1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 "fmt" 8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 9 "github.com/aws/aws-sdk-go-v2/service/sts/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12 ) 13 14 // Returns a set of temporary security credentials for users who have been 15 // authenticated via a SAML authentication response. This operation provides a 16 // mechanism for tying an enterprise identity store or directory to role-based 17 // Amazon Web Services access without user-specific credentials or configuration. 18 // For a comparison of AssumeRoleWithSAML with the other API operations that 19 // produce temporary credentials, see Requesting Temporary Security Credentials (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 20 // and Comparing the Amazon Web Services STS API operations (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 21 // in the IAM User Guide. The temporary security credentials returned by this 22 // operation consist of an access key ID, a secret access key, and a security 23 // token. Applications can use these temporary security credentials to sign calls 24 // to Amazon Web Services services. Session Duration By default, the temporary 25 // security credentials created by AssumeRoleWithSAML last for one hour. However, 26 // you can use the optional DurationSeconds parameter to specify the duration of 27 // your session. Your role session lasts for the duration that you specify, or 28 // until the time specified in the SAML authentication response's 29 // SessionNotOnOrAfter value, whichever is shorter. You can provide a 30 // DurationSeconds value from 900 seconds (15 minutes) up to the maximum session 31 // duration setting for the role. This setting can have a value from 1 hour to 12 32 // hours. To learn how to view the maximum value for your role, see View the 33 // Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 34 // in the IAM User Guide. The maximum session duration limit applies when you use 35 // the AssumeRole* API operations or the assume-role* CLI commands. However the 36 // limit does not apply when you use those operations to create a console URL. For 37 // more information, see Using IAM Roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) 38 // in the IAM User Guide. Role chaining (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining) 39 // limits your CLI or Amazon Web Services API role session to a maximum of one 40 // hour. When you use the AssumeRole API operation to assume a role, you can 41 // specify the duration of your role session with the DurationSeconds parameter. 42 // You can specify a parameter value of up to 43200 seconds (12 hours), depending 43 // on the maximum session duration setting for your role. However, if you assume a 44 // role using role chaining and provide a DurationSeconds parameter value greater 45 // than one hour, the operation fails. Permissions The temporary security 46 // credentials created by AssumeRoleWithSAML can be used to make API calls to any 47 // Amazon Web Services service with the following exception: you cannot call the 48 // STS GetFederationToken or GetSessionToken API operations. (Optional) You can 49 // pass inline or managed session policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 50 // to this operation. You can pass a single JSON policy document to use as an 51 // inline session policy. You can also specify up to 10 managed policy Amazon 52 // Resource Names (ARNs) to use as managed session policies. The plaintext that you 53 // use for both inline and managed session policies can't exceed 2,048 characters. 54 // Passing policies to this operation returns new temporary credentials. The 55 // resulting session's permissions are the intersection of the role's 56 // identity-based policy and the session policies. You can use the role's temporary 57 // credentials in subsequent Amazon Web Services API calls to access resources in 58 // the account that owns the role. You cannot use session policies to grant more 59 // permissions than those allowed by the identity-based policy of the role that is 60 // being assumed. For more information, see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 61 // in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of 62 // Amazon Web Services security credentials. The identity of the caller is 63 // validated by using keys in the metadata document that is uploaded for the SAML 64 // provider entity for your identity provider. Calling AssumeRoleWithSAML can 65 // result in an entry in your CloudTrail logs. The entry includes the value in the 66 // NameID element of the SAML assertion. We recommend that you use a NameIDType 67 // that is not associated with any personally identifiable information (PII). For 68 // example, you could instead use the persistent identifier ( 69 // urn:oasis:names:tc:SAML:2.0:nameid-format:persistent ). Tags (Optional) You can 70 // configure your IdP to pass attributes into your SAML assertion as session tags. 71 // Each session tag consists of a key name and an associated value. For more 72 // information about session tags, see Passing Session Tags in STS (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) 73 // in the IAM User Guide. You can pass up to 50 session tags. The plaintext session 74 // tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. 75 // For these and additional limits, see IAM and STS Character Limits (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 76 // in the IAM User Guide. An Amazon Web Services conversion compresses the passed 77 // inline session policy, managed policy ARNs, and session tags into a packed 78 // binary format that has a separate limit. Your request can fail for this limit 79 // even if your plaintext meets the other requirements. The PackedPolicySize 80 // response element indicates by percentage how close the policies and tags for 81 // your request are to the upper size limit. You can pass a session tag with the 82 // same key as a tag that is attached to the role. When you do, session tags 83 // override the role's tags with the same key. An administrator must grant you the 84 // permissions necessary to pass session tags. The administrator can also create 85 // granular permissions to allow you to pass only specific session tags. For more 86 // information, see Tutorial: Using Tags for Attribute-Based Access Control (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 87 // in the IAM User Guide. You can set the session tags as transitive. Transitive 88 // tags persist during role chaining. For more information, see Chaining Roles 89 // with Session Tags (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining) 90 // in the IAM User Guide. SAML Configuration Before your application can call 91 // AssumeRoleWithSAML , you must configure your SAML identity provider (IdP) to 92 // issue the claims required by Amazon Web Services. Additionally, you must use 93 // Identity and Access Management (IAM) to create a SAML provider entity in your 94 // Amazon Web Services account that represents your identity provider. You must 95 // also create an IAM role that specifies this SAML provider in its trust policy. 96 // For more information, see the following resources: 97 // - About SAML 2.0-based Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html) 98 // in the IAM User Guide. 99 // - Creating SAML Identity Providers (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html) 100 // in the IAM User Guide. 101 // - Configuring a Relying Party and Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html) 102 // in the IAM User Guide. 103 // - Creating a Role for SAML 2.0 Federation (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html) 104 // in the IAM User Guide. 105 func (c *Client) AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error) { 106 if params == nil { 107 params = &AssumeRoleWithSAMLInput{} 108 } 109 110 result, metadata, err := c.invokeOperation(ctx, "AssumeRoleWithSAML", params, optFns, c.addOperationAssumeRoleWithSAMLMiddlewares) 111 if err != nil { 112 return nil, err 113 } 114 115 out := result.(*AssumeRoleWithSAMLOutput) 116 out.ResultMetadata = metadata 117 return out, nil 118 } 119 120 type AssumeRoleWithSAMLInput struct { 121 122 // The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the 123 // IdP. 124 // 125 // This member is required. 126 PrincipalArn *string 127 128 // The Amazon Resource Name (ARN) of the role that the caller is assuming. 129 // 130 // This member is required. 131 RoleArn *string 132 133 // The base64 encoded SAML authentication response provided by the IdP. For more 134 // information, see Configuring a Relying Party and Adding Claims (https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html) 135 // in the IAM User Guide. 136 // 137 // This member is required. 138 SAMLAssertion *string 139 140 // The duration, in seconds, of the role session. Your role session lasts for the 141 // duration that you specify for the DurationSeconds parameter, or until the time 142 // specified in the SAML authentication response's SessionNotOnOrAfter value, 143 // whichever is shorter. You can provide a DurationSeconds value from 900 seconds 144 // (15 minutes) up to the maximum session duration setting for the role. This 145 // setting can have a value from 1 hour to 12 hours. If you specify a value higher 146 // than this setting, the operation fails. For example, if you specify a session 147 // duration of 12 hours, but your administrator set the maximum session duration to 148 // 6 hours, your operation fails. To learn how to view the maximum value for your 149 // role, see View the Maximum Session Duration Setting for a Role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session) 150 // in the IAM User Guide. By default, the value is set to 3600 seconds. The 151 // DurationSeconds parameter is separate from the duration of a console session 152 // that you might request using the returned credentials. The request to the 153 // federation endpoint for a console sign-in token takes a SessionDuration 154 // parameter that specifies the maximum length of the console session. For more 155 // information, see Creating a URL that Enables Federated Users to Access the 156 // Amazon Web Services Management Console (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html) 157 // in the IAM User Guide. 158 DurationSeconds *int32 159 160 // An IAM policy in JSON format that you want to use as an inline session policy. 161 // This parameter is optional. Passing policies to this operation returns new 162 // temporary credentials. The resulting session's permissions are the intersection 163 // of the role's identity-based policy and the session policies. You can use the 164 // role's temporary credentials in subsequent Amazon Web Services API calls to 165 // access resources in the account that owns the role. You cannot use session 166 // policies to grant more permissions than those allowed by the identity-based 167 // policy of the role that is being assumed. For more information, see Session 168 // Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 169 // in the IAM User Guide. The plaintext that you use for both inline and managed 170 // session policies can't exceed 2,048 characters. The JSON policy characters can 171 // be any ASCII character from the space character to the end of the valid 172 // character list (\u0020 through \u00FF). It can also include the tab (\u0009), 173 // linefeed (\u000A), and carriage return (\u000D) characters. An Amazon Web 174 // Services conversion compresses the passed inline session policy, managed policy 175 // ARNs, and session tags into a packed binary format that has a separate limit. 176 // Your request can fail for this limit even if your plaintext meets the other 177 // requirements. The PackedPolicySize response element indicates by percentage how 178 // close the policies and tags for your request are to the upper size limit. 179 Policy *string 180 181 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to 182 // use as managed session policies. The policies must exist in the same account as 183 // the role. This parameter is optional. You can provide up to 10 managed policy 184 // ARNs. However, the plaintext that you use for both inline and managed session 185 // policies can't exceed 2,048 characters. For more information about ARNs, see 186 // Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) 187 // in the Amazon Web Services General Reference. An Amazon Web Services conversion 188 // compresses the passed inline session policy, managed policy ARNs, and session 189 // tags into a packed binary format that has a separate limit. Your request can 190 // fail for this limit even if your plaintext meets the other requirements. The 191 // PackedPolicySize response element indicates by percentage how close the policies 192 // and tags for your request are to the upper size limit. Passing policies to this 193 // operation returns new temporary credentials. The resulting session's permissions 194 // are the intersection of the role's identity-based policy and the session 195 // policies. You can use the role's temporary credentials in subsequent Amazon Web 196 // Services API calls to access resources in the account that owns the role. You 197 // cannot use session policies to grant more permissions than those allowed by the 198 // identity-based policy of the role that is being assumed. For more information, 199 // see Session Policies (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 200 // in the IAM User Guide. 201 PolicyArns []types.PolicyDescriptorType 202 203 noSmithyDocumentSerde 204 } 205 206 // Contains the response to a successful AssumeRoleWithSAML request, including 207 // temporary Amazon Web Services credentials that can be used to make Amazon Web 208 // Services requests. 209 type AssumeRoleWithSAMLOutput struct { 210 211 // The identifiers for the temporary security credentials that the operation 212 // returns. 213 AssumedRoleUser *types.AssumedRoleUser 214 215 // The value of the Recipient attribute of the SubjectConfirmationData element of 216 // the SAML assertion. 217 Audience *string 218 219 // The temporary security credentials, which include an access key ID, a secret 220 // access key, and a security (or session) token. The size of the security token 221 // that STS API operations return is not fixed. We strongly recommend that you make 222 // no assumptions about the maximum size. 223 Credentials *types.Credentials 224 225 // The value of the Issuer element of the SAML assertion. 226 Issuer *string 227 228 // A hash value based on the concatenation of the following: 229 // - The Issuer response value. 230 // - The Amazon Web Services account ID. 231 // - The friendly name (the last part of the ARN) of the SAML provider in IAM. 232 // The combination of NameQualifier and Subject can be used to uniquely identify a 233 // user. The following pseudocode shows how the hash value is calculated: BASE64 ( 234 // SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ) 235 NameQualifier *string 236 237 // A percentage value that indicates the packed size of the session policies and 238 // session tags combined passed in the request. The request fails if the packed 239 // size is greater than 100 percent, which means the policies and tags exceeded the 240 // allowed space. 241 PackedPolicySize *int32 242 243 // The value in the SourceIdentity attribute in the SAML assertion. You can 244 // require users to set a source identity value when they assume a role. You do 245 // this by using the sts:SourceIdentity condition key in a role trust policy. That 246 // way, actions that are taken with the role are associated with that user. After 247 // the source identity is set, the value cannot be changed. It is present in the 248 // request for all actions that are taken by the role and persists across chained 249 // role (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining) 250 // sessions. You can configure your SAML identity provider to use an attribute 251 // associated with your users, like user name or email, as the source identity when 252 // calling AssumeRoleWithSAML . You do this by adding an attribute to the SAML 253 // assertion. For more information about using source identity, see Monitor and 254 // control actions taken with assumed roles (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html) 255 // in the IAM User Guide. The regex used to validate this parameter is a string of 256 // characters consisting of upper- and lower-case alphanumeric characters with no 257 // spaces. You can also include underscores or any of the following characters: 258 // =,.@- 259 SourceIdentity *string 260 261 // The value of the NameID element in the Subject element of the SAML assertion. 262 Subject *string 263 264 // The format of the name ID, as defined by the Format attribute in the NameID 265 // element of the SAML assertion. Typical examples of the format are transient or 266 // persistent . If the format includes the prefix 267 // urn:oasis:names:tc:SAML:2.0:nameid-format , that prefix is removed. For example, 268 // urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as transient . 269 // If the format includes any other prefix, the format is returned with no 270 // modifications. 271 SubjectType *string 272 273 // Metadata pertaining to the operation's result. 274 ResultMetadata middleware.Metadata 275 276 noSmithyDocumentSerde 277 } 278 279 func (c *Client) addOperationAssumeRoleWithSAMLMiddlewares(stack *middleware.Stack, options Options) (err error) { 280 if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil { 281 return err 282 } 283 err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRoleWithSAML{}, middleware.After) 284 if err != nil { 285 return err 286 } 287 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRoleWithSAML{}, middleware.After) 288 if err != nil { 289 return err 290 } 291 if err := addProtocolFinalizerMiddlewares(stack, options, "AssumeRoleWithSAML"); err != nil { 292 return fmt.Errorf("add protocol finalizers: %v", err) 293 } 294 295 if err = addlegacyEndpointContextSetter(stack, options); err != nil { 296 return err 297 } 298 if err = addSetLoggerMiddleware(stack, options); err != nil { 299 return err 300 } 301 if err = addClientRequestID(stack); err != nil { 302 return err 303 } 304 if err = addComputeContentLength(stack); err != nil { 305 return err 306 } 307 if err = addResolveEndpointMiddleware(stack, options); err != nil { 308 return err 309 } 310 if err = addRetry(stack, options); err != nil { 311 return err 312 } 313 if err = addRawResponseToMetadata(stack); err != nil { 314 return err 315 } 316 if err = addRecordResponseTiming(stack); err != nil { 317 return err 318 } 319 if err = addClientUserAgent(stack, options); err != nil { 320 return err 321 } 322 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 323 return err 324 } 325 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 326 return err 327 } 328 if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil { 329 return err 330 } 331 if err = addOpAssumeRoleWithSAMLValidationMiddleware(stack); err != nil { 332 return err 333 } 334 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoleWithSAML(options.Region), middleware.Before); err != nil { 335 return err 336 } 337 if err = addRecursionDetection(stack); err != nil { 338 return err 339 } 340 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 341 return err 342 } 343 if err = addResponseErrorMiddleware(stack); err != nil { 344 return err 345 } 346 if err = addRequestResponseLogging(stack, options); err != nil { 347 return err 348 } 349 if err = addDisableHTTPSMiddleware(stack, options); err != nil { 350 return err 351 } 352 return nil 353 } 354 355 func newServiceMetadataMiddleware_opAssumeRoleWithSAML(region string) *awsmiddleware.RegisterServiceMetadata { 356 return &awsmiddleware.RegisterServiceMetadata{ 357 Region: region, 358 ServiceID: ServiceID, 359 OperationName: "AssumeRoleWithSAML", 360 } 361 } 362