@aws-sdk/client-sts 3.33.0 → 3.36.1

package/defaultStsRoleAssumers.ts

@@ -1,126 +0,0 @@
-// Please do not touch this file. It's generated from template in:
-// https://github.com/aws/aws-sdk-js-v3/blob/main/codegen/smithy-aws-typescript-codegen/src/main/resources/software/amazon/smithy/aws/typescript/codegen/sts-client-defaultStsRoleAssumers.ts
-import { Credentials, Provider } from "@aws-sdk/types";
-
-import { AssumeRoleCommand, AssumeRoleCommandInput } from "./commands/AssumeRoleCommand";
-import {
-  AssumeRoleWithWebIdentityCommand,
-  AssumeRoleWithWebIdentityCommandInput,
-} from "./commands/AssumeRoleWithWebIdentityCommand";
-import type { STSClient, STSClientConfig, STSClientResolvedConfig } from "./STSClient";
-
-/**
- * @internal
- */
-export type RoleAssumer = (sourceCreds: Credentials, params: AssumeRoleCommandInput) => Promise<Credentials>;
-
-const ASSUME_ROLE_DEFAULT_REGION = "us-east-1";
-
-/**
- * Inject the fallback STS region of us-east-1.
- */
-const decorateDefaultRegion = (region: string | Provider<string> | undefined): string | Provider<string> => {
-  if (typeof region !== "function") {
-    return region === undefined ? ASSUME_ROLE_DEFAULT_REGION : region;
-  }
-  return async () => {
-    try {
-      return await region();
-    } catch (e) {
-      return ASSUME_ROLE_DEFAULT_REGION;
-    }
-  };
-};
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRole API is needed.
- * @internal
- */
-export const getDefaultRoleAssumer = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
-  stsClientCtor: new (options: STSClientConfig) => STSClient
-): RoleAssumer => {
-  let stsClient: STSClient;
-  let closureSourceCreds: Credentials;
-  return async (sourceCreds, params) => {
-    closureSourceCreds = sourceCreds;
-    if (!stsClient) {
-      const { logger, region, requestHandler } = stsOptions;
-      stsClient = new stsClientCtor({
-        logger,
-        // A hack to make sts client uses the credential in current closure.
-        credentialDefaultProvider: () => async () => closureSourceCreds,
-        region: decorateDefaultRegion(region || stsOptions.region),
-        ...(requestHandler ? { requestHandler } : {}),
-      });
-    }
-    const { Credentials } = await stsClient.send(new AssumeRoleCommand(params));
-    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
-      throw new Error(`Invalid response from STS.assumeRole call with role ${params.RoleArn}`);
-    }
-    return {
-      accessKeyId: Credentials.AccessKeyId,
-      secretAccessKey: Credentials.SecretAccessKey,
-      sessionToken: Credentials.SessionToken,
-      expiration: Credentials.Expiration,
-    };
-  };
-};
-
-/**
- * @internal
- */
-export type RoleAssumerWithWebIdentity = (params: AssumeRoleWithWebIdentityCommandInput) => Promise<Credentials>;
-
-/**
- * The default role assumer that used by credential providers when sts:AssumeRoleWithWebIdentity API is needed.
- * @internal
- */
-export const getDefaultRoleAssumerWithWebIdentity = (
-  stsOptions: Pick<STSClientConfig, "logger" | "region" | "requestHandler">,
-  stsClientCtor: new (options: STSClientConfig) => STSClient
-): RoleAssumerWithWebIdentity => {
-  let stsClient: STSClient;
-  return async (params) => {
-    if (!stsClient) {
-      const { logger, region, requestHandler } = stsOptions;
-      stsClient = new stsClientCtor({
-        logger,
-        region: decorateDefaultRegion(region || stsOptions.region),
-        ...(requestHandler ? { requestHandler } : {}),
-      });
-    }
-    const { Credentials } = await stsClient.send(new AssumeRoleWithWebIdentityCommand(params));
-    if (!Credentials || !Credentials.AccessKeyId || !Credentials.SecretAccessKey) {
-      throw new Error(`Invalid response from STS.assumeRoleWithWebIdentity call with role ${params.RoleArn}`);
-    }
-    return {
-      accessKeyId: Credentials.AccessKeyId,
-      secretAccessKey: Credentials.SecretAccessKey,
-      sessionToken: Credentials.SessionToken,
-      expiration: Credentials.Expiration,
-    };
-  };
-};
-
-/**
- * @internal
- */
-export type DefaultCredentialProvider = (input: any) => Provider<Credentials>;
-
-/**
- * The default credential providers depend STS client to assume role with desired API: sts:assumeRole,
- * sts:assumeRoleWithWebIdentity, etc. This function decorates the default credential provider with role assumers which
- * encapsulates the process of calling STS commands. This can only be imported by AWS client packages to avoid circular
- * dependencies.
- *
- * @internal
- */
-export const decorateDefaultCredentialProvider =
-  (provider: DefaultCredentialProvider): DefaultCredentialProvider =>
-  (input: STSClientResolvedConfig) =>
-    provider({
-      roleAssumer: getDefaultRoleAssumer(input, input.stsClientCtor),
-      roleAssumerWithWebIdentity: getDefaultRoleAssumerWithWebIdentity(input, input.stsClientCtor),
-      ...input,
-    });

package/dist/cjs/STS.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"STS.js","sourceRoot":"","sources":["../../STS.ts"],"names":[],"mappings":";;;AAAA,2CAAwC;AACxC,oEAAkH;AAClH,oFAI8C;AAC9C,kGAIqD;AACrD,oGAIsD;AACtD,gFAI4C;AAC5C,kFAI6C;AAC7C,oFAI8C;AAC9C,8EAI2C;AAG3C;;;;;;GAMG;AACH,MAAa,GAAI,SAAQ,qBAAS;IA8FzB,UAAU,CACf,IAA4B,EAC5B,WAAyF,EACzF,EAAuD;QAEvD,MAAM,OAAO,GAAG,IAAI,qCAAiB,CAAC,IAAI,CAAC,CAAC;QAC5C,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IAqJM,kBAAkB,CACvB,IAAoC,EACpC,WAAiG,EACjG,EAA+D;QAE/D,MAAM,OAAO,GAAG,IAAI,qDAAyB,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IAyJM,yBAAyB,CAC9B,IAA2C,EAC3C,WAAwG,EACxG,EAAsE;QAEtE,MAAM,OAAO,GAAG,IAAI,mEAAgC,CAAC,IAAI,CAAC,CAAC;QAC3D,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IAqDM,0BAA0B,CAC/B,IAA4C,EAC5C,WAAyG,EACzG,EAAuE;QAEvE,MAAM,OAAO,GAAG,IAAI,qEAAiC,CAAC,IAAI,CAAC,CAAC;QAC5D,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IAmCM,gBAAgB,CACrB,IAAkC,EAClC,WAA+F,EAC/F,EAA6D;QAE7D,MAAM,OAAO,GAAG,IAAI,iDAAuB,CAAC,IAAI,CAAC,CAAC;QAClD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IA2BM,iBAAiB,CACtB,IAAmC,EACnC,WAAgG,EAChG,EAA8D;QAE9D,MAAM,OAAO,GAAG,IAAI,mDAAwB,CAAC,IAAI,CAAC,CAAC;QACnD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IA4JM,kBAAkB,CACvB,IAAoC,EACpC,WAAiG,EACjG,EAA+D;QAE/D,MAAM,OAAO,GAAG,IAAI,qDAAyB,CAAC,IAAI,CAAC,CAAC;QACpD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;IAqEM,eAAe,CACpB,IAAiC,EACjC,WAA8F,EAC9F,EAA4D;QAE5D,MAAM,OAAO,GAAG,IAAI,+CAAsB,CAAC,IAAI,CAAC,CAAC;QACjD,IAAI,OAAO,WAAW,KAAK,UAAU,EAAE;YACrC,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACjC;aAAM,IAAI,OAAO,EAAE,KAAK,UAAU,EAAE;YACnC,IAAI,OAAO,WAAW,KAAK,QAAQ;gBAAE,MAAM,IAAI,KAAK,CAAC,+BAA+B,OAAO,WAAW,EAAE,CAAC,CAAC;YAC1G,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,IAAI,EAAE,EAAE,EAAE,CAAC,CAAC;SAC3C;aAAM;YACL,OAAO,IAAI,CAAC,IAAI,CAAC,OAAO,EAAE,WAAW,CAAC,CAAC;SACxC;IACH,CAAC;CACF;AAj1BD,kBAi1BC"}

package/dist/cjs/STSClient.js

@@ -1,47 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.STSClient = void 0;
-const runtimeConfig_1 = require("./runtimeConfig");
-const config_resolver_1 = require("@aws-sdk/config-resolver");
-const middleware_content_length_1 = require("@aws-sdk/middleware-content-length");
-const middleware_host_header_1 = require("@aws-sdk/middleware-host-header");
-const middleware_logger_1 = require("@aws-sdk/middleware-logger");
-const middleware_retry_1 = require("@aws-sdk/middleware-retry");
-const middleware_sdk_sts_1 = require("@aws-sdk/middleware-sdk-sts");
-const middleware_user_agent_1 = require("@aws-sdk/middleware-user-agent");
-const smithy_client_1 = require("@aws-sdk/smithy-client");
-/**
- * <fullname>Security Token Service</fullname>
- *          <p>Security Token Service (STS) enables you to request temporary, limited-privilege
- *       credentials for Identity and Access Management (IAM) users or for users that you
- *       authenticate (federated users). This guide provides descriptions of the STS API. For
- *       more information about using this service, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security Credentials</a>.</p>
- */
-class STSClient extends smithy_client_1.Client {
-    constructor(configuration) {
-        let _config_0 = runtimeConfig_1.getRuntimeConfig(configuration);
-        let _config_1 = config_resolver_1.resolveRegionConfig(_config_0);
-        let _config_2 = config_resolver_1.resolveEndpointsConfig(_config_1);
-        let _config_3 = middleware_retry_1.resolveRetryConfig(_config_2);
-        let _config_4 = middleware_host_header_1.resolveHostHeaderConfig(_config_3);
-        let _config_5 = middleware_sdk_sts_1.resolveStsAuthConfig(_config_4, { stsClientCtor: STSClient });
-        let _config_6 = middleware_user_agent_1.resolveUserAgentConfig(_config_5);
-        super(_config_6);
-        this.config = _config_6;
-        this.middlewareStack.use(middleware_retry_1.getRetryPlugin(this.config));
-        this.middlewareStack.use(middleware_content_length_1.getContentLengthPlugin(this.config));
-        this.middlewareStack.use(middleware_host_header_1.getHostHeaderPlugin(this.config));
-        this.middlewareStack.use(middleware_logger_1.getLoggerPlugin(this.config));
-        this.middlewareStack.use(middleware_user_agent_1.getUserAgentPlugin(this.config));
-    }
-    /**
-     * Destroy underlying resources, like sockets. It's usually not necessary to do this.
-     * However in Node.js, it's best to explicitly shut down the client's agent when it is no longer needed.
-     * Otherwise, sockets might stay open for quite a long time before the server terminates them.
-     */
-    destroy() {
-        super.destroy();
-    }
-}
-exports.STSClient = STSClient;
-//# sourceMappingURL=STSClient.js.map

package/dist/cjs/STSClient.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"STSClient.js","sourceRoot":"","sources":["../../STSClient.ts"],"names":[],"mappings":";;;AAcA,mDAAyE;AACzE,8DAOkC;AAClC,kFAA4E;AAC5E,4EAKyC;AACzC,kEAA6D;AAC7D,gEAAsH;AACtH,oEAA8G;AAC9G,0EAKwC;AAExC,0DAIgC;AA+KhC;;;;;;GAMG;AACH,MAAa,SAAU,SAAQ,sBAK9B;IAMC,YAAY,aAA8B;QACxC,IAAI,SAAS,GAAG,gCAAkB,CAAC,aAAa,CAAC,CAAC;QAClD,IAAI,SAAS,GAAG,qCAAmB,CAAC,SAAS,CAAC,CAAC;QAC/C,IAAI,SAAS,GAAG,wCAAsB,CAAC,SAAS,CAAC,CAAC;QAClD,IAAI,SAAS,GAAG,qCAAkB,CAAC,SAAS,CAAC,CAAC;QAC9C,IAAI,SAAS,GAAG,gDAAuB,CAAC,SAAS,CAAC,CAAC;QACnD,IAAI,SAAS,GAAG,yCAAoB,CAAC,SAAS,EAAE,EAAE,aAAa,EAAE,SAAS,EAAE,CAAC,CAAC;QAC9E,IAAI,SAAS,GAAG,8CAAsB,CAAC,SAAS,CAAC,CAAC;QAClD,KAAK,CAAC,SAAS,CAAC,CAAC;QACjB,IAAI,CAAC,MAAM,GAAG,SAAS,CAAC;QACxB,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,iCAAc,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACtD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,kDAAsB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC9D,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,4CAAmB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QAC3D,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,mCAAe,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;QACvD,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,0CAAkB,CAAC,IAAI,CAAC,MAAM,CAAC,CAAC,CAAC;IAC5D,CAAC;IAED;;;;OAIG;IACH,OAAO;QACL,KAAK,CAAC,OAAO,EAAE,CAAC;IAClB,CAAC;CACF;AApCD,8BAoCC"}

package/dist/cjs/commands/AssumeRoleCommand.js

@@ -1,146 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AssumeRoleCommand = void 0;
-const models_0_1 = require("../models/models_0");
-const Aws_query_1 = require("../protocols/Aws_query");
-const middleware_serde_1 = require("@aws-sdk/middleware-serde");
-const middleware_signing_1 = require("@aws-sdk/middleware-signing");
-const smithy_client_1 = require("@aws-sdk/smithy-client");
-/**
- * <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
- *             resources that you might not normally have access to. These temporary credentials
- *             consist of an access key ID, a secret access key, and a security token. Typically, you
- *             use <code>AssumeRole</code> within your account or for cross-account access. For a
- *             comparison of <code>AssumeRole</code> with other API operations that produce temporary
- *             credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *                 Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
- *                 the STS API operations</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
- *          make API calls to any Amazon Web Services service with the following exception: You cannot call the
- *          STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
- *          operations.</p>
- *          <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
- *          this operation. You can pass a single JSON policy document to use as an inline session
- *          policy. You can also specify up to 10 managed policies to use as managed session policies.
- *          The plaintext that you use for both inline and managed session policies can't exceed 2,048
- *          characters. Passing policies to this operation returns new
- *          temporary credentials. The resulting session's permissions are the intersection of the
- *          role's identity-based policy and the session policies. You can use the role's temporary
- *          credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
- *          the role. You cannot use session policies to grant more permissions than those allowed
- *          by the identity-based policy of the role that is being assumed. For more information, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
- *             Policies</a> in the <i>IAM User Guide</i>.</p>
- *          <p>To assume a role from a different account, your account must be trusted by the
- *          role. The trust relationship is defined in the role's trust policy when the role is
- *          created. That trust policy states which accounts are allowed to delegate that access to
- *          users in the account. </p>
- *          <p>A user who wants to access a role in a different account must also have permissions that
- *          are delegated from the user account administrator. The administrator must attach a policy
- *          that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
- *          account. If the user is in the same account as the role, then you can do either of the
- *          following:</p>
- *          <ul>
- *             <li>
- *                <p>Attach a policy to the user (identical to the previous user in a different
- *                account).</p>
- *             </li>
- *             <li>
- *                <p>Add the user as a principal directly in the role's trust policy.</p>
- *             </li>
- *          </ul>
- *          <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
- *          account as the role do not need explicit permission to assume the role. For more
- *          information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
- *          the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Tags</b>
- *          </p>
- *          <p>(Optional) You can pass tag key-value pairs to your session. These tags are called
- *          session tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>An administrator must grant you the permissions necessary to pass session tags. The
- *          administrator can also create granular permissions to allow you to pass only specific
- *          session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
- *             for Attribute-Based Access Control</a> in the
- *          <i>IAM User Guide</i>.</p>
- *          <p>You can set the session tags as transitive. Transitive tags persist during role
- *          chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
- *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Using MFA with AssumeRole</b>
- *          </p>
- *          <p>(Optional) You can include multi-factor authentication (MFA) information when you call
- *             <code>AssumeRole</code>. This is useful for cross-account scenarios to ensure that the
- *          user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
- *          scenario, the trust policy of the role being assumed includes a condition that tests for
- *          MFA authentication. If the caller does not include valid MFA information, the request to
- *          assume the role is denied. The condition in a trust policy that tests for MFA
- *          authentication might look like the following example.</p>
- *          <p>
- *             <code>"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}</code>
- *          </p>
- *          <p>For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html">Configuring MFA-Protected API Access</a>
- *          in the <i>IAM User Guide</i> guide.</p>
- *          <p>To use MFA with <code>AssumeRole</code>, you pass values for the
- *             <code>SerialNumber</code> and <code>TokenCode</code> parameters. The
- *             <code>SerialNumber</code> value identifies the user's hardware or virtual MFA device.
- *          The <code>TokenCode</code> is the time-based one-time password (TOTP) that the MFA device
- *          produces. </p>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new AssumeRoleCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link AssumeRoleCommandInput} for command's `input` shape.
- * @see {@link AssumeRoleCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-class AssumeRoleCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
-    constructor(input) {
-        // Start section: command_constructor
-        super();
-        this.input = input;
-        // End section: command_constructor
-    }
-    /**
-     * @internal
-     */
-    resolveMiddleware(clientStack, configuration, options) {
-        this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
-        this.middlewareStack.use(middleware_signing_1.getAwsAuthPlugin(configuration));
-        const stack = clientStack.concat(this.middlewareStack);
-        const { logger } = configuration;
-        const clientName = "STSClient";
-        const commandName = "AssumeRoleCommand";
-        const handlerExecutionContext = {
-            logger,
-            clientName,
-            commandName,
-            inputFilterSensitiveLog: models_0_1.AssumeRoleRequest.filterSensitiveLog,
-            outputFilterSensitiveLog: models_0_1.AssumeRoleResponse.filterSensitiveLog,
-        };
-        const { requestHandler } = configuration;
-        return stack.resolve((request) => requestHandler.handle(request.request, options || {}), handlerExecutionContext);
-    }
-    serialize(input, context) {
-        return Aws_query_1.serializeAws_queryAssumeRoleCommand(input, context);
-    }
-    deserialize(output, context) {
-        return Aws_query_1.deserializeAws_queryAssumeRoleCommand(output, context);
-    }
-}
-exports.AssumeRoleCommand = AssumeRoleCommand;
-//# sourceMappingURL=AssumeRoleCommand.js.map

package/dist/cjs/commands/AssumeRoleCommand.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"AssumeRoleCommand.js","sourceRoot":"","sources":["../../../commands/AssumeRoleCommand.ts"],"names":[],"mappings":";;;AACA,iDAA2E;AAC3E,sDAAoH;AACpH,gEAA2D;AAC3D,oEAA+D;AAE/D,0DAA6D;AAc7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmGG;AACH,MAAa,iBAAkB,SAAQ,uBAItC;IACC,oCAAoC;IACpC,kCAAkC;IAElC,YAAqB,KAA6B;QAChD,qCAAqC;QACrC,KAAK,EAAE,CAAC;QAFW,UAAK,GAAL,KAAK,CAAwB;QAGhD,mCAAmC;IACrC,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,WAAmE,EACnE,aAAsC,EACtC,OAA8B;QAE9B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,iCAAc,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;QAC1F,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,qCAAgB,CAAC,aAAa,CAAC,CAAC,CAAC;QAE1D,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAEvD,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC;QACjC,MAAM,UAAU,GAAG,WAAW,CAAC;QAC/B,MAAM,WAAW,GAAG,mBAAmB,CAAC;QACxC,MAAM,uBAAuB,GAA4B;YACvD,MAAM;YACN,UAAU;YACV,WAAW;YACX,uBAAuB,EAAE,4BAAiB,CAAC,kBAAkB;YAC7D,wBAAwB,EAAE,6BAAkB,CAAC,kBAAkB;SAChE,CAAC;QACF,MAAM,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC;QACzC,OAAO,KAAK,CAAC,OAAO,CAClB,CAAC,OAAsC,EAAE,EAAE,CACzC,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,OAAwB,EAAE,OAAO,IAAI,EAAE,CAAC,EACxE,uBAAuB,CACxB,CAAC;IACJ,CAAC;IAEO,SAAS,CAAC,KAA6B,EAAE,OAAuB;QACtE,OAAO,+CAAmC,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IAC7D,CAAC;IAEO,WAAW,CAAC,MAAsB,EAAE,OAAuB;QACjE,OAAO,iDAAqC,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IAChE,CAAC;CAIF;AAvDD,8CAuDC"}

package/dist/cjs/commands/AssumeRoleWithSAMLCommand.js

@@ -1,192 +0,0 @@
-"use strict";
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.AssumeRoleWithSAMLCommand = void 0;
-const models_0_1 = require("../models/models_0");
-const Aws_query_1 = require("../protocols/Aws_query");
-const middleware_serde_1 = require("@aws-sdk/middleware-serde");
-const smithy_client_1 = require("@aws-sdk/smithy-client");
-/**
- * <p>Returns a set of temporary security credentials for users who have been authenticated
- *          via a SAML authentication response. This operation provides a mechanism for tying an
- *          enterprise identity store or directory to role-based Amazon Web Services access without user-specific
- *          credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
- *          other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *             Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             STS API operations</a> in the <i>IAM User Guide</i>.</p>
- *          <p>The temporary security credentials returned by this operation consist of an access key
- *          ID, a secret access key, and a security token. Applications can use these temporary
- *          security credentials to sign calls to Amazon Web Services services.</p>
- *          <p>
- *             <b>Session Duration</b>
- *          </p>
- *          <p>By default, the temporary security credentials created by
- *             <code>AssumeRoleWithSAML</code> last for one hour. However, you can use the optional
- *             <code>DurationSeconds</code> parameter to specify the duration of your session. Your
- *          role session lasts for the duration that you specify, or until the time specified in the
- *          SAML authentication response's <code>SessionNotOnOrAfter</code> value, whichever is
- *          shorter. You can provide a <code>DurationSeconds</code> value from 900 seconds (15 minutes)
- *          up to the maximum session duration setting for the role. This setting can have a value from
- *          1 hour to 12 hours. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
- *             Maximum Session Duration Setting for a Role</a> in the
- *             <i>IAM User Guide</i>. The maximum session duration limit applies when
- *          you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
- *          commands. However the limit does not apply when you use those operations to create a
- *          console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <note>
- *            <p>
- *                <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API
- *                role session to a maximum of one hour. When you use the <code>AssumeRole</code> API
- *                operation to assume a role, you can specify the duration of your role session with
- *                the <code>DurationSeconds</code> parameter. You can specify a parameter value of up
- *                to 43200 seconds (12 hours), depending on the maximum session duration setting for
- *                your role. However, if you assume a role using role chaining and provide a
- *                <code>DurationSeconds</code> parameter value greater than one hour, the
- *                operation fails.</p>
- *          </note>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>The temporary security credentials created by <code>AssumeRoleWithSAML</code> can be
- *          used to make API calls to any Amazon Web Services service with the following exception: you cannot call
- *          the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
- *          operations.</p>
- *          <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
- *          this operation. You can pass a single JSON policy document to use as an inline session
- *          policy. You can also specify up to 10 managed policies to use as managed session policies.
- *          The plaintext that you use for both inline and managed session policies can't exceed 2,048
- *          characters. Passing policies to this operation returns new
- *          temporary credentials. The resulting session's permissions are the intersection of the
- *          role's identity-based policy and the session policies. You can use the role's temporary
- *          credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
- *          the role. You cannot use session policies to grant more permissions than those allowed
- *          by the identity-based policy of the role that is being assumed. For more information, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
- *             Policies</a> in the <i>IAM User Guide</i>.</p>
- *          <p>Calling <code>AssumeRoleWithSAML</code> does not require the use of Amazon Web Services security
- *          credentials. The identity of the caller is validated by using keys in the metadata document
- *          that is uploaded for the SAML provider entity for your identity provider. </p>
- *          <important>
- *             <p>Calling <code>AssumeRoleWithSAML</code> can result in an entry in your CloudTrail logs.
- *             The entry includes the value in the <code>NameID</code> element of the SAML assertion.
- *             We recommend that you use a <code>NameIDType</code> that is not associated with any
- *             personally identifiable information (PII). For example, you could instead use the
- *             persistent identifier
- *             (<code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</code>).</p>
- *          </important>
- *          <p>
- *             <b>Tags</b>
- *          </p>
- *          <p>(Optional) You can configure your IdP to pass attributes into your SAML assertion as
- *          session tags. Each session tag consists of a key name and an associated value. For more
- *          information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
- *          characters and the values can’t exceed 256 characters. For these and additional limits, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
- *             and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
- *
- *          <note>
- *             <p>An Amazon Web Services conversion compresses the passed session policies and session tags into a
- *             packed binary format that has a separate limit. Your request can fail for this limit
- *             even if your plaintext meets the other requirements. The <code>PackedPolicySize</code>
- *             response element indicates by percentage how close the policies and tags for your
- *             request are to the upper size limit.
- *             </p>
- *          </note>
- *          <p>You can pass a session tag with the same key as a tag that is
- *          attached to the role. When you do, session tags override the role's tags with the same
- *          key.</p>
- *          <p>An administrator must grant you the permissions necessary to pass session tags. The
- *          administrator can also create granular permissions to allow you to pass only specific
- *          session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
- *             for Attribute-Based Access Control</a> in the
- *          <i>IAM User Guide</i>.</p>
- *          <p>You can set the session tags as transitive. Transitive tags persist during role
- *          chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
- *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>SAML Configuration</b>
- *          </p>
- *          <p>Before your application can call <code>AssumeRoleWithSAML</code>, you must configure
- *          your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you
- *          must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that
- *          represents your identity provider. You must also create an IAM role that specifies this
- *          SAML provider in its trust policy. </p>
- *          <p>For more information, see the following resources:</p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About
- *                   SAML 2.0-based Federation</a> in the <i>IAM User Guide</i>.
- *             </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating SAML Identity Providers</a> in the
- *                   <i>IAM User Guide</i>. </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring
- *                   a Relying Party and Claims</a> in the <i>IAM User Guide</i>.
- *             </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating a Role for SAML 2.0 Federation</a> in the
- *                   <i>IAM User Guide</i>. </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, AssumeRoleWithSAMLCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, AssumeRoleWithSAMLCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new AssumeRoleWithSAMLCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link AssumeRoleWithSAMLCommandInput} for command's `input` shape.
- * @see {@link AssumeRoleWithSAMLCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-class AssumeRoleWithSAMLCommand extends smithy_client_1.Command {
-    // Start section: command_properties
-    // End section: command_properties
-    constructor(input) {
-        // Start section: command_constructor
-        super();
-        this.input = input;
-        // End section: command_constructor
-    }
-    /**
-     * @internal
-     */
-    resolveMiddleware(clientStack, configuration, options) {
-        this.middlewareStack.use(middleware_serde_1.getSerdePlugin(configuration, this.serialize, this.deserialize));
-        const stack = clientStack.concat(this.middlewareStack);
-        const { logger } = configuration;
-        const clientName = "STSClient";
-        const commandName = "AssumeRoleWithSAMLCommand";
-        const handlerExecutionContext = {
-            logger,
-            clientName,
-            commandName,
-            inputFilterSensitiveLog: models_0_1.AssumeRoleWithSAMLRequest.filterSensitiveLog,
-            outputFilterSensitiveLog: models_0_1.AssumeRoleWithSAMLResponse.filterSensitiveLog,
-        };
-        const { requestHandler } = configuration;
-        return stack.resolve((request) => requestHandler.handle(request.request, options || {}), handlerExecutionContext);
-    }
-    serialize(input, context) {
-        return Aws_query_1.serializeAws_queryAssumeRoleWithSAMLCommand(input, context);
-    }
-    deserialize(output, context) {
-        return Aws_query_1.deserializeAws_queryAssumeRoleWithSAMLCommand(output, context);
-    }
-}
-exports.AssumeRoleWithSAMLCommand = AssumeRoleWithSAMLCommand;
-//# sourceMappingURL=AssumeRoleWithSAMLCommand.js.map

package/dist/cjs/commands/AssumeRoleWithSAMLCommand.js.map

@@ -1 +0,0 @@
-{"version":3,"file":"AssumeRoleWithSAMLCommand.js","sourceRoot":"","sources":["../../../commands/AssumeRoleWithSAMLCommand.ts"],"names":[],"mappings":";;;AACA,iDAA2F;AAC3F,sDAGgC;AAChC,gEAA2D;AAE3D,0DAA6D;AAc7D;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;GAmJG;AACH,MAAa,yBAA0B,SAAQ,uBAI9C;IACC,oCAAoC;IACpC,kCAAkC;IAElC,YAAqB,KAAqC;QACxD,qCAAqC;QACrC,KAAK,EAAE,CAAC;QAFW,UAAK,GAAL,KAAK,CAAgC;QAGxD,mCAAmC;IACrC,CAAC;IAED;;OAEG;IACH,iBAAiB,CACf,WAAmE,EACnE,aAAsC,EACtC,OAA8B;QAE9B,IAAI,CAAC,eAAe,CAAC,GAAG,CAAC,iCAAc,CAAC,aAAa,EAAE,IAAI,CAAC,SAAS,EAAE,IAAI,CAAC,WAAW,CAAC,CAAC,CAAC;QAE1F,MAAM,KAAK,GAAG,WAAW,CAAC,MAAM,CAAC,IAAI,CAAC,eAAe,CAAC,CAAC;QAEvD,MAAM,EAAE,MAAM,EAAE,GAAG,aAAa,CAAC;QACjC,MAAM,UAAU,GAAG,WAAW,CAAC;QAC/B,MAAM,WAAW,GAAG,2BAA2B,CAAC;QAChD,MAAM,uBAAuB,GAA4B;YACvD,MAAM;YACN,UAAU;YACV,WAAW;YACX,uBAAuB,EAAE,oCAAyB,CAAC,kBAAkB;YACrE,wBAAwB,EAAE,qCAA0B,CAAC,kBAAkB;SACxE,CAAC;QACF,MAAM,EAAE,cAAc,EAAE,GAAG,aAAa,CAAC;QACzC,OAAO,KAAK,CAAC,OAAO,CAClB,CAAC,OAAsC,EAAE,EAAE,CACzC,cAAc,CAAC,MAAM,CAAC,OAAO,CAAC,OAAwB,EAAE,OAAO,IAAI,EAAE,CAAC,EACxE,uBAAuB,CACxB,CAAC;IACJ,CAAC;IAEO,SAAS,CAAC,KAAqC,EAAE,OAAuB;QAC9E,OAAO,uDAA2C,CAAC,KAAK,EAAE,OAAO,CAAC,CAAC;IACrE,CAAC;IAEO,WAAW,CAAC,MAAsB,EAAE,OAAuB;QACjE,OAAO,yDAA6C,CAAC,MAAM,EAAE,OAAO,CAAC,CAAC;IACxE,CAAC;CAIF;AAtDD,8DAsDC"}