Diffstat (limited to 'vendor/github.com/aws/aws-sdk-go/service/sts/api.go')
-rw-r--r--vendor/github.com/aws/aws-sdk-go/service/sts/api.go475
1 files changed, 340 insertions, 135 deletions
diff --git a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
index d183fab..e10ca8f 100644
--- a/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
+++ b/vendor/github.com/aws/aws-sdk-go/service/sts/api.go
@@ -17,6 +17,8 @@ const opAssumeRole = "AssumeRole"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See AssumeRole for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -51,6 +53,8 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
return
}
+// AssumeRole API operation for AWS Security Token Service.
+//
// Returns a set of temporary security credentials (consisting of an access
// key ID, a secret access key, and a security token) that you can use to access
// AWS resources that you might not normally have access to. Typically, you
@@ -60,7 +64,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide.
//
-// Important: You cannot call AssumeRole by using AWS root account credentials;
+// Important: You cannot call AssumeRole by using AWS root account credentials;
// access is denied. You must use credentials for an IAM user or an IAM role
// to call AssumeRole.
//
@@ -89,18 +93,18 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// when calling AssumeRole, which can be from 900 seconds (15 minutes) to a
// maximum of 3600 seconds (1 hour). The default is 1 hour.
//
-// The temporary security credentials created by AssumeRole can be used to
-// make API calls to any AWS service with the following exception: you cannot
-// call the STS service's GetFederationToken or GetSessionToken APIs.
+// The temporary security credentials created by AssumeRole can be used to make
+// API calls to any AWS service with the following exception: you cannot call
+// the STS service's GetFederationToken or GetSessionToken APIs.
//
-// Optionally, you can pass an IAM access policy to this operation. If you
-// choose not to pass a policy, the temporary security credentials that are
-// returned by the operation have the permissions that are defined in the access
-// policy of the role that is being assumed. If you pass a policy to this operation,
+// Optionally, you can pass an IAM access policy to this operation. If you choose
+// not to pass a policy, the temporary security credentials that are returned
+// by the operation have the permissions that are defined in the access policy
+// of the role that is being assumed. If you pass a policy to this operation,
// the temporary security credentials that are returned by the operation have
// the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to
-// further restrict the permissions for the resulting temporary security credentials.
+// is being assumed, and the policy that you pass. This gives you a way to further
+// restrict the permissions for the resulting temporary security credentials.
// You cannot use the passed policy to grant permissions that are in excess
// of those allowed by the access policy of the role that is being assumed.
// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
@@ -120,7 +124,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// a policy to the user (identical to the previous different account user),
// or you can add the user as a principal directly in the role's trust policy
//
-// Using MFA with AssumeRole
+// Using MFA with AssumeRole
//
// You can optionally include multi-factor authentication (MFA) information
// when you call AssumeRole. This is useful for cross-account scenarios in which
@@ -131,7 +135,7 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// denied. The condition in a trust policy that tests for MFA authentication
// might look like the following example.
//
-// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
+// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
//
// For more information, see Configuring MFA-Protected API Access (http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html)
// in the IAM User Guide guide.
@@ -140,6 +144,31 @@ func (c *STS) AssumeRoleRequest(input *AssumeRoleInput) (req *request.Request, o
// parameters. The SerialNumber value identifies the user's hardware or virtual
// MFA device. The TokenCode is the time-based one-time password (TOTP) that
// the MFA devices produces.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation AssumeRole for usage and error information.
+//
+// Returned Error Codes:
+// * MalformedPolicyDocument
+// The request was rejected because the policy document was malformed. The error
+// message describes the specific error.
+//
+// * PackedPolicyTooLarge
+// The request was rejected because the policy document was too large. The error
+// message describes how big the policy document is, in packed form, as a percentage
+// of what the API allows.
+//
+// * RegionDisabledException
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+//
func (c *STS) AssumeRole(input *AssumeRoleInput) (*AssumeRoleOutput, error) {
req, out := c.AssumeRoleRequest(input)
err := req.Send()
@@ -153,6 +182,8 @@ const opAssumeRoleWithSAML = "AssumeRoleWithSAML"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See AssumeRoleWithSAML for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -187,6 +218,8 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
return
}
+// AssumeRoleWithSAML API operation for AWS Security Token Service.
+//
// Returns a set of temporary security credentials for users who have been authenticated
// via a SAML authentication response. This operation provides a mechanism for
// tying an enterprise identity store or directory to role-based AWS access
@@ -206,17 +239,17 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
// can be from 900 seconds (15 minutes) to a maximum of 3600 seconds (1 hour).
// The default is 1 hour.
//
-// The temporary security credentials created by AssumeRoleWithSAML can be
-// used to make API calls to any AWS service with the following exception: you
-// cannot call the STS service's GetFederationToken or GetSessionToken APIs.
+// The temporary security credentials created by AssumeRoleWithSAML can be used
+// to make API calls to any AWS service with the following exception: you cannot
+// call the STS service's GetFederationToken or GetSessionToken APIs.
//
-// Optionally, you can pass an IAM access policy to this operation. If you
-// choose not to pass a policy, the temporary security credentials that are
-// returned by the operation have the permissions that are defined in the access
-// policy of the role that is being assumed. If you pass a policy to this operation,
+// Optionally, you can pass an IAM access policy to this operation. If you choose
+// not to pass a policy, the temporary security credentials that are returned
+// by the operation have the permissions that are defined in the access policy
+// of the role that is being assumed. If you pass a policy to this operation,
// the temporary security credentials that are returned by the operation have
// the permissions that are allowed by the intersection of both the access policy
-// of the role that is being assumed, and the policy that you pass. This means
+// of the role that is being assumed, and the policy that you pass. This means
// that both policies must grant the permission for the action to be allowed.
// This gives you a way to further restrict the permissions for the resulting
// temporary security credentials. You cannot use the passed policy to grant
@@ -225,8 +258,8 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
// AssumeRoleWithSAML, and AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
// in the IAM User Guide.
//
-// Before your application can call AssumeRoleWithSAML, you must configure
-// your SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
+// Before your application can call AssumeRoleWithSAML, you must configure your
+// SAML identity provider (IdP) to issue the claims required by AWS. Additionally,
// you must use AWS Identity and Access Management (IAM) to create a SAML provider
// entity in your AWS account that represents your identity provider, and create
// an IAM role that specifies this SAML provider in its trust policy.
@@ -235,25 +268,65 @@ func (c *STS) AssumeRoleWithSAMLRequest(input *AssumeRoleWithSAMLInput) (req *re
// The identity of the caller is validated by using keys in the metadata document
// that is uploaded for the SAML provider entity for your identity provider.
//
-// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
+// Calling AssumeRoleWithSAML can result in an entry in your AWS CloudTrail
// logs. The entry includes the value in the NameID element of the SAML assertion.
// We recommend that you use a NameIDType that is not associated with any personally
// identifiable information (PII). For example, you could instead use the Persistent
// Identifier (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent).
//
-// For more information, see the following resources:
+// For more information, see the following resources:
//
-// About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
-// in the IAM User Guide.
+// * About SAML 2.0-based Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
+// in the IAM User Guide.
//
-// Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
-// in the IAM User Guide.
+// * Creating SAML Identity Providers (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
+// in the IAM User Guide.
//
-// Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
-// in the IAM User Guide.
+// * Configuring a Relying Party and Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
+// in the IAM User Guide.
+//
+// * Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
+// in the IAM User Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation AssumeRoleWithSAML for usage and error information.
+//
+// Returned Error Codes:
+// * MalformedPolicyDocument
+// The request was rejected because the policy document was malformed. The error
+// message describes the specific error.
+//
+// * PackedPolicyTooLarge
+// The request was rejected because the policy document was too large. The error
+// message describes how big the policy document is, in packed form, as a percentage
+// of what the API allows.
+//
+// * IDPRejectedClaim
+// The identity provider (IdP) reported that authentication failed. This might
+// be because the claim is invalid.
+//
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it
+// can also mean that the claim has expired or has been explicitly revoked.
+//
+// * InvalidIdentityToken
+// The web identity token that was passed could not be validated by AWS. Get
+// a new identity token from the identity provider and then retry the request.
+//
+// * ExpiredTokenException
+// The web identity token that was passed is expired or is not valid. Get a
+// new identity token from the identity provider and then retry the request.
+//
+// * RegionDisabledException
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
//
-// Creating a Role for SAML 2.0 Federation (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
-// in the IAM User Guide.
func (c *STS) AssumeRoleWithSAML(input *AssumeRoleWithSAMLInput) (*AssumeRoleWithSAMLOutput, error) {
req, out := c.AssumeRoleWithSAMLRequest(input)
err := req.Send()
@@ -267,6 +340,8 @@ const opAssumeRoleWithWebIdentity = "AssumeRoleWithWebIdentity"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See AssumeRoleWithWebIdentity for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -301,13 +376,15 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
return
}
+// AssumeRoleWithWebIdentity API operation for AWS Security Token Service.
+//
// Returns a set of temporary security credentials for users who have been authenticated
// in a mobile or web application with a web identity provider, such as Amazon
// Cognito, Login with Amazon, Facebook, Google, or any OpenID Connect-compatible
// identity provider.
//
-// For mobile applications, we recommend that you use Amazon Cognito. You
-// can use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
+// For mobile applications, we recommend that you use Amazon Cognito. You can
+// use Amazon Cognito with the AWS SDK for iOS (http://aws.amazon.com/sdkforios/)
// and the AWS SDK for Android (http://aws.amazon.com/sdkforandroid/) to uniquely
// identify a user and supply the user with a consistent identity throughout
// the lifetime of an application.
@@ -317,7 +394,7 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
// (http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
// in the AWS SDK for iOS Developer Guide.
//
-// Calling AssumeRoleWithWebIdentity does not require the use of AWS security
+// Calling AssumeRoleWithWebIdentity does not require the use of AWS security
// credentials. Therefore, you can distribute an application (for example, on
// mobile devices) that requests temporary security credentials without including
// long-term AWS credentials in the application, and without deploying server-based
@@ -336,18 +413,18 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
// AssumeRoleWithWebIdentity, which can be from 900 seconds (15 minutes) to
// a maximum of 3600 seconds (1 hour). The default is 1 hour.
//
-// The temporary security credentials created by AssumeRoleWithWebIdentity
-// can be used to make API calls to any AWS service with the following exception:
+// The temporary security credentials created by AssumeRoleWithWebIdentity can
+// be used to make API calls to any AWS service with the following exception:
// you cannot call the STS service's GetFederationToken or GetSessionToken APIs.
//
-// Optionally, you can pass an IAM access policy to this operation. If you
-// choose not to pass a policy, the temporary security credentials that are
-// returned by the operation have the permissions that are defined in the access
-// policy of the role that is being assumed. If you pass a policy to this operation,
+// Optionally, you can pass an IAM access policy to this operation. If you choose
+// not to pass a policy, the temporary security credentials that are returned
+// by the operation have the permissions that are defined in the access policy
+// of the role that is being assumed. If you pass a policy to this operation,
// the temporary security credentials that are returned by the operation have
// the permissions that are allowed by both the access policy of the role that
-// is being assumed, and the policy that you pass. This gives you a way to
-// further restrict the permissions for the resulting temporary security credentials.
+// is being assumed, and the policy that you pass. This gives you a way to further
+// restrict the permissions for the resulting temporary security credentials.
// You cannot use the passed policy to grant permissions that are in excess
// of those allowed by the access policy of the role that is being assumed.
// For more information, see Permissions for AssumeRole, AssumeRoleWithSAML,
@@ -360,32 +437,83 @@ func (c *STS) AssumeRoleWithWebIdentityRequest(input *AssumeRoleWithWebIdentityI
// the identity provider that is associated with the identity token. In other
// words, the identity provider must be specified in the role's trust policy.
//
-// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
+// Calling AssumeRoleWithWebIdentity can result in an entry in your AWS CloudTrail
// logs. The entry includes the Subject (http://openid.net/specs/openid-connect-core-1_0.html#Claims)
// of the provided Web Identity Token. We recommend that you avoid using any
// personally identifiable information (PII) in this field. For example, you
// could instead use a GUID or a pairwise identifier, as suggested in the OIDC
// specification (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes).
//
-// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
+// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
// API, see the following resources:
//
-// Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual)
-// and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
+// * Using Web Identity Federation APIs for Mobile Apps (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual)
+// and Federation Through a Web-based Identity Provider (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
+//
+//
+// * Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
+// This interactive website lets you walk through the process of authenticating
+// via Login with Amazon, Facebook, or Google, getting temporary security
+// credentials, and then using those credentials to make a request to AWS.
+//
+//
+// * AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
+// (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample
+// apps that show how to invoke the identity providers, and then how to use
+// the information from these providers to get and use temporary security
+// credentials.
+//
+// * Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313).
+// This article discusses web identity federation and shows an example of
+// how to use web identity federation to get access to content in Amazon
+// S3.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
//
-// Web Identity Federation Playground (https://web-identity-federation-playground.s3.amazonaws.com/index.html).
-// This interactive website lets you walk through the process of authenticating
-// via Login with Amazon, Facebook, or Google, getting temporary security credentials,
-// and then using those credentials to make a request to AWS.
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation AssumeRoleWithWebIdentity for usage and error information.
//
-// AWS SDK for iOS (http://aws.amazon.com/sdkforios/) and AWS SDK for Android
-// (http://aws.amazon.com/sdkforandroid/). These toolkits contain sample apps
-// that show how to invoke the identity providers, and then how to use the information
-// from these providers to get and use temporary security credentials.
+// Returned Error Codes:
+// * MalformedPolicyDocument
+// The request was rejected because the policy document was malformed. The error
+// message describes the specific error.
+//
+// * PackedPolicyTooLarge
+// The request was rejected because the policy document was too large. The error
+// message describes how big the policy document is, in packed form, as a percentage
+// of what the API allows.
+//
+// * IDPRejectedClaim
+// The identity provider (IdP) reported that authentication failed. This might
+// be because the claim is invalid.
+//
+// If this error is returned for the AssumeRoleWithWebIdentity operation, it
+// can also mean that the claim has expired or has been explicitly revoked.
+//
+// * IDPCommunicationError
+// The request could not be fulfilled because the non-AWS identity provider
+// (IDP) that was asked to verify the incoming identity token could not be reached.
+// This is often a transient error caused by network conditions. Retry the request
+// a limited number of times so that you don't exceed the request rate. If the
+// error persists, the non-AWS identity provider might be down or not responding.
+//
+// * InvalidIdentityToken
+// The web identity token that was passed could not be validated by AWS. Get
+// a new identity token from the identity provider and then retry the request.
+//
+// * ExpiredTokenException
+// The web identity token that was passed is expired or is not valid. Get a
+// new identity token from the identity provider and then retry the request.
+//
+// * RegionDisabledException
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
//
-// Web Identity Federation with Mobile Applications (http://aws.amazon.com/articles/4617974389850313).
-// This article discusses web identity federation and shows an example of how
-// to use web identity federation to get access to content in Amazon S3.
func (c *STS) AssumeRoleWithWebIdentity(input *AssumeRoleWithWebIdentityInput) (*AssumeRoleWithWebIdentityOutput, error) {
req, out := c.AssumeRoleWithWebIdentityRequest(input)
err := req.Send()
@@ -399,6 +527,8 @@ const opDecodeAuthorizationMessage = "DecodeAuthorizationMessage"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See DecodeAuthorizationMessage for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -433,6 +563,8 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
return
}
+// DecodeAuthorizationMessage API operation for AWS Security Token Service.
+//
// Decodes additional information about the authorization status of a request
// from an encoded message returned in response to an AWS request.
//
@@ -441,30 +573,44 @@ func (c *STS) DecodeAuthorizationMessageRequest(input *DecodeAuthorizationMessag
// (an HTTP 403 response). Some AWS actions additionally return an encoded message
// that can provide details about this authorization failure.
//
-// Only certain AWS actions return an encoded authorization message. The documentation
+// Only certain AWS actions return an encoded authorization message. The documentation
// for an individual action indicates whether that action returns an encoded
// message in addition to returning an HTTP code.
//
-// The message is encoded because the details of the authorization status
-// can constitute privileged information that the user who requested the action
+// The message is encoded because the details of the authorization status can
+// constitute privileged information that the user who requested the action
// should not see. To decode an authorization status message, a user must be
// granted permissions via an IAM policy to request the DecodeAuthorizationMessage
// (sts:DecodeAuthorizationMessage) action.
//
// The decoded message includes the following type of information:
//
-// Whether the request was denied due to an explicit deny or due to the absence
-// of an explicit allow. For more information, see Determining Whether a Request
-// is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
-// in the IAM User Guide.
+// * Whether the request was denied due to an explicit deny or due to the
+// absence of an explicit allow. For more information, see Determining Whether
+// a Request is Allowed or Denied (http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
+// in the IAM User Guide.
+//
+// * The principal who made the request.
+//
+// * The requested action.
+//
+// * The requested resource.
//
-// The principal who made the request.
+// * The values of condition keys in the context of the user's request.
//
-// The requested action.
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
//
-// The requested resource.
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation DecodeAuthorizationMessage for usage and error information.
+//
+// Returned Error Codes:
+// * InvalidAuthorizationMessageException
+// The error returned if the message passed to DecodeAuthorizationMessage was
+// invalid. This can happen if the token contains invalid characters, such as
+// linebreaks.
//
-// The values of condition keys in the context of the user's request.
func (c *STS) DecodeAuthorizationMessage(input *DecodeAuthorizationMessageInput) (*DecodeAuthorizationMessageOutput, error) {
req, out := c.DecodeAuthorizationMessageRequest(input)
err := req.Send()
@@ -478,6 +624,8 @@ const opGetCallerIdentity = "GetCallerIdentity"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See GetCallerIdentity for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -512,8 +660,17 @@ func (c *STS) GetCallerIdentityRequest(input *GetCallerIdentityInput) (req *requ
return
}
+// GetCallerIdentity API operation for AWS Security Token Service.
+//
// Returns details about the IAM identity whose credentials are used to call
// the API.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation GetCallerIdentity for usage and error information.
func (c *STS) GetCallerIdentity(input *GetCallerIdentityInput) (*GetCallerIdentityOutput, error) {
req, out := c.GetCallerIdentityRequest(input)
err := req.Send()
@@ -527,6 +684,8 @@ const opGetFederationToken = "GetFederationToken"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See GetFederationToken for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -561,6 +720,8 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
return
}
+// GetFederationToken API operation for AWS Security Token Service.
+//
// Returns a set of temporary security credentials (consisting of an access
// key ID, a secret access key, and a security token) for a federated user.
// A typical use is in a proxy application that gets temporary security credentials
@@ -573,20 +734,20 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
// and Comparing the AWS STS APIs (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide.
//
-// If you are creating a mobile-based or browser-based app that can authenticate
+// If you are creating a mobile-based or browser-based app that can authenticate
// users using a web identity provider like Login with Amazon, Facebook, Google,
// or an OpenID Connect-compatible identity provider, we recommend that you
// use Amazon Cognito (http://aws.amazon.com/cognito/) or AssumeRoleWithWebIdentity.
// For more information, see Federation Through a Web-based Identity Provider
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
//
-// The GetFederationToken action must be called by using the long-term AWS
-// security credentials of an IAM user. You can also call GetFederationToken
-// using the security credentials of an AWS root account, but we do not recommended
-// it. Instead, we recommend that you create an IAM user for the purpose of
-// the proxy application and then attach a policy to the IAM user that limits
-// federated users to only the actions and resources that they need access to.
-// For more information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
+// The GetFederationToken action must be called by using the long-term AWS security
+// credentials of an IAM user. You can also call GetFederationToken using the
+// security credentials of an AWS root account, but we do not recommended it.
+// Instead, we recommend that you create an IAM user for the purpose of the
+// proxy application and then attach a policy to the IAM user that limits federated
+// users to only the actions and resources that they need access to. For more
+// information, see IAM Best Practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html)
// in the IAM User Guide.
//
// The temporary security credentials that are obtained by using the long-term
@@ -595,30 +756,30 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
// is 43200 seconds (12 hours). Temporary credentials that are obtained by using
// AWS root account credentials have a maximum duration of 3600 seconds (1 hour).
//
-// The temporary security credentials created by GetFederationToken can be
-// used to make API calls to any AWS service with the following exceptions:
+// The temporary security credentials created by GetFederationToken can be used
+// to make API calls to any AWS service with the following exceptions:
//
-// You cannot use these credentials to call any IAM APIs.
+// * You cannot use these credentials to call any IAM APIs.
//
-// You cannot call any STS APIs.
+// * You cannot call any STS APIs.
//
-// Permissions
+// Permissions
//
// The permissions for the temporary security credentials returned by GetFederationToken
// are determined by a combination of the following:
//
-// The policy or policies that are attached to the IAM user whose credentials
-// are used to call GetFederationToken.
+// * The policy or policies that are attached to the IAM user whose credentials
+// are used to call GetFederationToken.
//
-// The policy that is passed as a parameter in the call.
+// * The policy that is passed as a parameter in the call.
//
-// The passed policy is attached to the temporary security credentials that
+// The passed policy is attached to the temporary security credentials that
// result from the GetFederationToken API call--that is, to the federated user.
// When the federated user makes an AWS request, AWS evaluates the policy attached
// to the federated user in combination with the policy or policies attached
// to the IAM user whose credentials were used to call GetFederationToken. AWS
-// allows the federated user's request only when both the federated user and
-// the IAM user are explicitly allowed to perform the requested action. The
+// allows the federated user's request only when both the federated user and
+// the IAM user are explicitly allowed to perform the requested action. The
// passed policy cannot grant more permissions than those that are defined in
// the IAM user policy.
//
@@ -639,6 +800,31 @@ func (c *STS) GetFederationTokenRequest(input *GetFederationTokenInput) (req *re
// For information about using GetFederationToken to create temporary security
// credentials, see GetFederationToken—Federation Through a Custom Identity
// Broker (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation GetFederationToken for usage and error information.
+//
+// Returned Error Codes:
+// * MalformedPolicyDocument
+// The request was rejected because the policy document was malformed. The error
+// message describes the specific error.
+//
+// * PackedPolicyTooLarge
+// The request was rejected because the policy document was too large. The error
+// message describes how big the policy document is, in packed form, as a percentage
+// of what the API allows.
+//
+// * RegionDisabledException
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+//
func (c *STS) GetFederationToken(input *GetFederationTokenInput) (*GetFederationTokenOutput, error) {
req, out := c.GetFederationTokenRequest(input)
err := req.Send()
@@ -652,6 +838,8 @@ const opGetSessionToken = "GetSessionToken"
// value can be used to capture response data after the request's "Send" method
// is called.
//
+// See GetSessionToken for usage and error information.
+//
// Creating a request object using this method should be used when you want to inject
// custom logic into the request's lifecycle using a custom handler, or if you want to
// access properties on the request object before or after sending the request. If
@@ -686,6 +874,8 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
return
}
+// GetSessionToken API operation for AWS Security Token Service.
+//
// Returns a set of temporary credentials for an AWS account or IAM user. The
// credentials consist of an access key ID, a secret access key, and a security
// token. Typically, you use GetSessionToken if you want to use MFA to protect
@@ -711,17 +901,17 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
// The temporary security credentials created by GetSessionToken can be used
// to make API calls to any AWS service with the following exceptions:
//
-// You cannot call any IAM APIs unless MFA authentication information is
-// included in the request.
+// * You cannot call any IAM APIs unless MFA authentication information is
+// included in the request.
//
-// You cannot call any STS API except AssumeRole.
+// * You cannot call any STS API exceptAssumeRole.
//
-// We recommend that you do not call GetSessionToken with root account credentials.
+// We recommend that you do not call GetSessionToken with root account credentials.
// Instead, follow our best practices (http://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
// by creating one or more IAM users, giving them the necessary permissions,
// and using IAM users for everyday interaction with AWS.
//
-// The permissions associated with the temporary security credentials returned
+// The permissions associated with the temporary security credentials returned
// by GetSessionToken are based on the permissions associated with account or
// IAM user whose credentials are used to call the action. If GetSessionToken
// is called using root account credentials, the temporary credentials have
@@ -732,6 +922,22 @@ func (c *STS) GetSessionTokenRequest(input *GetSessionTokenInput) (req *request.
// For more information about using GetSessionToken to create temporary credentials,
// go to Temporary Credentials for Users in Untrusted Environments (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// in the IAM User Guide.
+//
+// Returns awserr.Error for service API and SDK errors. Use runtime type assertions
+// with awserr.Error's Code and Message methods to get detailed information about
+// the error.
+//
+// See the AWS API reference guide for AWS Security Token Service's
+// API operation GetSessionToken for usage and error information.
+//
+// Returned Error Codes:
+// * RegionDisabledException
+// STS is not activated in the requested region for the account that is being
+// asked to generate credentials. The account administrator must use the IAM
+// console to activate STS in that region. For more information, see Activating
+// and Deactivating AWS STS in an AWS Region (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html)
+// in the IAM User Guide.
+//
func (c *STS) GetSessionToken(input *GetSessionTokenInput) (*GetSessionTokenOutput, error) {
req, out := c.GetSessionTokenRequest(input)
err := req.Send()
@@ -745,9 +951,9 @@ type AssumeRoleInput struct {
// seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
// to 3600 seconds.
//
- // This is separate from the duration of a console session that you might
- // request using the returned credentials. The request to the federation endpoint
- // for a console sign-in token takes a SessionDuration parameter that specifies
+ // This is separate from the duration of a console session that you might request
+ // using the returned credentials. The request to the federation endpoint for
+ // a console sign-in token takes a SessionDuration parameter that specifies
// the maximum length of the console session, separately from the DurationSeconds
// parameter on this API. For more information, see Creating a URL that Enables
// Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
@@ -789,7 +995,7 @@ type AssumeRoleInput struct {
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
// and carriage return (\u000D) characters.
//
- // The policy plain text must be 2048 bytes or shorter. However, an internal
+ // The policy plain text must be 2048 bytes or shorter. However, an internal
// conversion compresses it into a packed binary format with a separate limit.
// The PackedPolicySize response element indicates by percentage how close to
// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -903,10 +1109,10 @@ type AssumeRoleOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
- // Note: The size of the security token that STS APIs return is not fixed.
- // We strongly recommend that you make no assumptions about the maximum size.
- // As of this writing, the typical size is less than 4096 bytes, but that can
- // vary. Also, future updates to AWS might require larger sizes.
+ // Note: The size of the security token that STS APIs return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size. As
+ // of this writing, the typical size is less than 4096 bytes, but that can vary.
+ // Also, future updates to AWS might require larger sizes.
Credentials *Credentials `type:"structure"`
// A percentage value that indicates the size of the policy in packed form.
@@ -934,9 +1140,9 @@ type AssumeRoleWithSAMLInput struct {
// response's SessionNotOnOrAfter value. The actual expiration time is whichever
// value is shorter.
//
- // This is separate from the duration of a console session that you might
- // request using the returned credentials. The request to the federation endpoint
- // for a console sign-in token takes a SessionDuration parameter that specifies
+ // This is separate from the duration of a console session that you might request
+ // using the returned credentials. The request to the federation endpoint for
+ // a console sign-in token takes a SessionDuration parameter that specifies
// the maximum length of the console session, separately from the DurationSeconds
// parameter on this API. For more information, see Enabling SAML 2.0 Federated
// Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-saml.html)
@@ -948,8 +1154,8 @@ type AssumeRoleWithSAMLInput struct {
// The policy parameter is optional. If you pass a policy, the temporary security
// credentials that are returned by the operation have the permissions that
// are allowed by both the access policy of the role that is being assumed,
- // and the policy that you pass. This gives you a way to further restrict
- // the permissions for the resulting temporary security credentials. You cannot
+ // and the policy that you pass. This gives you a way to further restrict the
+ // permissions for the resulting temporary security credentials. You cannot
// use the passed policy to grant permissions that are in excess of those allowed
// by the access policy of the role that is being assumed. For more information,
// Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity
@@ -962,7 +1168,7 @@ type AssumeRoleWithSAMLInput struct {
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
// and carriage return (\u000D) characters.
//
- // The policy plain text must be 2048 bytes or shorter. However, an internal
+ // The policy plain text must be 2048 bytes or shorter. However, an internal
// conversion compresses it into a packed binary format with a separate limit.
// The PackedPolicySize response element indicates by percentage how close to
// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -982,8 +1188,7 @@ type AssumeRoleWithSAMLInput struct {
// The base-64 encoded SAML authentication response provided by the IdP.
//
- // For more information, see Configuring a Relying Party and Adding Claims
- // (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
+ // For more information, see Configuring a Relying Party and Adding Claims (http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html)
// in the Using IAM guide.
//
// SAMLAssertion is a required field
@@ -1050,10 +1255,10 @@ type AssumeRoleWithSAMLOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
- // Note: The size of the security token that STS APIs return is not fixed.
- // We strongly recommend that you make no assumptions about the maximum size.
- // As of this writing, the typical size is less than 4096 bytes, but that can
- // vary. Also, future updates to AWS might require larger sizes.
+ // Note: The size of the security token that STS APIs return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size. As
+ // of this writing, the typical size is less than 4096 bytes, but that can vary.
+ // Also, future updates to AWS might require larger sizes.
Credentials *Credentials `type:"structure"`
// The value of the Issuer element of the SAML assertion.
@@ -1066,7 +1271,7 @@ type AssumeRoleWithSAMLOutput struct {
//
// The following pseudocode shows how the hash value is calculated:
//
- // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
+ // BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP"
// ) )
NameQualifier *string `type:"string"`
@@ -1082,7 +1287,7 @@ type AssumeRoleWithSAMLOutput struct {
// element of the SAML assertion. Typical examples of the format are transient
// or persistent.
//
- // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
+ // If the format includes the prefix urn:oasis:names:tc:SAML:2.0:nameid-format,
// that prefix is removed. For example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient
// is returned as transient. If the format includes any other prefix, the format
// is returned with no modifications.
@@ -1106,9 +1311,9 @@ type AssumeRoleWithWebIdentityInput struct {
// seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set
// to 3600 seconds.
//
- // This is separate from the duration of a console session that you might
- // request using the returned credentials. The request to the federation endpoint
- // for a console sign-in token takes a SessionDuration parameter that specifies
+ // This is separate from the duration of a console session that you might request
+ // using the returned credentials. The request to the federation endpoint for
+ // a console sign-in token takes a SessionDuration parameter that specifies
// the maximum length of the console session, separately from the DurationSeconds
// parameter on this API. For more information, see Creating a URL that Enables
// Federated Users to Access the AWS Management Console (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html)
@@ -1120,8 +1325,8 @@ type AssumeRoleWithWebIdentityInput struct {
// The policy parameter is optional. If you pass a policy, the temporary security
// credentials that are returned by the operation have the permissions that
// are allowed by both the access policy of the role that is being assumed,
- // and the policy that you pass. This gives you a way to further restrict
- // the permissions for the resulting temporary security credentials. You cannot
+ // and the policy that you pass. This gives you a way to further restrict the
+ // permissions for the resulting temporary security credentials. You cannot
// use the passed policy to grant permissions that are in excess of those allowed
// by the access policy of the role that is being assumed. For more information,
// see Permissions for AssumeRoleWithWebIdentity (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_assumerole.html)
@@ -1133,7 +1338,7 @@ type AssumeRoleWithWebIdentityInput struct {
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
// and carriage return (\u000D) characters.
//
- // The policy plain text must be 2048 bytes or shorter. However, an internal
+ // The policy plain text must be 2048 bytes or shorter. However, an internal
// conversion compresses it into a packed binary format with a separate limit.
// The PackedPolicySize response element indicates by percentage how close to
// the upper size limit the policy is, with 100% equaling the maximum allowed
@@ -1244,10 +1449,10 @@ type AssumeRoleWithWebIdentityOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security token.
//
- // Note: The size of the security token that STS APIs return is not fixed.
- // We strongly recommend that you make no assumptions about the maximum size.
- // As of this writing, the typical size is less than 4096 bytes, but that can
- // vary. Also, future updates to AWS might require larger sizes.
+ // Note: The size of the security token that STS APIs return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size. As
+ // of this writing, the typical size is less than 4096 bytes, but that can vary.
+ // Also, future updates to AWS might require larger sizes.
Credentials *Credentials `type:"structure"`
// A percentage value that indicates the size of the policy in packed form.
@@ -1519,13 +1724,13 @@ type GetFederationTokenInput struct {
// list (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
// and carriage return (\u000D) characters.
//
- // The policy plain text must be 2048 bytes or shorter. However, an internal
+ // The policy plain text must be 2048 bytes or shorter. However, an internal
// conversion compresses it into a packed binary format with a separate limit.
// The PackedPolicySize response element indicates by percentage how close to
// the upper size limit the policy is, with 100% equaling the maximum allowed
// size.
//
- // For more information about how permissions work, see Permissions for GetFederationToken
+ // For more information about how permissions work, see Permissions for GetFederationToken
// (http://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_getfederationtoken.html).
Policy *string `min:"1" type:"string"`
}
@@ -1570,10 +1775,10 @@ type GetFederationTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
- // Note: The size of the security token that STS APIs return is not fixed.
- // We strongly recommend that you make no assumptions about the maximum size.
- // As of this writing, the typical size is less than 4096 bytes, but that can
- // vary. Also, future updates to AWS might require larger sizes.
+ // Note: The size of the security token that STS APIs return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size. As
+ // of this writing, the typical size is less than 4096 bytes, but that can vary.
+ // Also, future updates to AWS might require larger sizes.
Credentials *Credentials `type:"structure"`
// Identifiers for the federated user associated with the credentials (such
@@ -1671,10 +1876,10 @@ type GetSessionTokenOutput struct {
// The temporary security credentials, which include an access key ID, a secret
// access key, and a security (or session) token.
//
- // Note: The size of the security token that STS APIs return is not fixed.
- // We strongly recommend that you make no assumptions about the maximum size.
- // As of this writing, the typical size is less than 4096 bytes, but that can
- // vary. Also, future updates to AWS might require larger sizes.
+ // Note: The size of the security token that STS APIs return is not fixed. We
+ // strongly recommend that you make no assumptions about the maximum size. As
+ // of this writing, the typical size is less than 4096 bytes, but that can vary.
+ // Also, future updates to AWS might require larger sizes.
Credentials *Credentials `type:"structure"`
}