// Code generated by private/model/cli/gen-api/main.go. DO NOT EDIT. package sts import ( "context" "fmt" "github.com/aws/aws-sdk-go-v2/aws" "github.com/aws/aws-sdk-go-v2/internal/awsutil" ) type AssumeRoleInput struct { _ struct{} `type:"structure"` // The duration, in seconds, of the role session. The value can range from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. If you specify a value // higher than this setting, the operation fails. For example, if you specify // a session duration of 12 hours, but your administrator set the maximum session // duration to 6 hours, your operation fails. To learn how to view the maximum // value for your role, see View the Maximum Session Duration Setting for a // Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. // // By default, the value is set to 3600 seconds. // // The DurationSeconds parameter is separate from the duration of a console // session that you might request using the returned credentials. The request // to the federation endpoint for a console sign-in token takes a SessionDuration // parameter that specifies the maximum length of the console session. For more // information, see Creating a URL that Enables Federated Users to Access the // AWS Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) // in the IAM User Guide. DurationSeconds *int64 `min:"900" type:"integer"` // A unique identifier that might be required when you assume a role in another // account. If the administrator of the account to which the role belongs provided // you with an external ID, then provide that value in the ExternalId parameter. // This value can be any string, such as a passphrase or account number. A cross-account // role is usually set up to trust everyone in an account. Therefore, the administrator // of the trusting account might send an external ID to the administrator of // the trusted account. That way, only someone with the ID can assume the role, // rather than everyone in the account. For more information about the external // ID, see How to Use an External ID When Granting Access to Your AWS Resources // to a Third Party (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html) // in the IAM User Guide. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@:/- ExternalId *string `min:"2" type:"string"` // An IAM policy in JSON format that you want to use as an inline session policy. // // This parameter is optional. Passing policies to this operation returns new // temporary credentials. The resulting session's permissions are the intersection // of the role's identity-based policy and the session policies. You can use // the role's temporary credentials in subsequent AWS API calls to access resources // in the account that owns the role. You cannot use session policies to grant // more permissions than those allowed by the identity-based policy of the role // that is being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // The plain text that you use for both inline and managed session policies // can't exceed 2,048 characters. The JSON policy characters can be any ASCII // character from the space character to the end of the valid character list // (\u0020 through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), // and carriage return (\u000D) characters. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail // for this limit even if your plain text meets the other requirements. The // PackedPolicySize response element indicates by percentage how close the policies // and tags for your request are to the upper size limit. Policy *string `min:"1" type:"string"` // The Amazon Resource Names (ARNs) of the IAM managed policies that you want // to use as managed session policies. The policies must exist in the same account // as the role. // // This parameter is optional. You can provide up to 10 managed policy ARNs. // However, the plain text that you use for both inline and managed session // policies can't exceed 2,048 characters. For more information about ARNs, // see Amazon Resource Names (ARNs) and AWS Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) // in the AWS General Reference. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail // for this limit even if your plain text meets the other requirements. The // PackedPolicySize response element indicates by percentage how close the policies // and tags for your request are to the upper size limit. // // Passing policies to this operation returns new temporary credentials. The // resulting session's permissions are the intersection of the role's identity-based // policy and the session policies. You can use the role's temporary credentials // in subsequent AWS API calls to access resources in the account that owns // the role. You cannot use session policies to grant more permissions than // those allowed by the identity-based policy of the role that is being assumed. // For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. PolicyArns []PolicyDescriptorType `type:"list"` // The Amazon Resource Name (ARN) of the role to assume. // // RoleArn is a required field RoleArn *string `min:"20" type:"string" required:"true"` // An identifier for the assumed role session. // // Use the role session name to uniquely identify a session when the same role // is assumed by different principals or for different reasons. In cross-account // scenarios, the role session name is visible to, and can be logged by the // account that owns the role. The role session name is also used in the ARN // of the assumed role principal. This means that subsequent cross-account API // requests that use the temporary security credentials will expose the role // session name to the external account in their AWS CloudTrail logs. // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- // // RoleSessionName is a required field RoleSessionName *string `min:"2" type:"string" required:"true"` // The identification number of the MFA device that is associated with the user // who is making the AssumeRole call. Specify this value if the trust policy // of the role being assumed includes a condition that requires MFA authentication. // The value is either the serial number for a hardware device (such as GAHT12345678) // or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). // // The regex used to validate this parameter is a string of characters consisting // of upper- and lower-case alphanumeric characters with no spaces. You can // also include underscores or any of the following characters: =,.@- SerialNumber *string `min:"9" type:"string"` // A list of session tags that you want to pass. Each session tag consists of // a key name and an associated value. For more information about session tags, // see Tagging AWS STS Sessions (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // This parameter is optional. You can pass up to 50 session tags. The plain // text session tag keys can’t exceed 128 characters, and the values can’t // exceed 256 characters. For these and additional limits, see IAM and STS Character // Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) // in the IAM User Guide. // // An AWS conversion compresses the passed session policies and session tags // into a packed binary format that has a separate limit. Your request can fail // for this limit even if your plain text meets the other requirements. The // PackedPolicySize response element indicates by percentage how close the policies // and tags for your request are to the upper size limit. // // You can pass a session tag with the same key as a tag that is already attached // to the role. When you do, session tags override a role tag with the same // key. // // Tag key–value pairs are not case sensitive, but case is preserved. This // means that you cannot have separate Department and department tag keys. Assume // that the role has the Department=Marketing tag and you pass the department=engineering // session tag. Department and department are not saved as separate tags, and // the session tag passed in the request takes precedence over the role tag. // // Additionally, if you used temporary credentials to perform this operation, // the new session inherits any transitive session tags from the calling session. // If you pass a session tag with the same key as an inherited tag, the operation // fails. To view the inherited tags for a session, see the AWS CloudTrail logs. // For more information, see Viewing Session Tags in CloudTrail (https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs) // in the IAM User Guide. Tags []Tag `type:"list"` // The value provided by the MFA device, if the trust policy of the role being // assumed requires MFA (that is, if the policy includes a condition that tests // for MFA). If the role being assumed requires MFA and if the TokenCode value // is missing or expired, the AssumeRole call returns an "access denied" error. // // The format for this parameter, as described by its regex pattern, is a sequence // of six numeric digits. TokenCode *string `min:"6" type:"string"` // A list of keys for session tags that you want to set as transitive. If you // set a tag key as transitive, the corresponding key and value passes to subsequent // sessions in a role chain. For more information, see Chaining Roles with Session // Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) // in the IAM User Guide. // // This parameter is optional. When you set session tags as transitive, the // session policy and session tags packed binary limit is not affected. // // If you choose not to specify a transitive tag key, then no tags are passed // from this session to any subsequent sessions. TransitiveTagKeys []string `type:"list"` } // String returns the string representation func (s AssumeRoleInput) String() string { return awsutil.Prettify(s) } // Validate inspects the fields of the type to determine if they are valid. func (s *AssumeRoleInput) Validate() error { invalidParams := aws.ErrInvalidParams{Context: "AssumeRoleInput"} if s.DurationSeconds != nil && *s.DurationSeconds < 900 { invalidParams.Add(aws.NewErrParamMinValue("DurationSeconds", 900)) } if s.ExternalId != nil && len(*s.ExternalId) < 2 { invalidParams.Add(aws.NewErrParamMinLen("ExternalId", 2)) } if s.Policy != nil && len(*s.Policy) < 1 { invalidParams.Add(aws.NewErrParamMinLen("Policy", 1)) } if s.RoleArn == nil { invalidParams.Add(aws.NewErrParamRequired("RoleArn")) } if s.RoleArn != nil && len(*s.RoleArn) < 20 { invalidParams.Add(aws.NewErrParamMinLen("RoleArn", 20)) } if s.RoleSessionName == nil { invalidParams.Add(aws.NewErrParamRequired("RoleSessionName")) } if s.RoleSessionName != nil && len(*s.RoleSessionName) < 2 { invalidParams.Add(aws.NewErrParamMinLen("RoleSessionName", 2)) } if s.SerialNumber != nil && len(*s.SerialNumber) < 9 { invalidParams.Add(aws.NewErrParamMinLen("SerialNumber", 9)) } if s.TokenCode != nil && len(*s.TokenCode) < 6 { invalidParams.Add(aws.NewErrParamMinLen("TokenCode", 6)) } if s.PolicyArns != nil { for i, v := range s.PolicyArns { if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "PolicyArns", i), err.(aws.ErrInvalidParams)) } } } if s.Tags != nil { for i, v := range s.Tags { if err := v.Validate(); err != nil { invalidParams.AddNested(fmt.Sprintf("%s[%v]", "Tags", i), err.(aws.ErrInvalidParams)) } } } if invalidParams.Len() > 0 { return invalidParams } return nil } // Contains the response to a successful AssumeRole request, including temporary // AWS credentials that can be used to make AWS requests. type AssumeRoleOutput struct { _ struct{} `type:"structure"` // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers // that you can use to refer to the resulting temporary security credentials. // For example, you can reference these credentials as a principal in a resource-based // policy by using the ARN or assumed role ID. The ARN and ID include the RoleSessionName // that you specified when you called AssumeRole. AssumedRoleUser *AssumedRoleUser `type:"structure"` // The temporary security credentials, which include an access key ID, a secret // access key, and a security (or session) token. // // The size of the security token that STS API operations return is not fixed. // We strongly recommend that you make no assumptions about the maximum size. Credentials *Credentials `type:"structure"` // A percentage value that indicates the packed size of the session policies // and session tags combined passed in the request. The request fails if the // packed size is greater than 100 percent, which means the policies and tags // exceeded the allowed space. PackedPolicySize *int64 `type:"integer"` } // String returns the string representation func (s AssumeRoleOutput) String() string { return awsutil.Prettify(s) } const opAssumeRole = "AssumeRole" // AssumeRoleRequest returns a request value for making API operation for // AWS Security Token Service. // // Returns a set of temporary security credentials that you can use to access // AWS resources that you might not normally have access to. These temporary // credentials consist of an access key ID, a secret access key, and a security // token. Typically, you use AssumeRole within your account or for cross-account // access. For a comparison of AssumeRole with other API operations that produce // temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) // and Comparing the AWS STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) // in the IAM User Guide. // // You cannot use AWS account root user credentials to call AssumeRole. You // must use credentials for an IAM user or an IAM role to call AssumeRole. // // For cross-account access, imagine that you own multiple accounts and need // to access resources in each account. You could create long-term credentials // in each account to access those resources. However, managing all those credentials // and remembering which one can access which account can be time consuming. // Instead, you can create one set of long-term credentials in one account. // Then use temporary security credentials to access all the other accounts // by assuming roles in those accounts. For more information about roles, see // IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html) // in the IAM User Guide. // // Session Duration // // By default, the temporary security credentials created by AssumeRole last // for one hour. However, you can use the optional DurationSeconds parameter // to specify the duration of your session. You can provide a value from 900 // seconds (15 minutes) up to the maximum session duration setting for the role. // This setting can have a value from 1 hour to 12 hours. To learn how to view // the maximum value for your role, see View the Maximum Session Duration Setting // for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) // in the IAM User Guide. The maximum session duration limit applies when you // use the AssumeRole* API operations or the assume-role* CLI commands. However // the limit does not apply when you use those operations to create a console // URL. For more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) // in the IAM User Guide. // // Permissions // // The temporary security credentials created by AssumeRole can be used to make // API calls to any AWS service with the following exception: You cannot call // the AWS STS GetFederationToken or GetSessionToken API operations. // // (Optional) You can pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // to this operation. You can pass a single JSON policy document to use as an // inline session policy. You can also specify up to 10 managed policies to // use as managed session policies. The plain text that you use for both inline // and managed session policies can't exceed 2,048 characters. Passing policies // to this operation returns new temporary credentials. The resulting session's // permissions are the intersection of the role's identity-based policy and // the session policies. You can use the role's temporary credentials in subsequent // AWS API calls to access resources in the account that owns the role. You // cannot use session policies to grant more permissions than those allowed // by the identity-based policy of the role that is being assumed. For more // information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) // in the IAM User Guide. // // To assume a role from a different account, your AWS account must be trusted // by the role. The trust relationship is defined in the role's trust policy // when the role is created. That trust policy states which accounts are allowed // to delegate that access to users in the account. // // A user who wants to access a role in a different account must also have permissions // that are delegated from the user account administrator. The administrator // must attach a policy that allows the user to call AssumeRole for the ARN // of the role in the other account. If the user is in the same account as the // role, then you can do either of the following: // // * Attach a policy to the user (identical to the previous user in a different // account). // // * Add the user as a principal directly in the role's trust policy. // // In this case, the trust policy acts as an IAM resource-based policy. Users // in the same account as the role do not need explicit permission to assume // the role. For more information about trust policies and resource-based policies, // see IAM Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) // in the IAM User Guide. // // Tags // // (Optional) You can pass tag key-value pairs to your session. These tags are // called session tags. For more information about session tags, see Passing // Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) // in the IAM User Guide. // // An administrator must grant you the permissions necessary to pass session // tags. The administrator can also create granular permissions to allow you // to pass only specific session tags. For more information, see Tutorial: Using // Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) // in the IAM User Guide. // // You can set the session tags as transitive. Transitive tags persist during // role chaining. For more information, see Chaining Roles with Session Tags // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) // in the IAM User Guide. // // Using MFA with AssumeRole // // (Optional) You can include multi-factor authentication (MFA) information // when you call AssumeRole. This is useful for cross-account scenarios to ensure // that the user that assumes the role has been authenticated with an AWS MFA // device. In that scenario, the trust policy of the role being assumed includes // a condition that tests for MFA authentication. If the caller does not include // valid MFA information, the request to assume the role is denied. The condition // in a trust policy that tests for MFA authentication might look like the following // example. // // "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} // // For more information, see Configuring MFA-Protected API Access (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) // in the IAM User Guide guide. // // To use MFA with AssumeRole, you pass values for the SerialNumber and TokenCode // parameters. The SerialNumber value identifies the user's hardware or virtual // MFA device. The TokenCode is the time-based one-time password (TOTP) that // the MFA device produces. // // // Example sending a request using AssumeRoleRequest. // req := client.AssumeRoleRequest(params) // resp, err := req.Send(context.TODO()) // if err == nil { // fmt.Println(resp) // } // // Please also see https://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole func (c *Client) AssumeRoleRequest(input *AssumeRoleInput) AssumeRoleRequest { op := &aws.Operation{ Name: opAssumeRole, HTTPMethod: "POST", HTTPPath: "/", } if input == nil { input = &AssumeRoleInput{} } req := c.newRequest(op, input, &AssumeRoleOutput{}) return AssumeRoleRequest{Request: req, Input: input, Copy: c.AssumeRoleRequest} } // AssumeRoleRequest is the request type for the // AssumeRole API operation. type AssumeRoleRequest struct { *aws.Request Input *AssumeRoleInput Copy func(*AssumeRoleInput) AssumeRoleRequest } // Send marshals and sends the AssumeRole API request. func (r AssumeRoleRequest) Send(ctx context.Context) (*AssumeRoleResponse, error) { r.Request.SetContext(ctx) err := r.Request.Send() if err != nil { return nil, err } resp := &AssumeRoleResponse{ AssumeRoleOutput: r.Request.Data.(*AssumeRoleOutput), response: &aws.Response{Request: r.Request}, } return resp, nil } // AssumeRoleResponse is the response type for the // AssumeRole API operation. type AssumeRoleResponse struct { *AssumeRoleOutput response *aws.Response } // SDKResponseMetdata returns the response metadata for the // AssumeRole request. func (r *AssumeRoleResponse) SDKResponseMetdata() *aws.Response { return r.response }