@aws-sdk/client-sts 3.315.0 → 3.319.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (5) hide show
  1. package/dist-cjs/STS.js +12 -112
  2. package/dist-es/STS.js +12 -112
  3. package/dist-types/STS.d.ts +19 -577
  4. package/dist-types/ts3.4/STS.d.ts +2 -1
  5. package/package.json +7 -7
package/dist-cjs/STS.js CHANGED
@@ -1,6 +1,7 @@
1
1
  "use strict";
2
2
  Object.defineProperty(exports, "__esModule", { value: true });
3
3
  exports.STS = void 0;
4
+ const smithy_client_1 = require("@aws-sdk/smithy-client");
4
5
  const AssumeRoleCommand_1 = require("./commands/AssumeRoleCommand");
5
6
  const AssumeRoleWithSAMLCommand_1 = require("./commands/AssumeRoleWithSAMLCommand");
6
7
  const AssumeRoleWithWebIdentityCommand_1 = require("./commands/AssumeRoleWithWebIdentityCommand");
@@ -10,118 +11,17 @@ const GetCallerIdentityCommand_1 = require("./commands/GetCallerIdentityCommand"
10
11
  const GetFederationTokenCommand_1 = require("./commands/GetFederationTokenCommand");
11
12
  const GetSessionTokenCommand_1 = require("./commands/GetSessionTokenCommand");
12
13
  const STSClient_1 = require("./STSClient");
14
+ const commands = {
15
+ AssumeRoleCommand: AssumeRoleCommand_1.AssumeRoleCommand,
16
+ AssumeRoleWithSAMLCommand: AssumeRoleWithSAMLCommand_1.AssumeRoleWithSAMLCommand,
17
+ AssumeRoleWithWebIdentityCommand: AssumeRoleWithWebIdentityCommand_1.AssumeRoleWithWebIdentityCommand,
18
+ DecodeAuthorizationMessageCommand: DecodeAuthorizationMessageCommand_1.DecodeAuthorizationMessageCommand,
19
+ GetAccessKeyInfoCommand: GetAccessKeyInfoCommand_1.GetAccessKeyInfoCommand,
20
+ GetCallerIdentityCommand: GetCallerIdentityCommand_1.GetCallerIdentityCommand,
21
+ GetFederationTokenCommand: GetFederationTokenCommand_1.GetFederationTokenCommand,
22
+ GetSessionTokenCommand: GetSessionTokenCommand_1.GetSessionTokenCommand,
23
+ };
13
24
  class STS extends STSClient_1.STSClient {
14
- assumeRole(args, optionsOrCb, cb) {
15
- const command = new AssumeRoleCommand_1.AssumeRoleCommand(args);
16
- if (typeof optionsOrCb === "function") {
17
- this.send(command, optionsOrCb);
18
- }
19
- else if (typeof cb === "function") {
20
- if (typeof optionsOrCb !== "object")
21
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
22
- this.send(command, optionsOrCb || {}, cb);
23
- }
24
- else {
25
- return this.send(command, optionsOrCb);
26
- }
27
- }
28
- assumeRoleWithSAML(args, optionsOrCb, cb) {
29
- const command = new AssumeRoleWithSAMLCommand_1.AssumeRoleWithSAMLCommand(args);
30
- if (typeof optionsOrCb === "function") {
31
- this.send(command, optionsOrCb);
32
- }
33
- else if (typeof cb === "function") {
34
- if (typeof optionsOrCb !== "object")
35
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
36
- this.send(command, optionsOrCb || {}, cb);
37
- }
38
- else {
39
- return this.send(command, optionsOrCb);
40
- }
41
- }
42
- assumeRoleWithWebIdentity(args, optionsOrCb, cb) {
43
- const command = new AssumeRoleWithWebIdentityCommand_1.AssumeRoleWithWebIdentityCommand(args);
44
- if (typeof optionsOrCb === "function") {
45
- this.send(command, optionsOrCb);
46
- }
47
- else if (typeof cb === "function") {
48
- if (typeof optionsOrCb !== "object")
49
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
50
- this.send(command, optionsOrCb || {}, cb);
51
- }
52
- else {
53
- return this.send(command, optionsOrCb);
54
- }
55
- }
56
- decodeAuthorizationMessage(args, optionsOrCb, cb) {
57
- const command = new DecodeAuthorizationMessageCommand_1.DecodeAuthorizationMessageCommand(args);
58
- if (typeof optionsOrCb === "function") {
59
- this.send(command, optionsOrCb);
60
- }
61
- else if (typeof cb === "function") {
62
- if (typeof optionsOrCb !== "object")
63
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
64
- this.send(command, optionsOrCb || {}, cb);
65
- }
66
- else {
67
- return this.send(command, optionsOrCb);
68
- }
69
- }
70
- getAccessKeyInfo(args, optionsOrCb, cb) {
71
- const command = new GetAccessKeyInfoCommand_1.GetAccessKeyInfoCommand(args);
72
- if (typeof optionsOrCb === "function") {
73
- this.send(command, optionsOrCb);
74
- }
75
- else if (typeof cb === "function") {
76
- if (typeof optionsOrCb !== "object")
77
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
78
- this.send(command, optionsOrCb || {}, cb);
79
- }
80
- else {
81
- return this.send(command, optionsOrCb);
82
- }
83
- }
84
- getCallerIdentity(args, optionsOrCb, cb) {
85
- const command = new GetCallerIdentityCommand_1.GetCallerIdentityCommand(args);
86
- if (typeof optionsOrCb === "function") {
87
- this.send(command, optionsOrCb);
88
- }
89
- else if (typeof cb === "function") {
90
- if (typeof optionsOrCb !== "object")
91
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
92
- this.send(command, optionsOrCb || {}, cb);
93
- }
94
- else {
95
- return this.send(command, optionsOrCb);
96
- }
97
- }
98
- getFederationToken(args, optionsOrCb, cb) {
99
- const command = new GetFederationTokenCommand_1.GetFederationTokenCommand(args);
100
- if (typeof optionsOrCb === "function") {
101
- this.send(command, optionsOrCb);
102
- }
103
- else if (typeof cb === "function") {
104
- if (typeof optionsOrCb !== "object")
105
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
106
- this.send(command, optionsOrCb || {}, cb);
107
- }
108
- else {
109
- return this.send(command, optionsOrCb);
110
- }
111
- }
112
- getSessionToken(args, optionsOrCb, cb) {
113
- const command = new GetSessionTokenCommand_1.GetSessionTokenCommand(args);
114
- if (typeof optionsOrCb === "function") {
115
- this.send(command, optionsOrCb);
116
- }
117
- else if (typeof cb === "function") {
118
- if (typeof optionsOrCb !== "object")
119
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
120
- this.send(command, optionsOrCb || {}, cb);
121
- }
122
- else {
123
- return this.send(command, optionsOrCb);
124
- }
125
- }
126
25
  }
127
26
  exports.STS = STS;
27
+ (0, smithy_client_1.createAggregatedClient)(commands, STS);
package/dist-es/STS.js CHANGED
@@ -1,3 +1,4 @@
1
+ import { createAggregatedClient } from "@aws-sdk/smithy-client";
1
2
  import { AssumeRoleCommand } from "./commands/AssumeRoleCommand";
2
3
  import { AssumeRoleWithSAMLCommand, } from "./commands/AssumeRoleWithSAMLCommand";
3
4
  import { AssumeRoleWithWebIdentityCommand, } from "./commands/AssumeRoleWithWebIdentityCommand";
@@ -7,117 +8,16 @@ import { GetCallerIdentityCommand, } from "./commands/GetCallerIdentityCommand";
7
8
  import { GetFederationTokenCommand, } from "./commands/GetFederationTokenCommand";
8
9
  import { GetSessionTokenCommand, } from "./commands/GetSessionTokenCommand";
9
10
  import { STSClient } from "./STSClient";
11
+ const commands = {
12
+ AssumeRoleCommand,
13
+ AssumeRoleWithSAMLCommand,
14
+ AssumeRoleWithWebIdentityCommand,
15
+ DecodeAuthorizationMessageCommand,
16
+ GetAccessKeyInfoCommand,
17
+ GetCallerIdentityCommand,
18
+ GetFederationTokenCommand,
19
+ GetSessionTokenCommand,
20
+ };
10
21
  export class STS extends STSClient {
11
- assumeRole(args, optionsOrCb, cb) {
12
- const command = new AssumeRoleCommand(args);
13
- if (typeof optionsOrCb === "function") {
14
- this.send(command, optionsOrCb);
15
- }
16
- else if (typeof cb === "function") {
17
- if (typeof optionsOrCb !== "object")
18
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
19
- this.send(command, optionsOrCb || {}, cb);
20
- }
21
- else {
22
- return this.send(command, optionsOrCb);
23
- }
24
- }
25
- assumeRoleWithSAML(args, optionsOrCb, cb) {
26
- const command = new AssumeRoleWithSAMLCommand(args);
27
- if (typeof optionsOrCb === "function") {
28
- this.send(command, optionsOrCb);
29
- }
30
- else if (typeof cb === "function") {
31
- if (typeof optionsOrCb !== "object")
32
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
33
- this.send(command, optionsOrCb || {}, cb);
34
- }
35
- else {
36
- return this.send(command, optionsOrCb);
37
- }
38
- }
39
- assumeRoleWithWebIdentity(args, optionsOrCb, cb) {
40
- const command = new AssumeRoleWithWebIdentityCommand(args);
41
- if (typeof optionsOrCb === "function") {
42
- this.send(command, optionsOrCb);
43
- }
44
- else if (typeof cb === "function") {
45
- if (typeof optionsOrCb !== "object")
46
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
47
- this.send(command, optionsOrCb || {}, cb);
48
- }
49
- else {
50
- return this.send(command, optionsOrCb);
51
- }
52
- }
53
- decodeAuthorizationMessage(args, optionsOrCb, cb) {
54
- const command = new DecodeAuthorizationMessageCommand(args);
55
- if (typeof optionsOrCb === "function") {
56
- this.send(command, optionsOrCb);
57
- }
58
- else if (typeof cb === "function") {
59
- if (typeof optionsOrCb !== "object")
60
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
61
- this.send(command, optionsOrCb || {}, cb);
62
- }
63
- else {
64
- return this.send(command, optionsOrCb);
65
- }
66
- }
67
- getAccessKeyInfo(args, optionsOrCb, cb) {
68
- const command = new GetAccessKeyInfoCommand(args);
69
- if (typeof optionsOrCb === "function") {
70
- this.send(command, optionsOrCb);
71
- }
72
- else if (typeof cb === "function") {
73
- if (typeof optionsOrCb !== "object")
74
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
75
- this.send(command, optionsOrCb || {}, cb);
76
- }
77
- else {
78
- return this.send(command, optionsOrCb);
79
- }
80
- }
81
- getCallerIdentity(args, optionsOrCb, cb) {
82
- const command = new GetCallerIdentityCommand(args);
83
- if (typeof optionsOrCb === "function") {
84
- this.send(command, optionsOrCb);
85
- }
86
- else if (typeof cb === "function") {
87
- if (typeof optionsOrCb !== "object")
88
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
89
- this.send(command, optionsOrCb || {}, cb);
90
- }
91
- else {
92
- return this.send(command, optionsOrCb);
93
- }
94
- }
95
- getFederationToken(args, optionsOrCb, cb) {
96
- const command = new GetFederationTokenCommand(args);
97
- if (typeof optionsOrCb === "function") {
98
- this.send(command, optionsOrCb);
99
- }
100
- else if (typeof cb === "function") {
101
- if (typeof optionsOrCb !== "object")
102
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
103
- this.send(command, optionsOrCb || {}, cb);
104
- }
105
- else {
106
- return this.send(command, optionsOrCb);
107
- }
108
- }
109
- getSessionToken(args, optionsOrCb, cb) {
110
- const command = new GetSessionTokenCommand(args);
111
- if (typeof optionsOrCb === "function") {
112
- this.send(command, optionsOrCb);
113
- }
114
- else if (typeof cb === "function") {
115
- if (typeof optionsOrCb !== "object")
116
- throw new Error(`Expect http options but get ${typeof optionsOrCb}`);
117
- this.send(command, optionsOrCb || {}, cb);
118
- }
119
- else {
120
- return this.send(command, optionsOrCb);
121
- }
122
- }
123
22
  }
23
+ createAggregatedClient(commands, STS);
package/dist-types/STS.d.ts CHANGED
@@ -8,621 +8,63 @@ import { GetCallerIdentityCommandInput, GetCallerIdentityCommandOutput } from ".
8
8
  import { GetFederationTokenCommandInput, GetFederationTokenCommandOutput } from "./commands/GetFederationTokenCommand";
9
9
  import { GetSessionTokenCommandInput, GetSessionTokenCommandOutput } from "./commands/GetSessionTokenCommand";
10
10
  import { STSClient } from "./STSClient";
11
- /**
12
- * @public
13
- * <fullname>Security Token Service</fullname>
14
- * <p>Security Token Service (STS) enables you to request temporary, limited-privilege
15
- * credentials for Identity and Access Management (IAM) users or for users that you
16
- * authenticate (federated users). This guide provides descriptions of the STS API. For
17
- * more information about using this service, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security Credentials</a>.</p>
18
- */
19
- export declare class STS extends STSClient {
11
+ export interface STS {
20
12
  /**
21
- * @public
22
- * <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
23
- * resources. These temporary credentials consist of an access key ID, a secret access key,
24
- * and a security token. Typically, you use <code>AssumeRole</code> within your account or for
25
- * cross-account access. For a comparison of <code>AssumeRole</code> with other API operations
26
- * that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
27
- * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
28
- * Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
29
- * <p>
30
- * <b>Permissions</b>
31
- * </p>
32
- * <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
33
- * make API calls to any Amazon Web Services service with the following exception: You cannot call the
34
- * Amazon Web Services STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
35
- * operations.</p>
36
- * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
37
- * this operation. You can pass a single JSON policy document to use as an inline session
38
- * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
39
- * managed session policies. The plaintext that you use for both inline and managed session
40
- * policies can't exceed 2,048 characters. Passing policies to this operation returns new
41
- * temporary credentials. The resulting session's permissions are the intersection of the
42
- * role's identity-based policy and the session policies. You can use the role's temporary
43
- * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
44
- * the role. You cannot use session policies to grant more permissions than those allowed
45
- * by the identity-based policy of the role that is being assumed. For more information, see
46
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
47
- * Policies</a> in the <i>IAM User Guide</i>.</p>
48
- * <p>When you create a role, you create two policies: A role trust policy that specifies
49
- * <i>who</i> can assume the role and a permissions policy that specifies
50
- * <i>what</i> can be done with the role. You specify the trusted principal
51
- * who is allowed to assume the role in the role trust policy.</p>
52
- * <p>To assume a role from a different account, your Amazon Web Services account must be trusted by the
53
- * role. The trust relationship is defined in the role's trust policy when the role is
54
- * created. That trust policy states which accounts are allowed to delegate that access to
55
- * users in the account. </p>
56
- * <p>A user who wants to access a role in a different account must also have permissions that
57
- * are delegated from the user account administrator. The administrator must attach a policy
58
- * that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
59
- * account.</p>
60
- * <p>To allow a user to assume a role in the same account, you can do either of the
61
- * following:</p>
62
- * <ul>
63
- * <li>
64
- * <p>Attach a policy to the user that allows the user to call <code>AssumeRole</code>
65
- * (as long as the role's trust policy trusts the account).</p>
66
- * </li>
67
- * <li>
68
- * <p>Add the user as a principal directly in the role's trust policy.</p>
69
- * </li>
70
- * </ul>
71
- * <p>You can do either because the role’s trust policy acts as an IAM resource-based
72
- * policy. When a resource-based policy grants access to a principal in the same account, no
73
- * additional identity-based policy is required. For more information about trust policies and
74
- * resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in the
75
- * <i>IAM User Guide</i>.</p>
76
- * <p>
77
- * <b>Tags</b>
78
- * </p>
79
- * <p>(Optional) You can pass tag key-value pairs to your session. These tags are called
80
- * session tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
81
- * <i>IAM User Guide</i>.</p>
82
- * <p>An administrator must grant you the permissions necessary to pass session tags. The
83
- * administrator can also create granular permissions to allow you to pass only specific
84
- * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
85
- * for Attribute-Based Access Control</a> in the
86
- * <i>IAM User Guide</i>.</p>
87
- * <p>You can set the session tags as transitive. Transitive tags persist during role
88
- * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
89
- * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
90
- * <p>
91
- * <b>Using MFA with AssumeRole</b>
92
- * </p>
93
- * <p>(Optional) You can include multi-factor authentication (MFA) information when you call
94
- * <code>AssumeRole</code>. This is useful for cross-account scenarios to ensure that the
95
- * user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
96
- * scenario, the trust policy of the role being assumed includes a condition that tests for
97
- * MFA authentication. If the caller does not include valid MFA information, the request to
98
- * assume the role is denied. The condition in a trust policy that tests for MFA
99
- * authentication might look like the following example.</p>
100
- * <p>
101
- * <code>"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}</code>
102
- * </p>
103
- * <p>For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html">Configuring MFA-Protected API Access</a>
104
- * in the <i>IAM User Guide</i> guide.</p>
105
- * <p>To use MFA with <code>AssumeRole</code>, you pass values for the
106
- * <code>SerialNumber</code> and <code>TokenCode</code> parameters. The
107
- * <code>SerialNumber</code> value identifies the user's hardware or virtual MFA device.
108
- * The <code>TokenCode</code> is the time-based one-time password (TOTP) that the MFA device
109
- * produces. </p>
13
+ * @see {@link AssumeRoleCommand}
110
14
  */
111
15
  assumeRole(args: AssumeRoleCommandInput, options?: __HttpHandlerOptions): Promise<AssumeRoleCommandOutput>;
112
16
  assumeRole(args: AssumeRoleCommandInput, cb: (err: any, data?: AssumeRoleCommandOutput) => void): void;
113
17
  assumeRole(args: AssumeRoleCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: AssumeRoleCommandOutput) => void): void;
114
18
  /**
115
- * @public
116
- * <p>Returns a set of temporary security credentials for users who have been authenticated
117
- * via a SAML authentication response. This operation provides a mechanism for tying an
118
- * enterprise identity store or directory to role-based Amazon Web Services access without user-specific
119
- * credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
120
- * other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
121
- * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
122
- * Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
123
- * <p>The temporary security credentials returned by this operation consist of an access key
124
- * ID, a secret access key, and a security token. Applications can use these temporary
125
- * security credentials to sign calls to Amazon Web Services services.</p>
126
- * <p>
127
- * <b>Session Duration</b>
128
- * </p>
129
- * <p>By default, the temporary security credentials created by
130
- * <code>AssumeRoleWithSAML</code> last for one hour. However, you can use the optional
131
- * <code>DurationSeconds</code> parameter to specify the duration of your session. Your
132
- * role session lasts for the duration that you specify, or until the time specified in the
133
- * SAML authentication response's <code>SessionNotOnOrAfter</code> value, whichever is
134
- * shorter. You can provide a <code>DurationSeconds</code> value from 900 seconds (15 minutes)
135
- * up to the maximum session duration setting for the role. This setting can have a value from
136
- * 1 hour to 12 hours. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
137
- * Maximum Session Duration Setting for a Role</a> in the
138
- * <i>IAM User Guide</i>. The maximum session duration limit applies when
139
- * you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
140
- * commands. However the limit does not apply when you use those operations to create a
141
- * console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
142
- * <i>IAM User Guide</i>.</p>
143
- * <note>
144
- * <p>
145
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API role
146
- * session to a maximum of one hour. When you use the <code>AssumeRole</code> API operation
147
- * to assume a role, you can specify the duration of your role session with the
148
- * <code>DurationSeconds</code> parameter. You can specify a parameter value of up to
149
- * 43200 seconds (12 hours), depending on the maximum session duration setting for your
150
- * role. However, if you assume a role using role chaining and provide a
151
- * <code>DurationSeconds</code> parameter value greater than one hour, the operation
152
- * fails.</p>
153
- * </note>
154
- * <p>
155
- * <b>Permissions</b>
156
- * </p>
157
- * <p>The temporary security credentials created by <code>AssumeRoleWithSAML</code> can be
158
- * used to make API calls to any Amazon Web Services service with the following exception: you cannot call
159
- * the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
160
- * operations.</p>
161
- * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
162
- * this operation. You can pass a single JSON policy document to use as an inline session
163
- * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
164
- * managed session policies. The plaintext that you use for both inline and managed session
165
- * policies can't exceed 2,048 characters. Passing policies to this operation returns new
166
- * temporary credentials. The resulting session's permissions are the intersection of the
167
- * role's identity-based policy and the session policies. You can use the role's temporary
168
- * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
169
- * the role. You cannot use session policies to grant more permissions than those allowed
170
- * by the identity-based policy of the role that is being assumed. For more information, see
171
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
172
- * Policies</a> in the <i>IAM User Guide</i>.</p>
173
- * <p>Calling <code>AssumeRoleWithSAML</code> does not require the use of Amazon Web Services security
174
- * credentials. The identity of the caller is validated by using keys in the metadata document
175
- * that is uploaded for the SAML provider entity for your identity provider. </p>
176
- * <important>
177
- * <p>Calling <code>AssumeRoleWithSAML</code> can result in an entry in your CloudTrail logs.
178
- * The entry includes the value in the <code>NameID</code> element of the SAML assertion.
179
- * We recommend that you use a <code>NameIDType</code> that is not associated with any
180
- * personally identifiable information (PII). For example, you could instead use the
181
- * persistent identifier
182
- * (<code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</code>).</p>
183
- * </important>
184
- * <p>
185
- * <b>Tags</b>
186
- * </p>
187
- * <p>(Optional) You can configure your IdP to pass attributes into your SAML assertion as
188
- * session tags. Each session tag consists of a key name and an associated value. For more
189
- * information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
190
- * <i>IAM User Guide</i>.</p>
191
- * <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
192
- * characters and the values can’t exceed 256 characters. For these and additional limits, see
193
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
194
- * and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
195
- * <note>
196
- * <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
197
- * and session tags into a packed binary format that has a separate limit. Your request can
198
- * fail for this limit even if your plaintext meets the other requirements. The
199
- * <code>PackedPolicySize</code> response element indicates by percentage how close the
200
- * policies and tags for your request are to the upper size limit.</p>
201
- * </note>
202
- * <p>You can pass a session tag with the same key as a tag that is attached to the role. When
203
- * you do, session tags override the role's tags with the same key.</p>
204
- * <p>An administrator must grant you the permissions necessary to pass session tags. The
205
- * administrator can also create granular permissions to allow you to pass only specific
206
- * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
207
- * for Attribute-Based Access Control</a> in the
208
- * <i>IAM User Guide</i>.</p>
209
- * <p>You can set the session tags as transitive. Transitive tags persist during role
210
- * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
211
- * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
212
- * <p>
213
- * <b>SAML Configuration</b>
214
- * </p>
215
- * <p>Before your application can call <code>AssumeRoleWithSAML</code>, you must configure
216
- * your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you
217
- * must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that
218
- * represents your identity provider. You must also create an IAM role that specifies this
219
- * SAML provider in its trust policy. </p>
220
- * <p>For more information, see the following resources:</p>
221
- * <ul>
222
- * <li>
223
- * <p>
224
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About
225
- * SAML 2.0-based Federation</a> in the <i>IAM User Guide</i>.
226
- * </p>
227
- * </li>
228
- * <li>
229
- * <p>
230
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating SAML Identity Providers</a> in the
231
- * <i>IAM User Guide</i>. </p>
232
- * </li>
233
- * <li>
234
- * <p>
235
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring
236
- * a Relying Party and Claims</a> in the <i>IAM User Guide</i>.
237
- * </p>
238
- * </li>
239
- * <li>
240
- * <p>
241
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating a Role for SAML 2.0 Federation</a> in the
242
- * <i>IAM User Guide</i>. </p>
243
- * </li>
244
- * </ul>
19
+ * @see {@link AssumeRoleWithSAMLCommand}
245
20
  */
246
21
  assumeRoleWithSAML(args: AssumeRoleWithSAMLCommandInput, options?: __HttpHandlerOptions): Promise<AssumeRoleWithSAMLCommandOutput>;
247
22
  assumeRoleWithSAML(args: AssumeRoleWithSAMLCommandInput, cb: (err: any, data?: AssumeRoleWithSAMLCommandOutput) => void): void;
248
23
  assumeRoleWithSAML(args: AssumeRoleWithSAMLCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: AssumeRoleWithSAMLCommandOutput) => void): void;
249
24
  /**
250
- * @public
251
- * <p>Returns a set of temporary security credentials for users who have been authenticated in
252
- * a mobile or web application with a web identity provider. Example providers include the
253
- * OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible
254
- * identity provider such as Google or <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html">Amazon Cognito federated identities</a>.</p>
255
- * <note>
256
- * <p>For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the
257
- * <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and the <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a> to uniquely
258
- * identify a user. You can also supply the user with a consistent identity throughout the
259
- * lifetime of an application.</p>
260
- * <p>To learn more about Amazon Cognito, see <a href="https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840">Amazon Cognito Overview</a> in
261
- * <i>Amazon Web Services SDK for Android Developer Guide</i> and <a href="https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664">Amazon Cognito Overview</a> in the
262
- * <i>Amazon Web Services SDK for iOS Developer Guide</i>.</p>
263
- * </note>
264
- * <p>Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of Amazon Web Services
265
- * security credentials. Therefore, you can distribute an application (for example, on mobile
266
- * devices) that requests temporary security credentials without including long-term Amazon Web Services
267
- * credentials in the application. You also don't need to deploy server-based proxy services
268
- * that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by
269
- * using a token from the web identity provider. For a comparison of
270
- * <code>AssumeRoleWithWebIdentity</code> with the other API operations that produce
271
- * temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
272
- * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
273
- * Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
274
- * <p>The temporary security credentials returned by this API consist of an access key ID, a
275
- * secret access key, and a security token. Applications can use these temporary security
276
- * credentials to sign calls to Amazon Web Services service API operations.</p>
277
- * <p>
278
- * <b>Session Duration</b>
279
- * </p>
280
- * <p>By default, the temporary security credentials created by
281
- * <code>AssumeRoleWithWebIdentity</code> last for one hour. However, you can use the
282
- * optional <code>DurationSeconds</code> parameter to specify the duration of your session.
283
- * You can provide a value from 900 seconds (15 minutes) up to the maximum session duration
284
- * setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how
285
- * to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
286
- * Maximum Session Duration Setting for a Role</a> in the
287
- * <i>IAM User Guide</i>. The maximum session duration limit applies when
288
- * you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
289
- * commands. However the limit does not apply when you use those operations to create a
290
- * console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
291
- * <i>IAM User Guide</i>. </p>
292
- * <p>
293
- * <b>Permissions</b>
294
- * </p>
295
- * <p>The temporary security credentials created by <code>AssumeRoleWithWebIdentity</code> can
296
- * be used to make API calls to any Amazon Web Services service with the following exception: you cannot
297
- * call the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
298
- * operations.</p>
299
- * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
300
- * this operation. You can pass a single JSON policy document to use as an inline session
301
- * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
302
- * managed session policies. The plaintext that you use for both inline and managed session
303
- * policies can't exceed 2,048 characters. Passing policies to this operation returns new
304
- * temporary credentials. The resulting session's permissions are the intersection of the
305
- * role's identity-based policy and the session policies. You can use the role's temporary
306
- * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
307
- * the role. You cannot use session policies to grant more permissions than those allowed
308
- * by the identity-based policy of the role that is being assumed. For more information, see
309
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
310
- * Policies</a> in the <i>IAM User Guide</i>.</p>
311
- * <p>
312
- * <b>Tags</b>
313
- * </p>
314
- * <p>(Optional) You can configure your IdP to pass attributes into your web identity token as
315
- * session tags. Each session tag consists of a key name and an associated value. For more
316
- * information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
317
- * <i>IAM User Guide</i>.</p>
318
- * <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
319
- * characters and the values can’t exceed 256 characters. For these and additional limits, see
320
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
321
- * and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
322
- * <note>
323
- * <p>An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
324
- * and session tags into a packed binary format that has a separate limit. Your request can
325
- * fail for this limit even if your plaintext meets the other requirements. The
326
- * <code>PackedPolicySize</code> response element indicates by percentage how close the
327
- * policies and tags for your request are to the upper size limit.</p>
328
- * </note>
329
- * <p>You can pass a session tag with the same key as a tag that is attached to the role. When
330
- * you do, the session tag overrides the role tag with the same key.</p>
331
- * <p>An administrator must grant you the permissions necessary to pass session tags. The
332
- * administrator can also create granular permissions to allow you to pass only specific
333
- * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
334
- * for Attribute-Based Access Control</a> in the
335
- * <i>IAM User Guide</i>.</p>
336
- * <p>You can set the session tags as transitive. Transitive tags persist during role
337
- * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
338
- * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
339
- * <p>
340
- * <b>Identities</b>
341
- * </p>
342
- * <p>Before your application can call <code>AssumeRoleWithWebIdentity</code>, you must have
343
- * an identity token from a supported identity provider and create a role that the application
344
- * can assume. The role that your application assumes must trust the identity provider that is
345
- * associated with the identity token. In other words, the identity provider must be specified
346
- * in the role's trust policy. </p>
347
- * <important>
348
- * <p>Calling <code>AssumeRoleWithWebIdentity</code> can result in an entry in your
349
- * CloudTrail logs. The entry includes the <a href="http://openid.net/specs/openid-connect-core-1_0.html#Claims">Subject</a> of
350
- * the provided web identity token. We recommend that you avoid using any personally
351
- * identifiable information (PII) in this field. For example, you could instead use a GUID
352
- * or a pairwise identifier, as <a href="http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">suggested
353
- * in the OIDC specification</a>.</p>
354
- * </important>
355
- * <p>For more information about how to use web identity federation and the
356
- * <code>AssumeRoleWithWebIdentity</code> API, see the following resources: </p>
357
- * <ul>
358
- * <li>
359
- * <p>
360
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html">Using Web Identity Federation API Operations for Mobile Apps</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a>. </p>
361
- * </li>
362
- * <li>
363
- * <p>
364
- * <a href="https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/"> Web Identity Federation Playground</a>. Walk through the process of
365
- * authenticating through Login with Amazon, Facebook, or Google, getting temporary
366
- * security credentials, and then using those credentials to make a request to Amazon Web Services.
367
- * </p>
368
- * </li>
369
- * <li>
370
- * <p>
371
- * <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a>. These toolkits
372
- * contain sample apps that show how to invoke the identity providers. The toolkits then
373
- * show how to use the information from these providers to get and use temporary
374
- * security credentials. </p>
375
- * </li>
376
- * <li>
377
- * <p>
378
- * <a href="http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications">Web Identity
379
- * Federation with Mobile Applications</a>. This article discusses web identity
380
- * federation and shows an example of how to use web identity federation to get access
381
- * to content in Amazon S3. </p>
382
- * </li>
383
- * </ul>
25
+ * @see {@link AssumeRoleWithWebIdentityCommand}
384
26
  */
385
27
  assumeRoleWithWebIdentity(args: AssumeRoleWithWebIdentityCommandInput, options?: __HttpHandlerOptions): Promise<AssumeRoleWithWebIdentityCommandOutput>;
386
28
  assumeRoleWithWebIdentity(args: AssumeRoleWithWebIdentityCommandInput, cb: (err: any, data?: AssumeRoleWithWebIdentityCommandOutput) => void): void;
387
29
  assumeRoleWithWebIdentity(args: AssumeRoleWithWebIdentityCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: AssumeRoleWithWebIdentityCommandOutput) => void): void;
388
30
  /**
389
- * @public
390
- * <p>Decodes additional information about the authorization status of a request from an
391
- * encoded message returned in response to an Amazon Web Services request.</p>
392
- * <p>For example, if a user is not authorized to perform an operation that he or she has
393
- * requested, the request returns a <code>Client.UnauthorizedOperation</code> response (an
394
- * HTTP 403 response). Some Amazon Web Services operations additionally return an encoded message that can
395
- * provide details about this authorization failure. </p>
396
- * <note>
397
- * <p>Only certain Amazon Web Services operations return an encoded authorization message. The
398
- * documentation for an individual operation indicates whether that operation returns an
399
- * encoded message in addition to returning an HTTP code.</p>
400
- * </note>
401
- * <p>The message is encoded because the details of the authorization status can contain
402
- * privileged information that the user who requested the operation should not see. To decode
403
- * an authorization status message, a user must be granted permissions through an IAM <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">policy</a> to
404
- * request the <code>DecodeAuthorizationMessage</code>
405
- * (<code>sts:DecodeAuthorizationMessage</code>) action. </p>
406
- * <p>The decoded message includes the following type of information:</p>
407
- * <ul>
408
- * <li>
409
- * <p>Whether the request was denied due to an explicit deny or due to the absence of an
410
- * explicit allow. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow">Determining Whether a Request is Allowed or Denied</a> in the
411
- * <i>IAM User Guide</i>. </p>
412
- * </li>
413
- * <li>
414
- * <p>The principal who made the request.</p>
415
- * </li>
416
- * <li>
417
- * <p>The requested action.</p>
418
- * </li>
419
- * <li>
420
- * <p>The requested resource.</p>
421
- * </li>
422
- * <li>
423
- * <p>The values of condition keys in the context of the user's request.</p>
424
- * </li>
425
- * </ul>
31
+ * @see {@link DecodeAuthorizationMessageCommand}
426
32
  */
427
33
  decodeAuthorizationMessage(args: DecodeAuthorizationMessageCommandInput, options?: __HttpHandlerOptions): Promise<DecodeAuthorizationMessageCommandOutput>;
428
34
  decodeAuthorizationMessage(args: DecodeAuthorizationMessageCommandInput, cb: (err: any, data?: DecodeAuthorizationMessageCommandOutput) => void): void;
429
35
  decodeAuthorizationMessage(args: DecodeAuthorizationMessageCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: DecodeAuthorizationMessageCommandOutput) => void): void;
430
36
  /**
431
- * @public
432
- * <p>Returns the account identifier for the specified access key ID.</p>
433
- * <p>Access keys consist of two parts: an access key ID (for example,
434
- * <code>AKIAIOSFODNN7EXAMPLE</code>) and a secret access key (for example,
435
- * <code>wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY</code>). For more information about
436
- * access keys, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html">Managing Access Keys for IAM
437
- * Users</a> in the <i>IAM User Guide</i>.</p>
438
- * <p>When you pass an access key ID to this operation, it returns the ID of the Amazon Web Services account
439
- * to which the keys belong. Access key IDs beginning with <code>AKIA</code> are long-term
440
- * credentials for an IAM user or the Amazon Web Services account root user. Access key IDs beginning with
441
- * <code>ASIA</code> are temporary credentials that are created using STS operations. If
442
- * the account in the response belongs to you, you can sign in as the root user and review
443
- * your root user access keys. Then, you can pull a <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html">credentials report</a> to
444
- * learn which IAM user owns the keys. To learn who requested the temporary credentials for
445
- * an <code>ASIA</code> access key, view the STS events in your <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html">CloudTrail logs</a> in the
446
- * <i>IAM User Guide</i>.</p>
447
- * <p>This operation does not indicate the state of the access key. The key might be active,
448
- * inactive, or deleted. Active keys might not have permissions to perform an operation.
449
- * Providing a deleted access key might return an error that the key doesn't exist.</p>
37
+ * @see {@link GetAccessKeyInfoCommand}
450
38
  */
451
39
  getAccessKeyInfo(args: GetAccessKeyInfoCommandInput, options?: __HttpHandlerOptions): Promise<GetAccessKeyInfoCommandOutput>;
452
40
  getAccessKeyInfo(args: GetAccessKeyInfoCommandInput, cb: (err: any, data?: GetAccessKeyInfoCommandOutput) => void): void;
453
41
  getAccessKeyInfo(args: GetAccessKeyInfoCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetAccessKeyInfoCommandOutput) => void): void;
454
42
  /**
455
- * @public
456
- * <p>Returns details about the IAM user or role whose credentials are used to call the
457
- * operation.</p>
458
- * <note>
459
- * <p>No permissions are required to perform this operation. If an administrator adds a
460
- * policy to your IAM user or role that explicitly denies access to the
461
- * <code>sts:GetCallerIdentity</code> action, you can still perform this operation.
462
- * Permissions are not required because the same information is returned when an IAM user
463
- * or role is denied access. To view an example response, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa">I Am Not Authorized to Perform: iam:DeleteVirtualMFADevice</a> in the
464
- * <i>IAM User Guide</i>.</p>
465
- * </note>
43
+ * @see {@link GetCallerIdentityCommand}
466
44
  */
467
45
  getCallerIdentity(args: GetCallerIdentityCommandInput, options?: __HttpHandlerOptions): Promise<GetCallerIdentityCommandOutput>;
468
46
  getCallerIdentity(args: GetCallerIdentityCommandInput, cb: (err: any, data?: GetCallerIdentityCommandOutput) => void): void;
469
47
  getCallerIdentity(args: GetCallerIdentityCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetCallerIdentityCommandOutput) => void): void;
470
48
  /**
471
- * @public
472
- * <p>Returns a set of temporary security credentials (consisting of an access key ID, a
473
- * secret access key, and a security token) for a federated user. A typical use is in a proxy
474
- * application that gets temporary security credentials on behalf of distributed applications
475
- * inside a corporate network. You must call the <code>GetFederationToken</code> operation
476
- * using the long-term security credentials of an IAM user. As a result, this call is
477
- * appropriate in contexts where those credentials can be safely stored, usually in a
478
- * server-based application. For a comparison of <code>GetFederationToken</code> with the
479
- * other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
480
- * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
481
- * Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
482
- * <note>
483
- * <p>You can create a mobile-based or browser-based app that can authenticate users using
484
- * a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
485
- * Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
486
- * <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
487
- * <i>IAM User Guide</i>.</p>
488
- * </note>
489
- * <p>You can also call <code>GetFederationToken</code> using the security credentials of an
490
- * Amazon Web Services account root user, but we do not recommend it. Instead, we recommend that you create
491
- * an IAM user for the purpose of the proxy application. Then attach a policy to the IAM
492
- * user that limits federated users to only the actions and resources that they need to
493
- * access. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html">IAM Best Practices</a> in the
494
- * <i>IAM User Guide</i>. </p>
495
- * <p>
496
- * <b>Session duration</b>
497
- * </p>
498
- * <p>The temporary credentials are valid for the specified duration, from 900 seconds (15
499
- * minutes) up to a maximum of 129,600 seconds (36 hours). The default session duration is
500
- * 43,200 seconds (12 hours). Temporary credentials obtained by using the Amazon Web Services account root
501
- * user credentials have a maximum duration of 3,600 seconds (1 hour).</p>
502
- * <p>
503
- * <b>Permissions</b>
504
- * </p>
505
- * <p>You can use the temporary credentials created by <code>GetFederationToken</code> in any
506
- * Amazon Web Services service with the following exceptions:</p>
507
- * <ul>
508
- * <li>
509
- * <p>You cannot call any IAM operations using the CLI or the Amazon Web Services API. This limitation does not apply to console sessions.</p>
510
- * </li>
511
- * <li>
512
- * <p>You cannot call any STS operations except <code>GetCallerIdentity</code>.</p>
513
- * </li>
514
- * </ul>
515
- * <p>You can use temporary credentials for single sign-on (SSO) to the console.</p>
516
- * <p>You must pass an inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policy</a> to
517
- * this operation. You can pass a single JSON policy document to use as an inline session
518
- * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
519
- * managed session policies. The plaintext that you use for both inline and managed session
520
- * policies can't exceed 2,048 characters.</p>
521
- * <p>Though the session policy parameters are optional, if you do not pass a policy, then the
522
- * resulting federated user session has no permissions. When you pass session policies, the
523
- * session permissions are the intersection of the IAM user policies and the session
524
- * policies that you pass. This gives you a way to further restrict the permissions for a
525
- * federated user. You cannot use session policies to grant more permissions than those that
526
- * are defined in the permissions policy of the IAM user. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
527
- * Policies</a> in the <i>IAM User Guide</i>. For information about
528
- * using <code>GetFederationToken</code> to create temporary security credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken">GetFederationToken—Federation Through a Custom Identity Broker</a>. </p>
529
- * <p>You can use the credentials to access a resource that has a resource-based policy. If
530
- * that policy specifically references the federated user session in the
531
- * <code>Principal</code> element of the policy, the session has the permissions allowed by
532
- * the policy. These permissions are granted in addition to the permissions granted by the
533
- * session policies.</p>
534
- * <p>
535
- * <b>Tags</b>
536
- * </p>
537
- * <p>(Optional) You can pass tag key-value pairs to your session. These are called session
538
- * tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
539
- * <i>IAM User Guide</i>.</p>
540
- * <note>
541
- * <p>You can create a mobile-based or browser-based app that can authenticate users using
542
- * a web identity provider like Login with Amazon, Facebook, Google, or an OpenID
543
- * Connect-compatible identity provider. In this case, we recommend that you use <a href="http://aws.amazon.com/cognito/">Amazon Cognito</a> or
544
- * <code>AssumeRoleWithWebIdentity</code>. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a> in the
545
- * <i>IAM User Guide</i>.</p>
546
- * </note>
547
- * <p>An administrator must grant you the permissions necessary to pass session tags. The
548
- * administrator can also create granular permissions to allow you to pass only specific
549
- * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
550
- * for Attribute-Based Access Control</a> in the
551
- * <i>IAM User Guide</i>.</p>
552
- * <p>Tag key–value pairs are not case sensitive, but case is preserved. This means that you
553
- * cannot have separate <code>Department</code> and <code>department</code> tag keys. Assume
554
- * that the user that you are federating has the
555
- * <code>Department</code>=<code>Marketing</code> tag and you pass the
556
- * <code>department</code>=<code>engineering</code> session tag. <code>Department</code>
557
- * and <code>department</code> are not saved as separate tags, and the session tag passed in
558
- * the request takes precedence over the user tag.</p>
49
+ * @see {@link GetFederationTokenCommand}
559
50
  */
560
51
  getFederationToken(args: GetFederationTokenCommandInput, options?: __HttpHandlerOptions): Promise<GetFederationTokenCommandOutput>;
561
52
  getFederationToken(args: GetFederationTokenCommandInput, cb: (err: any, data?: GetFederationTokenCommandOutput) => void): void;
562
53
  getFederationToken(args: GetFederationTokenCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetFederationTokenCommandOutput) => void): void;
563
54
  /**
564
- * @public
565
- * <p>Returns a set of temporary credentials for an Amazon Web Services account or IAM user. The
566
- * credentials consist of an access key ID, a secret access key, and a security token.
567
- * Typically, you use <code>GetSessionToken</code> if you want to use MFA to protect
568
- * programmatic calls to specific Amazon Web Services API operations like Amazon EC2 <code>StopInstances</code>.
569
- * MFA-enabled IAM users would need to call <code>GetSessionToken</code> and submit an MFA
570
- * code that is associated with their MFA device. Using the temporary security credentials
571
- * that are returned from the call, IAM users can then make programmatic calls to API
572
- * operations that require MFA authentication. If you do not supply a correct MFA code, then
573
- * the API returns an access denied error. For a comparison of <code>GetSessionToken</code>
574
- * with the other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting
575
- * Temporary Security Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
576
- * Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
577
- * <note>
578
- * <p>No permissions are required for users to perform this operation. The purpose of the
579
- * <code>sts:GetSessionToken</code> operation is to authenticate the user using MFA. You
580
- * cannot use policies to control authentication operations. For more information, see
581
- * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getsessiontoken.html">Permissions for GetSessionToken</a> in the
582
- * <i>IAM User Guide</i>.</p>
583
- * </note>
584
- * <p>
585
- * <b>Session Duration</b>
586
- * </p>
587
- * <p>The <code>GetSessionToken</code> operation must be called by using the long-term Amazon Web Services
588
- * security credentials of the Amazon Web Services account root user or an IAM user. Credentials that are
589
- * created by IAM users are valid for the duration that you specify. This duration can range
590
- * from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours), with a default
591
- * of 43,200 seconds (12 hours). Credentials based on account credentials can range from 900
592
- * seconds (15 minutes) up to 3,600 seconds (1 hour), with a default of 1 hour. </p>
593
- * <p>
594
- * <b>Permissions</b>
595
- * </p>
596
- * <p>The temporary security credentials created by <code>GetSessionToken</code> can be used
597
- * to make API calls to any Amazon Web Services service with the following exceptions:</p>
598
- * <ul>
599
- * <li>
600
- * <p>You cannot call any IAM API operations unless MFA authentication information is
601
- * included in the request.</p>
602
- * </li>
603
- * <li>
604
- * <p>You cannot call any STS API <i>except</i>
605
- * <code>AssumeRole</code> or <code>GetCallerIdentity</code>.</p>
606
- * </li>
607
- * </ul>
608
- * <note>
609
- * <p>We recommend that you do not call <code>GetSessionToken</code> with Amazon Web Services account
610
- * root user credentials. Instead, follow our <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users">best practices</a> by
611
- * creating one or more IAM users, giving them the necessary permissions, and using IAM
612
- * users for everyday interaction with Amazon Web Services. </p>
613
- * </note>
614
- * <p>The credentials that are returned by <code>GetSessionToken</code> are based on
615
- * permissions associated with the user whose credentials were used to call the operation. If
616
- * <code>GetSessionToken</code> is called using Amazon Web Services account root user credentials, the
617
- * temporary credentials have root user permissions. Similarly, if
618
- * <code>GetSessionToken</code> is called using the credentials of an IAM user, the
619
- * temporary credentials have the same permissions as the IAM user. </p>
620
- * <p>For more information about using <code>GetSessionToken</code> to create temporary
621
- * credentials, go to <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken">Temporary
622
- * Credentials for Users in Untrusted Environments</a> in the
623
- * <i>IAM User Guide</i>. </p>
55
+ * @see {@link GetSessionTokenCommand}
624
56
  */
625
57
  getSessionToken(args: GetSessionTokenCommandInput, options?: __HttpHandlerOptions): Promise<GetSessionTokenCommandOutput>;
626
58
  getSessionToken(args: GetSessionTokenCommandInput, cb: (err: any, data?: GetSessionTokenCommandOutput) => void): void;
627
59
  getSessionToken(args: GetSessionTokenCommandInput, options: __HttpHandlerOptions, cb: (err: any, data?: GetSessionTokenCommandOutput) => void): void;
628
60
  }
61
+ /**
62
+ * @public
63
+ * <fullname>Security Token Service</fullname>
64
+ * <p>Security Token Service (STS) enables you to request temporary, limited-privilege
65
+ * credentials for Identity and Access Management (IAM) users or for users that you
66
+ * authenticate (federated users). This guide provides descriptions of the STS API. For
67
+ * more information about using this service, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security Credentials</a>.</p>
68
+ */
69
+ export declare class STS extends STSClient implements STS {
70
+ }
package/dist-types/ts3.4/STS.d.ts CHANGED
@@ -32,7 +32,7 @@ import {
32
32
  GetSessionTokenCommandOutput,
33
33
  } from "./commands/GetSessionTokenCommand";
34
34
  import { STSClient } from "./STSClient";
35
- export declare class STS extends STSClient {
35
+ export interface STS {
36
36
  assumeRole(
37
37
  args: AssumeRoleCommandInput,
38
38
  options?: __HttpHandlerOptions
@@ -138,3 +138,4 @@ export declare class STS extends STSClient {
138
138
  cb: (err: any, data?: GetSessionTokenCommandOutput) => void
139
139
  ): void;
140
140
  }
141
+ export declare class STS extends STSClient implements STS {}
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "@aws-sdk/client-sts",
3
3
  "description": "AWS SDK for JavaScript Sts Client for Node.js, Browser and React Native",
4
- "version": "3.315.0",
4
+ "version": "3.319.0",
5
5
  "scripts": {
6
6
  "build": "concurrently 'yarn:build:cjs' 'yarn:build:es' 'yarn:build:types'",
7
7
  "build:cjs": "tsc -p tsconfig.cjs.json",
@@ -24,7 +24,7 @@
24
24
  "@aws-crypto/sha256-browser": "3.0.0",
25
25
  "@aws-crypto/sha256-js": "3.0.0",
26
26
  "@aws-sdk/config-resolver": "3.310.0",
27
- "@aws-sdk/credential-provider-node": "3.315.0",
27
+ "@aws-sdk/credential-provider-node": "3.319.0",
28
28
  "@aws-sdk/fetch-http-handler": "3.310.0",
29
29
  "@aws-sdk/hash-node": "3.310.0",
30
30
  "@aws-sdk/invalid-dependency": "3.310.0",
@@ -38,19 +38,19 @@
38
38
  "@aws-sdk/middleware-serde": "3.310.0",
39
39
  "@aws-sdk/middleware-signing": "3.310.0",
40
40
  "@aws-sdk/middleware-stack": "3.310.0",
41
- "@aws-sdk/middleware-user-agent": "3.310.0",
41
+ "@aws-sdk/middleware-user-agent": "3.319.0",
42
42
  "@aws-sdk/node-config-provider": "3.310.0",
43
43
  "@aws-sdk/node-http-handler": "3.310.0",
44
44
  "@aws-sdk/protocol-http": "3.310.0",
45
- "@aws-sdk/smithy-client": "3.315.0",
45
+ "@aws-sdk/smithy-client": "3.316.0",
46
46
  "@aws-sdk/types": "3.310.0",
47
47
  "@aws-sdk/url-parser": "3.310.0",
48
48
  "@aws-sdk/util-base64": "3.310.0",
49
49
  "@aws-sdk/util-body-length-browser": "3.310.0",
50
50
  "@aws-sdk/util-body-length-node": "3.310.0",
51
- "@aws-sdk/util-defaults-mode-browser": "3.315.0",
52
- "@aws-sdk/util-defaults-mode-node": "3.315.0",
53
- "@aws-sdk/util-endpoints": "3.310.0",
51
+ "@aws-sdk/util-defaults-mode-browser": "3.316.0",
52
+ "@aws-sdk/util-defaults-mode-node": "3.316.0",
53
+ "@aws-sdk/util-endpoints": "3.319.0",
54
54
  "@aws-sdk/util-retry": "3.310.0",
55
55
  "@aws-sdk/util-user-agent-browser": "3.310.0",
56
56
  "@aws-sdk/util-user-agent-node": "3.310.0",