Commit
feat(client-sts): This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
awstools committed Nov 14, 2024
1 parent 5c7c349 commit 5528f54
Showing 14 changed files with 584 additions and 120 deletions.
8 changes: 8 additions & 0 deletions clients/client-sts/README.md
Expand Up @@ -230,6 +230,14 @@ AssumeRoleWithWebIdentity

[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/AssumeRoleWithWebIdentityCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleWithWebIdentityCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleWithWebIdentityCommandOutput/)

</details>
<details>
<summary>
AssumeRoot
</summary>

[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/AssumeRootCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRootCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRootCommandOutput/)

</details>
<details>
<summary>
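Review bot: The new `<summary>AssumeRoot</summary>` entry carries only the Command/Input/Output reference links, exactly like its siblings, so nothing in the README tells a reader that this operation differs from the AssumeRole* family; the commit message says it returns short-term credentials for performing privileged tasks, so a one-line summary under the details block (or a pointer to the AssumeRootCommand doc comment) would make the privileged nature visible where the operation is first listed.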
13 changes: 13 additions & 0 deletions clients/client-sts/src/STS.ts
Expand Up @@ -13,6 +13,7 @@ import {
AssumeRoleWithWebIdentityCommandInput,
AssumeRoleWithWebIdentityCommandOutput,
} from "./commands/AssumeRoleWithWebIdentityCommand";
import { AssumeRootCommand, AssumeRootCommandInput, AssumeRootCommandOutput } from "./commands/AssumeRootCommand";
import {
DecodeAuthorizationMessageCommand,
DecodeAuthorizationMessageCommandInput,
Expand Down Expand Up @@ -44,6 +45,7 @@ const commands = {
AssumeRoleCommand,
AssumeRoleWithSAMLCommand,
AssumeRoleWithWebIdentityCommand,
AssumeRootCommand,
DecodeAuthorizationMessageCommand,
GetAccessKeyInfoCommand,
GetCallerIdentityCommand,
Expand Down Expand Up @@ -97,6 +99,17 @@ export interface STS {
cb: (err: any, data?: AssumeRoleWithWebIdentityCommandOutput) => void
): void;

/**
* @see {@link AssumeRootCommand}
*/
assumeRoot(args: AssumeRootCommandInput, options?: __HttpHandlerOptions): Promise<AssumeRootCommandOutput>;
assumeRoot(args: AssumeRootCommandInput, cb: (err: any, data?: AssumeRootCommandOutput) => void): void;
assumeRoot(
args: AssumeRootCommandInput,
options: __HttpHandlerOptions,
cb: (err: any, data?: AssumeRootCommandOutput) => void
): void;

/**
* @see {@link DecodeAuthorizationMessageCommand}
*/
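Review bot: The three `assumeRoot` overloads mirror the promise / callback / options-plus-callback pattern of the `assumeRoleWithWebIdentity` overloads above them, so the aggregated client stays consistent, but the doc comment is only `@see {@link AssumeRootCommand}`; users of the aggregated `STS` class rarely open the command file, so a short sentence here stating that the returned credentials are short-lived and intended for privileged tasks (as the commit message describes) would help callers handle the result with appropriate care.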
3 changes: 3 additions & 0 deletions clients/client-sts/src/STSClient.ts
Expand Up @@ -59,6 +59,7 @@ import {
AssumeRoleWithWebIdentityCommandInput,
AssumeRoleWithWebIdentityCommandOutput,
} from "./commands/AssumeRoleWithWebIdentityCommand";
import { AssumeRootCommandInput, AssumeRootCommandOutput } from "./commands/AssumeRootCommand";
import {
DecodeAuthorizationMessageCommandInput,
DecodeAuthorizationMessageCommandOutput,
Expand All @@ -85,6 +86,7 @@ export type ServiceInputTypes =
| AssumeRoleCommandInput
| AssumeRoleWithSAMLCommandInput
| AssumeRoleWithWebIdentityCommandInput
| AssumeRootCommandInput
| DecodeAuthorizationMessageCommandInput
| GetAccessKeyInfoCommandInput
| GetCallerIdentityCommandInput
Expand All @@ -98,6 +100,7 @@ export type ServiceOutputTypes =
| AssumeRoleCommandOutput
| AssumeRoleWithSAMLCommandOutput
| AssumeRoleWithWebIdentityCommandOutput
| AssumeRootCommandOutput
| DecodeAuthorizationMessageCommandOutput
| GetAccessKeyInfoCommandOutput
| GetCallerIdentityCommandOutput
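Review bot: Adding `AssumeRootCommandInput` and `AssumeRootCommandOutput` to the `ServiceInputTypes` / `ServiceOutputTypes` unions is the expected client-level wiring, and the import in the first hunk of this file brings in only the two types rather than the command class, which matches how the neighbouring commands are handled; the command module itself (`./commands/AssumeRootCommand`) is among the 14 changed files but is not shown in this view, so its serializer, deserializer and documented error cases still need to be reviewed there.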
26 changes: 13 additions & 13 deletions clients/client-sts/src/commands/AssumeRoleCommand.ts
Expand Up @@ -33,20 +33,20 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
* and a security token. Typically, you use <code>AssumeRole</code> within your account or for
* cross-account access. For a comparison of <code>AssumeRole</code> with other API operations
* that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
* credentials</a> in the <i>IAM User Guide</i>.</p>
* <p>
* <b>Permissions</b>
* </p>
* <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
* make API calls to any Amazon Web Services service with the following exception: You cannot call the
* Amazon Web Services STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
* operations.</p>
* <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
* this operation. You can pass a single JSON policy document to use as an inline session
* policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
* managed session policies. The plaintext that you use for both inline and managed session
* policies can't exceed 2,048 characters. Passing policies to this operation returns new
* <p>(Optional) You can pass inline or managed session policies to this operation. You can
* pass a single JSON policy document to use as an inline session policy. You can also specify
* up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies.
* The plaintext that you use for both inline and managed session policies can't exceed 2,048
* characters. Passing policies to this operation returns new
* temporary credentials. The resulting session's permissions are the intersection of the
* role's identity-based policy and the session policies. You can use the role's temporary
* credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
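Review bot: The rewrap of the "(Optional) You can pass inline or managed session policies" paragraph drops the hyperlink to the session policies page (`access_policies.html#policies_session`) that the removed lines carried, while the wording itself is otherwise unchanged; since this is the paragraph that explains that the session's permissions are the intersection of the role's identity-based policy and the session policies, keeping that link (or confirming the drop is intentional in the upstream model) would be preferable. The replacement of the `#stsapi_comparison` anchor with `id_credentials_sts-comparison.html` reads as a deliberate doc-URL migration and is applied identically in the SAML and WebIdentity commands below.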
Expand Down Expand Up @@ -193,15 +193,15 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
* the <i>IAM User Guide</i>.</p>
* <p>You could receive this error even though you meet other defined session policy and
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link RegionDisabledException} (client fault)
* <p>STS is not activated in the requested region for the account that is being asked to
* generate credentials. The account administrator must use the IAM console to activate STS
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
* generate credentials. The account administrator must use the IAM console to activate
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link STSServiceException}
* <p>Base exception class for all service exceptions from STS service.</p>
16 changes: 8 additions & 8 deletions clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts
Expand Up @@ -38,8 +38,8 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo
* enterprise identity store or directory to role-based Amazon Web Services access without user-specific
* credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
* other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
* credentials</a> in the <i>IAM User Guide</i>.</p>
* <p>The temporary security credentials returned by this operation consist of an access key
* ID, a secret access key, and a security token. Applications can use these temporary
* security credentials to sign calls to Amazon Web Services services.</p>
Expand Down Expand Up @@ -236,15 +236,15 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
* the <i>IAM User Guide</i>.</p>
* <p>You could receive this error even though you meet other defined session policy and
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link RegionDisabledException} (client fault)
* <p>STS is not activated in the requested region for the account that is being asked to
* generate credentials. The account administrator must use the IAM console to activate STS
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
* generate credentials. The account administrator must use the IAM console to activate
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link STSServiceException}
* <p>Base exception class for all service exceptions from STS service.</p>
45 changes: 15 additions & 30 deletions clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts
Expand Up @@ -53,8 +53,8 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* using a token from the web identity provider. For a comparison of
* <code>AssumeRoleWithWebIdentity</code> with the other API operations that produce
* temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
* credentials</a> in the <i>IAM User Guide</i>.</p>
* <p>The temporary security credentials returned by this API consist of an access key ID, a
* secret access key, and a security token. Applications can use these temporary security
* credentials to sign calls to Amazon Web Services service API operations.</p>
Expand All @@ -66,8 +66,7 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* optional <code>DurationSeconds</code> parameter to specify the duration of your session.
* You can provide a value from 900 seconds (15 minutes) up to the maximum session duration
* setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how
* to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
* Maximum Session Duration Setting for a Role</a> in the
* to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role </a> in the
* <i>IAM User Guide</i>. The maximum session duration limit applies when
* you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
* commands. However the limit does not apply when you use those operations to create a
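Review bot: The new anchor text `Update the maximum session duration for a role </a>` has a stray space before the closing tag, which renders as a trailing space inside the link; trim it to `for a role</a>`. The surrounding statement about the 900-second minimum, the 1-to-12-hour role setting, and the limit applying to the `AssumeRole*` operations but not to sessions created with those operations is unchanged.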
Expand Down Expand Up @@ -136,7 +135,7 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* or a pairwise identifier, as <a href="http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">suggested
* in the OIDC specification</a>.</p>
* </important>
* <p>For more information about how to use web identity federation and the
* <p>For more information about how to use OIDC federation and the
* <code>AssumeRoleWithWebIdentity</code> API, see the following resources: </p>
* <ul>
* <li>
Expand All @@ -145,25 +144,11 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* </li>
* <li>
* <p>
* <a href="https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/"> Web Identity Federation Playground</a>. Walk through the process of
* authenticating through Login with Amazon, Facebook, or Google, getting temporary
* security credentials, and then using those credentials to make a request to Amazon Web Services.
* </p>
* </li>
* <li>
* <p>
* <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a>. These toolkits
* contain sample apps that show how to invoke the identity providers. The toolkits then
* show how to use the information from these providers to get and use temporary
* security credentials. </p>
* </li>
* <li>
* <p>
* <a href="http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications">Web Identity
* Federation with Mobile Applications</a>. This article discusses web identity
* federation and shows an example of how to use web identity federation to get access
* to content in Amazon S3. </p>
* </li>
* </ul>
* @example
* Use a bare-bones client and the command you need to make an API call.
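Review bot: Removing the Web Identity Federation Playground and the iOS/Android SDK bullets leaves the `<ul>` well-formed (every remaining `<li>` / `<p>` pair still closes), but the surviving "Web Identity Federation with Mobile Applications" bullet still says "web identity federation" while the intro paragraph in the hunk above was changed to "OIDC federation"; either reword that bullet to match or keep the intro wording, so the list and its lead-in use one term.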
Expand Down Expand Up @@ -217,11 +202,11 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* token from the identity provider and then retry the request.</p>
*
* @throws {@link IDPCommunicationErrorException} (client fault)
* <p>The request could not be fulfilled because the identity provider (IDP) that
* was asked to verify the incoming identity token could not be reached. This is often a
* transient error caused by network conditions. Retry the request a limited number of
* times so that you don't exceed the request rate. If the error persists, the
* identity provider might be down or not responding.</p>
* <p>The request could not be fulfilled because the identity provider (IDP) that was asked
* to verify the incoming identity token could not be reached. This is often a transient
* error caused by network conditions. Retry the request a limited number of times so that
* you don't exceed the request rate. If the error persists, the identity provider might be
* down or not responding.</p>
*
* @throws {@link IDPRejectedClaimException} (client fault)
* <p>The identity provider (IdP) reported that authentication failed. This might be because
Expand All @@ -245,15 +230,15 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
* the <i>IAM User Guide</i>.</p>
* <p>You could receive this error even though you meet other defined session policy and
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link RegionDisabledException} (client fault)
* <p>STS is not activated in the requested region for the account that is being asked to
* generate credentials. The account administrator must use the IAM console to activate STS
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
* generate credentials. The account administrator must use the IAM console to activate
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
* Guide</i>.</p>
*
* @throws {@link STSServiceException}
* <p>Base exception class for all service exceptions from STS service.</p>