@aws-sdk/client-sts

/** * The identifiers for the temporary security credentials that the operation * returns. * @public */ export interface AssumedRoleUser { /** * A unique identifier that contains the role ID and the role session name of the role that * is being assumed. The role ID is generated by Amazon Web Services when the role is created. * @public */ AssumedRoleId: string | undefined; /** * The ARN of the temporary security credentials that are returned from the <a>AssumeRole</a> action. For more information about ARNs and how to use them in * policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html">IAM Identifiers</a> in the * IAM User Guide. * @public */ Arn: string | undefined; } /** * A reference to the IAM managed policy that is passed as a session policy for a role * session or a federated user session. * @public */ export interface PolicyDescriptorType { /** * The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy * for the role. For more information about ARNs, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces</a> in the Amazon Web Services General Reference. * @public */ arn?: string | undefined; } /** * Contains information about the provided context. This includes the signed and encrypted * trusted context assertion and the context provider ARN from which the trusted context * assertion was generated. * @public */ export interface ProvidedContext { /** * The context provider ARN from which the trusted context assertion was generated. * @public */ ProviderArn?: string | undefined; /** * The signed and encrypted trusted context assertion generated by the context provider. * The trusted context assertion is signed and encrypted by Amazon Web Services STS. * @public */ ContextAssertion?: string | undefined; } /** * You can pass custom key-value pair attributes when you assume a role or federate a user. * These are called session tags. You can then use the session tags to control access to * resources. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Tagging Amazon Web Services STS Sessions</a> in the * IAM User Guide. * @public */ export interface Tag { /** * The key for a session tag. * You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 * characters. For these and additional limits, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM * and STS Character Limits</a> in the IAM User Guide. * @public */ Key: string | undefined; /** * The value for a session tag. * You can pass up to 50 session tags. The plain text session tag values can’t exceed 256 * characters. For these and additional limits, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM * and STS Character Limits</a> in the IAM User Guide. * @public */ Value: string | undefined; } /** * @public */ export interface AssumeRoleRequest { /** * The Amazon Resource Name (ARN) of the role to assume. * @public */ RoleArn: string | undefined; /** * An identifier for the assumed role session. * Use the role session name to uniquely identify a session when the same role is assumed * by different principals or for different reasons. In cross-account scenarios, the role * session name is visible to, and can be logged by the account that owns the role. The role * session name is also used in the ARN of the assumed role principal. This means that * subsequent cross-account API requests that use the temporary security credentials will * expose the role session name to the external account in their CloudTrail logs. * For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your * administrator might require that you specify your user name as the session name when you * assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname"> * <code>sts:RoleSessionName</code> * </a>. * The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: +=,.@- * @public */ RoleSessionName: string | undefined; /** * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role. * This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces</a> in the Amazon Web Services General Reference. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * @public */ PolicyArns?: PolicyDescriptorType[] | undefined; /** * An IAM policy in JSON format that you want to use as an inline session policy. * This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * policies</a>. * @public */ Policy?: string | undefined; /** * The duration, in seconds, of the role session. The value specified can range from 900 * seconds (15 minutes) up to the maximum session duration set for the role. The maximum * session duration setting can have a value from 1 hour to 12 hours. If you specify a value * higher than this setting or the administrator setting (whichever is lower), the operation * fails. For example, if you specify a session duration of 12 hours, but your administrator * set the maximum session duration to 6 hours, your operation fails. * Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role session to a maximum of one hour. * When you use the <code>AssumeRole</code> API operation to assume a role, you can specify * the duration of your role session with the <code>DurationSeconds</code> parameter. You can * specify a parameter value of up to 43200 seconds (12 hours), depending on the maximum * session duration setting for your role. However, if you assume a role using role chaining * and provide a <code>DurationSeconds</code> parameter value greater than one hour, the * operation fails. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role</a>. * By default, the value is set to <code>3600</code> seconds. * <note> * The <code>DurationSeconds</code> parameter is separate from the duration of a console * session that you might request using the returned credentials. The request to the * federation endpoint for a console sign-in token takes a <code>SessionDuration</code> * parameter that specifies the maximum length of the console session. For more * information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html">Creating a URL * that Enables Federated Users to Access the Amazon Web Services Management Console</a> in the * IAM User Guide. * </note> * @public */ DurationSeconds?: number | undefined; /** * A list of session tags that you want to pass. Each session tag consists of a key name * and an associated value. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Tagging Amazon Web Services STS * Sessions</a> in the IAM User Guide. * This parameter is optional. You can pass up to 50 session tags. The plaintext session * tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these * and additional limits, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM * and STS Character Limits</a> in the IAM User Guide. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * You can pass a session tag with the same key as a tag that is already attached to the * role. When you do, session tags override a role tag with the same key. * Tag key–value pairs are not case sensitive, but case is preserved. This means that you * cannot have separate <code>Department</code> and <code>department</code> tag keys. Assume * that the role has the <code>Department</code>=<code>Marketing</code> tag and you pass the * <code>department</code>=<code>engineering</code> session tag. <code>Department</code> * and <code>department</code> are not saved as separate tags, and the session tag passed in * the request takes precedence over the role tag. * Additionally, if you used temporary credentials to perform this operation, the new * session inherits any transitive session tags from the calling session. If you pass a * session tag with the same key as an inherited tag, the operation fails. To view the * inherited tags for a session, see the CloudTrail logs. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs">Viewing Session Tags in CloudTrail</a> in the * IAM User Guide. * @public */ Tags?: Tag[] | undefined; /** * A list of keys for session tags that you want to set as transitive. If you set a tag key * as transitive, the corresponding key and value passes to subsequent sessions in a role * chain. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles * with Session Tags</a> in the IAM User Guide. * This parameter is optional. The transitive status of a session tag does not impact its * packed binary size. * If you choose not to specify a transitive tag key, then no tags are passed from this * session to any subsequent sessions. * @public */ TransitiveTagKeys?: string[] | undefined; /** * A unique identifier that might be required when you assume a role in another account. If * the administrator of the account to which the role belongs provided you with an external * ID, then provide that value in the <code>ExternalId</code> parameter. This value can be any * string, such as a passphrase or account number. A cross-account role is usually set up to * trust everyone in an account. Therefore, the administrator of the trusting account might * send an external ID to the administrator of the trusted account. That way, only someone * with the ID can assume the role, rather than everyone in the account. For more information * about the external ID, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html">How to Use an External ID * When Granting Access to Your Amazon Web Services Resources to a Third Party</a> in the * IAM User Guide. * The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: +=,.@:\/- * @public */ ExternalId?: string | undefined; /** * The identification number of the MFA device that is associated with the user who is * making the <code>AssumeRole</code> call. Specify this value if the trust policy of the role * being assumed includes a condition that requires MFA authentication. The value is either * the serial number for a hardware device (such as <code>GAHT12345678</code>) or an Amazon * Resource Name (ARN) for a virtual device (such as * <code>arn:aws:iam::123456789012:mfa/user</code>). * The regex used to validate this parameter is a string of * characters consisting of upper- and lower-case alphanumeric characters with no spaces. * You can also include underscores or any of the following characters: +=/:,.@- * @public */ SerialNumber?: string | undefined; /** * The value provided by the MFA device, if the trust policy of the role being assumed * requires MFA. (In other words, if the policy includes a condition that tests for MFA). If * the role being assumed requires MFA and if the <code>TokenCode</code> value is missing or * expired, the <code>AssumeRole</code> call returns an "access denied" error. * The format for this parameter, as described by its regex pattern, is a sequence of six * numeric digits. * @public */ TokenCode?: string | undefined; /** * The source identity specified by the principal that is calling the * <code>AssumeRole</code> operation. The source identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a> sessions. * You can require users to specify a source identity when they assume a role. You do this * by using the <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_condition-keys.html#condition-keys-sourceidentity"> * <code>sts:SourceIdentity</code> * </a> condition key in a role trust policy. You * can use source identity information in CloudTrail logs to determine who took actions with a * role. You can use the <code>aws:SourceIdentity</code> condition key to further control * access to Amazon Web Services resources based on the value of source identity. For more information about * using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control * actions taken with assumed roles</a> in the * IAM User Guide. * The regex used to validate this parameter is a string of characters consisting of upper- * and lower-case alphanumeric characters with no spaces. You can also include underscores or * any of the following characters: +=,.@-. You cannot use a value that begins with the text * <code>aws:</code>. This prefix is reserved for Amazon Web Services internal use. * @public */ SourceIdentity?: string | undefined; /** * A list of previously acquired trusted context assertions in the format of a JSON array. * The trusted context assertion is signed and encrypted by Amazon Web Services STS. * The following is an example of a <code>ProvidedContext</code> value that includes a * single trusted context assertion and the ARN of the context provider from which the trusted * context assertion was generated. * * <code>[\{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"\}]</code> * * @public */ ProvidedContexts?: ProvidedContext[] | undefined; } /** * Amazon Web Services credentials for API authentication. * @public */ export interface Credentials { /** * The access key ID that identifies the temporary security credentials. * @public */ AccessKeyId: string | undefined; /** * The secret access key that can be used to sign requests. * @public */ SecretAccessKey: string | undefined; /** * The token that users must pass to the service API to use the temporary * credentials. * @public */ SessionToken: string | undefined; /** * The date on which the current credentials expire. * @public */ Expiration: Date | undefined; } /** * Contains the response to a successful <a>AssumeRole</a> request, including * temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests. * @public */ export interface AssumeRoleResponse { /** * The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token. * <note> * The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size. * </note> * @public */ Credentials?: Credentials | undefined; /** * The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you * can use to refer to the resulting temporary security credentials. For example, you can * reference these credentials as a principal in a resource-based policy by using the ARN or * assumed role ID. The ARN and ID include the <code>RoleSessionName</code> that you specified * when you called <code>AssumeRole</code>. * @public */ AssumedRoleUser?: AssumedRoleUser | undefined; /** * A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space. * @public */ PackedPolicySize?: number | undefined; /** * The source identity specified by the principal that is calling the * <code>AssumeRole</code> operation. * You can require users to specify a source identity when they assume a role. You do this * by using the <code>sts:SourceIdentity</code> condition key in a role trust policy. You can * use source identity information in CloudTrail logs to determine who took actions with a role. * You can use the <code>aws:SourceIdentity</code> condition key to further control access to * Amazon Web Services resources based on the value of source identity. For more information about using * source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control * actions taken with assumed roles</a> in the * IAM User Guide. * The regex used to validate this parameter is a string of characters consisting of upper- * and lower-case alphanumeric characters with no spaces. You can also include underscores or * any of the following characters: =,.@- * @public */ SourceIdentity?: string | undefined; } /** * @public */ export interface AssumeRoleWithSAMLRequest { /** * The Amazon Resource Name (ARN) of the role that the caller is assuming. * @public */ RoleArn: string | undefined; /** * The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the * IdP. * @public */ PrincipalArn: string | undefined; /** * The base64 encoded SAML authentication response provided by the IdP. * For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html">Configuring a Relying Party and * Adding Claims</a> in the IAM User Guide. * @public */ SAMLAssertion: string | undefined; /** * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role. * This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces</a> in the Amazon Web Services General Reference. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * @public */ PolicyArns?: PolicyDescriptorType[] | undefined; /** * An IAM policy in JSON format that you want to use as an inline session policy. * This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters. * For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * policies</a>. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * @public */ Policy?: string | undefined; /** * The duration, in seconds, of the role session. Your role session lasts for the duration * that you specify for the <code>DurationSeconds</code> parameter, or until the time * specified in the SAML authentication response's <code>SessionNotOnOrAfter</code> value, * whichever is shorter. You can provide a <code>DurationSeconds</code> value from 900 seconds * (15 minutes) up to the maximum session duration setting for the role. This setting can have * a value from 1 hour to 12 hours. If you specify a value higher than this setting, the * operation fails. For example, if you specify a session duration of 12 hours, but your * administrator set the maximum session duration to 6 hours, your operation fails. To learn * how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the * Maximum Session Duration Setting for a Role</a> in the * IAM User Guide. * By default, the value is set to <code>3600</code> seconds. * <note> * The <code>DurationSeconds</code> parameter is separate from the duration of a console * session that you might request using the returned credentials. The request to the * federation endpoint for a console sign-in token takes a <code>SessionDuration</code> * parameter that specifies the maximum length of the console session. For more * information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html">Creating a URL * that Enables Federated Users to Access the Amazon Web Services Management Console</a> in the * IAM User Guide. * </note> * @public */ DurationSeconds?: number | undefined; } /** * Contains the response to a successful <a>AssumeRoleWithSAML</a> request, * including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests. * @public */ export interface AssumeRoleWithSAMLResponse { /** * The temporary security credentials, which include an access key ID, a secret access key, * and a security (or session) token. * <note> * The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size. * </note> * @public */ Credentials?: Credentials | undefined; /** * The identifiers for the temporary security credentials that the operation * returns. * @public */ AssumedRoleUser?: AssumedRoleUser | undefined; /** * A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent, * which means the policies and tags exceeded the allowed space. * @public */ PackedPolicySize?: number | undefined; /** * The value of the <code>NameID</code> element in the <code>Subject</code> element of the * SAML assertion. * @public */ Subject?: string | undefined; /** * The format of the name ID, as defined by the <code>Format</code> attribute in the * <code>NameID</code> element of the SAML assertion. Typical examples of the format are * <code>transient</code> or <code>persistent</code>. * If the format includes the prefix * <code>urn:oasis:names:tc:SAML:2.0:nameid-format</code>, that prefix is removed. For * example, <code>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</code> is returned as * <code>transient</code>. If the format includes any other prefix, the format is returned * with no modifications. * @public */ SubjectType?: string | undefined; /** * The value of the <code>Issuer</code> element of the SAML assertion. * @public */ Issuer?: string | undefined; /** * The value of the <code>Recipient</code> attribute of the * <code>SubjectConfirmationData</code> element of the SAML assertion. * @public */ Audience?: string | undefined; /** * A hash value based on the concatenation of the following: * <ul> * <li> * The <code>Issuer</code> response value. * </li> * <li> * The Amazon Web Services account ID. * </li> * <li> * The friendly name (the last part of the ARN) of the SAML provider in IAM. * </li> * </ul> * The combination of <code>NameQualifier</code> and <code>Subject</code> can be used to * uniquely identify a user. * The following pseudocode shows how the hash value is calculated: * * <code>BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )</code> * * @public */ NameQualifier?: string | undefined; /** * The value in the <code>SourceIdentity</code> attribute in the SAML assertion. The source * identity value persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining">chained role</a> * sessions. * You can require users to set a source identity value when they assume a role. You do * this by using the <code>sts:SourceIdentity</code> condition key in a role trust policy. * That way, actions that are taken with the role are associated with that user. After the * source identity is set, the value cannot be changed. It is present in the request for all * actions that are taken by the role and persists across <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#id_roles_terms-and-concepts">chained role</a> * sessions. You can configure your SAML identity provider to use an attribute associated with * your users, like user name or email, as the source identity when calling * <code>AssumeRoleWithSAML</code>. You do this by adding an attribute to the SAML * assertion. For more information about using source identity, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html">Monitor and control * actions taken with assumed roles</a> in the * IAM User Guide. * The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@- * @public */ SourceIdentity?: string | undefined; } /** * @public */ export interface AssumeRoleWithWebIdentityRequest { /** * The Amazon Resource Name (ARN) of the role that the caller is assuming. * <note> * Additional considerations apply to Amazon Cognito identity pools that assume <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies-cross-account-resource-access.html">cross-account IAM roles</a>. The trust policies of these roles must accept the * <code>cognito-identity.amazonaws.com</code> service principal and must contain the * <code>cognito-identity.amazonaws.com:aud</code> condition key to restrict role * assumption to users from your intended identity pools. A policy that trusts Amazon Cognito * identity pools without this condition creates a risk that a user from an unintended * identity pool can assume the role. For more information, see <a href="https://docs.aws.amazon.com/cognito/latest/developerguide/iam-roles.html#trust-policies"> Trust policies for * IAM roles in Basic (Classic) authentication </a> in the Amazon Cognito * Developer Guide. * </note> * @public */ RoleArn: string | undefined; /** * An identifier for the assumed role session. Typically, you pass the name or identifier * that is associated with the user who is using your application. That way, the temporary * security credentials that your application will use are associated with that user. This * session name is included as part of the ARN and assumed role ID in the * <code>AssumedRoleUser</code> response element. * For security purposes, administrators can view this field in <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html#cloudtrail-integration_signin-tempcreds">CloudTrail logs</a> to help identify who performed an action in Amazon Web Services. Your * administrator might require that you specify your user name as the session name when you * assume the role. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_iam-condition-keys.html#ck_rolesessionname"> * <code>sts:RoleSessionName</code> * </a>. * The regex used to validate this parameter is a string of characters * consisting of upper- and lower-case alphanumeric characters with no spaces. You can * also include underscores or any of the following characters: =,.@- * @public */ RoleSessionName: string | undefined; /** * The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity * provider. Your application must get this token by authenticating the user who is using your * application with a web identity provider before the application makes an * <code>AssumeRoleWithWebIdentity</code> call. Timestamps in the token must be formatted * as either an integer or a long integer. Tokens must be signed using either RSA keys (RS256, * RS384, or RS512) or ECDSA keys (ES256, ES384, or ES512). * @public */ WebIdentityToken: string | undefined; /** * The fully qualified host component of the domain name of the OAuth 2.0 identity * provider. Do not specify this value for an OpenID Connect identity provider. * Currently <code>www.amazon.com</code> and <code>graph.facebook.com</code> are the only * supported identity providers for OAuth 2.0 access tokens. Do not include URL schemes and * port numbers. * Do not specify this value for OpenID Connect ID tokens. * @public */ ProviderId?: string | undefined; /** * The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as * managed session policies. The policies must exist in the same account as the role. * This parameter is optional. You can provide up to 10 managed policy ARNs. However, the * plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. For more information about ARNs, see <a href="https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html">Amazon Resource Names (ARNs) and Amazon Web Services * Service Namespaces</a> in the Amazon Web Services General Reference. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * @public */ PolicyArns?: PolicyDescriptorType[] | undefined; /** * An IAM policy in JSON format that you want to use as an inline session policy. * This parameter is optional. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * Policies</a> in the IAM User Guide. * The plaintext that you use for both inline and managed session policies can't exceed * 2,048 characters. The JSON policy characters can be any ASCII character from the space * character to the end of the valid character list (\u0020 through \u00FF). It can also * include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) * characters. * For more information about role session permissions, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session * policies</a>. * <note> * An Amazon Web Services conversion compresses the passed inline session policy, managed policy ARNs, * and session tags into a packed binary format that has a separate limit. Your request can * fail for this limit even if your plaintext meets the other requirements. The * <code>PackedPolicySize</code> response element indicates by percentage how close the * policies and tags for your request are to the upper size limit. * </note> * @public */ Policy?: string | undefined; /** * The duration, in seconds, of the role session. The value can range from 900 seconds (15 * minutes) up to the maximum session duration setting for the role. This setting can have a * value from 1 hour to 12 hours. If you specify a value higher than this setting, the * operation fails. For example, if you specify a session duration of 12 hours, but your * administrator set the maximum session duration to 6 hours, your operation fails. To learn * how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the * Maximum Session Duration Setting for a Role</a> in the * IAM User Guide. * By default, the value is set to <code>3600</code> seconds. * <note> * The <code>DurationSeconds</code> parameter is separate from the duration of a console * session that you might request using the returned credentials. The request to the * federation endpoint for a console sign-in token takes a <code>SessionDuration</code> * parameter that specifies the maximum length of the console session. For more * information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html">Creating a URL * that Enables Federated Users to Access the Amazon Web Services Management Console</a> in the * IAM User Guide. * </note> * @public */ DurationSeconds?: number | undefined; } /** * Contains the response to a successful <a>AssumeRoleWithWebIdentity</a> * request, including temporary Amazon Web Services credentials that can be used to make Amazon Web Services requests. * @public */ export interface AssumeRoleWithWebIdentityResponse { /** * The temporary security credentials, which include an access key ID, a secret access key, * and a security token. * <note> * The size of the security token that STS API operations return is not fixed. We * strongly recommend that you make no assumptions about the maximum size. * </note> * @public */ Credentials?: Credentials | undefined; /** * The unique user identifier that is returned by the identity provider. This identifier is * associated with the <code>WebIdentityToken</code> that was submitted with the * <code>AssumeRoleWithWebIdentity</code> call. The identifier is typically unique to the * user and the application that acquired the <code>WebIdentityToken</code> (pairwise * identifier). For OpenID Connect ID tokens, this field contains the value returned by the * identity provider as the token's <code>sub</code> (Subject) claim. * @public */ SubjectFromWebIdentityToken?: string | undefined; /** * The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that you * can use to refer to the resulting temporary security credentials. For example, you can * reference these credentials as a principal in a resource-based policy by using the ARN or * assumed role ID. The ARN and ID include the <code>RoleSessionName</code> that you specified * when you called <code>AssumeRole</code>. * @public */ AssumedRoleUser?: AssumedRoleUser | undefined; /** * A percentage value that indicates the packed size of the session policies and session * tags combined passed in the request. The request fails if the packed size is greater than 100 percent,