packages feed

amazonka-sts 0.3.6 → 1.0.0

raw patch · 17 files changed

+2148/−1348 lines, 17 filesdep +amazonka-stsdep +amazonka-testdep +bytestringdep ~amazonka-coredep ~basePVP ok

version bump matches the API change (PVP)

Dependencies added: amazonka-sts, amazonka-test, bytestring, lens, tasty, tasty-hunit, text, time, unordered-containers

Dependency ranges changed: amazonka-core, base

API changes (from Hackage documentation)

- Network.AWS.STS.AssumeRole: arRoleArn :: Lens' AssumeRole Text
- Network.AWS.STS.AssumeRole: arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRole: arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRole: arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
- Network.AWS.STS.AssumeRole: instance FromXML AssumeRoleResponse
- Network.AWS.STS.AssumeRole: instance Ord AssumeRole
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithSAML: instance FromXML AssumeRoleWithSAMLResponse
- Network.AWS.STS.AssumeRoleWithSAML: instance Ord AssumeRoleWithSAML
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
- Network.AWS.STS.AssumeRoleWithWebIdentity: instance FromXML AssumeRoleWithWebIdentityResponse
- Network.AWS.STS.AssumeRoleWithWebIdentity: instance Ord AssumeRoleWithWebIdentity
- Network.AWS.STS.DecodeAuthorizationMessage: damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
- Network.AWS.STS.DecodeAuthorizationMessage: instance FromXML DecodeAuthorizationMessageResponse
- Network.AWS.STS.DecodeAuthorizationMessage: instance IsString DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Monoid DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Monoid DecodeAuthorizationMessageResponse
- Network.AWS.STS.DecodeAuthorizationMessage: instance Ord DecodeAuthorizationMessage
- Network.AWS.STS.DecodeAuthorizationMessage: instance Ord DecodeAuthorizationMessageResponse
- Network.AWS.STS.GetFederationToken: gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
- Network.AWS.STS.GetFederationToken: gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
- Network.AWS.STS.GetFederationToken: gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
- Network.AWS.STS.GetFederationToken: instance FromXML GetFederationTokenResponse
- Network.AWS.STS.GetFederationToken: instance Ord GetFederationToken
- Network.AWS.STS.GetSessionToken: gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
- Network.AWS.STS.GetSessionToken: instance FromXML GetSessionTokenResponse
- Network.AWS.STS.GetSessionToken: instance Ord GetSessionToken
- Network.AWS.STS.Types: aruArn :: Lens' AssumedRoleUser Text
- Network.AWS.STS.Types: data RESTError :: *
- Network.AWS.STS.Types: fuArn :: Lens' FederatedUser Text
- Network.AWS.STS.Types: instance Eq AssumedRoleUser
- Network.AWS.STS.Types: instance Eq Credentials
- Network.AWS.STS.Types: instance Eq FederatedUser
- Network.AWS.STS.Types: instance FromXML AssumedRoleUser
- Network.AWS.STS.Types: instance FromXML Credentials
- Network.AWS.STS.Types: instance FromXML FederatedUser
- Network.AWS.STS.Types: instance Ord AssumedRoleUser
- Network.AWS.STS.Types: instance Ord Credentials
- Network.AWS.STS.Types: instance Ord FederatedUser
- Network.AWS.STS.Types: instance Read AssumedRoleUser
- Network.AWS.STS.Types: instance Read Credentials
- Network.AWS.STS.Types: instance Read FederatedUser
- Network.AWS.STS.Types: instance Show AssumedRoleUser
- Network.AWS.STS.Types: instance Show Credentials
- Network.AWS.STS.Types: instance Show FederatedUser
- Network.AWS.STS.Types: instance ToQuery AssumedRoleUser
- Network.AWS.STS.Types: instance ToQuery Credentials
- Network.AWS.STS.Types: instance ToQuery FederatedUser
- Network.AWS.STS.Types: ns :: Text
+ Network.AWS.STS: _ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: _PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS: aruARN :: Lens' AssumedRoleUser Text
+ Network.AWS.STS: aruAssumedRoleId :: Lens' AssumedRoleUser Text
+ Network.AWS.STS: assumedRoleUser :: Text -> Text -> AssumedRoleUser
+ Network.AWS.STS: cAccessKeyId :: Lens' Credentials Text
+ Network.AWS.STS: cExpiration :: Lens' Credentials UTCTime
+ Network.AWS.STS: cSecretAccessKey :: Lens' Credentials Text
+ Network.AWS.STS: cSessionToken :: Lens' Credentials Text
+ Network.AWS.STS: credentials :: Text -> Text -> Text -> UTCTime -> Credentials
+ Network.AWS.STS: data AssumedRoleUser
+ Network.AWS.STS: data Credentials
+ Network.AWS.STS: data FederatedUser
+ Network.AWS.STS: data STS
+ Network.AWS.STS: federatedUser :: Text -> Text -> FederatedUser
+ Network.AWS.STS: fuARN :: Lens' FederatedUser Text
+ Network.AWS.STS: fuFederatedUserId :: Lens' FederatedUser Text
+ Network.AWS.STS.AssumeRole: arRoleARN :: Lens' AssumeRole Text
+ Network.AWS.STS.AssumeRole: arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRole: arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRole: arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRole: arrsStatus :: Lens' AssumeRoleResponse Int
+ Network.AWS.STS.AssumeRole: instance Constructor C1_0AssumeRole
+ Network.AWS.STS.AssumeRole: instance Constructor C1_0AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Data AssumeRole
+ Network.AWS.STS.AssumeRole: instance Data AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Datatype D1AssumeRole
+ Network.AWS.STS.AssumeRole: instance Datatype D1AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Generic AssumeRole
+ Network.AWS.STS.AssumeRole: instance Generic AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_0AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_0AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_1AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_1AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_2AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_2AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_3AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_3AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_4AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_5AssumeRole
+ Network.AWS.STS.AssumeRole: instance Selector S1_0_6AssumeRole
+ Network.AWS.STS.AssumeRole: instance Typeable AssumeRole
+ Network.AWS.STS.AssumeRole: instance Typeable AssumeRoleResponse
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsStatus :: Lens' AssumeRoleWithSAMLResponse Int
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithSAML: instance Constructor C1_0AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Constructor C1_0AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Data AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Data AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Datatype D1AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Datatype D1AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Generic AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Generic AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_0AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_0AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_1AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_1AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_2AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_2AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_3AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_3AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_4AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_4AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_5AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_6AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_7AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Selector S1_0_8AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: instance Typeable AssumeRoleWithSAML
+ Network.AWS.STS.AssumeRoleWithSAML: instance Typeable AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
+ Network.AWS.STS.AssumeRoleWithWebIdentity: arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Constructor C1_0AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Constructor C1_0AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Data AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Data AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Datatype D1AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Datatype D1AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Generic AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Generic AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_0AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_0AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_1AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_1AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_2AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_2AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_3AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_3AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_4AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_4AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_5AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_5AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Selector S1_0_6AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Typeable AssumeRoleWithWebIdentity
+ Network.AWS.STS.AssumeRoleWithWebIdentity: instance Typeable AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)
+ Network.AWS.STS.DecodeAuthorizationMessage: damrsStatus :: Lens' DecodeAuthorizationMessageResponse Int
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Constructor C1_0DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Constructor C1_0DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Data DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Data DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Datatype D1DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Datatype D1DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Generic DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Generic DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_0DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_0DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Selector S1_0_1DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Typeable DecodeAuthorizationMessage
+ Network.AWS.STS.DecodeAuthorizationMessage: instance Typeable DecodeAuthorizationMessageResponse
+ Network.AWS.STS.GetFederationToken: gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)
+ Network.AWS.STS.GetFederationToken: gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)
+ Network.AWS.STS.GetFederationToken: gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)
+ Network.AWS.STS.GetFederationToken: gftrsStatus :: Lens' GetFederationTokenResponse Int
+ Network.AWS.STS.GetFederationToken: instance Constructor C1_0GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Constructor C1_0GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Data GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Data GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Datatype D1GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Datatype D1GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Generic GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Generic GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_0GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_0GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_1GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_1GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_2GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_2GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Selector S1_0_3GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: instance Typeable GetFederationToken
+ Network.AWS.STS.GetFederationToken: instance Typeable GetFederationTokenResponse
+ Network.AWS.STS.GetSessionToken: gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)
+ Network.AWS.STS.GetSessionToken: gstrsStatus :: Lens' GetSessionTokenResponse Int
+ Network.AWS.STS.GetSessionToken: instance Constructor C1_0GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Constructor C1_0GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Data GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Data GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Datatype D1GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Datatype D1GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Generic GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Generic GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_0GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_0GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_1GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_1GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: instance Selector S1_0_2GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Typeable GetSessionToken
+ Network.AWS.STS.GetSessionToken: instance Typeable GetSessionTokenResponse
+ Network.AWS.STS.Types: _ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: _PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError
+ Network.AWS.STS.Types: aruARN :: Lens' AssumedRoleUser Text
+ Network.AWS.STS.Types: fuARN :: Lens' FederatedUser Text
- Network.AWS.STS.AssumeRole: assumeRoleResponse :: AssumeRoleResponse
+ Network.AWS.STS.AssumeRole: assumeRoleResponse :: Int -> AssumeRoleResponse
- Network.AWS.STS.AssumeRoleWithSAML: assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse
+ Network.AWS.STS.AssumeRoleWithSAML: assumeRoleWithSAMLResponse :: Int -> AssumeRoleWithSAMLResponse
- Network.AWS.STS.AssumeRoleWithWebIdentity: assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse
+ Network.AWS.STS.AssumeRoleWithWebIdentity: assumeRoleWithWebIdentityResponse :: Int -> AssumeRoleWithWebIdentityResponse
- Network.AWS.STS.DecodeAuthorizationMessage: decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse
+ Network.AWS.STS.DecodeAuthorizationMessage: decodeAuthorizationMessageResponse :: Int -> DecodeAuthorizationMessageResponse
- Network.AWS.STS.GetFederationToken: getFederationTokenResponse :: GetFederationTokenResponse
+ Network.AWS.STS.GetFederationToken: getFederationTokenResponse :: Int -> GetFederationTokenResponse
- Network.AWS.STS.GetSessionToken: getSessionTokenResponse :: GetSessionTokenResponse
+ Network.AWS.STS.GetSessionToken: getSessionTokenResponse :: Int -> GetSessionTokenResponse

Files

README.md view
@@ -1,20 +1,86 @@ # Amazon Security Token Service SDK -> _Warning:_ This is an experimental preview release which is still under heavy development and not intended for public consumption, _caveat emptor_!-+* [Version](#version) * [Description](#description) * [Contribute](#contribute) * [Licence](#licence) ++## Version++`1.0.0`++ ## Description -The AWS Security Token Service (STS) is a web service that enables you to-request temporary, limited-privilege credentials for AWS Identity and Access-Management (IAM) users or for users that you authenticate (federated users).+AWS Security Token Service +The AWS Security Token Service (STS) is a web service that enables you+to request temporary, limited-privilege credentials for AWS Identity and+Access Management (IAM) users or for users that you authenticate+(federated users). This guide provides descriptions of the STS API. For+more detailed information about using this service, go to+<http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.++As an alternative to using the API, you can use one of the AWS SDKs,+which consist of libraries and sample code for various programming+languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+provide a convenient way to create programmatic access to STS. For+example, the SDKs take care of cryptographically signing requests,+managing errors, and retrying requests automatically. For information+about the AWS SDKs, including how to download and install them, see the+<http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.++For information about setting up signatures and authorization through+the API, go to+<http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+in the /AWS General Reference/. For general information about the Query+API, go to+<http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+in /Using IAM/. For information about using security tokens with other+AWS products, go to+<http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+in /Using Temporary Security Credentials/.++If you\'re new to AWS and need additional technical information about a+specific AWS product, you can find the product\'s technical+documentation at <http://aws.amazon.com/documentation/>.++__Endpoints__++The AWS Security Token Service (STS) has a default endpoint of+https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+region. Additional regions are available, but must first be activated in+the AWS Management Console before you can use a different region\'s+endpoint. For more information about activating a region for STS see+<http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+in the /Using Temporary Security Credentials/ guide.++For information about STS endpoints, see+<http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+in the /AWS General Reference/.++__Recording API requests__++STS supports AWS CloudTrail, which is a service that records AWS calls+for your AWS account and delivers log files to an Amazon S3 bucket. By+using information collected by CloudTrail, you can determine what+requests were successfully made to STS, who made the request, when it+was made, and so on. To learn more about CloudTrail, including how to+turn it on and find your log files, see the+<http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.+ Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts) and the [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html). +The types from this library are intended to be used with [amazonka](http://hackage.haskell.org/package/amazonka),+which provides mechanisms for specifying AuthN/AuthZ information and sending requests.++Use of lenses is required for constructing and manipulating types.+This is due to the amount of nesting of AWS types and transparency regarding+de/serialisation into more palatable Haskell values.+The provided lenses should be compatible with any of the major lens libraries+[lens](http://hackage.haskell.org/package/lens) or [lens-family-core](http://hackage.haskell.org/package/lens-family-core).  ## Contribute 
amazonka-sts.cabal view
@@ -1,27 +1,88 @@ name:                  amazonka-sts-version:               0.3.6+version:               1.0.0 synopsis:              Amazon Security Token Service SDK. homepage:              https://github.com/brendanhay/amazonka license:               OtherLicense license-file:          LICENSE author:                Brendan Hay maintainer:            Brendan Hay <brendan.g.hay@gmail.com>-copyright:             Copyright (c) 2013-2014 Brendan Hay+copyright:             Copyright (c) 2013-2015 Brendan Hay category:              Network, AWS, Cloud, Distributed Computing build-type:            Simple extra-source-files:    README.md cabal-version:         >= 1.10  description:-    The AWS Security Token Service (STS) is a web service that enables you to-    request temporary, limited-privilege credentials for AWS Identity and Access-    Management (IAM) users or for users that you authenticate (federated users).+    AWS Security Token Service +    The AWS Security Token Service (STS) is a web service that enables you+    to request temporary, limited-privilege credentials for AWS Identity and+    Access Management (IAM) users or for users that you authenticate+    (federated users). This guide provides descriptions of the STS API. For+    more detailed information about using this service, go to+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.++    As an alternative to using the API, you can use one of the AWS SDKs,+    which consist of libraries and sample code for various programming+    languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+    provide a convenient way to create programmatic access to STS. For+    example, the SDKs take care of cryptographically signing requests,+    managing errors, and retrying requests automatically. For information+    about the AWS SDKs, including how to download and install them, see the+    <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.++    For information about setting up signatures and authorization through+    the API, go to+    <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+    in the /AWS General Reference/. For general information about the Query+    API, go to+    <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+    in /Using IAM/. For information about using security tokens with other+    AWS products, go to+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+    in /Using Temporary Security Credentials/.++    If you\'re new to AWS and need additional technical information about a+    specific AWS product, you can find the product\'s technical+    documentation at <http://aws.amazon.com/documentation/>.++    __Endpoints__++    The AWS Security Token Service (STS) has a default endpoint of+    https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+    region. Additional regions are available, but must first be activated in+    the AWS Management Console before you can use a different region\'s+    endpoint. For more information about activating a region for STS see+    <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+    in the /Using Temporary Security Credentials/ guide.++    For information about STS endpoints, see+    <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+    in the /AWS General Reference/.++    __Recording API requests__++    STS supports AWS CloudTrail, which is a service that records AWS calls+    for your AWS account and delivers log files to an Amazon S3 bucket. By+    using information collected by CloudTrail, you can determine what+    requests were successfully made to STS, who made the request, when it+    was made, and so on. To learn more about CloudTrail, including how to+    turn it on and find your log files, see the+    <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.     .-    /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>+    The types from this library are intended to be used with+    <http://hackage.haskell.org/package/amazonka amazonka>, which provides+    mechanisms for specifying AuthN/AuthZ information and sending requests.     .-    /Warning:/ This is an experimental preview release which is still under-    heavy development and not intended for public consumption, caveat emptor!+    Use of lenses is required for constructing and manipulating types.+    This is due to the amount of nesting of AWS types and transparency regarding+    de/serialisation into more palatable Haskell values.+    The provided lenses should be compatible with any of the major lens libraries+    such as <http://hackage.haskell.org/package/lens lens> or+    <http://hackage.haskell.org/package/lens-family-core lens-family-core>.+    .+    See "Network.AWS.STS" and the <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>+    to get started.  source-repository head     type:     git@@ -42,9 +103,40 @@         , Network.AWS.STS.GetFederationToken         , Network.AWS.STS.GetSessionToken         , Network.AWS.STS.Types+        , Network.AWS.STS.Waiters      other-modules:+          Network.AWS.STS.Types.Product+        , Network.AWS.STS.Types.Sum      build-depends:-          amazonka-core == 0.3.6.*+          amazonka-core == 1.0.0.*         , base          >= 4.7     && < 5++test-suite amazonka-sts-test+    type:              exitcode-stdio-1.0+    default-language:  Haskell2010+    hs-source-dirs:    test+    main-is:           Main.hs++    ghc-options:       -Wall -threaded++    -- This is not comprehensive if modules have manually been added.+    -- It exists to ensure cabal 'somewhat' detects test module changes.+    other-modules:+          Test.AWS.STS+        , Test.AWS.Gen.STS+        , Test.AWS.STS.Internal++    build-depends:+          amazonka-core == 1.0.0+        , amazonka-test == 1.0.0+        , amazonka-sts == 1.0.0+        , base+        , bytestring+        , lens+        , tasty+        , tasty-hunit+        , text+        , time+        , unordered-containers
gen/Network/AWS/STS.hs view
@@ -1,32 +1,185 @@+{-# OPTIONS_GHC -fno-warn-unused-imports    #-}+{-# OPTIONS_GHC -fno-warn-duplicate-exports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | The AWS Security Token Service (STS) is a web service that enables you to--- request temporary, limited-privilege credentials for AWS Identity and Access--- Management (IAM) users or for users that you authenticate (federated users).+-- AWS Security Token Service+--+-- The AWS Security Token Service (STS) is a web service that enables you+-- to request temporary, limited-privilege credentials for AWS Identity and+-- Access Management (IAM) users or for users that you authenticate+-- (federated users). This guide provides descriptions of the STS API. For+-- more detailed information about using this service, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/Welcome.html Using Temporary Security Credentials>.+--+-- As an alternative to using the API, you can use one of the AWS SDKs,+-- which consist of libraries and sample code for various programming+-- languages and platforms (Java, Ruby, .NET, iOS, Android, etc.). The SDKs+-- provide a convenient way to create programmatic access to STS. For+-- example, the SDKs take care of cryptographically signing requests,+-- managing errors, and retrying requests automatically. For information+-- about the AWS SDKs, including how to download and install them, see the+-- <http://aws.amazon.com/tools/ Tools for Amazon Web Services page>.+--+-- For information about setting up signatures and authorization through+-- the API, go to+-- <http://docs.aws.amazon.com/general/latest/gr/signing_aws_api_requests.html Signing AWS API Requests>+-- in the /AWS General Reference/. For general information about the Query+-- API, go to+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAM_UsingQueryAPI.html Making Query Requests>+-- in /Using IAM/. For information about using security tokens with other+-- AWS products, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/UsingTokens.html Using Temporary Security Credentials to Access AWS>+-- in /Using Temporary Security Credentials/.+--+-- If you\'re new to AWS and need additional technical information about a+-- specific AWS product, you can find the product\'s technical+-- documentation at <http://aws.amazon.com/documentation/>.+--+-- __Endpoints__+--+-- The AWS Security Token Service (STS) has a default endpoint of+-- https:\/\/sts.amazonaws.com that maps to the US East (N. Virginia)+-- region. Additional regions are available, but must first be activated in+-- the AWS Management Console before you can use a different region\'s+-- endpoint. For more information about activating a region for STS see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-enableregions.html Activating STS in a New Region>+-- in the /Using Temporary Security Credentials/ guide.+--+-- For information about STS endpoints, see+-- <http://docs.aws.amazon.com/general/latest/gr/rande.html#sts_region Regions and Endpoints>+-- in the /AWS General Reference/.+--+-- __Recording API requests__+--+-- STS supports AWS CloudTrail, which is a service that records AWS calls+-- for your AWS account and delivers log files to an Amazon S3 bucket. By+-- using information collected by CloudTrail, you can determine what+-- requests were successfully made to STS, who made the request, when it+-- was made, and so on. To learn more about CloudTrail, including how to+-- turn it on and find your log files, see the+-- <http://docs.aws.amazon.com/awscloudtrail/latest/userguide/what_is_cloud_trail_top_level.html AWS CloudTrail User Guide>.+--+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference> module Network.AWS.STS-    ( module Network.AWS.STS.AssumeRole-    , module Network.AWS.STS.AssumeRoleWithSAML-    , module Network.AWS.STS.AssumeRoleWithWebIdentity+    (+    -- * Service+      STS++    -- * Errors+    -- $errors++    -- ** MalformedPolicyDocumentException+    , _MalformedPolicyDocumentException++    -- ** PackedPolicyTooLargeException+    , _PackedPolicyTooLargeException++    -- ** InvalidAuthorizationMessageException+    , _InvalidAuthorizationMessageException++    -- ** IdPCommunicationErrorException+    , _IdPCommunicationErrorException++    -- ** ExpiredTokenException+    , _ExpiredTokenException++    -- ** InvalidIdentityTokenException+    , _InvalidIdentityTokenException++    -- ** IdPRejectedClaimException+    , _IdPRejectedClaimException++    -- * Waiters+    -- $waiters++    -- * Operations+    -- $operations++    -- ** AssumeRole+    , module Network.AWS.STS.AssumeRole++    -- ** DecodeAuthorizationMessage     , module Network.AWS.STS.DecodeAuthorizationMessage++    -- ** AssumeRoleWithWebIdentity+    , module Network.AWS.STS.AssumeRoleWithWebIdentity++    -- ** GetFederationToken     , module Network.AWS.STS.GetFederationToken++    -- ** GetSessionToken     , module Network.AWS.STS.GetSessionToken-    , module Network.AWS.STS.Types++    -- ** AssumeRoleWithSAML+    , module Network.AWS.STS.AssumeRoleWithSAML++    -- * Types++    -- ** AssumedRoleUser+    , AssumedRoleUser+    , assumedRoleUser+    , aruAssumedRoleId+    , aruARN++    -- ** Credentials+    , Credentials+    , credentials+    , cAccessKeyId+    , cSecretAccessKey+    , cSessionToken+    , cExpiration++    -- ** FederatedUser+    , FederatedUser+    , federatedUser+    , fuFederatedUserId+    , fuARN     ) where -import Network.AWS.STS.AssumeRole-import Network.AWS.STS.AssumeRoleWithSAML-import Network.AWS.STS.AssumeRoleWithWebIdentity-import Network.AWS.STS.DecodeAuthorizationMessage-import Network.AWS.STS.GetFederationToken-import Network.AWS.STS.GetSessionToken-import Network.AWS.STS.Types+import           Network.AWS.STS.AssumeRole+import           Network.AWS.STS.AssumeRoleWithSAML+import           Network.AWS.STS.AssumeRoleWithWebIdentity+import           Network.AWS.STS.DecodeAuthorizationMessage+import           Network.AWS.STS.GetFederationToken+import           Network.AWS.STS.GetSessionToken+import           Network.AWS.STS.Types+import           Network.AWS.STS.Waiters++{- $errors+Error matchers are designed for use with the functions provided by+<http://hackage.haskell.org/package/lens/docs/Control-Exception-Lens.html Control.Exception.Lens>.+This allows catching (and rethrowing) service specific errors returned+by 'STS'.+-}++{- $operations+Some AWS operations return results that are incomplete and require subsequent+requests in order to obtain the entire result set. The process of sending+subsequent requests to continue where a previous request left off is called+pagination. For example, the 'ListObjects' operation of Amazon S3 returns up to+1000 objects at a time, and you must send subsequent requests with the+appropriate Marker in order to retrieve the next page of results.++Operations that have an 'AWSPager' instance can transparently perform subsequent+requests, correctly setting Markers and other request facets to iterate through+the entire result set of a truncated API operation. Operations which support+this have an additional note in the documentation.++Many operations have the ability to filter results on the server side. See the+individual operation parameters for details.+-}++{- $waiters+Waiters poll by repeatedly sending a request until some remote success condition+configured by the 'Wait' specification is fulfilled. The 'Wait' specification+determines how many attempts should be made, in addition to delay and retry strategies.+-}
gen/Network/AWS/STS/AssumeRole.hs view
@@ -1,290 +1,334 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.AssumeRole--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials (consisting of an access key--- ID, a secret access key, and a security token) that you can use to access AWS--- resources that you might not normally have access to. Typically, you use 'AssumeRole' for cross-account access or federation.+-- Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) that you can use to+-- access AWS resources that you might not normally have access to.+-- Typically, you use 'AssumeRole' for cross-account access or federation. ----- Important: You cannot call 'AssumeRole' by using AWS account credentials;--- access will be denied. You must use IAM user credentials or temporary--- security credentials to call 'AssumeRole'.+-- __Important:__ You cannot call 'AssumeRole' by using AWS account+-- credentials; access will be denied. You must use IAM user credentials or+-- temporary security credentials to call 'AssumeRole'. ----- For cross-account access, imagine that you own multiple accounts and need to--- access resources in each account. You could create long-term credentials in--- each account to access those resources. However, managing all those--- credentials and remembering which one can access which account can be time--- consuming. Instead, you can create one set of long-term credentials in one--- account and then use temporary security credentials to access all the other--- accounts by assuming roles in those accounts. For more information about--- roles, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/WorkingWithRoles.html Roles> in /Using IAM/.+-- For cross-account access, imagine that you own multiple accounts and+-- need to access resources in each account. You could create long-term+-- credentials in each account to access those resources. However, managing+-- all those credentials and remembering which one can access which account+-- can be time consuming. Instead, you can create one set of long-term+-- credentials in one account and then use temporary security credentials+-- to access all the other accounts by assuming roles in those accounts.+-- For more information about roles, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/roles-toplevel.html IAM Roles (Delegation and Federation)>+-- in /Using IAM/. ----- For federation, you can, for example, grant single sign-on access to the AWS--- Management Console. If you already have an identity and authentication system--- in your corporate network, you don't have to recreate user identities in AWS--- in order to grant those user identities access to AWS. Instead, after a user--- has been authenticated, you call 'AssumeRole' (and specify the role with the--- appropriate permissions) to get temporary security credentials for that user.--- With those temporary security credentials, you construct a sign-in URL that--- users can use to access the console. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios forGranting Temporary Access> in /Using Temporary Security Credentials/.+-- For federation, you can, for example, grant single sign-on access to the+-- AWS Management Console. If you already have an identity and+-- authentication system in your corporate network, you don\'t have to+-- recreate user identities in AWS in order to grant those user identities+-- access to AWS. Instead, after a user has been authenticated, you call+-- 'AssumeRole' (and specify the role with the appropriate permissions) to+-- get temporary security credentials for that user. With those temporary+-- security credentials, you construct a sign-in URL that users can use to+-- access the console. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html Scenarios for Granting Temporary Access>+-- in /Using Temporary Security Credentials/. -- -- The temporary security credentials are valid for the duration that you--- specified when calling 'AssumeRole', which can be from 900 seconds (15 minutes)--- to 3600 seconds (1 hour). The default is 1 hour.+-- specified when calling 'AssumeRole', which can be from 900 seconds (15+-- minutes) to 3600 seconds (1 hour). The default is 1 hour. -- -- Optionally, you can pass an IAM access policy to this operation. If you -- choose not to pass a policy, the temporary security credentials that are--- returned by the operation have the permissions that are defined in the access--- policy of the role that is being assumed. If you pass a policy to this--- operation, the temporary security credentials that are returned by the--- operation have the permissions that are allowed by both the access policy of--- the role that is being assumed, /and/ the policy that you pass. This gives you--- a way to further restrict the permissions for the resulting temporary--- security credentials. You cannot use the passed policy to grant permissions--- that are in excess of those allowed by the access policy of the role that is--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /UsingTemporary Security Credentials/.+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>+-- in /Using Temporary Security Credentials/. ----- To assume a role, your AWS account must be trusted by the role. The trust--- relationship is defined in the role's trust policy when the role is created.--- You must also have a policy that allows you to call 'sts:AssumeRole'.+-- To assume a role, your AWS account must be trusted by the role. The+-- trust relationship is defined in the role\'s trust policy when the role+-- is created. You must also have a policy that allows you to call+-- 'sts:AssumeRole'. ----- Using MFA with AssumeRole+-- __Using MFA with AssumeRole__ -- -- You can optionally include multi-factor authentication (MFA) information--- when you call 'AssumeRole'. This is useful for cross-account scenarios in which--- you want to make sure that the user who is assuming the role has been--- authenticated using an AWS MFA device. In that scenario, the trust policy of--- the role being assumed includes a condition that tests for MFA--- authentication; if the caller does not include valid MFA information, the--- request to assume the role is denied. The condition in a trust policy that--- tests for MFA authentication might look like the following example.------ '"Condition": {"Null": {"aws:MultiFactorAuthAge": false}}'------ For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> in the /UsingIAM/ guide.+-- when you call 'AssumeRole'. This is useful for cross-account scenarios+-- in which you want to make sure that the user who is assuming the role+-- has been authenticated using an AWS MFA device. In that scenario, the+-- trust policy of the role being assumed includes a condition that tests+-- for MFA authentication; if the caller does not include valid MFA+-- information, the request to assume the role is denied. The condition in+-- a trust policy that tests for MFA authentication might look like the+-- following example. ----- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and 'TokenCode' parameters. The 'SerialNumber' value identifies the user's hardware or virtual--- MFA device. The 'TokenCode' is the time-based one-time password (TOTP) that the--- MFA devices produces.+-- '\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}' --+-- For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access>+-- in /Using IAM/ guide. --+-- To use MFA with 'AssumeRole', you pass values for the 'SerialNumber' and+-- 'TokenCode' parameters. The 'SerialNumber' value identifies the user\'s+-- hardware or virtual MFA device. The 'TokenCode' is the time-based+-- one-time password (TOTP) that the MFA devices produces. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html AWS API Reference> for AssumeRole. module Network.AWS.STS.AssumeRole     (-    -- * Request-      AssumeRole-    -- ** Request constructor-    , assumeRole-    -- ** Request lenses+    -- * Creating a Request+      assumeRole+    , AssumeRole+    -- * Request Lenses+    , arTokenCode     , arDurationSeconds     , arExternalId     , arPolicy-    , arRoleArn-    , arRoleSessionName     , arSerialNumber-    , arTokenCode+    , arRoleARN+    , arRoleSessionName -    -- * Response-    , AssumeRoleResponse-    -- ** Response constructor+    -- * Destructuring the Response     , assumeRoleResponse-    -- ** Response lenses-    , arrAssumedRoleUser-    , arrCredentials-    , arrPackedPolicySize+    , AssumeRoleResponse+    -- * Response Lenses+    , arrsPackedPolicySize+    , arrsCredentials+    , arrsAssumedRoleUser+    , arrsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -data AssumeRole = AssumeRole-    { _arDurationSeconds :: Maybe Nat-    , _arExternalId      :: Maybe Text-    , _arPolicy          :: Maybe Text-    , _arRoleArn         :: Text-    , _arRoleSessionName :: Text-    , _arSerialNumber    :: Maybe Text-    , _arTokenCode       :: Maybe Text-    } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRole' smart constructor.+data AssumeRole = AssumeRole'+    { _arTokenCode       :: !(Maybe Text)+    , _arDurationSeconds :: !(Maybe Nat)+    , _arExternalId      :: !(Maybe Text)+    , _arPolicy          :: !(Maybe Text)+    , _arSerialNumber    :: !(Maybe Text)+    , _arRoleARN         :: !Text+    , _arRoleSessionName :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRole' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRole' with the minimum fields required to make a request. ----- * 'arDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arExternalId' @::@ 'Maybe' 'Text'+-- * 'arTokenCode' ----- * 'arPolicy' @::@ 'Maybe' 'Text'+-- * 'arDurationSeconds' ----- * 'arRoleArn' @::@ 'Text'+-- * 'arExternalId' ----- * 'arRoleSessionName' @::@ 'Text'+-- * 'arPolicy' ----- * 'arSerialNumber' @::@ 'Maybe' 'Text'+-- * 'arSerialNumber' ----- * 'arTokenCode' @::@ 'Maybe' 'Text'+-- * 'arRoleARN' ---assumeRole :: Text -- ^ 'arRoleArn'-           -> Text -- ^ 'arRoleSessionName'-           -> AssumeRole-assumeRole p1 p2 = AssumeRole-    { _arRoleArn         = p1-    , _arRoleSessionName = p2-    , _arPolicy          = Nothing+-- * 'arRoleSessionName'+assumeRole+    :: Text -- ^ 'arRoleARN'+    -> Text -- ^ 'arRoleSessionName'+    -> AssumeRole+assumeRole pRoleARN_ pRoleSessionName_ =+    AssumeRole'+    { _arTokenCode = Nothing     , _arDurationSeconds = Nothing-    , _arExternalId      = Nothing-    , _arSerialNumber    = Nothing-    , _arTokenCode       = Nothing+    , _arExternalId = Nothing+    , _arPolicy = Nothing+    , _arSerialNumber = Nothing+    , _arRoleARN = pRoleARN_+    , _arRoleSessionName = pRoleSessionName_     } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds.+-- | The value provided by the MFA device, if the trust policy of the role+-- being assumed requires MFA (that is, if the policy includes a condition+-- that tests for MFA). If the role being assumed requires MFA and if the+-- 'TokenCode' value is missing or expired, the 'AssumeRole' call returns+-- an \"access denied\" error.+arTokenCode :: Lens' AssumeRole (Maybe Text)+arTokenCode = lens _arTokenCode (\ s a -> s{_arTokenCode = a});++-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds. arDurationSeconds :: Lens' AssumeRole (Maybe Natural)-arDurationSeconds =-    lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })-        . mapping _Nat+arDurationSeconds = lens _arDurationSeconds (\ s a -> s{_arDurationSeconds = a}) . mapping _Nat; --- | A unique identifier that is used by third parties to assume a role in their--- customers' accounts. For each role that the third party can assume, they--- should instruct their customers to create a role with the external ID that--- the third party generated. Each time the third party assumes the role, they--- must pass the customer's external ID. The external ID is useful in order to--- help third parties bind a role to the customer who created it. For more--- information about the external ID, see About the External ID in /UsingTemporary Security Credentials/.+-- | A unique identifier that is used by third parties when assuming roles in+-- their customers\' accounts. For each role that the third party can+-- assume, they should instruct their customers to ensure the role\'s trust+-- policy checks for the external ID that the third party generated. Each+-- time the third party assumes the role, they should pass the customer\'s+-- external ID. The external ID is useful in order to help third parties+-- bind a role to the customer who created it. For more information about+-- the external ID, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/sts-delegating-externalid.html How to Use External ID When Granting Access to Your AWS Resources>+-- in /Using Temporary Security Credentials/. arExternalId :: Lens' AssumeRole (Maybe Text)-arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })+arExternalId = lens _arExternalId (\ s a -> s{_arExternalId = a});  -- | An IAM policy in JSON format. ----- The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole> in /Using Temporary Security Credentials/.+-- This parameter is optional. If you pass a policy, the temporary security+-- credentials that are returned by the operation have the permissions that+-- are allowed by both (the intersection of) the access policy of the role+-- that is being assumed, /and/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity>+-- in /Using Temporary Security Credentials/.+--+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size. arPolicy :: Lens' AssumeRole (Maybe Text)-arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })+arPolicy = lens _arPolicy (\ s a -> s{_arPolicy = a}); --- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arRoleArn :: Lens' AssumeRole Text-arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })+-- | The identification number of the MFA device that is associated with the+-- user who is making the 'AssumeRole' call. Specify this value if the+-- trust policy of the role being assumed includes a condition that+-- requires MFA authentication. The value is either the serial number for a+-- hardware device (such as 'GAHT12345678') or an Amazon Resource Name+-- (ARN) for a virtual device (such as+-- 'arn:aws:iam::123456789012:mfa\/user').+arSerialNumber :: Lens' AssumeRole (Maybe Text)+arSerialNumber = lens _arSerialNumber (\ s a -> s{_arSerialNumber = a}); --- | An identifier for the assumed role session. The session name is included as--- part of the 'AssumedRoleUser'.+-- | The Amazon Resource Name (ARN) of the role to assume.+arRoleARN :: Lens' AssumeRole Text+arRoleARN = lens _arRoleARN (\ s a -> s{_arRoleARN = a});++-- | An identifier for the assumed role session.+--+-- Use the role session name to uniquely identity a session when the same+-- role is assumed by different principals or for different reasons. In+-- cross-account scenarios, the role session name is visible to, and can be+-- logged by the account that owns the role. The role session name is also+-- used in the ARN of the assumed role principal. This means that+-- subsequent cross-account API requests using the temporary security+-- credentials will expose the role session name to the external account in+-- their CloudTrail logs. arRoleSessionName :: Lens' AssumeRole Text-arRoleSessionName =-    lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })+arRoleSessionName = lens _arRoleSessionName (\ s a -> s{_arRoleSessionName = a}); --- | The identification number of the MFA device that is associated with the user--- who is making the 'AssumeRole' call. Specify this value if the trust policy of--- the role being assumed includes a condition that requires MFA authentication.--- The value is either the serial number for a hardware device (such as 'GAHT12345678') or an Amazon Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user').-arSerialNumber :: Lens' AssumeRole (Maybe Text)-arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })+instance AWSRequest AssumeRole where+        type Sv AssumeRole = STS+        type Rs AssumeRole = AssumeRoleResponse+        request = postQuery+        response+          = receiveXMLWrapper "AssumeRoleResult"+              (\ s h x ->+                 AssumeRoleResponse' <$>+                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")+                     <*> (x .@? "AssumedRoleUser")+                     <*> (pure (fromEnum s))) --- | The value provided by the MFA device, if the trust policy of the role being--- assumed requires MFA (that is, if the policy includes a condition that tests--- for MFA). If the role being assumed requires MFA and if the 'TokenCode' value--- is missing or expired, the 'AssumeRole' call returns an "access denied" error.-arTokenCode :: Lens' AssumeRole (Maybe Text)-arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })+instance ToHeaders AssumeRole where+        toHeaders = const mempty -data AssumeRoleResponse = AssumeRoleResponse-    { _arrAssumedRoleUser  :: Maybe AssumedRoleUser-    , _arrCredentials      :: Maybe Credentials-    , _arrPackedPolicySize :: Maybe Nat-    } deriving (Eq, Read, Show)+instance ToPath AssumeRole where+        toPath = const "/" --- | 'AssumeRoleResponse' constructor.+instance ToQuery AssumeRole where+        toQuery AssumeRole'{..}+          = mconcat+              ["Action" =: ("AssumeRole" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "TokenCode" =: _arTokenCode,+               "DurationSeconds" =: _arDurationSeconds,+               "ExternalId" =: _arExternalId, "Policy" =: _arPolicy,+               "SerialNumber" =: _arSerialNumber,+               "RoleArn" =: _arRoleARN,+               "RoleSessionName" =: _arRoleSessionName]++-- | Contains the response to a successful AssumeRole request, including+-- temporary AWS credentials that can be used to make AWS requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleResponse' smart constructor.+data AssumeRoleResponse = AssumeRoleResponse'+    { _arrsPackedPolicySize :: !(Maybe Nat)+    , _arrsCredentials      :: !(Maybe Credentials)+    , _arrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)+    , _arrsStatus           :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleResponse' with the minimum fields required to make a request. ----- * 'arrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arrCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arrsPackedPolicySize' ----- * 'arrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arrsCredentials' ---assumeRoleResponse :: AssumeRoleResponse-assumeRoleResponse = AssumeRoleResponse-    { _arrCredentials      = Nothing-    , _arrAssumedRoleUser  = Nothing-    , _arrPackedPolicySize = Nothing+-- * 'arrsAssumedRoleUser'+--+-- * 'arrsStatus'+assumeRoleResponse+    :: Int -- ^ 'arrsStatus'+    -> AssumeRoleResponse+assumeRoleResponse pStatus_ =+    AssumeRoleResponse'+    { _arrsPackedPolicySize = Nothing+    , _arrsCredentials = Nothing+    , _arrsAssumedRoleUser = Nothing+    , _arrsStatus = pStatus_     } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers--- that you can use to refer to the resulting temporary security credentials.--- For example, you can reference these credentials as a principal in a--- resource-based policy by using the ARN or assumed role ID. The ARN and ID--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.-arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)-arrAssumedRoleUser =-    lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })---- | The temporary security credentials, which include an access key ID, a secret--- access key, and a security (or session) token.-arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)-arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)-arrPackedPolicySize =-    lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })-        . mapping _Nat--instance ToPath AssumeRole where-    toPath = const "/"--instance ToQuery AssumeRole where-    toQuery AssumeRole{..} = mconcat-        [ "DurationSeconds" =? _arDurationSeconds-        , "ExternalId"      =? _arExternalId-        , "Policy"          =? _arPolicy-        , "RoleArn"         =? _arRoleArn-        , "RoleSessionName" =? _arRoleSessionName-        , "SerialNumber"    =? _arSerialNumber-        , "TokenCode"       =? _arTokenCode-        ]--instance ToHeaders AssumeRole+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)+arrsPackedPolicySize = lens _arrsPackedPolicySize (\ s a -> s{_arrsPackedPolicySize = a}) . mapping _Nat; -instance AWSRequest AssumeRole where-    type Sv AssumeRole = STS-    type Rs AssumeRole = AssumeRoleResponse+-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security (or session) token.+arrsCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)+arrsCredentials = lens _arrsCredentials (\ s a -> s{_arrsCredentials = a}); -    request  = post "AssumeRole"-    response = xmlResponse+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary+-- security credentials. For example, you can reference these credentials+-- as a principal in a resource-based policy by using the ARN or assumed+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified+-- when you called 'AssumeRole'.+arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)+arrsAssumedRoleUser = lens _arrsAssumedRoleUser (\ s a -> s{_arrsAssumedRoleUser = a}); -instance FromXML AssumeRoleResponse where-    parseXML = withElement "AssumeRoleResult" $ \x -> AssumeRoleResponse-        <$> x .@? "AssumedRoleUser"-        <*> x .@? "Credentials"-        <*> x .@? "PackedPolicySize"+-- | The response status code.+arrsStatus :: Lens' AssumeRoleResponse Int+arrsStatus = lens _arrsStatus (\ s a -> s{_arrsStatus = a});
gen/Network/AWS/STS/AssumeRoleWithSAML.hs view
@@ -1,309 +1,336 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.AssumeRoleWithSAML--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials for users who have been--- authenticated via a SAML authentication response. This operation provides a--- mechanism for tying an enterprise identity store or directory to role-based--- AWS access without user-specific credentials or configuration.+-- Returns a set of temporary security credentials for users who have been+-- authenticated via a SAML authentication response. This operation+-- provides a mechanism for tying an enterprise identity store or directory+-- to role-based AWS access without user-specific credentials or+-- configuration. ----- The temporary security credentials returned by this operation consist of an--- access key ID, a secret access key, and a security token. Applications can--- use these temporary security credentials to sign calls to AWS services. The--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithSAML', which can be up to 3600 seconds (1 hour) or until the time specified in the--- SAML authentication response's 'SessionNotOnOrAfter' value, whichever is--- shorter.+-- The temporary security credentials returned by this operation consist of+-- an access key ID, a secret access key, and a security token.+-- Applications can use these temporary security credentials to sign calls+-- to AWS services. The credentials are valid for the duration that you+-- specified when calling 'AssumeRoleWithSAML', which can be up to 3600+-- seconds (1 hour) or until the time specified in the SAML authentication+-- response\'s 'SessionNotOnOrAfter' value, whichever is shorter. ----- The maximum duration for a session is 1 hour, and the minimum duration is 15--- minutes, even if values outside this range are specified.  Optionally, you--- can pass an IAM access policy to this operation. If you choose not to pass a--- policy, the temporary security credentials that are returned by the operation--- have the permissions that are defined in the access policy of the role that--- is being assumed. If you pass a policy to this operation, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/--- .+-- The maximum duration for a session is 1 hour, and the minimum duration+-- is 15 minutes, even if values outside this range are specified. ----- Before your application can call 'AssumeRoleWithSAML', you must configure your--- SAML identity provider (IdP) to issue the claims required by AWS.--- Additionally, you must use AWS Identity and Access Management (IAM) to create--- a SAML provider entity in your AWS account that represents your identity--- provider, and create an IAM role that specifies this SAML provider in its--- trust policy.+-- Optionally, you can pass an IAM access policy to this operation. If you+-- choose not to pass a policy, the temporary security credentials that are+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>+-- in /Using Temporary Security Credentials/. --+-- Before your application can call 'AssumeRoleWithSAML', you must+-- configure your SAML identity provider (IdP) to issue the claims required+-- by AWS. Additionally, you must use AWS Identity and Access Management+-- (IAM) to create a SAML provider entity in your AWS account that+-- represents your identity provider, and create an IAM role that specifies+-- this SAML provider in its trust policy.+-- -- Calling 'AssumeRoleWithSAML' does not require the use of AWS security--- credentials. The identity of the caller is validated by using keys in the--- metadata document that is uploaded for the SAML provider entity for your--- identity provider.+-- credentials. The identity of the caller is validated by using keys in+-- the metadata document that is uploaded for the SAML provider entity for+-- your identity provider. -- -- For more information, see the following resources: ----- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation> in /UsingTemporary Security Credentials/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuringa Relying Party and Claims> in /Using IAM/.   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-BasedFederation> in /Using IAM/.+-- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSAML.html Creating Temporary Security Credentials for SAML Federation>.+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/idp-managing-identityproviders.html SAML Providers>+--     in /Using IAM/.+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Claims>+--     in /Using IAM/.+-- -   <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml.html Creating a Role for SAML-Based Federation>+--     in /Using IAM/. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html AWS API Reference> for AssumeRoleWithSAML. module Network.AWS.STS.AssumeRoleWithSAML     (-    -- * Request-      AssumeRoleWithSAML-    -- ** Request constructor-    , assumeRoleWithSAML-    -- ** Request lenses+    -- * Creating a Request+      assumeRoleWithSAML+    , AssumeRoleWithSAML+    -- * Request Lenses     , arwsamlDurationSeconds     , arwsamlPolicy-    , arwsamlPrincipalArn-    , arwsamlRoleArn+    , arwsamlRoleARN+    , arwsamlPrincipalARN     , arwsamlSAMLAssertion -    -- * Response-    , AssumeRoleWithSAMLResponse-    -- ** Response constructor+    -- * Destructuring the Response     , assumeRoleWithSAMLResponse-    -- ** Response lenses-    , arwsamlrAssumedRoleUser-    , arwsamlrAudience-    , arwsamlrCredentials-    , arwsamlrIssuer-    , arwsamlrNameQualifier-    , arwsamlrPackedPolicySize-    , arwsamlrSubject-    , arwsamlrSubjectType+    , AssumeRoleWithSAMLResponse+    -- * Response Lenses+    , arwsamlrsAudience+    , arwsamlrsSubject+    , arwsamlrsPackedPolicySize+    , arwsamlrsCredentials+    , arwsamlrsSubjectType+    , arwsamlrsNameQualifier+    , arwsamlrsAssumedRoleUser+    , arwsamlrsIssuer+    , arwsamlrsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -data AssumeRoleWithSAML = AssumeRoleWithSAML-    { _arwsamlDurationSeconds :: Maybe Nat-    , _arwsamlPolicy          :: Maybe Text-    , _arwsamlPrincipalArn    :: Text-    , _arwsamlRoleArn         :: Text-    , _arwsamlSAMLAssertion   :: Text-    } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRoleWithSAML' smart constructor.+data AssumeRoleWithSAML = AssumeRoleWithSAML'+    { _arwsamlDurationSeconds :: !(Maybe Nat)+    , _arwsamlPolicy          :: !(Maybe Text)+    , _arwsamlRoleARN         :: !Text+    , _arwsamlPrincipalARN    :: !Text+    , _arwsamlSAMLAssertion   :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRoleWithSAML' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRoleWithSAML' with the minimum fields required to make a request. ----- * 'arwsamlDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwsamlPolicy' @::@ 'Maybe' 'Text'+-- * 'arwsamlDurationSeconds' ----- * 'arwsamlPrincipalArn' @::@ 'Text'+-- * 'arwsamlPolicy' ----- * 'arwsamlRoleArn' @::@ 'Text'+-- * 'arwsamlRoleARN' ----- * 'arwsamlSAMLAssertion' @::@ 'Text'+-- * 'arwsamlPrincipalARN' ---assumeRoleWithSAML :: Text -- ^ 'arwsamlRoleArn'-                   -> Text -- ^ 'arwsamlPrincipalArn'-                   -> Text -- ^ 'arwsamlSAMLAssertion'-                   -> AssumeRoleWithSAML-assumeRoleWithSAML p1 p2 p3 = AssumeRoleWithSAML-    { _arwsamlRoleArn         = p1-    , _arwsamlPrincipalArn    = p2-    , _arwsamlSAMLAssertion   = p3-    , _arwsamlPolicy          = Nothing-    , _arwsamlDurationSeconds = Nothing+-- * 'arwsamlSAMLAssertion'+assumeRoleWithSAML+    :: Text -- ^ 'arwsamlRoleARN'+    -> Text -- ^ 'arwsamlPrincipalARN'+    -> Text -- ^ 'arwsamlSAMLAssertion'+    -> AssumeRoleWithSAML+assumeRoleWithSAML pRoleARN_ pPrincipalARN_ pSAMLAssertion_ =+    AssumeRoleWithSAML'+    { _arwsamlDurationSeconds = Nothing+    , _arwsamlPolicy = Nothing+    , _arwsamlRoleARN = pRoleARN_+    , _arwsamlPrincipalARN = pPrincipalARN_+    , _arwsamlSAMLAssertion = pSAMLAssertion_     } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds. An expiration can also be specified in the SAML--- authentication response's 'SessionNotOnOrAfter' value. The actual expiration--- time is whichever value is shorter.+-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds. An expiration can also be specified in the SAML+-- authentication response\'s 'SessionNotOnOrAfter' value. The actual+-- expiration time is whichever value is shorter. ----- The maximum duration for a session is 1 hour, and the minimum duration is 15--- minutes, even if values outside this range are specified.+-- The maximum duration for a session is 1 hour, and the minimum duration+-- is 15 minutes, even if values outside this range are specified. arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)-arwsamlDurationSeconds =-    lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })-        . mapping _Nat+arwsamlDurationSeconds = lens _arwsamlDurationSeconds (\ s a -> s{_arwsamlDurationSeconds = a}) . mapping _Nat;  -- | An IAM policy in JSON format. -- -- The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML> in /Using Temporary Security Credentials/--- .+-- security credentials that are returned by the operation have the+-- permissions that are allowed by both the access policy of the role that+-- is being assumed, /__and__/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithSAML>+-- in /Using Temporary Security Credentials/. ----- The policy must be 2048 bytes or shorter, and its packed size must be less--- than 450 bytes.+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size. arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)-arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })---- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the--- IdP.-arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text-arwsamlPrincipalArn =-    lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })+arwsamlPolicy = lens _arwsamlPolicy (\ s a -> s{_arwsamlPolicy = a});  -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text-arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })+arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text+arwsamlRoleARN = lens _arwsamlRoleARN (\ s a -> s{_arwsamlRoleARN = a}); +-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that+-- describes the IdP.+arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text+arwsamlPrincipalARN = lens _arwsamlPrincipalARN (\ s a -> s{_arwsamlPrincipalARN = a});+ -- | The base-64 encoded SAML authentication response provided by the IdP. ----- For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> in--- the /Using IAM/ guide.+-- For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims>+-- in the /Using IAM/ guide. arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text-arwsamlSAMLAssertion =-    lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })+arwsamlSAMLAssertion = lens _arwsamlSAMLAssertion (\ s a -> s{_arwsamlSAMLAssertion = a}); -data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse-    { _arwsamlrAssumedRoleUser  :: Maybe AssumedRoleUser-    , _arwsamlrAudience         :: Maybe Text-    , _arwsamlrCredentials      :: Maybe Credentials-    , _arwsamlrIssuer           :: Maybe Text-    , _arwsamlrNameQualifier    :: Maybe Text-    , _arwsamlrPackedPolicySize :: Maybe Nat-    , _arwsamlrSubject          :: Maybe Text-    , _arwsamlrSubjectType      :: Maybe Text-    } deriving (Eq, Read, Show)+instance AWSRequest AssumeRoleWithSAML where+        type Sv AssumeRoleWithSAML = STS+        type Rs AssumeRoleWithSAML =+             AssumeRoleWithSAMLResponse+        request = postQuery+        response+          = receiveXMLWrapper "AssumeRoleWithSAMLResult"+              (\ s h x ->+                 AssumeRoleWithSAMLResponse' <$>+                   (x .@? "Audience") <*> (x .@? "Subject") <*>+                     (x .@? "PackedPolicySize")+                     <*> (x .@? "Credentials")+                     <*> (x .@? "SubjectType")+                     <*> (x .@? "NameQualifier")+                     <*> (x .@? "AssumedRoleUser")+                     <*> (x .@? "Issuer")+                     <*> (pure (fromEnum s))) --- | 'AssumeRoleWithSAMLResponse' constructor.+instance ToHeaders AssumeRoleWithSAML where+        toHeaders = const mempty++instance ToPath AssumeRoleWithSAML where+        toPath = const "/"++instance ToQuery AssumeRoleWithSAML where+        toQuery AssumeRoleWithSAML'{..}+          = mconcat+              ["Action" =: ("AssumeRoleWithSAML" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "DurationSeconds" =: _arwsamlDurationSeconds,+               "Policy" =: _arwsamlPolicy,+               "RoleArn" =: _arwsamlRoleARN,+               "PrincipalArn" =: _arwsamlPrincipalARN,+               "SAMLAssertion" =: _arwsamlSAMLAssertion]++-- | Contains the response to a successful AssumeRoleWithSAML request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleWithSAMLResponse' smart constructor.+data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse'+    { _arwsamlrsAudience         :: !(Maybe Text)+    , _arwsamlrsSubject          :: !(Maybe Text)+    , _arwsamlrsPackedPolicySize :: !(Maybe Nat)+    , _arwsamlrsCredentials      :: !(Maybe Credentials)+    , _arwsamlrsSubjectType      :: !(Maybe Text)+    , _arwsamlrsNameQualifier    :: !(Maybe Text)+    , _arwsamlrsAssumedRoleUser  :: !(Maybe AssumedRoleUser)+    , _arwsamlrsIssuer           :: !(Maybe Text)+    , _arwsamlrsStatus           :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleWithSAMLResponse' with the minimum fields required to make a request. ----- * 'arwsamlrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwsamlrAudience' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsAudience' ----- * 'arwsamlrCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arwsamlrsSubject' ----- * 'arwsamlrIssuer' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsPackedPolicySize' ----- * 'arwsamlrNameQualifier' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsCredentials' ----- * 'arwsamlrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arwsamlrsSubjectType' ----- * 'arwsamlrSubject' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsNameQualifier' ----- * 'arwsamlrSubjectType' @::@ 'Maybe' 'Text'+-- * 'arwsamlrsAssumedRoleUser' ---assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse-assumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse-    { _arwsamlrCredentials      = Nothing-    , _arwsamlrAssumedRoleUser  = Nothing-    , _arwsamlrPackedPolicySize = Nothing-    , _arwsamlrSubject          = Nothing-    , _arwsamlrSubjectType      = Nothing-    , _arwsamlrIssuer           = Nothing-    , _arwsamlrAudience         = Nothing-    , _arwsamlrNameQualifier    = Nothing+-- * 'arwsamlrsIssuer'+--+-- * 'arwsamlrsStatus'+assumeRoleWithSAMLResponse+    :: Int -- ^ 'arwsamlrsStatus'+    -> AssumeRoleWithSAMLResponse+assumeRoleWithSAMLResponse pStatus_ =+    AssumeRoleWithSAMLResponse'+    { _arwsamlrsAudience = Nothing+    , _arwsamlrsSubject = Nothing+    , _arwsamlrsPackedPolicySize = Nothing+    , _arwsamlrsCredentials = Nothing+    , _arwsamlrsSubjectType = Nothing+    , _arwsamlrsNameQualifier = Nothing+    , _arwsamlrsAssumedRoleUser = Nothing+    , _arwsamlrsIssuer = Nothing+    , _arwsamlrsStatus = pStatus_     } -arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)-arwsamlrAssumedRoleUser =-    lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })+-- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData'+-- element of the SAML assertion.+arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsAudience = lens _arwsamlrsAudience (\ s a -> s{_arwsamlrsAudience = a}); --- | The value of the 'Recipient' attribute of the 'SubjectConfirmationData' element--- of the SAML assertion.-arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })+-- | The value of the 'NameID' element in the 'Subject' element of the SAML+-- assertion.+arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsSubject = lens _arwsamlrsSubject (\ s a -> s{_arwsamlrsSubject = a}); -arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)-arwsamlrCredentials =-    lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)+arwsamlrsPackedPolicySize = lens _arwsamlrsPackedPolicySize (\ s a -> s{_arwsamlrsPackedPolicySize = a}) . mapping _Nat; --- | The value of the 'Issuer' element of the SAML assertion.-arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })+-- | Undocumented member.+arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)+arwsamlrsCredentials = lens _arwsamlrsCredentials (\ s a -> s{_arwsamlrsCredentials = a}); --- | A hash value based on the concatenation of the 'Issuer' response value, the AWS--- account ID, and the friendly name (the last part of the ARN) of the SAML--- provider in IAM. The combination of 'NameQualifier' and 'Subject' can be used to--- uniquely identify a federated user.------ The following pseudocode shows how the hash value is calculated:+-- | The format of the name ID, as defined by the 'Format' attribute in the+-- 'NameID' element of the SAML assertion. Typical examples of the format+-- are 'transient' or 'persistent'. ----- 'BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP") )'-arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrNameQualifier =-    lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)-arwsamlrPackedPolicySize =-    lens _arwsamlrPackedPolicySize-        (\s a -> s { _arwsamlrPackedPolicySize = a })-            . mapping _Nat---- | The value of the 'NameID' element in the 'Subject' element of the SAML assertion.-arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })+-- If the format includes the prefix+-- 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For+-- example, 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is+-- returned as 'transient'. If the format includes any other prefix, the+-- format is returned with no modifications.+arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsSubjectType = lens _arwsamlrsSubjectType (\ s a -> s{_arwsamlrsSubjectType = a}); --- | The format of the name ID, as defined by the 'Format' attribute in the 'NameID'--- element of the SAML assertion. Typical examples of the format are 'transient'--- or 'persistent'.+-- | A hash value based on the concatenation of the 'Issuer' response value,+-- the AWS account ID, and the friendly name (the last part of the ARN) of+-- the SAML provider in IAM. The combination of 'NameQualifier' and+-- 'Subject' can be used to uniquely identify a federated user. ----- If the format includes the prefix 'urn:oasis:names:tc:SAML:2.0:nameid-format', that prefix is removed. For example,--- 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient' is returned as 'transient'.--- If the format includes any other prefix, the format is returned with no--- modifications.-arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)-arwsamlrSubjectType =-    lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })--instance ToPath AssumeRoleWithSAML where-    toPath = const "/"--instance ToQuery AssumeRoleWithSAML where-    toQuery AssumeRoleWithSAML{..} = mconcat-        [ "DurationSeconds" =? _arwsamlDurationSeconds-        , "Policy"          =? _arwsamlPolicy-        , "PrincipalArn"    =? _arwsamlPrincipalArn-        , "RoleArn"         =? _arwsamlRoleArn-        , "SAMLAssertion"   =? _arwsamlSAMLAssertion-        ]--instance ToHeaders AssumeRoleWithSAML+-- The following pseudocode shows how the hash value is calculated:+--+-- 'BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )'+arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsNameQualifier = lens _arwsamlrsNameQualifier (\ s a -> s{_arwsamlrsNameQualifier = a}); -instance AWSRequest AssumeRoleWithSAML where-    type Sv AssumeRoleWithSAML = STS-    type Rs AssumeRoleWithSAML = AssumeRoleWithSAMLResponse+-- | Undocumented member.+arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)+arwsamlrsAssumedRoleUser = lens _arwsamlrsAssumedRoleUser (\ s a -> s{_arwsamlrsAssumedRoleUser = a}); -    request  = post "AssumeRoleWithSAML"-    response = xmlResponse+-- | The value of the 'Issuer' element of the SAML assertion.+arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrsIssuer = lens _arwsamlrsIssuer (\ s a -> s{_arwsamlrsIssuer = a}); -instance FromXML AssumeRoleWithSAMLResponse where-    parseXML = withElement "AssumeRoleWithSAMLResult" $ \x -> AssumeRoleWithSAMLResponse-        <$> x .@? "AssumedRoleUser"-        <*> x .@? "Audience"-        <*> x .@? "Credentials"-        <*> x .@? "Issuer"-        <*> x .@? "NameQualifier"-        <*> x .@? "PackedPolicySize"-        <*> x .@? "Subject"-        <*> x .@? "SubjectType"+-- | The response status code.+arwsamlrsStatus :: Lens' AssumeRoleWithSAMLResponse Int+arwsamlrsStatus = lens _arwsamlrsStatus (\ s a -> s{_arwsamlrsStatus = a});
gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs view
@@ -1,315 +1,355 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.AssumeRoleWithWebIdentity--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials for users who have been--- authenticated in a mobile or web application with a web identity provider,--- such as Amazon Cognito, Login with Amazon, Facebook, Google, or any OpenID--- Connect-compatible identity provider.+-- Returns a set of temporary security credentials for users who have been+-- authenticated in a mobile or web application with a web identity+-- provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,+-- or any OpenID Connect-compatible identity provider. ----- For mobile applications, we recommend that you use Amazon Cognito. You can--- use Amazon Cognito with the <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to--- uniquely identify a user and supply the user with a consistent identity+-- For mobile applications, we recommend that you use Amazon Cognito. You+-- can use Amazon Cognito with the+-- <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and the+-- <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android> to uniquely+-- identify a user and supply the user with a consistent identity -- throughout the lifetime of an application. ----- To learn more about Amazon Cognito, see <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> in the /AWSSDK for Android Developer Guide/ guide and <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> in the /AWSSDK for iOS Developer Guide/.+-- To learn more about Amazon Cognito, see+-- <http://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview>+-- in the /AWS SDK for Android Developer Guide/ guide and+-- <http://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview>+-- in the /AWS SDK for iOS Developer Guide/. ----- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS security--- credentials. Therefore, you can distribute an application (for example, on--- mobile devices) that requests temporary security credentials without--- including long-term AWS credentials in the application, and without deploying--- server-based proxy services that use long-term AWS credentials. Instead, the--- identity of the caller is validated by using a token from the web identity--- provider.+-- Calling 'AssumeRoleWithWebIdentity' does not require the use of AWS+-- security credentials. Therefore, you can distribute an application (for+-- example, on mobile devices) that requests temporary security credentials+-- without including long-term AWS credentials in the application, and+-- without deploying server-based proxy services that use long-term AWS+-- credentials. Instead, the identity of the caller is validated by using a+-- token from the web identity provider. ----- The temporary security credentials returned by this API consist of an access--- key ID, a secret access key, and a security token. Applications can use these--- temporary security credentials to sign calls to AWS service APIs. The--- credentials are valid for the duration that you specified when calling 'AssumeRoleWithWebIdentity', which can be from 900 seconds (15 minutes) to 3600 seconds (1 hour). By--- default, the temporary security credentials are valid for 1 hour.+-- The temporary security credentials returned by this API consist of an+-- access key ID, a secret access key, and a security token. Applications+-- can use these temporary security credentials to sign calls to AWS+-- service APIs. The credentials are valid for the duration that you+-- specified when calling 'AssumeRoleWithWebIdentity', which can be from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the+-- temporary security credentials are valid for 1 hour. -- -- Optionally, you can pass an IAM access policy to this operation. If you -- choose not to pass a policy, the temporary security credentials that are--- returned by the operation have the permissions that are defined in the access--- policy of the role that is being assumed. If you pass a policy to this--- operation, the temporary security credentials that are returned by the--- operation have the permissions that are allowed by both the access policy of--- the role that is being assumed, /and/ the policy that you pass. This gives you--- a way to further restrict the permissions for the resulting temporary--- security credentials. You cannot use the passed policy to grant permissions--- that are in excess of those allowed by the access policy of the role that is--- being assumed. For more information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions forAssumeRoleWithWebIdentity> in /Using Temporary Security Credentials/.+-- returned by the operation have the permissions that are defined in the+-- access policy of the role that is being assumed. If you pass a policy to+-- this operation, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, /__and__/ the policy that you+-- pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>. ----- Before your application can call 'AssumeRoleWithWebIdentity', you must have an--- identity token from a supported identity provider and create a role that the--- application can assume. The role that your application assumes must trust the--- identity provider that is associated with the identity token. In other words,--- the identity provider must be specified in the role's trust policy.+-- Before your application can call 'AssumeRoleWithWebIdentity', you must+-- have an identity token from a supported identity provider and create a+-- role that the application can assume. The role that your application+-- assumes must trust the identity provider that is associated with the+-- identity token. In other words, the identity provider must be specified+-- in the role\'s trust policy. ----- For more information about how to use web identity federation and the 'AssumeRoleWithWebIdentity' API, see the following resources:+-- For more information about how to use web identity federation and the+-- 'AssumeRoleWithWebIdentity' API, see the following resources: ----- <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider  Creating a Mobile Application with Third-Party Sign-In> and <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html  CreatingTemporary Security Credentials for Mobile Apps Using Third-Party IdentityProviders> in /Using Temporary Security Credentials/.   <https://web-identity-federation-playground.s3.amazonaws.com/index.html  Web Identity FederationPlayground>. This interactive website lets you walk through the process of--- authenticating via Login with Amazon, Facebook, or Google, getting temporary--- security credentials, and then using those credentials to make a request to--- AWS.   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These toolkits contain sample--- apps that show how to invoke the identity providers, and then how to use the--- information from these providers to get and use temporary security--- credentials.   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>. This article--- discusses web identity federation and shows an example of how to use web--- identity federation to get access to content in Amazon S3.+-- -   <http://docs.aws.amazon.com/STS/latest/UsingSTS/STSUseCases.html#MobileApplication-KnownProvider Creating a Mobile Application with Third-Party Sign-In>+--     and+--     <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Third-Party Identity Providers>.+-- -   <https://web-identity-federation-playground.s3.amazonaws.com/index.html Web Identity Federation Playground>.+--     This interactive website lets you walk through the process of+--     authenticating via Login with Amazon, Facebook, or Google, getting+--     temporary security credentials, and then using those credentials to+--     make a request to AWS.+-- -   <http://aws.amazon.com/sdkforios/ AWS SDK for iOS> and+--     <http://aws.amazon.com/sdkforandroid/ AWS SDK for Android>. These+--     toolkits contain sample apps that show how to invoke the identity+--     providers, and then how to use the information from these providers+--     to get and use temporary security credentials.+-- -   <http://aws.amazon.com/articles/4617974389850313 Web Identity Federation with Mobile Applications>.+--     This article discusses web identity federation and shows an example+--     of how to use web identity federation to get access to content in+--     Amazon S3. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html AWS API Reference> for AssumeRoleWithWebIdentity. module Network.AWS.STS.AssumeRoleWithWebIdentity     (-    -- * Request-      AssumeRoleWithWebIdentity-    -- ** Request constructor-    , assumeRoleWithWebIdentity-    -- ** Request lenses+    -- * Creating a Request+      assumeRoleWithWebIdentity+    , AssumeRoleWithWebIdentity+    -- * Request Lenses+    , arwwiProviderId     , arwwiDurationSeconds     , arwwiPolicy-    , arwwiProviderId-    , arwwiRoleArn+    , arwwiRoleARN     , arwwiRoleSessionName     , arwwiWebIdentityToken -    -- * Response-    , AssumeRoleWithWebIdentityResponse-    -- ** Response constructor+    -- * Destructuring the Response     , assumeRoleWithWebIdentityResponse-    -- ** Response lenses-    , arwwirAssumedRoleUser-    , arwwirAudience-    , arwwirCredentials-    , arwwirPackedPolicySize-    , arwwirProvider-    , arwwirSubjectFromWebIdentityToken+    , AssumeRoleWithWebIdentityResponse+    -- * Response Lenses+    , arwwirsAudience+    , arwwirsSubjectFromWebIdentityToken+    , arwwirsPackedPolicySize+    , arwwirsCredentials+    , arwwirsAssumedRoleUser+    , arwwirsProvider+    , arwwirsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity-    { _arwwiDurationSeconds  :: Maybe Nat-    , _arwwiPolicy           :: Maybe Text-    , _arwwiProviderId       :: Maybe Text-    , _arwwiRoleArn          :: Text-    , _arwwiRoleSessionName  :: Text-    , _arwwiWebIdentityToken :: Text-    } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'assumeRoleWithWebIdentity' smart constructor.+data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity'+    { _arwwiProviderId       :: !(Maybe Text)+    , _arwwiDurationSeconds  :: !(Maybe Nat)+    , _arwwiPolicy           :: !(Maybe Text)+    , _arwwiRoleARN          :: !Text+    , _arwwiRoleSessionName  :: !Text+    , _arwwiWebIdentityToken :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'AssumeRoleWithWebIdentity' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'AssumeRoleWithWebIdentity' with the minimum fields required to make a request. ----- * 'arwwiDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwwiPolicy' @::@ 'Maybe' 'Text'+-- * 'arwwiProviderId' ----- * 'arwwiProviderId' @::@ 'Maybe' 'Text'+-- * 'arwwiDurationSeconds' ----- * 'arwwiRoleArn' @::@ 'Text'+-- * 'arwwiPolicy' ----- * 'arwwiRoleSessionName' @::@ 'Text'+-- * 'arwwiRoleARN' ----- * 'arwwiWebIdentityToken' @::@ 'Text'+-- * 'arwwiRoleSessionName' ---assumeRoleWithWebIdentity :: Text -- ^ 'arwwiRoleArn'-                          -> Text -- ^ 'arwwiRoleSessionName'-                          -> Text -- ^ 'arwwiWebIdentityToken'-                          -> AssumeRoleWithWebIdentity-assumeRoleWithWebIdentity p1 p2 p3 = AssumeRoleWithWebIdentity-    { _arwwiRoleArn          = p1-    , _arwwiRoleSessionName  = p2-    , _arwwiWebIdentityToken = p3-    , _arwwiProviderId       = Nothing-    , _arwwiPolicy           = Nothing-    , _arwwiDurationSeconds  = Nothing+-- * 'arwwiWebIdentityToken'+assumeRoleWithWebIdentity+    :: Text -- ^ 'arwwiRoleARN'+    -> Text -- ^ 'arwwiRoleSessionName'+    -> Text -- ^ 'arwwiWebIdentityToken'+    -> AssumeRoleWithWebIdentity+assumeRoleWithWebIdentity pRoleARN_ pRoleSessionName_ pWebIdentityToken_ =+    AssumeRoleWithWebIdentity'+    { _arwwiProviderId = Nothing+    , _arwwiDurationSeconds = Nothing+    , _arwwiPolicy = Nothing+    , _arwwiRoleARN = pRoleARN_+    , _arwwiRoleSessionName = pRoleSessionName_+    , _arwwiWebIdentityToken = pWebIdentityToken_     } --- | The duration, in seconds, of the role session. The value can range from 900--- seconds (15 minutes) to 3600 seconds (1 hour). By default, the value is set--- to 3600 seconds.-arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)-arwwiDurationSeconds =-    lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })-        . mapping _Nat---- | An IAM policy in JSON format.------ The policy parameter is optional. If you pass a policy, the temporary--- security credentials that are returned by the operation have the permissions--- that are allowed by both the access policy of the role that is being assumed, /and/ the policy that you pass. This gives you a way to further restrict the--- permissions for the resulting temporary security credentials. You cannot use--- the passed policy to grant permissions that are in excess of those allowed by--- the access policy of the role that is being assumed. For more information,--- see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity> in /Using Temporary SecurityCredentials/.-arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)-arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })- -- | The fully qualified host component of the domain name of the identity -- provider. ----- Specify this value only for OAuth 2.0 access tokens. Currently 'www.amazon.com'--- and 'graph.facebook.com' are the only supported identity providers for OAuth--- 2.0 access tokens. Do not include URL schemes and port numbers.+-- Specify this value only for OAuth 2.0 access tokens. Currently+-- 'www.amazon.com' and 'graph.facebook.com' are the only supported+-- identity providers for OAuth 2.0 access tokens. Do not include URL+-- schemes and port numbers. -- -- Do not specify this value for OpenID Connect ID tokens. arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)-arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })+arwwiProviderId = lens _arwwiProviderId (\ s a -> s{_arwwiProviderId = a}); +-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds.+arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)+arwwiDurationSeconds = lens _arwwiDurationSeconds (\ s a -> s{_arwwiDurationSeconds = a}) . mapping _Nat;++-- | An IAM policy in JSON format.+--+-- The policy parameter is optional. If you pass a policy, the temporary+-- security credentials that are returned by the operation have the+-- permissions that are allowed by both the access policy of the role that+-- is being assumed, /__and__/ the policy that you pass. This gives you a+-- way to further restrict the permissions for the resulting temporary+-- security credentials. You cannot use the passed policy to grant+-- permissions that are in excess of those allowed by the access policy of+-- the role that is being assumed. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-assume-role.html Permissions for AssumeRoleWithWebIdentity>.+--+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size.+arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)+arwwiPolicy = lens _arwwiPolicy (\ s a -> s{_arwwiPolicy = a});+ -- | The Amazon Resource Name (ARN) of the role that the caller is assuming.-arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text-arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })+arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text+arwwiRoleARN = lens _arwwiRoleARN (\ s a -> s{_arwwiRoleARN = a}); --- | An identifier for the assumed role session. Typically, you pass the name or--- identifier that is associated with the user who is using your application.--- That way, the temporary security credentials that your application will use--- are associated with that user. This session name is included as part of the--- ARN and assumed role ID in the 'AssumedRoleUser' response element.+-- | An identifier for the assumed role session. Typically, you pass the name+-- or identifier that is associated with the user who is using your+-- application. That way, the temporary security credentials that your+-- application will use are associated with that user. This session name is+-- included as part of the ARN and assumed role ID in the 'AssumedRoleUser'+-- response element. arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text-arwwiRoleSessionName =-    lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })+arwwiRoleSessionName = lens _arwwiRoleSessionName (\ s a -> s{_arwwiRoleSessionName = a}); --- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by the--- identity provider. Your application must get this token by authenticating the--- user who is using your application with a web identity provider before the--- application makes an 'AssumeRoleWithWebIdentity' call.+-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided+-- by the identity provider. Your application must get this token by+-- authenticating the user who is using your application with a web+-- identity provider before the application makes an+-- 'AssumeRoleWithWebIdentity' call. arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text-arwwiWebIdentityToken =-    lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })+arwwiWebIdentityToken = lens _arwwiWebIdentityToken (\ s a -> s{_arwwiWebIdentityToken = a}); -data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse-    { _arwwirAssumedRoleUser             :: Maybe AssumedRoleUser-    , _arwwirAudience                    :: Maybe Text-    , _arwwirCredentials                 :: Maybe Credentials-    , _arwwirPackedPolicySize            :: Maybe Nat-    , _arwwirProvider                    :: Maybe Text-    , _arwwirSubjectFromWebIdentityToken :: Maybe Text-    } deriving (Eq, Read, Show)+instance AWSRequest AssumeRoleWithWebIdentity where+        type Sv AssumeRoleWithWebIdentity = STS+        type Rs AssumeRoleWithWebIdentity =+             AssumeRoleWithWebIdentityResponse+        request = postQuery+        response+          = receiveXMLWrapper "AssumeRoleWithWebIdentityResult"+              (\ s h x ->+                 AssumeRoleWithWebIdentityResponse' <$>+                   (x .@? "Audience") <*>+                     (x .@? "SubjectFromWebIdentityToken")+                     <*> (x .@? "PackedPolicySize")+                     <*> (x .@? "Credentials")+                     <*> (x .@? "AssumedRoleUser")+                     <*> (x .@? "Provider")+                     <*> (pure (fromEnum s))) --- | 'AssumeRoleWithWebIdentityResponse' constructor.+instance ToHeaders AssumeRoleWithWebIdentity where+        toHeaders = const mempty++instance ToPath AssumeRoleWithWebIdentity where+        toPath = const "/"++instance ToQuery AssumeRoleWithWebIdentity where+        toQuery AssumeRoleWithWebIdentity'{..}+          = mconcat+              ["Action" =:+                 ("AssumeRoleWithWebIdentity" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "ProviderId" =: _arwwiProviderId,+               "DurationSeconds" =: _arwwiDurationSeconds,+               "Policy" =: _arwwiPolicy, "RoleArn" =: _arwwiRoleARN,+               "RoleSessionName" =: _arwwiRoleSessionName,+               "WebIdentityToken" =: _arwwiWebIdentityToken]++-- | Contains the response to a successful AssumeRoleWithWebIdentity request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'assumeRoleWithWebIdentityResponse' smart constructor.+data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse'+    { _arwwirsAudience                    :: !(Maybe Text)+    , _arwwirsSubjectFromWebIdentityToken :: !(Maybe Text)+    , _arwwirsPackedPolicySize            :: !(Maybe Nat)+    , _arwwirsCredentials                 :: !(Maybe Credentials)+    , _arwwirsAssumedRoleUser             :: !(Maybe AssumedRoleUser)+    , _arwwirsProvider                    :: !(Maybe Text)+    , _arwwirsStatus                      :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumeRoleWithWebIdentityResponse' with the minimum fields required to make a request. ----- * 'arwwirAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+-- Use one of the following lenses to modify other fields as desired: ----- * 'arwwirAudience' @::@ 'Maybe' 'Text'+-- * 'arwwirsAudience' ----- * 'arwwirCredentials' @::@ 'Maybe' 'Credentials'+-- * 'arwwirsSubjectFromWebIdentityToken' ----- * 'arwwirPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'arwwirsPackedPolicySize' ----- * 'arwwirProvider' @::@ 'Maybe' 'Text'+-- * 'arwwirsCredentials' ----- * 'arwwirSubjectFromWebIdentityToken' @::@ 'Maybe' 'Text'+-- * 'arwwirsAssumedRoleUser' ---assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse-assumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse-    { _arwwirCredentials                 = Nothing-    , _arwwirSubjectFromWebIdentityToken = Nothing-    , _arwwirAssumedRoleUser             = Nothing-    , _arwwirPackedPolicySize            = Nothing-    , _arwwirProvider                    = Nothing-    , _arwwirAudience                    = Nothing+-- * 'arwwirsProvider'+--+-- * 'arwwirsStatus'+assumeRoleWithWebIdentityResponse+    :: Int -- ^ 'arwwirsStatus'+    -> AssumeRoleWithWebIdentityResponse+assumeRoleWithWebIdentityResponse pStatus_ =+    AssumeRoleWithWebIdentityResponse'+    { _arwwirsAudience = Nothing+    , _arwwirsSubjectFromWebIdentityToken = Nothing+    , _arwwirsPackedPolicySize = Nothing+    , _arwwirsCredentials = Nothing+    , _arwwirsAssumedRoleUser = Nothing+    , _arwwirsProvider = Nothing+    , _arwwirsStatus = pStatus_     } --- | The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers--- that you can use to refer to the resulting temporary security credentials.--- For example, you can reference these credentials as a principal in a--- resource-based policy by using the ARN or assumed role ID. The ARN and ID--- include the 'RoleSessionName' that you specified when you called 'AssumeRole'.-arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)-arwwirAssumedRoleUser =-    lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })---- | The intended audience (also known as client ID) of the web identity token.--- This is traditionally the client identifier issued to the application that--- requested the web identity token.-arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })---- | The temporary security credentials, which include an access key ID, a secret--- access key, and a security token.-arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)-arwwirCredentials =-    lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })---- | A percentage value that indicates the size of the policy in packed form. The--- service rejects any policy with a packed size greater than 100 percent, which--- means the policy exceeded the allowed space.-arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)-arwwirPackedPolicySize =-    lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })-        . mapping _Nat---- | The issuing authority of the web identity token presented. For OpenID--- Connect ID Tokens this contains the value of the 'iss' field. For OAuth 2.0--- access tokens, this contains the value of the 'ProviderId' parameter that was--- passed in the 'AssumeRoleWithWebIdentity' request.-arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })---- | The unique user identifier that is returned by the identity provider. This--- identifier is associated with the 'WebIdentityToken' that was submitted with--- the 'AssumeRoleWithWebIdentity' call. The identifier is typically unique to the--- user and the application that acquired the 'WebIdentityToken' (pairwise--- identifier). For OpenID Connect ID tokens, this field contains the value--- returned by the identity provider as the token's 'sub' (Subject) claim.-arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)-arwwirSubjectFromWebIdentityToken =-    lens _arwwirSubjectFromWebIdentityToken-        (\s a -> s { _arwwirSubjectFromWebIdentityToken = a })+-- | The intended audience (also known as client ID) of the web identity+-- token. This is traditionally the client identifier issued to the+-- application that requested the web identity token.+arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsAudience = lens _arwwirsAudience (\ s a -> s{_arwwirsAudience = a}); -instance ToPath AssumeRoleWithWebIdentity where-    toPath = const "/"+-- | The unique user identifier that is returned by the identity provider.+-- This identifier is associated with the 'WebIdentityToken' that was+-- submitted with the 'AssumeRoleWithWebIdentity' call. The identifier is+-- typically unique to the user and the application that acquired the+-- 'WebIdentityToken' (pairwise identifier). For OpenID Connect ID tokens,+-- this field contains the value returned by the identity provider as the+-- token\'s 'sub' (Subject) claim.+arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsSubjectFromWebIdentityToken = lens _arwwirsSubjectFromWebIdentityToken (\ s a -> s{_arwwirsSubjectFromWebIdentityToken = a}); -instance ToQuery AssumeRoleWithWebIdentity where-    toQuery AssumeRoleWithWebIdentity{..} = mconcat-        [ "DurationSeconds"  =? _arwwiDurationSeconds-        , "Policy"           =? _arwwiPolicy-        , "ProviderId"       =? _arwwiProviderId-        , "RoleArn"          =? _arwwiRoleArn-        , "RoleSessionName"  =? _arwwiRoleSessionName-        , "WebIdentityToken" =? _arwwiWebIdentityToken-        ]+-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)+arwwirsPackedPolicySize = lens _arwwirsPackedPolicySize (\ s a -> s{_arwwirsPackedPolicySize = a}) . mapping _Nat; -instance ToHeaders AssumeRoleWithWebIdentity+-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security token.+arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)+arwwirsCredentials = lens _arwwirsCredentials (\ s a -> s{_arwwirsCredentials = a}); -instance AWSRequest AssumeRoleWithWebIdentity where-    type Sv AssumeRoleWithWebIdentity = STS-    type Rs AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse+-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary+-- security credentials. For example, you can reference these credentials+-- as a principal in a resource-based policy by using the ARN or assumed+-- role ID. The ARN and ID include the 'RoleSessionName' that you specified+-- when you called 'AssumeRole'.+arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)+arwwirsAssumedRoleUser = lens _arwwirsAssumedRoleUser (\ s a -> s{_arwwirsAssumedRoleUser = a}); -    request  = post "AssumeRoleWithWebIdentity"-    response = xmlResponse+-- | The issuing authority of the web identity token presented. For OpenID+-- Connect ID Tokens this contains the value of the 'iss' field. For OAuth+-- 2.0 access tokens, this contains the value of the 'ProviderId' parameter+-- that was passed in the 'AssumeRoleWithWebIdentity' request.+arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirsProvider = lens _arwwirsProvider (\ s a -> s{_arwwirsProvider = a}); -instance FromXML AssumeRoleWithWebIdentityResponse where-    parseXML = withElement "AssumeRoleWithWebIdentityResult" $ \x -> AssumeRoleWithWebIdentityResponse-        <$> x .@? "AssumedRoleUser"-        <*> x .@? "Audience"-        <*> x .@? "Credentials"-        <*> x .@? "PackedPolicySize"-        <*> x .@? "Provider"-        <*> x .@? "SubjectFromWebIdentityToken"+-- | The response status code.+arwwirsStatus :: Lens' AssumeRoleWithWebIdentityResponse Int+arwwirsStatus = lens _arwwirsStatus (\ s a -> s{_arwwirsStatus = a});
gen/Network/AWS/STS/DecodeAuthorizationMessage.hs view
@@ -1,131 +1,155 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.DecodeAuthorizationMessage--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Decodes additional information about the authorization status of a request--- from an encoded message returned in response to an AWS request.+-- Decodes additional information about the authorization status of a+-- request from an encoded message returned in response to an AWS request. ----- For example, if a user is not authorized to perform an action that he or she--- has requested, the request returns a 'Client.UnauthorizedOperation' response--- (an HTTP 403 response). Some AWS actions additionally return an encoded--- message that can provide details about this authorization failure.+-- For example, if a user is not authorized to perform an action that he or+-- she has requested, the request returns a 'Client.UnauthorizedOperation'+-- response (an HTTP 403 response). Some AWS actions additionally return an+-- encoded message that can provide details about this authorization+-- failure. -- -- Only certain AWS actions return an encoded authorization message. The--- documentation for an individual action indicates whether that action returns--- an encoded message in addition to returning an HTTP code.  The message is--- encoded because the details of the authorization status can constitute--- privileged information that the user who requested the action should not see.--- To decode an authorization status message, a user must be granted permissions--- via an IAM policy to request the 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.+-- documentation for an individual action indicates whether that action+-- returns an encoded message in addition to returning an HTTP code. --+-- The message is encoded because the details of the authorization status+-- can constitute privileged information that the user who requested the+-- action should not see. To decode an authorization status message, a user+-- must be granted permissions via an IAM policy to request the+-- 'DecodeAuthorizationMessage' ('sts:DecodeAuthorizationMessage') action.+-- -- The decoded message includes the following type of information: ----- Whether the request was denied due to an explicit deny or due to the--- absence of an explicit allow. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether aRequest is Allowed or Denied> in /Using IAM/.  The principal who made the--- request. The requested action. The requested resource. The values of--- condition keys in the context of the user's request.+-- -   Whether the request was denied due to an explicit deny or due to the+--     absence of an explicit allow. For more information, see+--     <http://docs.aws.amazon.com/IAM/latest/UserGuide/AccessPolicyLanguage_EvaluationLogic.html#policy-eval-denyallow Determining Whether a Request is Allowed or Denied>+--     in /Using IAM/.+-- -   The principal who made the request.+-- -   The requested action.+-- -   The requested resource.+-- -   The values of condition keys in the context of the user\'s request. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html AWS API Reference> for DecodeAuthorizationMessage. module Network.AWS.STS.DecodeAuthorizationMessage     (-    -- * Request-      DecodeAuthorizationMessage-    -- ** Request constructor-    , decodeAuthorizationMessage-    -- ** Request lenses+    -- * Creating a Request+      decodeAuthorizationMessage+    , DecodeAuthorizationMessage+    -- * Request Lenses     , damEncodedMessage -    -- * Response-    , DecodeAuthorizationMessageResponse-    -- ** Response constructor+    -- * Destructuring the Response     , decodeAuthorizationMessageResponse-    -- ** Response lenses-    , damrDecodedMessage+    , DecodeAuthorizationMessageResponse+    -- * Response Lenses+    , damrsDecodedMessage+    , damrsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage+-- | /See:/ 'decodeAuthorizationMessage' smart constructor.+newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage'     { _damEncodedMessage :: Text-    } deriving (Eq, Ord, Read, Show, Monoid, IsString)+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'DecodeAuthorizationMessage' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'DecodeAuthorizationMessage' with the minimum fields required to make a request. ----- * 'damEncodedMessage' @::@ 'Text'+-- Use one of the following lenses to modify other fields as desired: ---decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'-                           -> DecodeAuthorizationMessage-decodeAuthorizationMessage p1 = DecodeAuthorizationMessage-    { _damEncodedMessage = p1+-- * 'damEncodedMessage'+decodeAuthorizationMessage+    :: Text -- ^ 'damEncodedMessage'+    -> DecodeAuthorizationMessage+decodeAuthorizationMessage pEncodedMessage_ =+    DecodeAuthorizationMessage'+    { _damEncodedMessage = pEncodedMessage_     }  -- | The encoded message that was returned with the response. damEncodedMessage :: Lens' DecodeAuthorizationMessage Text-damEncodedMessage =-    lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })--newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse-    { _damrDecodedMessage :: Maybe Text-    } deriving (Eq, Ord, Read, Show, Monoid)+damEncodedMessage = lens _damEncodedMessage (\ s a -> s{_damEncodedMessage = a}); --- | 'DecodeAuthorizationMessageResponse' constructor.------ The fields accessible through corresponding lenses are:------ * 'damrDecodedMessage' @::@ 'Maybe' 'Text'----decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse-decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse-    { _damrDecodedMessage = Nothing-    }+instance AWSRequest DecodeAuthorizationMessage where+        type Sv DecodeAuthorizationMessage = STS+        type Rs DecodeAuthorizationMessage =+             DecodeAuthorizationMessageResponse+        request = postQuery+        response+          = receiveXMLWrapper+              "DecodeAuthorizationMessageResult"+              (\ s h x ->+                 DecodeAuthorizationMessageResponse' <$>+                   (x .@? "DecodedMessage") <*> (pure (fromEnum s))) --- | An XML document that contains the decoded message. For more information, see 'DecodeAuthorizationMessage'.-damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)-damrDecodedMessage =-    lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })+instance ToHeaders DecodeAuthorizationMessage where+        toHeaders = const mempty  instance ToPath DecodeAuthorizationMessage where-    toPath = const "/"+        toPath = const "/"  instance ToQuery DecodeAuthorizationMessage where-    toQuery DecodeAuthorizationMessage{..} = mconcat-        [ "EncodedMessage" =? _damEncodedMessage-        ]+        toQuery DecodeAuthorizationMessage'{..}+          = mconcat+              ["Action" =:+                 ("DecodeAuthorizationMessage" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "EncodedMessage" =: _damEncodedMessage] -instance ToHeaders DecodeAuthorizationMessage+-- | A document that contains additional information about the authorization+-- status of a request from an encoded message that is returned in response+-- to an AWS request.+--+-- /See:/ 'decodeAuthorizationMessageResponse' smart constructor.+data DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse'+    { _damrsDecodedMessage :: !(Maybe Text)+    , _damrsStatus         :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic) -instance AWSRequest DecodeAuthorizationMessage where-    type Sv DecodeAuthorizationMessage = STS-    type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse+-- | Creates a value of 'DecodeAuthorizationMessageResponse' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'damrsDecodedMessage'+--+-- * 'damrsStatus'+decodeAuthorizationMessageResponse+    :: Int -- ^ 'damrsStatus'+    -> DecodeAuthorizationMessageResponse+decodeAuthorizationMessageResponse pStatus_ =+    DecodeAuthorizationMessageResponse'+    { _damrsDecodedMessage = Nothing+    , _damrsStatus = pStatus_+    } -    request  = post "DecodeAuthorizationMessage"-    response = xmlResponse+-- | An XML document that contains the decoded message. For more information,+-- see 'DecodeAuthorizationMessage'.+damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)+damrsDecodedMessage = lens _damrsDecodedMessage (\ s a -> s{_damrsDecodedMessage = a}); -instance FromXML DecodeAuthorizationMessageResponse where-    parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse-        <$> x .@? "DecodedMessage"+-- | The response status code.+damrsStatus :: Lens' DecodeAuthorizationMessageResponse Int+damrsStatus = lens _damrsStatus (\ s a -> s{_damrsStatus = a});
gen/Network/AWS/STS/GetFederationToken.hs view
@@ -1,234 +1,271 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.GetFederationToken--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary security credentials (consisting of an access key--- ID, a secret access key, and a security token) for a federated user. A--- typical use is in a proxy application that gets temporary security--- credentials on behalf of distributed applications inside a corporate network.--- Because you must call the 'GetFederationToken' action using the long-term--- security credentials of an IAM user, this call is appropriate in contexts--- where those credentials can be safely stored, usually in a server-based--- application.+-- Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) for a federated user.+-- A typical use is in a proxy application that gets temporary security+-- credentials on behalf of distributed applications inside a corporate+-- network. Because you must call the 'GetFederationToken' action using the+-- long-term security credentials of an IAM user, this call is appropriate+-- in contexts where those credentials can be safely stored, usually in a+-- server-based application. -- -- If you are creating a mobile-based or browser-based app that can -- authenticate users using a web identity provider like Login with Amazon, -- Facebook, Google, or an OpenID Connect-compatible identity provider, we--- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito> or 'AssumeRoleWithWebIdentity'. For more--- information, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile AppsUsing Identity Providers> in /Using Temporary Security Credentials/.+-- recommend that you use <http://aws.amazon.com/cognito/ Amazon Cognito>+-- or 'AssumeRoleWithWebIdentity'. For more information, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingWIF.html Creating Temporary Security Credentials for Mobile Apps Using Identity Providers>. ----- The 'GetFederationToken' action must be called by using the long-term AWS--- security credentials of an IAM user. You can also call 'GetFederationToken'--- using the security credentials of an AWS account (root), but this is not--- recommended. Instead, we recommend that you create an IAM user for the--- purpose of the proxy application and then attach a policy to the IAM user--- that limits federated users to only the actions and resources they need--- access to. For more information, see <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices> in /Using IAM/.+-- The 'GetFederationToken' action must be called by using the long-term+-- AWS security credentials of an IAM user. You can also call+-- 'GetFederationToken' using the security credentials of an AWS account+-- (root), but this is not recommended. Instead, we recommend that you+-- create an IAM user for the purpose of the proxy application and then+-- attach a policy to the IAM user that limits federated users to only the+-- actions and resources they need access to. For more information, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html IAM Best Practices>+-- in /Using IAM/. ----- The temporary security credentials that are obtained by using the long-term--- credentials of an IAM user are valid for the specified duration, between 900--- seconds (15 minutes) and 129600 seconds (36 hours). Temporary credentials--- that are obtained by using AWS account (root) credentials have a maximum--- duration of 3600 seconds (1 hour)+-- The temporary security credentials that are obtained by using the+-- long-term credentials of an IAM user are valid for the specified+-- duration, between 900 seconds (15 minutes) and 129600 seconds (36+-- hours). Temporary credentials that are obtained by using AWS account+-- (root) credentials have a maximum duration of 3600 seconds (1 hour) ----- Permissions+-- __Permissions__ ----- The permissions for the temporary security credentials returned by 'GetFederationToken' are determined by a combination of the following:+-- The permissions for the temporary security credentials returned by+-- 'GetFederationToken' are determined by a combination of the following: ----- The policy or policies that are attached to the IAM user whose credentials--- are used to call 'GetFederationToken'. The policy that is passed as a parameter--- in the call.  The passed policy is attached to the temporary security--- credentials that result from the 'GetFederationToken' API call--that is, to the /federated user/. When the federated user makes an AWS request, AWS evaluates--- the policy attached to the federated user in combination with the policy or--- policies attached to the IAM user whose credentials were used to call 'GetFederationToken'. AWS allows the federated user's request only when both the federated user /and/ the IAM user are explicitly allowed to perform the requested action. The--- passed policy cannot grant more permissions than those that are defined in--- the IAM user policy.+-- -   The policy or policies that are attached to the IAM user whose+--     credentials are used to call 'GetFederationToken'.+-- -   The policy that is passed as a parameter in the call. ----- A typical use case is that the permissions of the IAM user whose credentials--- are used to call 'GetFederationToken' are designed to allow access to all the--- actions and resources that any federated user will need. Then, for individual--- users, you pass a policy to the operation that scopes down the permissions to--- a level that's appropriate to that individual user, using a policy that--- allows only a subset of permissions that are granted to the IAM user.+-- The passed policy is attached to the temporary security credentials that+-- result from the 'GetFederationToken' API call--that is, to the+-- /federated user/. When the federated user makes an AWS request, AWS+-- evaluates the policy attached to the federated user in combination with+-- the policy or policies attached to the IAM user whose credentials were+-- used to call 'GetFederationToken'. AWS allows the federated user\'s+-- request only when both the federated user /__and__/ the IAM user are+-- explicitly allowed to perform the requested action. The passed policy+-- cannot grant more permissions than those that are defined in the IAM+-- user policy. ----- If you do not pass a policy, the resulting temporary security credentials--- have no effective permissions. The only exception is when the temporary--- security credentials are used to access a resource that has a resource-based--- policy that specifically allows the federated user to access the resource.+-- A typical use case is that the permissions of the IAM user whose+-- credentials are used to call 'GetFederationToken' are designed to allow+-- access to all the actions and resources that any federated user will+-- need. Then, for individual users, you pass a policy to the operation+-- that scopes down the permissions to a level that\'s appropriate to that+-- individual user, using a policy that allows only a subset of permissions+-- that are granted to the IAM user. ----- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/. For information--- about using 'GetFederationToken' to create temporary security credentials, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users> in /Using Temporary Security Credentials/.+-- If you do not pass a policy, the resulting temporary security+-- credentials have no effective permissions. The only exception is when+-- the temporary security credentials are used to access a resource that+-- has a resource-based policy that specifically allows the federated user+-- to access the resource. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>+-- For more information about how permissions work, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>.+-- For information about using 'GetFederationToken' to create temporary+-- security credentials, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingFedTokens.html Creating Temporary Credentials to Enable Access for Federated Users>.+--+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html AWS API Reference> for GetFederationToken. module Network.AWS.STS.GetFederationToken     (-    -- * Request-      GetFederationToken-    -- ** Request constructor-    , getFederationToken-    -- ** Request lenses+    -- * Creating a Request+      getFederationToken+    , GetFederationToken+    -- * Request Lenses     , gftDurationSeconds-    , gftName     , gftPolicy+    , gftName -    -- * Response-    , GetFederationTokenResponse-    -- ** Response constructor+    -- * Destructuring the Response     , getFederationTokenResponse-    -- ** Response lenses-    , gftrCredentials-    , gftrFederatedUser-    , gftrPackedPolicySize+    , GetFederationTokenResponse+    -- * Response Lenses+    , gftrsPackedPolicySize+    , gftrsCredentials+    , gftrsFederatedUser+    , gftrsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -data GetFederationToken = GetFederationToken-    { _gftDurationSeconds :: Maybe Nat-    , _gftName            :: Text-    , _gftPolicy          :: Maybe Text-    } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'getFederationToken' smart constructor.+data GetFederationToken = GetFederationToken'+    { _gftDurationSeconds :: !(Maybe Nat)+    , _gftPolicy          :: !(Maybe Text)+    , _gftName            :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'GetFederationToken' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'GetFederationToken' with the minimum fields required to make a request. ----- * 'gftDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gftName' @::@ 'Text'+-- * 'gftDurationSeconds' ----- * 'gftPolicy' @::@ 'Maybe' 'Text'+-- * 'gftPolicy' ---getFederationToken :: Text -- ^ 'gftName'-                   -> GetFederationToken-getFederationToken p1 = GetFederationToken-    { _gftName            = p1-    , _gftPolicy          = Nothing-    , _gftDurationSeconds = Nothing+-- * 'gftName'+getFederationToken+    :: Text -- ^ 'gftName'+    -> GetFederationToken+getFederationToken pName_ =+    GetFederationToken'+    { _gftDurationSeconds = Nothing+    , _gftPolicy = Nothing+    , _gftName = pName_     } --- | The duration, in seconds, that the session should last. Acceptable durations--- for federation sessions range from 900 seconds (15 minutes) to 129600 seconds--- (36 hours), with 43200 seconds (12 hours) as the default. Sessions obtained--- using AWS account (root) credentials are restricted to a maximum of 3600--- seconds (one hour). If the specified duration is longer than one hour, the--- session obtained by using AWS account (root) credentials defaults to one--- hour.+-- | The duration, in seconds, that the session should last. Acceptable+-- durations for federation sessions range from 900 seconds (15 minutes) to+-- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.+-- Sessions obtained using AWS account (root) credentials are restricted to+-- a maximum of 3600 seconds (one hour). If the specified duration is+-- longer than one hour, the session obtained by using AWS account (root)+-- credentials defaults to one hour. gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)-gftDurationSeconds =-    lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })-        . mapping _Nat---- | The name of the federated user. The name is used as an identifier for the--- temporary security credentials (such as 'Bob'). For example, you can reference--- the federated user name in a resource-based policy, such as in an Amazon S3--- bucket policy.-gftName :: Lens' GetFederationToken Text-gftName = lens _gftName (\s a -> s { _gftName = a })+gftDurationSeconds = lens _gftDurationSeconds (\ s a -> s{_gftDurationSeconds = a}) . mapping _Nat; --- | An IAM policy in JSON format that is passed with the 'GetFederationToken' call--- and evaluated along with the policy or policies that are attached to the IAM--- user whose credentials are used to call 'GetFederationToken'. The passed policy--- is used to scope down the permissions that are available to the IAM user, by--- allowing only a subset of the permissions that are granted to the IAM user.--- The passed policy cannot grant more permissions than those granted to the IAM--- user. The final permissions for the federated user are the most restrictive--- set based on the intersection of the passed policy and the IAM user policy.+-- | An IAM policy in JSON format that is passed with the+-- 'GetFederationToken' call and evaluated along with the policy or+-- policies that are attached to the IAM user whose credentials are used to+-- call 'GetFederationToken'. The passed policy is used to scope down the+-- permissions that are available to the IAM user, by allowing only a+-- subset of the permissions that are granted to the IAM user. The passed+-- policy cannot grant more permissions than those granted to the IAM user.+-- The final permissions for the federated user are the most restrictive+-- set based on the intersection of the passed policy and the IAM user+-- policy. ----- If you do not pass a policy, the resulting temporary security credentials--- have no effective permissions. The only exception is when the temporary--- security credentials are used to access a resource that has a resource-based--- policy that specifically allows the federated user to access the resource.+-- If you do not pass a policy, the resulting temporary security+-- credentials have no effective permissions. The only exception is when+-- the temporary security credentials are used to access a resource that+-- has a resource-based policy that specifically allows the federated user+-- to access the resource. ----- For more information about how permissions work, see <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions forGetFederationToken> in /Using Temporary Security Credentials/.+-- The policy plain text must be 2048 bytes or shorter. However, an+-- internal conversion compresses it into a packed binary format with a+-- separate limit. The PackedPolicySize response element indicates by+-- percentage how close to the upper size limit the policy is, with 100%+-- equaling the maximum allowed size.+--+-- For more information about how permissions work, see+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/permissions-get-federation-token.html Permissions for GetFederationToken>. gftPolicy :: Lens' GetFederationToken (Maybe Text)-gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })+gftPolicy = lens _gftPolicy (\ s a -> s{_gftPolicy = a}); -data GetFederationTokenResponse = GetFederationTokenResponse-    { _gftrCredentials      :: Maybe Credentials-    , _gftrFederatedUser    :: Maybe FederatedUser-    , _gftrPackedPolicySize :: Maybe Nat-    } deriving (Eq, Read, Show)+-- | The name of the federated user. The name is used as an identifier for+-- the temporary security credentials (such as 'Bob'). For example, you can+-- reference the federated user name in a resource-based policy, such as in+-- an Amazon S3 bucket policy.+gftName :: Lens' GetFederationToken Text+gftName = lens _gftName (\ s a -> s{_gftName = a}); --- | 'GetFederationTokenResponse' constructor.+instance AWSRequest GetFederationToken where+        type Sv GetFederationToken = STS+        type Rs GetFederationToken =+             GetFederationTokenResponse+        request = postQuery+        response+          = receiveXMLWrapper "GetFederationTokenResult"+              (\ s h x ->+                 GetFederationTokenResponse' <$>+                   (x .@? "PackedPolicySize") <*> (x .@? "Credentials")+                     <*> (x .@? "FederatedUser")+                     <*> (pure (fromEnum s)))++instance ToHeaders GetFederationToken where+        toHeaders = const mempty++instance ToPath GetFederationToken where+        toPath = const "/"++instance ToQuery GetFederationToken where+        toQuery GetFederationToken'{..}+          = mconcat+              ["Action" =: ("GetFederationToken" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "DurationSeconds" =: _gftDurationSeconds,+               "Policy" =: _gftPolicy, "Name" =: _gftName]++-- | Contains the response to a successful GetFederationToken request,+-- including temporary AWS credentials that can be used to make AWS+-- requests. ----- The fields accessible through corresponding lenses are:+-- /See:/ 'getFederationTokenResponse' smart constructor.+data GetFederationTokenResponse = GetFederationTokenResponse'+    { _gftrsPackedPolicySize :: !(Maybe Nat)+    , _gftrsCredentials      :: !(Maybe Credentials)+    , _gftrsFederatedUser    :: !(Maybe FederatedUser)+    , _gftrsStatus           :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'GetFederationTokenResponse' with the minimum fields required to make a request. ----- * 'gftrCredentials' @::@ 'Maybe' 'Credentials'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gftrFederatedUser' @::@ 'Maybe' 'FederatedUser'+-- * 'gftrsPackedPolicySize' ----- * 'gftrPackedPolicySize' @::@ 'Maybe' 'Natural'+-- * 'gftrsCredentials' ---getFederationTokenResponse :: GetFederationTokenResponse-getFederationTokenResponse = GetFederationTokenResponse-    { _gftrCredentials      = Nothing-    , _gftrFederatedUser    = Nothing-    , _gftrPackedPolicySize = Nothing+-- * 'gftrsFederatedUser'+--+-- * 'gftrsStatus'+getFederationTokenResponse+    :: Int -- ^ 'gftrsStatus'+    -> GetFederationTokenResponse+getFederationTokenResponse pStatus_ =+    GetFederationTokenResponse'+    { _gftrsPackedPolicySize = Nothing+    , _gftrsCredentials = Nothing+    , _gftrsFederatedUser = Nothing+    , _gftrsStatus = pStatus_     } --- | Credentials for the service API authentication.-gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)-gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })---- | Identifiers for the federated user associated with the credentials (such as 'arn:aws:sts::123456789012:federated-user/Bob' or '123456789012:Bob'). You can use the federated user's ARN in your--- resource-based policies, such as an Amazon S3 bucket policy.-gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)-gftrFederatedUser =-    lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })- -- | A percentage value indicating the size of the policy in packed form. The -- service rejects policies for which the packed size is greater than 100 -- percent of the allowed value.-gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)-gftrPackedPolicySize =-    lens _gftrPackedPolicySize (\s a -> s { _gftrPackedPolicySize = a })-        . mapping _Nat--instance ToPath GetFederationToken where-    toPath = const "/"--instance ToQuery GetFederationToken where-    toQuery GetFederationToken{..} = mconcat-        [ "DurationSeconds" =? _gftDurationSeconds-        , "Name"            =? _gftName-        , "Policy"          =? _gftPolicy-        ]--instance ToHeaders GetFederationToken+gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)+gftrsPackedPolicySize = lens _gftrsPackedPolicySize (\ s a -> s{_gftrsPackedPolicySize = a}) . mapping _Nat; -instance AWSRequest GetFederationToken where-    type Sv GetFederationToken = STS-    type Rs GetFederationToken = GetFederationTokenResponse+-- | Credentials for the service API authentication.+gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)+gftrsCredentials = lens _gftrsCredentials (\ s a -> s{_gftrsCredentials = a}); -    request  = post "GetFederationToken"-    response = xmlResponse+-- | Identifiers for the federated user associated with the credentials (such+-- as 'arn:aws:sts::123456789012:federated-user\/Bob' or+-- '123456789012:Bob'). You can use the federated user\'s ARN in your+-- resource-based policies, such as an Amazon S3 bucket policy.+gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)+gftrsFederatedUser = lens _gftrsFederatedUser (\ s a -> s{_gftrsFederatedUser = a}); -instance FromXML GetFederationTokenResponse where-    parseXML = withElement "GetFederationTokenResult" $ \x -> GetFederationTokenResponse-        <$> x .@? "Credentials"-        <*> x .@? "FederatedUser"-        <*> x .@? "PackedPolicySize"+-- | The response status code.+gftrsStatus :: Lens' GetFederationTokenResponse Int+gftrsStatus = lens _gftrsStatus (\ s a -> s{_gftrsStatus = a});
gen/Network/AWS/STS/GetSessionToken.hs view
@@ -1,175 +1,191 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}  {-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-unused-binds   #-}+{-# OPTIONS_GHC -fno-warn-unused-matches #-} +-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- | -- Module      : Network.AWS.STS.GetSessionToken--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.---- | Returns a set of temporary credentials for an AWS account or IAM user. The--- credentials consist of an access key ID, a secret access key, and a security--- token. Typically, you use 'GetSessionToken' if you want to use MFA to protect--- programmatic calls to specific AWS APIs like Amazon EC2 'StopInstances'.--- MFA-enabled IAM users would need to call 'GetSessionToken' and submit an MFA--- code that is associated with their MFA device. Using the temporary security--- credentials that are returned from the call, IAM users can then make--- programmatic calls to APIs that require MFA authentication.+-- Returns a set of temporary credentials for an AWS account or IAM user.+-- The credentials consist of an access key ID, a secret access key, and a+-- security token. Typically, you use 'GetSessionToken' if you want to use+-- MFA to protect programmatic calls to specific AWS APIs like Amazon EC2+-- 'StopInstances'. MFA-enabled IAM users would need to call+-- 'GetSessionToken' and submit an MFA code that is associated with their+-- MFA device. Using the temporary security credentials that are returned+-- from the call, IAM users can then make programmatic calls to APIs that+-- require MFA authentication. -- -- The 'GetSessionToken' action must be called by using the long-term AWS--- security credentials of the AWS account or an IAM user. Credentials that are--- created by IAM users are valid for the duration that you specify, between 900--- seconds (15 minutes) and 129600 seconds (36 hours); credentials that are--- created by using account credentials have a maximum duration of 3600 seconds--- (1 hour).+-- security credentials of the AWS account or an IAM user. Credentials that+-- are created by IAM users are valid for the duration that you specify,+-- between 900 seconds (15 minutes) and 129600 seconds (36 hours);+-- credentials that are created by using account credentials have a maximum+-- duration of 3600 seconds (1 hour). -- -- We recommend that you do not call 'GetSessionToken' with root account--- credentials. Instead, follow our <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices> by creating one or more IAM--- users, giving them the necessary permissions, and using IAM users for--- everyday interaction with AWS.+-- credentials. Instead, follow our+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/IAMBestPractices.html#create-iam-users best practices>+-- by creating one or more IAM users, giving them the necessary+-- permissions, and using IAM users for everyday interaction with AWS. ----- The permissions associated with the temporary security credentials returned--- by 'GetSessionToken' are based on the permissions associated with account or--- IAM user whose credentials are used to call the action. If 'GetSessionToken' is--- called using root account credentials, the temporary credentials have root--- account permissions. Similarly, if 'GetSessionToken' is called using the--- credentials of an IAM user, the temporary credentials have the same--- permissions as the IAM user.+-- The permissions associated with the temporary security credentials+-- returned by 'GetSessionToken' are based on the permissions associated+-- with account or IAM user whose credentials are used to call the action.+-- If 'GetSessionToken' is called using root account credentials, the+-- temporary credentials have root account permissions. Similarly, if+-- 'GetSessionToken' is called using the credentials of an IAM user, the+-- temporary credentials have the same permissions as the IAM user. -- -- For more information about using 'GetSessionToken' to create temporary--- credentials, go to Creating Temporary Credentials to Enable Access for IAM--- Users in /Using Temporary Security Credentials/.+-- credentials, go to+-- <http://docs.aws.amazon.com/STS/latest/UsingSTS/CreatingSessionTokens.html Creating Temporary Credentials to Enable Access for IAM Users>. ----- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>+-- /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html AWS API Reference> for GetSessionToken. module Network.AWS.STS.GetSessionToken     (-    -- * Request-      GetSessionToken-    -- ** Request constructor-    , getSessionToken-    -- ** Request lenses+    -- * Creating a Request+      getSessionToken+    , GetSessionToken+    -- * Request Lenses+    , gstTokenCode     , gstDurationSeconds     , gstSerialNumber-    , gstTokenCode -    -- * Response-    , GetSessionTokenResponse-    -- ** Response constructor+    -- * Destructuring the Response     , getSessionTokenResponse-    -- ** Response lenses-    , gstrCredentials+    , GetSessionTokenResponse+    -- * Response Lenses+    , gstrsCredentials+    , gstrsStatus     ) where -import Network.AWS.Prelude-import Network.AWS.Request.Query-import Network.AWS.STS.Types-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Request+import           Network.AWS.Response+import           Network.AWS.STS.Types+import           Network.AWS.STS.Types.Product -data GetSessionToken = GetSessionToken-    { _gstDurationSeconds :: Maybe Nat-    , _gstSerialNumber    :: Maybe Text-    , _gstTokenCode       :: Maybe Text-    } deriving (Eq, Ord, Read, Show)+-- | /See:/ 'getSessionToken' smart constructor.+data GetSessionToken = GetSessionToken'+    { _gstTokenCode       :: !(Maybe Text)+    , _gstDurationSeconds :: !(Maybe Nat)+    , _gstSerialNumber    :: !(Maybe Text)+    } deriving (Eq,Read,Show,Data,Typeable,Generic) --- | 'GetSessionToken' constructor.------ The fields accessible through corresponding lenses are:+-- | Creates a value of 'GetSessionToken' with the minimum fields required to make a request. ----- * 'gstDurationSeconds' @::@ 'Maybe' 'Natural'+-- Use one of the following lenses to modify other fields as desired: ----- * 'gstSerialNumber' @::@ 'Maybe' 'Text'+-- * 'gstTokenCode' ----- * 'gstTokenCode' @::@ 'Maybe' 'Text'+-- * 'gstDurationSeconds' ---getSessionToken :: GetSessionToken-getSessionToken = GetSessionToken-    { _gstDurationSeconds = Nothing-    , _gstSerialNumber    = Nothing-    , _gstTokenCode       = Nothing+-- * 'gstSerialNumber'+getSessionToken+    :: GetSessionToken+getSessionToken =+    GetSessionToken'+    { _gstTokenCode = Nothing+    , _gstDurationSeconds = Nothing+    , _gstSerialNumber = Nothing     } --- | The duration, in seconds, that the credentials should remain valid.--- Acceptable durations for IAM user sessions range from 900 seconds (15--- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the--- default. Sessions for AWS account owners are restricted to a maximum of 3600--- seconds (one hour). If the duration is longer than one hour, the session for--- AWS account owners defaults to one hour.-gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)-gstDurationSeconds =-    lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })-        . mapping _Nat---- | The identification number of the MFA device that is associated with the IAM--- user who is making the 'GetSessionToken' call. Specify this value if the IAM--- user has a policy that requires MFA authentication. The value is either the--- serial number for a hardware device (such as 'GAHT12345678') or an Amazon--- Resource Name (ARN) for a virtual device (such as 'arn:aws:iam::123456789012:mfa/user'). You can find the device for an IAM user by going to the AWS Management--- Console and viewing the user's security credentials.-gstSerialNumber :: Lens' GetSessionToken (Maybe Text)-gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })- -- | The value provided by the MFA device, if MFA is required. If any policy -- requires the IAM user to submit an MFA code, specify this value. If MFA -- authentication is required, and the user does not provide a code when--- requesting a set of temporary security credentials, the user will receive an--- "access denied" response when requesting resources that require MFA--- authentication.+-- requesting a set of temporary security credentials, the user will+-- receive an \"access denied\" response when requesting resources that+-- require MFA authentication. gstTokenCode :: Lens' GetSessionToken (Maybe Text)-gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })+gstTokenCode = lens _gstTokenCode (\ s a -> s{_gstTokenCode = a}); -newtype GetSessionTokenResponse = GetSessionTokenResponse-    { _gstrCredentials :: Maybe Credentials-    } deriving (Eq, Read, Show)+-- | The duration, in seconds, that the credentials should remain valid.+-- Acceptable durations for IAM user sessions range from 900 seconds (15+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as+-- the default. Sessions for AWS account owners are restricted to a maximum+-- of 3600 seconds (one hour). If the duration is longer than one hour, the+-- session for AWS account owners defaults to one hour.+gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)+gstDurationSeconds = lens _gstDurationSeconds (\ s a -> s{_gstDurationSeconds = a}) . mapping _Nat; --- | 'GetSessionTokenResponse' constructor.------ The fields accessible through corresponding lenses are:------ * 'gstrCredentials' @::@ 'Maybe' 'Credentials'----getSessionTokenResponse :: GetSessionTokenResponse-getSessionTokenResponse = GetSessionTokenResponse-    { _gstrCredentials = Nothing-    }+-- | The identification number of the MFA device that is associated with the+-- IAM user who is making the 'GetSessionToken' call. Specify this value if+-- the IAM user has a policy that requires MFA authentication. The value is+-- either the serial number for a hardware device (such as 'GAHT12345678')+-- or an Amazon Resource Name (ARN) for a virtual device (such as+-- 'arn:aws:iam::123456789012:mfa\/user'). You can find the device for an+-- IAM user by going to the AWS Management Console and viewing the user\'s+-- security credentials.+gstSerialNumber :: Lens' GetSessionToken (Maybe Text)+gstSerialNumber = lens _gstSerialNumber (\ s a -> s{_gstSerialNumber = a}); --- | The session credentials for API authentication.-gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)-gstrCredentials = lens _gstrCredentials (\s a -> s { _gstrCredentials = a })+instance AWSRequest GetSessionToken where+        type Sv GetSessionToken = STS+        type Rs GetSessionToken = GetSessionTokenResponse+        request = postQuery+        response+          = receiveXMLWrapper "GetSessionTokenResult"+              (\ s h x ->+                 GetSessionTokenResponse' <$>+                   (x .@? "Credentials") <*> (pure (fromEnum s))) +instance ToHeaders GetSessionToken where+        toHeaders = const mempty+ instance ToPath GetSessionToken where-    toPath = const "/"+        toPath = const "/"  instance ToQuery GetSessionToken where-    toQuery GetSessionToken{..} = mconcat-        [ "DurationSeconds" =? _gstDurationSeconds-        , "SerialNumber"    =? _gstSerialNumber-        , "TokenCode"       =? _gstTokenCode-        ]+        toQuery GetSessionToken'{..}+          = mconcat+              ["Action" =: ("GetSessionToken" :: ByteString),+               "Version" =: ("2011-06-15" :: ByteString),+               "TokenCode" =: _gstTokenCode,+               "DurationSeconds" =: _gstDurationSeconds,+               "SerialNumber" =: _gstSerialNumber] -instance ToHeaders GetSessionToken+-- | Contains the response to a successful GetSessionToken request, including+-- temporary AWS credentials that can be used to make AWS requests.+--+-- /See:/ 'getSessionTokenResponse' smart constructor.+data GetSessionTokenResponse = GetSessionTokenResponse'+    { _gstrsCredentials :: !(Maybe Credentials)+    , _gstrsStatus      :: !Int+    } deriving (Eq,Read,Show,Data,Typeable,Generic) -instance AWSRequest GetSessionToken where-    type Sv GetSessionToken = STS-    type Rs GetSessionToken = GetSessionTokenResponse+-- | Creates a value of 'GetSessionTokenResponse' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'gstrsCredentials'+--+-- * 'gstrsStatus'+getSessionTokenResponse+    :: Int -- ^ 'gstrsStatus'+    -> GetSessionTokenResponse+getSessionTokenResponse pStatus_ =+    GetSessionTokenResponse'+    { _gstrsCredentials = Nothing+    , _gstrsStatus = pStatus_+    } -    request  = post "GetSessionToken"-    response = xmlResponse+-- | The session credentials for API authentication.+gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)+gstrsCredentials = lens _gstrsCredentials (\ s a -> s{_gstrsCredentials = a}); -instance FromXML GetSessionTokenResponse where-    parseXML = withElement "GetSessionTokenResult" $ \x -> GetSessionTokenResponse-        <$> x .@? "Credentials"+-- | The response status code.+gstrsStatus :: Lens' GetSessionTokenResponse Int+gstrsStatus = lens _gstrsStatus (\ s a -> s{_gstrsStatus = a});
gen/Network/AWS/STS/Types.hs view
@@ -1,254 +1,141 @@-{-# LANGUAGE DataKinds                   #-}-{-# LANGUAGE DeriveGeneric               #-}-{-# LANGUAGE FlexibleInstances           #-}-{-# LANGUAGE GeneralizedNewtypeDeriving  #-}-{-# LANGUAGE LambdaCase                  #-}-{-# LANGUAGE NoImplicitPrelude           #-}-{-# LANGUAGE OverloadedStrings           #-}-{-# LANGUAGE RecordWildCards             #-}-{-# LANGUAGE TypeFamilies                #-}-{-# LANGUAGE ViewPatterns                #-}+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE TypeFamilies      #-} -{-# OPTIONS_GHC -fno-warn-unused-imports #-}+-- Derived from AWS service descriptions, licensed under Apache 2.0. +-- | -- Module      : Network.AWS.STS.Types--- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>--- License     : This Source Code Form is subject to the terms of---               the Mozilla Public License, v. 2.0.---               A copy of the MPL can be found in the LICENSE file or---               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0. -- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>--- Stability   : experimental+-- Stability   : auto-generated -- Portability : non-portable (GHC extensions) ----- Derived from AWS service descriptions, licensed under Apache 2.0.- module Network.AWS.STS.Types     (     -- * Service       STS-    -- ** Error-    , RESTError-    -- ** XML-    , ns +    -- * Errors+    , _MalformedPolicyDocumentException+    , _PackedPolicyTooLargeException+    , _InvalidAuthorizationMessageException+    , _IdPCommunicationErrorException+    , _ExpiredTokenException+    , _InvalidIdentityTokenException+    , _IdPRejectedClaimException++    -- * AssumedRoleUser+    , AssumedRoleUser+    , assumedRoleUser+    , aruAssumedRoleId+    , aruARN+     -- * Credentials     , Credentials     , credentials     , cAccessKeyId-    , cExpiration     , cSecretAccessKey     , cSessionToken+    , cExpiration      -- * FederatedUser     , FederatedUser     , federatedUser-    , fuArn     , fuFederatedUserId--    -- * AssumedRoleUser-    , AssumedRoleUser-    , assumedRoleUser-    , aruArn-    , aruAssumedRoleId+    , fuARN     ) where -import Network.AWS.Prelude-import Network.AWS.Signing-import qualified GHC.Exts+import           Network.AWS.Prelude+import           Network.AWS.Sign.V4+import           Network.AWS.STS.Types.Product+import           Network.AWS.STS.Types.Sum --- | Version @2011-06-15@ of the Amazon Security Token Service service.+-- | Version @2011-06-15@ of the Amazon Security Token Service SDK. data STS  instance AWSService STS where     type Sg STS = V4-    type Er STS = RESTError--    service = service'+    service = const svc       where-        service' :: Service STS-        service' = Service-            { _svcAbbrev       = "STS"-            , _svcPrefix       = "sts"-            , _svcVersion      = "2011-06-15"-            , _svcTargetPrefix = Nothing-            , _svcJSONVersion  = Nothing-            , _svcHandle       = handle-            , _svcRetry        = retry+        svc =+            Service+            { _svcAbbrev = "STS"+            , _svcPrefix = "sts"+            , _svcVersion = "2011-06-15"+            , _svcEndpoint = defaultEndpoint svc+            , _svcTimeout = Just 70+            , _svcStatus = statusSuccess+            , _svcError = parseXMLError+            , _svcRetry = retry             }--        handle :: Status-               -> Maybe (LazyByteString -> ServiceError RESTError)-        handle = restError statusSuccess service'--        retry :: Retry STS-        retry = Exponential-            { _retryBase     = 0.05-            , _retryGrowth   = 2+        retry =+            Exponential+            { _retryBase = 5.0e-2+            , _retryGrowth = 2             , _retryAttempts = 5-            , _retryCheck    = check+            , _retryCheck = check             }--        check :: Status-              -> RESTError-              -> Bool-        check (statusCode -> s) (awsErrorCode -> e)-            | s == 400 && (Just "Throttling") == e = True -- Throttling-            | s == 500  = True -- General Server Error-            | s == 509  = True -- Limit Exceeded-            | s == 503  = True -- Service Unavailable-            | otherwise = False--ns :: Text-ns = "https://sts.amazonaws.com/doc/2011-06-15/"-{-# INLINE ns #-}--data Credentials = Credentials-    { _cAccessKeyId     :: Text-    , _cExpiration      :: ISO8601-    , _cSecretAccessKey :: Text-    , _cSessionToken    :: Text-    } deriving (Eq, Ord, Read, Show)---- | 'Credentials' constructor.------ The fields accessible through corresponding lenses are:------ * 'cAccessKeyId' @::@ 'Text'------ * 'cExpiration' @::@ 'UTCTime'------ * 'cSecretAccessKey' @::@ 'Text'------ * 'cSessionToken' @::@ 'Text'----credentials :: Text -- ^ 'cAccessKeyId'-            -> Text -- ^ 'cSecretAccessKey'-            -> Text -- ^ 'cSessionToken'-            -> UTCTime -- ^ 'cExpiration'-            -> Credentials-credentials p1 p2 p3 p4 = Credentials-    { _cAccessKeyId     = p1-    , _cSecretAccessKey = p2-    , _cSessionToken    = p3-    , _cExpiration      = withIso _Time (const id) p4-    }---- | The access key ID that identifies the temporary security credentials.-cAccessKeyId :: Lens' Credentials Text-cAccessKeyId = lens _cAccessKeyId (\s a -> s { _cAccessKeyId = a })---- | The date on which the current credentials expire.-cExpiration :: Lens' Credentials UTCTime-cExpiration = lens _cExpiration (\s a -> s { _cExpiration = a }) . _Time---- | The secret access key that can be used to sign requests.-cSecretAccessKey :: Lens' Credentials Text-cSecretAccessKey = lens _cSecretAccessKey (\s a -> s { _cSecretAccessKey = a })---- | The token that users must pass to the service API to use the temporary--- credentials.-cSessionToken :: Lens' Credentials Text-cSessionToken = lens _cSessionToken (\s a -> s { _cSessionToken = a })--instance FromXML Credentials where-    parseXML x = Credentials-        <$> x .@  "AccessKeyId"-        <*> x .@  "Expiration"-        <*> x .@  "SecretAccessKey"-        <*> x .@  "SessionToken"--instance ToQuery Credentials where-    toQuery Credentials{..} = mconcat-        [ "AccessKeyId"     =? _cAccessKeyId-        , "Expiration"      =? _cExpiration-        , "SecretAccessKey" =? _cSecretAccessKey-        , "SessionToken"    =? _cSessionToken-        ]--data FederatedUser = FederatedUser-    { _fuArn             :: Text-    , _fuFederatedUserId :: Text-    } deriving (Eq, Ord, Read, Show)+        check e+          | has (hasCode "ThrottlingException" . hasStatus 400) e =+              Just "throttling_exception"+          | has (hasCode "Throttling" . hasStatus 400) e = Just "throttling"+          | has (hasStatus 503) e = Just "service_unavailable"+          | has (hasStatus 500) e = Just "general_server_error"+          | has (hasStatus 509) e = Just "limit_exceeded"+          | otherwise = Nothing --- | 'FederatedUser' constructor.------ The fields accessible through corresponding lenses are:------ * 'fuArn' @::@ 'Text'------ * 'fuFederatedUserId' @::@ 'Text'----federatedUser :: Text -- ^ 'fuFederatedUserId'-              -> Text -- ^ 'fuArn'-              -> FederatedUser-federatedUser p1 p2 = FederatedUser-    { _fuFederatedUserId = p1-    , _fuArn             = p2-    }+-- | The request was rejected because the policy document was malformed. The+-- error message describes the specific error.+_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError+_MalformedPolicyDocumentException =+    _ServiceError . hasStatus 400 . hasCode "MalformedPolicyDocument" --- | The ARN that specifies the federated user that is associated with the--- credentials. For more information about ARNs and how to use them in policies,--- see Identifiers for IAM Entities in /Using IAM/.-fuArn :: Lens' FederatedUser Text-fuArn = lens _fuArn (\s a -> s { _fuArn = a })+-- | The request was rejected because the policy document was too large. The+-- error message describes how big the policy document is, in packed form,+-- as a percentage of what the API allows.+_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError+_PackedPolicyTooLargeException =+    _ServiceError . hasStatus 400 . hasCode "PackedPolicyTooLarge" --- | The string that identifies the federated user associated with the--- credentials, similar to the unique ID of an IAM user.-fuFederatedUserId :: Lens' FederatedUser Text-fuFederatedUserId =-    lens _fuFederatedUserId (\s a -> s { _fuFederatedUserId = a })+-- | The error returned if the message passed to 'DecodeAuthorizationMessage'+-- was invalid. This can happen if the token contains invalid characters,+-- such as linebreaks.+_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError+_InvalidAuthorizationMessageException =+    _ServiceError .+    hasStatus 400 . hasCode "InvalidAuthorizationMessageException" -instance FromXML FederatedUser where-    parseXML x = FederatedUser-        <$> x .@  "Arn"-        <*> x .@  "FederatedUserId"+-- | The request could not be fulfilled because the non-AWS identity provider+-- (IDP) that was asked to verify the incoming identity token could not be+-- reached. This is often a transient error caused by network conditions.+-- Retry the request a limited number of times so that you don\'t exceed+-- the request rate. If the error persists, the non-AWS identity provider+-- might be down or not responding.+_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError+_IdPCommunicationErrorException =+    _ServiceError . hasStatus 400 . hasCode "IDPCommunicationError" -instance ToQuery FederatedUser where-    toQuery FederatedUser{..} = mconcat-        [ "Arn"             =? _fuArn-        , "FederatedUserId" =? _fuFederatedUserId-        ]+-- | The web identity token that was passed is expired or is not valid. Get a+-- new identity token from the identity provider and then retry the+-- request.+_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError+_ExpiredTokenException =+    _ServiceError . hasStatus 400 . hasCode "ExpiredTokenException" -data AssumedRoleUser = AssumedRoleUser-    { _aruArn           :: Text-    , _aruAssumedRoleId :: Text-    } deriving (Eq, Ord, Read, Show)+-- | The web identity token that was passed could not be validated by AWS.+-- Get a new identity token from the identity provider and then retry the+-- request.+_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError+_InvalidIdentityTokenException =+    _ServiceError . hasStatus 400 . hasCode "InvalidIdentityToken" --- | 'AssumedRoleUser' constructor.------ The fields accessible through corresponding lenses are:------ * 'aruArn' @::@ 'Text'------ * 'aruAssumedRoleId' @::@ 'Text'+-- | The identity provider (IdP) reported that authentication failed. This+-- might be because the claim is invalid. ---assumedRoleUser :: Text -- ^ 'aruAssumedRoleId'-                -> Text -- ^ 'aruArn'-                -> AssumedRoleUser-assumedRoleUser p1 p2 = AssumedRoleUser-    { _aruAssumedRoleId = p1-    , _aruArn           = p2-    }---- | The ARN of the temporary security credentials that are returned from the 'AssumeRole' action. For more information about ARNs and how to use them in policies, see--- Identifiers for IAM Entities  in /Using IAM/.-aruArn :: Lens' AssumedRoleUser Text-aruArn = lens _aruArn (\s a -> s { _aruArn = a })---- | A unique identifier that contains the role ID and the role session name of--- the role that is being assumed. The role ID is generated by AWS when the role--- is created.-aruAssumedRoleId :: Lens' AssumedRoleUser Text-aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })--instance FromXML AssumedRoleUser where-    parseXML x = AssumedRoleUser-        <$> x .@  "Arn"-        <*> x .@  "AssumedRoleId"--instance ToQuery AssumedRoleUser where-    toQuery AssumedRoleUser{..} = mconcat-        [ "Arn"           =? _aruArn-        , "AssumedRoleId" =? _aruAssumedRoleId-        ]+-- If this error is returned for the 'AssumeRoleWithWebIdentity' operation,+-- it can also mean that the claim has expired or has been explicitly+-- revoked.+_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError+_IdPRejectedClaimException =+    _ServiceError . hasStatus 403 . hasCode "IDPRejectedClaim"
+ gen/Network/AWS/STS/Types/Product.hs view
@@ -0,0 +1,170 @@+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE OverloadedStrings  #-}+{-# LANGUAGE RecordWildCards    #-}+{-# LANGUAGE TypeFamilies       #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module      : Network.AWS.STS.Types.Product+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Types.Product where++import           Network.AWS.Prelude+import           Network.AWS.STS.Types.Sum++-- | The identifiers for the temporary security credentials that the+-- operation returns.+--+-- /See:/ 'assumedRoleUser' smart constructor.+data AssumedRoleUser = AssumedRoleUser'+    { _aruAssumedRoleId :: !Text+    , _aruARN           :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'AssumedRoleUser' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'aruAssumedRoleId'+--+-- * 'aruARN'+assumedRoleUser+    :: Text -- ^ 'aruAssumedRoleId'+    -> Text -- ^ 'aruARN'+    -> AssumedRoleUser+assumedRoleUser pAssumedRoleId_ pARN_ =+    AssumedRoleUser'+    { _aruAssumedRoleId = pAssumedRoleId_+    , _aruARN = pARN_+    }++-- | A unique identifier that contains the role ID and the role session name+-- of the role that is being assumed. The role ID is generated by AWS when+-- the role is created.+aruAssumedRoleId :: Lens' AssumedRoleUser Text+aruAssumedRoleId = lens _aruAssumedRoleId (\ s a -> s{_aruAssumedRoleId = a});++-- | The ARN of the temporary security credentials that are returned from the+-- AssumeRole action. For more information about ARNs and how to use them+-- in policies, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>+-- in /Using IAM/.+aruARN :: Lens' AssumedRoleUser Text+aruARN = lens _aruARN (\ s a -> s{_aruARN = a});++instance FromXML AssumedRoleUser where+        parseXML x+          = AssumedRoleUser' <$>+              (x .@ "AssumedRoleId") <*> (x .@ "Arn")++-- | AWS credentials for API authentication.+--+-- /See:/ 'credentials' smart constructor.+data Credentials = Credentials'+    { _cAccessKeyId     :: !Text+    , _cSecretAccessKey :: !Text+    , _cSessionToken    :: !Text+    , _cExpiration      :: !ISO8601+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'Credentials' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'cAccessKeyId'+--+-- * 'cSecretAccessKey'+--+-- * 'cSessionToken'+--+-- * 'cExpiration'+credentials+    :: Text -- ^ 'cAccessKeyId'+    -> Text -- ^ 'cSecretAccessKey'+    -> Text -- ^ 'cSessionToken'+    -> UTCTime -- ^ 'cExpiration'+    -> Credentials+credentials pAccessKeyId_ pSecretAccessKey_ pSessionToken_ pExpiration_ =+    Credentials'+    { _cAccessKeyId = pAccessKeyId_+    , _cSecretAccessKey = pSecretAccessKey_+    , _cSessionToken = pSessionToken_+    , _cExpiration = _Time # pExpiration_+    }++-- | The access key ID that identifies the temporary security credentials.+cAccessKeyId :: Lens' Credentials Text+cAccessKeyId = lens _cAccessKeyId (\ s a -> s{_cAccessKeyId = a});++-- | The secret access key that can be used to sign requests.+cSecretAccessKey :: Lens' Credentials Text+cSecretAccessKey = lens _cSecretAccessKey (\ s a -> s{_cSecretAccessKey = a});++-- | The token that users must pass to the service API to use the temporary+-- credentials.+cSessionToken :: Lens' Credentials Text+cSessionToken = lens _cSessionToken (\ s a -> s{_cSessionToken = a});++-- | The date on which the current credentials expire.+cExpiration :: Lens' Credentials UTCTime+cExpiration = lens _cExpiration (\ s a -> s{_cExpiration = a}) . _Time;++instance FromXML Credentials where+        parseXML x+          = Credentials' <$>+              (x .@ "AccessKeyId") <*> (x .@ "SecretAccessKey") <*>+                (x .@ "SessionToken")+                <*> (x .@ "Expiration")++-- | Identifiers for the federated user that is associated with the+-- credentials.+--+-- /See:/ 'federatedUser' smart constructor.+data FederatedUser = FederatedUser'+    { _fuFederatedUserId :: !Text+    , _fuARN             :: !Text+    } deriving (Eq,Read,Show,Data,Typeable,Generic)++-- | Creates a value of 'FederatedUser' with the minimum fields required to make a request.+--+-- Use one of the following lenses to modify other fields as desired:+--+-- * 'fuFederatedUserId'+--+-- * 'fuARN'+federatedUser+    :: Text -- ^ 'fuFederatedUserId'+    -> Text -- ^ 'fuARN'+    -> FederatedUser+federatedUser pFederatedUserId_ pARN_ =+    FederatedUser'+    { _fuFederatedUserId = pFederatedUserId_+    , _fuARN = pARN_+    }++-- | The string that identifies the federated user associated with the+-- credentials, similar to the unique ID of an IAM user.+fuFederatedUserId :: Lens' FederatedUser Text+fuFederatedUserId = lens _fuFederatedUserId (\ s a -> s{_fuFederatedUserId = a});++-- | The ARN that specifies the federated user that is associated with the+-- credentials. For more information about ARNs and how to use them in+-- policies, see+-- <http://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html IAM Identifiers>+-- in /Using IAM/.+fuARN :: Lens' FederatedUser Text+fuARN = lens _fuARN (\ s a -> s{_fuARN = a});++instance FromXML FederatedUser where+        parseXML x+          = FederatedUser' <$>+              (x .@ "FederatedUserId") <*> (x .@ "Arn")
+ gen/Network/AWS/STS/Types/Sum.hs view
@@ -0,0 +1,20 @@+{-# LANGUAGE DeriveDataTypeable #-}+{-# LANGUAGE DeriveGeneric      #-}+{-# LANGUAGE LambdaCase         #-}+{-# LANGUAGE OverloadedStrings  #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module      : Network.AWS.STS.Types.Sum+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Types.Sum where++import           Network.AWS.Prelude
+ gen/Network/AWS/STS/Waiters.hs view
@@ -0,0 +1,20 @@+{-# LANGUAGE OverloadedStrings #-}+{-# LANGUAGE TypeFamilies      #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module      : Network.AWS.STS.Waiters+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Network.AWS.STS.Waiters where++import           Network.AWS.Prelude+import           Network.AWS.STS.Types+import           Network.AWS.Waiter
+ test/Main.hs view
@@ -0,0 +1,21 @@+{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- |+-- Module      : Main+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Main (main) where++import Test.Tasty+import Test.AWS.STS+import Test.AWS.STS.Internal++main :: IO ()+main = defaultMain $ testGroup "STS"+    [ testGroup "tests"    tests+    , testGroup "fixtures" fixtures+    ]
+ test/Test/AWS/Gen/STS.hs view
@@ -0,0 +1,141 @@+{-# OPTIONS_GHC -fno-warn-unused-imports #-}+{-# OPTIONS_GHC -fno-warn-orphans        #-}++-- Derived from AWS service descriptions, licensed under Apache 2.0.++-- |+-- Module      : Test.AWS.Gen.STS+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : Mozilla Public License, v. 2.0.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : auto-generated+-- Portability : non-portable (GHC extensions)+--+module Test.AWS.Gen.STS where++import Data.Proxy+import Test.AWS.Fixture+import Test.AWS.Prelude+import Test.Tasty+import Network.AWS.STS+import Test.AWS.STS.Internal++-- Auto-generated: the actual test selection needs to be manually placed into+-- the top-level so that real test data can be incrementally added.+--+-- This commented snippet is what the entire set should look like:++-- fixtures :: TestTree+-- fixtures =+--     [ testGroup "request"+--         [ testAssumeRole $+--             assumeRole+--+--         , testDecodeAuthorizationMessage $+--             decodeAuthorizationMessage+--+--         , testAssumeRoleWithWebIdentity $+--             assumeRoleWithWebIdentity+--+--         , testGetFederationToken $+--             getFederationToken+--+--         , testGetSessionToken $+--             getSessionToken+--+--         , testAssumeRoleWithSAML $+--             assumeRoleWithSAML+--+--           ]++--     , testGroup "response"+--         [ testAssumeRoleResponse $+--             assumeRoleResponse+--+--         , testDecodeAuthorizationMessageResponse $+--             decodeAuthorizationMessageResponse+--+--         , testAssumeRoleWithWebIdentityResponse $+--             assumeRoleWithWebIdentityResponse+--+--         , testGetFederationTokenResponse $+--             getFederationTokenResponse+--+--         , testGetSessionTokenResponse $+--             getSessionTokenResponse+--+--         , testAssumeRoleWithSAMLResponse $+--             assumeRoleWithSAMLResponse+--+--           ]+--     ]++-- Requests++testAssumeRole :: AssumeRole -> TestTree+testAssumeRole = req+    "AssumeRole"+    "fixture/AssumeRole"++testDecodeAuthorizationMessage :: DecodeAuthorizationMessage -> TestTree+testDecodeAuthorizationMessage = req+    "DecodeAuthorizationMessage"+    "fixture/DecodeAuthorizationMessage"++testAssumeRoleWithWebIdentity :: AssumeRoleWithWebIdentity -> TestTree+testAssumeRoleWithWebIdentity = req+    "AssumeRoleWithWebIdentity"+    "fixture/AssumeRoleWithWebIdentity"++testGetFederationToken :: GetFederationToken -> TestTree+testGetFederationToken = req+    "GetFederationToken"+    "fixture/GetFederationToken"++testGetSessionToken :: GetSessionToken -> TestTree+testGetSessionToken = req+    "GetSessionToken"+    "fixture/GetSessionToken"++testAssumeRoleWithSAML :: AssumeRoleWithSAML -> TestTree+testAssumeRoleWithSAML = req+    "AssumeRoleWithSAML"+    "fixture/AssumeRoleWithSAML"++-- Responses++testAssumeRoleResponse :: AssumeRoleResponse -> TestTree+testAssumeRoleResponse = res+    "AssumeRoleResponse"+    "fixture/AssumeRoleResponse"+    (Proxy :: Proxy AssumeRole)++testDecodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse -> TestTree+testDecodeAuthorizationMessageResponse = res+    "DecodeAuthorizationMessageResponse"+    "fixture/DecodeAuthorizationMessageResponse"+    (Proxy :: Proxy DecodeAuthorizationMessage)++testAssumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse -> TestTree+testAssumeRoleWithWebIdentityResponse = res+    "AssumeRoleWithWebIdentityResponse"+    "fixture/AssumeRoleWithWebIdentityResponse"+    (Proxy :: Proxy AssumeRoleWithWebIdentity)++testGetFederationTokenResponse :: GetFederationTokenResponse -> TestTree+testGetFederationTokenResponse = res+    "GetFederationTokenResponse"+    "fixture/GetFederationTokenResponse"+    (Proxy :: Proxy GetFederationToken)++testGetSessionTokenResponse :: GetSessionTokenResponse -> TestTree+testGetSessionTokenResponse = res+    "GetSessionTokenResponse"+    "fixture/GetSessionTokenResponse"+    (Proxy :: Proxy GetSessionToken)++testAssumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse -> TestTree+testAssumeRoleWithSAMLResponse = res+    "AssumeRoleWithSAMLResponse"+    "fixture/AssumeRoleWithSAMLResponse"+    (Proxy :: Proxy AssumeRoleWithSAML)
+ test/Test/AWS/STS.hs view
@@ -0,0 +1,26 @@+{-# LANGUAGE OverloadedStrings #-}++-- Module      : Test.AWS.STS+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++module Test.AWS.STS+    ( tests+    , fixtures+    ) where++import           Network.AWS.STS+import           Test.AWS.Gen.STS+import           Test.Tasty++tests :: [TestTree]+tests = []++fixtures :: [TestTree]+fixtures = []
+ test/Test/AWS/STS/Internal.hs view
@@ -0,0 +1,16 @@+{-# LANGUAGE OverloadedStrings #-}+{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Test.AWS.STS.Internal+-- Copyright   : (c) 2013-2015 Brendan Hay+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++module Test.AWS.STS.Internal where++import Test.AWS.Prelude