import { MetadataBearer as $MetadataBearer, SmithyException as __SmithyException } from "@aws-sdk/types"; /** *
The identifiers for the temporary security credentials that the operation * returns.
*/ export interface AssumedRoleUser { /** *A unique identifier that contains the role ID and the role session name of the role that * is being assumed. The role ID is generated by Amazon Web Services when the role is created.
*/ AssumedRoleId: string | undefined; /** *The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in * policies, see IAM Identifiers in the * IAM User Guide.
*/ Arn: string | undefined; } export namespace AssumedRoleUser { /** * @internal */ export const filterSensitiveLog = (obj: AssumedRoleUser): any => ({ ...obj, }); } /** *A reference to the IAM managed policy that is passed as a session policy for a role * session or a federated user session.
*/ export interface PolicyDescriptorType { /** *The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy * for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*/ arn?: string; } export namespace PolicyDescriptorType { /** * @internal */ export const filterSensitiveLog = (obj: PolicyDescriptorType): any => ({ ...obj, }); } /** *You can pass custom key-value pair attributes when you assume a role or federate a user. * These are called session tags. You can then use the session tags to control access to * resources. For more information, see Tagging STS Sessions in the * IAM User Guide.
*/ export interface Tag { /** *The key for a session tag.
*You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*/ Key: string | undefined; /** *The value for a session tag.
*You can pass up to 50 session tags. The plain text session tag values can’t exceed 256 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*/ Value: string | undefined; } export namespace Tag { /** * @internal */ export const filterSensitiveLog = (obj: Tag): any => ({ ...obj, }); } export interface AssumeRoleRequest { /** *The Amazon Resource Name (ARN) of the role to assume.
*/ RoleArn: string | undefined; /** *An identifier for the assumed role session.
*Use the role session name to uniquely identify a session when the same role is assumed * by different principals or for different reasons. In cross-account scenarios, the role * session name is visible to, and can be logged by the account that owns the role. The role * session name is also used in the ARN of the assumed role principal. This means that * subsequent cross-account API requests that use the temporary security credentials will * expose the role session name to the external account in their CloudTrail logs.
*The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ RoleSessionName: string | undefined; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
The duration, in seconds, of the role session. The value specified can can range from * 900 seconds (15 minutes) up to the maximum session duration that is set for the role. The * maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a * value higher than this setting or the administrator setting (whichever is lower), the * operation fails. For example, if you specify a session duration of 12 hours, but your * administrator set the maximum session duration to 6 hours, your operation fails. To learn * how to view the maximum value for your role, see View the * Maximum Session Duration Setting for a Role in the * IAM User Guide.
*By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Management Console in the
* IAM User Guide.
A list of session tags that you want to pass. Each session tag consists of a key name * and an associated value. For more information about session tags, see Tagging STS * Sessions in the IAM User Guide.
*This parameter is optional. You can pass up to 50 session tags. The plaintext session * tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these * and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
* *An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
You can pass a session tag with the same key as a tag that is already * attached to the role. When you do, session tags override a role tag with the same key.
*Tag key–value pairs are not case sensitive, but case is preserved. This means that you
* cannot have separate Department and department tag keys. Assume
* that the role has the Department=Marketing tag and you pass the
* department=engineering session tag. Department
* and department are not saved as separate tags, and the session tag passed in
* the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new * session inherits any transitive session tags from the calling session. If you pass a * session tag with the same key as an inherited tag, the operation fails. To view the * inherited tags for a session, see the CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the * IAM User Guide.
*/ Tags?: Tag[]; /** *A list of keys for session tags that you want to set as transitive. If you set a tag key * as transitive, the corresponding key and value passes to subsequent sessions in a role * chain. For more information, see Chaining Roles * with Session Tags in the IAM User Guide.
*This parameter is optional. When you set session tags as transitive, the session policy * and session tags packed binary limit is not affected.
*If you choose not to specify a transitive tag key, then no tags are passed from this * session to any subsequent sessions.
*/ TransitiveTagKeys?: string[]; /** *A unique identifier that might be required when you assume a role in another account. If
* the administrator of the account to which the role belongs provided you with an external
* ID, then provide that value in the ExternalId parameter. This value can be any
* string, such as a passphrase or account number. A cross-account role is usually set up to
* trust everyone in an account. Therefore, the administrator of the trusting account might
* send an external ID to the administrator of the trusted account. That way, only someone
* with the ID can assume the role, rather than everyone in the account. For more information
* about the external ID, see How to Use an External ID
* When Granting Access to Your Amazon Web Services Resources to a Third Party in the
* IAM User Guide.
The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: =,.@:/-
*/ ExternalId?: string; /** *The identification number of the MFA device that is associated with the user who is
* making the AssumeRole call. Specify this value if the trust policy of the role
* being assumed includes a condition that requires MFA authentication. The value is either
* the serial number for a hardware device (such as GAHT12345678) or an Amazon
* Resource Name (ARN) for a virtual device (such as
* arn:aws:iam::123456789012:mfa/user).
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ SerialNumber?: string; /** *The value provided by the MFA device, if the trust policy of the role being assumed
* requires MFA. (In other words, if the policy includes a condition that tests for MFA). If
* the role being assumed requires MFA and if the TokenCode value is missing or
* expired, the AssumeRole call returns an "access denied" error.
The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits.
*/ TokenCode?: string; /** *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this
* by using the sts:SourceIdentity condition key in a role trust policy. You can
* use source identity information in CloudTrail logs to determine who took actions with a role.
* You can use the aws:SourceIdentity condition key to further control access to
* Amazon Web Services resources based on the value of source identity. For more information about using
* source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-
* and lower-case alphanumeric characters with no spaces. You can also include underscores or
* any of the following characters: =,.@-. You cannot use a value that begins with the text
* aws:. This prefix is reserved for Amazon Web Services internal
* use.
Amazon Web Services credentials for API authentication.
*/ export interface Credentials { /** *The access key ID that identifies the temporary security credentials.
*/ AccessKeyId: string | undefined; /** *The secret access key that can be used to sign requests.
*/ SecretAccessKey: string | undefined; /** *The token that users must pass to the service API to use the temporary * credentials.
*/ SessionToken: string | undefined; /** *The date on which the current credentials expire.
*/ Expiration: Date | undefined; } export namespace Credentials { /** * @internal */ export const filterSensitiveLog = (obj: Credentials): any => ({ ...obj, }); } /** *Contains the response to a successful AssumeRole request, including * temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface AssumeRoleResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
* can use to refer to the resulting temporary security credentials. For example, you can
* reference these credentials as a principal in a resource-based policy by using the ARN or
* assumed role ID. The ARN and ID include the RoleSessionName that you specified
* when you called AssumeRole.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; /** *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this
* by using the sts:SourceIdentity condition key in a role trust policy. You can
* use source identity information in CloudTrail logs to determine who took actions with a role.
* You can use the aws:SourceIdentity condition key to further control access to
* Amazon Web Services resources based on the value of source identity. For more information about using
* source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- * and lower-case alphanumeric characters with no spaces. You can also include underscores or * any of the following characters: =,.@-
*/ SourceIdentity?: string; } export namespace AssumeRoleResponse { /** * @internal */ export const filterSensitiveLog = (obj: AssumeRoleResponse): any => ({ ...obj, }); } /** *The web identity token that was passed is expired or is not valid. Get a new identity * token from the identity provider and then retry the request.
*/ export interface ExpiredTokenException extends __SmithyException, $MetadataBearer { name: "ExpiredTokenException"; $fault: "client"; message?: string; } export namespace ExpiredTokenException { /** * @internal */ export const filterSensitiveLog = (obj: ExpiredTokenException): any => ({ ...obj, }); } /** *The request was rejected because the policy document was malformed. The error message * describes the specific error.
*/ export interface MalformedPolicyDocumentException extends __SmithyException, $MetadataBearer { name: "MalformedPolicyDocumentException"; $fault: "client"; message?: string; } export namespace MalformedPolicyDocumentException { /** * @internal */ export const filterSensitiveLog = (obj: MalformedPolicyDocumentException): any => ({ ...obj, }); } /** *The request was rejected because the total packed size of the session policies and * session tags combined was too large. An Amazon Web Services conversion compresses the session policy * document, session policy ARNs, and session tags into a packed binary format that has a * separate limit. The error message indicates by percentage how close the policies and * tags are to the upper size limit. For more information, see Passing Session Tags in STS in * the IAM User Guide.
*You could receive this error even though you meet other defined session policy and * session tag limits. For more information, see IAM and STS Entity * Character Limits in the IAM User Guide.
*/ export interface PackedPolicyTooLargeException extends __SmithyException, $MetadataBearer { name: "PackedPolicyTooLargeException"; $fault: "client"; message?: string; } export namespace PackedPolicyTooLargeException { /** * @internal */ export const filterSensitiveLog = (obj: PackedPolicyTooLargeException): any => ({ ...obj, }); } /** *STS is not activated in the requested region for the account that is being asked to * generate credentials. The account administrator must use the IAM console to activate STS * in that region. For more information, see Activating and * Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User * Guide.
*/ export interface RegionDisabledException extends __SmithyException, $MetadataBearer { name: "RegionDisabledException"; $fault: "client"; message?: string; } export namespace RegionDisabledException { /** * @internal */ export const filterSensitiveLog = (obj: RegionDisabledException): any => ({ ...obj, }); } export interface AssumeRoleWithSAMLRequest { /** *The Amazon Resource Name (ARN) of the role that the caller is assuming.
*/ RoleArn: string | undefined; /** *The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the * IdP.
*/ PrincipalArn: string | undefined; /** *The base64 encoded SAML authentication response provided by the IdP.
*For more information, see Configuring a Relying Party and * Adding Claims in the IAM User Guide.
*/ SAMLAssertion: string | undefined; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
The duration, in seconds, of the role session. Your role session lasts for the duration
* that you specify for the DurationSeconds parameter, or until the time
* specified in the SAML authentication response's SessionNotOnOrAfter value,
* whichever is shorter. You can provide a DurationSeconds value from 900 seconds
* (15 minutes) up to the maximum session duration setting for the role. This setting can have
* a value from 1 hour to 12 hours. If you specify a value higher than this setting, the
* operation fails. For example, if you specify a session duration of 12 hours, but your
* administrator set the maximum session duration to 6 hours, your operation fails. To learn
* how to view the maximum value for your role, see View the
* Maximum Session Duration Setting for a Role in the
* IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Management Console in the
* IAM User Guide.
Contains the response to a successful AssumeRoleWithSAML request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface AssumeRoleWithSAMLResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The identifiers for the temporary security credentials that the operation * returns.
*/ AssumedRoleUser?: AssumedRoleUser; /** *A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; /** *The value of the NameID element in the Subject element of the
* SAML assertion.
The format of the name ID, as defined by the Format attribute in the
* NameID element of the SAML assertion. Typical examples of the format are
* transient or persistent.
If the format includes the prefix
* urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For
* example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as
* transient. If the format includes any other prefix, the format is returned
* with no modifications.
The value of the Issuer element of the SAML assertion.
The value of the Recipient attribute of the
* SubjectConfirmationData element of the SAML assertion.
A hash value based on the concatenation of the following:
*The Issuer response value.
The Amazon Web Services account ID.
*The friendly name (the last part of the ARN) of the SAML provider in IAM.
*The combination of NameQualifier and Subject can be used to
* uniquely identify a federated user.
The following pseudocode shows how the hash value is calculated:
*
* BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
*
The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do
* this by using the sts:SourceIdentity condition key in a role trust policy.
* That way, actions that are taken with the role are associated with that user. After the
* source identity is set, the value cannot be changed. It is present in the request for all
* actions that are taken by the role and persists across chained
* role sessions. You can configure your SAML identity provider to use an attribute
* associated with your users, like user name or email, as the source identity when calling
* AssumeRoleWithSAML. You do this by adding an attribute to the SAML
* assertion. For more information about using source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ SourceIdentity?: string; } export namespace AssumeRoleWithSAMLResponse { /** * @internal */ export const filterSensitiveLog = (obj: AssumeRoleWithSAMLResponse): any => ({ ...obj, }); } /** *The identity provider (IdP) reported that authentication failed. This might be because * the claim is invalid.
*If this error is returned for the AssumeRoleWithWebIdentity operation, it
* can also mean that the claim has expired or has been explicitly revoked.
The web identity token that was passed could not be validated by Amazon Web Services. Get a new * identity token from the identity provider and then retry the request.
*/ export interface InvalidIdentityTokenException extends __SmithyException, $MetadataBearer { name: "InvalidIdentityTokenException"; $fault: "client"; message?: string; } export namespace InvalidIdentityTokenException { /** * @internal */ export const filterSensitiveLog = (obj: InvalidIdentityTokenException): any => ({ ...obj, }); } export interface AssumeRoleWithWebIdentityRequest { /** *The Amazon Resource Name (ARN) of the role that the caller is assuming.
*/ RoleArn: string | undefined; /** *An identifier for the assumed role session. Typically, you pass the name or identifier
* that is associated with the user who is using your application. That way, the temporary
* security credentials that your application will use are associated with that user. This
* session name is included as part of the ARN and assumed role ID in the
* AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ RoleSessionName: string | undefined; /** *The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
* provider. Your application must get this token by authenticating the user who is using your
* application with a web identity provider before the application makes an
* AssumeRoleWithWebIdentity call.
The fully qualified host component of the domain name of the identity provider.
*Specify this value only for OAuth 2.0 access tokens. Currently
* www.amazon.com and graph.facebook.com are the only supported
* identity providers for OAuth 2.0 access tokens. Do not include URL schemes and port
* numbers.
Do not specify this value for OpenID Connect ID tokens.
*/ ProviderId?: string; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed session policies and session tags into a
* packed binary format that has a separate limit. Your request can fail for this limit
* even if your plaintext meets the other requirements. The PackedPolicySize
* response element indicates by percentage how close the policies and tags for your
* request are to the upper size limit.
*
The duration, in seconds, of the role session. The value can range from 900 seconds (15 * minutes) up to the maximum session duration setting for the role. This setting can have a * value from 1 hour to 12 hours. If you specify a value higher than this setting, the * operation fails. For example, if you specify a session duration of 12 hours, but your * administrator set the maximum session duration to 6 hours, your operation fails. To learn * how to view the maximum value for your role, see View the * Maximum Session Duration Setting for a Role in the * IAM User Guide.
*By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Management Console in the
* IAM User Guide.
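/**
 * Contains the response to a successful AssumeRoleWithWebIdentity request,
 * including temporary Amazon Web Services credentials that can be used to make
 * Amazon Web Services requests.
 */
export interface AssumeRoleWithWebIdentityResponse {
  /**
   * The temporary security credentials, which include an access key ID, a secret
   * access key, and a security token.
   *
   * The size of the security token that STS API operations return is not fixed.
   * We strongly recommend that you make no assumptions about the maximum size.
   */
  // [MISSING IN LISTING] the member this comment documents (the credentials) was dropped from this listing; restore it from the upstream STS model.

  /**
   * The unique user identifier that is returned by the identity provider. This
   * identifier is associated with the WebIdentityToken that was submitted with the
   * AssumeRoleWithWebIdentity call. The identifier is typically unique to the user
   * and the application that acquired the WebIdentityToken (pairwise identifier).
   * For OpenID Connect ID tokens, this field contains the value returned by the
   * identity provider as the token's sub (Subject) claim.
   */
  // [MISSING IN LISTING] the member this comment documents was dropped from this listing; restore it from the upstream STS model.

  /**
   * The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
   * that you can use to refer to the resulting temporary security credentials. For
   * example, you can reference these credentials as a principal in a resource-based
   * policy by using the ARN or assumed role ID. The ARN and ID include the
   * RoleSessionName that you specified when you called AssumeRole.
   */
  // [MISSING IN LISTING] the member this comment documents was dropped from this listing; restore it from the upstream STS model.

  /**
   * A percentage value that indicates the packed size of the session policies and
   * session tags combined passed in the request. The request fails if the packed
   * size is greater than 100 percent, which means the policies and tags exceeded
   * the allowed space.
   */
  PackedPolicySize?: number;

  /**
   * The issuing authority of the web identity token presented. For OpenID Connect
   * ID tokens, this contains the value of the iss field. For OAuth 2.0 access
   * tokens, this contains the value of the ProviderId parameter that was passed in
   * the AssumeRoleWithWebIdentity request.
   */
  // [MISSING IN LISTING] the member this comment documents was dropped from this listing; restore it from the upstream STS model.

  /**
   * The intended audience (also known as client ID) of the web identity token.
   * This is traditionally the client identifier issued to the application that
   * requested the web identity token.
   */
  Audience?: string;

  /**
   * The value of the source identity that is returned in the JSON web token (JWT)
   * from the identity provider.
   *
   * You can require users to set a source identity value when they assume a role.
   * You do this by using the sts:SourceIdentity condition key in a role trust
   * policy. That way, actions that are taken with the role are associated with
   * that user. After the source identity is set, the value cannot be changed. It
   * is present in the request for all actions that are taken by the role and
   * persists across chained role sessions. You can configure your identity
   * provider to use an attribute associated with your users, like user name or
   * email, as the source identity when calling AssumeRoleWithWebIdentity. You do
   * this by adding a claim to the JSON web token. To learn more about OIDC tokens
   * and claims, see Using Tokens with User Pools in the Amazon Cognito Developer
   * Guide. For more information about using source identity, see Monitor and
   * control actions taken with assumed roles in the IAM User Guide.
   *
   * The regex used to validate this parameter is a string of characters
   * consisting of upper- and lower-case alphanumeric characters with no spaces.
   * You can also include underscores or any of the following characters: =,.@-
   */
  SourceIdentity?: string;
}

export namespace AssumeRoleWithWebIdentityResponse {
  /**
   * @internal
   * Returns a shallow copy for logging. Every member is copied through unchanged;
   * nothing is redacted by this filter.
   */
  export const filterSensitiveLog = (obj: AssumeRoleWithWebIdentityResponse): any => ({
    ...obj,
  });
}

/**
 * The request could not be fulfilled because the identity provider (IDP) that was
 * asked to verify the incoming identity token could not be reached. This is often
 * a transient error caused by network conditions. Retry the request a limited
 * number of times so that you don't exceed the request rate. If the error
 * persists, the identity provider might be down or not responding.
 */
export interface IDPCommunicationErrorException extends __SmithyException, $MetadataBearer {
  name: "IDPCommunicationErrorException";
  $fault: "client";
  message?: string;
}

export namespace IDPCommunicationErrorException {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: IDPCommunicationErrorException): any => ({
    ...obj,
  });
}

export interface DecodeAuthorizationMessageRequest {
  /**
   * The encoded message that was returned with the response.
   */
  EncodedMessage: string | undefined;
}

export namespace DecodeAuthorizationMessageRequest {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: DecodeAuthorizationMessageRequest): any => ({
    ...obj,
  });
}

/**
 * A document that contains additional information about the authorization status
 * of a request from an encoded message that is returned in response to an Amazon
 * Web Services request.
 */
export interface DecodeAuthorizationMessageResponse {
  /**
   * An XML document that contains the decoded message.
   */
  DecodedMessage?: string;
}

export namespace DecodeAuthorizationMessageResponse {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: DecodeAuthorizationMessageResponse): any => ({
    ...obj,
  });
}

/**
 * The error returned if the message passed to DecodeAuthorizationMessage was
 * invalid. This can happen if the token contains invalid characters, such as
 * linebreaks.
 */
// [MISSING IN LISTING] the exception interface and namespace this comment documents were dropped from this listing; restore them from the upstream STS model.

// [RECONSTRUCTED] the `export interface GetAccessKeyInfoRequest {` header was dropped from this listing; the name is taken from the namespace that follows.
export interface GetAccessKeyInfoRequest {
  /**
   * The identifier of an access key.
   *
   * This parameter allows (through its regex pattern) a string of characters that
   * can consist of any upper- or lowercase letter or digit.
   */
  AccessKeyId: string | undefined;
}

export namespace GetAccessKeyInfoRequest {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: GetAccessKeyInfoRequest): any => ({
    ...obj,
  });
}

export interface GetAccessKeyInfoResponse {
  /**
   * The number used to identify the Amazon Web Services account.
   */
  Account?: string;
}

export namespace GetAccessKeyInfoResponse {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: GetAccessKeyInfoResponse): any => ({
    ...obj,
  });
}

export interface GetCallerIdentityRequest {}

export namespace GetCallerIdentityRequest {
  /**
   * @internal
   * Returns a shallow copy for logging; the request carries no members.
   */
  export const filterSensitiveLog = (obj: GetCallerIdentityRequest): any => ({
    ...obj,
  });
}

/**
 * Contains the response to a successful GetCallerIdentity request, including
 * information about the entity making the request.
 */
export interface GetCallerIdentityResponse {
  /**
   * The unique identifier of the calling entity. The exact value depends on the
   * type of entity that is making the call. The values returned are those listed
   * in the aws:userid column in the Principal table found on the Policy Variables
   * reference page in the IAM User Guide.
   */
  UserId?: string;

  /**
   * The Amazon Web Services account ID number of the account that owns or contains
   * the calling entity.
   */
  Account?: string;

  /**
   * The Amazon Web Services ARN associated with the calling entity.
   */
  Arn?: string;
}

export namespace GetCallerIdentityResponse {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: GetCallerIdentityResponse): any => ({
    ...obj,
  });
}

export interface GetFederationTokenRequest {
  /**
   * The name of the federated user. The name is used as an identifier for the
   * temporary security credentials (such as Bob). For example, you can reference
   * the federated user name in a resource-based policy, such as in an Amazon S3
   * bucket policy.
   *
   * The regex used to validate this parameter is a string of characters
   * consisting of upper- and lower-case alphanumeric characters with no spaces.
   * You can also include underscores or any of the following characters: =,.@-
   */
  Name: string | undefined;

  /**
   * An IAM policy in JSON format that you want to use as an inline session policy.
   *
   * You must pass an inline or managed session policy to this operation. You can
   * pass a single JSON policy document to use as an inline session policy. You can
   * also specify up to 10 managed policies to use as managed session policies.
   *
   * This parameter is optional. However, if you do not pass any session policies,
   * then the resulting federated user session has no permissions.
   *
   * When you pass session policies, the session permissions are the intersection
   * of the IAM user policies and the session policies that you pass. This gives
   * you a way to further restrict the permissions for a federated user. You cannot
   * use session policies to grant more permissions than those that are defined in
   * the permissions policy of the IAM user. For more information, see Session
   * Policies in the IAM User Guide.
   *
   * The resulting credentials can be used to access a resource that has a
   * resource-based policy. If that policy specifically references the federated
   * user session in the Principal element of the policy, the session has the
   * permissions allowed by the policy. These permissions are granted in addition
   * to the permissions that are granted by the session policies.
   *
   * The plaintext that you use for both inline and managed session policies can't
   * exceed 2,048 characters. The JSON policy characters can be any ASCII character
   * from the space character to the end of the valid character list (\u0020
   * through \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and
   * carriage return (\u000D) characters.
   *
   * An Amazon Web Services conversion compresses the passed session policies and
   * session tags into a packed binary format that has a separate limit. Your
   * request can fail for this limit even if your plaintext meets the other
   * requirements. The PackedPolicySize response element indicates by percentage
   * how close the policies and tags for your request are to the upper size limit.
   */
  // [MISSING IN LISTING] the member this comment documents (the inline policy) was dropped from this listing; restore it from the upstream STS model.

  /**
   * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
   * use as a managed session policy. The policies must exist in the same account
   * as the IAM user that is requesting federated access.
   *
   * You must pass an inline or managed session policy to this operation. You can
   * pass a single JSON policy document to use as an inline session policy. You can
   * also specify up to 10 managed policies to use as managed session policies. The
   * plaintext that you use for both inline and managed session policies can't
   * exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For
   * more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web
   * Services Service Namespaces in the Amazon Web Services General Reference.
   *
   * This parameter is optional. However, if you do not pass any session policies,
   * then the resulting federated user session has no permissions.
   *
   * When you pass session policies, the session permissions are the intersection
   * of the IAM user policies and the session policies that you pass. This gives
   * you a way to further restrict the permissions for a federated user. You cannot
   * use session policies to grant more permissions than those that are defined in
   * the permissions policy of the IAM user. For more information, see Session
   * Policies in the IAM User Guide.
   *
   * The resulting credentials can be used to access a resource that has a
   * resource-based policy. If that policy specifically references the federated
   * user session in the Principal element of the policy, the session has the
   * permissions allowed by the policy. These permissions are granted in addition
   * to the permissions that are granted by the session policies.
   *
   * An Amazon Web Services conversion compresses the passed session policies and
   * session tags into a packed binary format that has a separate limit. Your
   * request can fail for this limit even if your plaintext meets the other
   * requirements. The PackedPolicySize response element indicates by percentage
   * how close the policies and tags for your request are to the upper size limit.
   */
  // [MISSING IN LISTING] the member this comment documents (the managed policy ARNs) was dropped from this listing; restore it from the upstream STS model.

  /**
   * The duration, in seconds, that the session should last. Acceptable durations
   * for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds
   * (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained
   * using Amazon Web Services account root user credentials are restricted to a
   * maximum of 3,600 seconds (one hour). If the specified duration is longer than
   * one hour, the session obtained by using root user credentials defaults to one
   * hour.
   */
  DurationSeconds?: number;

  /**
   * A list of session tags. Each session tag consists of a key name and an
   * associated value. For more information about session tags, see Passing
   * Session Tags in STS in the IAM User Guide.
   *
   * This parameter is optional. You can pass up to 50 session tags. The plaintext
   * session tag keys can't exceed 128 characters and the values can't exceed 256
   * characters. For these and additional limits, see IAM and STS Character Limits
   * in the IAM User Guide.
   *
   * An Amazon Web Services conversion compresses the passed session policies and
   * session tags into a packed binary format that has a separate limit. Your
   * request can fail for this limit even if your plaintext meets the other
   * requirements. The PackedPolicySize response element indicates by percentage
   * how close the policies and tags for your request are to the upper size limit.
   *
   * You can pass a session tag with the same key as a tag that is already attached
   * to the user you are federating. When you do, session tags override a user tag
   * with the same key.
   *
   * Tag key-value pairs are not case sensitive, but case is preserved. This means
   * that you cannot have separate Department and department tag keys. Assume that
   * the role has the Department=Marketing tag and you pass the
   * department=engineering session tag. Department and department are not saved
   * as separate tags, and the session tag passed in the request takes precedence
   * over the role tag.
   */
  // [MISSING IN LISTING] the member this comment documents (the session tags), the interface's closing brace and its namespace were dropped from this listing; the brace below is reconstructed, restore the rest from the upstream STS model.
}

/**
 * Identifiers for the federated user that is associated with the credentials.
 */
export interface FederatedUser {
  /**
   * The string that identifies the federated user associated with the
   * credentials, similar to the unique ID of an IAM user.
   */
  FederatedUserId: string | undefined;

  /**
   * The ARN that specifies the federated user that is associated with the
   * credentials. For more information about ARNs and how to use them in policies,
   * see IAM Identifiers in the IAM User Guide.
   */
  Arn: string | undefined;
}

export namespace FederatedUser {
  /**
   * @internal
   * Returns a shallow copy for logging; nothing is redacted.
   */
  export const filterSensitiveLog = (obj: FederatedUser): any => ({
    ...obj,
  });
}

/**
 * Contains the response to a successful GetFederationToken request, including
 * temporary Amazon Web Services credentials that can be used to make Amazon Web
 * Services requests.
 */
export interface GetFederationTokenResponse {
  /**
   * The temporary security credentials, which include an access key ID, a secret
   * access key, and a security (or session) token.
   *
   * The size of the security token that STS API operations return is not fixed.
   * We strongly recommend that you make no assumptions about the maximum size.
   */
  // [MISSING IN LISTING] the member this comment documents (the credentials) was dropped from this listing; restore it from the upstream STS model.

  /**
   * Identifiers for the federated user associated with the credentials (such as
   * arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You can use
   * the federated user's ARN in your resource-based policies, such as an Amazon S3
   * bucket policy.
   */
  // [MISSING IN LISTING] the member this comment documents (the federated user) was dropped from this listing; restore it from the upstream STS model.

  /**
   * A percentage value that indicates the packed size of the session policies and
   * session tags combined passed in the request. The request fails if the packed
   * size is greater than 100 percent, which means the policies and tags exceeded
   * the allowed space.
   */
  PackedPolicySize?: number;
}

export namespace GetFederationTokenResponse {
  /**
   * @internal
   * Returns a shallow copy for logging. Every member is copied through unchanged;
   * nothing is redacted by this filter.
   */
  export const filterSensitiveLog = (obj: GetFederationTokenResponse): any => ({
    ...obj,
  });
}

export interface GetSessionTokenRequest {
  /**
   * The duration, in seconds, that the credentials should remain valid.
   * Acceptable durations for IAM user sessions range from 900 seconds (15
   * minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
   * default. Sessions for Amazon Web Services account owners are restricted to a
   * maximum of 3,600 seconds (one hour). If the duration is longer than one hour,
   * the session for Amazon Web Services account owners defaults to one hour.
   */
  DurationSeconds?: number;

  /**
   * The identification number of the MFA device that is associated with the IAM
   * user who is making the GetSessionToken call. Specify this value if the IAM
   * user has a policy that requires MFA authentication. The value is either the
   * serial number for a hardware device (such as GAHT12345678) or an Amazon
   * Resource Name (ARN) for a virtual device (such as
   * arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM user
   * by going to the Management Console and viewing the user's security
   * credentials.
   *
   * The regex used to validate this parameter is a string of characters
   * consisting of upper- and lower-case alphanumeric characters with no spaces.
   * You can also include underscores or any of the following characters: =,.@:/-
   */
  SerialNumber?: string;

  /**
   * The value provided by the MFA device, if MFA is required. If any policy
   * requires the IAM user to submit an MFA code, specify this value. If MFA
   * authentication is required, the user must provide a code when requesting a
   * set of temporary security credentials. A user who fails to provide the code
   * receives an "access denied" response when requesting resources that require
   * MFA authentication.
   *
   * The format for this parameter, as described by its regex pattern, is a
   * sequence of six numeric digits.
   */
  TokenCode?: string;
}

export namespace GetSessionTokenRequest {
  /**
   * @internal
   * Returns a shallow copy for logging. The one-time MFA TokenCode and the
   * SerialNumber pass through unredacted, so callers that persist the filtered
   * object should not treat it as scrubbed.
   */
  export const filterSensitiveLog = (obj: GetSessionTokenRequest): any => ({
    ...obj,
  });
}

/**
 * Contains the response to a successful GetSessionToken request, including
 * temporary Amazon Web Services credentials that can be used to make Amazon Web
 * Services requests.
 */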
*/ export interface GetSessionTokenResponse { /** *The temporary security credentials, which include an access key ID, a secret access * key, and a security (or session) token.
* *The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*