1 | import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient";
|
2 | import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0";
|
3 | import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query";
|
4 | import { getSerdePlugin } from "@aws-sdk/middleware-serde";
|
5 | import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
|
6 | import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
|
7 | import { Command as $Command } from "@aws-sdk/smithy-client";
|
8 | import {
|
9 | FinalizeHandlerArguments,
|
10 | Handler,
|
11 | HandlerExecutionContext,
|
12 | MiddlewareStack,
|
13 | HttpHandlerOptions as __HttpHandlerOptions,
|
14 | MetadataBearer as __MetadataBearer,
|
15 | SerdeContext as __SerdeContext,
|
16 | } from "@aws-sdk/types";
|
17 |
|
18 | export interface AssumeRoleCommandInput extends AssumeRoleRequest {}
|
19 | export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer {}
|
20 |
|
21 | /**
|
22 | * <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
|
23 | * resources that you might not normally have access to. These temporary credentials
|
24 | * consist of an access key ID, a secret access key, and a security token. Typically, you
|
25 | * use <code>AssumeRole</code> within your account or for cross-account access. For a
|
26 | * comparison of <code>AssumeRole</code> with other API operations that produce temporary
|
27 | * credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
|
28 | * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
|
29 | * the STS API operations</a> in the
|
30 | * <i>IAM User Guide</i>.</p>
|
31 | * <p>
|
32 | * <b>Permissions</b>
|
33 | * </p>
|
34 | * <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
|
35 | * make API calls to any Amazon Web Services service with the following exception: You cannot call the
|
36 | * STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
|
37 | * operations.</p>
|
38 | * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
|
39 | * this operation. You can pass a single JSON policy document to use as an inline session
|
40 | * policy. You can also specify up to 10 managed policies to use as managed session policies.
|
41 | * The plaintext that you use for both inline and managed session policies can't exceed 2,048
|
42 | * characters. Passing policies to this operation returns new
|
43 | * temporary credentials. The resulting session's permissions are the intersection of the
|
44 | * role's identity-based policy and the session policies. You can use the role's temporary
|
45 | * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
|
46 | * the role. You cannot use session policies to grant more permissions than those allowed
|
47 | * by the identity-based policy of the role that is being assumed. For more information, see
|
48 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
|
49 | * Policies</a> in the <i>IAM User Guide</i>.</p>
|
50 | * <p>To assume a role from a different account, your account must be trusted by the
|
51 | * role. The trust relationship is defined in the role's trust policy when the role is
|
52 | * created. That trust policy states which accounts are allowed to delegate that access to
|
53 | * users in the account. </p>
|
54 | * <p>A user who wants to access a role in a different account must also have permissions that
|
55 | * are delegated from the user account administrator. The administrator must attach a policy
|
56 | * that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
|
57 | * account. If the user is in the same account as the role, then you can do either of the
|
58 | * following:</p>
|
59 | * <ul>
|
60 | * <li>
|
61 | * <p>Attach a policy to the user (identical to the previous user in a different
|
62 | * account).</p>
|
63 | * </li>
|
64 | * <li>
|
65 | * <p>Add the user as a principal directly in the role's trust policy.</p>
|
66 | * </li>
|
67 | * </ul>
|
68 | * <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
|
69 | * account as the role do not need explicit permission to assume the role. For more
|
70 | * information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
|
71 | * the <i>IAM User Guide</i>.</p>
|
72 | * <p>
|
73 | * <b>Tags</b>
|
74 | * </p>
|
75 | * <p>(Optional) You can pass tag key-value pairs to your session. These tags are called
|
76 | * session tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
|
77 | * <i>IAM User Guide</i>.</p>
|
78 | * <p>An administrator must grant you the permissions necessary to pass session tags. The
|
79 | * administrator can also create granular permissions to allow you to pass only specific
|
80 | * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
|
81 | * for Attribute-Based Access Control</a> in the
|
82 | * <i>IAM User Guide</i>.</p>
|
83 | * <p>You can set the session tags as transitive. Transitive tags persist during role
|
84 | * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
|
85 | * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
|
86 | * <p>
|
87 | * <b>Using MFA with AssumeRole</b>
|
88 | * </p>
|
89 | * <p>(Optional) You can include multi-factor authentication (MFA) information when you call
|
90 | * <code>AssumeRole</code>. This is useful for cross-account scenarios to ensure that the
|
91 | * user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
|
92 | * scenario, the trust policy of the role being assumed includes a condition that tests for
|
93 | * MFA authentication. If the caller does not include valid MFA information, the request to
|
94 | * assume the role is denied. The condition in a trust policy that tests for MFA
|
95 | * authentication might look like the following example.</p>
|
96 | * <p>
|
97 | * <code>"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}</code>
|
98 | * </p>
|
99 | * <p>For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html">Configuring MFA-Protected API Access</a>
|
100 | * in the <i>IAM User Guide</i> guide.</p>
|
101 | * <p>To use MFA with <code>AssumeRole</code>, you pass values for the
|
102 | * <code>SerialNumber</code> and <code>TokenCode</code> parameters. The
|
103 | * <code>SerialNumber</code> value identifies the user's hardware or virtual MFA device.
|
104 | * The <code>TokenCode</code> is the time-based one-time password (TOTP) that the MFA device
|
105 | * produces. </p>
|
106 | * @example
|
107 | * Use a bare-bones client and the command you need to make an API call.
|
108 | * ```javascript
|
109 | * import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"; // ES Modules import
|
110 | * // const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts"); // CommonJS import
|
111 | * const client = new STSClient(config);
|
112 | * const command = new AssumeRoleCommand(input);
|
113 | * const response = await client.send(command);
|
114 | * ```
|
115 | *
|
116 | * @see {@link AssumeRoleCommandInput} for command's `input` shape.
|
117 | * @see {@link AssumeRoleCommandOutput} for command's `response` shape.
|
118 | * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
|
119 | *
|
120 | */
|
121 | export class AssumeRoleCommand extends $Command<
|
122 | AssumeRoleCommandInput,
|
123 | AssumeRoleCommandOutput,
|
124 | STSClientResolvedConfig
|
125 | > {
|
126 | // Start section: command_properties
|
127 | // End section: command_properties
|
128 |
|
129 | constructor(readonly input: AssumeRoleCommandInput) {
|
130 | // Start section: command_constructor
|
131 | super();
|
132 | // End section: command_constructor
|
133 | }
|
134 |
|
135 | /**
|
136 | * @internal
|
137 | */
|
138 | resolveMiddleware(
|
139 | clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
|
140 | configuration: STSClientResolvedConfig,
|
141 | options?: __HttpHandlerOptions
|
142 | ): Handler<AssumeRoleCommandInput, AssumeRoleCommandOutput> {
|
143 | this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
|
144 | this.middlewareStack.use(getAwsAuthPlugin(configuration));
|
145 |
|
146 | const stack = clientStack.concat(this.middlewareStack);
|
147 |
|
148 | const { logger } = configuration;
|
149 | const clientName = "STSClient";
|
150 | const commandName = "AssumeRoleCommand";
|
151 | const handlerExecutionContext: HandlerExecutionContext = {
|
152 | logger,
|
153 | clientName,
|
154 | commandName,
|
155 | inputFilterSensitiveLog: AssumeRoleRequest.filterSensitiveLog,
|
156 | outputFilterSensitiveLog: AssumeRoleResponse.filterSensitiveLog,
|
157 | };
|
158 | const { requestHandler } = configuration;
|
159 | return stack.resolve(
|
160 | (request: FinalizeHandlerArguments<any>) =>
|
161 | requestHandler.handle(request.request as __HttpRequest, options || {}),
|
162 | handlerExecutionContext
|
163 | );
|
164 | }
|
165 |
|
166 | private serialize(input: AssumeRoleCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
|
167 | return serializeAws_queryAssumeRoleCommand(input, context);
|
168 | }
|
169 |
|
170 | private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<AssumeRoleCommandOutput> {
|
171 | return deserializeAws_queryAssumeRoleCommand(output, context);
|
172 | }
|
173 |
|
174 | // Start section: command_body_extra
|
175 | // End section: command_body_extra
|
176 | }
|