The identifiers for the temporary security credentials that the operation * returns.
*/ export interface AssumedRoleUser { /** *A unique identifier that contains the role ID and the role session name of the role that * is being assumed. The role ID is generated by Amazon Web Services when the role is created.
*/ AssumedRoleId: string | undefined; /** *The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in * policies, see IAM Identifiers in the * IAM User Guide.
*/ Arn: string | undefined; } /** * @public *A reference to the IAM managed policy that is passed as a session policy for a role * session or a federated user session.
*/ export interface PolicyDescriptorType { /** *The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy * for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*/ arn?: string; } /** * @public *You can pass custom key-value pair attributes when you assume a role or federate a user. * These are called session tags. You can then use the session tags to control access to * resources. For more information, see Tagging Amazon Web Services STS Sessions in the * IAM User Guide.
*/ export interface Tag { /** *The key for a session tag.
*You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*/ Key: string | undefined; /** *The value for a session tag.
*You can pass up to 50 session tags. The plain text session tag values can’t exceed 256 * characters. For these and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*/ Value: string | undefined; } /** * @public */ export interface AssumeRoleRequest { /** *The Amazon Resource Name (ARN) of the role to assume.
*/ RoleArn: string | undefined; /** *An identifier for the assumed role session.
*Use the role session name to uniquely identify a session when the same role is assumed * by different principals or for different reasons. In cross-account scenarios, the role * session name is visible to, and can be logged by the account that owns the role. The role * session name is also used in the ARN of the assumed role principal. This means that * subsequent cross-account API requests that use the temporary security credentials will * expose the role session name to the external account in their CloudTrail logs.
*The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ RoleSessionName: string | undefined; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value specified can range from 900 * seconds (15 minutes) up to the maximum session duration set for the role. The maximum * session duration setting can have a value from 1 hour to 12 hours. If you specify a value * higher than this setting or the administrator setting (whichever is lower), the operation * fails. For example, if you specify a session duration of 12 hours, but your administrator * set the maximum session duration to 6 hours, your operation fails.
*Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour.
* When you use the AssumeRole API operation to assume a role, you can specify
* the duration of your role session with the DurationSeconds parameter. You can
* specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum
* session duration setting for your role. However, if you assume a role using role chaining
* and provide a DurationSeconds parameter value greater than one hour, the
* operation fails. To learn how to view the maximum value for your role, see View the
* Maximum Session Duration Setting for a Role in the
* IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Amazon Web Services Management Console in the
* IAM User Guide.
A list of session tags that you want to pass. Each session tag consists of a key name * and an associated value. For more information about session tags, see Tagging Amazon Web Services STS * Sessions in the IAM User Guide.
*This parameter is optional. You can pass up to 50 session tags. The plaintext session * tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these * and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the * role. When you do, session tags override a role tag with the same key.
*Tag key–value pairs are not case sensitive, but case is preserved. This means that you
* cannot have separate Department and department tag keys. Assume
* that the role has the Department=Marketing tag and you pass the
* department=engineering session tag. Department
* and department are not saved as separate tags, and the session tag passed in
* the request takes precedence over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new * session inherits any transitive session tags from the calling session. If you pass a * session tag with the same key as an inherited tag, the operation fails. To view the * inherited tags for a session, see the CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the * IAM User Guide.
*/ Tags?: Tag[]; /** *A list of keys for session tags that you want to set as transitive. If you set a tag key * as transitive, the corresponding key and value passes to subsequent sessions in a role * chain. For more information, see Chaining Roles * with Session Tags in the IAM User Guide.
*This parameter is optional. When you set session tags as transitive, the session policy * and session tags packed binary limit is not affected.
*If you choose not to specify a transitive tag key, then no tags are passed from this * session to any subsequent sessions.
*/ TransitiveTagKeys?: string[]; /** *A unique identifier that might be required when you assume a role in another account. If
* the administrator of the account to which the role belongs provided you with an external
* ID, then provide that value in the ExternalId parameter. This value can be any
* string, such as a passphrase or account number. A cross-account role is usually set up to
* trust everyone in an account. Therefore, the administrator of the trusting account might
* send an external ID to the administrator of the trusted account. That way, only someone
* with the ID can assume the role, rather than everyone in the account. For more information
* about the external ID, see How to Use an External ID
* When Granting Access to Your Amazon Web Services Resources to a Third Party in the
* IAM User Guide.
The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: =,.@:/-
*/ ExternalId?: string; /** *The identification number of the MFA device that is associated with the user who is
* making the AssumeRole call. Specify this value if the trust policy of the role
* being assumed includes a condition that requires MFA authentication. The value is either
* the serial number for a hardware device (such as GAHT12345678) or an Amazon
* Resource Name (ARN) for a virtual device (such as
* arn:aws:iam::123456789012:mfa/user).
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ SerialNumber?: string; /** *The value provided by the MFA device, if the trust policy of the role being assumed
* requires MFA. (In other words, if the policy includes a condition that tests for MFA). If
* the role being assumed requires MFA and if the TokenCode value is missing or
* expired, the AssumeRole call returns an "access denied" error.
The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits.
*/ TokenCode?: string; /** *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this
* by using the sts:SourceIdentity condition key in a role trust policy. You can
* use source identity information in CloudTrail logs to determine who took actions with a role.
* You can use the aws:SourceIdentity condition key to further control access to
* Amazon Web Services resources based on the value of source identity. For more information about using
* source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper-
* and lower-case alphanumeric characters with no spaces. You can also include underscores or
* any of the following characters: =,.@-. You cannot use a value that begins with the text
* aws:. This prefix is reserved for Amazon Web Services internal use.
Amazon Web Services credentials for API authentication.
*/ export interface Credentials { /** *The access key ID that identifies the temporary security credentials.
*/ AccessKeyId: string | undefined; /** *The secret access key that can be used to sign requests.
*/ SecretAccessKey: string | undefined; /** *The token that users must pass to the service API to use the temporary * credentials.
*/ SessionToken: string | undefined; /** *The date on which the current credentials expire.
*/ Expiration: Date | undefined; } /** * @public *Contains the response to a successful AssumeRole request, including * temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface AssumeRoleResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
* can use to refer to the resulting temporary security credentials. For example, you can
* reference these credentials as a principal in a resource-based policy by using the ARN or
* assumed role ID. The ARN and ID include the RoleSessionName that you specified
* when you called AssumeRole.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; /** *The source identity specified by the principal that is calling the
* AssumeRole operation.
You can require users to specify a source identity when they assume a role. You do this
* by using the sts:SourceIdentity condition key in a role trust policy. You can
* use source identity information in CloudTrail logs to determine who took actions with a role.
* You can use the aws:SourceIdentity condition key to further control access to
* Amazon Web Services resources based on the value of source identity. For more information about using
* source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- * and lower-case alphanumeric characters with no spaces. You can also include underscores or * any of the following characters: =,.@-
*/ SourceIdentity?: string; } /** * @public *The web identity token that was passed is expired or is not valid. Get a new identity * token from the identity provider and then retry the request.
*/ export declare class ExpiredTokenException extends __BaseException { readonly name: "ExpiredTokenException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe request was rejected because the policy document was malformed. The error message * describes the specific error.
*/ export declare class MalformedPolicyDocumentException extends __BaseException { readonly name: "MalformedPolicyDocumentException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe request was rejected because the total packed size of the session policies and * session tags combined was too large. An Amazon Web Services conversion compresses the session policy * document, session policy ARNs, and session tags into a packed binary format that has a * separate limit. The error message indicates by percentage how close the policies and * tags are to the upper size limit. For more information, see Passing Session Tags in STS in * the IAM User Guide.
*You could receive this error even though you meet other defined session policy and * session tag limits. For more information, see IAM and STS Entity * Character Limits in the IAM User Guide.
*/ export declare class PackedPolicyTooLargeException extends __BaseException { readonly name: "PackedPolicyTooLargeException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeSTS is not activated in the requested region for the account that is being asked to * generate credentials. The account administrator must use the IAM console to activate STS * in that region. For more information, see Activating and * Deactivating Amazon Web Services STS in an Amazon Web Services Region in the IAM User * Guide.
*/ export declare class RegionDisabledException extends __BaseException { readonly name: "RegionDisabledException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe Amazon Resource Name (ARN) of the role that the caller is assuming.
*/ RoleArn: string | undefined; /** *The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the * IdP.
*/ PrincipalArn: string | undefined; /** *The base64 encoded SAML authentication response provided by the IdP.
*For more information, see Configuring a Relying Party and * Adding Claims in the IAM User Guide.
*/ SAMLAssertion: string | undefined; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. Your role session lasts for the duration
* that you specify for the DurationSeconds parameter, or until the time
* specified in the SAML authentication response's SessionNotOnOrAfter value,
* whichever is shorter. You can provide a DurationSeconds value from 900 seconds
* (15 minutes) up to the maximum session duration setting for the role. This setting can have
* a value from 1 hour to 12 hours. If you specify a value higher than this setting, the
* operation fails. For example, if you specify a session duration of 12 hours, but your
* administrator set the maximum session duration to 6 hours, your operation fails. To learn
* how to view the maximum value for your role, see View the
* Maximum Session Duration Setting for a Role in the
* IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Amazon Web Services Management Console in the
* IAM User Guide.
Contains the response to a successful AssumeRoleWithSAML request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface AssumeRoleWithSAMLResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The identifiers for the temporary security credentials that the operation * returns.
*/ AssumedRoleUser?: AssumedRoleUser; /** *A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; /** *The value of the NameID element in the Subject element of the
* SAML assertion.
The format of the name ID, as defined by the Format attribute in the
* NameID element of the SAML assertion. Typical examples of the format are
* transient or persistent.
If the format includes the prefix
* urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For
* example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned as
* transient. If the format includes any other prefix, the format is returned
* with no modifications.
The value of the Issuer element of the SAML assertion.
The value of the Recipient attribute of the
* SubjectConfirmationData element of the SAML assertion.
A hash value based on the concatenation of the following:
*The Issuer response value.
The Amazon Web Services account ID.
*The friendly name (the last part of the ARN) of the SAML provider in IAM.
*The combination of NameQualifier and Subject can be used to
* uniquely identify a user.
The following pseudocode shows how the hash value is calculated:
*
* BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
*
The value in the SourceIdentity attribute in the SAML assertion.
You can require users to set a source identity value when they assume a role. You do
* this by using the sts:SourceIdentity condition key in a role trust policy.
* That way, actions that are taken with the role are associated with that user. After the
* source identity is set, the value cannot be changed. It is present in the request for all
* actions that are taken by the role and persists across chained
* role sessions. You can configure your SAML identity provider to use an attribute
* associated with your users, like user name or email, as the source identity when calling
* AssumeRoleWithSAML. You do this by adding an attribute to the SAML
* assertion. For more information about using source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ SourceIdentity?: string; } /** * @public *The identity provider (IdP) reported that authentication failed. This might be because * the claim is invalid.
*If this error is returned for the AssumeRoleWithWebIdentity operation, it
* can also mean that the claim has expired or has been explicitly revoked.
The web identity token that was passed could not be validated by Amazon Web Services. Get a new * identity token from the identity provider and then retry the request.
*/ export declare class InvalidIdentityTokenException extends __BaseException { readonly name: "InvalidIdentityTokenException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe Amazon Resource Name (ARN) of the role that the caller is assuming.
*/ RoleArn: string | undefined; /** *An identifier for the assumed role session. Typically, you pass the name or identifier
* that is associated with the user who is using your application. That way, the temporary
* security credentials that your application will use are associated with that user. This
* session name is included as part of the ARN and assumed role ID in the
* AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ RoleSessionName: string | undefined; /** *The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
* provider. Your application must get this token by authenticating the user who is using your
* application with a web identity provider before the application makes an
* AssumeRoleWithWebIdentity call.
The fully qualified host component of the domain name of the OAuth 2.0 identity * provider. Do not specify this value for an OpenID Connect identity provider.
*Currently www.amazon.com and graph.facebook.com are the only
* supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and
* port numbers.
Do not specify this value for OpenID Connect ID tokens.
*/ ProviderId?: string; /** *The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role.
*This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*/ PolicyArns?: PolicyDescriptorType[]; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, of the role session. The value can range from 900 seconds (15 * minutes) up to the maximum session duration setting for the role. This setting can have a * value from 1 hour to 12 hours. If you specify a value higher than this setting, the * operation fails. For example, if you specify a session duration of 12 hours, but your * administrator set the maximum session duration to 6 hours, your operation fails. To learn * how to view the maximum value for your role, see View the * Maximum Session Duration Setting for a Role in the * IAM User Guide.
*By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration of a console
* session that you might request using the returned credentials. The request to the
* federation endpoint for a console sign-in token takes a SessionDuration
* parameter that specifies the maximum length of the console session. For more
* information, see Creating a URL
* that Enables Federated Users to Access the Amazon Web Services Management Console in the
* IAM User Guide.
Contains the response to a successful AssumeRoleWithWebIdentity * request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface AssumeRoleWithWebIdentityResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*The unique user identifier that is returned by the identity provider. This identifier is
* associated with the WebIdentityToken that was submitted with the
* AssumeRoleWithWebIdentity call. The identifier is typically unique to the
* user and the application that acquired the WebIdentityToken (pairwise
* identifier). For OpenID Connect ID tokens, this field contains the value returned by the
* identity provider as the token's sub (Subject) claim.
The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you
* can use to refer to the resulting temporary security credentials. For example, you can
* reference these credentials as a principal in a resource-based policy by using the ARN or
* assumed role ID. The ARN and ID include the RoleSessionName that you specified
* when you called AssumeRole.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; /** * The issuing authority of the web identity token presented. For OpenID Connect ID
* tokens, this contains the value of the iss field. For OAuth 2.0 access tokens,
* this contains the value of the ProviderId parameter that was passed in the
* AssumeRoleWithWebIdentity request.
The intended audience (also known as client ID) of the web identity token. This is * traditionally the client identifier issued to the application that requested the web * identity token.
*/ Audience?: string; /** *The value of the source identity that is returned in the JSON web token (JWT) from the * identity provider.
*You can require users to set a source identity value when they assume a role. You do
* this by using the sts:SourceIdentity condition key in a role trust policy.
* That way, actions that are taken with the role are associated with that user. After the
* source identity is set, the value cannot be changed. It is present in the request for all
* actions that are taken by the role and persists across chained
* role sessions. You can configure your identity provider to use an attribute
* associated with your users, like user name or email, as the source identity when calling
* AssumeRoleWithWebIdentity. You do this by adding a claim to the JSON web
* token. To learn more about OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer Guide.
* For more information about using source identity, see Monitor and control
* actions taken with assumed roles in the
* IAM User Guide.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ SourceIdentity?: string; } /** * @public *The request could not be fulfilled because the identity provider (IDP) that * was asked to verify the incoming identity token could not be reached. This is often a * transient error caused by network conditions. Retry the request a limited number of * times so that you don't exceed the request rate. If the error persists, the * identity provider might be down or not responding.
*/ export declare class IDPCommunicationErrorException extends __BaseException { readonly name: "IDPCommunicationErrorException"; readonly $fault: "client"; /** * @internal */ constructor(opts: __ExceptionOptionTypeThe encoded message that was returned with the response.
*/ EncodedMessage: string | undefined; } /** * @public *A document that contains additional information about the authorization status of a * request from an encoded message that is returned in response to an Amazon Web Services request.
*/ export interface DecodeAuthorizationMessageResponse { /** *The API returns a response with the decoded message.
*/ DecodedMessage?: string; } /** * @public *The error returned if the message passed to DecodeAuthorizationMessage
* was invalid. This can happen if the token contains invalid characters, such as
* linebreaks.
The identifier of an access key.
*This parameter allows (through its regex pattern) a string of characters that can * consist of any upper- or lowercase letter or digit.
*/ AccessKeyId: string | undefined; } /** * @public */ export interface GetAccessKeyInfoResponse { /** *The number used to identify the Amazon Web Services account.
*/ Account?: string; } /** * @public */ export interface GetCallerIdentityRequest { } /** * @public *Contains the response to a successful GetCallerIdentity request, * including information about the entity making the request.
*/ export interface GetCallerIdentityResponse { /** *The unique identifier of the calling entity. The exact value depends on the type of * entity that is making the call. The values returned are those listed in the aws:userid column in the Principal * table found on the Policy Variables reference * page in the IAM User Guide.
*/ UserId?: string; /** *The Amazon Web Services account ID number of the account that owns or contains the calling * entity.
*/ Account?: string; /** *The Amazon Web Services ARN associated with the calling entity.
*/ Arn?: string; } /** * @public */ export interface GetFederationTokenRequest { /** *The name of the federated user. The name is used as an identifier for the temporary
* security credentials (such as Bob). For example, you can reference the
* federated user name in a resource-based policy, such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@-
*/ Name: string | undefined; /** *An IAM policy in JSON format that you want to use as an inline session policy.
*You must pass an inline or managed session policy to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as * managed session policies.
*This parameter is optional. However, if you do not pass any session policies, then the * resulting federated user session has no permissions.
*When you pass session policies, the session permissions are the intersection of the * IAM user policies and the session policies that you pass. This gives you a way to further * restrict the permissions for a federated user. You cannot use session policies to grant * more permissions than those that are defined in the permissions policy of the IAM user. * For more information, see Session Policies in * the IAM User Guide.
*The resulting credentials can be used to access a resource that has a resource-based
* policy. If that policy specifically references the federated user session in the
* Principal element of the policy, the session has the permissions allowed by
* the policy. These permissions are granted in addition to the permissions that are granted
* by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a * managed session policy. The policies must exist in the same account as the IAM user that * is requesting federated access.
*You must pass an inline or managed session policy to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as * managed session policies. The plaintext that you use for both inline and managed session * policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For * more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces in the Amazon Web Services General Reference.
*This parameter is optional. However, if you do not pass any session policies, then the * resulting federated user session has no permissions.
*When you pass session policies, the session permissions are the intersection of the * IAM user policies and the session policies that you pass. This gives you a way to further * restrict the permissions for a federated user. You cannot use session policies to grant * more permissions than those that are defined in the permissions policy of the IAM user. * For more information, see Session Policies in * the IAM User Guide.
*The resulting credentials can be used to access a resource that has a resource-based
* policy. If that policy specifically references the federated user session in the
* Principal element of the policy, the session has the permissions allowed by
* the policy. These permissions are granted in addition to the permissions that are granted
* by the session policies.
An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
The duration, in seconds, that the session should last. Acceptable durations for * federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with * 43,200 seconds (12 hours) as the default. Sessions obtained using root user * credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified * duration is longer than one hour, the session obtained by using root user credentials * defaults to one hour.
*/ DurationSeconds?: number; /** *A list of session tags. Each session tag consists of a key name and an associated value. * For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.
*This parameter is optional. You can pass up to 50 session tags. The plaintext session * tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these * and additional limits, see IAM * and STS Character Limits in the IAM User Guide.
*An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs,
* and session tags into a packed binary format that has a separate limit. Your request can
* fail for this limit even if your plaintext meets the other requirements. The
* PackedPolicySize response element indicates by percentage how close the
* policies and tags for your request are to the upper size limit.
You can pass a session tag with the same key as a tag that is already attached to the * user you are federating. When you do, session tags override a user tag with the same key.
*Tag key–value pairs are not case sensitive, but case is preserved. This means that you
* cannot have separate Department and department tag keys. Assume
* that the role has the Department=Marketing tag and you pass the
* department=engineering session tag. Department
* and department are not saved as separate tags, and the session tag passed in
* the request takes precedence over the role tag.
Identifiers for the federated user that is associated with the credentials.
*/ export interface FederatedUser { /** *The string that identifies the federated user associated with the credentials, similar * to the unique ID of an IAM user.
*/ FederatedUserId: string | undefined; /** *The ARN that specifies the federated user that is associated with the credentials. For * more information about ARNs and how to use them in policies, see IAM * Identifiers in the IAM User Guide.
*/ Arn: string | undefined; } /** * @public *Contains the response to a successful GetFederationToken request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface GetFederationTokenResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*Identifiers for the federated user associated with the credentials (such as
* arn:aws:sts::123456789012:federated-user/Bob or
* 123456789012:Bob). You can use the federated user's ARN in your
* resource-based policies, such as an Amazon S3 bucket policy.
A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space.
*/ PackedPolicySize?: number; } /** * @public */ export interface GetSessionTokenRequest { /** *The duration, in seconds, that the credentials should remain valid. Acceptable durations * for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), * with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are * restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one * hour, the session for Amazon Web Services account owners defaults to one hour.
*/ DurationSeconds?: number; /** *The identification number of the MFA device that is associated with the IAM user who
* is making the GetSessionToken call. Specify this value if the IAM user has a
* policy that requires MFA authentication. The value is either the serial number for a
* hardware device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a
* virtual device (such as arn:aws:iam::123456789012:mfa/user). You can find the
* device for an IAM user by going to the Amazon Web Services Management Console and viewing the user's security
* credentials.
The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: =,.@:/-
*/ SerialNumber?: string; /** *The value provided by the MFA device, if MFA is required. If any policy requires the * IAM user to submit an MFA code, specify this value. If MFA authentication is required, * the user must provide a code when requesting a set of temporary security credentials. A * user who fails to provide the code receives an "access denied" response when requesting * resources that require MFA authentication.
*The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits.
*/ TokenCode?: string; } /** * @public *Contains the response to a successful GetSessionToken request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests.
*/ export interface GetSessionTokenResponse { /** *The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token.
*The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size.
*