UNPKG

10.3 kBPlain TextView Raw
1import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient";
2import { AssumeRoleRequest, AssumeRoleResponse } from "../models/models_0";
3import { deserializeAws_queryAssumeRoleCommand, serializeAws_queryAssumeRoleCommand } from "../protocols/Aws_query";
4import { getSerdePlugin } from "@aws-sdk/middleware-serde";
5import { getAwsAuthPlugin } from "@aws-sdk/middleware-signing";
6import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
7import { Command as $Command } from "@aws-sdk/smithy-client";
8import {
9 FinalizeHandlerArguments,
10 Handler,
11 HandlerExecutionContext,
12 MiddlewareStack,
13 HttpHandlerOptions as __HttpHandlerOptions,
14 MetadataBearer as __MetadataBearer,
15 SerdeContext as __SerdeContext,
16} from "@aws-sdk/types";
17
18export interface AssumeRoleCommandInput extends AssumeRoleRequest {}
19export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataBearer {}
20
21/**
22 * <p>Returns a set of temporary security credentials that you can use to access Amazon Web Services
23 * resources that you might not normally have access to. These temporary credentials
24 * consist of an access key ID, a secret access key, and a security token. Typically, you
25 * use <code>AssumeRole</code> within your account or for cross-account access. For a
26 * comparison of <code>AssumeRole</code> with other API operations that produce temporary
27 * credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
28 * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing
29 * the STS API operations</a> in the
30 * <i>IAM User Guide</i>.</p>
31 * <p>
32 * <b>Permissions</b>
33 * </p>
34 * <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
35 * make API calls to any Amazon Web Services service with the following exception: You cannot call the
36 * STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
37 * operations.</p>
38 * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
39 * this operation. You can pass a single JSON policy document to use as an inline session
40 * policy. You can also specify up to 10 managed policies to use as managed session policies.
41 * The plaintext that you use for both inline and managed session policies can't exceed 2,048
42 * characters. Passing policies to this operation returns new
43 * temporary credentials. The resulting session's permissions are the intersection of the
44 * role's identity-based policy and the session policies. You can use the role's temporary
45 * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
46 * the role. You cannot use session policies to grant more permissions than those allowed
47 * by the identity-based policy of the role that is being assumed. For more information, see
48 * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
49 * Policies</a> in the <i>IAM User Guide</i>.</p>
50 * <p>To assume a role from a different account, your account must be trusted by the
51 * role. The trust relationship is defined in the role's trust policy when the role is
52 * created. That trust policy states which accounts are allowed to delegate that access to
53 * users in the account. </p>
54 * <p>A user who wants to access a role in a different account must also have permissions that
55 * are delegated from the user account administrator. The administrator must attach a policy
56 * that allows the user to call <code>AssumeRole</code> for the ARN of the role in the other
57 * account. If the user is in the same account as the role, then you can do either of the
58 * following:</p>
59 * <ul>
60 * <li>
61 * <p>Attach a policy to the user (identical to the previous user in a different
62 * account).</p>
63 * </li>
64 * <li>
65 * <p>Add the user as a principal directly in the role's trust policy.</p>
66 * </li>
67 * </ul>
68 * <p>In this case, the trust policy acts as an IAM resource-based policy. Users in the same
69 * account as the role do not need explicit permission to assume the role. For more
70 * information about trust policies and resource-based policies, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html">IAM Policies</a> in
71 * the <i>IAM User Guide</i>.</p>
72 * <p>
73 * <b>Tags</b>
74 * </p>
75 * <p>(Optional) You can pass tag key-value pairs to your session. These tags are called
76 * session tags. For more information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
77 * <i>IAM User Guide</i>.</p>
78 * <p>An administrator must grant you the permissions necessary to pass session tags. The
79 * administrator can also create granular permissions to allow you to pass only specific
80 * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
81 * for Attribute-Based Access Control</a> in the
82 * <i>IAM User Guide</i>.</p>
83 * <p>You can set the session tags as transitive. Transitive tags persist during role
84 * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
85 * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
86 * <p>
87 * <b>Using MFA with AssumeRole</b>
88 * </p>
89 * <p>(Optional) You can include multi-factor authentication (MFA) information when you call
90 * <code>AssumeRole</code>. This is useful for cross-account scenarios to ensure that the
91 * user that assumes the role has been authenticated with an Amazon Web Services MFA device. In that
92 * scenario, the trust policy of the role being assumed includes a condition that tests for
93 * MFA authentication. If the caller does not include valid MFA information, the request to
94 * assume the role is denied. The condition in a trust policy that tests for MFA
95 * authentication might look like the following example.</p>
96 * <p>
97 * <code>"Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}</code>
98 * </p>
99 * <p>For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html">Configuring MFA-Protected API Access</a>
100 * in the <i>IAM User Guide</i> guide.</p>
101 * <p>To use MFA with <code>AssumeRole</code>, you pass values for the
102 * <code>SerialNumber</code> and <code>TokenCode</code> parameters. The
103 * <code>SerialNumber</code> value identifies the user's hardware or virtual MFA device.
104 * The <code>TokenCode</code> is the time-based one-time password (TOTP) that the MFA device
105 * produces. </p>
106 * @example
107 * Use a bare-bones client and the command you need to make an API call.
108 * ```javascript
109 * import { STSClient, AssumeRoleCommand } from "@aws-sdk/client-sts"; // ES Modules import
110 * // const { STSClient, AssumeRoleCommand } = require("@aws-sdk/client-sts"); // CommonJS import
111 * const client = new STSClient(config);
112 * const command = new AssumeRoleCommand(input);
113 * const response = await client.send(command);
114 * ```
115 *
116 * @see {@link AssumeRoleCommandInput} for command's `input` shape.
117 * @see {@link AssumeRoleCommandOutput} for command's `response` shape.
118 * @see {@link STSClientResolvedConfig | config} for command's `input` shape.
119 *
120 */
121export class AssumeRoleCommand extends $Command<
122 AssumeRoleCommandInput,
123 AssumeRoleCommandOutput,
124 STSClientResolvedConfig
125> {
126 // Start section: command_properties
127 // End section: command_properties
128
129 constructor(readonly input: AssumeRoleCommandInput) {
130 // Start section: command_constructor
131 super();
132 // End section: command_constructor
133 }
134
135 /**
136 * @internal
137 */
138 resolveMiddleware(
139 clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
140 configuration: STSClientResolvedConfig,
141 options?: __HttpHandlerOptions
142 ): Handler<AssumeRoleCommandInput, AssumeRoleCommandOutput> {
143 this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
144 this.middlewareStack.use(getAwsAuthPlugin(configuration));
145
146 const stack = clientStack.concat(this.middlewareStack);
147
148 const { logger } = configuration;
149 const clientName = "STSClient";
150 const commandName = "AssumeRoleCommand";
151 const handlerExecutionContext: HandlerExecutionContext = {
152 logger,
153 clientName,
154 commandName,
155 inputFilterSensitiveLog: AssumeRoleRequest.filterSensitiveLog,
156 outputFilterSensitiveLog: AssumeRoleResponse.filterSensitiveLog,
157 };
158 const { requestHandler } = configuration;
159 return stack.resolve(
160 (request: FinalizeHandlerArguments<any>) =>
161 requestHandler.handle(request.request as __HttpRequest, options || {}),
162 handlerExecutionContext
163 );
164 }
165
166 private serialize(input: AssumeRoleCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
167 return serializeAws_queryAssumeRoleCommand(input, context);
168 }
169
170 private deserialize(output: __HttpResponse, context: __SerdeContext): Promise<AssumeRoleCommandOutput> {
171 return deserializeAws_queryAssumeRoleCommand(output, context);
172 }
173
174 // Start section: command_body_extra
175 // End section: command_body_extra
176}