1 | import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient";
|
2 | import { AssumeRoleWithWebIdentityRequest, AssumeRoleWithWebIdentityResponse } from "../models/models_0";
|
3 | import {
|
4 | deserializeAws_queryAssumeRoleWithWebIdentityCommand,
|
5 | serializeAws_queryAssumeRoleWithWebIdentityCommand,
|
6 | } from "../protocols/Aws_query";
|
7 | import { getSerdePlugin } from "@aws-sdk/middleware-serde";
|
8 | import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
|
9 | import { Command as $Command } from "@aws-sdk/smithy-client";
|
10 | import {
|
11 | FinalizeHandlerArguments,
|
12 | Handler,
|
13 | HandlerExecutionContext,
|
14 | MiddlewareStack,
|
15 | HttpHandlerOptions as __HttpHandlerOptions,
|
16 | MetadataBearer as __MetadataBearer,
|
17 | SerdeContext as __SerdeContext,
|
18 | } from "@aws-sdk/types";
|
19 |
|
/**
 * Input for {@link AssumeRoleWithWebIdentityCommand}; the fields are those of
 * `AssumeRoleWithWebIdentityRequest` (from `../models/models_0`). Per the operation
 * documentation below, the caller is authenticated solely by the web identity token
 * carried in this request, so the token is a bearer credential: keep it out of
 * application logs, error messages and crash reports.
 */
export interface AssumeRoleWithWebIdentityCommandInput extends AssumeRoleWithWebIdentityRequest {}
/**
 * Output of {@link AssumeRoleWithWebIdentityCommand}: `AssumeRoleWithWebIdentityResponse`
 * plus the SDK response metadata mixed in via `__MetadataBearer`. Per the operation
 * documentation below, the response holds temporary credentials (access key ID, secret
 * access key, session token) — treat the whole object as a secret.
 */
export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWebIdentityResponse, __MetadataBearer {}
|
22 |
|
23 | /**
|
24 | * <p>Returns a set of temporary security credentials for users who have been authenticated in
|
25 | * a mobile or web application with a web identity provider. Example providers include Amazon Cognito,
|
26 | * Login with Amazon, Facebook, Google, or any OpenID Connect-compatible identity
|
27 | * provider.</p>
|
28 | * <note>
|
29 | * <p>For mobile applications, we recommend that you use Amazon Cognito. You can use Amazon Cognito with the
|
30 | * <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and the <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a> to uniquely
|
31 | * identify a user. You can also supply the user with a consistent identity throughout the
|
32 | * lifetime of an application.</p>
|
33 | * <p>To learn more about Amazon Cognito, see <a href="https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840">Amazon Cognito Overview</a> in
|
34 | * <i>Amazon Web Services SDK for Android Developer Guide</i> and <a href="https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664">Amazon Cognito Overview</a> in the
|
35 | * <i>Amazon Web Services SDK for iOS Developer Guide</i>.</p>
|
36 | * </note>
|
37 | * <p>Calling <code>AssumeRoleWithWebIdentity</code> does not require the use of Amazon Web Services
|
38 | * security credentials. Therefore, you can distribute an application (for example, on mobile
|
39 | * devices) that requests temporary security credentials without including long-term Amazon Web Services
|
40 | * credentials in the application. You also don't need to deploy server-based proxy services
|
41 | * that use long-term Amazon Web Services credentials. Instead, the identity of the caller is validated by
|
42 | * using a token from the web identity provider. Because the request itself is not signed with Amazon Web Services credentials, that token is the only credential presented; it is a bearer token and must be protected in transit and at rest like any other secret. For a comparison of
|
43 | * <code>AssumeRoleWithWebIdentity</code> with the other API operations that produce
|
44 | * temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
|
45 | * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
|
46 | * STS API operations</a> in the <i>IAM User Guide</i>.</p>
|
47 | * <p>The temporary security credentials returned by this API consist of an access key ID, a
|
48 | * secret access key, and a security token. Applications can use these temporary security
|
49 | * credentials to sign calls to Amazon Web Services service API operations.</p>
|
50 | * <p>
|
51 | * <b>Session Duration</b>
|
52 | * </p>
|
53 | * <p>By default, the temporary security credentials created by
|
54 | * <code>AssumeRoleWithWebIdentity</code> last for one hour. However, you can use the
|
55 | * optional <code>DurationSeconds</code> parameter to specify the duration of your session.
|
56 | * You can provide a value from 900 seconds (15 minutes) up to the maximum session duration
|
57 | * setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how
|
58 | * to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
|
59 | * Maximum Session Duration Setting for a Role</a> in the
|
60 | * <i>IAM User Guide</i>. The maximum session duration limit applies when
|
61 | * you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
|
62 | * commands. However the limit does not apply when you use those operations to create a
|
63 | * console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
|
64 | * <i>IAM User Guide</i>. </p>
|
65 | * <p>
|
66 | * <b>Permissions</b>
|
67 | * </p>
|
68 | * <p>The temporary security credentials created by <code>AssumeRoleWithWebIdentity</code> can
|
69 | * be used to make API calls to any Amazon Web Services service with the following exception: you cannot
|
70 | * call the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
|
71 | * operations.</p>
|
72 | * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
|
73 | * this operation. You can pass a single JSON policy document to use as an inline session
|
74 | * policy. You can also specify up to 10 managed policies to use as managed session policies.
|
75 | * The plaintext that you use for both inline and managed session policies can't exceed 2,048
|
76 | * characters. Passing policies to this operation returns new
|
77 | * temporary credentials. The resulting session's permissions are the intersection of the
|
78 | * role's identity-based policy and the session policies. You can use the role's temporary
|
79 | * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
|
80 | * the role. You cannot use session policies to grant more permissions than those allowed
|
81 | * by the identity-based policy of the role that is being assumed. For more information, see
|
82 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
|
83 | * Policies</a> in the <i>IAM User Guide</i>.</p>
|
84 | * <p>
|
85 | * <b>Tags</b>
|
86 | * </p>
|
87 | * <p>(Optional) You can configure your IdP to pass attributes into your web identity token as
|
88 | * session tags. Each session tag consists of a key name and an associated value. For more
|
89 | * information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
|
90 | * <i>IAM User Guide</i>.</p>
|
91 | * <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
|
92 | * characters and the values can’t exceed 256 characters. For these and additional limits, see
|
93 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
|
94 | * and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
|
95 | *
|
96 | * <note>
|
97 | * <p>An Amazon Web Services conversion compresses the passed session policies and session tags into a
|
98 | * packed binary format that has a separate limit. Your request can fail for this limit
|
99 | * even if your plaintext meets the other requirements. The <code>PackedPolicySize</code>
|
100 | * response element indicates by percentage how close the policies and tags for your
|
101 | * request are to the upper size limit.
|
102 | * </p>
|
103 | * </note>
|
104 | * <p>You can pass a session tag with the same key as a tag that is
|
105 | * attached to the role. When you do, the session tag overrides the role tag with the same
|
106 | * key.</p>
|
107 | * <p>An administrator must grant you the permissions necessary to pass session tags. The
|
108 | * administrator can also create granular permissions to allow you to pass only specific
|
109 | * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
|
110 | * for Attribute-Based Access Control</a> in the
|
111 | * <i>IAM User Guide</i>.</p>
|
112 | * <p>You can set the session tags as transitive. Transitive tags persist during role
|
113 | * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
|
114 | * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
|
115 | * <p>
|
116 | * <b>Identities</b>
|
117 | * </p>
|
118 | * <p>Before your application can call <code>AssumeRoleWithWebIdentity</code>, you must have
|
119 | * an identity token from a supported identity provider and create a role that the application
|
120 | * can assume. The role that your application assumes must trust the identity provider that is
|
121 | * associated with the identity token. In other words, the identity provider must be specified
|
122 | * in the role's trust policy. Because this call is not signed with Amazon Web Services credentials, the trust policy is also the only place where you can restrict which tokens from that provider (for example, by their claims) are allowed to assume the role. </p>
|
123 | * <important>
|
124 | * <p>Calling <code>AssumeRoleWithWebIdentity</code> can result in an entry in your
|
125 | * CloudTrail logs. The entry includes the <a href="http://openid.net/specs/openid-connect-core-1_0.html#Claims">Subject</a> of
|
126 | * the provided web identity token. We recommend that you avoid using any personally
|
127 | * identifiable information (PII) in this field. For example, you could instead use a GUID
|
128 | * or a pairwise identifier, as <a href="http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">suggested
|
129 | * in the OIDC specification</a>.</p>
|
130 | * </important>
|
131 | * <p>For more information about how to use web identity federation and the
|
132 | * <code>AssumeRoleWithWebIdentity</code> API, see the following resources: </p>
|
133 | * <ul>
|
134 | * <li>
|
135 | * <p>
|
136 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html">Using Web Identity Federation API Operations for Mobile Apps</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity">Federation Through a Web-based Identity Provider</a>. </p>
|
137 | * </li>
|
138 | * <li>
|
139 | * <p>
|
140 | * <a href="https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/"> Web Identity Federation Playground</a>. Walk through the process of
|
141 | * authenticating through Login with Amazon, Facebook, or Google, getting temporary
|
142 | * security credentials, and then using those credentials to make a request to Amazon Web Services.
|
143 | * </p>
|
144 | * </li>
|
145 | * <li>
|
146 | * <p>
|
147 | * <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a>. These toolkits
|
148 | * contain sample apps that show how to invoke the identity providers. The toolkits then
|
149 | * show how to use the information from these providers to get and use temporary
|
150 | * security credentials. </p>
|
151 | * </li>
|
152 | * <li>
|
153 | * <p>
|
154 | * <a href="http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications">Web Identity
|
155 | * Federation with Mobile Applications</a>. This article discusses web identity
|
156 | * federation and shows an example of how to use web identity federation to get access
|
157 | * to content in Amazon S3. </p>
|
158 | * </li>
|
159 | * </ul>
|
160 | * @example
|
161 | * Use a bare-bones client and the command you need to make an API call.
|
162 | * ```javascript
|
163 | * import { STSClient, AssumeRoleWithWebIdentityCommand } from "@aws-sdk/client-sts"; // ES Modules import
|
164 | * // const { STSClient, AssumeRoleWithWebIdentityCommand } = require("@aws-sdk/client-sts"); // CommonJS import
|
165 | * const client = new STSClient(config);
|
166 | * const command = new AssumeRoleWithWebIdentityCommand(input);
|
167 | * const response = await client.send(command);
|
168 | * ```
|
169 | *
|
170 | * @see {@link AssumeRoleWithWebIdentityCommandInput} for command's `input` shape.
|
171 | * @see {@link AssumeRoleWithWebIdentityCommandOutput} for command's `response` shape.
|
172 | * @see {@link STSClientResolvedConfig | config} for STSClient's `config` shape.
|
173 | *
|
174 | */
|
export class AssumeRoleWithWebIdentityCommand extends $Command<
  AssumeRoleWithWebIdentityCommandInput,
  AssumeRoleWithWebIdentityCommandOutput,
  STSClientResolvedConfig
> {
  // Command for the STS AssumeRoleWithWebIdentity operation (documented above):
  // exchanges a web identity token for temporary credentials over the AWS Query
  // protocol. Both the input (the token) and the output (the credentials) are
  // secrets; see the logging note in resolveMiddleware.
  //
  // The "Start section" / "End section" markers are code-generator anchors —
  // hand-written additions belong between them so regeneration keeps them.

  // Start section: command_properties
  // End section: command_properties

  /**
   * @param input - request parameters for the operation; exposed as a readonly
   *   public property so middleware can inspect it.
   */
  constructor(readonly input: AssumeRoleWithWebIdentityCommandInput) {
    // Start section: command_constructor
    super();
    // End section: command_constructor
  }

  /**
   * Registers this command's serde plugin on the command-level middleware stack,
   * concatenates it onto the client-level stack, and resolves the handler that
   * performs the HTTP round trip via the configured request handler.
   * @internal
   */
  resolveMiddleware(
    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
    configuration: STSClientResolvedConfig,
    options?: __HttpHandlerOptions
  ): Handler<AssumeRoleWithWebIdentityCommandInput, AssumeRoleWithWebIdentityCommandOutput> {
    // The serde plugin must be on the command stack before concatenation.
    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
    const combinedStack = clientStack.concat(this.middlewareStack);

    const { logger, requestHandler } = configuration;
    // The model's filterSensitiveLog functions are handed to the execution
    // context; presumably the SDK's logging middleware applies them before
    // emitting request/response objects to `logger`. NOTE(review): confirm that
    // these filters actually redact the web identity token and the returned
    // secret key / session token in this SDK version — the command itself does
    // no redaction.
    const executionContext: HandlerExecutionContext = {
      logger,
      clientName: "STSClient",
      commandName: "AssumeRoleWithWebIdentityCommand",
      inputFilterSensitiveLog: AssumeRoleWithWebIdentityRequest.filterSensitiveLog,
      outputFilterSensitiveLog: AssumeRoleWithWebIdentityResponse.filterSensitiveLog,
    };

    // Terminal handler: hand the finalized HTTP request to the request handler.
    const terminalHandler = (args: FinalizeHandlerArguments<any>) =>
      requestHandler.handle(args.request as __HttpRequest, options || {});
    return combinedStack.resolve(terminalHandler, executionContext);
  }

  /** Encodes the request as an AWS Query-protocol HTTP request. */
  private serialize(input: AssumeRoleWithWebIdentityCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
    return serializeAws_queryAssumeRoleWithWebIdentityCommand(input, context);
  }

  /** Parses the AWS Query-protocol HTTP response into the command output shape. */
  private deserialize(
    output: __HttpResponse,
    context: __SerdeContext
  ): Promise<AssumeRoleWithWebIdentityCommandOutput> {
    return deserializeAws_queryAssumeRoleWithWebIdentityCommand(output, context);
  }

  // Start section: command_body_extra
  // End section: command_body_extra
}
|