@aws-sdk/client-sts 3.35.0 → 3.38.0

package/src/STSClient.ts

@@ -1,264 +0,0 @@
-import {
-  EndpointsInputConfig,
-  EndpointsResolvedConfig,
-  RegionInputConfig,
-  RegionResolvedConfig,
-  resolveEndpointsConfig,
-  resolveRegionConfig,
-} from "@aws-sdk/config-resolver";
-import { getContentLengthPlugin } from "@aws-sdk/middleware-content-length";
-import {
-  getHostHeaderPlugin,
-  HostHeaderInputConfig,
-  HostHeaderResolvedConfig,
-  resolveHostHeaderConfig,
-} from "@aws-sdk/middleware-host-header";
-import { getLoggerPlugin } from "@aws-sdk/middleware-logger";
-import { getRetryPlugin, resolveRetryConfig, RetryInputConfig, RetryResolvedConfig } from "@aws-sdk/middleware-retry";
-import { resolveStsAuthConfig, StsAuthInputConfig, StsAuthResolvedConfig } from "@aws-sdk/middleware-sdk-sts";
-import {
-  getUserAgentPlugin,
-  resolveUserAgentConfig,
-  UserAgentInputConfig,
-  UserAgentResolvedConfig,
-} from "@aws-sdk/middleware-user-agent";
-import { HttpHandler as __HttpHandler } from "@aws-sdk/protocol-http";
-import {
-  Client as __Client,
-  SmithyConfiguration as __SmithyConfiguration,
-  SmithyResolvedConfiguration as __SmithyResolvedConfiguration,
-} from "@aws-sdk/smithy-client";
-import {
-  Credentials as __Credentials,
-  Decoder as __Decoder,
-  Encoder as __Encoder,
-  Hash as __Hash,
-  HashConstructor as __HashConstructor,
-  HttpHandlerOptions as __HttpHandlerOptions,
-  Logger as __Logger,
-  Provider as __Provider,
-  Provider,
-  RegionInfoProvider,
-  StreamCollector as __StreamCollector,
-  UrlParser as __UrlParser,
-  UserAgent as __UserAgent,
-} from "@aws-sdk/types";
-
-import { AssumeRoleCommandInput, AssumeRoleCommandOutput } from "./commands/AssumeRoleCommand";
-import { AssumeRoleWithSAMLCommandInput, AssumeRoleWithSAMLCommandOutput } from "./commands/AssumeRoleWithSAMLCommand";
-import {
-  AssumeRoleWithWebIdentityCommandInput,
-  AssumeRoleWithWebIdentityCommandOutput,
-} from "./commands/AssumeRoleWithWebIdentityCommand";
-import {
-  DecodeAuthorizationMessageCommandInput,
-  DecodeAuthorizationMessageCommandOutput,
-} from "./commands/DecodeAuthorizationMessageCommand";
-import { GetAccessKeyInfoCommandInput, GetAccessKeyInfoCommandOutput } from "./commands/GetAccessKeyInfoCommand";
-import { GetCallerIdentityCommandInput, GetCallerIdentityCommandOutput } from "./commands/GetCallerIdentityCommand";
-import { GetFederationTokenCommandInput, GetFederationTokenCommandOutput } from "./commands/GetFederationTokenCommand";
-import { GetSessionTokenCommandInput, GetSessionTokenCommandOutput } from "./commands/GetSessionTokenCommand";
-import { getRuntimeConfig as __getRuntimeConfig } from "./runtimeConfig";
-
-export type ServiceInputTypes =
-  | AssumeRoleCommandInput
-  | AssumeRoleWithSAMLCommandInput
-  | AssumeRoleWithWebIdentityCommandInput
-  | DecodeAuthorizationMessageCommandInput
-  | GetAccessKeyInfoCommandInput
-  | GetCallerIdentityCommandInput
-  | GetFederationTokenCommandInput
-  | GetSessionTokenCommandInput;
-
-export type ServiceOutputTypes =
-  | AssumeRoleCommandOutput
-  | AssumeRoleWithSAMLCommandOutput
-  | AssumeRoleWithWebIdentityCommandOutput
-  | DecodeAuthorizationMessageCommandOutput
-  | GetAccessKeyInfoCommandOutput
-  | GetCallerIdentityCommandOutput
-  | GetFederationTokenCommandOutput
-  | GetSessionTokenCommandOutput;
-
-export interface ClientDefaults extends Partial<__SmithyResolvedConfiguration<__HttpHandlerOptions>> {
-  /**
-   * The HTTP handler to use. Fetch in browser and Https in Nodejs.
-   */
-  requestHandler?: __HttpHandler;
-
-  /**
-   * A constructor for a class implementing the {@link __Hash} interface
-   * that computes the SHA-256 HMAC or checksum of a string or binary buffer.
-   * @internal
-   */
-  sha256?: __HashConstructor;
-
-  /**
-   * The function that will be used to convert strings into HTTP endpoints.
-   * @internal
-   */
-  urlParser?: __UrlParser;
-
-  /**
-   * A function that can calculate the length of a request body.
-   * @internal
-   */
-  bodyLengthChecker?: (body: any) => number | undefined;
-
-  /**
-   * A function that converts a stream into an array of bytes.
-   * @internal
-   */
-  streamCollector?: __StreamCollector;
-
-  /**
-   * The function that will be used to convert a base64-encoded string to a byte array.
-   * @internal
-   */
-  base64Decoder?: __Decoder;
-
-  /**
-   * The function that will be used to convert binary data to a base64-encoded string.
-   * @internal
-   */
-  base64Encoder?: __Encoder;
-
-  /**
-   * The function that will be used to convert a UTF8-encoded string to a byte array.
-   * @internal
-   */
-  utf8Decoder?: __Decoder;
-
-  /**
-   * The function that will be used to convert binary data to a UTF-8 encoded string.
-   * @internal
-   */
-  utf8Encoder?: __Encoder;
-
-  /**
-   * The runtime environment.
-   * @internal
-   */
-  runtime?: string;
-
-  /**
-   * Disable dyanamically changing the endpoint of the client based on the hostPrefix
-   * trait of an operation.
-   */
-  disableHostPrefix?: boolean;
-
-  /**
-   * Value for how many times a request will be made at most in case of retry.
-   */
-  maxAttempts?: number | __Provider<number>;
-
-  /**
-   * Specifies which retry algorithm to use.
-   */
-  retryMode?: string | __Provider<string>;
-
-  /**
-   * Optional logger for logging debug/info/warn/error.
-   */
-  logger?: __Logger;
-
-  /**
-   * Unique service identifier.
-   * @internal
-   */
-  serviceId?: string;
-
-  /**
-   * The AWS region to which this client will send requests
-   */
-  region?: string | __Provider<string>;
-
-  /**
-   * Default credentials provider; Not available in browser runtime.
-   * @internal
-   */
-  credentialDefaultProvider?: (input: any) => __Provider<__Credentials>;
-
-  /**
-   * Fetch related hostname, signing name or signing region with given region.
-   * @internal
-   */
-  regionInfoProvider?: RegionInfoProvider;
-
-  /**
-   * The provider populating default tracking information to be sent with `user-agent`, `x-amz-user-agent` header
-   * @internal
-   */
-  defaultUserAgentProvider?: Provider<__UserAgent>;
-}
-
-type STSClientConfigType = Partial<__SmithyConfiguration<__HttpHandlerOptions>> &
-  ClientDefaults &
-  RegionInputConfig &
-  EndpointsInputConfig &
-  RetryInputConfig &
-  HostHeaderInputConfig &
-  StsAuthInputConfig &
-  UserAgentInputConfig;
-/**
- * The configuration interface of STSClient class constructor that set the region, credentials and other options.
- */
-export interface STSClientConfig extends STSClientConfigType {}
-
-type STSClientResolvedConfigType = __SmithyResolvedConfiguration<__HttpHandlerOptions> &
-  Required<ClientDefaults> &
-  RegionResolvedConfig &
-  EndpointsResolvedConfig &
-  RetryResolvedConfig &
-  HostHeaderResolvedConfig &
-  StsAuthResolvedConfig &
-  UserAgentResolvedConfig;
-/**
- * The resolved configuration interface of STSClient class. This is resolved and normalized from the {@link STSClientConfig | constructor configuration interface}.
- */
-export interface STSClientResolvedConfig extends STSClientResolvedConfigType {}
-
-/**
- * <fullname>Security Token Service</fullname>
- *          <p>Security Token Service (STS) enables you to request temporary, limited-privilege
- *       credentials for Identity and Access Management (IAM) users or for users that you
- *       authenticate (federated users). This guide provides descriptions of the STS API. For
- *       more information about using this service, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html">Temporary Security Credentials</a>.</p>
- */
-export class STSClient extends __Client<
-  __HttpHandlerOptions,
-  ServiceInputTypes,
-  ServiceOutputTypes,
-  STSClientResolvedConfig
-> {
-  /**
-   * The resolved configuration of STSClient class. This is resolved and normalized from the {@link STSClientConfig | constructor configuration interface}.
-   */
-  readonly config: STSClientResolvedConfig;
-
-  constructor(configuration: STSClientConfig) {
-    const _config_0 = __getRuntimeConfig(configuration);
-    const _config_1 = resolveRegionConfig(_config_0);
-    const _config_2 = resolveEndpointsConfig(_config_1);
-    const _config_3 = resolveRetryConfig(_config_2);
-    const _config_4 = resolveHostHeaderConfig(_config_3);
-    const _config_5 = resolveStsAuthConfig(_config_4, { stsClientCtor: STSClient });
-    const _config_6 = resolveUserAgentConfig(_config_5);
-    super(_config_6);
-    this.config = _config_6;
-    this.middlewareStack.use(getRetryPlugin(this.config));
-    this.middlewareStack.use(getContentLengthPlugin(this.config));
-    this.middlewareStack.use(getHostHeaderPlugin(this.config));
-    this.middlewareStack.use(getLoggerPlugin(this.config));
-    this.middlewareStack.use(getUserAgentPlugin(this.config));
-  }
-
-  /**
-   * Destroy underlying resources, like sockets. It's usually not necessary to do this.
-   * However in Node.js, it's best to explicitly shut down the client's agent when it is no longer needed.
-   * Otherwise, sockets might stay open for quite a long time before the server terminates them.
-   */
-  destroy(): void {
-    super.destroy();
-  }
-}

package/src/commands/AssumeRoleCommand.ts

@@ -1,177 +0,0 @@
-import { getSerdePlugin } from "@aws-sdk/middleware-serde";
-import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
-import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
-import { Command as $Command } from "@aws-sdk/smithy-client";
-import {
-  FinalizeHandlerArguments,
-  Handler,
-  HandlerExecutionContext,
-  HttpHandlerOptions as __HttpHandlerOptions,
-  MetadataBearer as __MetadataBearer,
-  MiddlewareStack,
-  SerdeContext as __SerdeContext,
-} from "@aws-sdk/types";
-
-import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0";
-import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query";
-import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient";
-
-export interface AssumeRoleCommandInput extends AssumeRoleRequest {}
-export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer {}
-
-/**
- * <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
- *             resources that you might not normally have access to. These temporary credentials
- *             consist of an access key ID, a secret access key, and a security token. Typically, you
- *             use <code>AssumeRole</code> within your account or for cross-account access. For a
- *             comparison of <code>AssumeRole</code> with other API operations that produce temporary
- *             credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *                 Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
- *                 the STS API operations</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
- *          make API calls to any Amazon Web Services service with the following exception: You cannot call the
- *          STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
- *          operations.</p>
- *          <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
- *          this operation. You can pass a single JSON policy document to use as an inline session
- *          policy. You can also specify up to 10 managed policies to use as managed session policies.
- *          The plaintext that you use for both inline and managed session policies can't exceed 2,048
- *          characters. Passing policies to this operation returns new
- *          temporary credentials. The resulting session's permissions are the intersection of the
- *          role's identity-based policy and the session policies. You can use the role's temporary
- *          credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
- *          the role. You cannot use session policies to grant more permissions than those allowed
- *          by the identity-based policy of the role that is being assumed. For more information, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
- *             Policies</a> in the <i>IAM User Guide</i>.</p>
- *          <p>To assume a role from a different account, your account must be trusted by the
- *          role. The trust relationship is defined in the role's trust policy when the role is
- *          created. That trust policy states which accounts are allowed to delegate that access to
- *          users in the account. </p>
- *          <p>A user who wants to access a role in a different account must also have permissions that
- *          are delegated from the user account administrator. The administrator must attach a policy
- *          that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
- *          account. If the user is in the same account as the role, then you can do either of the
- *          following:</p>
- *          <ul>
- *             <li>
- *                <p>Attach a policy to the user (identical to the previous user in a different
- *                account).</p>
- *             </li>
- *             <li>
- *                <p>Add the user as a principal directly in the role's trust policy.</p>
- *             </li>
- *          </ul>
- *          <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
- *          account as the role do not need explicit permission to assume the role. For more
- *          information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
- *          the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Tags</b>
- *          </p>
- *          <p>(Optional) You can pass tag key-value pairs to your session. These tags are called
- *          session tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>An administrator must grant you the permissions necessary to pass session tags. The
- *          administrator can also create granular permissions to allow you to pass only specific
- *          session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
- *             for Attribute-Based Access Control</a> in the
- *          <i>IAM User Guide</i>.</p>
- *          <p>You can set the session tags as transitive. Transitive tags persist during role
- *          chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
- *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>Using MFA with AssumeRole</b>
- *          </p>
- *          <p>(Optional) You can include multi-factor authentication (MFA) information when you call
- *             <code>AssumeRole</code>. This is useful for cross-account scenarios to ensure that the
- *          user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
- *          scenario, the trust policy of the role being assumed includes a condition that tests for
- *          MFA authentication. If the caller does not include valid MFA information, the request to
- *          assume the role is denied. The condition in a trust policy that tests for MFA
- *          authentication might look like the following example.</p>
- *          <p>
- *             <code>"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}</code>
- *          </p>
- *          <p>For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html">Configuring MFA-Protected API Access</a>
- *          in the <i>IAM User Guide</i> guide.</p>
- *          <p>To use MFA with <code>AssumeRole</code>, you pass values for the
- *             <code>SerialNumber</code> and <code>TokenCode</code> parameters. The
- *             <code>SerialNumber</code> value identifies the user's hardware or virtual MFA device.
- *          The <code>TokenCode</code> is the time-based one-time password (TOTP) that the MFA device
- *          produces. </p>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new AssumeRoleCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link AssumeRoleCommandInput} for command's `input` shape.
- * @see {@link AssumeRoleCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-export class AssumeRoleCommand extends $Command<
-  AssumeRoleCommandInput,
-  AssumeRoleCommandOutput,
-  STSClientResolvedConfig
-> {
-  // Start section: command_properties
-  // End section: command_properties
-
-  constructor(readonly input: AssumeRoleCommandInput) {
-    // Start section: command_constructor
-    super();
-    // End section: command_constructor
-  }
-
-  /**
-   * @internal
-   */
-  resolveMiddleware(
-    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
-    configuration: STSClientResolvedConfig,
-    options?: __HttpHandlerOptions
-  ): Handler<AssumeRoleCommandInput, AssumeRoleCommandOutput> {
-    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
-    this.middlewareStack.use(getAwsAuthPlugin(configuration));
-
-    const stack = clientStack.concat(this.middlewareStack);
-
-    const { logger } = configuration;
-    const clientName = "STSClient";
-    const commandName = "AssumeRoleCommand";
-    const handlerExecutionContext: HandlerExecutionContext = {
-      logger,
-      clientName,
-      commandName,
-      inputFilterSensitiveLog: AssumeRoleRequest.filterSensitiveLog,
-      outputFilterSensitiveLog: AssumeRoleResponse.filterSensitiveLog,
-    };
-    const { requestHandler } = configuration;
-    return stack.resolve(
-      (request: FinalizeHandlerArguments<any>) =>
-        requestHandler.handle(request.request as __HttpRequest, options || {}),
-      handlerExecutionContext
-    );
-  }
-
-  private serialize(input: AssumeRoleCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
-    return serializeAws_queryAssumeRoleCommand(input, context);
-  }
-
-  private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<AssumeRoleCommandOutput> {
-    return deserializeAws_queryAssumeRoleCommand(output, context);
-  }
-
-  // Start section: command_body_extra
-  // End section: command_body_extra
-}

package/src/commands/AssumeRoleWithSAMLCommand.ts

@@ -1,226 +0,0 @@
-import { getSerdePlugin } from "@aws-sdk/middleware-serde";
-import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
-import { Command as $Command } from "@aws-sdk/smithy-client";
-import {
-  FinalizeHandlerArguments,
-  Handler,
-  HandlerExecutionContext,
-  HttpHandlerOptions as __HttpHandlerOptions,
-  MetadataBearer as __MetadataBearer,
-  MiddlewareStack,
-  SerdeContext as __SerdeContext,
-} from "@aws-sdk/types";
-
-import { AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse } from "../models/models_0";
-import {
-  deserializeAws_queryAssumeRoleWithSAMLCommand,
-  serializeAws_queryAssumeRoleWithSAMLCommand,
-} from "../protocols/Aws_query";
-import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient";
-
-export interface AssumeRoleWithSAMLCommandInput extends AssumeRoleWithSAMLRequest {}
-export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLResponse, __MetadataBearer {}
-
-/**
- * <p>Returns a set of temporary security credentials for users who have been authenticated
- *          via a SAML authentication response. This operation provides a mechanism for tying an
- *          enterprise identity store or directory to role-based Amazon Web Services access without user-specific
- *          credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
- *          other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
- *             Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
- *             STS API operations</a> in the <i>IAM User Guide</i>.</p>
- *          <p>The temporary security credentials returned by this operation consist of an access key
- *          ID, a secret access key, and a security token. Applications can use these temporary
- *          security credentials to sign calls to Amazon Web Services services.</p>
- *          <p>
- *             <b>Session Duration</b>
- *          </p>
- *          <p>By default, the temporary security credentials created by
- *             <code>AssumeRoleWithSAML</code> last for one hour. However, you can use the optional
- *             <code>DurationSeconds</code> parameter to specify the duration of your session. Your
- *          role session lasts for the duration that you specify, or until the time specified in the
- *          SAML authentication response's <code>SessionNotOnOrAfter</code> value, whichever is
- *          shorter. You can provide a <code>DurationSeconds</code> value from 900 seconds (15 minutes)
- *          up to the maximum session duration setting for the role. This setting can have a value from
- *          1 hour to 12 hours. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
- *             Maximum Session Duration Setting for a Role</a> in the
- *             <i>IAM User Guide</i>. The maximum session duration limit applies when
- *          you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
- *          commands. However the limit does not apply when you use those operations to create a
- *          console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <note>
- *            <p>
- *                <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API
- *                role session to a maximum of one hour. When you use the <code>AssumeRole</code> API
- *                operation to assume a role, you can specify the duration of your role session with
- *                the <code>DurationSeconds</code> parameter. You can specify a parameter value of up
- *                to 43200 seconds (12 hours), depending on the maximum session duration setting for
- *                your role. However, if you assume a role using role chaining and provide a
- *                <code>DurationSeconds</code> parameter value greater than one hour, the
- *                operation fails.</p>
- *          </note>
- *          <p>
- *             <b>Permissions</b>
- *          </p>
- *          <p>The temporary security credentials created by <code>AssumeRoleWithSAML</code> can be
- *          used to make API calls to any Amazon Web Services service with the following exception: you cannot call
- *          the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
- *          operations.</p>
- *          <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
- *          this operation. You can pass a single JSON policy document to use as an inline session
- *          policy. You can also specify up to 10 managed policies to use as managed session policies.
- *          The plaintext that you use for both inline and managed session policies can't exceed 2,048
- *          characters. Passing policies to this operation returns new
- *          temporary credentials. The resulting session's permissions are the intersection of the
- *          role's identity-based policy and the session policies. You can use the role's temporary
- *          credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
- *          the role. You cannot use session policies to grant more permissions than those allowed
- *          by the identity-based policy of the role that is being assumed. For more information, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
- *             Policies</a> in the <i>IAM User Guide</i>.</p>
- *          <p>Calling <code>AssumeRoleWithSAML</code> does not require the use of Amazon Web Services security
- *          credentials. The identity of the caller is validated by using keys in the metadata document
- *          that is uploaded for the SAML provider entity for your identity provider. </p>
- *          <important>
- *             <p>Calling <code>AssumeRoleWithSAML</code> can result in an entry in your CloudTrail logs.
- *             The entry includes the value in the <code>NameID</code> element of the SAML assertion.
- *             We recommend that you use a <code>NameIDType</code> that is not associated with any
- *             personally identifiable information (PII). For example, you could instead use the
- *             persistent identifier
- *             (<code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</code>).</p>
- *          </important>
- *          <p>
- *             <b>Tags</b>
- *          </p>
- *          <p>(Optional) You can configure your IdP to pass attributes into your SAML assertion as
- *          session tags. Each session tag consists of a key name and an associated value. For more
- *          information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
- *             <i>IAM User Guide</i>.</p>
- *          <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
- *          characters and the values can’t exceed 256 characters. For these and additional limits, see
- *             <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
- *             and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
- *
- *          <note>
- *             <p>An Amazon Web Services conversion compresses the passed session policies and session tags into a
- *             packed binary format that has a separate limit. Your request can fail for this limit
- *             even if your plaintext meets the other requirements. The <code>PackedPolicySize</code>
- *             response element indicates by percentage how close the policies and tags for your
- *             request are to the upper size limit.
- *             </p>
- *          </note>
- *          <p>You can pass a session tag with the same key as a tag that is
- *          attached to the role. When you do, session tags override the role's tags with the same
- *          key.</p>
- *          <p>An administrator must grant you the permissions necessary to pass session tags. The
- *          administrator can also create granular permissions to allow you to pass only specific
- *          session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
- *             for Attribute-Based Access Control</a> in the
- *          <i>IAM User Guide</i>.</p>
- *          <p>You can set the session tags as transitive. Transitive tags persist during role
- *          chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
- *             with Session Tags</a> in the <i>IAM User Guide</i>.</p>
- *          <p>
- *             <b>SAML Configuration</b>
- *          </p>
- *          <p>Before your application can call <code>AssumeRoleWithSAML</code>, you must configure
- *          your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you
- *          must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that
- *          represents your identity provider. You must also create an IAM role that specifies this
- *          SAML provider in its trust policy. </p>
- *          <p>For more information, see the following resources:</p>
- *          <ul>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About
- *                   SAML 2.0-based Federation</a> in the <i>IAM User Guide</i>.
- *             </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating SAML Identity Providers</a> in the
- *                   <i>IAM User Guide</i>. </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring
- *                   a Relying Party and Claims</a> in the <i>IAM User Guide</i>.
- *             </p>
- *             </li>
- *             <li>
- *                <p>
- *                   <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating a Role for SAML 2.0 Federation</a> in the
- *                   <i>IAM User Guide</i>. </p>
- *             </li>
- *          </ul>
- * @example
- * Use a bare-bones client and the command you need to make an API call.
- * ```javascript
- * import { STSClient, AssumeRoleWithSAMLCommand } from "@aws-sdk/client-sts"; // ES Modules import
- * // const { STSClient, AssumeRoleWithSAMLCommand } = require("@aws-sdk/client-sts"); // CommonJS import
- * const client = new STSClient(config);
- * const command = new AssumeRoleWithSAMLCommand(input);
- * const response = await client.send(command);
- * ```
- *
- * @see {@link AssumeRoleWithSAMLCommandInput} for command's `input` shape.
- * @see {@link AssumeRoleWithSAMLCommandOutput} for command's `response` shape.
- * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
- *
- */
-export class AssumeRoleWithSAMLCommand extends $Command<
-  AssumeRoleWithSAMLCommandInput,
-  AssumeRoleWithSAMLCommandOutput,
-  STSClientResolvedConfig
-> {
-  // Start section: command_properties
-  // End section: command_properties
-
-  constructor(readonly input: AssumeRoleWithSAMLCommandInput) {
-    // Start section: command_constructor
-    super();
-    // End section: command_constructor
-  }
-
-  /**
-   * @internal
-   */
-  resolveMiddleware(
-    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
-    configuration: STSClientResolvedConfig,
-    options?: __HttpHandlerOptions
-  ): Handler<AssumeRoleWithSAMLCommandInput, AssumeRoleWithSAMLCommandOutput> {
-    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
-
-    const stack = clientStack.concat(this.middlewareStack);
-
-    const { logger } = configuration;
-    const clientName = "STSClient";
-    const commandName = "AssumeRoleWithSAMLCommand";
-    const handlerExecutionContext: HandlerExecutionContext = {
-      logger,
-      clientName,
-      commandName,
-      inputFilterSensitiveLog: AssumeRoleWithSAMLRequest.filterSensitiveLog,
-      outputFilterSensitiveLog: AssumeRoleWithSAMLResponse.filterSensitiveLog,
-    };
-    const { requestHandler } = configuration;
-    return stack.resolve(
-      (request: FinalizeHandlerArguments<any>) =>
-        requestHandler.handle(request.request as __HttpRequest, options || {}),
-      handlerExecutionContext
-    );
-  }
-
-  private serialize(input: AssumeRoleWithSAMLCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
-    return serializeAws_queryAssumeRoleWithSAMLCommand(input, context);
-  }
-
-  private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<AssumeRoleWithSAMLCommandOutput> {
-    return deserializeAws_queryAssumeRoleWithSAMLCommand(output, context);
-  }
-
-  // Start section: command_body_extra
-  // End section: command_body_extra
-}