/* * Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved. * * Licensed under the Apache License, Version 2.0 (the "License"). * You may not use this file except in compliance with the License. * A copy of the License is located at * * http://aws.amazon.com/apache2.0 * * or in the "license" file accompanying this file. This file is distributed * on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either * express or implied. See the License for the specific language governing * permissions and limitations under the License. */ /* * Do not modify this file. This file is generated from the sts-2011-06-15.normal.json service model. */ using System; using System.Collections.Generic; using System.Xml.Serialization; using System.Text; using System.IO; using System.Net; using Amazon.Runtime; using Amazon.Runtime.Internal; namespace Amazon.SecurityToken.Model { ///

/// Container for the parameters to the AssumeRole operation. /// Returns a set of temporary security credentials that you can use to access Amazon /// Web Services resources. These temporary credentials consist of an access key ID, a /// secret access key, and a security token. Typically, you use AssumeRole /// within your account or for cross-account access. For a comparison of AssumeRole /// with other API operations that produce temporary credentials, see Requesting /// Temporary Security Credentials and Comparing /// the Amazon Web Services STS API operations in the IAM User Guide. /// /// /// /// Permissions /// /// /// /// The temporary security credentials created by AssumeRole can be used /// to make API calls to any Amazon Web Services service with the following exception: /// You cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken /// API operations. /// /// /// /// (Optional) You can pass inline or managed session /// policies to this operation. You can pass a single JSON policy document to use /// as an inline session policy. You can also specify up to 10 managed policy Amazon Resource /// Names (ARNs) to use as managed session policies. The plaintext that you use for both /// inline and managed session policies can't exceed 2,048 characters. Passing policies /// to this operation returns new temporary credentials. The resulting session's permissions /// are the intersection of the role's identity-based policy and the session policies. /// You can use the role's temporary credentials in subsequent Amazon Web Services API /// calls to access resources in the account that owns the role. You cannot use session /// policies to grant more permissions than those allowed by the identity-based policy /// of the role that is being assumed. For more information, see Session /// Policies in the IAM User Guide. /// /// /// /// When you create a role, you create two policies: a role trust policy that specifies /// who can assume the role, and a permissions policy that specifies what /// can be done with the role. You specify the trusted principal that is allowed to assume /// the role in the role trust policy. /// /// /// /// To assume a role from a different account, your Amazon Web Services account must be /// trusted by the role. The trust relationship is defined in the role's trust policy /// when the role is created. That trust policy states which accounts are allowed to delegate /// that access to users in the account. /// /// /// /// A user who wants to access a role in a different account must also have permissions /// that are delegated from the account administrator. The administrator must attach a /// policy that allows the user to call AssumeRole for the ARN of the role /// in the other account. /// /// /// /// To allow a user to assume a role in the same account, you can do either of the following: /// ///

/// /// Attach a policy to the user that allows the user to call AssumeRole (as /// long as the role's trust policy trusts the account). /// ///
/// /// Add the user as a principal directly in the role's trust policy. /// ///

/// /// You can do either because the role’s trust policy acts as an IAM resource-based policy. /// When a resource-based policy grants access to a principal in the same account, no /// additional identity-based policy is required. For more information about trust policies /// and resource-based policies, see IAM /// Policies in the IAM User Guide. /// /// /// /// Tags /// /// /// /// (Optional) You can pass tag key-value pairs to your session. These tags are called /// session tags. For more information about session tags, see Passing /// Session Tags in STS in the IAM User Guide. /// /// /// /// An administrator must grant you the permissions necessary to pass session tags. The /// administrator can also create granular permissions to allow you to pass only specific /// session tags. For more information, see Tutorial: /// Using Tags for Attribute-Based Access Control in the IAM User Guide. /// /// /// /// You can set the session tags as transitive. Transitive tags persist during role chaining. /// For more information, see Chaining /// Roles with Session Tags in the IAM User Guide. /// /// /// /// Using MFA with AssumeRole /// /// /// /// (Optional) You can include multi-factor authentication (MFA) information when you /// call AssumeRole. This is useful for cross-account scenarios to ensure /// that the user that assumes the role has been authenticated with an Amazon Web Services /// MFA device. In that scenario, the trust policy of the role being assumed includes /// a condition that tests for MFA authentication. If the caller does not include valid /// MFA information, the request to assume the role is denied. The condition in a trust /// policy that tests for MFA authentication might look like the following example. /// /// /// /// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} /// /// /// /// For more information, see Configuring /// MFA-Protected API Access in the IAM User Guide guide. /// /// /// /// To use MFA with AssumeRole, you pass values for the SerialNumber /// and TokenCode parameters. The SerialNumber value identifies /// the user's hardware or virtual MFA device. The TokenCode is the time-based /// one-time password (TOTP) that the MFA device produces. /// ///

public partial class AssumeRoleRequest : AmazonSecurityTokenServiceRequest { private int? _durationSeconds; private string _externalId; private string _policy; private List _policyArns = new List(); private List _providedContexts = new List(); private string _roleArn; private string _roleSessionName; private string _serialNumber; private string _sourceIdentity; private List _tags = new List(); private string _tokenCode; private List _transitiveTagKeys = new List(); ///

/// Gets and sets the property DurationSeconds. /// /// The duration, in seconds, of the role session. The value specified can range from /// 900 seconds (15 minutes) up to the maximum session duration set for the role. The /// maximum session duration setting can have a value from 1 hour to 12 hours. If you /// specify a value higher than this setting or the administrator setting (whichever is /// lower), the operation fails. For example, if you specify a session duration of 12 /// hours, but your administrator set the maximum session duration to 6 hours, your operation /// fails. /// /// /// /// Role chaining limits your Amazon Web Services CLI or Amazon Web Services API role /// session to a maximum of one hour. When you use the AssumeRole API operation /// to assume a role, you can specify the duration of your role session with the DurationSeconds /// parameter. You can specify a parameter value of up to 43200 seconds (12 hours), depending /// on the maximum session duration setting for your role. However, if you assume a role /// using role chaining and provide a DurationSeconds parameter value greater /// than one hour, the operation fails. To learn how to view the maximum value for your /// role, see View /// the Maximum Session Duration Setting for a Role in the IAM User Guide. /// /// /// /// By default, the value is set to 3600 seconds. /// /// /// /// The DurationSeconds parameter is separate from the duration of a console /// session that you might request using the returned credentials. The request to the /// federation endpoint for a console sign-in token takes a SessionDuration /// parameter that specifies the maximum length of the console session. For more information, /// see Creating /// a URL that Enables Federated Users to Access the Amazon Web Services Management Console /// in the IAM User Guide. /// /// ///

[AWSProperty(Min=900, Max=43200)] public int DurationSeconds { get { return this._durationSeconds.GetValueOrDefault(); } set { this._durationSeconds = value; } } // Check to see if DurationSeconds property is set internal bool IsSetDurationSeconds() { return this._durationSeconds.HasValue; } ///

/// Gets and sets the property ExternalId. /// /// A unique identifier that might be required when you assume a role in another account. /// If the administrator of the account to which the role belongs provided you with an /// external ID, then provide that value in the ExternalId parameter. This /// value can be any string, such as a passphrase or account number. A cross-account role /// is usually set up to trust everyone in an account. Therefore, the administrator of /// the trusting account might send an external ID to the administrator of the trusted /// account. That way, only someone with the ID can assume the role, rather than everyone /// in the account. For more information about the external ID, see How /// to Use an External ID When Granting Access to Your Amazon Web Services Resources to /// a Third Party in the IAM User Guide. /// /// /// /// The regex used to validate this parameter is a string of characters consisting of /// upper- and lower-case alphanumeric characters with no spaces. You can also include /// underscores or any of the following characters: =,.@:/- /// ///

[AWSProperty(Min=2, Max=1224)] public string ExternalId { get { return this._externalId; } set { this._externalId = value; } } // Check to see if ExternalId property is set internal bool IsSetExternalId() { return this._externalId != null; } ///

/// Gets and sets the property Policy. /// /// An IAM policy in JSON format that you want to use as an inline session policy. /// /// /// /// This parameter is optional. Passing policies to this operation returns new temporary /// credentials. The resulting session's permissions are the intersection of the role's /// identity-based policy and the session policies. You can use the role's temporary credentials /// in subsequent Amazon Web Services API calls to access resources in the account that /// owns the role. You cannot use session policies to grant more permissions than those /// allowed by the identity-based policy of the role that is being assumed. For more information, /// see Session /// Policies in the IAM User Guide. /// /// /// /// The plaintext that you use for both inline and managed session policies can't exceed /// 2,048 characters. The JSON policy characters can be any ASCII character from the space /// character to the end of the valid character list (\u0020 through \u00FF). It can also /// include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters. /// /// /// /// An Amazon Web Services conversion compresses the passed inline session policy, managed /// policy ARNs, and session tags into a packed binary format that has a separate limit. /// Your request can fail for this limit even if your plaintext meets the other requirements. /// The PackedPolicySize response element indicates by percentage how close /// the policies and tags for your request are to the upper size limit. /// /// ///

[AWSProperty(Min=1, Max=2048)] public string Policy { get { return this._policy; } set { this._policy = value; } } // Check to see if Policy property is set internal bool IsSetPolicy() { return this._policy != null; } ///

/// Gets and sets the property PolicyArns. /// /// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use /// as managed session policies. The policies must exist in the same account as the role. /// /// /// /// This parameter is optional. You can provide up to 10 managed policy ARNs. However, /// the plaintext that you use for both inline and managed session policies can't exceed /// 2,048 characters. For more information about ARNs, see Amazon /// Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon /// Web Services General Reference. /// /// /// /// An Amazon Web Services conversion compresses the passed inline session policy, managed /// policy ARNs, and session tags into a packed binary format that has a separate limit. /// Your request can fail for this limit even if your plaintext meets the other requirements. /// The PackedPolicySize response element indicates by percentage how close /// the policies and tags for your request are to the upper size limit. /// /// /// /// Passing policies to this operation returns new temporary credentials. The resulting /// session's permissions are the intersection of the role's identity-based policy and /// the session policies. You can use the role's temporary credentials in subsequent Amazon /// Web Services API calls to access resources in the account that owns the role. You /// cannot use session policies to grant more permissions than those allowed by the identity-based /// policy of the role that is being assumed. For more information, see Session /// Policies in the IAM User Guide. /// ///

public List PolicyArns { get { return this._policyArns; } set { this._policyArns = value; } } // Check to see if PolicyArns property is set internal bool IsSetPolicyArns() { return this._policyArns != null && this._policyArns.Count > 0; } ///

/// Gets and sets the property ProvidedContexts. /// /// Reserved for future use. /// ///

[AWSProperty(Max=5)] public List ProvidedContexts { get { return this._providedContexts; } set { this._providedContexts = value; } } // Check to see if ProvidedContexts property is set internal bool IsSetProvidedContexts() { return this._providedContexts != null && this._providedContexts.Count > 0; } ///

/// Gets and sets the property RoleArn. /// /// The Amazon Resource Name (ARN) of the role to assume. /// ///

[AWSProperty(Required=true, Min=20, Max=2048)] public string RoleArn { get { return this._roleArn; } set { this._roleArn = value; } } // Check to see if RoleArn property is set internal bool IsSetRoleArn() { return this._roleArn != null; } ///

/// Gets and sets the property RoleSessionName. /// /// An identifier for the assumed role session. /// /// /// /// Use the role session name to uniquely identify a session when the same role is assumed /// by different principals or for different reasons. In cross-account scenarios, the /// role session name is visible to, and can be logged by the account that owns the role. /// The role session name is also used in the ARN of the assumed role principal. This /// means that subsequent cross-account API requests that use the temporary security credentials /// will expose the role session name to the external account in their CloudTrail logs. /// /// /// /// The regex used to validate this parameter is a string of characters consisting of /// upper- and lower-case alphanumeric characters with no spaces. You can also include /// underscores or any of the following characters: =,.@- /// ///

[AWSProperty(Required=true, Min=2, Max=64)] public string RoleSessionName { get { return this._roleSessionName; } set { this._roleSessionName = value; } } // Check to see if RoleSessionName property is set internal bool IsSetRoleSessionName() { return this._roleSessionName != null; } ///

/// Gets and sets the property SerialNumber. /// /// The identification number of the MFA device that is associated with the user who is /// making the AssumeRole call. Specify this value if the trust policy of /// the role being assumed includes a condition that requires MFA authentication. The /// value is either the serial number for a hardware device (such as GAHT12345678) /// or an Amazon Resource Name (ARN) for a virtual device (such as arn:aws:iam::123456789012:mfa/user). /// /// /// /// The regex used to validate this parameter is a string of characters consisting of /// upper- and lower-case alphanumeric characters with no spaces. You can also include /// underscores or any of the following characters: =,.@- /// ///

[AWSProperty(Min=9, Max=256)] public string SerialNumber { get { return this._serialNumber; } set { this._serialNumber = value; } } // Check to see if SerialNumber property is set internal bool IsSetSerialNumber() { return this._serialNumber != null; } ///

/// Gets and sets the property SourceIdentity. /// /// The source identity specified by the principal that is calling the AssumeRole /// operation. /// /// /// /// You can require users to specify a source identity when they assume a role. You do /// this by using the sts:SourceIdentity condition key in a role trust policy. /// You can use source identity information in CloudTrail logs to determine who took actions /// with a role. You can use the aws:SourceIdentity condition key to further /// control access to Amazon Web Services resources based on the value of source identity. /// For more information about using source identity, see Monitor /// and control actions taken with assumed roles in the IAM User Guide. /// /// /// /// The regex used to validate this parameter is a string of characters consisting of /// upper- and lower-case alphanumeric characters with no spaces. You can also include /// underscores or any of the following characters: =,.@-. You cannot use a value that /// begins with the text aws:. This prefix is reserved for Amazon Web Services /// internal use. /// ///

[AWSProperty(Min=2, Max=64)] public string SourceIdentity { get { return this._sourceIdentity; } set { this._sourceIdentity = value; } } // Check to see if SourceIdentity property is set internal bool IsSetSourceIdentity() { return this._sourceIdentity != null; } ///

/// Gets and sets the property Tags. /// /// A list of session tags that you want to pass. Each session tag consists of a key name /// and an associated value. For more information about session tags, see Tagging /// Amazon Web Services STS Sessions in the IAM User Guide. /// /// /// /// This parameter is optional. You can pass up to 50 session tags. The plaintext session /// tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. /// For these and additional limits, see IAM /// and STS Character Limits in the IAM User Guide. /// /// /// /// An Amazon Web Services conversion compresses the passed inline session policy, managed /// policy ARNs, and session tags into a packed binary format that has a separate limit. /// Your request can fail for this limit even if your plaintext meets the other requirements. /// The PackedPolicySize response element indicates by percentage how close /// the policies and tags for your request are to the upper size limit. /// /// /// /// You can pass a session tag with the same key as a tag that is already attached to /// the role. When you do, session tags override a role tag with the same key. /// /// /// /// Tag key–value pairs are not case sensitive, but case is preserved. This means that /// you cannot have separate Department and department tag keys. /// Assume that the role has the Department=Marketing tag and /// you pass the department=engineering session tag. Department /// and department are not saved as separate tags, and the session tag passed /// in the request takes precedence over the role tag. /// /// /// /// Additionally, if you used temporary credentials to perform this operation, the new /// session inherits any transitive session tags from the calling session. If you pass /// a session tag with the same key as an inherited tag, the operation fails. To view /// the inherited tags for a session, see the CloudTrail logs. For more information, see /// Viewing /// Session Tags in CloudTrail in the IAM User Guide. /// ///

[AWSProperty(Max=50)] public List Tags { get { return this._tags; } set { this._tags = value; } } // Check to see if Tags property is set internal bool IsSetTags() { return this._tags != null && this._tags.Count > 0; } ///

/// Gets and sets the property TokenCode. /// /// The value provided by the MFA device, if the trust policy of the role being assumed /// requires MFA. (In other words, if the policy includes a condition that tests for MFA). /// If the role being assumed requires MFA and if the TokenCode value is /// missing or expired, the AssumeRole call returns an "access denied" error. /// /// /// /// The format for this parameter, as described by its regex pattern, is a sequence of /// six numeric digits. /// ///

[AWSProperty(Min=6, Max=6)] public string TokenCode { get { return this._tokenCode; } set { this._tokenCode = value; } } // Check to see if TokenCode property is set internal bool IsSetTokenCode() { return this._tokenCode != null; } ///

/// Gets and sets the property TransitiveTagKeys. /// /// A list of keys for session tags that you want to set as transitive. If you set a tag /// key as transitive, the corresponding key and value passes to subsequent sessions in /// a role chain. For more information, see Chaining /// Roles with Session Tags in the IAM User Guide. /// /// /// /// This parameter is optional. When you set session tags as transitive, the session policy /// and session tags packed binary limit is not affected. /// /// /// /// If you choose not to specify a transitive tag key, then no tags are passed from this /// session to any subsequent sessions. /// ///

[AWSProperty(Max=50)] public List TransitiveTagKeys { get { return this._transitiveTagKeys; } set { this._transitiveTagKeys = value; } } // Check to see if TransitiveTagKeys property is set internal bool IsSetTransitiveTagKeys() { return this._transitiveTagKeys != null && this._transitiveTagKeys.Count > 0; } } }