1 | import { STSClientResolvedConfig, ServiceInputTypes, ServiceOutputTypes } from "../STSClient";
|
2 | import { AssumeRoleWithSAMLRequest, AssumeRoleWithSAMLResponse } from "../models/models_0";
|
3 | import {
|
4 | deserializeAws_queryAssumeRoleWithSAMLCommand,
|
5 | serializeAws_queryAssumeRoleWithSAMLCommand,
|
6 | } from "../protocols/Aws_query";
|
7 | import { getSerdePlugin } from "@aws-sdk/middleware-serde";
|
8 | import { HttpRequest as __HttpRequest, HttpResponse as __HttpResponse } from "@aws-sdk/protocol-http";
|
9 | import { Command as $Command } from "@aws-sdk/smithy-client";
|
10 | import {
|
11 | FinalizeHandlerArguments,
|
12 | Handler,
|
13 | HandlerExecutionContext,
|
14 | MiddlewareStack,
|
15 | HttpHandlerOptions as __HttpHandlerOptions,
|
16 | MetadataBearer as __MetadataBearer,
|
17 | SerdeContext as __SerdeContext,
|
18 | } from "@aws-sdk/types";
|
19 |
|
/**
 * Input shape for {@link AssumeRoleWithSAMLCommand}: exactly the modeled
 * `AssumeRoleWithSAMLRequest` from `models_0`, re-exported under the command's name.
 */
export interface AssumeRoleWithSAMLCommandInput extends AssumeRoleWithSAMLRequest {}

/**
 * Output shape for {@link AssumeRoleWithSAMLCommand}: the modeled
 * `AssumeRoleWithSAMLResponse` plus the response metadata carried by `__MetadataBearer`.
 */
export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLResponse, __MetadataBearer {}
|
22 |
|
23 | /**
|
24 | * <p>Returns a set of temporary security credentials for users who have been authenticated
|
25 | * via a SAML authentication response. This operation provides a mechanism for tying an
|
26 | * enterprise identity store or directory to role-based Amazon Web Services access without user-specific
|
27 | * credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
|
28 | * other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
|
29 | * Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
|
30 | * STS API operations</a> in the <i>IAM User Guide</i>.</p>
|
31 | * <p>The temporary security credentials returned by this operation consist of an access key
|
32 | * ID, a secret access key, and a security token. Applications can use these temporary
|
33 | * security credentials to sign calls to Amazon Web Services services.</p>
|
34 | * <p>
|
35 | * <b>Session Duration</b>
|
36 | * </p>
|
37 | * <p>By default, the temporary security credentials created by
|
38 | * <code>AssumeRoleWithSAML</code> last for one hour. However, you can use the optional
|
39 | * <code>DurationSeconds</code> parameter to specify the duration of your session. Your
|
40 | * role session lasts for the duration that you specify, or until the time specified in the
|
41 | * SAML authentication response's <code>SessionNotOnOrAfter</code> value, whichever is
|
42 | * shorter. You can provide a <code>DurationSeconds</code> value from 900 seconds (15 minutes)
|
43 | * up to the maximum session duration setting for the role. This setting can have a value from
|
44 | * 1 hour to 12 hours. To learn how to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
|
45 | * Maximum Session Duration Setting for a Role</a> in the
|
46 | * <i>IAM User Guide</i>. The maximum session duration limit applies when
|
47 | * you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
|
48 | * commands. However the limit does not apply when you use those operations to create a
|
49 | * console URL. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html">Using IAM Roles</a> in the
|
50 | * <i>IAM User Guide</i>.</p>
|
51 | * <note>
|
52 | * <p>
|
53 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining">Role chaining</a> limits your CLI or Amazon Web Services API
|
54 | * role session to a maximum of one hour. When you use the <code>AssumeRole</code> API
|
55 | * operation to assume a role, you can specify the duration of your role session with
|
56 | * the <code>DurationSeconds</code> parameter. You can specify a parameter value of up
|
57 | * to 43200 seconds (12 hours), depending on the maximum session duration setting for
|
58 | * your role. However, if you assume a role using role chaining and provide a
|
59 | * <code>DurationSeconds</code> parameter value greater than one hour, the
|
60 | * operation fails.</p>
|
61 | * </note>
|
62 | * <p>
|
63 | * <b>Permissions</b>
|
64 | * </p>
|
65 | * <p>The temporary security credentials created by <code>AssumeRoleWithSAML</code> can be
|
66 | * used to make API calls to any Amazon Web Services service with the following exception: you cannot call
|
67 | * the STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
|
68 | * operations.</p>
|
69 | * <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
|
70 | * this operation. You can pass a single JSON policy document to use as an inline session
|
71 | * policy. You can also specify up to 10 managed policies to use as managed session policies.
|
72 | * The plaintext that you use for both inline and managed session policies can't exceed 2,048
|
73 | * characters. Passing policies to this operation returns new
|
74 | * temporary credentials. The resulting session's permissions are the intersection of the
|
75 | * role's identity-based policy and the session policies. You can use the role's temporary
|
76 | * credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
|
77 | * the role. You cannot use session policies to grant more permissions than those allowed
|
78 | * by the identity-based policy of the role that is being assumed. For more information, see
|
79 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">Session
|
80 | * Policies</a> in the <i>IAM User Guide</i>.</p>
|
81 | * <p>Calling <code>AssumeRoleWithSAML</code> does not require the use of Amazon Web Services security
|
82 | * credentials. The identity of the caller is validated by using keys in the metadata document
|
83 | * that is uploaded for the SAML provider entity for your identity provider. </p>
|
84 | * <important>
|
85 | * <p>Calling <code>AssumeRoleWithSAML</code> can result in an entry in your CloudTrail logs.
|
86 | * The entry includes the value in the <code>NameID</code> element of the SAML assertion.
|
87 | * We recommend that you use a <code>NameIDType</code> that is not associated with any
|
88 | * personally identifiable information (PII). For example, you could instead use the
|
89 | * persistent identifier
|
90 | * (<code>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</code>).</p>
|
91 | * </important>
|
92 | * <p>
|
93 | * <b>Tags</b>
|
94 | * </p>
|
95 | * <p>(Optional) You can configure your IdP to pass attributes into your SAML assertion as
|
96 | * session tags. Each session tag consists of a key name and an associated value. For more
|
97 | * information about session tags, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in the
|
98 | * <i>IAM User Guide</i>.</p>
|
99 | * <p>You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128
|
100 | * characters and the values can’t exceed 256 characters. For these and additional limits, see
|
101 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length">IAM
|
102 | * and STS Character Limits</a> in the <i>IAM User Guide</i>.</p>
|
103 | *
|
104 | * <note>
|
105 | * <p>An Amazon Web Services conversion compresses the passed session policies and session tags into a
|
106 | * packed binary format that has a separate limit. Your request can fail for this limit
|
107 | * even if your plaintext meets the other requirements. The <code>PackedPolicySize</code>
|
108 | * response element indicates by percentage how close the policies and tags for your
|
109 | * request are to the upper size limit.
|
110 | * </p>
|
111 | * </note>
|
112 | * <p>You can pass a session tag with the same key as a tag that is
|
113 | * attached to the role. When you do, session tags override the role's tags with the same
|
114 | * key.</p>
|
115 | * <p>An administrator must grant you the permissions necessary to pass session tags. The
|
116 | * administrator can also create granular permissions to allow you to pass only specific
|
117 | * session tags. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html">Tutorial: Using Tags
|
118 | * for Attribute-Based Access Control</a> in the
|
119 | * <i>IAM User Guide</i>.</p>
|
120 | * <p>You can set the session tags as transitive. Transitive tags persist during role
|
121 | * chaining. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining">Chaining Roles
|
122 | * with Session Tags</a> in the <i>IAM User Guide</i>.</p>
|
123 | * <p>
|
124 | * <b>SAML Configuration</b>
|
125 | * </p>
|
126 | * <p>Before your application can call <code>AssumeRoleWithSAML</code>, you must configure
|
127 | * your SAML identity provider (IdP) to issue the claims required by Amazon Web Services. Additionally, you
|
128 | * must use Identity and Access Management (IAM) to create a SAML provider entity in your Amazon Web Services account that
|
129 | * represents your identity provider. You must also create an IAM role that specifies this
|
130 | * SAML provider in its trust policy. </p>
|
131 | * <p>For more information, see the following resources:</p>
|
132 | * <ul>
|
133 | * <li>
|
134 | * <p>
|
135 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html">About
|
136 | * SAML 2.0-based Federation</a> in the <i>IAM User Guide</i>.
|
137 | * </p>
|
138 | * </li>
|
139 | * <li>
|
140 | * <p>
|
141 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html">Creating SAML Identity Providers</a> in the
|
142 | * <i>IAM User Guide</i>. </p>
|
143 | * </li>
|
144 | * <li>
|
145 | * <p>
|
146 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html">Configuring
|
147 | * a Relying Party and Claims</a> in the <i>IAM User Guide</i>.
|
148 | * </p>
|
149 | * </li>
|
150 | * <li>
|
151 | * <p>
|
152 | * <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html">Creating a Role for SAML 2.0 Federation</a> in the
|
153 | * <i>IAM User Guide</i>. </p>
|
154 | * </li>
|
155 | * </ul>
|
156 | * @example
|
157 | * Use a bare-bones client and the command you need to make an API call.
|
158 | * ```javascript
|
159 | * import { STSClient, AssumeRoleWithSAMLCommand } from "@aws-sdk/client-sts"; // ES Modules import
|
160 | * // const { STSClient, AssumeRoleWithSAMLCommand } = require("@aws-sdk/client-sts"); // CommonJS import
|
161 | * const client = new STSClient(config);
|
162 | * const command = new AssumeRoleWithSAMLCommand(input);
|
163 | * const response = await client.send(command);
|
164 | * ```
|
165 | *
|
166 | * @see {@link AssumeRoleWithSAMLCommandInput} for command's `input` shape.
|
167 | * @see {@link AssumeRoleWithSAMLCommandOutput} for command's `response` shape.
|
168 | * @see {@link STSClientResolvedConfig | config} for STSClient's `config` shape.
|
169 | *
|
170 | */
|
export class AssumeRoleWithSAMLCommand extends $Command<
  AssumeRoleWithSAMLCommandInput,
  AssumeRoleWithSAMLCommandOutput,
  STSClientResolvedConfig
> {
  // Start section: command_properties
  // End section: command_properties

  /**
   * @param input - parameters of the AssumeRoleWithSAML request. Kept on the instance
   *   (`readonly`) so the serializer installed in {@link resolveMiddleware} can read it.
   */
  constructor(readonly input: AssumeRoleWithSAMLCommandInput) {
    // Start section: command_constructor
    super();
    // End section: command_constructor
  }

  /**
   * Installs the serde plugin on this command's middleware stack, joins that stack with
   * the client's, and resolves the combined stack into a handler whose final step hands
   * the built HTTP request to the configured `requestHandler`.
   *
   * The execution context passed to `resolve` names the client/command for logging and
   * carries the model-provided `filterSensitiveLog` functions for the request and the
   * response; those filters are intended to redact sensitive fields before the logger
   * sees them (what exactly each one redacts is defined in `models_0`, not here).
   *
   * @param clientStack - the STS client's middleware stack
   * @param configuration - resolved client configuration (logger, requestHandler, ...)
   * @param options - optional per-request HTTP handler options; `{}` when omitted
   * @returns the resolved handler for this command's input/output types
   * @internal
   */
  resolveMiddleware(
    clientStack: MiddlewareStack<ServiceInputTypes, ServiceOutputTypes>,
    configuration: STSClientResolvedConfig,
    options?: __HttpHandlerOptions
  ): Handler<AssumeRoleWithSAMLCommandInput, AssumeRoleWithSAMLCommandOutput> {
    const { logger, requestHandler } = configuration;

    // serialize/deserialize do not touch `this`, so passing them unbound is safe.
    this.middlewareStack.use(getSerdePlugin(configuration, this.serialize, this.deserialize));
    const combinedStack = clientStack.concat(this.middlewareStack);

    const executionContext: HandlerExecutionContext = {
      logger,
      clientName: "STSClient",
      commandName: "AssumeRoleWithSAMLCommand",
      inputFilterSensitiveLog: AssumeRoleWithSAMLRequest.filterSensitiveLog,
      outputFilterSensitiveLog: AssumeRoleWithSAMLResponse.filterSensitiveLog,
    };

    // Last step of the chain: send the finalized HTTP request through the client's
    // request handler, defaulting the handler options to an empty object.
    const sendRequest = (args: FinalizeHandlerArguments<any>) =>
      requestHandler.handle(args.request as __HttpRequest, options ?? {});

    return combinedStack.resolve(sendRequest, executionContext);
  }

  /**
   * Serializes the command input into an HTTP request using the AWS Query protocol.
   *
   * @param input - the command input to serialize
   * @param context - serde context supplied by the serde middleware
   */
  private serialize(input: AssumeRoleWithSAMLCommandInput, context: __SerdeContext): Promise<__HttpRequest> {
    return serializeAws_queryAssumeRoleWithSAMLCommand(input, context);
  }

  /**
   * Deserializes an AWS Query protocol HTTP response into the command output.
   *
   * @param response - the raw HTTP response from the service
   * @param context - serde context supplied by the serde middleware
   */
  private deserialize(response: __HttpResponse, context: __SerdeContext): Promise<AssumeRoleWithSAMLCommandOutput> {
    return deserializeAws_queryAssumeRoleWithSAMLCommand(response, context);
  }

  // Start section: command_body_extra
  // End section: command_body_extra
}
|