amazonka-sts 0.0.1 → 0.0.2
raw patch · 10 files changed
+424/−410 lines, 10 filesdep ~amazonka-corePVP ok
version bump matches the API change (PVP)
Dependency ranges changed: amazonka-core
API changes (from Hackage documentation)
Files
- README.md +3/−1
- amazonka-sts.cabal +5/−6
- gen/Network/AWS/STS.hs +2/−3
- gen/Network/AWS/STS/AssumeRole.hs +104/−98
- gen/Network/AWS/STS/AssumeRoleWithSAML.hs +78/−71
- gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs +91/−93
- gen/Network/AWS/STS/DecodeAuthorizationMessage.hs +16/−15
- gen/Network/AWS/STS/GetFederationToken.hs +80/−79
- gen/Network/AWS/STS/GetSessionToken.hs +37/−35
- gen/Network/AWS/STS/Types.hs +8/−9
README.md view
@@ -8,7 +8,9 @@ ## Description -The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).+ The AWS Security Token Service (STS) is a web service that enables you to+ request temporary, limited-privilege credentials for AWS Identity and Access+ Management (IAM) users or for users that you authenticate (federated users). Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts) and [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html).
amazonka-sts.cabal view
@@ -1,5 +1,5 @@ name: amazonka-sts-version: 0.0.1+version: 0.0.2 synopsis: Amazon Security Token Service SDK. homepage: https://github.com/brendanhay/amazonka license: OtherLicense@@ -13,10 +13,9 @@ cabal-version: >= 1.10 description:- The AWS Security Token Service (STS) is a web service that enables you- to request temporary, limited-privilege credentials for AWS Identity- and Access Management (IAM) users or for users that you authenticate- (federated users).+ The AWS Security Token Service (STS) is a web service that enables you to+ request temporary, limited-privilege credentials for AWS Identity and Access+ Management (IAM) users or for users that you authenticate (federated users). . /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference> .@@ -46,5 +45,5 @@ other-modules: build-depends:- amazonka-core == 0.0.1.*+ amazonka-core == 0.0.2.* , base >= 4.7 && < 5
gen/Network/AWS/STS.hs view
@@ -9,9 +9,8 @@ -- Portability : non-portable (GHC extensions) -- | The AWS Security Token Service (STS) is a web service that enables you to--- request temporary, limited-privilege credentials for AWS Identity and--- Access Management (IAM) users or for users that you authenticate (federated--- users).+-- request temporary, limited-privilege credentials for AWS Identity and Access+-- Management (IAM) users or for users that you authenticate (federated users). module Network.AWS.STS ( module Network.AWS.STS.AssumeRole , module Network.AWS.STS.AssumeRoleWithSAML
gen/Network/AWS/STS/AssumeRole.hs view
@@ -20,62 +20,73 @@ -- Stability : experimental -- Portability : non-portable (GHC extensions) --- | Returns a set of temporary security credentials (consisting of an access--- key ID, a secret access key, and a security token) that you can use to--- access AWS resources that you might not normally have access to. Typically,--- you use AssumeRole for cross-account access or federation. Important: You--- cannot call AssumeRole by using AWS account credentials; access will be--- denied. You must use IAM user credentials or temporary security credentials--- to call AssumeRole. For cross-account access, imagine that you own multiple--- accounts and need to access resources in each account. You could create--- long-term credentials in each account to access those resources. However,--- managing all those credentials and remembering which one can access which--- account can be time consuming. Instead, you can create one set of long-term--- credentials in one account and then use temporary security credentials to--- access all the other accounts by assuming roles in those accounts. For more--- information about roles, see Roles in Using IAM. For federation, you can,--- for example, grant single sign-on access to the AWS Management Console. If--- you already have an identity and authentication system in your corporate--- network, you don't have to recreate user identities in AWS in order to--- grant those user identities access to AWS. Instead, after a user has been--- authenticated, you call AssumeRole (and specify the role with the--- appropriate permissions) to get temporary security credentials for that--- user. With those temporary security credentials, you construct a sign-in--- URL that users can use to access the console. For more information, see--- Scenarios for Granting Temporary Access in Using Temporary Security--- Credentials. The temporary security credentials are valid for the duration--- that you specified when calling AssumeRole, which can be from 900 seconds--- (15 minutes) to 3600 seconds (1 hour). The default is 1 hour. Optionally,--- you can pass an IAM access policy to this operation. If you choose not to--- pass a policy, the temporary security credentials that are returned by the--- operation have the permissions that are defined in the access policy of the--- role that is being assumed. If you pass a policy to this operation, the--- temporary security credentials that are returned by the operation have the--- permissions that are allowed by both the access policy of the role that is--- being assumed, and the policy that you pass. This gives you a way to--- further restrict the permissions for the resulting temporary security--- credentials. You cannot use the passed policy to grant permissions that are--- in excess of those allowed by the access policy of the role that is being--- assumed. For more information, see Permissions for AssumeRole in Using--- Temporary Security Credentials. To assume a role, your AWS account must be--- trusted by the role. The trust relationship is defined in the role's trust--- policy when the role is created. You must also have a policy that allows--- you to call sts:AssumeRole. Using MFA with AssumeRole You can optionally--- include multi-factor authentication (MFA) information when you call--- AssumeRole. This is useful for cross-account scenarios in which you want to--- make sure that the user who is assuming the role has been authenticated--- using an AWS MFA device. In that scenario, the trust policy of the role--- being assumed includes a condition that tests for MFA authentication; if--- the caller does not include valid MFA information, the request to assume--- the role is denied. The condition in a trust policy that tests for MFA--- authentication might look like the following example. "Condition": {"Null":--- {"aws:MultiFactorAuthAge": false}} For more information, see Configuring--- MFA-Protected API Access in the Using IAM guide. To use MFA with--- AssumeRole, you pass values for the SerialNumber and TokenCode parameters.--- The SerialNumber value identifies the user's hardware or virtual MFA--- device. The TokenCode is the time-based one-time password (TOTP) that the+-- | Returns a set of temporary security credentials (consisting of an access key+-- ID, a secret access key, and a security token) that you can use to access AWS+-- resources that you might not normally have access to. Typically, you use 'AssumeRole' for cross-account access or federation.+--+-- Important: You cannot call 'AssumeRole' by using AWS account credentials;+-- access will be denied. You must use IAM user credentials or temporary+-- security credentials to call 'AssumeRole'.+--+-- For cross-account access, imagine that you own multiple accounts and need to+-- access resources in each account. You could create long-term credentials in+-- each account to access those resources. However, managing all those+-- credentials and remembering which one can access which account can be time+-- consuming. Instead, you can create one set of long-term credentials in one+-- account and then use temporary security credentials to access all the other+-- accounts by assuming roles in those accounts. For more information about+-- roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html Roles> in /Using IAM/.+--+-- For federation, you can, for example, grant single sign-on access to the AWS+-- Management Console. If you already have an identity and authentication system+-- in your corporate network, you don't have to recreate user identities in AWS+-- in order to grant those user identities access to AWS. Instead, after a user+-- has been authenticated, you call 'AssumeRole' (and specify the role with the+-- appropriate permissions) to get temporary security credentials for that user.+-- With those temporary security credentials, you construct a sign-in URL that+-- users can use to access the console. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios forGranting Temporary Access> in /Using Temporary Security Credentials/.+--+-- The temporary security credentials are valid for the duration that you+-- specified when calling 'AssumeRole', which can be from 900 seconds (15 minutes)+-- to 3600 seconds (1 hour). The default is 1 hour.+--+-- Optionally, you can pass an IAM access policy to this operation. If you+-- choose not to pass a policy, the temporary security credentials that are+-- returned by the operation have the permissions that are defined in the access+-- policy of the role that is being assumed. If you pass a policy to this+-- operation, the temporary security credentials that are returned by the+-- operation have the permissions that are allowed by both the access policy of+-- the role that is being assumed, /and/ the policy that you pass. This gives you+-- a way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant permissions+-- that are in excess of those allowed by the access policy of the role that is+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /UsingTemporary Security Credentials/.+--+-- To assume a role, your AWS account must be trusted by the role. The trust+-- relationship is defined in the role's trust policy when the role is created.+-- You must also have a policy that allows you to call 'sts:AssumeRole'.+--+-- Using MFA with AssumeRole+--+-- You can optionally include multi-factor authentication (MFA) information+-- when you call 'AssumeRole'. This is useful for cross-account scenarios in which+-- you want to make sure that the user who is assuming the role has been+-- authenticated using an AWS MFA device. In that scenario, the trust policy of+-- the role being assumed includes a condition that tests for MFA+-- authentication; if the caller does not include valid MFA information, the+-- request to assume the role is denied. The condition in a trust policy that+-- tests for MFA authentication might look like the following example.+--+-- '"Condition": {"Null": {"aws:MultiFactorAuthAge": false}}'+--+-- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /UsingIAM/ guide.+--+-- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and 'TokenCode' parameters. The 'SerialNumber' value identifies the user's hardware or virtual+-- MFA device. The 'TokenCode' is the time-based one-time password (TOTP) that the -- MFA devices produces. --+--+-- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html> module Network.AWS.STS.AssumeRole (@@ -148,34 +159,33 @@ , _arTokenCode = Nothing } --- | The duration, in seconds, of the role session. The value can range from--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value--- is set to 3600 seconds.+-- | The duration, in seconds, of the role session. The value can range from 900+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set+-- to 3600 seconds. arDurationSeconds :: Lens' AssumeRole (Maybe Natural) arDurationSeconds = lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a }) . mapping _Nat --- | A unique identifier that is used by third parties to assume a role in--- their customers' accounts. For each role that the third party can assume,--- they should instruct their customers to create a role with the external--- ID that the third party generated. Each time the third party assumes the--- role, they must pass the customer's external ID. The external ID is--- useful in order to help third parties bind a role to the customer who--- created it. For more information about the external ID, see About the--- External ID in Using Temporary Security Credentials.+-- | A unique identifier that is used by third parties to assume a role in their+-- customers' accounts. For each role that the third party can assume, they+-- should instruct their customers to create a role with the external ID that+-- the third party generated. Each time the third party assumes the role, they+-- must pass the customer's external ID. The external ID is useful in order to+-- help third parties bind a role to the customer who created it. For more+-- information about the external ID, see About the External ID in /UsingTemporary Security Credentials/. arExternalId :: Lens' AssumeRole (Maybe Text) arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a }) --- | An IAM policy in JSON format. The policy parameter is optional. If you--- pass a policy, the temporary security credentials that are returned by--- the operation have the permissions that are allowed by both the access--- policy of the role that is being assumed, and the policy that you pass.--- This gives you a way to further restrict the permissions for the--- resulting temporary security credentials. You cannot use the passed--- policy to grant permissions that are in excess of those allowed by the--- access policy of the role that is being assumed. For more information,--- see Permissions for AssumeRole in Using Temporary Security Credentials.+-- | An IAM policy in JSON format.+--+-- The policy parameter is optional. If you pass a policy, the temporary+-- security credentials that are returned by the operation have the permissions+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the+-- permissions for the resulting temporary security credentials. You cannot use+-- the passed policy to grant permissions that are in excess of those allowed by+-- the access policy of the role that is being assumed. For more information,+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /Using Temporary Security Credentials/. arPolicy :: Lens' AssumeRole (Maybe Text) arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a }) @@ -183,26 +193,23 @@ arRoleArn :: Lens' AssumeRole Text arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a }) --- | An identifier for the assumed role session. The session name is included--- as part of the AssumedRoleUser.+-- | An identifier for the assumed role session. The session name is included as+-- part of the 'AssumedRoleUser'. arRoleSessionName :: Lens' AssumeRole Text arRoleSessionName = lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a }) --- | The identification number of the MFA device that is associated with the--- user who is making the AssumeRole call. Specify this value if the trust--- policy of the role being assumed includes a condition that requires MFA--- authentication. The value is either the serial number for a hardware--- device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a--- virtual device (such as arn:aws:iam::123456789012:mfa/user).+-- | The identification number of the MFA device that is associated with the user+-- who is making the 'AssumeRole' call. Specify this value if the trust policy of+-- the role being assumed includes a condition that requires MFA authentication.+-- The value is either the serial number for a hardware device (such as 'GAHT12345678') or an Amazon Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). arSerialNumber :: Lens' AssumeRole (Maybe Text) arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a }) --- | The value provided by the MFA device, if the trust policy of the role--- being assumed requires MFA (that is, if the policy includes a condition--- that tests for MFA). If the role being assumed requires MFA and if the--- TokenCode value is missing or expired, the AssumeRole call returns an--- "access denied" error.+-- | The value provided by the MFA device, if the trust policy of the role being+-- assumed requires MFA (that is, if the policy includes a condition that tests+-- for MFA). If the role being assumed requires MFA and if the 'TokenCode' value+-- is missing or expired, the 'AssumeRole' call returns an "access denied" error. arTokenCode :: Lens' AssumeRole (Maybe Text) arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a }) @@ -229,24 +236,23 @@ , _arrPackedPolicySize = Nothing } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are--- identifiers that you can use to refer to the resulting temporary security--- credentials. For example, you can reference these credentials as a--- principal in a resource-based policy by using the ARN or assumed role ID.--- The ARN and ID include the RoleSessionName that you specified when you--- called AssumeRole.+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers+-- that you can use to refer to the resulting temporary security credentials.+-- For example, you can reference these credentials as a principal in a+-- resource-based policy by using the ARN or assumed role ID. The ARN and ID+-- include the 'RoleSessionName' that you specified when you called 'AssumeRole'. arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser) arrAssumedRoleUser = lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a }) --- | The temporary security credentials, which include an access key ID, a--- secret access key, and a security (or session) token.+-- | The temporary security credentials, which include an access key ID, a secret+-- access key, and a security (or session) token. arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials) arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a }) --- | A percentage value that indicates the size of the policy in packed form.--- The service rejects any policy with a packed size greater than 100--- percent, which means the policy exceeded the allowed space.+-- | A percentage value that indicates the size of the policy in packed form. The+-- service rejects any policy with a packed size greater than 100 percent, which+-- means the policy exceeded the allowed space. arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural) arrPackedPolicySize = lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })
gen/Network/AWS/STS/AssumeRoleWithSAML.hs view
@@ -23,39 +23,43 @@ -- | Returns a set of temporary security credentials for users who have been -- authenticated via a SAML authentication response. This operation provides a -- mechanism for tying an enterprise identity store or directory to role-based--- AWS access without user-specific credentials or configuration. The--- temporary security credentials returned by this operation consist of an+-- AWS access without user-specific credentials or configuration.+--+-- The temporary security credentials returned by this operation consist of an -- access key ID, a secret access key, and a security token. Applications can -- use these temporary security credentials to sign calls to AWS services. The--- credentials are valid for the duration that you specified when calling--- AssumeRoleWithSAML, which can be up to 3600 seconds (1 hour) or until the--- time specified in the SAML authentication response's NotOnOrAfter value,--- whichever is shorter. Optionally, you can pass an IAM access policy to this--- operation. If you choose not to pass a policy, the temporary security--- credentials that are returned by the operation have the permissions that--- are defined in the access policy of the role that is being assumed. If you--- pass a policy to this operation, the temporary security credentials that--- are returned by the operation have the permissions that are allowed by both--- the access policy of the role that is being assumed, and the policy that--- you pass. This gives you a way to further restrict the permissions for the--- resulting temporary security credentials. You cannot use the passed policy--- to grant permissions that are in excess of those allowed by the access--- policy of the role that is being assumed. For more information, see--- Permissions for AssumeRoleWithSAML in Using Temporary Security Credentials.--- Before your application can call AssumeRoleWithSAML, you must configure--- your SAML identity provider (IdP) to issue the claims required by AWS.--- Additionally, you must use AWS Identity and Access Management (IAM) to--- create a SAML provider entity in your AWS account that represents your--- identity provider, and create an IAM role that specifies this SAML provider--- in its trust policy. Calling AssumeRoleWithSAML does not require the use of--- AWS security credentials. The identity of the caller is validated by using--- keys in the metadata document that is uploaded for the SAML provider entity--- for your identity provider. For more information, see the following--- resources: Creating Temporary Security Credentials for SAML Federation in--- Using Temporary Security Credentials. SAML Providers in Using IAM.--- Configuring a Relying Party and Claims in Using IAM. Creating a Role for--- SAML-Based Federation in Using IAM.+-- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the+-- SAML authentication response's 'NotOnOrAfter' value, whichever is shorter. --+-- Optionally, you can pass an IAM access policy to this operation. If you+-- choose not to pass a policy, the temporary security credentials that are+-- returned by the operation have the permissions that are defined in the access+-- policy of the role that is being assumed. If you pass a policy to this+-- operation, the temporary security credentials that are returned by the+-- operation have the permissions that are allowed by both the access policy of+-- the role that is being assumed, /and/ the policy that you pass. This gives you+-- a way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant permissions+-- that are in excess of those allowed by the access policy of the role that is+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>+-- in /Using Temporary Security Credentials/.+--+-- Before your application can call 'AssumeRoleWithSAML', you must configure your+-- SAML identity provider (IdP) to issue the claims required by AWS.+-- Additionally, you must use AWS Identity and Access Management (IAM) to create+-- a SAML provider entity in your AWS account that represents your identity+-- provider, and create an IAM role that specifies this SAML provider in its+-- trust policy.+--+-- Calling 'AssumeRoleWithSAML' does not require the use of AWS security+-- credentials. The identity of the caller is validated by using keys in the+-- metadata document that is uploaded for the SAML provider entity for your+-- identity provider.+--+-- For more information, see the following resources:+--+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in /UsingTemporary Security Credentials/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers> in /Using IAM/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuringa Relying Party and Claims> in /Using IAM/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-BasedFederation> in /Using IAM/.+-- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html> module Network.AWS.STS.AssumeRoleWithSAML (@@ -124,31 +128,31 @@ , _arwsamlDurationSeconds = Nothing } --- | The duration, in seconds, of the role session. The value can range from--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value--- is set to 3600 seconds. An expiration can also be specified in the SAML--- authentication response's NotOnOrAfter value. The actual expiration time--- is whichever value is shorter.+-- | The duration, in seconds, of the role session. The value can range from 900+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set+-- to 3600 seconds. An expiration can also be specified in the SAML+-- authentication response's 'NotOnOrAfter' value. The actual expiration time is+-- whichever value is shorter. arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural) arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a }) . mapping _Nat --- | An IAM policy in JSON format. The policy parameter is optional. If you--- pass a policy, the temporary security credentials that are returned by--- the operation have the permissions that are allowed by both the access--- policy of the role that is being assumed, and the policy that you pass.--- This gives you a way to further restrict the permissions for the--- resulting temporary security credentials. You cannot use the passed--- policy to grant permissions that are in excess of those allowed by the--- access policy of the role that is being assumed. For more information,--- see Permissions for AssumeRoleWithSAML in Using Temporary Security--- Credentials.+-- | An IAM policy in JSON format.+--+-- The policy parameter is optional. If you pass a policy, the temporary+-- security credentials that are returned by the operation have the permissions+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the+-- permissions for the resulting temporary security credentials. You cannot use+-- the passed policy to grant permissions that are in excess of those allowed by+-- the access policy of the role that is being assumed. For more information,+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/+-- . arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text) arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a }) --- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes--- the IdP.+-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the+-- IdP. arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text arwsamlPrincipalArn = lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })@@ -157,9 +161,10 @@ arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a }) --- | The base-64 encoded SAML authentication response provided by the IdP. For--- more information, see Configuring a Relying Party and Adding Claims in--- the Using IAM guide.+-- | The base-64 encoded SAML authentication response provided by the IdP.+--+-- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in+-- the /Using IAM/ guide. arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text arwsamlSAMLAssertion = lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })@@ -211,8 +216,8 @@ arwsamlrAssumedRoleUser = lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a }) --- | The value of the Recipient attribute of the SubjectConfirmationData--- element of the SAML assertion.+-- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData' element+-- of the SAML assertion. arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text) arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a }) @@ -220,41 +225,43 @@ arwsamlrCredentials = lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a }) --- | The value of the Issuer element of the SAML assertion.+-- | The value of the 'Issuer' element of the SAML assertion. arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text) arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a }) --- | A hash value based on the concatenation of the Issuer response value, the--- AWS account ID, and the friendly name (the last part of the ARN) of the--- SAML provider in IAM. The combination of NameQualifier and Subject can be--- used to uniquely identify a federated user. The following pseudocode--- shows how the hash value is calculated: BASE64 ( SHA1 (--- "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ).+-- | A hash value based on the concatenation of the 'Issuer' response value, the AWS+-- account ID, and the friendly name (the last part of the ARN) of the SAML+-- provider in IAM. The combination of 'NameQualifier' and 'Subject' can be used to+-- uniquely identify a federated user.+--+-- The following pseudocode shows how the hash value is calculated:+--+-- 'BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP") )' arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text) arwsamlrNameQualifier = lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a }) --- | A percentage value that indicates the size of the policy in packed form.--- The service rejects any policy with a packed size greater than 100--- percent, which means the policy exceeded the allowed space.+-- | A percentage value that indicates the size of the policy in packed form. The+-- service rejects any policy with a packed size greater than 100 percent, which+-- means the policy exceeded the allowed space. arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural) arwsamlrPackedPolicySize = lens _arwsamlrPackedPolicySize (\s a -> s { _arwsamlrPackedPolicySize = a }) . mapping _Nat --- | The value of the NameID element in the Subject element of the SAML--- assertion.+-- | The value of the 'NameID' element in the 'Subject' element of the SAML assertion. arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text) arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a }) --- | The format of the name ID, as defined by the Format attribute in the--- NameID element of the SAML assertion. Typical examples of the format are--- transient or persistent. If the format includes the prefix--- urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For--- example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned--- as transient. If the format includes any other prefix, the format is--- returned with no modifications.+-- | The format of the name ID, as defined by the 'Format' attribute in the 'NameID'+-- element of the SAML assertion. Typical examples of the format are 'transient'+-- or 'persistent'.+--+-- If the format includes the prefix 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For example,+-- 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is returned as 'transient'.+-- If the format includes any other prefix, the format is returned with no+-- modifications. arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text) arwsamlrSubjectType = lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })
gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs view
@@ -22,52 +22,55 @@ -- | Returns a set of temporary security credentials for users who have been -- authenticated in a mobile or web application with a web identity provider,--- such as Login with Amazon, Amazon Cognito, Facebook, or Google. Calling--- AssumeRoleWithWebIdentity does not require the use of AWS security+-- such as Login with Amazon, Amazon Cognito, Facebook, or Google.+--+-- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security -- credentials. Therefore, you can distribute an application (for example, on -- mobile devices) that requests temporary security credentials without--- including long-term AWS credentials in the application, and without--- deploying server-based proxy services that use long-term AWS credentials.--- Instead, the identity of the caller is validated by using a token from the--- web identity provider. The temporary security credentials returned by this--- API consist of an access key ID, a secret access key, and a security token.--- Applications can use these temporary security credentials to sign calls to--- AWS service APIs. The credentials are valid for the duration that you--- specified when calling AssumeRoleWithWebIdentity, which can be from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary--- security credentials are valid for 1 hour. Optionally, you can pass an IAM--- access policy to this operation. If you choose not to pass a policy, the--- temporary security credentials that are returned by the operation have the--- permissions that are defined in the access policy of the role that is being--- assumed. If you pass a policy to this operation, the temporary security--- credentials that are returned by the operation have the permissions that--- are allowed by both the access policy of the role that is being assumed,--- and the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot--- use the passed policy to grant permissions that are in excess of those--- allowed by the access policy of the role that is being assumed. For more--- information, see Permissions for AssumeRoleWithWebIdentity in Using--- Temporary Security Credentials. Before your application can call--- AssumeRoleWithWebIdentity, you must have an identity token from a supported--- identity provider and create a role that the application can assume. The--- role that your application assumes must trust the identity provider that is--- associated with the identity token. In other words, the identity provider--- must be specified in the role's trust policy. For more information about--- how to use web identity federation and the AssumeRoleWithWebIdentity, see--- the following resources: Creating a Mobile Application with Third-Party--- Sign-In and Creating Temporary Security Credentials for Mobile Apps Using--- Third-Party Identity Providers in Using Temporary Security Credentials. Web--- Identity Federation Playground. This interactive website lets you walk--- through the process of authenticating via Login with Amazon, Facebook, or--- Google, getting temporary security credentials, and then using those--- credentials to make a request to AWS. AWS SDK for iOS and AWS SDK for--- Android. These toolkits contain sample apps that show how to invoke the--- identity providers, and then how to use the information from these--- providers to get and use temporary security credentials. Web Identity--- Federation with Mobile Applications. This article discusses web identity--- federation and shows an example of how to use web identity federation to--- get access to content in Amazon S3.+-- including long-term AWS credentials in the application, and without deploying+-- server-based proxy services that use long-term AWS credentials. Instead, the+-- identity of the caller is validated by using a token from the web identity+-- provider. --+-- The temporary security credentials returned by this API consist of an access+-- key ID, a secret access key, and a security token. Applications can use these+-- temporary security credentials to sign calls to AWS service APIs. The+-- credentials are valid for the duration that you specified when calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By+-- default, the temporary security credentials are valid for 1 hour.+--+-- Optionally, you can pass an IAM access policy to this operation. If you+-- choose not to pass a policy, the temporary security credentials that are+-- returned by the operation have the permissions that are defined in the access+-- policy of the role that is being assumed. If you pass a policy to this+-- operation, the temporary security credentials that are returned by the+-- operation have the permissions that are allowed by both the access policy of+-- the role that is being assumed, /and/ the policy that you pass. This gives you+-- a way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant permissions+-- that are in excess of those allowed by the access policy of the role that is+-- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions forAssumeRoleWithWebIdentity> in /Using Temporary Security Credentials/.+--+-- Before your application can call 'AssumeRoleWithWebIdentity', you must have an+-- identity token from a supported identity provider and create a role that the+-- application can assume. The role that your application assumes must trust the+-- identity provider that is associated with the identity token. In other words,+-- the identity provider must be specified in the role's trust policy.+--+-- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity', see the following resources:+--+-- Creating a Mobile Application with Third-Party Sign-In and Creating+-- Temporary Security Credentials for Mobile Apps Using Third-Party Identity+-- Providers in /Using Temporary Security Credentials/. Web Identity Federation+-- Playground. This interactive website lets you walk through the process of+-- authenticating via Login with Amazon, Facebook, or Google, getting temporary+-- security credentials, and then using those credentials to make a request to+-- AWS. <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and AWS SDK for Android. These toolkits contain sample+-- apps that show how to invoke the identity providers, and then how to use the+-- information from these providers to get and use temporary security+-- credentials. Web Identity Federation with Mobile Applications. This article+-- discusses web identity federation and shows an example of how to use web+-- identity federation to get access to content in Amazon S3.+-- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html> module Network.AWS.STS.AssumeRoleWithWebIdentity (@@ -139,32 +142,30 @@ , _arwwiDurationSeconds = Nothing } --- | The duration, in seconds, of the role session. The value can range from--- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value--- is set to 3600 seconds.+-- | The duration, in seconds, of the role session. The value can range from 900+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set+-- to 3600 seconds. arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural) arwwiDurationSeconds = lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a }) . mapping _Nat --- | An IAM policy in JSON format. The policy parameter is optional. If you--- pass a policy, the temporary security credentials that are returned by--- the operation have the permissions that are allowed by both the access--- policy of the role that is being assumed, and the policy that you pass.--- This gives you a way to further restrict the permissions for the--- resulting temporary security credentials. You cannot use the passed--- policy to grant permissions that are in excess of those allowed by the--- access policy of the role that is being assumed. For more information,--- see Permissions for AssumeRoleWithWebIdentity in Using Temporary Security--- Credentials.+-- | An IAM policy in JSON format.+--+-- The policy parameter is optional. If you pass a policy, the temporary+-- security credentials that are returned by the operation have the permissions+-- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the+-- permissions for the resulting temporary security credentials. You cannot use+-- the passed policy to grant permissions that are in excess of those allowed by+-- the access policy of the role that is being assumed. For more information,+-- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity> in /Using Temporary SecurityCredentials/. arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text) arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a }) -- | The fully-qualified host component of the domain name of the identity -- provider. Specify this value only for OAuth access tokens. Do not specify--- this value for OpenID Connect ID tokens, such as accounts.google.com. Do--- not include URL schemes and port numbers. Currently, www.amazon.com and--- graph.facebook.com are supported.+-- this value for OpenID Connect ID tokens, such as 'accounts.google.com'. Do not+-- include URL schemes and port numbers. Currently, 'www.amazon.com' and 'graph.facebook.com' are supported. arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text) arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a }) @@ -172,20 +173,19 @@ arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a }) --- | An identifier for the assumed role session. Typically, you pass the name--- or identifier that is associated with the user who is using your--- application. That way, the temporary security credentials that your--- application will use are associated with that user. This session name is--- included as part of the ARN and assumed role ID in the AssumedRoleUser--- response element.+-- | An identifier for the assumed role session. Typically, you pass the name or+-- identifier that is associated with the user who is using your application.+-- That way, the temporary security credentials that your application will use+-- are associated with that user. This session name is included as part of the+-- ARN and assumed role ID in the 'AssumedRoleUser' response element. arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text arwwiRoleSessionName = lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a }) --- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by--- the identity provider. Your application must get this token by--- authenticating the user who is using your application with a web identity--- provider before the application makes an AssumeRoleWithWebIdentity call.+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the+-- identity provider. Your application must get this token by authenticating the+-- user who is using your application with a web identity provider before the+-- application makes an 'AssumeRoleWithWebIdentity' call. arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text arwwiWebIdentityToken = lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })@@ -225,50 +225,48 @@ , _arwwirAudience = Nothing } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are--- identifiers that you can use to refer to the resulting temporary security--- credentials. For example, you can reference these credentials as a--- principal in a resource-based policy by using the ARN or assumed role ID.--- The ARN and ID include the RoleSessionName that you specified when you--- called AssumeRole.+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers+-- that you can use to refer to the resulting temporary security credentials.+-- For example, you can reference these credentials as a principal in a+-- resource-based policy by using the ARN or assumed role ID. The ARN and ID+-- include the 'RoleSessionName' that you specified when you called 'AssumeRole'. arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser) arwwirAssumedRoleUser = lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a }) --- | The intended audience of the web identity token. This is traditionally--- the client identifier issued to the application that requested the web--- identity token.+-- | The intended audience of the web identity token. This is traditionally the+-- client identifier issued to the application that requested the web identity+-- token. arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a }) --- | The temporary security credentials, which include an access key ID, a--- secret access key, and a security token.+-- | The temporary security credentials, which include an access key ID, a secret+-- access key, and a security token. arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials) arwwirCredentials = lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a }) --- | A percentage value that indicates the size of the policy in packed form.--- The service rejects any policy with a packed size greater than 100--- percent, which means the policy exceeded the allowed space.+-- | A percentage value that indicates the size of the policy in packed form. The+-- service rejects any policy with a packed size greater than 100 percent, which+-- means the policy exceeded the allowed space. arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural) arwwirPackedPolicySize = lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a }) . mapping _Nat -- | The issuing authority of the web identity token presented. For OpenID--- Connect ID Tokens this contains the value of the iss field. For OAuth 2.0--- Access Tokens, this contains the value of the ProviderId parameter that--- was passed in the AssumeRoleWithWebIdentity request.+-- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0+-- Access Tokens, this contains the value of the 'ProviderId' parameter that was+-- passed in the 'AssumeRoleWithWebIdentity' request. arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a }) --- | The unique user identifier that is returned by the identity provider.--- This identifier is associated with the WebIdentityToken that was--- submitted with the AssumeRoleWithWebIdentity call. The identifier is--- typically unique to the user and the application that acquired the--- WebIdentityToken (pairwise identifier). If an OpenID Connect ID token was--- submitted in the WebIdentityToken, this value is returned by the identity--- provider as the token's sub (Subject) claim.+-- | The unique user identifier that is returned by the identity provider. This+-- identifier is associated with the 'WebIdentityToken' that was submitted with+-- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the+-- user and the application that acquired the 'WebIdentityToken' (pairwise+-- identifier). If an OpenID Connect ID token was submitted in the 'WebIdentityToken', this value is returned by the identity provider as the token's 'sub'+-- (Subject) claim. arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text) arwwirSubjectFromWebIdentityToken = lens _arwwirSubjectFromWebIdentityToken
gen/Network/AWS/STS/DecodeAuthorizationMessage.hs view
@@ -21,23 +21,25 @@ -- Portability : non-portable (GHC extensions) -- | Decodes additional information about the authorization status of a request--- from an encoded message returned in response to an AWS request. For--- example, if a user is not authorized to perform an action that he or she--- has requested, the request returns a Client.UnauthorizedOperation response+-- from an encoded message returned in response to an AWS request.+--+-- For example, if a user is not authorized to perform an action that he or she+-- has requested, the request returns a 'Client.UnauthorizedOperation' response -- (an HTTP 403 response). Some AWS actions additionally return an encoded--- message that can provide details about this authorization failure. The--- message is encoded because the details of the authorization status can+-- message that can provide details about this authorization failure.+--+-- The message is encoded because the details of the authorization status can -- constitute privileged information that the user who requested the action -- should not see. To decode an authorization status message, a user must be--- granted permissions via an IAM policy to request the--- DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action. The--- decoded message includes the following type of information: Whether the--- request was denied due to an explicit deny or due to the absence of an--- explicit allow. For more information, see Determining Whether a Request is--- Allowed or Denied in Using IAM. The principal who made the request. The--- requested action. The requested resource. The values of condition keys in--- the context of the user's request.+-- granted permissions via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action. --+-- The decoded message includes the following type of information:+--+-- Whether the request was denied due to an explicit deny or due to the+-- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/. The principal who made the+-- request. The requested action. The requested resource. The values of+-- condition keys in the context of the user's request.+-- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html> module Network.AWS.STS.DecodeAuthorizationMessage (@@ -97,8 +99,7 @@ { _damrDecodedMessage = Nothing } --- | An XML document that contains the decoded message. For more information,--- see DecodeAuthorizationMessage.+-- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'. damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text) damrDecodedMessage = lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })
gen/Network/AWS/STS/GetFederationToken.hs view
@@ -20,57 +20,61 @@ -- Stability : experimental -- Portability : non-portable (GHC extensions) --- | Returns a set of temporary security credentials (consisting of an access--- key ID, a secret access key, and a security token) for a federated user. A+-- | Returns a set of temporary security credentials (consisting of an access key+-- ID, a secret access key, and a security token) for a federated user. A -- typical use is in a proxy application that gets temporary security--- credentials on behalf of distributed applications inside a corporate--- network. Because you must call the GetFederationToken action using the--- long-term security credentials of an IAM user, this call is appropriate in--- contexts where those credentials can be safely stored, usually in a--- server-based application. Note: Do not use this call in mobile applications--- or client-based web applications that directly get temporary security--- credentials. For those types of applications, use--- AssumeRoleWithWebIdentity. The GetFederationToken action must be called by--- using the long-term AWS security credentials of an IAM user. You can also--- call GetFederationToken using the security credentials of an AWS account--- (root), but this is not recommended. Instead, we recommend that you create--- an IAM user for the purpose of the proxy application and then attach a--- policy to the IAM user that limits federated users to only the actions and--- resources they need access to. For more information, see IAM Best Practices--- in Using IAM. The temporary security credentials that are obtained by using--- the long-term credentials of an IAM user are valid for the specified--- duration, between 900 seconds (15 minutes) and 129600 seconds (36 hours).--- Temporary credentials that are obtained by using AWS account (root)--- credentials have a maximum duration of 3600 seconds (1 hour) Permissions--- The permissions for the temporary security credentials returned by--- GetFederationToken are determined by a combination of the following: The--- policy or policies that are attached to the IAM user whose credentials are--- used to call GetFederationToken. The policy that is passed as a parameter--- in the call. The passed policy is attached to the temporary security--- credentials that result from the GetFederationToken API call--that is, to--- the federated user. When the federated user makes an AWS request, AWS--- evaluates the policy attached to the federated user in combination with the--- policy or policies attached to the IAM user whose credentials were used to--- call GetFederationToken. AWS allows the federated user's request only when--- both the federated user and the IAM user are explicitly allowed to perform--- the requested action. The passed policy cannot grant more permissions than--- those that are defined in the IAM user policy. A typical use case is that--- the permissions of the IAM user whose credentials are used to call--- GetFederationToken are designed to allow access to all the actions and--- resources that any federated user will need. Then, for individual users,--- you pass a policy to the operation that scopes down the permissions to a--- level that's appropriate to that individual user, using a policy that--- allows only a subset of permissions that are granted to the IAM user. If--- you do not pass a policy, the resulting temporary security credentials have--- no effective permissions. The only exception is when the temporary security--- credentials are used to access a resource that has a resource-based policy--- that specifically allows the federated user to access the resource. For--- more information about how permissions work, see Permissions for--- GetFederationToken in Using Temporary Security Credentials. For information--- about using GetFederationToken to create temporary security credentials,--- see Creating Temporary Credentials to Enable Access for Federated Users in--- Using Temporary Security Credentials.+-- credentials on behalf of distributed applications inside a corporate network.+-- Because you must call the 'GetFederationToken' action using the long-term+-- security credentials of an IAM user, this call is appropriate in contexts+-- where those credentials can be safely stored, usually in a server-based+-- application. --+-- Note: Do not use this call in mobile applications or client-based web+-- applications that directly get temporary security credentials. For those+-- types of applications, use 'AssumeRoleWithWebIdentity'.+--+-- The 'GetFederationToken' action must be called by using the long-term AWS+-- security credentials of an IAM user. You can also call 'GetFederationToken'+-- using the security credentials of an AWS account (root), but this is not+-- recommended. Instead, we recommend that you create an IAM user for the+-- purpose of the proxy application and then attach a policy to the IAM user+-- that limits federated users to only the actions and resources they need+-- access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices> in /Using IAM/.+--+-- The temporary security credentials that are obtained by using the long-term+-- credentials of an IAM user are valid for the specified duration, between 900+-- seconds (15 minutes) and 129600 seconds (36 hours). Temporary credentials+-- that are obtained by using AWS account (root) credentials have a maximum+-- duration of 3600 seconds (1 hour)+--+-- Permissions+--+-- The permissions for the temporary security credentials returned by 'GetFederationToken' are determined by a combination of the following:+--+-- The policy or policies that are attached to the IAM user whose credentials+-- are used to call 'GetFederationToken'. The policy that is passed as a parameter+-- in the call. The passed policy is attached to the temporary security+-- credentials that result from the 'GetFederationToken' API call--that is, to the /federated user/. When the federated user makes an AWS request, AWS evaluates+-- the policy attached to the federated user in combination with the policy or+-- policies attached to the IAM user whose credentials were used to call 'GetFederationToken'. AWS allows the federated user's request only when both the federated user /and/ the IAM user are explicitly allowed to perform the requested action. The+-- passed policy cannot grant more permissions than those that are defined in+-- the IAM user policy.+--+-- A typical use case is that the permissions of the IAM user whose credentials+-- are used to call 'GetFederationToken' are designed to allow access to all the+-- actions and resources that any federated user will need. Then, for individual+-- users, you pass a policy to the operation that scopes down the permissions to+-- a level that's appropriate to that individual user, using a policy that+-- allows only a subset of permissions that are granted to the IAM user.+--+-- If you do not pass a policy, the resulting temporary security credentials+-- have no effective permissions. The only exception is when the temporary+-- security credentials are used to access a resource that has a resource-based+-- policy that specifically allows the federated user to access the resource.+--+-- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. For information+-- about using 'GetFederationToken' to create temporary security credentials, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users> in /Using Temporary Security Credentials/.+-- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html> module Network.AWS.STS.GetFederationToken (@@ -122,41 +126,40 @@ , _gftDurationSeconds = Nothing } --- | The duration, in seconds, that the session should last. Acceptable--- durations for federation sessions range from 900 seconds (15 minutes) to--- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.--- Sessions obtained using AWS account (root) credentials are restricted to--- a maximum of 3600 seconds (one hour). If the specified duration is longer--- than one hour, the session obtained by using AWS account (root)--- credentials defaults to one hour.+-- | The duration, in seconds, that the session should last. Acceptable durations+-- for federation sessions range from 900 seconds (15 minutes) to 129600 seconds+-- (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained+-- using AWS account (root) credentials are restricted to a maximum of 3600+-- seconds (one hour). If the specified duration is longer than one hour, the+-- session obtained by using AWS account (root) credentials defaults to one+-- hour. gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural) gftDurationSeconds = lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a }) . mapping _Nat -- | The name of the federated user. The name is used as an identifier for the--- temporary security credentials (such as Bob). For example, you can--- reference the federated user name in a resource-based policy, such as in--- an Amazon S3 bucket policy.+-- temporary security credentials (such as 'Bob'). For example, you can reference+-- the federated user name in a resource-based policy, such as in an Amazon S3+-- bucket policy. gftName :: Lens' GetFederationToken Text gftName = lens _gftName (\s a -> s { _gftName = a }) --- | An IAM policy in JSON format that is passed with the GetFederationToken--- call and evaluated along with the policy or policies that are attached to--- the IAM user whose credentials are used to call GetFederationToken. The--- passed policy is used to scope down the permissions that are available to--- the IAM user, by allowing only a subset of the permissions that are--- granted to the IAM user. The passed policy cannot grant more permissions--- than those granted to the IAM user. The final permissions for the--- federated user are the most restrictive set based on the intersection of--- the passed policy and the IAM user policy. If you do not pass a policy,--- the resulting temporary security credentials have no effective--- permissions. The only exception is when the temporary security--- credentials are used to access a resource that has a resource-based--- policy that specifically allows the federated user to access the--- resource. For more information about how permissions work, see--- Permissions for GetFederationToken in Using Temporary Security--- Credentials.+-- | An IAM policy in JSON format that is passed with the 'GetFederationToken' call+-- and evaluated along with the policy or policies that are attached to the IAM+-- user whose credentials are used to call 'GetFederationToken'. The passed policy+-- is used to scope down the permissions that are available to the IAM user, by+-- allowing only a subset of the permissions that are granted to the IAM user.+-- The passed policy cannot grant more permissions than those granted to the IAM+-- user. The final permissions for the federated user are the most restrictive+-- set based on the intersection of the passed policy and the IAM user policy.+--+-- If you do not pass a policy, the resulting temporary security credentials+-- have no effective permissions. The only exception is when the temporary+-- security credentials are used to access a resource that has a resource-based+-- policy that specifically allows the federated user to access the resource.+--+-- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. gftPolicy :: Lens' GetFederationToken (Maybe Text) gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a }) @@ -187,10 +190,8 @@ gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials) gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a }) --- | Identifiers for the federated user associated with the credentials (such--- as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You--- can use the federated user's ARN in your resource-based policies, such as--- an Amazon S3 bucket policy.+-- | Identifiers for the federated user associated with the credentials (such as 'arn:aws:sts::123456789012:federated-user/Bob' or '123456789012:Bob'). You can use the federated user's ARN in your+-- resource-based policies, such as an Amazon S3 bucket policy. gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser) gftrFederatedUser = lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })
gen/Network/AWS/STS/GetSessionToken.hs view
@@ -21,28 +21,32 @@ -- Portability : non-portable (GHC extensions) -- | Returns a set of temporary credentials for an AWS account or IAM user. The--- credentials consist of an access key ID, a secret access key, and a--- security token. Typically, you use GetSessionToken if you want to use MFA--- to protect programmatic calls to specific AWS APIs like Amazon EC2--- StopInstances. MFA-enabled IAM users would need to call GetSessionToken and--- submit an MFA code that is associated with their MFA device. Using the--- temporary security credentials that are returned from the call, IAM users--- can then make programmatic calls to APIs that require MFA authentication.--- The GetSessionToken action must be called by using the long-term AWS--- security credentials of the AWS account or an IAM user. Credentials that--- are created by IAM users are valid for the duration that you specify,--- between 900 seconds (15 minutes) and 129600 seconds (36 hours); credentials--- that are created by using account credentials have a maximum duration of--- 3600 seconds (1 hour). The permissions associated with the temporary--- security credentials returned by GetSessionToken are based on the--- permissions associated with account or IAM user whose credentials are used--- to call the action. If GetSessionToken is called using root account--- credentials, the temporary credentials have root account permissions.--- Similarly, if GetSessionToken is called using the credentials of an IAM--- user, the temporary credentials have the same permissions as the IAM user.--- For more information about using GetSessionToken to create temporary+-- credentials consist of an access key ID, a secret access key, and a security+-- token. Typically, you use 'GetSessionToken' if you want to use MFA to protect+-- programmatic calls to specific AWS APIs like Amazon EC2 'StopInstances'.+-- MFA-enabled IAM users would need to call 'GetSessionToken' and submit an MFA+-- code that is associated with their MFA device. Using the temporary security+-- credentials that are returned from the call, IAM users can then make+-- programmatic calls to APIs that require MFA authentication.+--+-- The 'GetSessionToken' action must be called by using the long-term AWS+-- security credentials of the AWS account or an IAM user. Credentials that are+-- created by IAM users are valid for the duration that you specify, between 900+-- seconds (15 minutes) and 129600 seconds (36 hours); credentials that are+-- created by using account credentials have a maximum duration of 3600 seconds+-- (1 hour).+--+-- The permissions associated with the temporary security credentials returned+-- by 'GetSessionToken' are based on the permissions associated with account or+-- IAM user whose credentials are used to call the action. If 'GetSessionToken' is+-- called using root account credentials, the temporary credentials have root+-- account permissions. Similarly, if 'GetSessionToken' is called using the+-- credentials of an IAM user, the temporary credentials have the same+-- permissions as the IAM user.+--+-- For more information about using 'GetSessionToken' to create temporary -- credentials, go to Creating Temporary Credentials to Enable Access for IAM--- Users in Using Temporary Security Credentials.+-- Users in /Using Temporary Security Credentials/. -- -- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html> module Network.AWS.STS.GetSessionToken@@ -94,31 +98,29 @@ -- | The duration, in seconds, that the credentials should remain valid. -- Acceptable durations for IAM user sessions range from 900 seconds (15--- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as--- the default. Sessions for AWS account owners are restricted to a maximum--- of 3600 seconds (one hour). If the duration is longer than one hour, the--- session for AWS account owners defaults to one hour.+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the+-- default. Sessions for AWS account owners are restricted to a maximum of 3600+-- seconds (one hour). If the duration is longer than one hour, the session for+-- AWS account owners defaults to one hour. gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural) gstDurationSeconds = lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a }) . mapping _Nat --- | The identification number of the MFA device that is associated with the--- IAM user who is making the GetSessionToken call. Specify this value if--- the IAM user has a policy that requires MFA authentication. The value is--- either the serial number for a hardware device (such as GAHT12345678) or--- an Amazon Resource Name (ARN) for a virtual device (such as--- arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM--- user by going to the AWS Management Console and viewing the user's--- security credentials.+-- | The identification number of the MFA device that is associated with the IAM+-- user who is making the 'GetSessionToken' call. Specify this value if the IAM+-- user has a policy that requires MFA authentication. The value is either the+-- serial number for a hardware device (such as 'GAHT12345678') or an Amazon+-- Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management+-- Console and viewing the user's security credentials. gstSerialNumber :: Lens' GetSessionToken (Maybe Text) gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a }) -- | The value provided by the MFA device, if MFA is required. If any policy -- requires the IAM user to submit an MFA code, specify this value. If MFA -- authentication is required, and the user does not provide a code when--- requesting a set of temporary security credentials, the user will receive--- an "access denied" response when requesting resources that require MFA+-- requesting a set of temporary security credentials, the user will receive an+-- "access denied" response when requesting resources that require MFA -- authentication. gstTokenCode :: Lens' GetSessionToken (Maybe Text) gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })
gen/Network/AWS/STS/Types.hs view
@@ -78,7 +78,7 @@ data Credentials = Credentials { _cAccessKeyId :: Text- , _cExpiration :: RFC822+ , _cExpiration :: ISO8601 , _cSecretAccessKey :: Text , _cSessionToken :: Text } deriving (Eq, Ord, Show)@@ -161,8 +161,8 @@ } -- | The ARN that specifies the federated user that is associated with the--- credentials. For more information about ARNs and how to use them in--- policies, see Identifiers for IAM Entities in Using IAM.+-- credentials. For more information about ARNs and how to use them in policies,+-- see Identifiers for IAM Entities in /Using IAM/. fuArn :: Lens' FederatedUser Text fuArn = lens _fuArn (\s a -> s { _fuArn = a }) @@ -204,15 +204,14 @@ , _aruArn = p2 } --- | The ARN of the temporary security credentials that are returned from the--- AssumeRole action. For more information about ARNs and how to use them in--- policies, see Identifiers for IAM Entities in Using IAM.+-- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see+-- Identifiers for IAM Entities in /Using IAM/. aruArn :: Lens' AssumedRoleUser Text aruArn = lens _aruArn (\s a -> s { _aruArn = a }) --- | A unique identifier that contains the role ID and the role session name--- of the role that is being assumed. The role ID is generated by AWS when--- the role is created.+-- | A unique identifier that contains the role ID and the role session name of+-- the role that is being assumed. The role ID is generated by AWS when the role+-- is created. aruAssumedRoleId :: Lens' AssumedRoleUser Text aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })