api_op_GetFederationToken.go (17863B)
1 // Code generated by smithy-go-codegen DO NOT EDIT. 2 3 package sts 4 5 import ( 6 "context" 7 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware" 8 "github.com/aws/aws-sdk-go-v2/aws/signer/v4" 9 "github.com/aws/aws-sdk-go-v2/service/sts/types" 10 "github.com/aws/smithy-go/middleware" 11 smithyhttp "github.com/aws/smithy-go/transport/http" 12 ) 13 14 // Returns a set of temporary security credentials (consisting of an access key ID, 15 // a secret access key, and a security token) for a federated user. A typical use 16 // is in a proxy application that gets temporary security credentials on behalf of 17 // distributed applications inside a corporate network. You must call the 18 // GetFederationToken operation using the long-term security credentials of an IAM 19 // user. As a result, this call is appropriate in contexts where those credentials 20 // can be safely stored, usually in a server-based application. For a comparison of 21 // GetFederationToken with the other API operations that produce temporary 22 // credentials, see Requesting Temporary Security Credentials 23 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html) 24 // and Comparing the Amazon Web Services STS API operations 25 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison) 26 // in the IAM User Guide. You can create a mobile-based or browser-based app that 27 // can authenticate users using a web identity provider like Login with Amazon, 28 // Facebook, Google, or an OpenID Connect-compatible identity provider. In this 29 // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) 30 // or AssumeRoleWithWebIdentity. For more information, see Federation Through a 31 // Web-based Identity Provider 32 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 33 // in the IAM User Guide. You can also call GetFederationToken using the security 34 // credentials of an Amazon Web Services account root user, but we do not recommend 35 // it. Instead, we recommend that you create an IAM user for the purpose of the 36 // proxy application. Then attach a policy to the IAM user that limits federated 37 // users to only the actions and resources that they need to access. For more 38 // information, see IAM Best Practices 39 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the 40 // IAM User Guide. Session duration The temporary credentials are valid for the 41 // specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600 42 // seconds (36 hours). The default session duration is 43,200 seconds (12 hours). 43 // Temporary credentials obtained by using the Amazon Web Services account root 44 // user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions 45 // You can use the temporary credentials created by GetFederationToken in any 46 // Amazon Web Services service except the following: 47 // 48 // * You cannot call any IAM 49 // operations using the CLI or the Amazon Web Services API. 50 // 51 // * You cannot call any 52 // STS operations except GetCallerIdentity. 53 // 54 // You must pass an inline or managed 55 // session policy 56 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 57 // to this operation. You can pass a single JSON policy document to use as an 58 // inline session policy. You can also specify up to 10 managed policies to use as 59 // managed session policies. The plaintext that you use for both inline and managed 60 // session policies can't exceed 2,048 characters. Though the session policy 61 // parameters are optional, if you do not pass a policy, then the resulting 62 // federated user session has no permissions. When you pass session policies, the 63 // session permissions are the intersection of the IAM user policies and the 64 // session policies that you pass. This gives you a way to further restrict the 65 // permissions for a federated user. You cannot use session policies to grant more 66 // permissions than those that are defined in the permissions policy of the IAM 67 // user. For more information, see Session Policies 68 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 69 // in the IAM User Guide. For information about using GetFederationToken to create 70 // temporary security credentials, see GetFederationToken—Federation Through a 71 // Custom Identity Broker 72 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken). 73 // You can use the credentials to access a resource that has a resource-based 74 // policy. If that policy specifically references the federated user session in the 75 // Principal element of the policy, the session has the permissions allowed by the 76 // policy. These permissions are granted in addition to the permissions granted by 77 // the session policies. Tags (Optional) You can pass tag key-value pairs to your 78 // session. These are called session tags. For more information about session tags, 79 // see Passing Session Tags in STS 80 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the 81 // IAM User Guide. You can create a mobile-based or browser-based app that can 82 // authenticate users using a web identity provider like Login with Amazon, 83 // Facebook, Google, or an OpenID Connect-compatible identity provider. In this 84 // case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/) 85 // or AssumeRoleWithWebIdentity. For more information, see Federation Through a 86 // Web-based Identity Provider 87 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity) 88 // in the IAM User Guide. An administrator must grant you the permissions necessary 89 // to pass session tags. The administrator can also create granular permissions to 90 // allow you to pass only specific session tags. For more information, see 91 // Tutorial: Using Tags for Attribute-Based Access Control 92 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html) 93 // in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is 94 // preserved. This means that you cannot have separate Department and department 95 // tag keys. Assume that the user that you are federating has the 96 // Department=Marketing tag and you pass the department=engineering session tag. 97 // Department and department are not saved as separate tags, and the session tag 98 // passed in the request takes precedence over the user tag. 99 func (c *Client) GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error) { 100 if params == nil { 101 params = &GetFederationTokenInput{} 102 } 103 104 result, metadata, err := c.invokeOperation(ctx, "GetFederationToken", params, optFns, c.addOperationGetFederationTokenMiddlewares) 105 if err != nil { 106 return nil, err 107 } 108 109 out := result.(*GetFederationTokenOutput) 110 out.ResultMetadata = metadata 111 return out, nil 112 } 113 114 type GetFederationTokenInput struct { 115 116 // The name of the federated user. The name is used as an identifier for the 117 // temporary security credentials (such as Bob). For example, you can reference the 118 // federated user name in a resource-based policy, such as in an Amazon S3 bucket 119 // policy. The regex used to validate this parameter is a string of characters 120 // consisting of upper- and lower-case alphanumeric characters with no spaces. You 121 // can also include underscores or any of the following characters: =,.@- 122 // 123 // This member is required. 124 Name *string 125 126 // The duration, in seconds, that the session should last. Acceptable durations for 127 // federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 128 // hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using 129 // Amazon Web Services account root user credentials are restricted to a maximum of 130 // 3,600 seconds (one hour). If the specified duration is longer than one hour, the 131 // session obtained by using root user credentials defaults to one hour. 132 DurationSeconds *int32 133 134 // An IAM policy in JSON format that you want to use as an inline session policy. 135 // You must pass an inline or managed session policy 136 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 137 // to this operation. You can pass a single JSON policy document to use as an 138 // inline session policy. You can also specify up to 10 managed policies to use as 139 // managed session policies. This parameter is optional. However, if you do not 140 // pass any session policies, then the resulting federated user session has no 141 // permissions. When you pass session policies, the session permissions are the 142 // intersection of the IAM user policies and the session policies that you pass. 143 // This gives you a way to further restrict the permissions for a federated user. 144 // You cannot use session policies to grant more permissions than those that are 145 // defined in the permissions policy of the IAM user. For more information, see 146 // Session Policies 147 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 148 // in the IAM User Guide. The resulting credentials can be used to access a 149 // resource that has a resource-based policy. If that policy specifically 150 // references the federated user session in the Principal element of the policy, 151 // the session has the permissions allowed by the policy. These permissions are 152 // granted in addition to the permissions that are granted by the session policies. 153 // The plaintext that you use for both inline and managed session policies can't 154 // exceed 2,048 characters. The JSON policy characters can be any ASCII character 155 // from the space character to the end of the valid character list (\u0020 through 156 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage 157 // return (\u000D) characters. An Amazon Web Services conversion compresses the 158 // passed session policies and session tags into a packed binary format that has a 159 // separate limit. Your request can fail for this limit even if your plaintext 160 // meets the other requirements. The PackedPolicySize response element indicates by 161 // percentage how close the policies and tags for your request are to the upper 162 // size limit. 163 Policy *string 164 165 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to 166 // use as a managed session policy. The policies must exist in the same account as 167 // the IAM user that is requesting federated access. You must pass an inline or 168 // managed session policy 169 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 170 // to this operation. You can pass a single JSON policy document to use as an 171 // inline session policy. You can also specify up to 10 managed policies to use as 172 // managed session policies. The plaintext that you use for both inline and managed 173 // session policies can't exceed 2,048 characters. You can provide up to 10 managed 174 // policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) 175 // and Amazon Web Services Service Namespaces 176 // (https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html) in 177 // the Amazon Web Services General Reference. This parameter is optional. However, 178 // if you do not pass any session policies, then the resulting federated user 179 // session has no permissions. When you pass session policies, the session 180 // permissions are the intersection of the IAM user policies and the session 181 // policies that you pass. This gives you a way to further restrict the permissions 182 // for a federated user. You cannot use session policies to grant more permissions 183 // than those that are defined in the permissions policy of the IAM user. For more 184 // information, see Session Policies 185 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session) 186 // in the IAM User Guide. The resulting credentials can be used to access a 187 // resource that has a resource-based policy. If that policy specifically 188 // references the federated user session in the Principal element of the policy, 189 // the session has the permissions allowed by the policy. These permissions are 190 // granted in addition to the permissions that are granted by the session policies. 191 // An Amazon Web Services conversion compresses the passed session policies and 192 // session tags into a packed binary format that has a separate limit. Your request 193 // can fail for this limit even if your plaintext meets the other requirements. The 194 // PackedPolicySize response element indicates by percentage how close the policies 195 // and tags for your request are to the upper size limit. 196 PolicyArns []types.PolicyDescriptorType 197 198 // A list of session tags. Each session tag consists of a key name and an 199 // associated value. For more information about session tags, see Passing Session 200 // Tags in STS 201 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the 202 // IAM User Guide. This parameter is optional. You can pass up to 50 session tags. 203 // The plaintext session tag keys can’t exceed 128 characters and the values can’t 204 // exceed 256 characters. For these and additional limits, see IAM and STS 205 // Character Limits 206 // (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length) 207 // in the IAM User Guide. An Amazon Web Services conversion compresses the passed 208 // session policies and session tags into a packed binary format that has a 209 // separate limit. Your request can fail for this limit even if your plaintext 210 // meets the other requirements. The PackedPolicySize response element indicates by 211 // percentage how close the policies and tags for your request are to the upper 212 // size limit. You can pass a session tag with the same key as a tag that is 213 // already attached to the user you are federating. When you do, session tags 214 // override a user tag with the same key. Tag key–value pairs are not case 215 // sensitive, but case is preserved. This means that you cannot have separate 216 // Department and department tag keys. Assume that the role has the 217 // Department=Marketing tag and you pass the department=engineering session tag. 218 // Department and department are not saved as separate tags, and the session tag 219 // passed in the request takes precedence over the role tag. 220 Tags []types.Tag 221 222 noSmithyDocumentSerde 223 } 224 225 // Contains the response to a successful GetFederationToken request, including 226 // temporary Amazon Web Services credentials that can be used to make Amazon Web 227 // Services requests. 228 type GetFederationTokenOutput struct { 229 230 // The temporary security credentials, which include an access key ID, a secret 231 // access key, and a security (or session) token. The size of the security token 232 // that STS API operations return is not fixed. We strongly recommend that you make 233 // no assumptions about the maximum size. 234 Credentials *types.Credentials 235 236 // Identifiers for the federated user associated with the credentials (such as 237 // arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You can use 238 // the federated user's ARN in your resource-based policies, such as an Amazon S3 239 // bucket policy. 240 FederatedUser *types.FederatedUser 241 242 // A percentage value that indicates the packed size of the session policies and 243 // session tags combined passed in the request. The request fails if the packed 244 // size is greater than 100 percent, which means the policies and tags exceeded the 245 // allowed space. 246 PackedPolicySize *int32 247 248 // Metadata pertaining to the operation's result. 249 ResultMetadata middleware.Metadata 250 251 noSmithyDocumentSerde 252 } 253 254 func (c *Client) addOperationGetFederationTokenMiddlewares(stack *middleware.Stack, options Options) (err error) { 255 err = stack.Serialize.Add(&awsAwsquery_serializeOpGetFederationToken{}, middleware.After) 256 if err != nil { 257 return err 258 } 259 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpGetFederationToken{}, middleware.After) 260 if err != nil { 261 return err 262 } 263 if err = addSetLoggerMiddleware(stack, options); err != nil { 264 return err 265 } 266 if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil { 267 return err 268 } 269 if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil { 270 return err 271 } 272 if err = addResolveEndpointMiddleware(stack, options); err != nil { 273 return err 274 } 275 if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil { 276 return err 277 } 278 if err = addRetryMiddlewares(stack, options); err != nil { 279 return err 280 } 281 if err = addHTTPSignerV4Middleware(stack, options); err != nil { 282 return err 283 } 284 if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil { 285 return err 286 } 287 if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil { 288 return err 289 } 290 if err = addClientUserAgent(stack); err != nil { 291 return err 292 } 293 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil { 294 return err 295 } 296 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil { 297 return err 298 } 299 if err = addOpGetFederationTokenValidationMiddleware(stack); err != nil { 300 return err 301 } 302 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opGetFederationToken(options.Region), middleware.Before); err != nil { 303 return err 304 } 305 if err = addRequestIDRetrieverMiddleware(stack); err != nil { 306 return err 307 } 308 if err = addResponseErrorMiddleware(stack); err != nil { 309 return err 310 } 311 if err = addRequestResponseLogging(stack, options); err != nil { 312 return err 313 } 314 return nil 315 } 316 317 func newServiceMetadataMiddleware_opGetFederationToken(region string) *awsmiddleware.RegisterServiceMetadata { 318 return &awsmiddleware.RegisterServiceMetadata{ 319 Region: region, 320 ServiceID: ServiceID, 321 SigningName: "sts", 322 OperationName: "GetFederationToken", 323 } 324 }