import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient"; import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0"; import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query"; import { getSerdePlugin } from "@aws-sdk/middleware-serde"; import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing"; import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http"; import { Command as $Command } from "@aws-sdk/smithy-client"; import { FinalizeHandlerArguments, Handler, HandlerExecutionContext, MiddlewareStack, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, SerdeContext as __SerdeContext, } from "@aws-sdk/types"; export interface AssumeRoleCommandInput extends AssumeRoleRequest {} export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer {} /** *
Returns a set of temporary security credentials that you can use to access Amazon Web Services
* resources that you might not normally have access to. These temporary credentials
* consist of an access key ID, a secret access key, and a security token. Typically, you
* use AssumeRole
within your account or for cross-account access. For a
* comparison of AssumeRole
with other API operations that produce temporary
* credentials, see Requesting Temporary Security
* Credentials and Comparing
* the STS API operations in the
* IAM User Guide.
* Permissions *
*The temporary security credentials created by AssumeRole
can be used to
* make API calls to any Amazon Web Services service with the following exception: You cannot call the
* STS GetFederationToken
or GetSessionToken
API
* operations.
(Optional) You can pass inline or managed session policies to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policies to use as managed session policies. * The plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.
*To assume a role from a different account, your account must be trusted by the * role. The trust relationship is defined in the role's trust policy when the role is * created. That trust policy states which accounts are allowed to delegate that access to * users in the account.
*A user who wants to access a role in a different account must also have permissions that
* are delegated from the user account administrator. The administrator must attach a policy
* that allows the user to call AssumeRole
for the ARN of the role in the other
* account. If the user is in the same account as the role, then you can do either of the
* following:
Attach a policy to the user (identical to the previous user in a different * account).
*Add the user as a principal directly in the role's trust policy.
*In this case, the trust policy acts as an IAM resource-based policy. Users in the same * account as the role do not need explicit permission to assume the role. For more * information about trust policies and resource-based policies, see IAM Policies in * the IAM User Guide.
** Tags *
*(Optional) You can pass tag key-value pairs to your session. These tags are called * session tags. For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.
*An administrator must grant you the permissions necessary to pass session tags. The * administrator can also create granular permissions to allow you to pass only specific * session tags. For more information, see Tutorial: Using Tags * for Attribute-Based Access Control in the * IAM User Guide.
*You can set the session tags as transitive. Transitive tags persist during role * chaining. For more information, see Chaining Roles * with Session Tags in the IAM User Guide.
** Using MFA with AssumeRole *
*(Optional) You can include multi-factor authentication (MFA) information when you call
* AssumeRole
. This is useful for cross-account scenarios to ensure that the
* user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
* scenario, the trust policy of the role being assumed includes a condition that tests for
* MFA authentication. If the caller does not include valid MFA information, the request to
* assume the role is denied. The condition in a trust policy that tests for MFA
* authentication might look like the following example.
* "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
*
For more information, see Configuring MFA-Protected API Access * in the IAM User Guide guide.
*To use MFA with AssumeRole
, you pass values for the
* SerialNumber
and TokenCode
parameters. The
* SerialNumber
value identifies the user's hardware or virtual MFA device.
* The TokenCode
is the time-based one-time password (TOTP) that the MFA device
* produces.