/*
* Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
*
* Licensed under the Apache License, Version 2.0 (the "License").
* You may not use this file except in compliance with the License.
* A copy of the License is located at
*
* http://aws.amazon.com/apache2.0
*
* or in the "license" file accompanying this file. This file is distributed
* on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either
* express or implied. See the License for the specific language governing
* permissions and limitations under the License.
*/
/*
* Do not modify this file. This file is generated from the sts-2011-06-15.normal.json service model.
*/
using System;
using System.Collections.Generic;
using System.Xml.Serialization;
using System.Text;
using System.IO;
using System.Net;
using Amazon.Runtime;
using Amazon.Runtime.Internal;
namespace Amazon.SecurityToken.Model
{
///
/// Container for the parameters to the AssumeRoleWithWebIdentity operation.
/// Returns a set of temporary security credentials for users who have been authenticated
/// in a mobile or web application with a web identity provider. Example providers include
/// the OAuth 2.0 providers Login with Amazon and Facebook, or any OpenID Connect-compatible
/// identity provider such as Google or Amazon
/// Cognito federated identities.
///
///
///
/// For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon
/// Cognito with the Amazon Web Services SDK
/// for iOS Developer Guide and the Amazon
/// Web Services SDK for Android Developer Guide to uniquely identify a user. You
/// can also supply the user with a consistent identity throughout the lifetime of an
/// application.
///
///
///
/// To learn more about Amazon Cognito, see Amazon
/// Cognito identity pools in Amazon Cognito Developer Guide.
///
///
///
/// Calling AssumeRoleWithWebIdentity does not require the use of Amazon
/// Web Services security credentials. Therefore, you can distribute an application (for
/// example, on mobile devices) that requests temporary security credentials without including
/// long-term Amazon Web Services credentials in the application. You also don't need
/// to deploy server-based proxy services that use long-term Amazon Web Services credentials.
/// Instead, the identity of the caller is validated by using a token from the web identity
/// provider. For a comparison of AssumeRoleWithWebIdentity with the other
/// API operations that produce temporary credentials, see Requesting
/// Temporary Security Credentials and Comparing
/// the Amazon Web Services STS API operations in the IAM User Guide.
///
///
///
/// The temporary security credentials returned by this API consist of an access key ID,
/// a secret access key, and a security token. Applications can use these temporary security
/// credentials to sign calls to Amazon Web Services service API operations.
///
///
///
/// Session Duration
///
///
///
/// By default, the temporary security credentials created by AssumeRoleWithWebIdentity
/// last for one hour. However, you can use the optional DurationSeconds
/// parameter to specify the duration of your session. You can provide a value from 900
/// seconds (15 minutes) up to the maximum session duration setting for the role. This
/// setting can have a value from 1 hour to 12 hours. To learn how to view the maximum
/// value for your role, see View
/// the Maximum Session Duration Setting for a Role in the IAM User Guide.
/// The maximum session duration limit applies when you use the AssumeRole*
/// API operations or the assume-role* CLI commands. However the limit does
/// not apply when you use those operations to create a console URL. For more information,
/// see Using
/// IAM Roles in the IAM User Guide.
///
///
///
/// Permissions
///
///
///
/// The temporary security credentials created by AssumeRoleWithWebIdentity
/// can be used to make API calls to any Amazon Web Services service with the following
/// exception: you cannot call the STS GetFederationToken or GetSessionToken
/// API operations.
///
///
///
/// (Optional) You can pass inline or managed session
/// policies to this operation. You can pass a single JSON policy document to use
/// as an inline session policy. You can also specify up to 10 managed policy Amazon Resource
/// Names (ARNs) to use as managed session policies. The plaintext that you use for both
/// inline and managed session policies can't exceed 2,048 characters. Passing policies
/// to this operation returns new temporary credentials. The resulting session's permissions
/// are the intersection of the role's identity-based policy and the session policies.
/// You can use the role's temporary credentials in subsequent Amazon Web Services API
/// calls to access resources in the account that owns the role. You cannot use session
/// policies to grant more permissions than those allowed by the identity-based policy
/// of the role that is being assumed. For more information, see Session
/// Policies in the IAM User Guide.
///
///
///
/// Tags
///
///
///
/// (Optional) You can configure your IdP to pass attributes into your web identity token
/// as session tags. Each session tag consists of a key name and an associated value.
/// For more information about session tags, see Passing
/// Session Tags in STS in the IAM User Guide.
///
///
///
/// You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
/// characters and the values can’t exceed 256 characters. For these and additional limits,
/// see IAM
/// and STS Character Limits in the IAM User Guide.
///
///
///
/// An Amazon Web Services conversion compresses the passed inline session policy, managed
/// policy ARNs, and session tags into a packed binary format that has a separate limit.
/// Your request can fail for this limit even if your plaintext meets the other requirements.
/// The PackedPolicySize response element indicates by percentage how close
/// the policies and tags for your request are to the upper size limit.
///
///
///
/// You can pass a session tag with the same key as a tag that is attached to the role.
/// When you do, the session tag overrides the role tag with the same key.
///
///
///
/// An administrator must grant you the permissions necessary to pass session tags. The
/// administrator can also create granular permissions to allow you to pass only specific
/// session tags. For more information, see Tutorial:
/// Using Tags for Attribute-Based Access Control in the IAM User Guide.
///
///
///
/// You can set the session tags as transitive. Transitive tags persist during role chaining.
/// For more information, see Chaining
/// Roles with Session Tags in the IAM User Guide.
///
///
///
/// Identities
///
///
///
/// Before your application can call AssumeRoleWithWebIdentity, you must
/// have an identity token from a supported identity provider and create a role that the
/// application can assume. The role that your application assumes must trust the identity
/// provider that is associated with the identity token. In other words, the identity
/// provider must be specified in the role's trust policy.
///
///
///
/// Calling AssumeRoleWithWebIdentity can result in an entry in your CloudTrail
/// logs. The entry includes the Subject
/// of the provided web identity token. We recommend that you avoid using any personally
/// identifiable information (PII) in this field. For example, you could instead use a
/// GUID or a pairwise identifier, as suggested
/// in the OIDC specification.
///
///
///
/// For more information about how to use web identity federation and the AssumeRoleWithWebIdentity
/// API, see the following resources:
///
///
///
public partial class AssumeRoleWithWebIdentityRequest : AmazonSecurityTokenServiceRequest
{
private int? _durationSeconds;
private string _policy;
private List _policyArns = new List();
private string _providerId;
private string _roleArn;
private string _roleSessionName;
private string _webIdentityToken;
///
/// Gets and sets the property DurationSeconds.
///
/// The duration, in seconds, of the role session. The value can range from 900 seconds
/// (15 minutes) up to the maximum session duration setting for the role. This setting
/// can have a value from 1 hour to 12 hours. If you specify a value higher than this
/// setting, the operation fails. For example, if you specify a session duration of 12
/// hours, but your administrator set the maximum session duration to 6 hours, your operation
/// fails. To learn how to view the maximum value for your role, see View
/// the Maximum Session Duration Setting for a Role in the IAM User Guide.
///
///
///
/// By default, the value is set to 3600 seconds.
///
///
///
/// The DurationSeconds parameter is separate from the duration of a console
/// session that you might request using the returned credentials. The request to the
/// federation endpoint for a console sign-in token takes a SessionDuration
/// parameter that specifies the maximum length of the console session. For more information,
/// see Creating
/// a URL that Enables Federated Users to Access the Amazon Web Services Management Console
/// in the IAM User Guide.
///
///
///
[AWSProperty(Min=900, Max=43200)]
public int DurationSeconds
{
get { return this._durationSeconds.GetValueOrDefault(); }
set { this._durationSeconds = value; }
}
// Check to see if DurationSeconds property is set
internal bool IsSetDurationSeconds()
{
return this._durationSeconds.HasValue;
}
///
/// Gets and sets the property Policy.
///
/// An IAM policy in JSON format that you want to use as an inline session policy.
///
///
///
/// This parameter is optional. Passing policies to this operation returns new temporary
/// credentials. The resulting session's permissions are the intersection of the role's
/// identity-based policy and the session policies. You can use the role's temporary credentials
/// in subsequent Amazon Web Services API calls to access resources in the account that
/// owns the role. You cannot use session policies to grant more permissions than those
/// allowed by the identity-based policy of the role that is being assumed. For more information,
/// see Session
/// Policies in the IAM User Guide.
///
///
///
/// The plaintext that you use for both inline and managed session policies can't exceed
/// 2,048 characters. The JSON policy characters can be any ASCII character from the space
/// character to the end of the valid character list (\u0020 through \u00FF). It can also
/// include the tab (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
///
///
///
/// An Amazon Web Services conversion compresses the passed inline session policy, managed
/// policy ARNs, and session tags into a packed binary format that has a separate limit.
/// Your request can fail for this limit even if your plaintext meets the other requirements.
/// The PackedPolicySize response element indicates by percentage how close
/// the policies and tags for your request are to the upper size limit.
///
///
///
[AWSProperty(Min=1, Max=2048)]
public string Policy
{
get { return this._policy; }
set { this._policy = value; }
}
// Check to see if Policy property is set
internal bool IsSetPolicy()
{
return this._policy != null;
}
///
/// Gets and sets the property PolicyArns.
///
/// The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use
/// as managed session policies. The policies must exist in the same account as the role.
///
///
///
/// This parameter is optional. You can provide up to 10 managed policy ARNs. However,
/// the plaintext that you use for both inline and managed session policies can't exceed
/// 2,048 characters. For more information about ARNs, see Amazon
/// Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon
/// Web Services General Reference.
///
///
///
/// An Amazon Web Services conversion compresses the passed inline session policy, managed
/// policy ARNs, and session tags into a packed binary format that has a separate limit.
/// Your request can fail for this limit even if your plaintext meets the other requirements.
/// The PackedPolicySize response element indicates by percentage how close
/// the policies and tags for your request are to the upper size limit.
///
///
///
/// Passing policies to this operation returns new temporary credentials. The resulting
/// session's permissions are the intersection of the role's identity-based policy and
/// the session policies. You can use the role's temporary credentials in subsequent Amazon
/// Web Services API calls to access resources in the account that owns the role. You
/// cannot use session policies to grant more permissions than those allowed by the identity-based
/// policy of the role that is being assumed. For more information, see Session
/// Policies in the IAM User Guide.
///
///
public List PolicyArns
{
get { return this._policyArns; }
set { this._policyArns = value; }
}
// Check to see if PolicyArns property is set
internal bool IsSetPolicyArns()
{
return this._policyArns != null && this._policyArns.Count > 0;
}
///
/// Gets and sets the property ProviderId.
///
/// The fully qualified host component of the domain name of the OAuth 2.0 identity provider.
/// Do not specify this value for an OpenID Connect identity provider.
///
///
///
/// Currently www.amazon.com and graph.facebook.com are the
/// only supported identity providers for OAuth 2.0 access tokens. Do not include URL
/// schemes and port numbers.
///
///
///
/// Do not specify this value for OpenID Connect ID tokens.
///
///
[AWSProperty(Min=4, Max=2048)]
public string ProviderId
{
get { return this._providerId; }
set { this._providerId = value; }
}
// Check to see if ProviderId property is set
internal bool IsSetProviderId()
{
return this._providerId != null;
}
///
/// Gets and sets the property RoleArn.
///
/// The Amazon Resource Name (ARN) of the role that the caller is assuming.
///
///
[AWSProperty(Required=true, Min=20, Max=2048)]
public string RoleArn
{
get { return this._roleArn; }
set { this._roleArn = value; }
}
// Check to see if RoleArn property is set
internal bool IsSetRoleArn()
{
return this._roleArn != null;
}
///
/// Gets and sets the property RoleSessionName.
///
/// An identifier for the assumed role session. Typically, you pass the name or identifier
/// that is associated with the user who is using your application. That way, the temporary
/// security credentials that your application will use are associated with that user.
/// This session name is included as part of the ARN and assumed role ID in the AssumedRoleUser
/// response element.
///
///
///
/// The regex used to validate this parameter is a string of characters consisting of
/// upper- and lower-case alphanumeric characters with no spaces. You can also include
/// underscores or any of the following characters: =,.@-
///
///
[AWSProperty(Required=true, Min=2, Max=64)]
public string RoleSessionName
{
get { return this._roleSessionName; }
set { this._roleSessionName = value; }
}
// Check to see if RoleSessionName property is set
internal bool IsSetRoleSessionName()
{
return this._roleSessionName != null;
}
///
/// Gets and sets the property WebIdentityToken.
///
/// The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity
/// provider. Your application must get this token by authenticating the user who is using
/// your application with a web identity provider before the application makes an AssumeRoleWithWebIdentity
/// call. Only tokens with RSA algorithms (RS256) are supported.
///
///
[AWSProperty(Required=true, Sensitive=true, Min=4, Max=20000)]
public string WebIdentityToken
{
get { return this._webIdentityToken; }
set { this._webIdentityToken = value; }
}
// Check to see if WebIdentityToken property is set
internal bool IsSetWebIdentityToken()
{
return this._webIdentityToken != null;
}
}
}