
299
|
+
#
|
|
300
|
+
#
|
|
301
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
302
|
+
#
|
|
303
|
+
# @option params [Integer] :duration_seconds
|
|
304
|
+
# The duration, in seconds, of the role session. The value can range
|
|
305
|
+
# from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
|
|
306
|
+
# the value is set to 3600 seconds.
|
|
307
|
+
#
|
|
308
|
+
# <note markdown="1"> This is separate from the duration of a console session that you might
|
|
309
|
+
# request using the returned credentials. The request to the federation
|
|
310
|
+
# endpoint for a console sign-in token takes a `SessionDuration`
|
|
311
|
+
# parameter that specifies the maximum length of the console session,
|
|
312
|
+
# separately from the `DurationSeconds` parameter on this API. For more
|
|
313
|
+
# information, see [Creating a URL that Enables Federated Users to
|
|
314
|
+
# Access the AWS Management Console][1] in the *IAM User Guide*.
|
|
315
|
+
#
|
|
316
|
+
# </note>
|
|
317
|
+
#
|
|
318
|
+
#
|
|
319
|
+
#
|
|
320
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
|
321
|
+
#
|
|
322
|
+
# @option params [String] :external_id
|
|
323
|
+
# A unique identifier that is used by third parties when assuming roles
|
|
324
|
+
# in their customers' accounts. For each role that the third party can
|
|
325
|
+
# assume, they should instruct their customers to ensure the role's
|
|
326
|
+
# trust policy checks for the external ID that the third party
|
|
327
|
+
# generated. Each time the third party assumes the role, they should
|
|
328
|
+
# pass the customer's external ID. The external ID is useful in order
|
|
329
|
+
# to help third parties bind a role to the customer who created it. For
|
|
330
|
+
# more information about the external ID, see [How to Use an External ID
|
|
331
|
+
# When Granting Access to Your AWS Resources to a Third Party][1] in the
|
|
332
|
+
# *IAM User Guide*.
|
|
333
|
+
#
|
|
334
|
+
# The regex used to validated this parameter is a string of characters
|
|
335
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
336
|
+
# spaces. You can also include underscores or any of the following
|
|
337
|
+
# characters: =,.@:\\/-
|
|
338
|
+
#
|
|
339
|
+
#
|
|
340
|
+
#
|
|
341
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
|
|
342
|
+
#
|
|
343
|
+
# @option params [String] :serial_number
|
|
344
|
+
# The identification number of the MFA device that is associated with
|
|
345
|
+
# the user who is making the `AssumeRole` call. Specify this value if
|
|
346
|
+
# the trust policy of the role being assumed includes a condition that
|
|
347
|
+
# requires MFA authentication. The value is either the serial number for
|
|
348
|
+
# a hardware device (such as `GAHT12345678`) or an Amazon Resource Name
|
|
349
|
+
# (ARN) for a virtual device (such as
|
|
350
|
+
# `arn:aws:iam::123456789012:mfa/user`).
|
|
351
|
+
#
|
|
352
|
+
# The regex used to validate this parameter is a string of characters
|
|
353
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
354
|
+
# spaces. You can also include underscores or any of the following
|
|
355
|
+
# characters: =,.@-
|
|
356
|
+
#
|
|
357
|
+
# @option params [String] :token_code
|
|
358
|
+
# The value provided by the MFA device, if the trust policy of the role
|
|
359
|
+
# being assumed requires MFA (that is, if the policy includes a
|
|
360
|
+
# condition that tests for MFA). If the role being assumed requires MFA
|
|
361
|
+
# and if the `TokenCode` value is missing or expired, the `AssumeRole`
|
|
362
|
+
# call returns an "access denied" error.
|
|
363
|
+
#
|
|
364
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
365
|
+
# sequence of six numeric digits.
|
|
366
|
+
#
|
|
367
|
+
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
368
|
+
#
|
|
369
|
+
# * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
|
|
370
|
+
# * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
|
|
371
|
+
# * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
|
|
372
|
+
#
|
|
373
|
+
# @example Request syntax with placeholder values
|
|
374
|
+
#
|
|
375
|
+
# resp = client.assume_role({
|
|
376
|
+
# role_arn: "arnType", # required
|
|
377
|
+
# role_session_name: "roleSessionNameType", # required
|
|
378
|
+
# policy: "sessionPolicyDocumentType",
|
|
379
|
+
# duration_seconds: 1,
|
|
380
|
+
# external_id: "externalIdType",
|
|
381
|
+
# serial_number: "serialNumberType",
|
|
382
|
+
# token_code: "tokenCodeType",
|
|
383
|
+
# })
|
|
384
|
+
#
|
|
385
|
+
# @example Response structure
|
|
386
|
+
#
|
|
387
|
+
# resp.credentials.access_key_id #=> String
|
|
388
|
+
# resp.credentials.secret_access_key #=> String
|
|
389
|
+
# resp.credentials.session_token #=> String
|
|
390
|
+
# resp.credentials.expiration #=> Time
|
|
391
|
+
# resp.assumed_role_user.assumed_role_id #=> String
|
|
392
|
+
# resp.assumed_role_user.arn #=> String
|
|
393
|
+
# resp.packed_policy_size #=> Integer
|
|
394
|
+
#
|
|
395
|
+
# @overload assume_role(params = {})
|
|
396
|
+
# @param [Hash] params ({})
|
|
397
|
+
def assume_role(params = {}, options = {})
|
|
398
|
+
req = build_request(:assume_role, params)
|
|
399
|
+
req.send_request(options)
|
|
400
|
+
end
|
|
564
401
|
|
|
565
|
-
|
|
566
|
-
|
|
567
|
-
|
|
568
|
-
|
|
569
|
-
|
|
570
|
-
|
|
571
|
-
|
|
572
|
-
|
|
573
|
-
|
|
574
|
-
|
|
575
|
-
|
|
576
|
-
|
|
577
|
-
|
|
578
|
-
|
|
579
|
-
|
|
580
|
-
|
|
581
|
-
|
|
582
|
-
|
|
583
|
-
|
|
584
|
-
|
|
585
|
-
|
|
586
|
-
|
|
587
|
-
|
|
588
|
-
|
|
589
|
-
|
|
590
|
-
|
|
591
|
-
|
|
592
|
-
|
|
593
|
-
|
|
594
|
-
|
|
595
|
-
|
|
596
|
-
|
|
597
|
-
|
|
598
|
-
|
|
599
|
-
|
|
600
|
-
|
|
601
|
-
|
|
602
|
-
|
|
603
|
-
|
|
604
|
-
|
|
605
|
-
|
|
606
|
-
|
|
607
|
-
|
|
608
|
-
|
|
609
|
-
|
|
610
|
-
|
|
611
|
-
|
|
612
|
-
|
|
613
|
-
|
|
614
|
-
|
|
615
|
-
|
|
616
|
-
|
|
617
|
-
|
|
618
|
-
|
|
619
|
-
|
|
620
|
-
|
|
621
|
-
|
|
622
|
-
|
|
623
|
-
|
|
624
|
-
|
|
625
|
-
|
|
626
|
-
|
|
627
|
-
|
|
628
|
-
|
|
629
|
-
|
|
630
|
-
|
|
631
|
-
|
|
632
|
-
|
|
633
|
-
|
|
634
|
-
|
|
635
|
-
|
|
636
|
-
|
|
637
|
-
|
|
638
|
-
|
|
639
|
-
|
|
640
|
-
|
|
641
|
-
|
|
642
|
-
|
|
643
|
-
|
|
644
|
-
|
|
645
|
-
|
|
646
|
-
|
|
647
|
-
|
|
648
|
-
|
|
649
|
-
|
|
650
|
-
|
|
651
|
-
|
|
652
|
-
|
|
653
|
-
|
|
654
|
-
|
|
655
|
-
|
|
656
|
-
|
|
657
|
-
|
|
658
|
-
|
|
659
|
-
|
|
660
|
-
|
|
661
|
-
|
|
662
|
-
|
|
663
|
-
|
|
664
|
-
|
|
665
|
-
|
|
666
|
-
|
|
667
|
-
|
|
668
|
-
|
|
669
|
-
|
|
670
|
-
|
|
671
|
-
|
|
672
|
-
|
|
673
|
-
|
|
674
|
-
|
|
675
|
-
|
|
676
|
-
|
|
677
|
-
|
|
678
|
-
|
|
679
|
-
|
|
680
|
-
|
|
681
|
-
|
|
682
|
-
|
|
683
|
-
|
|
684
|
-
|
|
685
|
-
|
|
686
|
-
|
|
687
|
-
|
|
688
|
-
|
|
689
|
-
|
|
690
|
-
|
|
691
|
-
|
|
692
|
-
|
|
693
|
-
|
|
694
|
-
|
|
695
|
-
|
|
696
|
-
|
|
697
|
-
|
|
698
|
-
|
|
699
|
-
|
|
700
|
-
|
|
701
|
-
|
|
702
|
-
|
|
703
|
-
|
|
704
|
-
|
|
705
|
-
|
|
706
|
-
|
|
707
|
-
|
|
708
|
-
|
|
709
|
-
|
|
710
|
-
|
|
711
|
-
|
|
712
|
-
|
|
713
|
-
|
|
714
|
-
|
|
715
|
-
|
|
716
|
-
|
|
717
|
-
|
|
718
|
-
|
|
719
|
-
|
|
720
|
-
|
|
721
|
-
|
|
722
|
-
|
|
723
|
-
|
|
724
|
-
|
|
725
|
-
|
|
726
|
-
|
|
727
|
-
|
|
728
|
-
|
|
729
|
-
|
|
730
|
-
|
|
731
|
-
|
|
732
|
-
|
|
733
|
-
|
|
734
|
-
|
|
735
|
-
|
|
736
|
-
|
|
737
|
-
|
|
738
|
-
|
|
739
|
-
|
|
740
|
-
|
|
741
|
-
|
|
742
|
-
|
|
743
|
-
|
|
744
|
-
|
|
745
|
-
|
|
746
|
-
|
|
747
|
-
|
|
748
|
-
|
|
749
|
-
|
|
750
|
-
|
|
751
|
-
|
|
752
|
-
|
|
753
|
-
|
|
754
|
-
|
|
755
|
-
|
|
756
|
-
|
|
757
|
-
|
|
758
|
-
|
|
759
|
-
|
|
760
|
-
#
|
|
761
|
-
# @example Request syntax with placeholder values
|
|
762
|
-
# resp = client.assume_role_with_web_identity({
|
|
763
|
-
# role_arn: "arnType", # required
|
|
764
|
-
# role_session_name: "roleSessionNameType", # required
|
|
765
|
-
# web_identity_token: "clientTokenType", # required
|
|
766
|
-
# provider_id: "urlType",
|
|
767
|
-
# policy: "sessionPolicyDocumentType",
|
|
768
|
-
# duration_seconds: 1,
|
|
769
|
-
# })
|
|
770
|
-
#
|
|
771
|
-
# @example Response structure
|
|
772
|
-
# resp.credentials.access_key_id #=> String
|
|
773
|
-
# resp.credentials.secret_access_key #=> String
|
|
774
|
-
# resp.credentials.session_token #=> String
|
|
775
|
-
# resp.credentials.expiration #=> Time
|
|
776
|
-
# resp.subject_from_web_identity_token #=> String
|
|
777
|
-
# resp.assumed_role_user.assumed_role_id #=> String
|
|
778
|
-
# resp.assumed_role_user.arn #=> String
|
|
779
|
-
# resp.packed_policy_size #=> Integer
|
|
780
|
-
# resp.provider #=> String
|
|
781
|
-
# resp.audience #=> String
|
|
782
|
-
# @overload assume_role_with_web_identity(params = {})
|
|
783
|
-
# @param [Hash] params ({})
|
|
784
|
-
def assume_role_with_web_identity(params = {}, options = {})
|
|
785
|
-
req = build_request(:assume_role_with_web_identity, params)
|
|
786
|
-
req.send_request(options)
|
|
787
|
-
end
|
|
402
|
+
# Returns a set of temporary security credentials for users who have
|
|
403
|
+
# been authenticated via a SAML authentication response. This operation
|
|
404
|
+
# provides a mechanism for tying an enterprise identity store or
|
|
405
|
+
# directory to role-based AWS access without user-specific credentials
|
|
406
|
+
# or configuration. For a comparison of `AssumeRoleWithSAML` with the
|
|
407
|
+
# other APIs that produce temporary credentials, see [Requesting
|
|
408
|
+
# Temporary Security Credentials][1] and [Comparing the AWS STS APIs][2]
|
|
409
|
+
# in the *IAM User Guide*.
|
|
410
|
+
#
|
|
411
|
+
# The temporary security credentials returned by this operation consist
|
|
412
|
+
# of an access key ID, a secret access key, and a security token.
|
|
413
|
+
# Applications can use these temporary security credentials to sign
|
|
414
|
+
# calls to AWS services.
|
|
415
|
+
#
|
|
416
|
+
# The temporary security credentials are valid for the duration that you
|
|
417
|
+
# specified when calling `AssumeRole`, or until the time specified in
|
|
418
|
+
# the SAML authentication response's `SessionNotOnOrAfter` value,
|
|
419
|
+
# whichever is shorter. The duration can be from 900 seconds (15
|
|
420
|
+
# minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
|
|
421
|
+
#
|
|
422
|
+
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
|
423
|
+
# be used to make API calls to any AWS service with the following
|
|
424
|
+
# exception: you cannot call the STS service's `GetFederationToken` or
|
|
425
|
+
# `GetSessionToken` APIs.
|
|
426
|
+
#
|
|
427
|
+
# Optionally, you can pass an IAM access policy to this operation. If
|
|
428
|
+
# you choose not to pass a policy, the temporary security credentials
|
|
429
|
+
# that are returned by the operation have the permissions that are
|
|
430
|
+
# defined in the access policy of the role that is being assumed. If you
|
|
431
|
+
# pass a policy to this operation, the temporary security credentials
|
|
432
|
+
# that are returned by the operation have the permissions that are
|
|
433
|
+
# allowed by the intersection of both the access policy of the role that
|
|
434
|
+
# is being assumed, <i> <b>and</b> </i> the policy that you pass. This
|
|
435
|
+
# means that both policies must grant the permission for the action to
|
|
436
|
+
# be allowed. This gives you a way to further restrict the permissions
|
|
437
|
+
# for the resulting temporary security credentials. You cannot use the
|
|
438
|
+
# passed policy to grant permissions that are in excess of those allowed
|
|
439
|
+
# by the access policy of the role that is being assumed. For more
|
|
440
|
+
# information, see [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
|
441
|
+
# AssumeRoleWithWebIdentity][3] in the *IAM User Guide*.
|
|
442
|
+
#
|
|
443
|
+
# Before your application can call `AssumeRoleWithSAML`, you must
|
|
444
|
+
# configure your SAML identity provider (IdP) to issue the claims
|
|
445
|
+
# required by AWS. Additionally, you must use AWS Identity and Access
|
|
446
|
+
# Management (IAM) to create a SAML provider entity in your AWS account
|
|
447
|
+
# that represents your identity provider, and create an IAM role that
|
|
448
|
+
# specifies this SAML provider in its trust policy.
|
|
449
|
+
#
|
|
450
|
+
# Calling `AssumeRoleWithSAML` does not require the use of AWS security
|
|
451
|
+
# credentials. The identity of the caller is validated by using keys in
|
|
452
|
+
# the metadata document that is uploaded for the SAML provider entity
|
|
453
|
+
# for your identity provider.
|
|
454
|
+
#
|
|
455
|
+
# Calling `AssumeRoleWithSAML` can result in an entry in your AWS
|
|
456
|
+
# CloudTrail logs. The entry includes the value in the `NameID` element
|
|
457
|
+
# of the SAML assertion. We recommend that you use a NameIDType that is
|
|
458
|
+
# not associated with any personally identifiable information (PII). For
|
|
459
|
+
# example, you could instead use the Persistent Identifier
|
|
460
|
+
# (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
|
|
461
|
+
#
|
|
462
|
+
# For more information, see the following resources:
|
|
463
|
+
#
|
|
464
|
+
# * [About SAML 2.0-based Federation][4] in the *IAM User Guide*.
|
|
465
|
+
#
|
|
466
|
+
# * [Creating SAML Identity Providers][5] in the *IAM User Guide*.
|
|
467
|
+
#
|
|
468
|
+
# * [Configuring a Relying Party and Claims][6] in the *IAM User Guide*.
|
|
469
|
+
#
|
|
470
|
+
# * [Creating a Role for SAML 2.0 Federation][7] in the *IAM User
|
|
471
|
+
# Guide*.
|
|
472
|
+
#
|
|
473
|
+
#
|
|
474
|
+
#
|
|
475
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
476
|
+
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
477
|
+
# [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
478
|
+
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
|
479
|
+
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
|
480
|
+
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
|
481
|
+
# [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
|
482
|
+
#
|
|
483
|
+
# @option params [required, String] :role_arn
|
|
484
|
+
# The Amazon Resource Name (ARN) of the role that the caller is
|
|
485
|
+
# assuming.
|
|
486
|
+
#
|
|
487
|
+
# @option params [required, String] :principal_arn
|
|
488
|
+
# The Amazon Resource Name (ARN) of the SAML provider in IAM that
|
|
489
|
+
# describes the IdP.
|
|
490
|
+
#
|
|
491
|
+
# @option params [required, String] :saml_assertion
|
|
492
|
+
# The base-64 encoded SAML authentication response provided by the IdP.
|
|
493
|
+
#
|
|
494
|
+
# For more information, see [Configuring a Relying Party and Adding
|
|
495
|
+
# Claims][1] in the *Using IAM* guide.
|
|
496
|
+
#
|
|
497
|
+
#
|
|
498
|
+
#
|
|
499
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html
|
|
500
|
+
#
|
|
501
|
+
# @option params [String] :policy
|
|
502
|
+
# An IAM policy in JSON format.
|
|
503
|
+
#
|
|
504
|
+
# The policy parameter is optional. If you pass a policy, the temporary
|
|
505
|
+
# security credentials that are returned by the operation have the
|
|
506
|
+
# permissions that are allowed by both the access policy of the role
|
|
507
|
+
# that is being assumed, <i> <b>and</b> </i> the policy that you pass.
|
|
508
|
+
# This gives you a way to further restrict the permissions for the
|
|
509
|
+
# resulting temporary security credentials. You cannot use the passed
|
|
510
|
+
# policy to grant permissions that are in excess of those allowed by the
|
|
511
|
+
# access policy of the role that is being assumed. For more information,
|
|
512
|
+
# [Permissions for AssumeRole, AssumeRoleWithSAML, and
|
|
513
|
+
# AssumeRoleWithWebIdentity][1] in the *IAM User Guide*.
|
|
514
|
+
#
|
|
515
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
516
|
+
# string of characters up to 2048 characters in length. The characters
|
|
517
|
+
# can be any ASCII character from the space character to the end of the
|
|
518
|
+
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
519
|
+
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
520
|
+
# characters.
|
|
521
|
+
#
|
|
522
|
+
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
523
|
+
# internal conversion compresses it into a packed binary format with a
|
|
524
|
+
# separate limit. The PackedPolicySize response element indicates by
|
|
525
|
+
# percentage how close to the upper size limit the policy is, with 100%
|
|
526
|
+
# equaling the maximum allowed size.
|
|
527
|
+
#
|
|
528
|
+
# </note>
|
|
529
|
+
#
|
|
530
|
+
#
|
|
531
|
+
#
|
|
532
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
533
|
+
#
|
|
534
|
+
# @option params [Integer] :duration_seconds
|
|
535
|
+
# The duration, in seconds, of the role session. The value can range
|
|
536
|
+
# from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
|
|
537
|
+
# the value is set to 3600 seconds. An expiration can also be specified
|
|
538
|
+
# in the SAML authentication response's `SessionNotOnOrAfter` value.
|
|
539
|
+
# The actual expiration time is whichever value is shorter.
|
|
540
|
+
#
|
|
541
|
+
# <note markdown="1"> This is separate from the duration of a console session that you might
|
|
542
|
+
# request using the returned credentials. The request to the federation
|
|
543
|
+
# endpoint for a console sign-in token takes a `SessionDuration`
|
|
544
|
+
# parameter that specifies the maximum length of the console session,
|
|
545
|
+
# separately from the `DurationSeconds` parameter on this API. For more
|
|
546
|
+
# information, see [Enabling SAML 2.0 Federated Users to Access the AWS
|
|
547
|
+
# Management Console][1] in the *IAM User Guide*.
|
|
548
|
+
#
|
|
549
|
+
# </note>
|
|
550
|
+
#
|
|
551
|
+
#
|
|
552
|
+
#
|
|
553
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html
|
|
554
|
+
#
|
|
555
|
+
# @return [Types::AssumeRoleWithSAMLResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
556
|
+
#
|
|
557
|
+
# * {Types::AssumeRoleWithSAMLResponse#credentials #credentials} => Types::Credentials
|
|
558
|
+
# * {Types::AssumeRoleWithSAMLResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
|
|
559
|
+
# * {Types::AssumeRoleWithSAMLResponse#packed_policy_size #packed_policy_size} => Integer
|
|
560
|
+
# * {Types::AssumeRoleWithSAMLResponse#subject #subject} => String
|
|
561
|
+
# * {Types::AssumeRoleWithSAMLResponse#subject_type #subject_type} => String
|
|
562
|
+
# * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
|
|
563
|
+
# * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
|
|
564
|
+
# * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
|
|
565
|
+
#
|
|
566
|
+
# @example Request syntax with placeholder values
|
|
567
|
+
#
|
|
568
|
+
# resp = client.assume_role_with_saml({
|
|
569
|
+
# role_arn: "arnType", # required
|
|
570
|
+
# principal_arn: "arnType", # required
|
|
571
|
+
# saml_assertion: "SAMLAssertionType", # required
|
|
572
|
+
# policy: "sessionPolicyDocumentType",
|
|
573
|
+
# duration_seconds: 1,
|
|
574
|
+
# })
|
|
575
|
+
#
|
|
576
|
+
# @example Response structure
|
|
577
|
+
#
|
|
578
|
+
# resp.credentials.access_key_id #=> String
|
|
579
|
+
# resp.credentials.secret_access_key #=> String
|
|
580
|
+
# resp.credentials.session_token #=> String
|
|
581
|
+
# resp.credentials.expiration #=> Time
|
|
582
|
+
# resp.assumed_role_user.assumed_role_id #=> String
|
|
583
|
+
# resp.assumed_role_user.arn #=> String
|
|
584
|
+
# resp.packed_policy_size #=> Integer
|
|
585
|
+
# resp.subject #=> String
|
|
586
|
+
# resp.subject_type #=> String
|
|
587
|
+
# resp.issuer #=> String
|
|
588
|
+
# resp.audience #=> String
|
|
589
|
+
# resp.name_qualifier #=> String
|
|
590
|
+
#
|
|
591
|
+
# @overload assume_role_with_saml(params = {})
|
|
592
|
+
# @param [Hash] params ({})
|
|
593
|
+
def assume_role_with_saml(params = {}, options = {})
|
|
594
|
+
req = build_request(:assume_role_with_saml, params)
|
|
595
|
+
req.send_request(options)
|
|
596
|
+
end
|
|
788
597
|
|
|
789
|
-
|
|
790
|
-
|
|
791
|
-
|
|
792
|
-
|
|
793
|
-
|
|
794
|
-
|
|
795
|
-
|
|
796
|
-
|
|
797
|
-
|
|
798
|
-
|
|
799
|
-
|
|
800
|
-
|
|
801
|
-
|
|
802
|
-
|
|
803
|
-
|
|
804
|
-
|
|
805
|
-
|
|
806
|
-
|
|
807
|
-
|
|
808
|
-
|
|
809
|
-
|
|
810
|
-
|
|
811
|
-
|
|
812
|
-
|
|
813
|
-
|
|
814
|
-
|
|
815
|
-
|
|
816
|
-
|
|
817
|
-
|
|
818
|
-
|
|
819
|
-
|
|
820
|
-
|
|
821
|
-
|
|
822
|
-
|
|
823
|
-
|
|
824
|
-
|
|
825
|
-
|
|
826
|
-
|
|
827
|
-
|
|
828
|
-
|
|
829
|
-
|
|
830
|
-
|
|
831
|
-
|
|
832
|
-
|
|
833
|
-
|
|
834
|
-
|
|
835
|
-
|
|
836
|
-
|
|
837
|
-
|
|
838
|
-
|
|
839
|
-
|
|
840
|
-
|
|
841
|
-
|
|
842
|
-
|
|
843
|
-
|
|
844
|
-
|
|
845
|
-
|
|
846
|
-
|
|
847
|
-
|
|
598
|
+
# Returns a set of temporary security credentials for users who have
|
|
599
|
+
# been authenticated in a mobile or web application with a web identity
|
|
600
|
+
# provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
|
|
601
|
+
# or any OpenID Connect-compatible identity provider.
|
|
602
|
+
#
|
|
603
|
+
# <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
|
|
604
|
+
# can use Amazon Cognito with the [AWS SDK for iOS][1] and the [AWS SDK
|
|
605
|
+
# for Android][2] to uniquely identify a user and supply the user with a
|
|
606
|
+
# consistent identity throughout the lifetime of an application.
|
|
607
|
+
#
|
|
608
|
+
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
|
|
609
|
+
# in the *AWS SDK for Android Developer Guide* guide and [Amazon Cognito
|
|
610
|
+
# Overview][4] in the *AWS SDK for iOS Developer Guide*.
|
|
611
|
+
#
|
|
612
|
+
# </note>
|
|
613
|
+
#
|
|
614
|
+
# Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
|
|
615
|
+
# security credentials. Therefore, you can distribute an application
|
|
616
|
+
# (for example, on mobile devices) that requests temporary security
|
|
617
|
+
# credentials without including long-term AWS credentials in the
|
|
618
|
+
# application, and without deploying server-based proxy services that
|
|
619
|
+
# use long-term AWS credentials. Instead, the identity of the caller is
|
|
620
|
+
# validated by using a token from the web identity provider. For a
|
|
621
|
+
# comparison of `AssumeRoleWithWebIdentity` with the other APIs that
|
|
622
|
+
# produce temporary credentials, see [Requesting Temporary Security
|
|
623
|
+
# Credentials][5] and [Comparing the AWS STS APIs][6] in the *IAM User
|
|
624
|
+
# Guide*.
|
|
625
|
+
#
|
|
626
|
+
# The temporary security credentials returned by this API consist of an
|
|
627
|
+
# access key ID, a secret access key, and a security token. Applications
|
|
628
|
+
# can use these temporary security credentials to sign calls to AWS
|
|
629
|
+
# service APIs.
|
|
630
|
+
#
|
|
631
|
+
# The credentials are valid for the duration that you specified when
|
|
632
|
+
# calling `AssumeRoleWithWebIdentity`, which can be from 900 seconds (15
|
|
633
|
+
# minutes) to a maximum of 3600 seconds (1 hour). The default is 1 hour.
|
|
634
|
+
#
|
|
635
|
+
# The temporary security credentials created by
|
|
636
|
+
# `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
|
|
637
|
+
# service with the following exception: you cannot call the STS
|
|
638
|
+
# service's `GetFederationToken` or `GetSessionToken` APIs.
|
|
639
|
+
#
|
|
640
|
+
# Optionally, you can pass an IAM access policy to this operation. If
|
|
641
|
+
# you choose not to pass a policy, the temporary security credentials
|
|
642
|
+
# that are returned by the operation have the permissions that are
|
|
643
|
+
# defined in the access policy of the role that is being assumed. If you
|
|
644
|
+
# pass a policy to this operation, the temporary security credentials
|
|
645
|
+
# that are returned by the operation have the permissions that are
|
|
646
|
+
# allowed by both the access policy of the role that is being assumed,
|
|
647
|
+
# <i> <b>and</b> </i> the policy that you pass. This gives you a way to
|
|
648
|
+
# further restrict the permissions for the resulting temporary security
|
|
649
|
+
# credentials. You cannot use the passed policy to grant permissions
|
|
650
|
+
# that are in excess of those allowed by the access policy of the role
|
|
651
|
+
# that is being assumed. For more information, see [Permissions for
|
|
652
|
+
# AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity][7] in
|
|
653
|
+
# the *IAM User Guide*.
|
|
654
|
+
#
|
|
655
|
+
# Before your application can call `AssumeRoleWithWebIdentity`, you must
|
|
656
|
+
# have an identity token from a supported identity provider and create a
|
|
657
|
+
# role that the application can assume. The role that your application
|
|
658
|
+
# assumes must trust the identity provider that is associated with the
|
|
659
|
+
# identity token. In other words, the identity provider must be
|
|
660
|
+
# specified in the role's trust policy.
|
|
661
|
+
#
|
|
662
|
+
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
|
|
663
|
+
# CloudTrail logs. The entry includes the [Subject][8] of the provided
|
|
664
|
+
# Web Identity Token. We recommend that you avoid using any personally
|
|
665
|
+
# identifiable information (PII) in this field. For example, you could
|
|
666
|
+
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
|
667
|
+
# specification][9].
|
|
668
|
+
#
|
|
669
|
+
# For more information about how to use web identity federation and the
|
|
670
|
+
# `AssumeRoleWithWebIdentity` API, see the following resources:
|
|
671
|
+
#
|
|
672
|
+
# * [Using Web Identity Federation APIs for Mobile Apps][10] and
|
|
673
|
+
# [Federation Through a Web-based Identity Provider][11].
|
|
674
|
+
#
|
|
675
|
+
# * [ Web Identity Federation Playground][12]. This interactive website
|
|
676
|
+
# lets you walk through the process of authenticating via Login with
|
|
677
|
+
# Amazon, Facebook, or Google, getting temporary security credentials,
|
|
678
|
+
# and then using those credentials to make a request to AWS.
|
|
679
|
+
#
|
|
680
|
+
# * [AWS SDK for iOS][1] and [AWS SDK for Android][2]. These toolkits
|
|
681
|
+
# contain sample apps that show how to invoke the identity providers,
|
|
682
|
+
# and then how to use the information from these providers to get and
|
|
683
|
+
# use temporary security credentials.
|
|
684
|
+
#
|
|
685
|
+
# * [Web Identity Federation with Mobile Applications][13]. This article
|
|
686
|
+
# discusses web identity federation and shows an example of how to use
|
|
687
|
+
# web identity federation to get access to content in Amazon S3.
|
|
688
|
+
#
|
|
689
|
+
#
|
|
690
|
+
#
|
|
691
|
+
# [1]: http://aws.amazon.com/sdkforios/
|
|
692
|
+
# [2]: http://aws.amazon.com/sdkforandroid/
|
|
693
|
+
# [3]: http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840
|
|
694
|
+
# [4]: http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664
|
|
695
|
+
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
696
|
+
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
697
|
+
# [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
698
|
+
# [8]: http://openid.net/specs/openid-connect-core-1_0.html#Claims
|
|
699
|
+
# [9]: http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes
|
|
700
|
+
# [10]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html
|
|
701
|
+
# [11]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
702
|
+
# [12]: https://web-identity-federation-playground.s3.amazonaws.com/index.html
|
|
703
|
+
# [13]: http://aws.amazon.com/articles/4617974389850313
|
|
704
|
+
#
|
|
705
|
+
# @option params [required, String] :role_arn
|
|
706
|
+
# The Amazon Resource Name (ARN) of the role that the caller is
|
|
707
|
+
# assuming.
|
|
708
|
+
#
|
|
709
|
+
# @option params [required, String] :role_session_name
|
|
710
|
+
# An identifier for the assumed role session. Typically, you pass the
|
|
711
|
+
# name or identifier that is associated with the user who is using your
|
|
712
|
+
# application. That way, the temporary security credentials that your
|
|
713
|
+
# application will use are associated with that user. This session name
|
|
714
|
+
# is included as part of the ARN and assumed role ID in the
|
|
715
|
+
# `AssumedRoleUser` response element.
|
|
716
|
+
#
|
|
717
|
+
# The regex used to validate this parameter is a string of characters
|
|
718
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
719
|
+
# spaces. You can also include underscores or any of the following
|
|
720
|
+
# characters: =,.@-
|
|
721
|
+
#
|
|
722
|
+
# @option params [required, String] :web_identity_token
|
|
723
|
+
# The OAuth 2.0 access token or OpenID Connect ID token that is provided
|
|
724
|
+
# by the identity provider. Your application must get this token by
|
|
725
|
+
# authenticating the user who is using your application with a web
|
|
726
|
+
# identity provider before the application makes an
|
|
727
|
+
# `AssumeRoleWithWebIdentity` call.
|
|
728
|
+
#
|
|
729
|
+
# @option params [String] :provider_id
|
|
730
|
+
# The fully qualified host component of the domain name of the identity
|
|
731
|
+
# provider.
|
|
732
|
+
#
|
|
733
|
+
# Specify this value only for OAuth 2.0 access tokens. Currently
|
|
734
|
+
# `www.amazon.com` and `graph.facebook.com` are the only supported
|
|
735
|
+
# identity providers for OAuth 2.0 access tokens. Do not include URL
|
|
736
|
+
# schemes and port numbers.
|
|
737
|
+
#
|
|
738
|
+
# Do not specify this value for OpenID Connect ID tokens.
|
|
739
|
+
#
|
|
740
|
+
# @option params [String] :policy
|
|
741
|
+
# An IAM policy in JSON format.
|
|
742
|
+
#
|
|
743
|
+
# The policy parameter is optional. If you pass a policy, the temporary
|
|
744
|
+
# security credentials that are returned by the operation have the
|
|
745
|
+
# permissions that are allowed by both the access policy of the role
|
|
746
|
+
# that is being assumed, <i> <b>and</b> </i> the policy that you pass.
|
|
747
|
+
# This gives you a way to further restrict the permissions for the
|
|
748
|
+
# resulting temporary security credentials. You cannot use the passed
|
|
749
|
+
# policy to grant permissions that are in excess of those allowed by the
|
|
750
|
+
# access policy of the role that is being assumed. For more information,
|
|
751
|
+
# see [Permissions for AssumeRoleWithWebIdentity][1] in the *IAM User
|
|
752
|
+
# Guide*.
|
|
753
|
+
#
|
|
754
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
755
|
+
# string of characters up to 2048 characters in length. The characters
|
|
756
|
+
# can be any ASCII character from the space character to the end of the
|
|
757
|
+
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
758
|
+
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
759
|
+
# characters.
|
|
760
|
+
#
|
|
761
|
+
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
762
|
+
# internal conversion compresses it into a packed binary format with a
|
|
763
|
+
# separate limit. The PackedPolicySize response element indicates by
|
|
764
|
+
# percentage how close to the upper size limit the policy is, with 100%
|
|
765
|
+
# equaling the maximum allowed size.
|
|
766
|
+
#
|
|
767
|
+
# </note>
|
|
768
|
+
#
|
|
769
|
+
#
|
|
770
|
+
#
|
|
771
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html
|
|
772
|
+
#
|
|
773
|
+
# @option params [Integer] :duration_seconds
|
|
774
|
+
# The duration, in seconds, of the role session. The value can range
|
|
775
|
+
# from 900 seconds (15 minutes) to 3600 seconds (1 hour). By default,
|
|
776
|
+
# the value is set to 3600 seconds.
|
|
777
|
+
#
|
|
778
|
+
# <note markdown="1"> This is separate from the duration of a console session that you might
|
|
779
|
+
# request using the returned credentials. The request to the federation
|
|
780
|
+
# endpoint for a console sign-in token takes a `SessionDuration`
|
|
781
|
+
# parameter that specifies the maximum length of the console session,
|
|
782
|
+
# separately from the `DurationSeconds` parameter on this API. For more
|
|
783
|
+
# information, see [Creating a URL that Enables Federated Users to
|
|
784
|
+
# Access the AWS Management Console][1] in the *IAM User Guide*.
|
|
785
|
+
#
|
|
786
|
+
# </note>
|
|
787
|
+
#
|
|
788
|
+
#
|
|
789
|
+
#
|
|
790
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
|
|
791
|
+
#
|
|
792
|
+
# @return [Types::AssumeRoleWithWebIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
793
|
+
#
|
|
794
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#credentials #credentials} => Types::Credentials
|
|
795
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#subject_from_web_identity_token #subject_from_web_identity_token} => String
|
|
796
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
|
|
797
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
|
|
798
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
|
|
799
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
|
|
800
|
+
#
|
|
801
|
+
# @example Request syntax with placeholder values
|
|
802
|
+
#
|
|
803
|
+
# resp = client.assume_role_with_web_identity({
|
|
804
|
+
# role_arn: "arnType", # required
|
|
805
|
+
# role_session_name: "roleSessionNameType", # required
|
|
806
|
+
# web_identity_token: "clientTokenType", # required
|
|
807
|
+
# provider_id: "urlType",
|
|
808
|
+
# policy: "sessionPolicyDocumentType",
|
|
809
|
+
# duration_seconds: 1,
|
|
810
|
+
# })
|
|
811
|
+
#
|
|
812
|
+
# @example Response structure
|
|
813
|
+
#
|
|
814
|
+
# resp.credentials.access_key_id #=> String
|
|
815
|
+
# resp.credentials.secret_access_key #=> String
|
|
816
|
+
# resp.credentials.session_token #=> String
|
|
817
|
+
# resp.credentials.expiration #=> Time
|
|
818
|
+
# resp.subject_from_web_identity_token #=> String
|
|
819
|
+
# resp.assumed_role_user.assumed_role_id #=> String
|
|
820
|
+
# resp.assumed_role_user.arn #=> String
|
|
821
|
+
# resp.packed_policy_size #=> Integer
|
|
822
|
+
# resp.provider #=> String
|
|
823
|
+
# resp.audience #=> String
|
|
824
|
+
#
|
|
825
|
+
# @overload assume_role_with_web_identity(params = {})
|
|
826
|
+
# @param [Hash] params ({})
|
|
827
|
+
def assume_role_with_web_identity(params = {}, options = {})
|
|
828
|
+
req = build_request(:assume_role_with_web_identity, params)
|
|
829
|
+
req.send_request(options)
|
|
830
|
+
end
|
|
848
831
|
|
|
849
|
-
|
|
850
|
-
|
|
851
|
-
|
|
852
|
-
|
|
853
|
-
|
|
854
|
-
|
|
855
|
-
|
|
856
|
-
|
|
857
|
-
|
|
858
|
-
|
|
859
|
-
|
|
860
|
-
|
|
861
|
-
|
|
862
|
-
|
|
863
|
-
|
|
864
|
-
|
|
865
|
-
|
|
866
|
-
|
|
867
|
-
|
|
868
|
-
|
|
869
|
-
|
|
832
|
+
# Decodes additional information about the authorization status of a
|
|
833
|
+
# request from an encoded message returned in response to an AWS
|
|
834
|
+
# request.
|
|
835
|
+
#
|
|
836
|
+
# For example, if a user is not authorized to perform an action that he
|
|
837
|
+
# or she has requested, the request returns a
|
|
838
|
+
# `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
|
|
839
|
+
# AWS actions additionally return an encoded message that can provide
|
|
840
|
+
# details about this authorization failure.
|
|
841
|
+
#
|
|
842
|
+
# <note markdown="1"> Only certain AWS actions return an encoded authorization message. The
|
|
843
|
+
# documentation for an individual action indicates whether that action
|
|
844
|
+
# returns an encoded message in addition to returning an HTTP code.
|
|
845
|
+
#
|
|
846
|
+
# </note>
|
|
847
|
+
#
|
|
848
|
+
# The message is encoded because the details of the authorization status
|
|
849
|
+
# can constitute privileged information that the user who requested the
|
|
850
|
+
# action should not see. To decode an authorization status message, a
|
|
851
|
+
# user must be granted permissions via an IAM policy to request the
|
|
852
|
+
# `DecodeAuthorizationMessage` (`sts:DecodeAuthorizationMessage`)
|
|
853
|
+
# action.
|
|
854
|
+
#
|
|
855
|
+
# The decoded message includes the following type of information:
|
|
856
|
+
#
|
|
857
|
+
# * Whether the request was denied due to an explicit deny or due to the
|
|
858
|
+
# absence of an explicit allow. For more information, see [Determining
|
|
859
|
+
# Whether a Request is Allowed or Denied][1] in the *IAM User Guide*.
|
|
860
|
+
#
|
|
861
|
+
# * The principal who made the request.
|
|
862
|
+
#
|
|
863
|
+
# * The requested action.
|
|
864
|
+
#
|
|
865
|
+
# * The requested resource.
|
|
866
|
+
#
|
|
867
|
+
# * The values of condition keys in the context of the user's request.
|
|
868
|
+
#
|
|
869
|
+
#
|
|
870
|
+
#
|
|
871
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow
|
|
872
|
+
#
|
|
873
|
+
# @option params [required, String] :encoded_message
|
|
874
|
+
# The encoded message that was returned with the response.
|
|
875
|
+
#
|
|
876
|
+
# @return [Types::DecodeAuthorizationMessageResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
877
|
+
#
|
|
878
|
+
# * {Types::DecodeAuthorizationMessageResponse#decoded_message #decoded_message} => String
|
|
879
|
+
#
|
|
880
|
+
# @example Request syntax with placeholder values
|
|
881
|
+
#
|
|
882
|
+
# resp = client.decode_authorization_message({
|
|
883
|
+
# encoded_message: "encodedMessageType", # required
|
|
884
|
+
# })
|
|
885
|
+
#
|
|
886
|
+
# @example Response structure
|
|
887
|
+
#
|
|
888
|
+
# resp.decoded_message #=> String
|
|
889
|
+
#
|
|
890
|
+
# @overload decode_authorization_message(params = {})
|
|
891
|
+
# @param [Hash] params ({})
|
|
892
|
+
def decode_authorization_message(params = {}, options = {})
|
|
893
|
+
req = build_request(:decode_authorization_message, params)
|
|
894
|
+
req.send_request(options)
|
|
895
|
+
end
|
|
870
896
|
|
|
871
|
-
|
|
872
|
-
|
|
873
|
-
|
|
874
|
-
|
|
875
|
-
|
|
876
|
-
|
|
877
|
-
|
|
878
|
-
|
|
879
|
-
|
|
880
|
-
|
|
881
|
-
|
|
882
|
-
|
|
883
|
-
|
|
884
|
-
|
|
885
|
-
|
|
886
|
-
|
|
887
|
-
|
|
888
|
-
|
|
889
|
-
|
|
890
|
-
|
|
891
|
-
|
|
892
|
-
#
|
|
893
|
-
# The `GetFederationToken` action must be called by using the long-term
|
|
894
|
-
# AWS security credentials of an IAM user. You can also call
|
|
895
|
-
# `GetFederationToken` using the security credentials of an AWS root
|
|
896
|
-
# account, but we do not recommended it. Instead, we recommend that you
|
|
897
|
-
# create an IAM user for the purpose of the proxy application and then
|
|
898
|
-
# attach a policy to the IAM user that limits federated users to only
|
|
899
|
-
# the actions and resources that they need access to. For more
|
|
900
|
-
# information, see [IAM Best Practices][5] in the *IAM User Guide*.
|
|
901
|
-
#
|
|
902
|
-
# The temporary security credentials that are obtained by using the
|
|
903
|
-
# long-term credentials of an IAM user are valid for the specified
|
|
904
|
-
# duration, from 900 seconds (15 minutes) up to a maximium of 129600
|
|
905
|
-
# seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
|
|
906
|
-
# credentials that are obtained by using AWS root account credentials
|
|
907
|
-
# have a maximum duration of 3600 seconds (1 hour).
|
|
908
|
-
#
|
|
909
|
-
# The temporary security credentials created by `GetFederationToken` can
|
|
910
|
-
# be used to make API calls to any AWS service with the following
|
|
911
|
-
# exceptions:
|
|
912
|
-
#
|
|
913
|
-
# * You cannot use these credentials to call any IAM APIs.
|
|
914
|
-
#
|
|
915
|
-
# * You cannot call any STS APIs except `GetCallerIdentity`.
|
|
916
|
-
#
|
|
917
|
-
# **Permissions**
|
|
918
|
-
#
|
|
919
|
-
# The permissions for the temporary security credentials returned by
|
|
920
|
-
# `GetFederationToken` are determined by a combination of the following:
|
|
921
|
-
#
|
|
922
|
-
# * The policy or policies that are attached to the IAM user whose
|
|
923
|
-
# credentials are used to call `GetFederationToken`.
|
|
924
|
-
#
|
|
925
|
-
# * The policy that is passed as a parameter in the call.
|
|
926
|
-
#
|
|
927
|
-
# The passed policy is attached to the temporary security credentials
|
|
928
|
-
# that result from the `GetFederationToken` API call--that is, to the
|
|
929
|
-
# *federated user*. When the federated user makes an AWS request, AWS
|
|
930
|
-
# evaluates the policy attached to the federated user in combination
|
|
931
|
-
# with the policy or policies attached to the IAM user whose credentials
|
|
932
|
-
# were used to call `GetFederationToken`. AWS allows the federated
|
|
933
|
-
# user's request only when both the federated user <i> <b>and</b> </i>
|
|
934
|
-
# the IAM user are explicitly allowed to perform the requested action.
|
|
935
|
-
# The passed policy cannot grant more permissions than those that are
|
|
936
|
-
# defined in the IAM user policy.
|
|
937
|
-
#
|
|
938
|
-
# A typical use case is that the permissions of the IAM user whose
|
|
939
|
-
# credentials are used to call `GetFederationToken` are designed to
|
|
940
|
-
# allow access to all the actions and resources that any federated user
|
|
941
|
-
# will need. Then, for individual users, you pass a policy to the
|
|
942
|
-
# operation that scopes down the permissions to a level that's
|
|
943
|
-
# appropriate to that individual user, using a policy that allows only a
|
|
944
|
-
# subset of permissions that are granted to the IAM user.
|
|
945
|
-
#
|
|
946
|
-
# If you do not pass a policy, the resulting temporary security
|
|
947
|
-
# credentials have no effective permissions. The only exception is when
|
|
948
|
-
# the temporary security credentials are used to access a resource that
|
|
949
|
-
# has a resource-based policy that specifically allows the federated
|
|
950
|
-
# user to access the resource.
|
|
951
|
-
#
|
|
952
|
-
# For more information about how permissions work, see [Permissions for
|
|
953
|
-
# GetFederationToken][6]. For information about using
|
|
954
|
-
# `GetFederationToken` to create temporary security credentials, see
|
|
955
|
-
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
|
956
|
-
#
|
|
957
|
-
#
|
|
958
|
-
#
|
|
959
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
960
|
-
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
961
|
-
# [3]: http://aws.amazon.com/cognito/
|
|
962
|
-
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
963
|
-
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
|
|
964
|
-
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
|
|
965
|
-
# [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
|
966
|
-
# @option params [required, String] :name
|
|
967
|
-
# The name of the federated user. The name is used as an identifier for
|
|
968
|
-
# the temporary security credentials (such as `Bob`). For example, you
|
|
969
|
-
# can reference the federated user name in a resource-based policy, such
|
|
970
|
-
# as in an Amazon S3 bucket policy.
|
|
971
|
-
#
|
|
972
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
973
|
-
# string of characters consisting of upper- and lower-case alphanumeric
|
|
974
|
-
# characters with no spaces. You can also include underscores or any of
|
|
975
|
-
# the following characters: =,.@-
|
|
976
|
-
# @option params [String] :policy
|
|
977
|
-
# An IAM policy in JSON format that is passed with the
|
|
978
|
-
# `GetFederationToken` call and evaluated along with the policy or
|
|
979
|
-
# policies that are attached to the IAM user whose credentials are used
|
|
980
|
-
# to call `GetFederationToken`. The passed policy is used to scope down
|
|
981
|
-
# the permissions that are available to the IAM user, by allowing only a
|
|
982
|
-
# subset of the permissions that are granted to the IAM user. The passed
|
|
983
|
-
# policy cannot grant more permissions than those granted to the IAM
|
|
984
|
-
# user. The final permissions for the federated user are the most
|
|
985
|
-
# restrictive set based on the intersection of the passed policy and the
|
|
986
|
-
# IAM user policy.
|
|
987
|
-
#
|
|
988
|
-
# If you do not pass a policy, the resulting temporary security
|
|
989
|
-
# credentials have no effective permissions. The only exception is when
|
|
990
|
-
# the temporary security credentials are used to access a resource that
|
|
991
|
-
# has a resource-based policy that specifically allows the federated
|
|
992
|
-
# user to access the resource.
|
|
993
|
-
#
|
|
994
|
-
# The format for this parameter, as described by its regex pattern, is a
|
|
995
|
-
# string of characters up to 2048 characters in length. The characters
|
|
996
|
-
# can be any ASCII character from the space character to the end of the
|
|
997
|
-
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
998
|
-
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
999
|
-
# characters.
|
|
1000
|
-
#
|
|
1001
|
-
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
1002
|
-
# internal conversion compresses it into a packed binary format with a
|
|
1003
|
-
# separate limit. The PackedPolicySize response element indicates by
|
|
1004
|
-
# percentage how close to the upper size limit the policy is, with 100%
|
|
1005
|
-
# equaling the maximum allowed size.
|
|
1006
|
-
#
|
|
1007
|
-
# </note>
|
|
1008
|
-
#
|
|
1009
|
-
# For more information about how permissions work, see [Permissions for
|
|
1010
|
-
# GetFederationToken][1].
|
|
1011
|
-
#
|
|
1012
|
-
#
|
|
1013
|
-
#
|
|
1014
|
-
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
|
|
1015
|
-
# @option params [Integer] :duration_seconds
|
|
1016
|
-
# The duration, in seconds, that the session should last. Acceptable
|
|
1017
|
-
# durations for federation sessions range from 900 seconds (15 minutes)
|
|
1018
|
-
# to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
|
|
1019
|
-
# default. Sessions obtained using AWS account (root) credentials are
|
|
1020
|
-
# restricted to a maximum of 3600 seconds (one hour). If the specified
|
|
1021
|
-
# duration is longer than one hour, the session obtained by using AWS
|
|
1022
|
-
# account (root) credentials defaults to one hour.
|
|
1023
|
-
# @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1024
|
-
#
|
|
1025
|
-
# * {Types::GetFederationTokenResponse#credentials #Credentials} => Types::Credentials
|
|
1026
|
-
# * {Types::GetFederationTokenResponse#federated_user #FederatedUser} => Types::FederatedUser
|
|
1027
|
-
# * {Types::GetFederationTokenResponse#packed_policy_size #PackedPolicySize} => Integer
|
|
1028
|
-
#
|
|
1029
|
-
# @example Request syntax with placeholder values
|
|
1030
|
-
# resp = client.get_federation_token({
|
|
1031
|
-
# name: "userNameType", # required
|
|
1032
|
-
# policy: "sessionPolicyDocumentType",
|
|
1033
|
-
# duration_seconds: 1,
|
|
1034
|
-
# })
|
|
1035
|
-
#
|
|
1036
|
-
# @example Response structure
|
|
1037
|
-
# resp.credentials.access_key_id #=> String
|
|
1038
|
-
# resp.credentials.secret_access_key #=> String
|
|
1039
|
-
# resp.credentials.session_token #=> String
|
|
1040
|
-
# resp.credentials.expiration #=> Time
|
|
1041
|
-
# resp.federated_user.federated_user_id #=> String
|
|
1042
|
-
# resp.federated_user.arn #=> String
|
|
1043
|
-
# resp.packed_policy_size #=> Integer
|
|
1044
|
-
# @overload get_federation_token(params = {})
|
|
1045
|
-
# @param [Hash] params ({})
|
|
1046
|
-
def get_federation_token(params = {}, options = {})
|
|
1047
|
-
req = build_request(:get_federation_token, params)
|
|
1048
|
-
req.send_request(options)
|
|
1049
|
-
end
|
|
897
|
+
# Returns details about the IAM identity whose credentials are used to
|
|
898
|
+
# call the API.
|
|
899
|
+
#
|
|
900
|
+
# @return [Types::GetCallerIdentityResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
901
|
+
#
|
|
902
|
+
# * {Types::GetCallerIdentityResponse#user_id #user_id} => String
|
|
903
|
+
# * {Types::GetCallerIdentityResponse#account #account} => String
|
|
904
|
+
# * {Types::GetCallerIdentityResponse#arn #arn} => String
|
|
905
|
+
#
|
|
906
|
+
# @example Response structure
|
|
907
|
+
#
|
|
908
|
+
# resp.user_id #=> String
|
|
909
|
+
# resp.account #=> String
|
|
910
|
+
# resp.arn #=> String
|
|
911
|
+
#
|
|
912
|
+
# @overload get_caller_identity(params = {})
|
|
913
|
+
# @param [Hash] params ({})
|
|
914
|
+
def get_caller_identity(params = {}, options = {})
|
|
915
|
+
req = build_request(:get_caller_identity, params)
|
|
916
|
+
req.send_request(options)
|
|
917
|
+
end
|
|
1050
918
|
|
|
1051
|
-
|
|
1052
|
-
|
|
1053
|
-
|
|
1054
|
-
|
|
1055
|
-
|
|
1056
|
-
|
|
1057
|
-
|
|
1058
|
-
|
|
1059
|
-
|
|
1060
|
-
|
|
1061
|
-
|
|
1062
|
-
|
|
1063
|
-
|
|
1064
|
-
|
|
1065
|
-
|
|
1066
|
-
|
|
1067
|
-
|
|
1068
|
-
|
|
1069
|
-
|
|
1070
|
-
|
|
1071
|
-
|
|
1072
|
-
|
|
1073
|
-
|
|
1074
|
-
|
|
1075
|
-
|
|
1076
|
-
|
|
1077
|
-
|
|
1078
|
-
|
|
1079
|
-
|
|
1080
|
-
|
|
1081
|
-
|
|
1082
|
-
|
|
1083
|
-
|
|
1084
|
-
|
|
1085
|
-
|
|
1086
|
-
|
|
1087
|
-
|
|
1088
|
-
|
|
1089
|
-
|
|
1090
|
-
|
|
1091
|
-
|
|
1092
|
-
|
|
1093
|
-
|
|
1094
|
-
|
|
1095
|
-
|
|
1096
|
-
|
|
1097
|
-
|
|
1098
|
-
|
|
1099
|
-
|
|
1100
|
-
|
|
1101
|
-
|
|
1102
|
-
|
|
1103
|
-
|
|
1104
|
-
|
|
1105
|
-
|
|
1106
|
-
|
|
1107
|
-
|
|
1108
|
-
|
|
1109
|
-
|
|
1110
|
-
|
|
1111
|
-
|
|
1112
|
-
|
|
1113
|
-
|
|
1114
|
-
|
|
1115
|
-
|
|
1116
|
-
|
|
1117
|
-
|
|
1118
|
-
|
|
1119
|
-
|
|
1120
|
-
|
|
1121
|
-
|
|
1122
|
-
|
|
1123
|
-
|
|
1124
|
-
|
|
1125
|
-
|
|
1126
|
-
|
|
1127
|
-
|
|
1128
|
-
|
|
1129
|
-
|
|
1130
|
-
|
|
1131
|
-
|
|
1132
|
-
|
|
1133
|
-
|
|
1134
|
-
|
|
1135
|
-
|
|
1136
|
-
|
|
1137
|
-
|
|
1138
|
-
|
|
1139
|
-
|
|
1140
|
-
|
|
1141
|
-
|
|
1142
|
-
|
|
1143
|
-
|
|
1144
|
-
|
|
1145
|
-
|
|
1146
|
-
|
|
1147
|
-
|
|
1148
|
-
|
|
1149
|
-
|
|
1150
|
-
|
|
1151
|
-
|
|
1152
|
-
|
|
1153
|
-
|
|
1154
|
-
|
|
1155
|
-
|
|
1156
|
-
|
|
1157
|
-
|
|
1158
|
-
|
|
1159
|
-
|
|
1160
|
-
|
|
1161
|
-
|
|
919
|
+
# Returns a set of temporary security credentials (consisting of an
|
|
920
|
+
# access key ID, a secret access key, and a security token) for a
|
|
921
|
+
# federated user. A typical use is in a proxy application that gets
|
|
922
|
+
# temporary security credentials on behalf of distributed applications
|
|
923
|
+
# inside a corporate network. Because you must call the
|
|
924
|
+
# `GetFederationToken` action using the long-term security credentials
|
|
925
|
+
# of an IAM user, this call is appropriate in contexts where those
|
|
926
|
+
# credentials can be safely stored, usually in a server-based
|
|
927
|
+
# application. For a comparison of `GetFederationToken` with the other
|
|
928
|
+
# APIs that produce temporary credentials, see [Requesting Temporary
|
|
929
|
+
# Security Credentials][1] and [Comparing the AWS STS APIs][2] in the
|
|
930
|
+
# *IAM User Guide*.
|
|
931
|
+
#
|
|
932
|
+
# <note markdown="1"> If you are creating a mobile-based or browser-based app that can
|
|
933
|
+
# authenticate users using a web identity provider like Login with
|
|
934
|
+
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
|
935
|
+
# provider, we recommend that you use [Amazon Cognito][3] or
|
|
936
|
+
# `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
|
937
|
+
# Through a Web-based Identity Provider][4].
|
|
938
|
+
#
|
|
939
|
+
# </note>
|
|
940
|
+
#
|
|
941
|
+
# The `GetFederationToken` action must be called by using the long-term
|
|
942
|
+
# AWS security credentials of an IAM user. You can also call
|
|
943
|
+
# `GetFederationToken` using the security credentials of an AWS root
|
|
944
|
+
# account, but we do not recommended it. Instead, we recommend that you
|
|
945
|
+
# create an IAM user for the purpose of the proxy application and then
|
|
946
|
+
# attach a policy to the IAM user that limits federated users to only
|
|
947
|
+
# the actions and resources that they need access to. For more
|
|
948
|
+
# information, see [IAM Best Practices][5] in the *IAM User Guide*.
|
|
949
|
+
#
|
|
950
|
+
# The temporary security credentials that are obtained by using the
|
|
951
|
+
# long-term credentials of an IAM user are valid for the specified
|
|
952
|
+
# duration, from 900 seconds (15 minutes) up to a maximium of 129600
|
|
953
|
+
# seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
|
|
954
|
+
# credentials that are obtained by using AWS root account credentials
|
|
955
|
+
# have a maximum duration of 3600 seconds (1 hour).
|
|
956
|
+
#
|
|
957
|
+
# The temporary security credentials created by `GetFederationToken` can
|
|
958
|
+
# be used to make API calls to any AWS service with the following
|
|
959
|
+
# exceptions:
|
|
960
|
+
#
|
|
961
|
+
# * You cannot use these credentials to call any IAM APIs.
|
|
962
|
+
#
|
|
963
|
+
# * You cannot call any STS APIs except `GetCallerIdentity`.
|
|
964
|
+
#
|
|
965
|
+
# **Permissions**
|
|
966
|
+
#
|
|
967
|
+
# The permissions for the temporary security credentials returned by
|
|
968
|
+
# `GetFederationToken` are determined by a combination of the following:
|
|
969
|
+
#
|
|
970
|
+
# * The policy or policies that are attached to the IAM user whose
|
|
971
|
+
# credentials are used to call `GetFederationToken`.
|
|
972
|
+
#
|
|
973
|
+
# * The policy that is passed as a parameter in the call.
|
|
974
|
+
#
|
|
975
|
+
# The passed policy is attached to the temporary security credentials
|
|
976
|
+
# that result from the `GetFederationToken` API call--that is, to the
|
|
977
|
+
# *federated user*. When the federated user makes an AWS request, AWS
|
|
978
|
+
# evaluates the policy attached to the federated user in combination
|
|
979
|
+
# with the policy or policies attached to the IAM user whose credentials
|
|
980
|
+
# were used to call `GetFederationToken`. AWS allows the federated
|
|
981
|
+
# user's request only when both the federated user <i> <b>and</b> </i>
|
|
982
|
+
# the IAM user are explicitly allowed to perform the requested action.
|
|
983
|
+
# The passed policy cannot grant more permissions than those that are
|
|
984
|
+
# defined in the IAM user policy.
|
|
985
|
+
#
|
|
986
|
+
# A typical use case is that the permissions of the IAM user whose
|
|
987
|
+
# credentials are used to call `GetFederationToken` are designed to
|
|
988
|
+
# allow access to all the actions and resources that any federated user
|
|
989
|
+
# will need. Then, for individual users, you pass a policy to the
|
|
990
|
+
# operation that scopes down the permissions to a level that's
|
|
991
|
+
# appropriate to that individual user, using a policy that allows only a
|
|
992
|
+
# subset of permissions that are granted to the IAM user.
|
|
993
|
+
#
|
|
994
|
+
# If you do not pass a policy, the resulting temporary security
|
|
995
|
+
# credentials have no effective permissions. The only exception is when
|
|
996
|
+
# the temporary security credentials are used to access a resource that
|
|
997
|
+
# has a resource-based policy that specifically allows the federated
|
|
998
|
+
# user to access the resource.
|
|
999
|
+
#
|
|
1000
|
+
# For more information about how permissions work, see [Permissions for
|
|
1001
|
+
# GetFederationToken][6]. For information about using
|
|
1002
|
+
# `GetFederationToken` to create temporary security credentials, see
|
|
1003
|
+
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
|
1004
|
+
#
|
|
1005
|
+
#
|
|
1006
|
+
#
|
|
1007
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1008
|
+
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1009
|
+
# [3]: http://aws.amazon.com/cognito/
|
|
1010
|
+
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity
|
|
1011
|
+
# [5]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
|
|
1012
|
+
# [6]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
|
|
1013
|
+
# [7]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken
|
|
1014
|
+
#
|
|
1015
|
+
# @option params [required, String] :name
|
|
1016
|
+
# The name of the federated user. The name is used as an identifier for
|
|
1017
|
+
# the temporary security credentials (such as `Bob`). For example, you
|
|
1018
|
+
# can reference the federated user name in a resource-based policy, such
|
|
1019
|
+
# as in an Amazon S3 bucket policy.
|
|
1020
|
+
#
|
|
1021
|
+
# The regex used to validate this parameter is a string of characters
|
|
1022
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
1023
|
+
# spaces. You can also include underscores or any of the following
|
|
1024
|
+
# characters: =,.@-
|
|
1025
|
+
#
|
|
1026
|
+
# @option params [String] :policy
|
|
1027
|
+
# An IAM policy in JSON format that is passed with the
|
|
1028
|
+
# `GetFederationToken` call and evaluated along with the policy or
|
|
1029
|
+
# policies that are attached to the IAM user whose credentials are used
|
|
1030
|
+
# to call `GetFederationToken`. The passed policy is used to scope down
|
|
1031
|
+
# the permissions that are available to the IAM user, by allowing only a
|
|
1032
|
+
# subset of the permissions that are granted to the IAM user. The passed
|
|
1033
|
+
# policy cannot grant more permissions than those granted to the IAM
|
|
1034
|
+
# user. The final permissions for the federated user are the most
|
|
1035
|
+
# restrictive set based on the intersection of the passed policy and the
|
|
1036
|
+
# IAM user policy.
|
|
1037
|
+
#
|
|
1038
|
+
# If you do not pass a policy, the resulting temporary security
|
|
1039
|
+
# credentials have no effective permissions. The only exception is when
|
|
1040
|
+
# the temporary security credentials are used to access a resource that
|
|
1041
|
+
# has a resource-based policy that specifically allows the federated
|
|
1042
|
+
# user to access the resource.
|
|
1043
|
+
#
|
|
1044
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
1045
|
+
# string of characters up to 2048 characters in length. The characters
|
|
1046
|
+
# can be any ASCII character from the space character to the end of the
|
|
1047
|
+
# valid character list (\\u0020-\\u00FF). It can also include the tab
|
|
1048
|
+
# (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
|
1049
|
+
# characters.
|
|
1050
|
+
#
|
|
1051
|
+
# <note markdown="1"> The policy plain text must be 2048 bytes or shorter. However, an
|
|
1052
|
+
# internal conversion compresses it into a packed binary format with a
|
|
1053
|
+
# separate limit. The PackedPolicySize response element indicates by
|
|
1054
|
+
# percentage how close to the upper size limit the policy is, with 100%
|
|
1055
|
+
# equaling the maximum allowed size.
|
|
1056
|
+
#
|
|
1057
|
+
# </note>
|
|
1058
|
+
#
|
|
1059
|
+
# For more information about how permissions work, see [Permissions for
|
|
1060
|
+
# GetFederationToken][1].
|
|
1061
|
+
#
|
|
1062
|
+
#
|
|
1063
|
+
#
|
|
1064
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html
|
|
1065
|
+
#
|
|
1066
|
+
# @option params [Integer] :duration_seconds
|
|
1067
|
+
# The duration, in seconds, that the session should last. Acceptable
|
|
1068
|
+
# durations for federation sessions range from 900 seconds (15 minutes)
|
|
1069
|
+
# to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
|
|
1070
|
+
# default. Sessions obtained using AWS account (root) credentials are
|
|
1071
|
+
# restricted to a maximum of 3600 seconds (one hour). If the specified
|
|
1072
|
+
# duration is longer than one hour, the session obtained by using AWS
|
|
1073
|
+
# account (root) credentials defaults to one hour.
|
|
1074
|
+
#
|
|
1075
|
+
# @return [Types::GetFederationTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1076
|
+
#
|
|
1077
|
+
# * {Types::GetFederationTokenResponse#credentials #credentials} => Types::Credentials
|
|
1078
|
+
# * {Types::GetFederationTokenResponse#federated_user #federated_user} => Types::FederatedUser
|
|
1079
|
+
# * {Types::GetFederationTokenResponse#packed_policy_size #packed_policy_size} => Integer
|
|
1080
|
+
#
|
|
1081
|
+
# @example Request syntax with placeholder values
|
|
1082
|
+
#
|
|
1083
|
+
# resp = client.get_federation_token({
|
|
1084
|
+
# name: "userNameType", # required
|
|
1085
|
+
# policy: "sessionPolicyDocumentType",
|
|
1086
|
+
# duration_seconds: 1,
|
|
1087
|
+
# })
|
|
1088
|
+
#
|
|
1089
|
+
# @example Response structure
|
|
1090
|
+
#
|
|
1091
|
+
# resp.credentials.access_key_id #=> String
|
|
1092
|
+
# resp.credentials.secret_access_key #=> String
|
|
1093
|
+
# resp.credentials.session_token #=> String
|
|
1094
|
+
# resp.credentials.expiration #=> Time
|
|
1095
|
+
# resp.federated_user.federated_user_id #=> String
|
|
1096
|
+
# resp.federated_user.arn #=> String
|
|
1097
|
+
# resp.packed_policy_size #=> Integer
|
|
1098
|
+
#
|
|
1099
|
+
# @overload get_federation_token(params = {})
|
|
1100
|
+
# @param [Hash] params ({})
|
|
1101
|
+
def get_federation_token(params = {}, options = {})
|
|
1102
|
+
req = build_request(:get_federation_token, params)
|
|
1103
|
+
req.send_request(options)
|
|
1104
|
+
end
|
|
1162
1105
|
|
|
1163
|
-
|
|
1106
|
+
# Returns a set of temporary credentials for an AWS account or IAM user.
|
|
1107
|
+
# The credentials consist of an access key ID, a secret access key, and
|
|
1108
|
+
# a security token. Typically, you use `GetSessionToken` if you want to
|
|
1109
|
+
# use MFA to protect programmatic calls to specific AWS APIs like Amazon
|
|
1110
|
+
# EC2 `StopInstances`. MFA-enabled IAM users would need to call
|
|
1111
|
+
# `GetSessionToken` and submit an MFA code that is associated with their
|
|
1112
|
+
# MFA device. Using the temporary security credentials that are returned
|
|
1113
|
+
# from the call, IAM users can then make programmatic calls to APIs that
|
|
1114
|
+
# require MFA authentication. If you do not supply a correct MFA code,
|
|
1115
|
+
# then the API returns an access denied error. For a comparison of
|
|
1116
|
+
# `GetSessionToken` with the other APIs that produce temporary
|
|
1117
|
+
# credentials, see [Requesting Temporary Security Credentials][1] and
|
|
1118
|
+
# [Comparing the AWS STS APIs][2] in the *IAM User Guide*.
|
|
1119
|
+
#
|
|
1120
|
+
# The `GetSessionToken` action must be called by using the long-term AWS
|
|
1121
|
+
# security credentials of the AWS account or an IAM user. Credentials
|
|
1122
|
+
# that are created by IAM users are valid for the duration that you
|
|
1123
|
+
# specify, from 900 seconds (15 minutes) up to a maximum of 129600
|
|
1124
|
+
# seconds (36 hours), with a default of 43200 seconds (12 hours);
|
|
1125
|
+
# credentials that are created by using account credentials can range
|
|
1126
|
+
# from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
|
|
1127
|
+
# hour), with a default of 1 hour.
|
|
1128
|
+
#
|
|
1129
|
+
# The temporary security credentials created by `GetSessionToken` can be
|
|
1130
|
+
# used to make API calls to any AWS service with the following
|
|
1131
|
+
# exceptions:
|
|
1132
|
+
#
|
|
1133
|
+
# * You cannot call any IAM APIs unless MFA authentication information
|
|
1134
|
+
# is included in the request.
|
|
1135
|
+
#
|
|
1136
|
+
# * You cannot call any STS API *except* `AssumeRole` or
|
|
1137
|
+
# `GetCallerIdentity`.
|
|
1138
|
+
#
|
|
1139
|
+
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with root account
|
|
1140
|
+
# credentials. Instead, follow our [best practices][3] by creating one
|
|
1141
|
+
# or more IAM users, giving them the necessary permissions, and using
|
|
1142
|
+
# IAM users for everyday interaction with AWS.
|
|
1143
|
+
#
|
|
1144
|
+
# </note>
|
|
1145
|
+
#
|
|
1146
|
+
# The permissions associated with the temporary security credentials
|
|
1147
|
+
# returned by `GetSessionToken` are based on the permissions associated
|
|
1148
|
+
# with account or IAM user whose credentials are used to call the
|
|
1149
|
+
# action. If `GetSessionToken` is called using root account credentials,
|
|
1150
|
+
# the temporary credentials have root account permissions. Similarly, if
|
|
1151
|
+
# `GetSessionToken` is called using the credentials of an IAM user, the
|
|
1152
|
+
# temporary credentials have the same permissions as the IAM user.
|
|
1153
|
+
#
|
|
1154
|
+
# For more information about using `GetSessionToken` to create temporary
|
|
1155
|
+
# credentials, go to [Temporary Credentials for Users in Untrusted
|
|
1156
|
+
# Environments][4] in the *IAM User Guide*.
|
|
1157
|
+
#
|
|
1158
|
+
#
|
|
1159
|
+
#
|
|
1160
|
+
# [1]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
|
1161
|
+
# [2]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
|
1162
|
+
# [3]: http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users
|
|
1163
|
+
# [4]: http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken
|
|
1164
|
+
#
|
|
1165
|
+
# @option params [Integer] :duration_seconds
|
|
1166
|
+
# The duration, in seconds, that the credentials should remain valid.
|
|
1167
|
+
# Acceptable durations for IAM user sessions range from 900 seconds (15
|
|
1168
|
+
# minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
|
|
1169
|
+
# as the default. Sessions for AWS account owners are restricted to a
|
|
1170
|
+
# maximum of 3600 seconds (one hour). If the duration is longer than one
|
|
1171
|
+
# hour, the session for AWS account owners defaults to one hour.
|
|
1172
|
+
#
|
|
1173
|
+
# @option params [String] :serial_number
|
|
1174
|
+
# The identification number of the MFA device that is associated with
|
|
1175
|
+
# the IAM user who is making the `GetSessionToken` call. Specify this
|
|
1176
|
+
# value if the IAM user has a policy that requires MFA authentication.
|
|
1177
|
+
# The value is either the serial number for a hardware device (such as
|
|
1178
|
+
# `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
|
|
1179
|
+
# (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
|
|
1180
|
+
# device for an IAM user by going to the AWS Management Console and
|
|
1181
|
+
# viewing the user's security credentials.
|
|
1182
|
+
#
|
|
1183
|
+
# The regex used to validate this parameter is a string of characters
|
|
1184
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
|
1185
|
+
# spaces. You can also include underscores or any of the following
|
|
1186
|
+
# characters: =,.@-
|
|
1187
|
+
#
|
|
1188
|
+
# @option params [String] :token_code
|
|
1189
|
+
# The value provided by the MFA device, if MFA is required. If any
|
|
1190
|
+
# policy requires the IAM user to submit an MFA code, specify this
|
|
1191
|
+
# value. If MFA authentication is required, and the user does not
|
|
1192
|
+
# provide a code when requesting a set of temporary security
|
|
1193
|
+
# credentials, the user will receive an "access denied" response when
|
|
1194
|
+
# requesting resources that require MFA authentication.
|
|
1195
|
+
#
|
|
1196
|
+
# The format for this parameter, as described by its regex pattern, is a
|
|
1197
|
+
# sequence of six numeric digits.
|
|
1198
|
+
#
|
|
1199
|
+
# @return [Types::GetSessionTokenResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
|
1200
|
+
#
|
|
1201
|
+
# * {Types::GetSessionTokenResponse#credentials #credentials} => Types::Credentials
|
|
1202
|
+
#
|
|
1203
|
+
# @example Request syntax with placeholder values
|
|
1204
|
+
#
|
|
1205
|
+
# resp = client.get_session_token({
|
|
1206
|
+
# duration_seconds: 1,
|
|
1207
|
+
# serial_number: "serialNumberType",
|
|
1208
|
+
# token_code: "tokenCodeType",
|
|
1209
|
+
# })
|
|
1210
|
+
#
|
|
1211
|
+
# @example Response structure
|
|
1212
|
+
#
|
|
1213
|
+
# resp.credentials.access_key_id #=> String
|
|
1214
|
+
# resp.credentials.secret_access_key #=> String
|
|
1215
|
+
# resp.credentials.session_token #=> String
|
|
1216
|
+
# resp.credentials.expiration #=> Time
|
|
1217
|
+
#
|
|
1218
|
+
# @overload get_session_token(params = {})
|
|
1219
|
+
# @param [Hash] params ({})
|
|
1220
|
+
def get_session_token(params = {}, options = {})
|
|
1221
|
+
req = build_request(:get_session_token, params)
|
|
1222
|
+
req.send_request(options)
|
|
1223
|
+
end
|
|
1164
1224
|
|
|
1165
|
-
|
|
1166
|
-
# @api private
|
|
1167
|
-
def build_request(operation_name, params = {})
|
|
1168
|
-
handlers = @handlers.for(operation_name)
|
|
1169
|
-
context = Seahorse::Client::RequestContext.new(
|
|
1170
|
-
operation_name: operation_name,
|
|
1171
|
-
operation: config.api.operation(operation_name),
|
|
1172
|
-
client: self,
|
|
1173
|
-
params: params,
|
|
1174
|
-
config: config)
|
|
1175
|
-
context[:gem_name] = 'aws-sdk-core'
|
|
1176
|
-
context[:gem_version] = '3.0.0.rc2'
|
|
1177
|
-
Seahorse::Client::Request.new(handlers, context)
|
|
1178
|
-
end
|
|
1225
|
+
# @!endgroup
|
|
1179
1226
|
|
|
1180
|
-
|
|
1181
|
-
|
|
1182
|
-
|
|
1183
|
-
|
|
1184
|
-
|
|
1227
|
+
# @param params ({})
|
|
1228
|
+
# @api private
|
|
1229
|
+
def build_request(operation_name, params = {})
|
|
1230
|
+
handlers = @handlers.for(operation_name)
|
|
1231
|
+
context = Seahorse::Client::RequestContext.new(
|
|
1232
|
+
operation_name: operation_name,
|
|
1233
|
+
operation: config.api.operation(operation_name),
|
|
1234
|
+
client: self,
|
|
1235
|
+
params: params,
|
|
1236
|
+
config: config)
|
|
1237
|
+
context[:gem_name] = 'aws-sdk-core'
|
|
1238
|
+
context[:gem_version] = '3.0.0.rc2'
|
|
1239
|
+
Seahorse::Client::Request.new(handlers, context)
|
|
1240
|
+
end
|
|
1185
1241
|
|
|
1186
|
-
|
|
1242
|
+
# @api private
|
|
1243
|
+
# @deprecated
|
|
1244
|
+
def waiter_names
|
|
1245
|
+
[]
|
|
1246
|
+
end
|
|
1187
1247
|
|
|
1188
|
-
|
|
1189
|
-
attr_reader :identifier
|
|
1248
|
+
class << self
|
|
1190
1249
|
|
|
1191
|
-
|
|
1192
|
-
|
|
1193
|
-
Errors
|
|
1194
|
-
end
|
|
1250
|
+
# @api private
|
|
1251
|
+
attr_reader :identifier
|
|
1195
1252
|
|
|
1253
|
+
# @api private
|
|
1254
|
+
def errors_module
|
|
1255
|
+
Errors
|
|
1196
1256
|
end
|
|
1257
|
+
|
|
1197
1258
|
end
|
|
1198
1259
|
end
|
|
1199
1260
|
end
|