1 // THIS FILE IS AUTOMATICALLY GENERATED. DO NOT EDIT.
3 // Package sts provides a client for AWS Security Token Service.
9 "github.com/aws/aws-sdk-go/aws/awsutil"
10 "github.com/aws/aws-sdk-go/aws/request"
13 const opAssumeRole = "AssumeRole"
15 // AssumeRoleRequest generates a "aws/request.Request" representing the
16 // client's request for the AssumeRole operation. The "output" return
17 // value can be used to capture response data after the request's "Send" method
20 // See AssumeRole for usage and error information.
22 // Creating a request object using this method should be used when you want to inject
23 // custom logic into the request's lifecycle using a custom handler, or if you want to
24 // access properties on the request object before or after sending the request. If
25 // you just want the service response, call the AssumeRole method directly
28 // Note: You must call the "Send" method on the returned request object in order
29 // to execute the request.
31 // // Example sending a request using the AssumeRoleRequest method.
32 // req, resp := client.AssumeRoleRequest(params)
35 // if err == nil { // resp is now filled
39 func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, output *AssumeRoleOutput) {
40 op := &request.Operation{
47 input = &AssumeRoleInput{}
50 req = c.newRequest(op, input, output)
51 output = &AssumeRoleOutput{}
56 // AssumeRole API operation for AWS Security Token Service.
58 // Returns a set of temporary security credentials (consisting of an access
59 // key ID, a secret access key, and a security token) that you can use to access
60 // AWS resources that you might not normally have access to. Typically, you
61 // use AssumeRole for cross-account access or federation. For a comparison of
62 // AssumeRole with the other APIs that produce temporary credentials, see Requesting
63 // Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
64 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
65 // in the IAM User Guide.
67 // Important: You cannot call AssumeRole by using AWS root account credentials;
68 // access is denied. You must use credentials for an IAM user or an IAM role
69 // to call AssumeRole.
71 // For cross-account access, imagine that you own multiple accounts and need
72 // to access resources in each account. You could create long-term credentials
73 // in each account to access those resources. However, managing all those credentials
74 // and remembering which one can access which account can be time consuming.
75 // Instead, you can create one set of long-term credentials in one account and
76 // then use temporary security credentials to access all the other accounts
77 // by assuming roles in those accounts. For more information about roles, see
78 // IAM Roles (Delegation and Federation) (http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html)
79 // in the IAM User Guide.
81 // For federation, you can, for example, grant single sign-on access to the
82 // AWS Management Console. If you already have an identity and authentication
83 // system in your corporate network, you don't have to recreate user identities
84 // in AWS in order to grant those user identities access to AWS. Instead, after
85 // a user has been authenticated, you call AssumeRole (and specify the role
86 // with the appropriate permissions) to get temporary security credentials for
87 // that user. With those temporary security credentials, you construct a sign-in
88 // URL that users can use to access the console. For more information, see Common
89 // Scenarios for Temporary Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html#sts-introduction)
90 // in the IAM User Guide.
92 // The temporary security credentials are valid for the duration that you specified
93 // when calling AssumeRole, which can be from 900 seconds (15 minutes) to a
94 // maximum of 3600 seconds (1 hour). The default is 1 hour.
96 // The temporary security credentials created by AssumeRole can be used to make
97 // API calls to any AWS service with the following exception: you cannot call
98 // the STS service's GetFederationToken or GetSessionToken APIs.
100 // Optionally, you can pass an IAM access policy to this operation. If you choose
101 // not to pass a policy, the temporary security credentials that are returned
102 // by the operation have the permissions that are defined in the access policy
103 // of the role that is being assumed. If you pass a policy to this operation,
104 // the temporary security credentials that are returned by the operation have
105 // the permissions that are allowed by both the access policy of the role that
106 // is being assumed, and the policy that you pass. This gives you a way to further
107 // restrict the permissions for the resulting temporary security credentials.
108 // You cannot use the passed policy to grant permissions that are in excess
109 // of those allowed by the access policy of the role that is being assumed.
110 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
111 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
112 // in the IAM User Guide.
114 // To assume a role, your AWS account must be trusted by the role. The trust
115 // relationship is defined in the role's trust policy when the role is created.
116 // That trust policy states which accounts are allowed to delegate access to
117 // this account's role.
119 // The user who wants to access the role must also have permissions delegated
120 // from the role's administrator. If the user is in a different account than
121 // the role, then the user's administrator must attach a policy that allows
122 // the user to call AssumeRole on the ARN of the role in the other account.
123 // If the user is in the same account as the role, then you can either attach
124 // a policy to the user (identical to the previous different account user),
125 // or you can add the user as a principal directly in the role's trust policy
127 // Using MFA with AssumeRole
129 // You can optionally include multi-factor authentication (MFA) information
130 // when you call AssumeRole. This is useful for cross-account scenarios in which
131 // you want to make sure that the user who is assuming the role has been authenticated
132 // using an AWS MFA device. In that scenario, the trust policy of the role being
133 // assumed includes a condition that tests for MFA authentication; if the caller
134 // does not include valid MFA information, the request to assume the role is
135 // denied. The condition in a trust policy that tests for MFA authentication
136 // might look like the following example.
138 // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
140 // For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
141 // in the IAM User Guide guide.
143 // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode
144 // parameters. The SerialNumber value identifies the user's hardware or virtual
145 // MFA device. The TokenCode is the time-based one-time password (TOTP) that
146 // the MFA devices produces.
148 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
149 // with awserr.Error's Code and Message methods to get detailed information about
152 // See the AWS API reference guide for AWS Security Token Service's
153 // API operation AssumeRole for usage and error information.
155 // Returned Error Codes:
156 // * MalformedPolicyDocument
157 // The request was rejected because the policy document was malformed. The error
158 // message describes the specific error.
160 // * PackedPolicyTooLarge
161 // The request was rejected because the policy document was too large. The error
162 // message describes how big the policy document is, in packed form, as a percentage
163 // of what the API allows.
165 // * RegionDisabledException
166 // STS is not activated in the requested region for the account that is being
167 // asked to generate credentials. The account administrator must use the IAM
168 // console to activate STS in that region. For more information, see Activating
169 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
170 // in the IAM User Guide.
172 func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
173 req, out := c.AssumeRoleRequest(input)
178 const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
180 // AssumeRoleWithSAMLRequest generates a "aws/request.Request" representing the
181 // client's request for the AssumeRoleWithSAML operation. The "output" return
182 // value can be used to capture response data after the request's "Send" method
185 // See AssumeRoleWithSAML for usage and error information.
187 // Creating a request object using this method should be used when you want to inject
188 // custom logic into the request's lifecycle using a custom handler, or if you want to
189 // access properties on the request object before or after sending the request. If
190 // you just want the service response, call the AssumeRoleWithSAML method directly
193 // Note: You must call the "Send" method on the returned request object in order
194 // to execute the request.
196 // // Example sending a request using the AssumeRoleWithSAMLRequest method.
197 // req, resp := client.AssumeRoleWithSAMLRequest(params)
200 // if err == nil { // resp is now filled
204 func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *request.Request, output *AssumeRoleWithSAMLOutput) {
205 op := &request.Operation{
206 Name: opAssumeRoleWithSAML,
212 input = &AssumeRoleWithSAMLInput{}
215 req = c.newRequest(op, input, output)
216 output = &AssumeRoleWithSAMLOutput{}
221 // AssumeRoleWithSAML API operation for AWS Security Token Service.
223 // Returns a set of temporary security credentials for users who have been authenticated
224 // via a SAML authentication response. This operation provides a mechanism for
225 // tying an enterprise identity store or directory to role-based AWS access
226 // without user-specific credentials or configuration. For a comparison of AssumeRoleWithSAML
227 // with the other APIs that produce temporary credentials, see Requesting Temporary
228 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
229 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
230 // in the IAM User Guide.
232 // The temporary security credentials returned by this operation consist of
233 // an access key ID, a secret access key, and a security token. Applications
234 // can use these temporary security credentials to sign calls to AWS services.
236 // The temporary security credentials are valid for the duration that you specified
237 // when calling AssumeRole, or until the time specified in the SAML authentication
238 // response's SessionNotOnOrAfter value, whichever is shorter. The duration
239 // can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour).
240 // The default is 1 hour.
242 // The temporary security credentials created by AssumeRoleWithSAML can be used
243 // to make API calls to any AWS service with the following exception: you cannot
244 // call the STS service's GetFederationToken or GetSessionToken APIs.
246 // Optionally, you can pass an IAM access policy to this operation. If you choose
247 // not to pass a policy, the temporary security credentials that are returned
248 // by the operation have the permissions that are defined in the access policy
249 // of the role that is being assumed. If you pass a policy to this operation,
250 // the temporary security credentials that are returned by the operation have
251 // the permissions that are allowed by the intersection of both the access policy
252 // of the role that is being assumed, and the policy that you pass. This means
253 // that both policies must grant the permission for the action to be allowed.
254 // This gives you a way to further restrict the permissions for the resulting
255 // temporary security credentials. You cannot use the passed policy to grant
256 // permissions that are in excess of those allowed by the access policy of the
257 // role that is being assumed. For more information, see Permissions for AssumeRole,
258 // AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
259 // in the IAM User Guide.
261 // Before your application can call AssumeRoleWithSAML, you must configure your
262 // SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
263 // you must use AWS Identity and Access Management (IAM) to create a SAML provider
264 // entity in your AWS account that represents your identity provider, and create
265 // an IAM role that specifies this SAML provider in its trust policy.
267 // Calling AssumeRoleWithSAML does not require the use of AWS security credentials.
268 // The identity of the caller is validated by using keys in the metadata document
269 // that is uploaded for the SAML provider entity for your identity provider.
271 // Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
272 // logs. The entry includes the value in the NameID element of the SAML assertion.
273 // We recommend that you use a NameIDType that is not associated with any personally
274 // identifiable information (PII). For example, you could instead use the Persistent
275 // Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
277 // For more information, see the following resources:
279 // * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
280 // in the IAM User Guide.
282 // * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
283 // in the IAM User Guide.
285 // * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
286 // in the IAM User Guide.
288 // * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
289 // in the IAM User Guide.
291 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
292 // with awserr.Error's Code and Message methods to get detailed information about
295 // See the AWS API reference guide for AWS Security Token Service's
296 // API operation AssumeRoleWithSAML for usage and error information.
298 // Returned Error Codes:
299 // * MalformedPolicyDocument
300 // The request was rejected because the policy document was malformed. The error
301 // message describes the specific error.
303 // * PackedPolicyTooLarge
304 // The request was rejected because the policy document was too large. The error
305 // message describes how big the policy document is, in packed form, as a percentage
306 // of what the API allows.
308 // * IDPRejectedClaim
309 // The identity provider (IdP) reported that authentication failed. This might
310 // be because the claim is invalid.
312 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
313 // can also mean that the claim has expired or has been explicitly revoked.
315 // * InvalidIdentityToken
316 // The web identity token that was passed could not be validated by AWS. Get
317 // a new identity token from the identity provider and then retry the request.
319 // * ExpiredTokenException
320 // The web identity token that was passed is expired or is not valid. Get a
321 // new identity token from the identity provider and then retry the request.
323 // * RegionDisabledException
324 // STS is not activated in the requested region for the account that is being
325 // asked to generate credentials. The account administrator must use the IAM
326 // console to activate STS in that region. For more information, see Activating
327 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
328 // in the IAM User Guide.
330 func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
331 req, out := c.AssumeRoleWithSAMLRequest(input)
336 const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
338 // AssumeRoleWithWebIdentityRequest generates a "aws/request.Request" representing the
339 // client's request for the AssumeRoleWithWebIdentity operation. The "output" return
340 // value can be used to capture response data after the request's "Send" method
343 // See AssumeRoleWithWebIdentity for usage and error information.
345 // Creating a request object using this method should be used when you want to inject
346 // custom logic into the request's lifecycle using a custom handler, or if you want to
347 // access properties on the request object before or after sending the request. If
348 // you just want the service response, call the AssumeRoleWithWebIdentity method directly
351 // Note: You must call the "Send" method on the returned request object in order
352 // to execute the request.
354 // // Example sending a request using the AssumeRoleWithWebIdentityRequest method.
355 // req, resp := client.AssumeRoleWithWebIdentityRequest(params)
358 // if err == nil { // resp is now filled
362 func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityInput) (req *request.Request, output *AssumeRoleWithWebIdentityOutput) {
363 op := &request.Operation{
364 Name: opAssumeRoleWithWebIdentity,
370 input = &AssumeRoleWithWebIdentityInput{}
373 req = c.newRequest(op, input, output)
374 output = &AssumeRoleWithWebIdentityOutput{}
379 // AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
381 // Returns a set of temporary security credentials for users who have been authenticated
382 // in a mobile or web application with a web identity provider, such as Amazon
383 // Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
384 // identity provider.
386 // For mobile applications, we recommend that you use Amazon Cognito. You can
387 // use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
388 // and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
389 // identify a user and supply the user with a consistent identity throughout
390 // the lifetime of an application.
392 // To learn more about Amazon Cognito, see Amazon Cognito Overview (http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
393 // in the AWS SDK for Android Developer Guide guide and Amazon Cognito Overview
394 // (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
395 // in the AWS SDK for iOS Developer Guide.
397 // Calling AssumeRoleWithWebIdentity does not require the use of AWS security
398 // credentials. Therefore, you can distribute an application (for example, on
399 // mobile devices) that requests temporary security credentials without including
400 // long-term AWS credentials in the application, and without deploying server-based
401 // proxy services that use long-term AWS credentials. Instead, the identity
402 // of the caller is validated by using a token from the web identity provider.
403 // For a comparison of AssumeRoleWithWebIdentity with the other APIs that produce
404 // temporary credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
405 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
406 // in the IAM User Guide.
408 // The temporary security credentials returned by this API consist of an access
409 // key ID, a secret access key, and a security token. Applications can use these
410 // temporary security credentials to sign calls to AWS service APIs.
412 // The credentials are valid for the duration that you specified when calling
413 // AssumeRoleWithWebIdentity, which can be from 900 seconds (15 minutes) to
414 // a maximum of 3600 seconds (1 hour). The default is 1 hour.
416 // The temporary security credentials created by AssumeRoleWithWebIdentity can
417 // be used to make API calls to any AWS service with the following exception:
418 // you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
420 // Optionally, you can pass an IAM access policy to this operation. If you choose
421 // not to pass a policy, the temporary security credentials that are returned
422 // by the operation have the permissions that are defined in the access policy
423 // of the role that is being assumed. If you pass a policy to this operation,
424 // the temporary security credentials that are returned by the operation have
425 // the permissions that are allowed by both the access policy of the role that
426 // is being assumed, and the policy that you pass. This gives you a way to further
427 // restrict the permissions for the resulting temporary security credentials.
428 // You cannot use the passed policy to grant permissions that are in excess
429 // of those allowed by the access policy of the role that is being assumed.
430 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
431 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
432 // in the IAM User Guide.
434 // Before your application can call AssumeRoleWithWebIdentity, you must have
435 // an identity token from a supported identity provider and create a role that
436 // the application can assume. The role that your application assumes must trust
437 // the identity provider that is associated with the identity token. In other
438 // words, the identity provider must be specified in the role's trust policy.
440 // Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
441 // logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
442 // of the provided Web Identity Token. We recommend that you avoid using any
443 // personally identifiable information (PII) in this field. For example, you
444 // could instead use a GUID or a pairwise identifier, as suggested in the OIDC
445 // specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
447 // For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
448 // API, see the following resources:
450 // * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual)
451 // and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
454 // * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
455 // This interactive website lets you walk through the process of authenticating
456 // via Login with Amazon, Facebook, or Google, getting temporary security
457 // credentials, and then using those credentials to make a request to AWS.
460 // * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
461 // (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
462 // apps that show how to invoke the identity providers, and then how to use
463 // the information from these providers to get and use temporary security
466 // * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313).
467 // This article discusses web identity federation and shows an example of
468 // how to use web identity federation to get access to content in Amazon
471 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
472 // with awserr.Error's Code and Message methods to get detailed information about
475 // See the AWS API reference guide for AWS Security Token Service's
476 // API operation AssumeRoleWithWebIdentity for usage and error information.
478 // Returned Error Codes:
479 // * MalformedPolicyDocument
480 // The request was rejected because the policy document was malformed. The error
481 // message describes the specific error.
483 // * PackedPolicyTooLarge
484 // The request was rejected because the policy document was too large. The error
485 // message describes how big the policy document is, in packed form, as a percentage
486 // of what the API allows.
488 // * IDPRejectedClaim
489 // The identity provider (IdP) reported that authentication failed. This might
490 // be because the claim is invalid.
492 // If this error is returned for the AssumeRoleWithWebIdentity operation, it
493 // can also mean that the claim has expired or has been explicitly revoked.
495 // * IDPCommunicationError
496 // The request could not be fulfilled because the non-AWS identity provider
497 // (IDP) that was asked to verify the incoming identity token could not be reached.
498 // This is often a transient error caused by network conditions. Retry the request
499 // a limited number of times so that you don't exceed the request rate. If the
500 // error persists, the non-AWS identity provider might be down or not responding.
502 // * InvalidIdentityToken
503 // The web identity token that was passed could not be validated by AWS. Get
504 // a new identity token from the identity provider and then retry the request.
506 // * ExpiredTokenException
507 // The web identity token that was passed is expired or is not valid. Get a
508 // new identity token from the identity provider and then retry the request.
510 // * RegionDisabledException
511 // STS is not activated in the requested region for the account that is being
512 // asked to generate credentials. The account administrator must use the IAM
513 // console to activate STS in that region. For more information, see Activating
514 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
515 // in the IAM User Guide.
517 func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
518 req, out := c.AssumeRoleWithWebIdentityRequest(input)
523 const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
525 // DecodeAuthorizationMessageRequest generates a "aws/request.Request" representing the
526 // client's request for the DecodeAuthorizationMessage operation. The "output" return
527 // value can be used to capture response data after the request's "Send" method
530 // See DecodeAuthorizationMessage for usage and error information.
532 // Creating a request object using this method should be used when you want to inject
533 // custom logic into the request's lifecycle using a custom handler, or if you want to
534 // access properties on the request object before or after sending the request. If
535 // you just want the service response, call the DecodeAuthorizationMessage method directly
538 // Note: You must call the "Send" method on the returned request object in order
539 // to execute the request.
541 // // Example sending a request using the DecodeAuthorizationMessageRequest method.
542 // req, resp := client.DecodeAuthorizationMessageRequest(params)
545 // if err == nil { // resp is now filled
549 func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessageInput) (req *request.Request, output *DecodeAuthorizationMessageOutput) {
550 op := &request.Operation{
551 Name: opDecodeAuthorizationMessage,
557 input = &DecodeAuthorizationMessageInput{}
560 req = c.newRequest(op, input, output)
561 output = &DecodeAuthorizationMessageOutput{}
566 // DecodeAuthorizationMessage API operation for AWS Security Token Service.
568 // Decodes additional information about the authorization status of a request
569 // from an encoded message returned in response to an AWS request.
571 // For example, if a user is not authorized to perform an action that he or
572 // she has requested, the request returns a Client.UnauthorizedOperation response
573 // (an HTTP 403 response). Some AWS actions additionally return an encoded message
574 // that can provide details about this authorization failure.
576 // Only certain AWS actions return an encoded authorization message. The documentation
577 // for an individual action indicates whether that action returns an encoded
578 // message in addition to returning an HTTP code.
580 // The message is encoded because the details of the authorization status can
581 // constitute privileged information that the user who requested the action
582 // should not see. To decode an authorization status message, a user must be
583 // granted permissions via an IAM policy to request the DecodeAuthorizationMessage
584 // (sts:DecodeAuthorizationMessage) action.
586 // The decoded message includes the following type of information:
588 // * Whether the request was denied due to an explicit deny or due to the
589 // absence of an explicit allow. For more information, see Determining Whether
590 // a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
591 // in the IAM User Guide.
593 // * The principal who made the request.
595 // * The requested action.
597 // * The requested resource.
599 // * The values of condition keys in the context of the user's request.
601 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
602 // with awserr.Error's Code and Message methods to get detailed information about
605 // See the AWS API reference guide for AWS Security Token Service's
606 // API operation DecodeAuthorizationMessage for usage and error information.
608 // Returned Error Codes:
609 // * InvalidAuthorizationMessageException
610 // The error returned if the message passed to DecodeAuthorizationMessage was
611 // invalid. This can happen if the token contains invalid characters, such as
614 func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
615 req, out := c.DecodeAuthorizationMessageRequest(input)
620 const opGetCallerIdentity = "GetCallerIdentity"
622 // GetCallerIdentityRequest generates a "aws/request.Request" representing the
623 // client's request for the GetCallerIdentity operation. The "output" return
624 // value can be used to capture response data after the request's "Send" method
627 // See GetCallerIdentity for usage and error information.
629 // Creating a request object using this method should be used when you want to inject
630 // custom logic into the request's lifecycle using a custom handler, or if you want to
631 // access properties on the request object before or after sending the request. If
632 // you just want the service response, call the GetCallerIdentity method directly
635 // Note: You must call the "Send" method on the returned request object in order
636 // to execute the request.
638 // // Example sending a request using the GetCallerIdentityRequest method.
639 // req, resp := client.GetCallerIdentityRequest(params)
642 // if err == nil { // resp is now filled
646 func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *request.Request, output *GetCallerIdentityOutput) {
647 op := &request.Operation{
648 Name: opGetCallerIdentity,
654 input = &GetCallerIdentityInput{}
657 req = c.newRequest(op, input, output)
658 output = &GetCallerIdentityOutput{}
663 // GetCallerIdentity API operation for AWS Security Token Service.
665 // Returns details about the IAM identity whose credentials are used to call
668 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
669 // with awserr.Error's Code and Message methods to get detailed information about
672 // See the AWS API reference guide for AWS Security Token Service's
673 // API operation GetCallerIdentity for usage and error information.
674 func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
675 req, out := c.GetCallerIdentityRequest(input)
680 const opGetFederationToken = "GetFederationToken"
682 // GetFederationTokenRequest generates a "aws/request.Request" representing the
683 // client's request for the GetFederationToken operation. The "output" return
684 // value can be used to capture response data after the request's "Send" method
687 // See GetFederationToken for usage and error information.
689 // Creating a request object using this method should be used when you want to inject
690 // custom logic into the request's lifecycle using a custom handler, or if you want to
691 // access properties on the request object before or after sending the request. If
692 // you just want the service response, call the GetFederationToken method directly
695 // Note: You must call the "Send" method on the returned request object in order
696 // to execute the request.
698 // // Example sending a request using the GetFederationTokenRequest method.
699 // req, resp := client.GetFederationTokenRequest(params)
702 // if err == nil { // resp is now filled
706 func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *request.Request, output *GetFederationTokenOutput) {
707 op := &request.Operation{
708 Name: opGetFederationToken,
714 input = &GetFederationTokenInput{}
717 req = c.newRequest(op, input, output)
718 output = &GetFederationTokenOutput{}
723 // GetFederationToken API operation for AWS Security Token Service.
725 // Returns a set of temporary security credentials (consisting of an access
726 // key ID, a secret access key, and a security token) for a federated user.
727 // A typical use is in a proxy application that gets temporary security credentials
728 // on behalf of distributed applications inside a corporate network. Because
729 // you must call the GetFederationToken action using the long-term security
730 // credentials of an IAM user, this call is appropriate in contexts where those
731 // credentials can be safely stored, usually in a server-based application.
732 // For a comparison of GetFederationToken with the other APIs that produce temporary
733 // credentials, see Requesting Temporary Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
734 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
735 // in the IAM User Guide.
737 // If you are creating a mobile-based or browser-based app that can authenticate
738 // users using a web identity provider like Login with Amazon, Facebook, Google,
739 // or an OpenID Connect-compatible identity provider, we recommend that you
740 // use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
741 // For more information, see Federation Through a Web-based Identity Provider
742 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
744 // The GetFederationToken action must be called by using the long-term AWS security
745 // credentials of an IAM user. You can also call GetFederationToken using the
746 // security credentials of an AWS root account, but we do not recommended it.
747 // Instead, we recommend that you create an IAM user for the purpose of the
748 // proxy application and then attach a policy to the IAM user that limits federated
749 // users to only the actions and resources that they need access to. For more
750 // information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
751 // in the IAM User Guide.
753 // The temporary security credentials that are obtained by using the long-term
754 // credentials of an IAM user are valid for the specified duration, from 900
755 // seconds (15 minutes) up to a maximium of 129600 seconds (36 hours). The default
756 // is 43200 seconds (12 hours). Temporary credentials that are obtained by using
757 // AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
759 // The temporary security credentials created by GetFederationToken can be used
760 // to make API calls to any AWS service with the following exceptions:
762 // * You cannot use these credentials to call any IAM APIs.
764 // * You cannot call any STS APIs.
768 // The permissions for the temporary security credentials returned by GetFederationToken
769 // are determined by a combination of the following:
771 // * The policy or policies that are attached to the IAM user whose credentials
772 // are used to call GetFederationToken.
774 // * The policy that is passed as a parameter in the call.
776 // The passed policy is attached to the temporary security credentials that
777 // result from the GetFederationToken API call--that is, to the federated user.
778 // When the federated user makes an AWS request, AWS evaluates the policy attached
779 // to the federated user in combination with the policy or policies attached
780 // to the IAM user whose credentials were used to call GetFederationToken. AWS
781 // allows the federated user's request only when both the federated user and
782 // the IAM user are explicitly allowed to perform the requested action. The
783 // passed policy cannot grant more permissions than those that are defined in
784 // the IAM user policy.
786 // A typical use case is that the permissions of the IAM user whose credentials
787 // are used to call GetFederationToken are designed to allow access to all the
788 // actions and resources that any federated user will need. Then, for individual
789 // users, you pass a policy to the operation that scopes down the permissions
790 // to a level that's appropriate to that individual user, using a policy that
791 // allows only a subset of permissions that are granted to the IAM user.
793 // If you do not pass a policy, the resulting temporary security credentials
794 // have no effective permissions. The only exception is when the temporary security
795 // credentials are used to access a resource that has a resource-based policy
796 // that specifically allows the federated user to access the resource.
798 // For more information about how permissions work, see Permissions for GetFederationToken
799 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
800 // For information about using GetFederationToken to create temporary security
801 // credentials, see GetFederationToken—Federation Through a Custom Identity
802 // Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
804 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
805 // with awserr.Error's Code and Message methods to get detailed information about
808 // See the AWS API reference guide for AWS Security Token Service's
809 // API operation GetFederationToken for usage and error information.
811 // Returned Error Codes:
812 // * MalformedPolicyDocument
813 // The request was rejected because the policy document was malformed. The error
814 // message describes the specific error.
816 // * PackedPolicyTooLarge
817 // The request was rejected because the policy document was too large. The error
818 // message describes how big the policy document is, in packed form, as a percentage
819 // of what the API allows.
821 // * RegionDisabledException
822 // STS is not activated in the requested region for the account that is being
823 // asked to generate credentials. The account administrator must use the IAM
824 // console to activate STS in that region. For more information, see Activating
825 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
826 // in the IAM User Guide.
828 func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
829 req, out := c.GetFederationTokenRequest(input)
834 const opGetSessionToken = "GetSessionToken"
836 // GetSessionTokenRequest generates a "aws/request.Request" representing the
837 // client's request for the GetSessionToken operation. The "output" return
838 // value can be used to capture response data after the request's "Send" method
841 // See GetSessionToken for usage and error information.
843 // Creating a request object using this method should be used when you want to inject
844 // custom logic into the request's lifecycle using a custom handler, or if you want to
845 // access properties on the request object before or after sending the request. If
846 // you just want the service response, call the GetSessionToken method directly
849 // Note: You must call the "Send" method on the returned request object in order
850 // to execute the request.
852 // // Example sending a request using the GetSessionTokenRequest method.
853 // req, resp := client.GetSessionTokenRequest(params)
856 // if err == nil { // resp is now filled
860 func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.Request, output *GetSessionTokenOutput) {
861 op := &request.Operation{
862 Name: opGetSessionToken,
868 input = &GetSessionTokenInput{}
871 req = c.newRequest(op, input, output)
872 output = &GetSessionTokenOutput{}
877 // GetSessionToken API operation for AWS Security Token Service.
879 // Returns a set of temporary credentials for an AWS account or IAM user. The
880 // credentials consist of an access key ID, a secret access key, and a security
881 // token. Typically, you use GetSessionToken if you want to use MFA to protect
882 // programmatic calls to specific AWS APIs like Amazon EC2 StopInstances. MFA-enabled
883 // IAM users would need to call GetSessionToken and submit an MFA code that
884 // is associated with their MFA device. Using the temporary security credentials
885 // that are returned from the call, IAM users can then make programmatic calls
886 // to APIs that require MFA authentication. If you do not supply a correct MFA
887 // code, then the API returns an access denied error. For a comparison of GetSessionToken
888 // with the other APIs that produce temporary credentials, see Requesting Temporary
889 // Security Credentials (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
890 // and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
891 // in the IAM User Guide.
893 // The GetSessionToken action must be called by using the long-term AWS security
894 // credentials of the AWS account or an IAM user. Credentials that are created
895 // by IAM users are valid for the duration that you specify, from 900 seconds
896 // (15 minutes) up to a maximum of 129600 seconds (36 hours), with a default
897 // of 43200 seconds (12 hours); credentials that are created by using account
898 // credentials can range from 900 seconds (15 minutes) up to a maximum of 3600
899 // seconds (1 hour), with a default of 1 hour.
901 // The temporary security credentials created by GetSessionToken can be used
902 // to make API calls to any AWS service with the following exceptions:
904 // * You cannot call any IAM APIs unless MFA authentication information is
905 // included in the request.
907 // * You cannot call any STS API exceptAssumeRole.
909 // We recommend that you do not call GetSessionToken with root account credentials.
910 // Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
911 // by creating one or more IAM users, giving them the necessary permissions,
912 // and using IAM users for everyday interaction with AWS.
914 // The permissions associated with the temporary security credentials returned
915 // by GetSessionToken are based on the permissions associated with account or
916 // IAM user whose credentials are used to call the action. If GetSessionToken
917 // is called using root account credentials, the temporary credentials have
918 // root account permissions. Similarly, if GetSessionToken is called using the
919 // credentials of an IAM user, the temporary credentials have the same permissions
922 // For more information about using GetSessionToken to create temporary credentials,
923 // go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
924 // in the IAM User Guide.
926 // Returns awserr.Error for service API and SDK errors. Use runtime type assertions
927 // with awserr.Error's Code and Message methods to get detailed information about
930 // See the AWS API reference guide for AWS Security Token Service's
931 // API operation GetSessionToken for usage and error information.
933 // Returned Error Codes:
934 // * RegionDisabledException
935 // STS is not activated in the requested region for the account that is being
936 // asked to generate credentials. The account administrator must use the IAM
937 // console to activate STS in that region. For more information, see Activating
938 // and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
939 // in the IAM User Guide.
941 func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
942 req, out := c.GetSessionTokenRequest(input)
947 type AssumeRoleInput struct {
948 _ struct{} `type:"structure"`
950 // The duration, in seconds, of the role session. The value can range from 900
951 // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
954 // This is separate from the duration of a console session that you might request
955 // using the returned credentials. The request to the federation endpoint for
956 // a console sign-in token takes a SessionDuration parameter that specifies
957 // the maximum length of the console session, separately from the DurationSeconds
958 // parameter on this API. For more information, see Creating a URL that Enables
959 // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
960 // in the IAM User Guide.
961 DurationSeconds *int64 `min:"900" type:"integer"`
963 // A unique identifier that is used by third parties when assuming roles in
964 // their customers' accounts. For each role that the third party can assume,
965 // they should instruct their customers to ensure the role's trust policy checks
966 // for the external ID that the third party generated. Each time the third party
967 // assumes the role, they should pass the customer's external ID. The external
968 // ID is useful in order to help third parties bind a role to the customer who
969 // created it. For more information about the external ID, see How to Use an
970 // External ID When Granting Access to Your AWS Resources to a Third Party (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html)
971 // in the IAM User Guide.
973 // The format for this parameter, as described by its regex pattern, is a string
974 // of characters consisting of upper- and lower-case alphanumeric characters
975 // with no spaces. You can also include underscores or any of the following
976 // characters: =,.@:\/-
977 ExternalId *string `min:"2" type:"string"`
979 // An IAM policy in JSON format.
981 // This parameter is optional. If you pass a policy, the temporary security
982 // credentials that are returned by the operation have the permissions that
983 // are allowed by both (the intersection of) the access policy of the role that
984 // is being assumed, and the policy that you pass. This gives you a way to further
985 // restrict the permissions for the resulting temporary security credentials.
986 // You cannot use the passed policy to grant permissions that are in excess
987 // of those allowed by the access policy of the role that is being assumed.
988 // For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
989 // and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
990 // in the IAM User Guide.
992 // The format for this parameter, as described by its regex pattern, is a string
993 // of characters up to 2048 characters in length. The characters can be any
994 // ASCII character from the space character to the end of the valid character
995 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
996 // and carriage return (\u000D) characters.
998 // The policy plain text must be 2048 bytes or shorter. However, an internal
999 // conversion compresses it into a packed binary format with a separate limit.
1000 // The PackedPolicySize response element indicates by percentage how close to
1001 // the upper size limit the policy is, with 100% equaling the maximum allowed
1003 Policy *string `min:"1" type:"string"`
1005 // The Amazon Resource Name (ARN) of the role to assume.
1007 // RoleArn is a required field
1008 RoleArn *string `min:"20" type:"string" required:"true"`
1010 // An identifier for the assumed role session.
1012 // Use the role session name to uniquely identify a session when the same role
1013 // is assumed by different principals or for different reasons. In cross-account
1014 // scenarios, the role session name is visible to, and can be logged by the
1015 // account that owns the role. The role session name is also used in the ARN
1016 // of the assumed role principal. This means that subsequent cross-account API
1017 // requests using the temporary security credentials will expose the role session
1018 // name to the external account in their CloudTrail logs.
1020 // The format for this parameter, as described by its regex pattern, is a string
1021 // of characters consisting of upper- and lower-case alphanumeric characters
1022 // with no spaces. You can also include underscores or any of the following
1023 // characters: =,.@-
1025 // RoleSessionName is a required field
1026 RoleSessionName *string `min:"2" type:"string" required:"true"`
1028 // The identification number of the MFA device that is associated with the user
1029 // who is making the AssumeRole call. Specify this value if the trust policy
1030 // of the role being assumed includes a condition that requires MFA authentication.
1031 // The value is either the serial number for a hardware device (such as GAHT12345678)
1032 // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
1034 // The format for this parameter, as described by its regex pattern, is a string
1035 // of characters consisting of upper- and lower-case alphanumeric characters
1036 // with no spaces. You can also include underscores or any of the following
1037 // characters: =,.@-
1038 SerialNumber *string `min:"9" type:"string"`
1040 // The value provided by the MFA device, if the trust policy of the role being
1041 // assumed requires MFA (that is, if the policy includes a condition that tests
1042 // for MFA). If the role being assumed requires MFA and if the TokenCode value
1043 // is missing or expired, the AssumeRole call returns an "access denied" error.
1045 // The format for this parameter, as described by its regex pattern, is a sequence
1046 // of six numeric digits.
1047 TokenCode *string `min:"6" type:"string"`
1050 // String returns the string representation
1051 func (s AssumeRoleInput) String() string {
1052 return awsutil.Prettify(s)
1055 // GoString returns the string representation
1056 func (s AssumeRoleInput) GoString() string {
1060 // Validate inspects the fields of the type to determine if they are valid.
1061 func (s *AssumeRoleInput) Validate() error {
1062 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleInput"}
1063 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1064 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1066 if s.ExternalId != nil && len(*s.ExternalId) < 2 {
1067 invalidParams.Add(request.NewErrParamMinLen("ExternalId", 2))
1069 if s.Policy != nil && len(*s.Policy) < 1 {
1070 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1072 if s.RoleArn == nil {
1073 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1075 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1076 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1078 if s.RoleSessionName == nil {
1079 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1081 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1082 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1084 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
1085 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
1087 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
1088 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
1091 if invalidParams.Len() > 0 {
1092 return invalidParams
1097 // Contains the response to a successful AssumeRole request, including temporary
1098 // AWS credentials that can be used to make AWS requests.
1099 type AssumeRoleOutput struct {
1100 _ struct{} `type:"structure"`
1102 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1103 // that you can use to refer to the resulting temporary security credentials.
1104 // For example, you can reference these credentials as a principal in a resource-based
1105 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1106 // that you specified when you called AssumeRole.
1107 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1109 // The temporary security credentials, which include an access key ID, a secret
1110 // access key, and a security (or session) token.
1112 // Note: The size of the security token that STS APIs return is not fixed. We
1113 // strongly recommend that you make no assumptions about the maximum size. As
1114 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1115 // Also, future updates to AWS might require larger sizes.
1116 Credentials *Credentials `type:"structure"`
1118 // A percentage value that indicates the size of the policy in packed form.
1119 // The service rejects any policy with a packed size greater than 100 percent,
1120 // which means the policy exceeded the allowed space.
1121 PackedPolicySize *int64 `type:"integer"`
1124 // String returns the string representation
1125 func (s AssumeRoleOutput) String() string {
1126 return awsutil.Prettify(s)
1129 // GoString returns the string representation
1130 func (s AssumeRoleOutput) GoString() string {
1134 type AssumeRoleWithSAMLInput struct {
1135 _ struct{} `type:"structure"`
1137 // The duration, in seconds, of the role session. The value can range from 900
1138 // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
1139 // to 3600 seconds. An expiration can also be specified in the SAML authentication
1140 // response's SessionNotOnOrAfter value. The actual expiration time is whichever
1141 // value is shorter.
1143 // This is separate from the duration of a console session that you might request
1144 // using the returned credentials. The request to the federation endpoint for
1145 // a console sign-in token takes a SessionDuration parameter that specifies
1146 // the maximum length of the console session, separately from the DurationSeconds
1147 // parameter on this API. For more information, see Enabling SAML 2.0 Federated
1148 // Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
1149 // in the IAM User Guide.
1150 DurationSeconds *int64 `min:"900" type:"integer"`
1152 // An IAM policy in JSON format.
1154 // The policy parameter is optional. If you pass a policy, the temporary security
1155 // credentials that are returned by the operation have the permissions that
1156 // are allowed by both the access policy of the role that is being assumed,
1157 // and the policy that you pass. This gives you a way to further restrict the
1158 // permissions for the resulting temporary security credentials. You cannot
1159 // use the passed policy to grant permissions that are in excess of those allowed
1160 // by the access policy of the role that is being assumed. For more information,
1161 // Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
1162 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1163 // in the IAM User Guide.
1165 // The format for this parameter, as described by its regex pattern, is a string
1166 // of characters up to 2048 characters in length. The characters can be any
1167 // ASCII character from the space character to the end of the valid character
1168 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1169 // and carriage return (\u000D) characters.
1171 // The policy plain text must be 2048 bytes or shorter. However, an internal
1172 // conversion compresses it into a packed binary format with a separate limit.
1173 // The PackedPolicySize response element indicates by percentage how close to
1174 // the upper size limit the policy is, with 100% equaling the maximum allowed
1176 Policy *string `min:"1" type:"string"`
1178 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes
1181 // PrincipalArn is a required field
1182 PrincipalArn *string `min:"20" type:"string" required:"true"`
1184 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1186 // RoleArn is a required field
1187 RoleArn *string `min:"20" type:"string" required:"true"`
1189 // The base-64 encoded SAML authentication response provided by the IdP.
1191 // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
1192 // in the Using IAM guide.
1194 // SAMLAssertion is a required field
1195 SAMLAssertion *string `min:"4" type:"string" required:"true"`
1198 // String returns the string representation
1199 func (s AssumeRoleWithSAMLInput) String() string {
1200 return awsutil.Prettify(s)
1203 // GoString returns the string representation
1204 func (s AssumeRoleWithSAMLInput) GoString() string {
1208 // Validate inspects the fields of the type to determine if they are valid.
1209 func (s *AssumeRoleWithSAMLInput) Validate() error {
1210 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithSAMLInput"}
1211 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1212 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1214 if s.Policy != nil && len(*s.Policy) < 1 {
1215 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1217 if s.PrincipalArn == nil {
1218 invalidParams.Add(request.NewErrParamRequired("PrincipalArn"))
1220 if s.PrincipalArn != nil && len(*s.PrincipalArn) < 20 {
1221 invalidParams.Add(request.NewErrParamMinLen("PrincipalArn", 20))
1223 if s.RoleArn == nil {
1224 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1226 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1227 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1229 if s.SAMLAssertion == nil {
1230 invalidParams.Add(request.NewErrParamRequired("SAMLAssertion"))
1232 if s.SAMLAssertion != nil && len(*s.SAMLAssertion) < 4 {
1233 invalidParams.Add(request.NewErrParamMinLen("SAMLAssertion", 4))
1236 if invalidParams.Len() > 0 {
1237 return invalidParams
1242 // Contains the response to a successful AssumeRoleWithSAML request, including
1243 // temporary AWS credentials that can be used to make AWS requests.
1244 type AssumeRoleWithSAMLOutput struct {
1245 _ struct{} `type:"structure"`
1247 // The identifiers for the temporary security credentials that the operation
1249 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1251 // The value of the Recipient attribute of the SubjectConfirmationData element
1252 // of the SAML assertion.
1253 Audience *string `type:"string"`
1255 // The temporary security credentials, which include an access key ID, a secret
1256 // access key, and a security (or session) token.
1258 // Note: The size of the security token that STS APIs return is not fixed. We
1259 // strongly recommend that you make no assumptions about the maximum size. As
1260 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1261 // Also, future updates to AWS might require larger sizes.
1262 Credentials *Credentials `type:"structure"`
1264 // The value of the Issuer element of the SAML assertion.
1265 Issuer *string `type:"string"`
1267 // A hash value based on the concatenation of the Issuer response value, the
1268 // AWS account ID, and the friendly name (the last part of the ARN) of the SAML
1269 // provider in IAM. The combination of NameQualifier and Subject can be used
1270 // to uniquely identify a federated user.
1272 // The following pseudocode shows how the hash value is calculated:
1274 // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
1276 NameQualifier *string `type:"string"`
1278 // A percentage value that indicates the size of the policy in packed form.
1279 // The service rejects any policy with a packed size greater than 100 percent,
1280 // which means the policy exceeded the allowed space.
1281 PackedPolicySize *int64 `type:"integer"`
1283 // The value of the NameID element in the Subject element of the SAML assertion.
1284 Subject *string `type:"string"`
1286 // The format of the name ID, as defined by the Format attribute in the NameID
1287 // element of the SAML assertion. Typical examples of the format are transient
1290 // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
1291 // that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
1292 // is returned as transient. If the format includes any other prefix, the format
1293 // is returned with no modifications.
1294 SubjectType *string `type:"string"`
1297 // String returns the string representation
1298 func (s AssumeRoleWithSAMLOutput) String() string {
1299 return awsutil.Prettify(s)
1302 // GoString returns the string representation
1303 func (s AssumeRoleWithSAMLOutput) GoString() string {
1307 type AssumeRoleWithWebIdentityInput struct {
1308 _ struct{} `type:"structure"`
1310 // The duration, in seconds, of the role session. The value can range from 900
1311 // seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
1314 // This is separate from the duration of a console session that you might request
1315 // using the returned credentials. The request to the federation endpoint for
1316 // a console sign-in token takes a SessionDuration parameter that specifies
1317 // the maximum length of the console session, separately from the DurationSeconds
1318 // parameter on this API. For more information, see Creating a URL that Enables
1319 // Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
1320 // in the IAM User Guide.
1321 DurationSeconds *int64 `min:"900" type:"integer"`
1323 // An IAM policy in JSON format.
1325 // The policy parameter is optional. If you pass a policy, the temporary security
1326 // credentials that are returned by the operation have the permissions that
1327 // are allowed by both the access policy of the role that is being assumed,
1328 // and the policy that you pass. This gives you a way to further restrict the
1329 // permissions for the resulting temporary security credentials. You cannot
1330 // use the passed policy to grant permissions that are in excess of those allowed
1331 // by the access policy of the role that is being assumed. For more information,
1332 // see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
1333 // in the IAM User Guide.
1335 // The format for this parameter, as described by its regex pattern, is a string
1336 // of characters up to 2048 characters in length. The characters can be any
1337 // ASCII character from the space character to the end of the valid character
1338 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1339 // and carriage return (\u000D) characters.
1341 // The policy plain text must be 2048 bytes or shorter. However, an internal
1342 // conversion compresses it into a packed binary format with a separate limit.
1343 // The PackedPolicySize response element indicates by percentage how close to
1344 // the upper size limit the policy is, with 100% equaling the maximum allowed
1346 Policy *string `min:"1" type:"string"`
1348 // The fully qualified host component of the domain name of the identity provider.
1350 // Specify this value only for OAuth 2.0 access tokens. Currently www.amazon.com
1351 // and graph.facebook.com are the only supported identity providers for OAuth
1352 // 2.0 access tokens. Do not include URL schemes and port numbers.
1354 // Do not specify this value for OpenID Connect ID tokens.
1355 ProviderId *string `min:"4" type:"string"`
1357 // The Amazon Resource Name (ARN) of the role that the caller is assuming.
1359 // RoleArn is a required field
1360 RoleArn *string `min:"20" type:"string" required:"true"`
1362 // An identifier for the assumed role session. Typically, you pass the name
1363 // or identifier that is associated with the user who is using your application.
1364 // That way, the temporary security credentials that your application will use
1365 // are associated with that user. This session name is included as part of the
1366 // ARN and assumed role ID in the AssumedRoleUser response element.
1368 // The format for this parameter, as described by its regex pattern, is a string
1369 // of characters consisting of upper- and lower-case alphanumeric characters
1370 // with no spaces. You can also include underscores or any of the following
1371 // characters: =,.@-
1373 // RoleSessionName is a required field
1374 RoleSessionName *string `min:"2" type:"string" required:"true"`
1376 // The OAuth 2.0 access token or OpenID Connect ID token that is provided by
1377 // the identity provider. Your application must get this token by authenticating
1378 // the user who is using your application with a web identity provider before
1379 // the application makes an AssumeRoleWithWebIdentity call.
1381 // WebIdentityToken is a required field
1382 WebIdentityToken *string `min:"4" type:"string" required:"true"`
1385 // String returns the string representation
1386 func (s AssumeRoleWithWebIdentityInput) String() string {
1387 return awsutil.Prettify(s)
1390 // GoString returns the string representation
1391 func (s AssumeRoleWithWebIdentityInput) GoString() string {
1395 // Validate inspects the fields of the type to determine if they are valid.
1396 func (s *AssumeRoleWithWebIdentityInput) Validate() error {
1397 invalidParams := request.ErrInvalidParams{Context: "AssumeRoleWithWebIdentityInput"}
1398 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1399 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1401 if s.Policy != nil && len(*s.Policy) < 1 {
1402 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1404 if s.ProviderId != nil && len(*s.ProviderId) < 4 {
1405 invalidParams.Add(request.NewErrParamMinLen("ProviderId", 4))
1407 if s.RoleArn == nil {
1408 invalidParams.Add(request.NewErrParamRequired("RoleArn"))
1410 if s.RoleArn != nil && len(*s.RoleArn) < 20 {
1411 invalidParams.Add(request.NewErrParamMinLen("RoleArn", 20))
1413 if s.RoleSessionName == nil {
1414 invalidParams.Add(request.NewErrParamRequired("RoleSessionName"))
1416 if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 {
1417 invalidParams.Add(request.NewErrParamMinLen("RoleSessionName", 2))
1419 if s.WebIdentityToken == nil {
1420 invalidParams.Add(request.NewErrParamRequired("WebIdentityToken"))
1422 if s.WebIdentityToken != nil && len(*s.WebIdentityToken) < 4 {
1423 invalidParams.Add(request.NewErrParamMinLen("WebIdentityToken", 4))
1426 if invalidParams.Len() > 0 {
1427 return invalidParams
1432 // Contains the response to a successful AssumeRoleWithWebIdentity request,
1433 // including temporary AWS credentials that can be used to make AWS requests.
1434 type AssumeRoleWithWebIdentityOutput struct {
1435 _ struct{} `type:"structure"`
1437 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
1438 // that you can use to refer to the resulting temporary security credentials.
1439 // For example, you can reference these credentials as a principal in a resource-based
1440 // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName
1441 // that you specified when you called AssumeRole.
1442 AssumedRoleUser *AssumedRoleUser `type:"structure"`
1444 // The intended audience (also known as client ID) of the web identity token.
1445 // This is traditionally the client identifier issued to the application that
1446 // requested the web identity token.
1447 Audience *string `type:"string"`
1449 // The temporary security credentials, which include an access key ID, a secret
1450 // access key, and a security token.
1452 // Note: The size of the security token that STS APIs return is not fixed. We
1453 // strongly recommend that you make no assumptions about the maximum size. As
1454 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1455 // Also, future updates to AWS might require larger sizes.
1456 Credentials *Credentials `type:"structure"`
1458 // A percentage value that indicates the size of the policy in packed form.
1459 // The service rejects any policy with a packed size greater than 100 percent,
1460 // which means the policy exceeded the allowed space.
1461 PackedPolicySize *int64 `type:"integer"`
1463 // The issuing authority of the web identity token presented. For OpenID Connect
1464 // ID Tokens this contains the value of the iss field. For OAuth 2.0 access
1465 // tokens, this contains the value of the ProviderId parameter that was passed
1466 // in the AssumeRoleWithWebIdentity request.
1467 Provider *string `type:"string"`
1469 // The unique user identifier that is returned by the identity provider. This
1470 // identifier is associated with the WebIdentityToken that was submitted with
1471 // the AssumeRoleWithWebIdentity call. The identifier is typically unique to
1472 // the user and the application that acquired the WebIdentityToken (pairwise
1473 // identifier). For OpenID Connect ID tokens, this field contains the value
1474 // returned by the identity provider as the token's sub (Subject) claim.
1475 SubjectFromWebIdentityToken *string `min:"6" type:"string"`
1478 // String returns the string representation
1479 func (s AssumeRoleWithWebIdentityOutput) String() string {
1480 return awsutil.Prettify(s)
1483 // GoString returns the string representation
1484 func (s AssumeRoleWithWebIdentityOutput) GoString() string {
1488 // The identifiers for the temporary security credentials that the operation
1490 type AssumedRoleUser struct {
1491 _ struct{} `type:"structure"`
1493 // The ARN of the temporary security credentials that are returned from the
1494 // AssumeRole action. For more information about ARNs and how to use them in
1495 // policies, see IAM Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
1498 // Arn is a required field
1499 Arn *string `min:"20" type:"string" required:"true"`
1501 // A unique identifier that contains the role ID and the role session name of
1502 // the role that is being assumed. The role ID is generated by AWS when the
1505 // AssumedRoleId is a required field
1506 AssumedRoleId *string `min:"2" type:"string" required:"true"`
1509 // String returns the string representation
1510 func (s AssumedRoleUser) String() string {
1511 return awsutil.Prettify(s)
1514 // GoString returns the string representation
1515 func (s AssumedRoleUser) GoString() string {
1519 // AWS credentials for API authentication.
1520 type Credentials struct {
1521 _ struct{} `type:"structure"`
1523 // The access key ID that identifies the temporary security credentials.
1525 // AccessKeyId is a required field
1526 AccessKeyId *string `min:"16" type:"string" required:"true"`
1528 // The date on which the current credentials expire.
1530 // Expiration is a required field
1531 Expiration *time.Time `type:"timestamp" timestampFormat:"iso8601" required:"true"`
1533 // The secret access key that can be used to sign requests.
1535 // SecretAccessKey is a required field
1536 SecretAccessKey *string `type:"string" required:"true"`
1538 // The token that users must pass to the service API to use the temporary credentials.
1540 // SessionToken is a required field
1541 SessionToken *string `type:"string" required:"true"`
1544 // String returns the string representation
1545 func (s Credentials) String() string {
1546 return awsutil.Prettify(s)
1549 // GoString returns the string representation
1550 func (s Credentials) GoString() string {
1554 type DecodeAuthorizationMessageInput struct {
1555 _ struct{} `type:"structure"`
1557 // The encoded message that was returned with the response.
1559 // EncodedMessage is a required field
1560 EncodedMessage *string `min:"1" type:"string" required:"true"`
1563 // String returns the string representation
1564 func (s DecodeAuthorizationMessageInput) String() string {
1565 return awsutil.Prettify(s)
1568 // GoString returns the string representation
1569 func (s DecodeAuthorizationMessageInput) GoString() string {
1573 // Validate inspects the fields of the type to determine if they are valid.
1574 func (s *DecodeAuthorizationMessageInput) Validate() error {
1575 invalidParams := request.ErrInvalidParams{Context: "DecodeAuthorizationMessageInput"}
1576 if s.EncodedMessage == nil {
1577 invalidParams.Add(request.NewErrParamRequired("EncodedMessage"))
1579 if s.EncodedMessage != nil && len(*s.EncodedMessage) < 1 {
1580 invalidParams.Add(request.NewErrParamMinLen("EncodedMessage", 1))
1583 if invalidParams.Len() > 0 {
1584 return invalidParams
1589 // A document that contains additional information about the authorization status
1590 // of a request from an encoded message that is returned in response to an AWS
1592 type DecodeAuthorizationMessageOutput struct {
1593 _ struct{} `type:"structure"`
1595 // An XML document that contains the decoded message.
1596 DecodedMessage *string `type:"string"`
1599 // String returns the string representation
1600 func (s DecodeAuthorizationMessageOutput) String() string {
1601 return awsutil.Prettify(s)
1604 // GoString returns the string representation
1605 func (s DecodeAuthorizationMessageOutput) GoString() string {
1609 // Identifiers for the federated user that is associated with the credentials.
1610 type FederatedUser struct {
1611 _ struct{} `type:"structure"`
1613 // The ARN that specifies the federated user that is associated with the credentials.
1614 // For more information about ARNs and how to use them in policies, see IAM
1615 // Identifiers (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html)
1618 // Arn is a required field
1619 Arn *string `min:"20" type:"string" required:"true"`
1621 // The string that identifies the federated user associated with the credentials,
1622 // similar to the unique ID of an IAM user.
1624 // FederatedUserId is a required field
1625 FederatedUserId *string `min:"2" type:"string" required:"true"`
1628 // String returns the string representation
1629 func (s FederatedUser) String() string {
1630 return awsutil.Prettify(s)
1633 // GoString returns the string representation
1634 func (s FederatedUser) GoString() string {
1638 type GetCallerIdentityInput struct {
1639 _ struct{} `type:"structure"`
1642 // String returns the string representation
1643 func (s GetCallerIdentityInput) String() string {
1644 return awsutil.Prettify(s)
1647 // GoString returns the string representation
1648 func (s GetCallerIdentityInput) GoString() string {
1652 // Contains the response to a successful GetCallerIdentity request, including
1653 // information about the entity making the request.
1654 type GetCallerIdentityOutput struct {
1655 _ struct{} `type:"structure"`
1657 // The AWS account ID number of the account that owns or contains the calling
1659 Account *string `type:"string"`
1661 // The AWS ARN associated with the calling entity.
1662 Arn *string `min:"20" type:"string"`
1664 // The unique identifier of the calling entity. The exact value depends on the
1665 // type of entity making the call. The values returned are those listed in the
1666 // aws:userid column in the Principal table (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable)
1667 // found on the Policy Variables reference page in the IAM User Guide.
1668 UserId *string `type:"string"`
1671 // String returns the string representation
1672 func (s GetCallerIdentityOutput) String() string {
1673 return awsutil.Prettify(s)
1676 // GoString returns the string representation
1677 func (s GetCallerIdentityOutput) GoString() string {
1681 type GetFederationTokenInput struct {
1682 _ struct{} `type:"structure"`
1684 // The duration, in seconds, that the session should last. Acceptable durations
1685 // for federation sessions range from 900 seconds (15 minutes) to 129600 seconds
1686 // (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained
1687 // using AWS account (root) credentials are restricted to a maximum of 3600
1688 // seconds (one hour). If the specified duration is longer than one hour, the
1689 // session obtained by using AWS account (root) credentials defaults to one
1691 DurationSeconds *int64 `min:"900" type:"integer"`
1693 // The name of the federated user. The name is used as an identifier for the
1694 // temporary security credentials (such as Bob). For example, you can reference
1695 // the federated user name in a resource-based policy, such as in an Amazon
1696 // S3 bucket policy.
1698 // The format for this parameter, as described by its regex pattern, is a string
1699 // of characters consisting of upper- and lower-case alphanumeric characters
1700 // with no spaces. You can also include underscores or any of the following
1701 // characters: =,.@-
1703 // Name is a required field
1704 Name *string `min:"2" type:"string" required:"true"`
1706 // An IAM policy in JSON format that is passed with the GetFederationToken call
1707 // and evaluated along with the policy or policies that are attached to the
1708 // IAM user whose credentials are used to call GetFederationToken. The passed
1709 // policy is used to scope down the permissions that are available to the IAM
1710 // user, by allowing only a subset of the permissions that are granted to the
1711 // IAM user. The passed policy cannot grant more permissions than those granted
1712 // to the IAM user. The final permissions for the federated user are the most
1713 // restrictive set based on the intersection of the passed policy and the IAM
1716 // If you do not pass a policy, the resulting temporary security credentials
1717 // have no effective permissions. The only exception is when the temporary security
1718 // credentials are used to access a resource that has a resource-based policy
1719 // that specifically allows the federated user to access the resource.
1721 // The format for this parameter, as described by its regex pattern, is a string
1722 // of characters up to 2048 characters in length. The characters can be any
1723 // ASCII character from the space character to the end of the valid character
1724 // list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
1725 // and carriage return (\u000D) characters.
1727 // The policy plain text must be 2048 bytes or shorter. However, an internal
1728 // conversion compresses it into a packed binary format with a separate limit.
1729 // The PackedPolicySize response element indicates by percentage how close to
1730 // the upper size limit the policy is, with 100% equaling the maximum allowed
1733 // For more information about how permissions work, see Permissions for GetFederationToken
1734 // (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
1735 Policy *string `min:"1" type:"string"`
1738 // String returns the string representation
1739 func (s GetFederationTokenInput) String() string {
1740 return awsutil.Prettify(s)
1743 // GoString returns the string representation
1744 func (s GetFederationTokenInput) GoString() string {
1748 // Validate inspects the fields of the type to determine if they are valid.
1749 func (s *GetFederationTokenInput) Validate() error {
1750 invalidParams := request.ErrInvalidParams{Context: "GetFederationTokenInput"}
1751 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1752 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1755 invalidParams.Add(request.NewErrParamRequired("Name"))
1757 if s.Name != nil && len(*s.Name) < 2 {
1758 invalidParams.Add(request.NewErrParamMinLen("Name", 2))
1760 if s.Policy != nil && len(*s.Policy) < 1 {
1761 invalidParams.Add(request.NewErrParamMinLen("Policy", 1))
1764 if invalidParams.Len() > 0 {
1765 return invalidParams
1770 // Contains the response to a successful GetFederationToken request, including
1771 // temporary AWS credentials that can be used to make AWS requests.
1772 type GetFederationTokenOutput struct {
1773 _ struct{} `type:"structure"`
1775 // The temporary security credentials, which include an access key ID, a secret
1776 // access key, and a security (or session) token.
1778 // Note: The size of the security token that STS APIs return is not fixed. We
1779 // strongly recommend that you make no assumptions about the maximum size. As
1780 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1781 // Also, future updates to AWS might require larger sizes.
1782 Credentials *Credentials `type:"structure"`
1784 // Identifiers for the federated user associated with the credentials (such
1785 // as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You
1786 // can use the federated user's ARN in your resource-based policies, such as
1787 // an Amazon S3 bucket policy.
1788 FederatedUser *FederatedUser `type:"structure"`
1790 // A percentage value indicating the size of the policy in packed form. The
1791 // service rejects policies for which the packed size is greater than 100 percent
1792 // of the allowed value.
1793 PackedPolicySize *int64 `type:"integer"`
1796 // String returns the string representation
1797 func (s GetFederationTokenOutput) String() string {
1798 return awsutil.Prettify(s)
1801 // GoString returns the string representation
1802 func (s GetFederationTokenOutput) GoString() string {
1806 type GetSessionTokenInput struct {
1807 _ struct{} `type:"structure"`
1809 // The duration, in seconds, that the credentials should remain valid. Acceptable
1810 // durations for IAM user sessions range from 900 seconds (15 minutes) to 129600
1811 // seconds (36 hours), with 43200 seconds (12 hours) as the default. Sessions
1812 // for AWS account owners are restricted to a maximum of 3600 seconds (one hour).
1813 // If the duration is longer than one hour, the session for AWS account owners
1814 // defaults to one hour.
1815 DurationSeconds *int64 `min:"900" type:"integer"`
1817 // The identification number of the MFA device that is associated with the IAM
1818 // user who is making the GetSessionToken call. Specify this value if the IAM
1819 // user has a policy that requires MFA authentication. The value is either the
1820 // serial number for a hardware device (such as GAHT12345678) or an Amazon Resource
1821 // Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user).
1822 // You can find the device for an IAM user by going to the AWS Management Console
1823 // and viewing the user's security credentials.
1825 // The format for this parameter, as described by its regex pattern, is a string
1826 // of characters consisting of upper- and lower-case alphanumeric characters
1827 // with no spaces. You can also include underscores or any of the following
1828 // characters: =,.@-
1829 SerialNumber *string `min:"9" type:"string"`
1831 // The value provided by the MFA device, if MFA is required. If any policy requires
1832 // the IAM user to submit an MFA code, specify this value. If MFA authentication
1833 // is required, and the user does not provide a code when requesting a set of
1834 // temporary security credentials, the user will receive an "access denied"
1835 // response when requesting resources that require MFA authentication.
1837 // The format for this parameter, as described by its regex pattern, is a sequence
1838 // of six numeric digits.
1839 TokenCode *string `min:"6" type:"string"`
1842 // String returns the string representation
1843 func (s GetSessionTokenInput) String() string {
1844 return awsutil.Prettify(s)
1847 // GoString returns the string representation
1848 func (s GetSessionTokenInput) GoString() string {
1852 // Validate inspects the fields of the type to determine if they are valid.
1853 func (s *GetSessionTokenInput) Validate() error {
1854 invalidParams := request.ErrInvalidParams{Context: "GetSessionTokenInput"}
1855 if s.DurationSeconds != nil && *s.DurationSeconds < 900 {
1856 invalidParams.Add(request.NewErrParamMinValue("DurationSeconds", 900))
1858 if s.SerialNumber != nil && len(*s.SerialNumber) < 9 {
1859 invalidParams.Add(request.NewErrParamMinLen("SerialNumber", 9))
1861 if s.TokenCode != nil && len(*s.TokenCode) < 6 {
1862 invalidParams.Add(request.NewErrParamMinLen("TokenCode", 6))
1865 if invalidParams.Len() > 0 {
1866 return invalidParams
1871 // Contains the response to a successful GetSessionToken request, including
1872 // temporary AWS credentials that can be used to make AWS requests.
1873 type GetSessionTokenOutput struct {
1874 _ struct{} `type:"structure"`
1876 // The temporary security credentials, which include an access key ID, a secret
1877 // access key, and a security (or session) token.
1879 // Note: The size of the security token that STS APIs return is not fixed. We
1880 // strongly recommend that you make no assumptions about the maximum size. As
1881 // of this writing, the typical size is less than 4096 bytes, but that can vary.
1882 // Also, future updates to AWS might require larger sizes.
1883 Credentials *Credentials `type:"structure"`
1886 // String returns the string representation
1887 func (s GetSessionTokenOutput) String() string {
1888 return awsutil.Prettify(s)
1891 // GoString returns the string representation
1892 func (s GetSessionTokenOutput) GoString() string {