// Code generated by smithy-go-codegen DO NOT EDIT.

package sts

import (
	"context"
	"fmt"
	awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
	"github.com/aws/aws-sdk-go-v2/service/sts/types"
	"github.com/aws/smithy-go/middleware"
	smithyhttp "github.com/aws/smithy-go/transport/http"
)

// AssumeRoot returns a set of short term credentials you can use to perform
// privileged tasks on a member account in your organization.
//
// Before you can launch a privileged session, you must have centralized root
// access in your organization. For steps to enable this feature, see
// [Centralize root access for member accounts] in the IAM User Guide.
//
// The STS global endpoint is not supported for AssumeRoot. You must send this
// request to a Regional STS endpoint. For more information, see [Endpoints].
//
// You can track AssumeRoot in CloudTrail logs to determine what actions were
// performed in a session. For more information, see
// [Track privileged tasks in CloudTrail] in the IAM User Guide.
//
// Security notes (reviewer):
//   - The Credentials in the returned AssumeRootOutput are root-level
//     credentials for the target member account, scoped by TaskPolicyArn and
//     limited in lifetime by DurationSeconds. Treat them as highly sensitive
//     secrets: keep them in memory, never persist or log them, and let them
//     expire rather than reusing them beyond the task they were issued for.
//   - params.TargetPrincipal selects whose root is assumed. If it is derived
//     from user-controlled input, validate it against an allow-list of
//     expected account IDs/ARNs before calling this operation.
//   - A nil params is replaced by an empty input; the required fields
//     (TargetPrincipal, TaskPolicyArn) are then presumably rejected
//     client-side by addOpAssumeRootValidationMiddleware (installed in
//     addOperationAssumeRootMiddlewares) before any request is sent.
//
// [Endpoints]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
// [Track privileged tasks in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
// [Centralize root access for member accounts]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
func (c *Client) AssumeRoot(ctx context.Context, params *AssumeRootInput, optFns ...func(*Options)) (*AssumeRootOutput, error) {
	// Never dereference a nil input; an empty input is handed to the stack
	// so that validation (not a panic) reports the missing required fields.
	if params == nil {
		params = &AssumeRootInput{}
	}

	// invokeOperation builds the per-call middleware stack via
	// addOperationAssumeRootMiddlewares and executes the request.
	result, metadata, err := c.invokeOperation(ctx, "AssumeRoot", params, optFns, c.addOperationAssumeRootMiddlewares)
	if err != nil {
		return nil, err
	}

	// Unchecked assertion: the deserializer installed for this operation
	// (awsAwsquery_deserializeOpAssumeRoot) is presumably the only producer
	// of result, so a mismatch here would be an SDK bug, not a caller error.
	out := result.(*AssumeRootOutput)
	out.ResultMetadata = metadata
	return out, nil
}

// AssumeRootInput is the request to AssumeRoot.
//
// All three fields are read only by the serializer/validation middlewares;
// nothing in this file enforces the documented ranges client-side beyond the
// required-field check, so out-of-range values are rejected by STS itself.
type AssumeRootInput struct {

	// The member account principal ARN or account ID.
	//
	// NOTE(review): this value determines which account's root is assumed.
	// Callers that build it from untrusted input must validate it against the
	// set of accounts they intend to manage.
	//
	// This member is required.
	TargetPrincipal *string

	// The identity based policy that scopes the session to the privileged tasks that
	// can be performed. You can use one of following Amazon Web Services managed
	// policies to scope root session actions.
	//
	// [IAMAuditRootUserCredentials]
	//
	// [IAMCreateRootUserPassword]
	//
	// [IAMDeleteRootUserCredentials]
	//
	// [S3UnlockBucketPolicy]
	//
	// [SQSUnlockQueuePolicy]
	//
	// NOTE(review): pick the narrowest policy that covers the task at hand;
	// the policy is the only scoping applied to the root session's actions.
	//
	// [IAMDeleteRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
	// [IAMCreateRootUserPassword]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
	// [IAMAuditRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
	// [S3UnlockBucketPolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
	// [SQSUnlockQueuePolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
	//
	// This member is required.
	TaskPolicyArn *types.PolicyDescriptorType

	// The duration, in seconds, of the privileged session. The value can range from 0
	// seconds up to the maximum session duration of 900 seconds (15 minutes). If you
	// specify a value higher than this setting, the operation fails.
	//
	// By default, the value is set to 900 seconds.
	//
	// NOTE(review): nil means "use the service default" (900 s). Prefer an
	// explicit, shorter value for one-off tasks; the cap is enforced by STS,
	// not by this client.
	DurationSeconds *int32

	noSmithyDocumentSerde
}

// AssumeRootOutput is the response from AssumeRoot.
type AssumeRootOutput struct {

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security token.
	//
	// The size of the security token that STS API operations return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size.
	//
	// NOTE(review): these are root-level credentials for the target account.
	// Do not log, persist, or serialize this struct; in particular, if the
	// client's log mode includes response bodies, the raw response carrying
	// these credentials may be written to the configured logger (see
	// addRequestResponseLogging in addOperationAssumeRootMiddlewares) —
	// confirm the client Options before enabling body logging in production.
	Credentials *types.Credentials

	// The source identity specified by the principal that is calling the AssumeRoot
	// operation.
	//
	// You can use the aws:SourceIdentity condition key to control access based on the
	// value of source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]
	// in the IAM User Guide.
	//
	// The regex used to validate this parameter is a string of characters consisting
	// of upper- and lower-case alphanumeric characters with no spaces. You can also
	// include underscores or any of the following characters: =,.@-
	//
	// NOTE(review): this value is echoed back by STS and is useful for
	// correlating the session with CloudTrail records; nil when the calling
	// principal set no source identity — confirm against the STS API reference.
	//
	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
	SourceIdentity *string

	// Metadata pertaining to the operation's result.
	ResultMetadata middleware.Metadata

	noSmithyDocumentSerde
}

// addOperationAssumeRootMiddlewares assembles the middleware stack for a
// single AssumeRoot call: serialization/deserialization for the awsquery
// protocol, endpoint resolution, signing-related options, retries, response
// handling, logging, tracing spans and interceptor hooks.
//
// The order of these calls determines where each middleware lands within its
// step (several are added relative to others with middleware.After /
// middleware.Before), so the sequence must be kept exactly as generated.
// Returns the first error encountered while adding a middleware.
func (c *Client) addOperationAssumeRootMiddlewares(stack *middleware.Stack, options Options) (err error) {
	// Serialize step: copy the typed input into the request, then encode it
	// with the awsquery protocol serializer for this operation.
	if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
		return err
	}
	err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRoot{}, middleware.After)
	if err != nil {
		return err
	}
	// Deserialize step: decode the awsquery response into *AssumeRootOutput.
	err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRoot{}, middleware.After)
	if err != nil {
		return err
	}
	// Protocol finalizers (presumably including the request signer) for this
	// operation; wrapped with context because this is the one call here that
	// does not already carry an operation-specific message.
	if err := addProtocolFinalizerMiddlewares(stack, options, "AssumeRoot"); err != nil {
		return fmt.Errorf("add protocol finalizers: %v", err)
	}

	if err = addlegacyEndpointContextSetter(stack, options); err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = addClientRequestID(stack); err != nil {
		return err
	}
	if err = addComputeContentLength(stack); err != nil {
		return err
	}
	// Endpoint resolution: AssumeRoot must go to a Regional STS endpoint (see
	// the AssumeRoot doc comment); the global endpoint is not supported.
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	// Payload hash, presumably consumed by the request signer.
	if err = addComputePayloadSHA256(stack); err != nil {
		return err
	}
	// Retry loop per the client's configured retry mode.
	if err = addRetry(stack, options); err != nil {
		return err
	}
	if err = addRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = addRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addSpanRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addClientUserAgent(stack, options); err != nil {
		return err
	}
	// Ensure response bodies are closed on both the error and success paths so
	// the underlying transport connection can be reused.
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
		return err
	}
	// Clock-skew compensation for signing; needs the client for its offset.
	if err = addTimeOffsetBuild(stack, c); err != nil {
		return err
	}
	if err = addUserAgentRetryMode(stack, options); err != nil {
		return err
	}
	if err = addCredentialSource(stack, options); err != nil {
		return err
	}
	// Client-side validation of AssumeRootInput (required fields) before the
	// request leaves the process.
	if err = addOpAssumeRootValidationMiddleware(stack); err != nil {
		return err
	}
	// Service/operation metadata (region, service ID, operation name) for
	// downstream middlewares; placed at the front of the Initialize step.
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoot(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRecursionDetection(stack); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	// NOTE(review): when the client's log mode includes response bodies, the
	// AssumeRoot response — which carries root-level credentials — may be
	// written to the configured logger. Keep body logging off for this
	// client in production; confirm how Options exposes the log mode.
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	// NOTE(review): by name this honors an option that downgrades the
	// transport to plaintext HTTP. For an operation that returns root
	// credentials that option must never be enabled outside a local test
	// harness — confirm which Options field drives it.
	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
		return err
	}
	// User-supplied interceptor hooks, one per lifecycle point.
	if err = addInterceptBeforeRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addInterceptAttempt(stack, options); err != nil {
		return err
	}
	if err = addInterceptExecution(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeSerialization(stack, options); err != nil {
		return err
	}
	if err = addInterceptAfterSerialization(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeSigning(stack, options); err != nil {
		return err
	}
	if err = addInterceptAfterSigning(stack, options); err != nil {
		return err
	}
	if err = addInterceptTransmit(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeDeserialization(stack, options); err != nil {
		return err
	}
	if err = addInterceptAfterDeserialization(stack, options); err != nil {
		return err
	}
	// Tracing spans around the Initialize and Build steps.
	if err = addSpanInitializeStart(stack); err != nil {
		return err
	}
	if err = addSpanInitializeEnd(stack); err != nil {
		return err
	}
	if err = addSpanBuildRequestStart(stack); err != nil {
		return err
	}
	if err = addSpanBuildRequestEnd(stack); err != nil {
		return err
	}
	return nil
}

// newServiceMetadataMiddleware_opAssumeRoot builds the Initialize-step
// middleware that records the region, the package's ServiceID and the
// operation name "AssumeRoot" for this call.
func newServiceMetadataMiddleware_opAssumeRoot(region string) *awsmiddleware.RegisterServiceMetadata {
	return &awsmiddleware.RegisterServiceMetadata{
		Region:        region,
		ServiceID:     ServiceID,
		OperationName: "AssumeRoot",
	}
}