amazonka-sts 0.3.6 → 1.0.0
raw patch · 17 files changed
+2148/−1348 lines, 17 filesdep +amazonka-stsdep +amazonka-testdep +bytestringdep ~amazonka-coredep ~basePVP ok
version bump matches the API change (PVP)
Dependencies added: amazonka-sts, amazonka-test, bytestring, lens, tasty, tasty-hunit, text, time, unordered-containers
Dependency ranges changed: amazonka-core, base
API changes (from Hackage documentation)
- Network.AWS.STS.AssumeRole: arRoleArn :: Lens' AssumeRole Text
- Network.AWS.STS.AssumeRole: arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRole: arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRole: arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
- Network.AWS.STS.AssumeRole: instance FromXML AssumeRoleResponse
- Network.AWS.STS.AssumeRole: instance Ord AssumeRole
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: instance FromXML AssumeRoleWithSAMLResponse
- Network.AWS.STS.AssumeRoleWithSAML: instance Ord AssumeRoleWithSAML
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: instance FromXML AssumeRoleWithWebIdentityResponse
- Network.AWS.STS.AssumeRoleWithWebIdentity: instance Ord AssumeRoleWithWebIdentity
- Network.AWS.STS.DecodeAuthorizationMessage: damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
- Network.AWS.STS.DecodeAuthorizationMessage: instance FromXML DecodeAuthorizationMessageResponse
- Network.AWS.STS.DecodeAuthorizationMessage: instance IsString DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Monoid DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Monoid DecodeAuthorizationMessageResponse
- Network.AWS.STS.DecodeAuthorizationMessage: instance Ord DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Ord DecodeAuthorizationMessageResponse
- Network.AWS.STS.GetFederationToken: gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
- Network.AWS.STS.GetFederationToken: gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
- Network.AWS.STS.GetFederationToken: gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
- Network.AWS.STS.GetFederationToken: instance FromXML GetFederationTokenResponse
- Network.AWS.STS.GetFederationToken: instance Ord GetFederationToken
- Network.AWS.STS.GetSessionToken: gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
- Network.AWS.STS.GetSessionToken: instance FromXML GetSessionTokenResponse
- Network.AWS.STS.GetSessionToken: instance Ord GetSessionToken
- Network.AWS.STS.Types: aruArn :: Lens' AssumedRoleUser Text
- Network.AWS.STS.Types: data RESTError :: *
- Network.AWS.STS.Types: fuArn :: Lens' FederatedUser Text
- Network.AWS.STS.Types: instance Eq AssumedRoleUser
- Network.AWS.STS.Types: instance Eq Credentials
- Network.AWS.STS.Types: instance Eq FederatedUser
- Network.AWS.STS.Types: instance FromXML AssumedRoleUser
- Network.AWS.STS.Types: instance FromXML Credentials
- Network.AWS.STS.Types: instance FromXML FederatedUser
- Network.AWS.STS.Types: instance Ord AssumedRoleUser
- Network.AWS.STS.Types: instance Ord Credentials
- Network.AWS.STS.Types: instance Ord FederatedUser
- Network.AWS.STS.Types: instance Read AssumedRoleUser
- Network.AWS.STS.Types: instance Read Credentials
- Network.AWS.STS.Types: instance Read FederatedUser
- Network.AWS.STS.Types: instance Show AssumedRoleUser
- Network.AWS.STS.Types: instance Show Credentials
- Network.AWS.STS.Types: instance Show FederatedUser
- Network.AWS.STS.Types: instance ToQuery AssumedRoleUser
- Network.AWS.STS.Types: instance ToQuery Credentials
- Network.AWS.STS.Types: instance ToQuery FederatedUser
- Network.AWS.STS.Types: ns :: Text
+ Network.AWS.STS: _ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: aruARN :: Lens' AssumedRoleUser Text
+ Network.AWS.STS: aruAssumedRoleId :: Lens' AssumedRoleUser Text
+ Network.AWS.STS: assumedRoleUser :: Text -> Text -> AssumedRoleUser
+ Network.AWS.STS: cAccessKeyId :: Lens' Credentials Text
+ Network.AWS.STS: cExpiration :: Lens' Credentials UTCTime
+ Network.AWS.STS: cSecretAccessKey :: Lens' Credentials Text
+ Network.AWS.STS: cSessionToken :: Lens' Credentials Text
+ Network.AWS.STS: credentials :: Text -> Text -> Text -> UTCTime -> Credentials
+ Network.AWS.STS: data AssumedRoleUser
+ Network.AWS.STS: data Credentials
+ Network.AWS.STS: data FederatedUser
+ Network.AWS.STS: data STS
+ Network.AWS.STS: federatedUser :: Text -> Text -> FederatedUser
+ Network.AWS.STS: fuARN :: Lens' FederatedUser Text
+ Network.AWS.STS: fuFederatedUserId :: Lens' FederatedUser Text
+ Network.AWS.STS.AssumeRole: arRoleARN :: Lens' AssumeRole Text
+ Network.AWS.STS.AssumeRole: arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRole: arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRole: arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRole: arrsStatus :: Lens' AssumeRoleResponse Int
+ Network.AWS.STS.AssumeRole: instance Constructor C1_0AssumeRole
+ Network.AWS.STS.AssumeRole: instance Constructor C1_0AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Data AssumeRole
+ Network.AWS.STS.AssumeRole: instance Data AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Datatype D1AssumeRole
+ Network.AWS.STS.AssumeRole: instance Datatype D1AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Generic AssumeRole
+ Network.AWS.STS.AssumeRole: instance Generic AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_0AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_0AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_1AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_1AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_2AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_2AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_3AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_3AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_4AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_5AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_6AssumeRole
+ Network.AWS.STS.AssumeRole: instance Typeable AssumeRole
+ Network.AWS.STS.AssumeRole: instance Typeable AssumeRoleResponse
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsStatus :: Lens' AssumeRoleWithSAMLResponse Int
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: instance Constructor C1_0AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Constructor C1_0AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Data AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Data AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Datatype D1AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Datatype D1AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Generic AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Generic AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_0AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_0AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_1AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_1AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_2AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_2AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_3AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_3AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_4AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_4AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_5AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_6AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_7AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_8AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Typeable AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Typeable AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Constructor C1_0AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Constructor C1_0AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Data AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Data AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Datatype D1AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Datatype D1AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Generic AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Generic AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_0AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_0AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_1AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_1AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_2AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_2AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_3AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_3AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_4AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_4AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_5AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_5AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_6AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Typeable AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Typeable AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
+ Network.AWS.STS.DecodeAuthorizationMessage: damrsStatus :: Lens' DecodeAuthorizationMessageResponse Int
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Constructor C1_0DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Constructor C1_0DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Data DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Data DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Datatype D1DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Datatype D1DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Generic DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Generic DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_0DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_0DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_1DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Typeable DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Typeable DecodeAuthorizationMessageResponse
+ Network.AWS.STS.GetFederationToken: gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
+ Network.AWS.STS.GetFederationToken: gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
+ Network.AWS.STS.GetFederationToken: gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
+ Network.AWS.STS.GetFederationToken: gftrsStatus :: Lens' GetFederationTokenResponse Int
+ Network.AWS.STS.GetFederationToken: instance Constructor C1_0GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Constructor C1_0GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Data GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Data GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Datatype D1GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Datatype D1GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Generic GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Generic GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_0GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_0GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_1GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_1GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_2GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_2GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_3GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Typeable GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Typeable GetFederationTokenResponse
+ Network.AWS.STS.GetSessionToken: gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
+ Network.AWS.STS.GetSessionToken: gstrsStatus :: Lens' GetSessionTokenResponse Int
+ Network.AWS.STS.GetSessionToken: instance Constructor C1_0GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Constructor C1_0GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Data GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Data GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Datatype D1GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Datatype D1GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Generic GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Generic GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_0GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_0GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_1GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_1GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_2GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Typeable GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Typeable GetSessionTokenResponse
+ Network.AWS.STS.Types: _ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: aruARN :: Lens' AssumedRoleUser Text
+ Network.AWS.STS.Types: fuARN :: Lens' FederatedUser Text
- Network.AWS.STS.AssumeRole: assumeRoleResponse :: AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: assumeRoleResponse :: Int -> AssumeRoleResponse
- Network.AWS.STS.AssumeRoleWithSAML: assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: assumeRoleWithSAMLResponse :: Int -> AssumeRoleWithSAMLResponse
- Network.AWS.STS.AssumeRoleWithWebIdentity: assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: assumeRoleWithWebIdentityResponse :: Int -> AssumeRoleWithWebIdentityResponse
- Network.AWS.STS.DecodeAuthorizationMessage: decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: decodeAuthorizationMessageResponse :: Int -> DecodeAuthorizationMessageResponse
- Network.AWS.STS.GetFederationToken: getFederationTokenResponse :: GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: getFederationTokenResponse :: Int -> GetFederationTokenResponse
- Network.AWS.STS.GetSessionToken: getSessionTokenResponse :: GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: getSessionTokenResponse :: Int -> GetSessionTokenResponse
Files
- README.md +71/−5
- amazonka-sts.cabal +101/−9
- gen/Network/AWS/STS.hs +175/−22
- gen/Network/AWS/STS/AssumeRole.hs +264/−220
- gen/Network/AWS/STS/AssumeRoleWithSAML.hs +263/−236
- gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs +285/−245
- gen/Network/AWS/STS/DecodeAuthorizationMessage.hs +115/−91
- gen/Network/AWS/STS/GetFederationToken.hs +215/−178
- gen/Network/AWS/STS/GetSessionToken.hs +145/−129
- gen/Network/AWS/STS/Types.hs +100/−213
- gen/Network/AWS/STS/Types/Product.hs +170/−0
- gen/Network/AWS/STS/Types/Sum.hs +20/−0
- gen/Network/AWS/STS/Waiters.hs +20/−0
- test/Main.hs +21/−0
- test/Test/AWS/Gen/STS.hs +141/−0
- test/Test/AWS/STS.hs +26/−0
- test/Test/AWS/STS/Internal.hs +16/−0
README.md view
@@ -1,20 +1,86 @@ # Amazon Security Token Service SDK -> _Warning:_ This is an experimental preview release which is still under heavy development and not intended for public consumption, _caveat emptor_!-+* [Version](#version) * [Description](#description) * [Contribute](#contribute) * [Licence](#licence) ++## Version++`1.0.0`++ ## Description -The AWS Security Token Service (STS) is a web service that enables you to-request temporary, limited-privilege credentials for AWS Identity and Access-Management (IAM) users or for users that you authenticate (federated users).+AWS Security Token Service +The AWS Security Token Service (STS) is a web service that enables you+to request temporary, limited-privilege credentials for AWS Identity and+Access Management (IAM) users or for users that you authenticate+(federated users). This guide provides descriptions of the STS API. For+more detailed information about using this service, go to+<http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.++As an alternative to using the API, you can use one of the AWS SDKs,+which consist of libraries and sample code for various programming+languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+provide a convenient way to create programmatic access to STS. For+example, the SDKs take care of cryptographically signing requests,+managing errors, and retrying requests automatically. For information+about the AWS SDKs, including how to download and install them, see the+<http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.++For information about setting up signatures and authorization through+the API, go to+<http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+in the /AWS General Reference/. For general information about the Query+API, go to+<http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+in /Using IAM/. For information about using security tokens with other+AWS products, go to+<http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+in /Using Temporary Security Credentials/.++If you\'re new to AWS and need additional technical information about a+specific AWS product, you can find the product\'s technical+documentation at <http://aws.amazon.com/documentation/>.++__Endpoints__++The AWS Security Token Service (STS) has a default endpoint of+https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+region. Additional regions are available, but must first be activated in+the AWS Management Console before you can use a different region\'s+endpoint. For more information about activating a region for STS see+<http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+in the /Using Temporary Security Credentials/ guide.++For information about STS endpoints, see+<http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+in the /AWS General Reference/.++__Recording API requests__++STS supports AWS CloudTrail, which is a service that records AWS calls+for your AWS account and delivers log files to an Amazon S3 bucket. By+using information collected by CloudTrail, you can determine what+requests were successfully made to STS, who made the request, when it+was made, and so on. To learn more about CloudTrail, including how to+turn it on and find your log files, see the+<http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.+ Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts) and the [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html). +The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),+which provides mechanisms for specifying AuthN/AuthZ information and sending requests.++Use of lenses is required for constructing and manipulating types.+This is due to the amount of nesting of AWS types and transparency regarding+de/serialisation into more palatable Haskell values.+The provided lenses should be compatible with any of the major lens libraries+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core). ## Contribute
amazonka-sts.cabal view
@@ -1,27 +1,88 @@ name: amazonka-sts-version: 0.3.6+version: 1.0.0 synopsis: Amazon Security Token Service SDK. homepage: https://github.com/brendanhay/amazonka license: OtherLicense license-file: LICENSE author: Brendan Hay maintainer: Brendan Hay <brendan.g.hay@gmail.com>-copyright: Copyright (c) 2013-2014 Brendan Hay+copyright: Copyright (c) 2013-2015 Brendan Hay category: Network, AWS, Cloud, Distributed Computing build-type: Simple extra-source-files: README.md cabal-version: >= 1.10 description:- The AWS Security Token Service (STS) is a web service that enables you to- request temporary, limited-privilege credentials for AWS Identity and Access- Management (IAM) users or for users that you authenticate (federated users).+ AWS Security Token Service + The AWS Security Token Service (STS) is a web service that enables you+ to request temporary, limited-privilege credentials for AWS Identity and+ Access Management (IAM) users or for users that you authenticate+ (federated users). This guide provides descriptions of the STS API. For+ more detailed information about using this service, go to+ <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.++ As an alternative to using the API, you can use one of the AWS SDKs,+ which consist of libraries and sample code for various programming+ languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+ provide a convenient way to create programmatic access to STS. For+ example, the SDKs take care of cryptographically signing requests,+ managing errors, and retrying requests automatically. For information+ about the AWS SDKs, including how to download and install them, see the+ <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.++ For information about setting up signatures and authorization through+ the API, go to+ <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+ in the /AWS General Reference/. For general information about the Query+ API, go to+ <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+ in /Using IAM/. For information about using security tokens with other+ AWS products, go to+ <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+ in /Using Temporary Security Credentials/.++ If you\'re new to AWS and need additional technical information about a+ specific AWS product, you can find the product\'s technical+ documentation at <http://aws.amazon.com/documentation/>.++ __Endpoints__++ The AWS Security Token Service (STS) has a default endpoint of+ https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+ region. Additional regions are available, but must first be activated in+ the AWS Management Console before you can use a different region\'s+ endpoint. For more information about activating a region for STS see+ <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+ in the /Using Temporary Security Credentials/ guide.++ For information about STS endpoints, see+ <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+ in the /AWS General Reference/.++ __Recording API requests__++ STS supports AWS CloudTrail, which is a service that records AWS calls+ for your AWS account and delivers log files to an Amazon S3 bucket. By+ using information collected by CloudTrail, you can determine what+ requests were successfully made to STS, who made the request, when it+ was made, and so on. To learn more about CloudTrail, including how to+ turn it on and find your log files, see the+ <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>. .- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>+ The types from this library are intended to be used with+ <http://hackage.haskell.org/package/amazonka amazonka>, which provides+ mechanisms for specifying AuthN/AuthZ information and sending requests. .- /Warning:/ This is an experimental preview release which is still under- heavy development and not intended for public consumption, caveat emptor!+ Use of lenses is required for constructing and manipulating types.+ This is due to the amount of nesting of AWS types and transparency regarding+ de/serialisation into more palatable Haskell values.+ The provided lenses should be compatible with any of the major lens libraries+ such as <http://hackage.haskell.org/package/lens lens> or+ <http://hackage.haskell.org/package/lens-family-core lens-family-core>.+ .+ See "Network.AWS.STS" and the <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>+ to get started. source-repository head type: git@@ -42,9 +103,40 @@ , Network.AWS.STS.GetFederationToken , Network.AWS.STS.GetSessionToken , Network.AWS.STS.Types+ , Network.AWS.STS.Waiters other-modules:+ Network.AWS.STS.Types.Product+ , Network.AWS.STS.Types.Sum build-depends:- amazonka-core == 0.3.6.*+ amazonka-core == 1.0.0.* , base >= 4.7 && < 5++test-suite amazonka-sts-test+ type: exitcode-stdio-1.0+ default-language: Haskell2010+ hs-source-dirs: test+ main-is: Main.hs++ ghc-options: -Wall -threaded++ -- This is not comprehensive if modules have manually been added.+ -- It exists to ensure cabal 'somewhat' detects test module changes.+ other-modules:+ Test.AWS.STS+ , Test.AWS.Gen.STS+ , Test.AWS.STS.Internal++ build-depends:+ amazonka-core == 1.0.0+ , amazonka-test == 1.0.0+ , amazonka-sts == 1.0.0+ , base+ , bytestring+ , lens+ , tasty+ , tasty-hunit+ , text+ , time+ , unordered-containers
gen/Network/AWS/STS.hs view
@@ -1,32 +1,185 @@+{-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | The AWS Security Token Service (STS) is a web service that enables you to--- request temporary, limited-privilege credentials for AWS Identity and Access--- Management (IAM) users or for users that you authenticate (federated users).+-- AWS Security Token Service+--+-- The AWS Security Token Service (STS) is a web service that enables you+-- to request temporary, limited-privilege credentials for AWS Identity and+-- Access Management (IAM) users or for users that you authenticate+-- (federated users). This guide provides descriptions of the STS API. For+-- more detailed information about using this service, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.+--+-- As an alternative to using the API, you can use one of the AWS SDKs,+-- which consist of libraries and sample code for various programming+-- languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+-- provide a convenient way to create programmatic access to STS. For+-- example, the SDKs take care of cryptographically signing requests,+-- managing errors, and retrying requests automatically. For information+-- about the AWS SDKs, including how to download and install them, see the+-- <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.+--+-- For information about setting up signatures and authorization through+-- the API, go to+-- <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+-- in the /AWS General Reference/. For general information about the Query+-- API, go to+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+-- in /Using IAM/. For information about using security tokens with other+-- AWS products, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+-- in /Using Temporary Security Credentials/.+--+-- If you\'re new to AWS and need additional technical information about a+-- specific AWS product, you can find the product\'s technical+-- documentation at <http://aws.amazon.com/documentation/>.+--+-- __Endpoints__+--+-- The AWS Security Token Service (STS) has a default endpoint of+-- https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+-- region. Additional regions are available, but must first be activated in+-- the AWS Management Console before you can use a different region\'s+-- endpoint. For more information about activating a region for STS see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+-- in the /Using Temporary Security Credentials/ guide.+--+-- For information about STS endpoints, see+-- <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+-- in the /AWS General Reference/.+--+-- __Recording API requests__+--+-- STS supports AWS CloudTrail, which is a service that records AWS calls+-- for your AWS account and delivers log files to an Amazon S3 bucket. By+-- using information collected by CloudTrail, you can determine what+-- requests were successfully made to STS, who made the request, when it+-- was made, and so on. To learn more about CloudTrail, including how to+-- turn it on and find your log files, see the+-- <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.+--+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference> module Network.AWS.STS- ( module Network.AWS.STS.AssumeRole- , module Network.AWS.STS.AssumeRoleWithSAML- , module Network.AWS.STS.AssumeRoleWithWebIdentity+ (+ -- * Service+ STS++ -- * Errors+ -- $errors++ -- ** MalformedPolicyDocumentException+ , _MalformedPolicyDocumentException++ -- ** PackedPolicyTooLargeException+ , _PackedPolicyTooLargeException++ -- ** InvalidAuthorizationMessageException+ , _InvalidAuthorizationMessageException++ -- ** IdPCommunicationErrorException+ , _IdPCommunicationErrorException++ -- ** ExpiredTokenException+ , _ExpiredTokenException++ -- ** InvalidIdentityTokenException+ , _InvalidIdentityTokenException++ -- ** IdPRejectedClaimException+ , _IdPRejectedClaimException++ -- * Waiters+ -- $waiters++ -- * Operations+ -- $operations++ -- ** AssumeRole+ , module Network.AWS.STS.AssumeRole++ -- ** DecodeAuthorizationMessage , module Network.AWS.STS.DecodeAuthorizationMessage++ -- ** AssumeRoleWithWebIdentity+ , module Network.AWS.STS.AssumeRoleWithWebIdentity++ -- ** GetFederationToken , module Network.AWS.STS.GetFederationToken++ -- ** GetSessionToken , module Network.AWS.STS.GetSessionToken- , module Network.AWS.STS.Types++ -- ** AssumeRoleWithSAML+ , module Network.AWS.STS.AssumeRoleWithSAML++ -- * Types++ -- ** AssumedRoleUser+ , AssumedRoleUser+ , assumedRoleUser+ , aruAssumedRoleId+ , aruARN++ -- ** Credentials+ , Credentials+ , credentials+ , cAccessKeyId+ , cSecretAccessKey+ , cSessionToken+ , cExpiration++ -- ** FederatedUser+ , FederatedUser+ , federatedUser+ , fuFederatedUserId+ , fuARN ) where -import Network.AWS.STS.AssumeRole-import Network.AWS.STS.AssumeRoleWithSAML-import Network.AWS.STS.AssumeRoleWithWebIdentity-import Network.AWS.STS.DecodeAuthorizationMessage-import Network.AWS.STS.GetFederationToken-import Network.AWS.STS.GetSessionToken-import Network.AWS.STS.Types+import Network.AWS.STS.AssumeRole+import Network.AWS.STS.AssumeRoleWithSAML+import Network.AWS.STS.AssumeRoleWithWebIdentity+import Network.AWS.STS.DecodeAuthorizationMessage+import Network.AWS.STS.GetFederationToken+import Network.AWS.STS.GetSessionToken+import Network.AWS.STS.Types+import Network.AWS.STS.Waiters++{- $errors+Error matchers are designed for use with the functions provided by+<http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.+This allows catching (and rethrowing) service specific errors returned+by 'STS'.+-}++{- $operations+Some AWS operations return results that are incomplete and require subsequent+requests in order to obtain the entire result set. The process of sending+subsequent requests to continue where a previous request left off is called+pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to+1000 objects at a time, and you must send subsequent requests with the+appropriate Marker in order to retrieve the next page of results.++Operations that have an 'AWSPager' instance can transparently perform subsequent+requests, correctly setting Markers and other request facets to iterate through+the entire result set of a truncated API operation. Operations which support+this have an additional note in the documentation.++Many operations have the ability to filter results on the server side. See the+individual operation parameters for details.+-}++{- $waiters+Waiters poll by repeatedly sending a request until some remote success condition+configured by the 'Wait' specification is fulfilled. The 'Wait' specification+determines how many attempts should be made, in addition to delay and retry strategies.+-}
gen/Network/AWS/STS/AssumeRole.hs view
@@ -1,290 +1,334 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.AssumeRole--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials (consisting of an access key--- ID, a secret access key, and a security token) that you can use to access AWS--- resources that you might not normally have access to. Typically, you use 'AssumeRole' for cross-account access or federation.+-- Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) that you can use to+-- access AWS resources that you might not normally have access to.+-- Typically, you use 'AssumeRole' for cross-account access or federation. ----- Important: You cannot call 'AssumeRole' by using AWS account credentials;--- access will be denied. You must use IAM user credentials or temporary--- security credentials to call 'AssumeRole'.+-- __Important:__ You cannot call 'AssumeRole' by using AWS account+-- credentials; access will be denied. You must use IAM user credentials or+-- temporary security credentials to call 'AssumeRole'. ----- For cross-account access, imagine that you own multiple accounts and need to--- access resources in each account. You could create long-term credentials in--- each account to access those resources. However, managing all those--- credentials and remembering which one can access which account can be time--- consuming. Instead, you can create one set of long-term credentials in one--- account and then use temporary security credentials to access all the other--- accounts by assuming roles in those accounts. For more information about--- roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html Roles> in /Using IAM/.+-- For cross-account access, imagine that you own multiple accounts and+-- need to access resources in each account. You could create long-term+-- credentials in each account to access those resources. However, managing+-- all those credentials and remembering which one can access which account+-- can be time consuming. Instead, you can create one set of long-term+-- credentials in one account and then use temporary security credentials+-- to access all the other accounts by assuming roles in those accounts.+-- For more information about roles, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)>+-- in /Using IAM/. ----- For federation, you can, for example, grant single sign-on access to the AWS--- Management Console. If you already have an identity and authentication system--- in your corporate network, you don't have to recreate user identities in AWS--- in order to grant those user identities access to AWS. Instead, after a user--- has been authenticated, you call 'AssumeRole' (and specify the role with the--- appropriate permissions) to get temporary security credentials for that user.--- With those temporary security credentials, you construct a sign-in URL that--- users can use to access the console. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios forGranting Temporary Access> in /Using Temporary Security Credentials/.+-- For federation, you can, for example, grant single sign-on access to the+-- AWS Management Console. If you already have an identity and+-- authentication system in your corporate network, you don\'t have to+-- recreate user identities in AWS in order to grant those user identities+-- access to AWS. Instead, after a user has been authenticated, you call+-- 'AssumeRole' (and specify the role with the appropriate permissions) to+-- get temporary security credentials for that user. With those temporary+-- security credentials, you construct a sign-in URL that users can use to+-- access the console. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios for Granting Temporary Access>+-- in /Using Temporary Security Credentials/. -- -- The temporary security credentials are valid for the duration that you--- specified when calling 'AssumeRole', which can be from 900 seconds (15 minutes)--- to 3600 seconds (1 hour). The default is 1 hour.+-- specified when calling 'AssumeRole', which can be from 900 seconds (15+-- minutes) to 3600 seconds (1 hour). The default is 1 hour. -- -- Optionally, you can pass an IAM access policy to this operation. If you -- choose not to pass a policy, the temporary security credentials that are--- returned by the operation have the permissions that are defined in the access--- policy of the role that is being assumed. If you pass a policy to this--- operation, the temporary security credentials that are returned by the--- operation have the permissions that are allowed by both the access policy of--- the role that is being assumed, /and/ the policy that you pass. This gives you--- a way to further restrict the permissions for the resulting temporary--- security credentials. You cannot use the passed policy to grant permissions--- that are in excess of those allowed by the access policy of the role that is--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /UsingTemporary Security Credentials/.+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>+-- in /Using Temporary Security Credentials/. ----- To assume a role, your AWS account must be trusted by the role. The trust--- relationship is defined in the role's trust policy when the role is created.--- You must also have a policy that allows you to call 'sts:AssumeRole'.+-- To assume a role, your AWS account must be trusted by the role. The+-- trust relationship is defined in the role\'s trust policy when the role+-- is created. You must also have a policy that allows you to call+-- 'sts:AssumeRole'. ----- Using MFA with AssumeRole+-- __Using MFA with AssumeRole__ -- -- You can optionally include multi-factor authentication (MFA) information--- when you call 'AssumeRole'. This is useful for cross-account scenarios in which--- you want to make sure that the user who is assuming the role has been--- authenticated using an AWS MFA device. In that scenario, the trust policy of--- the role being assumed includes a condition that tests for MFA--- authentication; if the caller does not include valid MFA information, the--- request to assume the role is denied. The condition in a trust policy that--- tests for MFA authentication might look like the following example.------ '"Condition": {"Null": {"aws:MultiFactorAuthAge": false}}'------ For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /UsingIAM/ guide.+-- when you call 'AssumeRole'. This is useful for cross-account scenarios+-- in which you want to make sure that the user who is assuming the role+-- has been authenticated using an AWS MFA device. In that scenario, the+-- trust policy of the role being assumed includes a condition that tests+-- for MFA authentication; if the caller does not include valid MFA+-- information, the request to assume the role is denied. The condition in+-- a trust policy that tests for MFA authentication might look like the+-- following example. ----- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and 'TokenCode' parameters. The 'SerialNumber' value identifies the user's hardware or virtual--- MFA device. The 'TokenCode' is the time-based one-time password (TOTP) that the--- MFA devices produces.+-- '\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}' --+-- For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>+-- in /Using IAM/ guide. --+-- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and+-- 'TokenCode' parameters. The 'SerialNumber' value identifies the user\'s+-- hardware or virtual MFA device. The 'TokenCode' is the time-based+-- one-time password (TOTP) that the MFA devices produces. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html AWS API Reference> for AssumeRole. module Network.AWS.STS.AssumeRole (- -- * Request- AssumeRole- -- ** Request constructor- , assumeRole- -- ** Request lenses+ -- * Creating a Request+ assumeRole+ , AssumeRole+ -- * Request Lenses+ , arTokenCode , arDurationSeconds , arExternalId , arPolicy- , arRoleArn- , arRoleSessionName , arSerialNumber- , arTokenCode+ , arRoleARN+ , arRoleSessionName - -- * Response- , AssumeRoleResponse- -- ** Response constructor+ -- * Destructuring the Response , assumeRoleResponse- -- ** Response lenses- , arrAssumedRoleUser- , arrCredentials- , arrPackedPolicySize+ , AssumeRoleResponse+ -- * Response Lenses+ , arrsPackedPolicySize+ , arrsCredentials+ , arrsAssumedRoleUser+ , arrsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -data AssumeRole = AssumeRole- { _arDurationSeconds :: Maybe Nat- , _arExternalId :: Maybe Text- , _arPolicy :: Maybe Text- , _arRoleArn :: Text- , _arRoleSessionName :: Text- , _arSerialNumber :: Maybe Text- , _arTokenCode :: Maybe Text- } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRole' smart constructor.+data AssumeRole = AssumeRole'+ { _arTokenCode :: !(Maybe Text)+ , _arDurationSeconds :: !(Maybe Nat)+ , _arExternalId :: !(Maybe Text)+ , _arPolicy :: !(Maybe Text)+ , _arSerialNumber :: !(Maybe Text)+ , _arRoleARN :: !Text+ , _arRoleSessionName :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRole' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRole' with the minimum fields required to make a request. ----- * 'arDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arExternalId' @::@ 'Maybe' 'Text'+-- * 'arTokenCode' ----- * 'arPolicy' @::@ 'Maybe' 'Text'+-- * 'arDurationSeconds' ----- * 'arRoleArn' @::@ 'Text'+-- * 'arExternalId' ----- * 'arRoleSessionName' @::@ 'Text'+-- * 'arPolicy' ----- * 'arSerialNumber' @::@ 'Maybe' 'Text'+-- * 'arSerialNumber' ----- * 'arTokenCode' @::@ 'Maybe' 'Text'+-- * 'arRoleARN' ---assumeRole :: Text -- ^ 'arRoleArn'- -> Text -- ^ 'arRoleSessionName'- -> AssumeRole-assumeRole p1 p2 = AssumeRole- { _arRoleArn = p1- , _arRoleSessionName = p2- , _arPolicy = Nothing+-- * 'arRoleSessionName'+assumeRole+ :: Text -- ^ 'arRoleARN'+ -> Text -- ^ 'arRoleSessionName'+ -> AssumeRole+assumeRole pRoleARN_ pRoleSessionName_ =+ AssumeRole'+ { _arTokenCode = Nothing , _arDurationSeconds = Nothing- , _arExternalId = Nothing- , _arSerialNumber = Nothing- , _arTokenCode = Nothing+ , _arExternalId = Nothing+ , _arPolicy = Nothing+ , _arSerialNumber = Nothing+ , _arRoleARN = pRoleARN_+ , _arRoleSessionName = pRoleSessionName_ } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds.+-- | The value provided by the MFA device, if the trust policy of the role+-- being assumed requires MFA (that is, if the policy includes a condition+-- that tests for MFA). If the role being assumed requires MFA and if the+-- 'TokenCode' value is missing or expired, the 'AssumeRole' call returns+-- an \"access denied\" error.+arTokenCode :: Lens' AssumeRole (Maybe Text)+arTokenCode = lens _arTokenCode (\ s a -> s{_arTokenCode = a});++-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds. arDurationSeconds :: Lens' AssumeRole (Maybe Natural)-arDurationSeconds =- lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })- . mapping _Nat+arDurationSeconds = lens _arDurationSeconds (\ s a -> s{_arDurationSeconds = a}) . mapping _Nat; --- | A unique identifier that is used by third parties to assume a role in their--- customers' accounts. For each role that the third party can assume, they--- should instruct their customers to create a role with the external ID that--- the third party generated. Each time the third party assumes the role, they--- must pass the customer's external ID. The external ID is useful in order to--- help third parties bind a role to the customer who created it. For more--- information about the external ID, see About the External ID in /UsingTemporary Security Credentials/.+-- | A unique identifier that is used by third parties when assuming roles in+-- their customers\' accounts. For each role that the third party can+-- assume, they should instruct their customers to ensure the role\'s trust+-- policy checks for the external ID that the third party generated. Each+-- time the third party assumes the role, they should pass the customer\'s+-- external ID. The external ID is useful in order to help third parties+-- bind a role to the customer who created it. For more information about+-- the external ID, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-delegating-externalid.html How to Use External ID When Granting Access to Your AWS Resources>+-- in /Using Temporary Security Credentials/. arExternalId :: Lens' AssumeRole (Maybe Text)-arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })+arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a}); -- | An IAM policy in JSON format. ----- The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /Using Temporary Security Credentials/.+-- This parameter is optional. If you pass a policy, the temporary security+-- credentials that are returned by the operation have the permissions that+-- are allowed by both (the intersection of) the access policy of the role+-- that is being assumed, /and/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>+-- in /Using Temporary Security Credentials/.+--+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size. arPolicy :: Lens' AssumeRole (Maybe Text)-arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })+arPolicy = lens _arPolicy (\ s a -> s{_arPolicy = a}); --- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arRoleArn :: Lens' AssumeRole Text-arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })+-- | The identification number of the MFA device that is associated with the+-- user who is making the 'AssumeRole' call. Specify this value if the+-- trust policy of the role being assumed includes a condition that+-- requires MFA authentication. The value is either the serial number for a+-- hardware device (such as 'GAHT12345678') or an Amazon Resource Name+-- (ARN) for a virtual device (such as+-- 'arn:aws:iam::123456789012:mfa\/user').+arSerialNumber :: Lens' AssumeRole (Maybe Text)+arSerialNumber = lens _arSerialNumber (\ s a -> s{_arSerialNumber = a}); --- | An identifier for the assumed role session. The session name is included as--- part of the 'AssumedRoleUser'.+-- | The Amazon Resource Name (ARN) of the role to assume.+arRoleARN :: Lens' AssumeRole Text+arRoleARN = lens _arRoleARN (\ s a -> s{_arRoleARN = a});++-- | An identifier for the assumed role session.+--+-- Use the role session name to uniquely identity a session when the same+-- role is assumed by different principals or for different reasons. In+-- cross-account scenarios, the role session name is visible to, and can be+-- logged by the account that owns the role. The role session name is also+-- used in the ARN of the assumed role principal. This means that+-- subsequent cross-account API requests using the temporary security+-- credentials will expose the role session name to the external account in+-- their CloudTrail logs. arRoleSessionName :: Lens' AssumeRole Text-arRoleSessionName =- lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })+arRoleSessionName = lens _arRoleSessionName (\ s a -> s{_arRoleSessionName = a}); --- | The identification number of the MFA device that is associated with the user--- who is making the 'AssumeRole' call. Specify this value if the trust policy of--- the role being assumed includes a condition that requires MFA authentication.--- The value is either the serial number for a hardware device (such as 'GAHT12345678') or an Amazon Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user').-arSerialNumber :: Lens' AssumeRole (Maybe Text)-arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })+instance AWSRequest AssumeRole where+ type Sv AssumeRole = STS+ type Rs AssumeRole = AssumeRoleResponse+ request = postQuery+ response+ = receiveXMLWrapper "AssumeRoleResult"+ (\ s h x ->+ AssumeRoleResponse' <$>+ (x .@? "PackedPolicySize") <*> (x .@? "Credentials")+ <*> (x .@? "AssumedRoleUser")+ <*> (pure (fromEnum s))) --- | The value provided by the MFA device, if the trust policy of the role being--- assumed requires MFA (that is, if the policy includes a condition that tests--- for MFA). If the role being assumed requires MFA and if the 'TokenCode' value--- is missing or expired, the 'AssumeRole' call returns an "access denied" error.-arTokenCode :: Lens' AssumeRole (Maybe Text)-arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })+instance ToHeaders AssumeRole where+ toHeaders = const mempty -data AssumeRoleResponse = AssumeRoleResponse- { _arrAssumedRoleUser :: Maybe AssumedRoleUser- , _arrCredentials :: Maybe Credentials- , _arrPackedPolicySize :: Maybe Nat- } deriving (Eq, Read, Show)+instance ToPath AssumeRole where+ toPath = const "/" --- | 'AssumeRoleResponse' constructor.+instance ToQuery AssumeRole where+ toQuery AssumeRole'{..}+ = mconcat+ ["Action" =: ("AssumeRole" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "TokenCode" =: _arTokenCode,+ "DurationSeconds" =: _arDurationSeconds,+ "ExternalId" =: _arExternalId, "Policy" =: _arPolicy,+ "SerialNumber" =: _arSerialNumber,+ "RoleArn" =: _arRoleARN,+ "RoleSessionName" =: _arRoleSessionName]++-- | Contains the response to a successful AssumeRole request, including+-- temporary AWS credentials that can be used to make AWS requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleResponse' smart constructor.+data AssumeRoleResponse = AssumeRoleResponse'+ { _arrsPackedPolicySize :: !(Maybe Nat)+ , _arrsCredentials :: !(Maybe Credentials)+ , _arrsAssumedRoleUser :: !(Maybe AssumedRoleUser)+ , _arrsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleResponse' with the minimum fields required to make a request. ----- * 'arrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arrCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arrsPackedPolicySize' ----- * 'arrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arrsCredentials' ---assumeRoleResponse :: AssumeRoleResponse-assumeRoleResponse = AssumeRoleResponse- { _arrCredentials = Nothing- , _arrAssumedRoleUser = Nothing- , _arrPackedPolicySize = Nothing+-- * 'arrsAssumedRoleUser'+--+-- * 'arrsStatus'+assumeRoleResponse+ :: Int -- ^ 'arrsStatus'+ -> AssumeRoleResponse+assumeRoleResponse pStatus_ =+ AssumeRoleResponse'+ { _arrsPackedPolicySize = Nothing+ , _arrsCredentials = Nothing+ , _arrsAssumedRoleUser = Nothing+ , _arrsStatus = pStatus_ } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers--- that you can use to refer to the resulting temporary security credentials.--- For example, you can reference these credentials as a principal in a--- resource-based policy by using the ARN or assumed role ID. The ARN and ID--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.-arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)-arrAssumedRoleUser =- lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })---- | The temporary security credentials, which include an access key ID, a secret--- access key, and a security (or session) token.-arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)-arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)-arrPackedPolicySize =- lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })- . mapping _Nat--instance ToPath AssumeRole where- toPath = const "/"--instance ToQuery AssumeRole where- toQuery AssumeRole{..} = mconcat- [ "DurationSeconds" =? _arDurationSeconds- , "ExternalId" =? _arExternalId- , "Policy" =? _arPolicy- , "RoleArn" =? _arRoleArn- , "RoleSessionName" =? _arRoleSessionName- , "SerialNumber" =? _arSerialNumber- , "TokenCode" =? _arTokenCode- ]--instance ToHeaders AssumeRole+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)+arrsPackedPolicySize = lens _arrsPackedPolicySize (\ s a -> s{_arrsPackedPolicySize = a}) . mapping _Nat; -instance AWSRequest AssumeRole where- type Sv AssumeRole = STS- type Rs AssumeRole = AssumeRoleResponse+-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security (or session) token.+arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)+arrsCredentials = lens _arrsCredentials (\ s a -> s{_arrsCredentials = a}); - request = post "AssumeRole"- response = xmlResponse+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary+-- security credentials. For example, you can reference these credentials+-- as a principal in a resource-based policy by using the ARN or assumed+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified+-- when you called 'AssumeRole'.+arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)+arrsAssumedRoleUser = lens _arrsAssumedRoleUser (\ s a -> s{_arrsAssumedRoleUser = a}); -instance FromXML AssumeRoleResponse where- parseXML = withElement "AssumeRoleResult" $ \x -> AssumeRoleResponse- <$> x .@? "AssumedRoleUser"- <*> x .@? "Credentials"- <*> x .@? "PackedPolicySize"+-- | The response status code.+arrsStatus :: Lens' AssumeRoleResponse Int+arrsStatus = lens _arrsStatus (\ s a -> s{_arrsStatus = a});
gen/Network/AWS/STS/AssumeRoleWithSAML.hs view
@@ -1,309 +1,336 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.AssumeRoleWithSAML--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials for users who have been--- authenticated via a SAML authentication response. This operation provides a--- mechanism for tying an enterprise identity store or directory to role-based--- AWS access without user-specific credentials or configuration.+-- Returns a set of temporary security credentials for users who have been+-- authenticated via a SAML authentication response. This operation+-- provides a mechanism for tying an enterprise identity store or directory+-- to role-based AWS access without user-specific credentials or+-- configuration. ----- The temporary security credentials returned by this operation consist of an--- access key ID, a secret access key, and a security token. Applications can--- use these temporary security credentials to sign calls to AWS services. The--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the--- SAML authentication response's 'SessionNotOnOrAfter' value, whichever is--- shorter.+-- The temporary security credentials returned by this operation consist of+-- an access key ID, a secret access key, and a security token.+-- Applications can use these temporary security credentials to sign calls+-- to AWS services. The credentials are valid for the duration that you+-- specified when calling 'AssumeRoleWithSAML', which can be up to 3600+-- seconds (1 hour) or until the time specified in the SAML authentication+-- response\'s 'SessionNotOnOrAfter' value, whichever is shorter. ----- The maximum duration for a session is 1 hour, and the minimum duration is 15--- minutes, even if values outside this range are specified. Optionally, you--- can pass an IAM access policy to this operation. If you choose not to pass a--- policy, the temporary security credentials that are returned by the operation--- have the permissions that are defined in the access policy of the role that--- is being assumed. If you pass a policy to this operation, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/--- .+-- The maximum duration for a session is 1 hour, and the minimum duration+-- is 15 minutes, even if values outside this range are specified. ----- Before your application can call 'AssumeRoleWithSAML', you must configure your--- SAML identity provider (IdP) to issue the claims required by AWS.--- Additionally, you must use AWS Identity and Access Management (IAM) to create--- a SAML provider entity in your AWS account that represents your identity--- provider, and create an IAM role that specifies this SAML provider in its--- trust policy.+-- Optionally, you can pass an IAM access policy to this operation. If you+-- choose not to pass a policy, the temporary security credentials that are+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>+-- in /Using Temporary Security Credentials/. --+-- Before your application can call 'AssumeRoleWithSAML', you must+-- configure your SAML identity provider (IdP) to issue the claims required+-- by AWS. Additionally, you must use AWS Identity and Access Management+-- (IAM) to create a SAML provider entity in your AWS account that+-- represents your identity provider, and create an IAM role that specifies+-- this SAML provider in its trust policy.+-- -- Calling 'AssumeRoleWithSAML' does not require the use of AWS security--- credentials. The identity of the caller is validated by using keys in the--- metadata document that is uploaded for the SAML provider entity for your--- identity provider.+-- credentials. The identity of the caller is validated by using keys in+-- the metadata document that is uploaded for the SAML provider entity for+-- your identity provider. -- -- For more information, see the following resources: ----- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in /UsingTemporary Security Credentials/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers> in /Using IAM/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuringa Relying Party and Claims> in /Using IAM/. <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-BasedFederation> in /Using IAM/.+-- - <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation>.+-- - <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers>+-- in /Using IAM/.+-- - <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Claims>+-- in /Using IAM/.+-- - <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-Based Federation>+-- in /Using IAM/. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html AWS API Reference> for AssumeRoleWithSAML. module Network.AWS.STS.AssumeRoleWithSAML (- -- * Request- AssumeRoleWithSAML- -- ** Request constructor- , assumeRoleWithSAML- -- ** Request lenses+ -- * Creating a Request+ assumeRoleWithSAML+ , AssumeRoleWithSAML+ -- * Request Lenses , arwsamlDurationSeconds , arwsamlPolicy- , arwsamlPrincipalArn- , arwsamlRoleArn+ , arwsamlRoleARN+ , arwsamlPrincipalARN , arwsamlSAMLAssertion - -- * Response- , AssumeRoleWithSAMLResponse- -- ** Response constructor+ -- * Destructuring the Response , assumeRoleWithSAMLResponse- -- ** Response lenses- , arwsamlrAssumedRoleUser- , arwsamlrAudience- , arwsamlrCredentials- , arwsamlrIssuer- , arwsamlrNameQualifier- , arwsamlrPackedPolicySize- , arwsamlrSubject- , arwsamlrSubjectType+ , AssumeRoleWithSAMLResponse+ -- * Response Lenses+ , arwsamlrsAudience+ , arwsamlrsSubject+ , arwsamlrsPackedPolicySize+ , arwsamlrsCredentials+ , arwsamlrsSubjectType+ , arwsamlrsNameQualifier+ , arwsamlrsAssumedRoleUser+ , arwsamlrsIssuer+ , arwsamlrsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -data AssumeRoleWithSAML = AssumeRoleWithSAML- { _arwsamlDurationSeconds :: Maybe Nat- , _arwsamlPolicy :: Maybe Text- , _arwsamlPrincipalArn :: Text- , _arwsamlRoleArn :: Text- , _arwsamlSAMLAssertion :: Text- } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRoleWithSAML' smart constructor.+data AssumeRoleWithSAML = AssumeRoleWithSAML'+ { _arwsamlDurationSeconds :: !(Maybe Nat)+ , _arwsamlPolicy :: !(Maybe Text)+ , _arwsamlRoleARN :: !Text+ , _arwsamlPrincipalARN :: !Text+ , _arwsamlSAMLAssertion :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRoleWithSAML' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRoleWithSAML' with the minimum fields required to make a request. ----- * 'arwsamlDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwsamlPolicy' @::@ 'Maybe' 'Text'+-- * 'arwsamlDurationSeconds' ----- * 'arwsamlPrincipalArn' @::@ 'Text'+-- * 'arwsamlPolicy' ----- * 'arwsamlRoleArn' @::@ 'Text'+-- * 'arwsamlRoleARN' ----- * 'arwsamlSAMLAssertion' @::@ 'Text'+-- * 'arwsamlPrincipalARN' ---assumeRoleWithSAML :: Text -- ^ 'arwsamlRoleArn'- -> Text -- ^ 'arwsamlPrincipalArn'- -> Text -- ^ 'arwsamlSAMLAssertion'- -> AssumeRoleWithSAML-assumeRoleWithSAML p1 p2 p3 = AssumeRoleWithSAML- { _arwsamlRoleArn = p1- , _arwsamlPrincipalArn = p2- , _arwsamlSAMLAssertion = p3- , _arwsamlPolicy = Nothing- , _arwsamlDurationSeconds = Nothing+-- * 'arwsamlSAMLAssertion'+assumeRoleWithSAML+ :: Text -- ^ 'arwsamlRoleARN'+ -> Text -- ^ 'arwsamlPrincipalARN'+ -> Text -- ^ 'arwsamlSAMLAssertion'+ -> AssumeRoleWithSAML+assumeRoleWithSAML pRoleARN_ pPrincipalARN_ pSAMLAssertion_ =+ AssumeRoleWithSAML'+ { _arwsamlDurationSeconds = Nothing+ , _arwsamlPolicy = Nothing+ , _arwsamlRoleARN = pRoleARN_+ , _arwsamlPrincipalARN = pPrincipalARN_+ , _arwsamlSAMLAssertion = pSAMLAssertion_ } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds. An expiration can also be specified in the SAML--- authentication response's 'SessionNotOnOrAfter' value. The actual expiration--- time is whichever value is shorter.+-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds. An expiration can also be specified in the SAML+-- authentication response\'s 'SessionNotOnOrAfter' value. The actual+-- expiration time is whichever value is shorter. ----- The maximum duration for a session is 1 hour, and the minimum duration is 15--- minutes, even if values outside this range are specified.+-- The maximum duration for a session is 1 hour, and the minimum duration+-- is 15 minutes, even if values outside this range are specified. arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)-arwsamlDurationSeconds =- lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })- . mapping _Nat+arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\ s a -> s{_arwsamlDurationSeconds = a}) . mapping _Nat; -- | An IAM policy in JSON format. -- -- The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/--- .+-- security credentials that are returned by the operation have the+-- permissions that are allowed by both the access policy of the role that+-- is being assumed, /__and__/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>+-- in /Using Temporary Security Credentials/. ----- The policy must be 2048 bytes or shorter, and its packed size must be less--- than 450 bytes.+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size. arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)-arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })---- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the--- IdP.-arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text-arwsamlPrincipalArn =- lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })+arwsamlPolicy = lens _arwsamlPolicy (\ s a -> s{_arwsamlPolicy = a}); -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text-arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })+arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text+arwsamlRoleARN = lens _arwsamlRoleARN (\ s a -> s{_arwsamlRoleARN = a}); +-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that+-- describes the IdP.+arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text+arwsamlPrincipalARN = lens _arwsamlPrincipalARN (\ s a -> s{_arwsamlPrincipalARN = a});+ -- | The base-64 encoded SAML authentication response provided by the IdP. ----- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in--- the /Using IAM/ guide.+-- For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>+-- in the /Using IAM/ guide. arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text-arwsamlSAMLAssertion =- lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })+arwsamlSAMLAssertion = lens _arwsamlSAMLAssertion (\ s a -> s{_arwsamlSAMLAssertion = a}); -data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse- { _arwsamlrAssumedRoleUser :: Maybe AssumedRoleUser- , _arwsamlrAudience :: Maybe Text- , _arwsamlrCredentials :: Maybe Credentials- , _arwsamlrIssuer :: Maybe Text- , _arwsamlrNameQualifier :: Maybe Text- , _arwsamlrPackedPolicySize :: Maybe Nat- , _arwsamlrSubject :: Maybe Text- , _arwsamlrSubjectType :: Maybe Text- } deriving (Eq, Read, Show)+instance AWSRequest AssumeRoleWithSAML where+ type Sv AssumeRoleWithSAML = STS+ type Rs AssumeRoleWithSAML =+ AssumeRoleWithSAMLResponse+ request = postQuery+ response+ = receiveXMLWrapper "AssumeRoleWithSAMLResult"+ (\ s h x ->+ AssumeRoleWithSAMLResponse' <$>+ (x .@? "Audience") <*> (x .@? "Subject") <*>+ (x .@? "PackedPolicySize")+ <*> (x .@? "Credentials")+ <*> (x .@? "SubjectType")+ <*> (x .@? "NameQualifier")+ <*> (x .@? "AssumedRoleUser")+ <*> (x .@? "Issuer")+ <*> (pure (fromEnum s))) --- | 'AssumeRoleWithSAMLResponse' constructor.+instance ToHeaders AssumeRoleWithSAML where+ toHeaders = const mempty++instance ToPath AssumeRoleWithSAML where+ toPath = const "/"++instance ToQuery AssumeRoleWithSAML where+ toQuery AssumeRoleWithSAML'{..}+ = mconcat+ ["Action" =: ("AssumeRoleWithSAML" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "DurationSeconds" =: _arwsamlDurationSeconds,+ "Policy" =: _arwsamlPolicy,+ "RoleArn" =: _arwsamlRoleARN,+ "PrincipalArn" =: _arwsamlPrincipalARN,+ "SAMLAssertion" =: _arwsamlSAMLAssertion]++-- | Contains the response to a successful AssumeRoleWithSAML request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleWithSAMLResponse' smart constructor.+data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse'+ { _arwsamlrsAudience :: !(Maybe Text)+ , _arwsamlrsSubject :: !(Maybe Text)+ , _arwsamlrsPackedPolicySize :: !(Maybe Nat)+ , _arwsamlrsCredentials :: !(Maybe Credentials)+ , _arwsamlrsSubjectType :: !(Maybe Text)+ , _arwsamlrsNameQualifier :: !(Maybe Text)+ , _arwsamlrsAssumedRoleUser :: !(Maybe AssumedRoleUser)+ , _arwsamlrsIssuer :: !(Maybe Text)+ , _arwsamlrsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleWithSAMLResponse' with the minimum fields required to make a request. ----- * 'arwsamlrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwsamlrAudience' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsAudience' ----- * 'arwsamlrCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arwsamlrsSubject' ----- * 'arwsamlrIssuer' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsPackedPolicySize' ----- * 'arwsamlrNameQualifier' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsCredentials' ----- * 'arwsamlrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arwsamlrsSubjectType' ----- * 'arwsamlrSubject' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsNameQualifier' ----- * 'arwsamlrSubjectType' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsAssumedRoleUser' ---assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse-assumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse- { _arwsamlrCredentials = Nothing- , _arwsamlrAssumedRoleUser = Nothing- , _arwsamlrPackedPolicySize = Nothing- , _arwsamlrSubject = Nothing- , _arwsamlrSubjectType = Nothing- , _arwsamlrIssuer = Nothing- , _arwsamlrAudience = Nothing- , _arwsamlrNameQualifier = Nothing+-- * 'arwsamlrsIssuer'+--+-- * 'arwsamlrsStatus'+assumeRoleWithSAMLResponse+ :: Int -- ^ 'arwsamlrsStatus'+ -> AssumeRoleWithSAMLResponse+assumeRoleWithSAMLResponse pStatus_ =+ AssumeRoleWithSAMLResponse'+ { _arwsamlrsAudience = Nothing+ , _arwsamlrsSubject = Nothing+ , _arwsamlrsPackedPolicySize = Nothing+ , _arwsamlrsCredentials = Nothing+ , _arwsamlrsSubjectType = Nothing+ , _arwsamlrsNameQualifier = Nothing+ , _arwsamlrsAssumedRoleUser = Nothing+ , _arwsamlrsIssuer = Nothing+ , _arwsamlrsStatus = pStatus_ } -arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)-arwsamlrAssumedRoleUser =- lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })+-- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData'+-- element of the SAML assertion.+arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsAudience = lens _arwsamlrsAudience (\ s a -> s{_arwsamlrsAudience = a}); --- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData' element--- of the SAML assertion.-arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })+-- | The value of the 'NameID' element in the 'Subject' element of the SAML+-- assertion.+arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsSubject = lens _arwsamlrsSubject (\ s a -> s{_arwsamlrsSubject = a}); -arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)-arwsamlrCredentials =- lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)+arwsamlrsPackedPolicySize = lens _arwsamlrsPackedPolicySize (\ s a -> s{_arwsamlrsPackedPolicySize = a}) . mapping _Nat; --- | The value of the 'Issuer' element of the SAML assertion.-arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })+-- | Undocumented member.+arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)+arwsamlrsCredentials = lens _arwsamlrsCredentials (\ s a -> s{_arwsamlrsCredentials = a}); --- | A hash value based on the concatenation of the 'Issuer' response value, the AWS--- account ID, and the friendly name (the last part of the ARN) of the SAML--- provider in IAM. The combination of 'NameQualifier' and 'Subject' can be used to--- uniquely identify a federated user.------ The following pseudocode shows how the hash value is calculated:+-- | The format of the name ID, as defined by the 'Format' attribute in the+-- 'NameID' element of the SAML assertion. Typical examples of the format+-- are 'transient' or 'persistent'. ----- 'BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP") )'-arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrNameQualifier =- lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)-arwsamlrPackedPolicySize =- lens _arwsamlrPackedPolicySize- (\s a -> s { _arwsamlrPackedPolicySize = a })- . mapping _Nat---- | The value of the 'NameID' element in the 'Subject' element of the SAML assertion.-arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })+-- If the format includes the prefix+-- 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For+-- example, 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is+-- returned as 'transient'. If the format includes any other prefix, the+-- format is returned with no modifications.+arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsSubjectType = lens _arwsamlrsSubjectType (\ s a -> s{_arwsamlrsSubjectType = a}); --- | The format of the name ID, as defined by the 'Format' attribute in the 'NameID'--- element of the SAML assertion. Typical examples of the format are 'transient'--- or 'persistent'.+-- | A hash value based on the concatenation of the 'Issuer' response value,+-- the AWS account ID, and the friendly name (the last part of the ARN) of+-- the SAML provider in IAM. The combination of 'NameQualifier' and+-- 'Subject' can be used to uniquely identify a federated user. ----- If the format includes the prefix 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For example,--- 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is returned as 'transient'.--- If the format includes any other prefix, the format is returned with no--- modifications.-arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrSubjectType =- lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })--instance ToPath AssumeRoleWithSAML where- toPath = const "/"--instance ToQuery AssumeRoleWithSAML where- toQuery AssumeRoleWithSAML{..} = mconcat- [ "DurationSeconds" =? _arwsamlDurationSeconds- , "Policy" =? _arwsamlPolicy- , "PrincipalArn" =? _arwsamlPrincipalArn- , "RoleArn" =? _arwsamlRoleArn- , "SAMLAssertion" =? _arwsamlSAMLAssertion- ]--instance ToHeaders AssumeRoleWithSAML+-- The following pseudocode shows how the hash value is calculated:+--+-- 'BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )'+arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsNameQualifier = lens _arwsamlrsNameQualifier (\ s a -> s{_arwsamlrsNameQualifier = a}); -instance AWSRequest AssumeRoleWithSAML where- type Sv AssumeRoleWithSAML = STS- type Rs AssumeRoleWithSAML = AssumeRoleWithSAMLResponse+-- | Undocumented member.+arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)+arwsamlrsAssumedRoleUser = lens _arwsamlrsAssumedRoleUser (\ s a -> s{_arwsamlrsAssumedRoleUser = a}); - request = post "AssumeRoleWithSAML"- response = xmlResponse+-- | The value of the 'Issuer' element of the SAML assertion.+arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsIssuer = lens _arwsamlrsIssuer (\ s a -> s{_arwsamlrsIssuer = a}); -instance FromXML AssumeRoleWithSAMLResponse where- parseXML = withElement "AssumeRoleWithSAMLResult" $ \x -> AssumeRoleWithSAMLResponse- <$> x .@? "AssumedRoleUser"- <*> x .@? "Audience"- <*> x .@? "Credentials"- <*> x .@? "Issuer"- <*> x .@? "NameQualifier"- <*> x .@? "PackedPolicySize"- <*> x .@? "Subject"- <*> x .@? "SubjectType"+-- | The response status code.+arwsamlrsStatus :: Lens' AssumeRoleWithSAMLResponse Int+arwsamlrsStatus = lens _arwsamlrsStatus (\ s a -> s{_arwsamlrsStatus = a});
gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs view
@@ -1,315 +1,355 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.AssumeRoleWithWebIdentity--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials for users who have been--- authenticated in a mobile or web application with a web identity provider,--- such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID--- Connect-compatible identity provider.+-- Returns a set of temporary security credentials for users who have been+-- authenticated in a mobile or web application with a web identity+-- provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,+-- or any OpenID Connect-compatible identity provider. ----- For mobile applications, we recommend that you use Amazon Cognito. You can--- use Amazon Cognito with the <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to--- uniquely identify a user and supply the user with a consistent identity+-- For mobile applications, we recommend that you use Amazon Cognito. You+-- can use Amazon Cognito with the+-- <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the+-- <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to uniquely+-- identify a user and supply the user with a consistent identity -- throughout the lifetime of an application. ----- To learn more about Amazon Cognito, see <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> in the /AWSSDK for Android Developer Guide/ guide and <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> in the /AWSSDK for iOS Developer Guide/.+-- To learn more about Amazon Cognito, see+-- <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview>+-- in the /AWS SDK for Android Developer Guide/ guide and+-- <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview>+-- in the /AWS SDK for iOS Developer Guide/. ----- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security--- credentials. Therefore, you can distribute an application (for example, on--- mobile devices) that requests temporary security credentials without--- including long-term AWS credentials in the application, and without deploying--- server-based proxy services that use long-term AWS credentials. Instead, the--- identity of the caller is validated by using a token from the web identity--- provider.+-- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS+-- security credentials. Therefore, you can distribute an application (for+-- example, on mobile devices) that requests temporary security credentials+-- without including long-term AWS credentials in the application, and+-- without deploying server-based proxy services that use long-term AWS+-- credentials. Instead, the identity of the caller is validated by using a+-- token from the web identity provider. ----- The temporary security credentials returned by this API consist of an access--- key ID, a secret access key, and a security token. Applications can use these--- temporary security credentials to sign calls to AWS service APIs. The--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By--- default, the temporary security credentials are valid for 1 hour.+-- The temporary security credentials returned by this API consist of an+-- access key ID, a secret access key, and a security token. Applications+-- can use these temporary security credentials to sign calls to AWS+-- service APIs. The credentials are valid for the duration that you+-- specified when calling 'AssumeRoleWithWebIdentity', which can be from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the+-- temporary security credentials are valid for 1 hour. -- -- Optionally, you can pass an IAM access policy to this operation. If you -- choose not to pass a policy, the temporary security credentials that are--- returned by the operation have the permissions that are defined in the access--- policy of the role that is being assumed. If you pass a policy to this--- operation, the temporary security credentials that are returned by the--- operation have the permissions that are allowed by both the access policy of--- the role that is being assumed, /and/ the policy that you pass. This gives you--- a way to further restrict the permissions for the resulting temporary--- security credentials. You cannot use the passed policy to grant permissions--- that are in excess of those allowed by the access policy of the role that is--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions forAssumeRoleWithWebIdentity> in /Using Temporary Security Credentials/.+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>. ----- Before your application can call 'AssumeRoleWithWebIdentity', you must have an--- identity token from a supported identity provider and create a role that the--- application can assume. The role that your application assumes must trust the--- identity provider that is associated with the identity token. In other words,--- the identity provider must be specified in the role's trust policy.+-- Before your application can call 'AssumeRoleWithWebIdentity', you must+-- have an identity token from a supported identity provider and create a+-- role that the application can assume. The role that your application+-- assumes must trust the identity provider that is associated with the+-- identity token. In other words, the identity provider must be specified+-- in the role\'s trust policy. ----- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity' API, see the following resources:+-- For more information about how to use web identity federation and the+-- 'AssumeRoleWithWebIdentity' API, see the following resources: ----- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html CreatingTemporary Security Credentials for Mobile Apps Using Third-Party IdentityProviders> in /Using Temporary Security Credentials/. <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity FederationPlayground>. This interactive website lets you walk through the process of--- authenticating via Login with Amazon, Facebook, or Google, getting temporary--- security credentials, and then using those credentials to make a request to--- AWS. <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These toolkits contain sample--- apps that show how to invoke the identity providers, and then how to use the--- information from these providers to get and use temporary security--- credentials. <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>. This article--- discusses web identity federation and shows an example of how to use web--- identity federation to get access to content in Amazon S3.+-- - <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In>+-- and+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Third-Party Identity Providers>.+-- - <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground>.+-- This interactive website lets you walk through the process of+-- authenticating via Login with Amazon, Facebook, or Google, getting+-- temporary security credentials, and then using those credentials to+-- make a request to AWS.+-- - <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and+-- <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These+-- toolkits contain sample apps that show how to invoke the identity+-- providers, and then how to use the information from these providers+-- to get and use temporary security credentials.+-- - <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>.+-- This article discusses web identity federation and shows an example+-- of how to use web identity federation to get access to content in+-- Amazon S3. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html AWS API Reference> for AssumeRoleWithWebIdentity. module Network.AWS.STS.AssumeRoleWithWebIdentity (- -- * Request- AssumeRoleWithWebIdentity- -- ** Request constructor- , assumeRoleWithWebIdentity- -- ** Request lenses+ -- * Creating a Request+ assumeRoleWithWebIdentity+ , AssumeRoleWithWebIdentity+ -- * Request Lenses+ , arwwiProviderId , arwwiDurationSeconds , arwwiPolicy- , arwwiProviderId- , arwwiRoleArn+ , arwwiRoleARN , arwwiRoleSessionName , arwwiWebIdentityToken - -- * Response- , AssumeRoleWithWebIdentityResponse- -- ** Response constructor+ -- * Destructuring the Response , assumeRoleWithWebIdentityResponse- -- ** Response lenses- , arwwirAssumedRoleUser- , arwwirAudience- , arwwirCredentials- , arwwirPackedPolicySize- , arwwirProvider- , arwwirSubjectFromWebIdentityToken+ , AssumeRoleWithWebIdentityResponse+ -- * Response Lenses+ , arwwirsAudience+ , arwwirsSubjectFromWebIdentityToken+ , arwwirsPackedPolicySize+ , arwwirsCredentials+ , arwwirsAssumedRoleUser+ , arwwirsProvider+ , arwwirsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity- { _arwwiDurationSeconds :: Maybe Nat- , _arwwiPolicy :: Maybe Text- , _arwwiProviderId :: Maybe Text- , _arwwiRoleArn :: Text- , _arwwiRoleSessionName :: Text- , _arwwiWebIdentityToken :: Text- } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRoleWithWebIdentity' smart constructor.+data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity'+ { _arwwiProviderId :: !(Maybe Text)+ , _arwwiDurationSeconds :: !(Maybe Nat)+ , _arwwiPolicy :: !(Maybe Text)+ , _arwwiRoleARN :: !Text+ , _arwwiRoleSessionName :: !Text+ , _arwwiWebIdentityToken :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRoleWithWebIdentity' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRoleWithWebIdentity' with the minimum fields required to make a request. ----- * 'arwwiDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwwiPolicy' @::@ 'Maybe' 'Text'+-- * 'arwwiProviderId' ----- * 'arwwiProviderId' @::@ 'Maybe' 'Text'+-- * 'arwwiDurationSeconds' ----- * 'arwwiRoleArn' @::@ 'Text'+-- * 'arwwiPolicy' ----- * 'arwwiRoleSessionName' @::@ 'Text'+-- * 'arwwiRoleARN' ----- * 'arwwiWebIdentityToken' @::@ 'Text'+-- * 'arwwiRoleSessionName' ---assumeRoleWithWebIdentity :: Text -- ^ 'arwwiRoleArn'- -> Text -- ^ 'arwwiRoleSessionName'- -> Text -- ^ 'arwwiWebIdentityToken'- -> AssumeRoleWithWebIdentity-assumeRoleWithWebIdentity p1 p2 p3 = AssumeRoleWithWebIdentity- { _arwwiRoleArn = p1- , _arwwiRoleSessionName = p2- , _arwwiWebIdentityToken = p3- , _arwwiProviderId = Nothing- , _arwwiPolicy = Nothing- , _arwwiDurationSeconds = Nothing+-- * 'arwwiWebIdentityToken'+assumeRoleWithWebIdentity+ :: Text -- ^ 'arwwiRoleARN'+ -> Text -- ^ 'arwwiRoleSessionName'+ -> Text -- ^ 'arwwiWebIdentityToken'+ -> AssumeRoleWithWebIdentity+assumeRoleWithWebIdentity pRoleARN_ pRoleSessionName_ pWebIdentityToken_ =+ AssumeRoleWithWebIdentity'+ { _arwwiProviderId = Nothing+ , _arwwiDurationSeconds = Nothing+ , _arwwiPolicy = Nothing+ , _arwwiRoleARN = pRoleARN_+ , _arwwiRoleSessionName = pRoleSessionName_+ , _arwwiWebIdentityToken = pWebIdentityToken_ } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds.-arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)-arwwiDurationSeconds =- lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })- . mapping _Nat---- | An IAM policy in JSON format.------ The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity> in /Using Temporary SecurityCredentials/.-arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)-arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })- -- | The fully qualified host component of the domain name of the identity -- provider. ----- Specify this value only for OAuth 2.0 access tokens. Currently 'www.amazon.com'--- and 'graph.facebook.com' are the only supported identity providers for OAuth--- 2.0 access tokens. Do not include URL schemes and port numbers.+-- Specify this value only for OAuth 2.0 access tokens. Currently+-- 'www.amazon.com' and 'graph.facebook.com' are the only supported+-- identity providers for OAuth 2.0 access tokens. Do not include URL+-- schemes and port numbers. -- -- Do not specify this value for OpenID Connect ID tokens. arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)-arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })+arwwiProviderId = lens _arwwiProviderId (\ s a -> s{_arwwiProviderId = a}); +-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds.+arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)+arwwiDurationSeconds = lens _arwwiDurationSeconds (\ s a -> s{_arwwiDurationSeconds = a}) . mapping _Nat;++-- | An IAM policy in JSON format.+--+-- The policy parameter is optional. If you pass a policy, the temporary+-- security credentials that are returned by the operation have the+-- permissions that are allowed by both the access policy of the role that+-- is being assumed, /__and__/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.+--+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size.+arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)+arwwiPolicy = lens _arwwiPolicy (\ s a -> s{_arwwiPolicy = a});+ -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text-arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })+arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text+arwwiRoleARN = lens _arwwiRoleARN (\ s a -> s{_arwwiRoleARN = a}); --- | An identifier for the assumed role session. Typically, you pass the name or--- identifier that is associated with the user who is using your application.--- That way, the temporary security credentials that your application will use--- are associated with that user. This session name is included as part of the--- ARN and assumed role ID in the 'AssumedRoleUser' response element.+-- | An identifier for the assumed role session. Typically, you pass the name+-- or identifier that is associated with the user who is using your+-- application. That way, the temporary security credentials that your+-- application will use are associated with that user. This session name is+-- included as part of the ARN and assumed role ID in the 'AssumedRoleUser'+-- response element. arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text-arwwiRoleSessionName =- lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })+arwwiRoleSessionName = lens _arwwiRoleSessionName (\ s a -> s{_arwwiRoleSessionName = a}); --- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the--- identity provider. Your application must get this token by authenticating the--- user who is using your application with a web identity provider before the--- application makes an 'AssumeRoleWithWebIdentity' call.+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided+-- by the identity provider. Your application must get this token by+-- authenticating the user who is using your application with a web+-- identity provider before the application makes an+-- 'AssumeRoleWithWebIdentity' call. arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text-arwwiWebIdentityToken =- lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })+arwwiWebIdentityToken = lens _arwwiWebIdentityToken (\ s a -> s{_arwwiWebIdentityToken = a}); -data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse- { _arwwirAssumedRoleUser :: Maybe AssumedRoleUser- , _arwwirAudience :: Maybe Text- , _arwwirCredentials :: Maybe Credentials- , _arwwirPackedPolicySize :: Maybe Nat- , _arwwirProvider :: Maybe Text- , _arwwirSubjectFromWebIdentityToken :: Maybe Text- } deriving (Eq, Read, Show)+instance AWSRequest AssumeRoleWithWebIdentity where+ type Sv AssumeRoleWithWebIdentity = STS+ type Rs AssumeRoleWithWebIdentity =+ AssumeRoleWithWebIdentityResponse+ request = postQuery+ response+ = receiveXMLWrapper "AssumeRoleWithWebIdentityResult"+ (\ s h x ->+ AssumeRoleWithWebIdentityResponse' <$>+ (x .@? "Audience") <*>+ (x .@? "SubjectFromWebIdentityToken")+ <*> (x .@? "PackedPolicySize")+ <*> (x .@? "Credentials")+ <*> (x .@? "AssumedRoleUser")+ <*> (x .@? "Provider")+ <*> (pure (fromEnum s))) --- | 'AssumeRoleWithWebIdentityResponse' constructor.+instance ToHeaders AssumeRoleWithWebIdentity where+ toHeaders = const mempty++instance ToPath AssumeRoleWithWebIdentity where+ toPath = const "/"++instance ToQuery AssumeRoleWithWebIdentity where+ toQuery AssumeRoleWithWebIdentity'{..}+ = mconcat+ ["Action" =:+ ("AssumeRoleWithWebIdentity" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "ProviderId" =: _arwwiProviderId,+ "DurationSeconds" =: _arwwiDurationSeconds,+ "Policy" =: _arwwiPolicy, "RoleArn" =: _arwwiRoleARN,+ "RoleSessionName" =: _arwwiRoleSessionName,+ "WebIdentityToken" =: _arwwiWebIdentityToken]++-- | Contains the response to a successful AssumeRoleWithWebIdentity request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleWithWebIdentityResponse' smart constructor.+data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse'+ { _arwwirsAudience :: !(Maybe Text)+ , _arwwirsSubjectFromWebIdentityToken :: !(Maybe Text)+ , _arwwirsPackedPolicySize :: !(Maybe Nat)+ , _arwwirsCredentials :: !(Maybe Credentials)+ , _arwwirsAssumedRoleUser :: !(Maybe AssumedRoleUser)+ , _arwwirsProvider :: !(Maybe Text)+ , _arwwirsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleWithWebIdentityResponse' with the minimum fields required to make a request. ----- * 'arwwirAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwwirAudience' @::@ 'Maybe' 'Text'+-- * 'arwwirsAudience' ----- * 'arwwirCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arwwirsSubjectFromWebIdentityToken' ----- * 'arwwirPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arwwirsPackedPolicySize' ----- * 'arwwirProvider' @::@ 'Maybe' 'Text'+-- * 'arwwirsCredentials' ----- * 'arwwirSubjectFromWebIdentityToken' @::@ 'Maybe' 'Text'+-- * 'arwwirsAssumedRoleUser' ---assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse-assumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse- { _arwwirCredentials = Nothing- , _arwwirSubjectFromWebIdentityToken = Nothing- , _arwwirAssumedRoleUser = Nothing- , _arwwirPackedPolicySize = Nothing- , _arwwirProvider = Nothing- , _arwwirAudience = Nothing+-- * 'arwwirsProvider'+--+-- * 'arwwirsStatus'+assumeRoleWithWebIdentityResponse+ :: Int -- ^ 'arwwirsStatus'+ -> AssumeRoleWithWebIdentityResponse+assumeRoleWithWebIdentityResponse pStatus_ =+ AssumeRoleWithWebIdentityResponse'+ { _arwwirsAudience = Nothing+ , _arwwirsSubjectFromWebIdentityToken = Nothing+ , _arwwirsPackedPolicySize = Nothing+ , _arwwirsCredentials = Nothing+ , _arwwirsAssumedRoleUser = Nothing+ , _arwwirsProvider = Nothing+ , _arwwirsStatus = pStatus_ } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers--- that you can use to refer to the resulting temporary security credentials.--- For example, you can reference these credentials as a principal in a--- resource-based policy by using the ARN or assumed role ID. The ARN and ID--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.-arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)-arwwirAssumedRoleUser =- lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })---- | The intended audience (also known as client ID) of the web identity token.--- This is traditionally the client identifier issued to the application that--- requested the web identity token.-arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })---- | The temporary security credentials, which include an access key ID, a secret--- access key, and a security token.-arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)-arwwirCredentials =- lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)-arwwirPackedPolicySize =- lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })- . mapping _Nat---- | The issuing authority of the web identity token presented. For OpenID--- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0--- access tokens, this contains the value of the 'ProviderId' parameter that was--- passed in the 'AssumeRoleWithWebIdentity' request.-arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })---- | The unique user identifier that is returned by the identity provider. This--- identifier is associated with the 'WebIdentityToken' that was submitted with--- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the--- user and the application that acquired the 'WebIdentityToken' (pairwise--- identifier). For OpenID Connect ID tokens, this field contains the value--- returned by the identity provider as the token's 'sub' (Subject) claim.-arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirSubjectFromWebIdentityToken =- lens _arwwirSubjectFromWebIdentityToken- (\s a -> s { _arwwirSubjectFromWebIdentityToken = a })+-- | The intended audience (also known as client ID) of the web identity+-- token. This is traditionally the client identifier issued to the+-- application that requested the web identity token.+arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsAudience = lens _arwwirsAudience (\ s a -> s{_arwwirsAudience = a}); -instance ToPath AssumeRoleWithWebIdentity where- toPath = const "/"+-- | The unique user identifier that is returned by the identity provider.+-- This identifier is associated with the 'WebIdentityToken' that was+-- submitted with the 'AssumeRoleWithWebIdentity' call. The identifier is+-- typically unique to the user and the application that acquired the+-- 'WebIdentityToken' (pairwise identifier). For OpenID Connect ID tokens,+-- this field contains the value returned by the identity provider as the+-- token\'s 'sub' (Subject) claim.+arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsSubjectFromWebIdentityToken = lens _arwwirsSubjectFromWebIdentityToken (\ s a -> s{_arwwirsSubjectFromWebIdentityToken = a}); -instance ToQuery AssumeRoleWithWebIdentity where- toQuery AssumeRoleWithWebIdentity{..} = mconcat- [ "DurationSeconds" =? _arwwiDurationSeconds- , "Policy" =? _arwwiPolicy- , "ProviderId" =? _arwwiProviderId- , "RoleArn" =? _arwwiRoleArn- , "RoleSessionName" =? _arwwiRoleSessionName- , "WebIdentityToken" =? _arwwiWebIdentityToken- ]+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)+arwwirsPackedPolicySize = lens _arwwirsPackedPolicySize (\ s a -> s{_arwwirsPackedPolicySize = a}) . mapping _Nat; -instance ToHeaders AssumeRoleWithWebIdentity+-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security token.+arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)+arwwirsCredentials = lens _arwwirsCredentials (\ s a -> s{_arwwirsCredentials = a}); -instance AWSRequest AssumeRoleWithWebIdentity where- type Sv AssumeRoleWithWebIdentity = STS- type Rs AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary+-- security credentials. For example, you can reference these credentials+-- as a principal in a resource-based policy by using the ARN or assumed+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified+-- when you called 'AssumeRole'.+arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)+arwwirsAssumedRoleUser = lens _arwwirsAssumedRoleUser (\ s a -> s{_arwwirsAssumedRoleUser = a}); - request = post "AssumeRoleWithWebIdentity"- response = xmlResponse+-- | The issuing authority of the web identity token presented. For OpenID+-- Connect ID Tokens this contains the value of the 'iss' field. For OAuth+-- 2.0 access tokens, this contains the value of the 'ProviderId' parameter+-- that was passed in the 'AssumeRoleWithWebIdentity' request.+arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsProvider = lens _arwwirsProvider (\ s a -> s{_arwwirsProvider = a}); -instance FromXML AssumeRoleWithWebIdentityResponse where- parseXML = withElement "AssumeRoleWithWebIdentityResult" $ \x -> AssumeRoleWithWebIdentityResponse- <$> x .@? "AssumedRoleUser"- <*> x .@? "Audience"- <*> x .@? "Credentials"- <*> x .@? "PackedPolicySize"- <*> x .@? "Provider"- <*> x .@? "SubjectFromWebIdentityToken"+-- | The response status code.+arwwirsStatus :: Lens' AssumeRoleWithWebIdentityResponse Int+arwwirsStatus = lens _arwwirsStatus (\ s a -> s{_arwwirsStatus = a});
gen/Network/AWS/STS/DecodeAuthorizationMessage.hs view
@@ -1,131 +1,155 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.DecodeAuthorizationMessage--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Decodes additional information about the authorization status of a request--- from an encoded message returned in response to an AWS request.+-- Decodes additional information about the authorization status of a+-- request from an encoded message returned in response to an AWS request. ----- For example, if a user is not authorized to perform an action that he or she--- has requested, the request returns a 'Client.UnauthorizedOperation' response--- (an HTTP 403 response). Some AWS actions additionally return an encoded--- message that can provide details about this authorization failure.+-- For example, if a user is not authorized to perform an action that he or+-- she has requested, the request returns a 'Client.UnauthorizedOperation'+-- response (an HTTP 403 response). Some AWS actions additionally return an+-- encoded message that can provide details about this authorization+-- failure. -- -- Only certain AWS actions return an encoded authorization message. The--- documentation for an individual action indicates whether that action returns--- an encoded message in addition to returning an HTTP code. The message is--- encoded because the details of the authorization status can constitute--- privileged information that the user who requested the action should not see.--- To decode an authorization status message, a user must be granted permissions--- via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.+-- documentation for an individual action indicates whether that action+-- returns an encoded message in addition to returning an HTTP code. --+-- The message is encoded because the details of the authorization status+-- can constitute privileged information that the user who requested the+-- action should not see. To decode an authorization status message, a user+-- must be granted permissions via an IAM policy to request the+-- 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.+-- -- The decoded message includes the following type of information: ----- Whether the request was denied due to an explicit deny or due to the--- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/. The principal who made the--- request. The requested action. The requested resource. The values of--- condition keys in the context of the user's request.+-- - Whether the request was denied due to an explicit deny or due to the+-- absence of an explicit allow. For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>+-- in /Using IAM/.+-- - The principal who made the request.+-- - The requested action.+-- - The requested resource.+-- - The values of condition keys in the context of the user\'s request. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html AWS API Reference> for DecodeAuthorizationMessage. module Network.AWS.STS.DecodeAuthorizationMessage (- -- * Request- DecodeAuthorizationMessage- -- ** Request constructor- , decodeAuthorizationMessage- -- ** Request lenses+ -- * Creating a Request+ decodeAuthorizationMessage+ , DecodeAuthorizationMessage+ -- * Request Lenses , damEncodedMessage - -- * Response- , DecodeAuthorizationMessageResponse- -- ** Response constructor+ -- * Destructuring the Response , decodeAuthorizationMessageResponse- -- ** Response lenses- , damrDecodedMessage+ , DecodeAuthorizationMessageResponse+ -- * Response Lenses+ , damrsDecodedMessage+ , damrsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage+-- | /See:/ 'decodeAuthorizationMessage' smart constructor.+newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage' { _damEncodedMessage :: Text- } deriving (Eq, Ord, Read, Show, Monoid, IsString)+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'DecodeAuthorizationMessage' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'DecodeAuthorizationMessage' with the minimum fields required to make a request. ----- * 'damEncodedMessage' @::@ 'Text'+-- Use one of the following lenses to modify other fields as desired: ---decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'- -> DecodeAuthorizationMessage-decodeAuthorizationMessage p1 = DecodeAuthorizationMessage- { _damEncodedMessage = p1+-- * 'damEncodedMessage'+decodeAuthorizationMessage+ :: Text -- ^ 'damEncodedMessage'+ -> DecodeAuthorizationMessage+decodeAuthorizationMessage pEncodedMessage_ =+ DecodeAuthorizationMessage'+ { _damEncodedMessage = pEncodedMessage_ } -- | The encoded message that was returned with the response. damEncodedMessage :: Lens' DecodeAuthorizationMessage Text-damEncodedMessage =- lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })--newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse- { _damrDecodedMessage :: Maybe Text- } deriving (Eq, Ord, Read, Show, Monoid)+damEncodedMessage = lens _damEncodedMessage (\ s a -> s{_damEncodedMessage = a}); --- | 'DecodeAuthorizationMessageResponse' constructor.------ The fields accessible through corresponding lenses are:------ * 'damrDecodedMessage' @::@ 'Maybe' 'Text'----decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse-decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse- { _damrDecodedMessage = Nothing- }+instance AWSRequest DecodeAuthorizationMessage where+ type Sv DecodeAuthorizationMessage = STS+ type Rs DecodeAuthorizationMessage =+ DecodeAuthorizationMessageResponse+ request = postQuery+ response+ = receiveXMLWrapper+ "DecodeAuthorizationMessageResult"+ (\ s h x ->+ DecodeAuthorizationMessageResponse' <$>+ (x .@? "DecodedMessage") <*> (pure (fromEnum s))) --- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'.-damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)-damrDecodedMessage =- lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })+instance ToHeaders DecodeAuthorizationMessage where+ toHeaders = const mempty instance ToPath DecodeAuthorizationMessage where- toPath = const "/"+ toPath = const "/" instance ToQuery DecodeAuthorizationMessage where- toQuery DecodeAuthorizationMessage{..} = mconcat- [ "EncodedMessage" =? _damEncodedMessage- ]+ toQuery DecodeAuthorizationMessage'{..}+ = mconcat+ ["Action" =:+ ("DecodeAuthorizationMessage" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "EncodedMessage" =: _damEncodedMessage] -instance ToHeaders DecodeAuthorizationMessage+-- | A document that contains additional information about the authorization+-- status of a request from an encoded message that is returned in response+-- to an AWS request.+--+-- /See:/ 'decodeAuthorizationMessageResponse' smart constructor.+data DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse'+ { _damrsDecodedMessage :: !(Maybe Text)+ , _damrsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic) -instance AWSRequest DecodeAuthorizationMessage where- type Sv DecodeAuthorizationMessage = STS- type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse+-- | Creates a value of 'DecodeAuthorizationMessageResponse' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'damrsDecodedMessage'+--+-- * 'damrsStatus'+decodeAuthorizationMessageResponse+ :: Int -- ^ 'damrsStatus'+ -> DecodeAuthorizationMessageResponse+decodeAuthorizationMessageResponse pStatus_ =+ DecodeAuthorizationMessageResponse'+ { _damrsDecodedMessage = Nothing+ , _damrsStatus = pStatus_+ } - request = post "DecodeAuthorizationMessage"- response = xmlResponse+-- | An XML document that contains the decoded message. For more information,+-- see 'DecodeAuthorizationMessage'.+damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)+damrsDecodedMessage = lens _damrsDecodedMessage (\ s a -> s{_damrsDecodedMessage = a}); -instance FromXML DecodeAuthorizationMessageResponse where- parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse- <$> x .@? "DecodedMessage"+-- | The response status code.+damrsStatus :: Lens' DecodeAuthorizationMessageResponse Int+damrsStatus = lens _damrsStatus (\ s a -> s{_damrsStatus = a});
gen/Network/AWS/STS/GetFederationToken.hs view
@@ -1,234 +1,271 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.GetFederationToken--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials (consisting of an access key--- ID, a secret access key, and a security token) for a federated user. A--- typical use is in a proxy application that gets temporary security--- credentials on behalf of distributed applications inside a corporate network.--- Because you must call the 'GetFederationToken' action using the long-term--- security credentials of an IAM user, this call is appropriate in contexts--- where those credentials can be safely stored, usually in a server-based--- application.+-- Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) for a federated user.+-- A typical use is in a proxy application that gets temporary security+-- credentials on behalf of distributed applications inside a corporate+-- network. Because you must call the 'GetFederationToken' action using the+-- long-term security credentials of an IAM user, this call is appropriate+-- in contexts where those credentials can be safely stored, usually in a+-- server-based application. -- -- If you are creating a mobile-based or browser-based app that can -- authenticate users using a web identity provider like Login with Amazon, -- Facebook, Google, or an OpenID Connect-compatible identity provider, we--- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito> or 'AssumeRoleWithWebIdentity'. For more--- information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile AppsUsing Identity Providers> in /Using Temporary Security Credentials/.+-- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito>+-- or 'AssumeRoleWithWebIdentity'. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Identity Providers>. ----- The 'GetFederationToken' action must be called by using the long-term AWS--- security credentials of an IAM user. You can also call 'GetFederationToken'--- using the security credentials of an AWS account (root), but this is not--- recommended. Instead, we recommend that you create an IAM user for the--- purpose of the proxy application and then attach a policy to the IAM user--- that limits federated users to only the actions and resources they need--- access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices> in /Using IAM/.+-- The 'GetFederationToken' action must be called by using the long-term+-- AWS security credentials of an IAM user. You can also call+-- 'GetFederationToken' using the security credentials of an AWS account+-- (root), but this is not recommended. Instead, we recommend that you+-- create an IAM user for the purpose of the proxy application and then+-- attach a policy to the IAM user that limits federated users to only the+-- actions and resources they need access to. For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices>+-- in /Using IAM/. ----- The temporary security credentials that are obtained by using the long-term--- credentials of an IAM user are valid for the specified duration, between 900--- seconds (15 minutes) and 129600 seconds (36 hours). Temporary credentials--- that are obtained by using AWS account (root) credentials have a maximum--- duration of 3600 seconds (1 hour)+-- The temporary security credentials that are obtained by using the+-- long-term credentials of an IAM user are valid for the specified+-- duration, between 900 seconds (15 minutes) and 129600 seconds (36+-- hours). Temporary credentials that are obtained by using AWS account+-- (root) credentials have a maximum duration of 3600 seconds (1 hour) ----- Permissions+-- __Permissions__ ----- The permissions for the temporary security credentials returned by 'GetFederationToken' are determined by a combination of the following:+-- The permissions for the temporary security credentials returned by+-- 'GetFederationToken' are determined by a combination of the following: ----- The policy or policies that are attached to the IAM user whose credentials--- are used to call 'GetFederationToken'. The policy that is passed as a parameter--- in the call. The passed policy is attached to the temporary security--- credentials that result from the 'GetFederationToken' API call--that is, to the /federated user/. When the federated user makes an AWS request, AWS evaluates--- the policy attached to the federated user in combination with the policy or--- policies attached to the IAM user whose credentials were used to call 'GetFederationToken'. AWS allows the federated user's request only when both the federated user /and/ the IAM user are explicitly allowed to perform the requested action. The--- passed policy cannot grant more permissions than those that are defined in--- the IAM user policy.+-- - The policy or policies that are attached to the IAM user whose+-- credentials are used to call 'GetFederationToken'.+-- - The policy that is passed as a parameter in the call. ----- A typical use case is that the permissions of the IAM user whose credentials--- are used to call 'GetFederationToken' are designed to allow access to all the--- actions and resources that any federated user will need. Then, for individual--- users, you pass a policy to the operation that scopes down the permissions to--- a level that's appropriate to that individual user, using a policy that--- allows only a subset of permissions that are granted to the IAM user.+-- The passed policy is attached to the temporary security credentials that+-- result from the 'GetFederationToken' API call--that is, to the+-- /federated user/. When the federated user makes an AWS request, AWS+-- evaluates the policy attached to the federated user in combination with+-- the policy or policies attached to the IAM user whose credentials were+-- used to call 'GetFederationToken'. AWS allows the federated user\'s+-- request only when both the federated user /__and__/ the IAM user are+-- explicitly allowed to perform the requested action. The passed policy+-- cannot grant more permissions than those that are defined in the IAM+-- user policy. ----- If you do not pass a policy, the resulting temporary security credentials--- have no effective permissions. The only exception is when the temporary--- security credentials are used to access a resource that has a resource-based--- policy that specifically allows the federated user to access the resource.+-- A typical use case is that the permissions of the IAM user whose+-- credentials are used to call 'GetFederationToken' are designed to allow+-- access to all the actions and resources that any federated user will+-- need. Then, for individual users, you pass a policy to the operation+-- that scopes down the permissions to a level that\'s appropriate to that+-- individual user, using a policy that allows only a subset of permissions+-- that are granted to the IAM user. ----- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. For information--- about using 'GetFederationToken' to create temporary security credentials, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users> in /Using Temporary Security Credentials/.+-- If you do not pass a policy, the resulting temporary security+-- credentials have no effective permissions. The only exception is when+-- the temporary security credentials are used to access a resource that+-- has a resource-based policy that specifically allows the federated user+-- to access the resource. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>+-- For more information about how permissions work, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.+-- For information about using 'GetFederationToken' to create temporary+-- security credentials, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users>.+--+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html AWS API Reference> for GetFederationToken. module Network.AWS.STS.GetFederationToken (- -- * Request- GetFederationToken- -- ** Request constructor- , getFederationToken- -- ** Request lenses+ -- * Creating a Request+ getFederationToken+ , GetFederationToken+ -- * Request Lenses , gftDurationSeconds- , gftName , gftPolicy+ , gftName - -- * Response- , GetFederationTokenResponse- -- ** Response constructor+ -- * Destructuring the Response , getFederationTokenResponse- -- ** Response lenses- , gftrCredentials- , gftrFederatedUser- , gftrPackedPolicySize+ , GetFederationTokenResponse+ -- * Response Lenses+ , gftrsPackedPolicySize+ , gftrsCredentials+ , gftrsFederatedUser+ , gftrsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -data GetFederationToken = GetFederationToken- { _gftDurationSeconds :: Maybe Nat- , _gftName :: Text- , _gftPolicy :: Maybe Text- } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'getFederationToken' smart constructor.+data GetFederationToken = GetFederationToken'+ { _gftDurationSeconds :: !(Maybe Nat)+ , _gftPolicy :: !(Maybe Text)+ , _gftName :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'GetFederationToken' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'GetFederationToken' with the minimum fields required to make a request. ----- * 'gftDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gftName' @::@ 'Text'+-- * 'gftDurationSeconds' ----- * 'gftPolicy' @::@ 'Maybe' 'Text'+-- * 'gftPolicy' ---getFederationToken :: Text -- ^ 'gftName'- -> GetFederationToken-getFederationToken p1 = GetFederationToken- { _gftName = p1- , _gftPolicy = Nothing- , _gftDurationSeconds = Nothing+-- * 'gftName'+getFederationToken+ :: Text -- ^ 'gftName'+ -> GetFederationToken+getFederationToken pName_ =+ GetFederationToken'+ { _gftDurationSeconds = Nothing+ , _gftPolicy = Nothing+ , _gftName = pName_ } --- | The duration, in seconds, that the session should last. Acceptable durations--- for federation sessions range from 900 seconds (15 minutes) to 129600 seconds--- (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained--- using AWS account (root) credentials are restricted to a maximum of 3600--- seconds (one hour). If the specified duration is longer than one hour, the--- session obtained by using AWS account (root) credentials defaults to one--- hour.+-- | The duration, in seconds, that the session should last. Acceptable+-- durations for federation sessions range from 900 seconds (15 minutes) to+-- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.+-- Sessions obtained using AWS account (root) credentials are restricted to+-- a maximum of 3600 seconds (one hour). If the specified duration is+-- longer than one hour, the session obtained by using AWS account (root)+-- credentials defaults to one hour. gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)-gftDurationSeconds =- lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })- . mapping _Nat---- | The name of the federated user. The name is used as an identifier for the--- temporary security credentials (such as 'Bob'). For example, you can reference--- the federated user name in a resource-based policy, such as in an Amazon S3--- bucket policy.-gftName :: Lens' GetFederationToken Text-gftName = lens _gftName (\s a -> s { _gftName = a })+gftDurationSeconds = lens _gftDurationSeconds (\ s a -> s{_gftDurationSeconds = a}) . mapping _Nat; --- | An IAM policy in JSON format that is passed with the 'GetFederationToken' call--- and evaluated along with the policy or policies that are attached to the IAM--- user whose credentials are used to call 'GetFederationToken'. The passed policy--- is used to scope down the permissions that are available to the IAM user, by--- allowing only a subset of the permissions that are granted to the IAM user.--- The passed policy cannot grant more permissions than those granted to the IAM--- user. The final permissions for the federated user are the most restrictive--- set based on the intersection of the passed policy and the IAM user policy.+-- | An IAM policy in JSON format that is passed with the+-- 'GetFederationToken' call and evaluated along with the policy or+-- policies that are attached to the IAM user whose credentials are used to+-- call 'GetFederationToken'. The passed policy is used to scope down the+-- permissions that are available to the IAM user, by allowing only a+-- subset of the permissions that are granted to the IAM user. The passed+-- policy cannot grant more permissions than those granted to the IAM user.+-- The final permissions for the federated user are the most restrictive+-- set based on the intersection of the passed policy and the IAM user+-- policy. ----- If you do not pass a policy, the resulting temporary security credentials--- have no effective permissions. The only exception is when the temporary--- security credentials are used to access a resource that has a resource-based--- policy that specifically allows the federated user to access the resource.+-- If you do not pass a policy, the resulting temporary security+-- credentials have no effective permissions. The only exception is when+-- the temporary security credentials are used to access a resource that+-- has a resource-based policy that specifically allows the federated user+-- to access the resource. ----- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/.+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size.+--+-- For more information about how permissions work, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>. gftPolicy :: Lens' GetFederationToken (Maybe Text)-gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })+gftPolicy = lens _gftPolicy (\ s a -> s{_gftPolicy = a}); -data GetFederationTokenResponse = GetFederationTokenResponse- { _gftrCredentials :: Maybe Credentials- , _gftrFederatedUser :: Maybe FederatedUser- , _gftrPackedPolicySize :: Maybe Nat- } deriving (Eq, Read, Show)+-- | The name of the federated user. The name is used as an identifier for+-- the temporary security credentials (such as 'Bob'). For example, you can+-- reference the federated user name in a resource-based policy, such as in+-- an Amazon S3 bucket policy.+gftName :: Lens' GetFederationToken Text+gftName = lens _gftName (\ s a -> s{_gftName = a}); --- | 'GetFederationTokenResponse' constructor.+instance AWSRequest GetFederationToken where+ type Sv GetFederationToken = STS+ type Rs GetFederationToken =+ GetFederationTokenResponse+ request = postQuery+ response+ = receiveXMLWrapper "GetFederationTokenResult"+ (\ s h x ->+ GetFederationTokenResponse' <$>+ (x .@? "PackedPolicySize") <*> (x .@? "Credentials")+ <*> (x .@? "FederatedUser")+ <*> (pure (fromEnum s)))++instance ToHeaders GetFederationToken where+ toHeaders = const mempty++instance ToPath GetFederationToken where+ toPath = const "/"++instance ToQuery GetFederationToken where+ toQuery GetFederationToken'{..}+ = mconcat+ ["Action" =: ("GetFederationToken" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "DurationSeconds" =: _gftDurationSeconds,+ "Policy" =: _gftPolicy, "Name" =: _gftName]++-- | Contains the response to a successful GetFederationToken request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'getFederationTokenResponse' smart constructor.+data GetFederationTokenResponse = GetFederationTokenResponse'+ { _gftrsPackedPolicySize :: !(Maybe Nat)+ , _gftrsCredentials :: !(Maybe Credentials)+ , _gftrsFederatedUser :: !(Maybe FederatedUser)+ , _gftrsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'GetFederationTokenResponse' with the minimum fields required to make a request. ----- * 'gftrCredentials' @::@ 'Maybe' 'Credentials'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gftrFederatedUser' @::@ 'Maybe' 'FederatedUser'+-- * 'gftrsPackedPolicySize' ----- * 'gftrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'gftrsCredentials' ---getFederationTokenResponse :: GetFederationTokenResponse-getFederationTokenResponse = GetFederationTokenResponse- { _gftrCredentials = Nothing- , _gftrFederatedUser = Nothing- , _gftrPackedPolicySize = Nothing+-- * 'gftrsFederatedUser'+--+-- * 'gftrsStatus'+getFederationTokenResponse+ :: Int -- ^ 'gftrsStatus'+ -> GetFederationTokenResponse+getFederationTokenResponse pStatus_ =+ GetFederationTokenResponse'+ { _gftrsPackedPolicySize = Nothing+ , _gftrsCredentials = Nothing+ , _gftrsFederatedUser = Nothing+ , _gftrsStatus = pStatus_ } --- | Credentials for the service API authentication.-gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)-gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })---- | Identifiers for the federated user associated with the credentials (such as 'arn:aws:sts::123456789012:federated-user/Bob' or '123456789012:Bob'). You can use the federated user's ARN in your--- resource-based policies, such as an Amazon S3 bucket policy.-gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)-gftrFederatedUser =- lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })- -- | A percentage value indicating the size of the policy in packed form. The -- service rejects policies for which the packed size is greater than 100 -- percent of the allowed value.-gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)-gftrPackedPolicySize =- lens _gftrPackedPolicySize (\s a -> s { _gftrPackedPolicySize = a })- . mapping _Nat--instance ToPath GetFederationToken where- toPath = const "/"--instance ToQuery GetFederationToken where- toQuery GetFederationToken{..} = mconcat- [ "DurationSeconds" =? _gftDurationSeconds- , "Name" =? _gftName- , "Policy" =? _gftPolicy- ]--instance ToHeaders GetFederationToken+gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)+gftrsPackedPolicySize = lens _gftrsPackedPolicySize (\ s a -> s{_gftrsPackedPolicySize = a}) . mapping _Nat; -instance AWSRequest GetFederationToken where- type Sv GetFederationToken = STS- type Rs GetFederationToken = GetFederationTokenResponse+-- | Credentials for the service API authentication.+gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)+gftrsCredentials = lens _gftrsCredentials (\ s a -> s{_gftrsCredentials = a}); - request = post "GetFederationToken"- response = xmlResponse+-- | Identifiers for the federated user associated with the credentials (such+-- as 'arn:aws:sts::123456789012:federated-user\/Bob' or+-- '123456789012:Bob'). You can use the federated user\'s ARN in your+-- resource-based policies, such as an Amazon S3 bucket policy.+gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)+gftrsFederatedUser = lens _gftrsFederatedUser (\ s a -> s{_gftrsFederatedUser = a}); -instance FromXML GetFederationTokenResponse where- parseXML = withElement "GetFederationTokenResult" $ \x -> GetFederationTokenResponse- <$> x .@? "Credentials"- <*> x .@? "FederatedUser"- <*> x .@? "PackedPolicySize"+-- | The response status code.+gftrsStatus :: Lens' GetFederationTokenResponse Int+gftrsStatus = lens _gftrsStatus (\ s a -> s{_gftrsStatus = a});
gen/Network/AWS/STS/GetSessionToken.hs view
@@ -1,175 +1,191 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module : Network.AWS.STS.GetSessionToken--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary credentials for an AWS account or IAM user. The--- credentials consist of an access key ID, a secret access key, and a security--- token. Typically, you use 'GetSessionToken' if you want to use MFA to protect--- programmatic calls to specific AWS APIs like Amazon EC2 'StopInstances'.--- MFA-enabled IAM users would need to call 'GetSessionToken' and submit an MFA--- code that is associated with their MFA device. Using the temporary security--- credentials that are returned from the call, IAM users can then make--- programmatic calls to APIs that require MFA authentication.+-- Returns a set of temporary credentials for an AWS account or IAM user.+-- The credentials consist of an access key ID, a secret access key, and a+-- security token. Typically, you use 'GetSessionToken' if you want to use+-- MFA to protect programmatic calls to specific AWS APIs like Amazon EC2+-- 'StopInstances'. MFA-enabled IAM users would need to call+-- 'GetSessionToken' and submit an MFA code that is associated with their+-- MFA device. Using the temporary security credentials that are returned+-- from the call, IAM users can then make programmatic calls to APIs that+-- require MFA authentication. -- -- The 'GetSessionToken' action must be called by using the long-term AWS--- security credentials of the AWS account or an IAM user. Credentials that are--- created by IAM users are valid for the duration that you specify, between 900--- seconds (15 minutes) and 129600 seconds (36 hours); credentials that are--- created by using account credentials have a maximum duration of 3600 seconds--- (1 hour).+-- security credentials of the AWS account or an IAM user. Credentials that+-- are created by IAM users are valid for the duration that you specify,+-- between 900 seconds (15 minutes) and 129600 seconds (36 hours);+-- credentials that are created by using account credentials have a maximum+-- duration of 3600 seconds (1 hour). -- -- We recommend that you do not call 'GetSessionToken' with root account--- credentials. Instead, follow our <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> by creating one or more IAM--- users, giving them the necessary permissions, and using IAM users for--- everyday interaction with AWS.+-- credentials. Instead, follow our+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices>+-- by creating one or more IAM users, giving them the necessary+-- permissions, and using IAM users for everyday interaction with AWS. ----- The permissions associated with the temporary security credentials returned--- by 'GetSessionToken' are based on the permissions associated with account or--- IAM user whose credentials are used to call the action. If 'GetSessionToken' is--- called using root account credentials, the temporary credentials have root--- account permissions. Similarly, if 'GetSessionToken' is called using the--- credentials of an IAM user, the temporary credentials have the same--- permissions as the IAM user.+-- The permissions associated with the temporary security credentials+-- returned by 'GetSessionToken' are based on the permissions associated+-- with account or IAM user whose credentials are used to call the action.+-- If 'GetSessionToken' is called using root account credentials, the+-- temporary credentials have root account permissions. Similarly, if+-- 'GetSessionToken' is called using the credentials of an IAM user, the+-- temporary credentials have the same permissions as the IAM user. -- -- For more information about using 'GetSessionToken' to create temporary--- credentials, go to Creating Temporary Credentials to Enable Access for IAM--- Users in /Using Temporary Security Credentials/.+-- credentials, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html Creating Temporary Credentials to Enable Access for IAM Users>. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html AWS API Reference> for GetSessionToken. module Network.AWS.STS.GetSessionToken (- -- * Request- GetSessionToken- -- ** Request constructor- , getSessionToken- -- ** Request lenses+ -- * Creating a Request+ getSessionToken+ , GetSessionToken+ -- * Request Lenses+ , gstTokenCode , gstDurationSeconds , gstSerialNumber- , gstTokenCode - -- * Response- , GetSessionTokenResponse- -- ** Response constructor+ -- * Destructuring the Response , getSessionTokenResponse- -- ** Response lenses- , gstrCredentials+ , GetSessionTokenResponse+ -- * Response Lenses+ , gstrsCredentials+ , gstrsStatus ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Request+import Network.AWS.Response+import Network.AWS.STS.Types+import Network.AWS.STS.Types.Product -data GetSessionToken = GetSessionToken- { _gstDurationSeconds :: Maybe Nat- , _gstSerialNumber :: Maybe Text- , _gstTokenCode :: Maybe Text- } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'getSessionToken' smart constructor.+data GetSessionToken = GetSessionToken'+ { _gstTokenCode :: !(Maybe Text)+ , _gstDurationSeconds :: !(Maybe Nat)+ , _gstSerialNumber :: !(Maybe Text)+ } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'GetSessionToken' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'GetSessionToken' with the minimum fields required to make a request. ----- * 'gstDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gstSerialNumber' @::@ 'Maybe' 'Text'+-- * 'gstTokenCode' ----- * 'gstTokenCode' @::@ 'Maybe' 'Text'+-- * 'gstDurationSeconds' ---getSessionToken :: GetSessionToken-getSessionToken = GetSessionToken- { _gstDurationSeconds = Nothing- , _gstSerialNumber = Nothing- , _gstTokenCode = Nothing+-- * 'gstSerialNumber'+getSessionToken+ :: GetSessionToken+getSessionToken =+ GetSessionToken'+ { _gstTokenCode = Nothing+ , _gstDurationSeconds = Nothing+ , _gstSerialNumber = Nothing } --- | The duration, in seconds, that the credentials should remain valid.--- Acceptable durations for IAM user sessions range from 900 seconds (15--- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the--- default. Sessions for AWS account owners are restricted to a maximum of 3600--- seconds (one hour). If the duration is longer than one hour, the session for--- AWS account owners defaults to one hour.-gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)-gstDurationSeconds =- lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })- . mapping _Nat---- | The identification number of the MFA device that is associated with the IAM--- user who is making the 'GetSessionToken' call. Specify this value if the IAM--- user has a policy that requires MFA authentication. The value is either the--- serial number for a hardware device (such as 'GAHT12345678') or an Amazon--- Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management--- Console and viewing the user's security credentials.-gstSerialNumber :: Lens' GetSessionToken (Maybe Text)-gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })- -- | The value provided by the MFA device, if MFA is required. If any policy -- requires the IAM user to submit an MFA code, specify this value. If MFA -- authentication is required, and the user does not provide a code when--- requesting a set of temporary security credentials, the user will receive an--- "access denied" response when requesting resources that require MFA--- authentication.+-- requesting a set of temporary security credentials, the user will+-- receive an \"access denied\" response when requesting resources that+-- require MFA authentication. gstTokenCode :: Lens' GetSessionToken (Maybe Text)-gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })+gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a}); -newtype GetSessionTokenResponse = GetSessionTokenResponse- { _gstrCredentials :: Maybe Credentials- } deriving (Eq, Read, Show)+-- | The duration, in seconds, that the credentials should remain valid.+-- Acceptable durations for IAM user sessions range from 900 seconds (15+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as+-- the default. Sessions for AWS account owners are restricted to a maximum+-- of 3600 seconds (one hour). If the duration is longer than one hour, the+-- session for AWS account owners defaults to one hour.+gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)+gstDurationSeconds = lens _gstDurationSeconds (\ s a -> s{_gstDurationSeconds = a}) . mapping _Nat; --- | 'GetSessionTokenResponse' constructor.------ The fields accessible through corresponding lenses are:------ * 'gstrCredentials' @::@ 'Maybe' 'Credentials'----getSessionTokenResponse :: GetSessionTokenResponse-getSessionTokenResponse = GetSessionTokenResponse- { _gstrCredentials = Nothing- }+-- | The identification number of the MFA device that is associated with the+-- IAM user who is making the 'GetSessionToken' call. Specify this value if+-- the IAM user has a policy that requires MFA authentication. The value is+-- either the serial number for a hardware device (such as 'GAHT12345678')+-- or an Amazon Resource Name (ARN) for a virtual device (such as+-- 'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an+-- IAM user by going to the AWS Management Console and viewing the user\'s+-- security credentials.+gstSerialNumber :: Lens' GetSessionToken (Maybe Text)+gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a}); --- | The session credentials for API authentication.-gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)-gstrCredentials = lens _gstrCredentials (\s a -> s { _gstrCredentials = a })+instance AWSRequest GetSessionToken where+ type Sv GetSessionToken = STS+ type Rs GetSessionToken = GetSessionTokenResponse+ request = postQuery+ response+ = receiveXMLWrapper "GetSessionTokenResult"+ (\ s h x ->+ GetSessionTokenResponse' <$>+ (x .@? "Credentials") <*> (pure (fromEnum s))) +instance ToHeaders GetSessionToken where+ toHeaders = const mempty+ instance ToPath GetSessionToken where- toPath = const "/"+ toPath = const "/" instance ToQuery GetSessionToken where- toQuery GetSessionToken{..} = mconcat- [ "DurationSeconds" =? _gstDurationSeconds- , "SerialNumber" =? _gstSerialNumber- , "TokenCode" =? _gstTokenCode- ]+ toQuery GetSessionToken'{..}+ = mconcat+ ["Action" =: ("GetSessionToken" :: ByteString),+ "Version" =: ("2011-06-15" :: ByteString),+ "TokenCode" =: _gstTokenCode,+ "DurationSeconds" =: _gstDurationSeconds,+ "SerialNumber" =: _gstSerialNumber] -instance ToHeaders GetSessionToken+-- | Contains the response to a successful GetSessionToken request, including+-- temporary AWS credentials that can be used to make AWS requests.+--+-- /See:/ 'getSessionTokenResponse' smart constructor.+data GetSessionTokenResponse = GetSessionTokenResponse'+ { _gstrsCredentials :: !(Maybe Credentials)+ , _gstrsStatus :: !Int+ } deriving (Eq,Read,Show,Data,Typeable,Generic) -instance AWSRequest GetSessionToken where- type Sv GetSessionToken = STS- type Rs GetSessionToken = GetSessionTokenResponse+-- | Creates a value of 'GetSessionTokenResponse' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'gstrsCredentials'+--+-- * 'gstrsStatus'+getSessionTokenResponse+ :: Int -- ^ 'gstrsStatus'+ -> GetSessionTokenResponse+getSessionTokenResponse pStatus_ =+ GetSessionTokenResponse'+ { _gstrsCredentials = Nothing+ , _gstrsStatus = pStatus_+ } - request = post "GetSessionToken"- response = xmlResponse+-- | The session credentials for API authentication.+gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)+gstrsCredentials = lens _gstrsCredentials (\ s a -> s{_gstrsCredentials = a}); -instance FromXML GetSessionTokenResponse where- parseXML = withElement "GetSessionTokenResult" $ \x -> GetSessionTokenResponse- <$> x .@? "Credentials"+-- | The response status code.+gstrsStatus :: Lens' GetSessionTokenResponse Int+gstrsStatus = lens _gstrsStatus (\ s a -> s{_gstrsStatus = a});
gen/Network/AWS/STS/Types.hs view
@@ -1,254 +1,141 @@-{-# LANGUAGE DataKinds #-}-{-# LANGUAGE DeriveGeneric #-}-{-# LANGUAGE FlexibleInstances #-}-{-# LANGUAGE GeneralizedNewtypeDeriving #-}-{-# LANGUAGE LambdaCase #-}-{-# LANGUAGE NoImplicitPrelude #-}-{-# LANGUAGE OverloadedStrings #-}-{-# LANGUAGE RecordWildCards #-}-{-# LANGUAGE TypeFamilies #-}-{-# LANGUAGE ViewPatterns #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE TypeFamilies #-} -{-# OPTIONS_GHC -fno-warn-unused-imports #-}+-- Derived from AWS service descriptions, licensed under Apache 2.0. +-- | -- Module : Network.AWS.STS.Types--- Copyright : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License : This Source Code Form is subject to the terms of--- the Mozilla Public License, v. 2.0.--- A copy of the MPL can be found in the LICENSE file or--- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>--- Stability : experimental+-- Stability : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.- module Network.AWS.STS.Types ( -- * Service STS- -- ** Error- , RESTError- -- ** XML- , ns + -- * Errors+ , _MalformedPolicyDocumentException+ , _PackedPolicyTooLargeException+ , _InvalidAuthorizationMessageException+ , _IdPCommunicationErrorException+ , _ExpiredTokenException+ , _InvalidIdentityTokenException+ , _IdPRejectedClaimException++ -- * AssumedRoleUser+ , AssumedRoleUser+ , assumedRoleUser+ , aruAssumedRoleId+ , aruARN+ -- * Credentials , Credentials , credentials , cAccessKeyId- , cExpiration , cSecretAccessKey , cSessionToken+ , cExpiration -- * FederatedUser , FederatedUser , federatedUser- , fuArn , fuFederatedUserId-- -- * AssumedRoleUser- , AssumedRoleUser- , assumedRoleUser- , aruArn- , aruAssumedRoleId+ , fuARN ) where -import Network.AWS.Prelude-import Network.AWS.Signing-import qualified GHC.Exts+import Network.AWS.Prelude+import Network.AWS.Sign.V4+import Network.AWS.STS.Types.Product+import Network.AWS.STS.Types.Sum --- | Version @2011-06-15@ of the Amazon Security Token Service service.+-- | Version @2011-06-15@ of the Amazon Security Token Service SDK. data STS instance AWSService STS where type Sg STS = V4- type Er STS = RESTError-- service = service'+ service = const svc where- service' :: Service STS- service' = Service- { _svcAbbrev = "STS"- , _svcPrefix = "sts"- , _svcVersion = "2011-06-15"- , _svcTargetPrefix = Nothing- , _svcJSONVersion = Nothing- , _svcHandle = handle- , _svcRetry = retry+ svc =+ Service+ { _svcAbbrev = "STS"+ , _svcPrefix = "sts"+ , _svcVersion = "2011-06-15"+ , _svcEndpoint = defaultEndpoint svc+ , _svcTimeout = Just 70+ , _svcStatus = statusSuccess+ , _svcError = parseXMLError+ , _svcRetry = retry }-- handle :: Status- -> Maybe (LazyByteString -> ServiceError RESTError)- handle = restError statusSuccess service'-- retry :: Retry STS- retry = Exponential- { _retryBase = 0.05- , _retryGrowth = 2+ retry =+ Exponential+ { _retryBase = 5.0e-2+ , _retryGrowth = 2 , _retryAttempts = 5- , _retryCheck = check+ , _retryCheck = check }-- check :: Status- -> RESTError- -> Bool- check (statusCode -> s) (awsErrorCode -> e)- | s == 400 && (Just "Throttling") == e = True -- Throttling- | s == 500 = True -- General Server Error- | s == 509 = True -- Limit Exceeded- | s == 503 = True -- Service Unavailable- | otherwise = False--ns :: Text-ns = "https://sts.amazonaws.com/doc/2011-06-15/"-{-# INLINE ns #-}--data Credentials = Credentials- { _cAccessKeyId :: Text- , _cExpiration :: ISO8601- , _cSecretAccessKey :: Text- , _cSessionToken :: Text- } deriving (Eq, Ord, Read, Show)---- | 'Credentials' constructor.------ The fields accessible through corresponding lenses are:------ * 'cAccessKeyId' @::@ 'Text'------ * 'cExpiration' @::@ 'UTCTime'------ * 'cSecretAccessKey' @::@ 'Text'------ * 'cSessionToken' @::@ 'Text'----credentials :: Text -- ^ 'cAccessKeyId'- -> Text -- ^ 'cSecretAccessKey'- -> Text -- ^ 'cSessionToken'- -> UTCTime -- ^ 'cExpiration'- -> Credentials-credentials p1 p2 p3 p4 = Credentials- { _cAccessKeyId = p1- , _cSecretAccessKey = p2- , _cSessionToken = p3- , _cExpiration = withIso _Time (const id) p4- }---- | The access key ID that identifies the temporary security credentials.-cAccessKeyId :: Lens' Credentials Text-cAccessKeyId = lens _cAccessKeyId (\s a -> s { _cAccessKeyId = a })---- | The date on which the current credentials expire.-cExpiration :: Lens' Credentials UTCTime-cExpiration = lens _cExpiration (\s a -> s { _cExpiration = a }) . _Time---- | The secret access key that can be used to sign requests.-cSecretAccessKey :: Lens' Credentials Text-cSecretAccessKey = lens _cSecretAccessKey (\s a -> s { _cSecretAccessKey = a })---- | The token that users must pass to the service API to use the temporary--- credentials.-cSessionToken :: Lens' Credentials Text-cSessionToken = lens _cSessionToken (\s a -> s { _cSessionToken = a })--instance FromXML Credentials where- parseXML x = Credentials- <$> x .@ "AccessKeyId"- <*> x .@ "Expiration"- <*> x .@ "SecretAccessKey"- <*> x .@ "SessionToken"--instance ToQuery Credentials where- toQuery Credentials{..} = mconcat- [ "AccessKeyId" =? _cAccessKeyId- , "Expiration" =? _cExpiration- , "SecretAccessKey" =? _cSecretAccessKey- , "SessionToken" =? _cSessionToken- ]--data FederatedUser = FederatedUser- { _fuArn :: Text- , _fuFederatedUserId :: Text- } deriving (Eq, Ord, Read, Show)+ check e+ | has (hasCode "ThrottlingException" . hasStatus 400) e =+ Just "throttling_exception"+ | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"+ | has (hasStatus 503) e = Just "service_unavailable"+ | has (hasStatus 500) e = Just "general_server_error"+ | has (hasStatus 509) e = Just "limit_exceeded"+ | otherwise = Nothing --- | 'FederatedUser' constructor.------ The fields accessible through corresponding lenses are:------ * 'fuArn' @::@ 'Text'------ * 'fuFederatedUserId' @::@ 'Text'----federatedUser :: Text -- ^ 'fuFederatedUserId'- -> Text -- ^ 'fuArn'- -> FederatedUser-federatedUser p1 p2 = FederatedUser- { _fuFederatedUserId = p1- , _fuArn = p2- }+-- | The request was rejected because the policy document was malformed. The+-- error message describes the specific error.+_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError+_MalformedPolicyDocumentException =+ _ServiceError . hasStatus 400 . hasCode "MalformedPolicyDocument" --- | The ARN that specifies the federated user that is associated with the--- credentials. For more information about ARNs and how to use them in policies,--- see Identifiers for IAM Entities in /Using IAM/.-fuArn :: Lens' FederatedUser Text-fuArn = lens _fuArn (\s a -> s { _fuArn = a })+-- | The request was rejected because the policy document was too large. The+-- error message describes how big the policy document is, in packed form,+-- as a percentage of what the API allows.+_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError+_PackedPolicyTooLargeException =+ _ServiceError . hasStatus 400 . hasCode "PackedPolicyTooLarge" --- | The string that identifies the federated user associated with the--- credentials, similar to the unique ID of an IAM user.-fuFederatedUserId :: Lens' FederatedUser Text-fuFederatedUserId =- lens _fuFederatedUserId (\s a -> s { _fuFederatedUserId = a })+-- | The error returned if the message passed to 'DecodeAuthorizationMessage'+-- was invalid. This can happen if the token contains invalid characters,+-- such as linebreaks.+_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError+_InvalidAuthorizationMessageException =+ _ServiceError .+ hasStatus 400 . hasCode "InvalidAuthorizationMessageException" -instance FromXML FederatedUser where- parseXML x = FederatedUser- <$> x .@ "Arn"- <*> x .@ "FederatedUserId"+-- | The request could not be fulfilled because the non-AWS identity provider+-- (IDP) that was asked to verify the incoming identity token could not be+-- reached. This is often a transient error caused by network conditions.+-- Retry the request a limited number of times so that you don\'t exceed+-- the request rate. If the error persists, the non-AWS identity provider+-- might be down or not responding.+_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError+_IdPCommunicationErrorException =+ _ServiceError . hasStatus 400 . hasCode "IDPCommunicationError" -instance ToQuery FederatedUser where- toQuery FederatedUser{..} = mconcat- [ "Arn" =? _fuArn- , "FederatedUserId" =? _fuFederatedUserId- ]+-- | The web identity token that was passed is expired or is not valid. Get a+-- new identity token from the identity provider and then retry the+-- request.+_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError+_ExpiredTokenException =+ _ServiceError . hasStatus 400 . hasCode "ExpiredTokenException" -data AssumedRoleUser = AssumedRoleUser- { _aruArn :: Text- , _aruAssumedRoleId :: Text- } deriving (Eq, Ord, Read, Show)+-- | The web identity token that was passed could not be validated by AWS.+-- Get a new identity token from the identity provider and then retry the+-- request.+_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError+_InvalidIdentityTokenException =+ _ServiceError . hasStatus 400 . hasCode "InvalidIdentityToken" --- | 'AssumedRoleUser' constructor.------ The fields accessible through corresponding lenses are:------ * 'aruArn' @::@ 'Text'------ * 'aruAssumedRoleId' @::@ 'Text'+-- | The identity provider (IdP) reported that authentication failed. This+-- might be because the claim is invalid. ---assumedRoleUser :: Text -- ^ 'aruAssumedRoleId'- -> Text -- ^ 'aruArn'- -> AssumedRoleUser-assumedRoleUser p1 p2 = AssumedRoleUser- { _aruAssumedRoleId = p1- , _aruArn = p2- }---- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see--- Identifiers for IAM Entities in /Using IAM/.-aruArn :: Lens' AssumedRoleUser Text-aruArn = lens _aruArn (\s a -> s { _aruArn = a })---- | A unique identifier that contains the role ID and the role session name of--- the role that is being assumed. The role ID is generated by AWS when the role--- is created.-aruAssumedRoleId :: Lens' AssumedRoleUser Text-aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })--instance FromXML AssumedRoleUser where- parseXML x = AssumedRoleUser- <$> x .@ "Arn"- <*> x .@ "AssumedRoleId"--instance ToQuery AssumedRoleUser where- toQuery AssumedRoleUser{..} = mconcat- [ "Arn" =? _aruArn- , "AssumedRoleId" =? _aruAssumedRoleId- ]+-- If this error is returned for the 'AssumeRoleWithWebIdentity' operation,+-- it can also mean that the claim has expired or has been explicitly+-- revoked.+_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError+_IdPRejectedClaimException =+ _ServiceError . hasStatus 403 . hasCode "IDPRejectedClaim"
+ gen/Network/AWS/STS/Types/Product.hs view
@@ -0,0 +1,170 @@+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE RecordWildCards #-}+{-# LANGUAGE TypeFamilies #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module : Network.AWS.STS.Types.Product+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Types.Product where++import Network.AWS.Prelude+import Network.AWS.STS.Types.Sum++-- | The identifiers for the temporary security credentials that the+-- operation returns.+--+-- /See:/ 'assumedRoleUser' smart constructor.+data AssumedRoleUser = AssumedRoleUser'+ { _aruAssumedRoleId :: !Text+ , _aruARN :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumedRoleUser' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'aruAssumedRoleId'+--+-- * 'aruARN'+assumedRoleUser+ :: Text -- ^ 'aruAssumedRoleId'+ -> Text -- ^ 'aruARN'+ -> AssumedRoleUser+assumedRoleUser pAssumedRoleId_ pARN_ =+ AssumedRoleUser'+ { _aruAssumedRoleId = pAssumedRoleId_+ , _aruARN = pARN_+ }++-- | A unique identifier that contains the role ID and the role session name+-- of the role that is being assumed. The role ID is generated by AWS when+-- the role is created.+aruAssumedRoleId :: Lens' AssumedRoleUser Text+aruAssumedRoleId = lens _aruAssumedRoleId (\ s a -> s{_aruAssumedRoleId = a});++-- | The ARN of the temporary security credentials that are returned from the+-- AssumeRole action. For more information about ARNs and how to use them+-- in policies, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>+-- in /Using IAM/.+aruARN :: Lens' AssumedRoleUser Text+aruARN = lens _aruARN (\ s a -> s{_aruARN = a});++instance FromXML AssumedRoleUser where+ parseXML x+ = AssumedRoleUser' <$>+ (x .@ "AssumedRoleId") <*> (x .@ "Arn")++-- | AWS credentials for API authentication.+--+-- /See:/ 'credentials' smart constructor.+data Credentials = Credentials'+ { _cAccessKeyId :: !Text+ , _cSecretAccessKey :: !Text+ , _cSessionToken :: !Text+ , _cExpiration :: !ISO8601+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'Credentials' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'cAccessKeyId'+--+-- * 'cSecretAccessKey'+--+-- * 'cSessionToken'+--+-- * 'cExpiration'+credentials+ :: Text -- ^ 'cAccessKeyId'+ -> Text -- ^ 'cSecretAccessKey'+ -> Text -- ^ 'cSessionToken'+ -> UTCTime -- ^ 'cExpiration'+ -> Credentials+credentials pAccessKeyId_ pSecretAccessKey_ pSessionToken_ pExpiration_ =+ Credentials'+ { _cAccessKeyId = pAccessKeyId_+ , _cSecretAccessKey = pSecretAccessKey_+ , _cSessionToken = pSessionToken_+ , _cExpiration = _Time # pExpiration_+ }++-- | The access key ID that identifies the temporary security credentials.+cAccessKeyId :: Lens' Credentials Text+cAccessKeyId = lens _cAccessKeyId (\ s a -> s{_cAccessKeyId = a});++-- | The secret access key that can be used to sign requests.+cSecretAccessKey :: Lens' Credentials Text+cSecretAccessKey = lens _cSecretAccessKey (\ s a -> s{_cSecretAccessKey = a});++-- | The token that users must pass to the service API to use the temporary+-- credentials.+cSessionToken :: Lens' Credentials Text+cSessionToken = lens _cSessionToken (\ s a -> s{_cSessionToken = a});++-- | The date on which the current credentials expire.+cExpiration :: Lens' Credentials UTCTime+cExpiration = lens _cExpiration (\ s a -> s{_cExpiration = a}) . _Time;++instance FromXML Credentials where+ parseXML x+ = Credentials' <$>+ (x .@ "AccessKeyId") <*> (x .@ "SecretAccessKey") <*>+ (x .@ "SessionToken")+ <*> (x .@ "Expiration")++-- | Identifiers for the federated user that is associated with the+-- credentials.+--+-- /See:/ 'federatedUser' smart constructor.+data FederatedUser = FederatedUser'+ { _fuFederatedUserId :: !Text+ , _fuARN :: !Text+ } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'FederatedUser' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'fuFederatedUserId'+--+-- * 'fuARN'+federatedUser+ :: Text -- ^ 'fuFederatedUserId'+ -> Text -- ^ 'fuARN'+ -> FederatedUser+federatedUser pFederatedUserId_ pARN_ =+ FederatedUser'+ { _fuFederatedUserId = pFederatedUserId_+ , _fuARN = pARN_+ }++-- | The string that identifies the federated user associated with the+-- credentials, similar to the unique ID of an IAM user.+fuFederatedUserId :: Lens' FederatedUser Text+fuFederatedUserId = lens _fuFederatedUserId (\ s a -> s{_fuFederatedUserId = a});++-- | The ARN that specifies the federated user that is associated with the+-- credentials. For more information about ARNs and how to use them in+-- policies, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>+-- in /Using IAM/.+fuARN :: Lens' FederatedUser Text+fuARN = lens _fuARN (\ s a -> s{_fuARN = a});++instance FromXML FederatedUser where+ parseXML x+ = FederatedUser' <$>+ (x .@ "FederatedUserId") <*> (x .@ "Arn")
+ gen/Network/AWS/STS/Types/Sum.hs view
@@ -0,0 +1,20 @@+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric #-}+{-# LANGUAGE LambdaCase #-}+{-# LANGUAGE OverloadedStrings #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module : Network.AWS.STS.Types.Sum+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Types.Sum where++import Network.AWS.Prelude
+ gen/Network/AWS/STS/Waiters.hs view
@@ -0,0 +1,20 @@+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE TypeFamilies #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module : Network.AWS.STS.Waiters+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Waiters where++import Network.AWS.Prelude+import Network.AWS.STS.Types+import Network.AWS.Waiter
+ test/Main.hs view
@@ -0,0 +1,21 @@+{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- |+-- Module : Main+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Main (main) where++import Test.Tasty+import Test.AWS.STS+import Test.AWS.STS.Internal++main :: IO ()+main = defaultMain $ testGroup "STS"+ [ testGroup "tests" tests+ , testGroup "fixtures" fixtures+ ]
+ test/Test/AWS/Gen/STS.hs view
@@ -0,0 +1,141 @@+{-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-orphans #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module : Test.AWS.Gen.STS+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : Mozilla Public License, v. 2.0.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Test.AWS.Gen.STS where++import Data.Proxy+import Test.AWS.Fixture+import Test.AWS.Prelude+import Test.Tasty+import Network.AWS.STS+import Test.AWS.STS.Internal++-- Auto-generated: the actual test selection needs to be manually placed into+-- the top-level so that real test data can be incrementally added.+--+-- This commented snippet is what the entire set should look like:++-- fixtures :: TestTree+-- fixtures =+-- [ testGroup "request"+-- [ testAssumeRole $+-- assumeRole+--+-- , testDecodeAuthorizationMessage $+-- decodeAuthorizationMessage+--+-- , testAssumeRoleWithWebIdentity $+-- assumeRoleWithWebIdentity+--+-- , testGetFederationToken $+-- getFederationToken+--+-- , testGetSessionToken $+-- getSessionToken+--+-- , testAssumeRoleWithSAML $+-- assumeRoleWithSAML+--+-- ]++-- , testGroup "response"+-- [ testAssumeRoleResponse $+-- assumeRoleResponse+--+-- , testDecodeAuthorizationMessageResponse $+-- decodeAuthorizationMessageResponse+--+-- , testAssumeRoleWithWebIdentityResponse $+-- assumeRoleWithWebIdentityResponse+--+-- , testGetFederationTokenResponse $+-- getFederationTokenResponse+--+-- , testGetSessionTokenResponse $+-- getSessionTokenResponse+--+-- , testAssumeRoleWithSAMLResponse $+-- assumeRoleWithSAMLResponse+--+-- ]+-- ]++-- Requests++testAssumeRole :: AssumeRole -> TestTree+testAssumeRole = req+ "AssumeRole"+ "fixture/AssumeRole"++testDecodeAuthorizationMessage :: DecodeAuthorizationMessage -> TestTree+testDecodeAuthorizationMessage = req+ "DecodeAuthorizationMessage"+ "fixture/DecodeAuthorizationMessage"++testAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentity -> TestTree+testAssumeRoleWithWebIdentity = req+ "AssumeRoleWithWebIdentity"+ "fixture/AssumeRoleWithWebIdentity"++testGetFederationToken :: GetFederationToken -> TestTree+testGetFederationToken = req+ "GetFederationToken"+ "fixture/GetFederationToken"++testGetSessionToken :: GetSessionToken -> TestTree+testGetSessionToken = req+ "GetSessionToken"+ "fixture/GetSessionToken"++testAssumeRoleWithSAML :: AssumeRoleWithSAML -> TestTree+testAssumeRoleWithSAML = req+ "AssumeRoleWithSAML"+ "fixture/AssumeRoleWithSAML"++-- Responses++testAssumeRoleResponse :: AssumeRoleResponse -> TestTree+testAssumeRoleResponse = res+ "AssumeRoleResponse"+ "fixture/AssumeRoleResponse"+ (Proxy :: Proxy AssumeRole)++testDecodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse -> TestTree+testDecodeAuthorizationMessageResponse = res+ "DecodeAuthorizationMessageResponse"+ "fixture/DecodeAuthorizationMessageResponse"+ (Proxy :: Proxy DecodeAuthorizationMessage)++testAssumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse -> TestTree+testAssumeRoleWithWebIdentityResponse = res+ "AssumeRoleWithWebIdentityResponse"+ "fixture/AssumeRoleWithWebIdentityResponse"+ (Proxy :: Proxy AssumeRoleWithWebIdentity)++testGetFederationTokenResponse :: GetFederationTokenResponse -> TestTree+testGetFederationTokenResponse = res+ "GetFederationTokenResponse"+ "fixture/GetFederationTokenResponse"+ (Proxy :: Proxy GetFederationToken)++testGetSessionTokenResponse :: GetSessionTokenResponse -> TestTree+testGetSessionTokenResponse = res+ "GetSessionTokenResponse"+ "fixture/GetSessionTokenResponse"+ (Proxy :: Proxy GetSessionToken)++testAssumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse -> TestTree+testAssumeRoleWithSAMLResponse = res+ "AssumeRoleWithSAMLResponse"+ "fixture/AssumeRoleWithSAMLResponse"+ (Proxy :: Proxy AssumeRoleWithSAML)
+ test/Test/AWS/STS.hs view
@@ -0,0 +1,26 @@+{-# LANGUAGE OverloadedStrings #-}++-- Module : Test.AWS.STS+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : This Source Code Form is subject to the terms of+-- the Mozilla Public License, v. 2.0.+-- A copy of the MPL can be found in the LICENSE file or+-- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : experimental+-- Portability : non-portable (GHC extensions)++module Test.AWS.STS+ ( tests+ , fixtures+ ) where++import Network.AWS.STS+import Test.AWS.Gen.STS+import Test.Tasty++tests :: [TestTree]+tests = []++fixtures :: [TestTree]+fixtures = []
+ test/Test/AWS/STS/Internal.hs view
@@ -0,0 +1,16 @@+{-# LANGUAGE OverloadedStrings #-}+{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module : Test.AWS.STS.Internal+-- Copyright : (c) 2013-2015 Brendan Hay+-- License : This Source Code Form is subject to the terms of+-- the Mozilla Public License, v. 2.0.+-- A copy of the MPL can be found in the LICENSE file or+-- you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability : experimental+-- Portability : non-portable (GHC extensions)++module Test.AWS.STS.Internal where++import Test.AWS.Prelude