import { Command as $Command } from "@aws-sdk/smithy-client"; import { Handler, HttpHandlerOptions as __HttpHandlerOptions, MetadataBearer as __MetadataBearer, MiddlewareStack } from "@aws-sdk/types"; import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0"; import { ServiceInputTypes, ServiceOutputTypes, STSClientResolvedConfig } from "../STSClient"; export interface AssumeRoleCommandInput extends AssumeRoleRequest { } export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer { } /** *

Returns a set of temporary security credentials that you can use to access Amazon Web Services * resources that you might not normally have access to. These temporary credentials * consist of an access key ID, a secret access key, and a security token. Typically, you * use AssumeRole within your account or for cross-account access. For a * comparison of AssumeRole with other API operations that produce temporary * credentials, see Requesting Temporary Security * Credentials and Comparing * the STS API operations in the * IAM User Guide.

*

* Permissions *

*

The temporary security credentials created by AssumeRole can be used to * make API calls to any Amazon Web Services service with the following exception: You cannot call the * STS GetFederationToken or GetSessionToken API * operations.

*

(Optional) You can pass inline or managed session policies to * this operation. You can pass a single JSON policy document to use as an inline session * policy. You can also specify up to 10 managed policies to use as managed session policies. * The plaintext that you use for both inline and managed session policies can't exceed 2,048 * characters. Passing policies to this operation returns new * temporary credentials. The resulting session's permissions are the intersection of the * role's identity-based policy and the session policies. You can use the role's temporary * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns * the role. You cannot use session policies to grant more permissions than those allowed * by the identity-based policy of the role that is being assumed. For more information, see * Session * Policies in the IAM User Guide.

*

To assume a role from a different account, your account must be trusted by the * role. The trust relationship is defined in the role's trust policy when the role is * created. That trust policy states which accounts are allowed to delegate that access to * users in the account.

*

A user who wants to access a role in a different account must also have permissions that * are delegated from the user account administrator. The administrator must attach a policy * that allows the user to call AssumeRole for the ARN of the role in the other * account. If the user is in the same account as the role, then you can do either of the * following:

* *

In this case, the trust policy acts as an IAM resource-based policy. Users in the same * account as the role do not need explicit permission to assume the role. For more * information about trust policies and resource-based policies, see IAM Policies in * the IAM User Guide.

*

* Tags *

*

(Optional) You can pass tag key-value pairs to your session. These tags are called * session tags. For more information about session tags, see Passing Session Tags in STS in the * IAM User Guide.

*

An administrator must grant you the permissions necessary to pass session tags. The * administrator can also create granular permissions to allow you to pass only specific * session tags. For more information, see Tutorial: Using Tags * for Attribute-Based Access Control in the * IAM User Guide.

*

You can set the session tags as transitive. Transitive tags persist during role * chaining. For more information, see Chaining Roles * with Session Tags in the IAM User Guide.

*

* Using MFA with AssumeRole *

*

(Optional) You can include multi-factor authentication (MFA) information when you call * AssumeRole. This is useful for cross-account scenarios to ensure that the * user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that * scenario, the trust policy of the role being assumed includes a condition that tests for * MFA authentication. If the caller does not include valid MFA information, the request to * assume the role is denied. The condition in a trust policy that tests for MFA * authentication might look like the following example.

*

* "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}} *

*

For more information, see Configuring MFA-Protected API Access * in the IAM User Guide guide.

*

To use MFA with AssumeRole, you pass values for the * SerialNumber and TokenCode parameters. The * SerialNumber value identifies the user's hardware or virtual MFA device. * The TokenCode is the time-based one-time password (TOTP) that the MFA device * produces.

* @example * Use a bare-bones client and the command you need to make an API call. * ```javascript * import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"; // ES Modules import * // const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts"); // CommonJS import * const client = new STSClient(config); * const command = new AssumeRoleCommand(input); * const response = await client.send(command); * ``` * * @see {@link AssumeRoleCommandInput} for command's `input` shape. * @see {@link AssumeRoleCommandOutput} for command's `response` shape. * @see {@link STSClientResolvedConfig | config} for command's `input` shape. * */ export declare class AssumeRoleCommand extends $Command { readonly input: AssumeRoleCommandInput; constructor(input: AssumeRoleCommandInput); /** * @internal */ resolveMiddleware(clientStack: MiddlewareStack, configuration: STSClientResolvedConfig, options?: __HttpHandlerOptions): Handler; private serialize; private deserialize; }