packages feed

amazonka-sts (empty) → 0.0.0

raw patch · 12 files changed

+2110/−0 lines, 12 filesdep +amazonka-coredep +basesetup-changed

Dependencies added: amazonka-core, base

Files

+ LICENSE view
@@ -0,0 +1,373 @@+Mozilla Public License Version 2.0+==================================++1. Definitions+--------------++1.1. "Contributor"+    means each individual or legal entity that creates, contributes to+    the creation of, or owns Covered Software.++1.2. "Contributor Version"+    means the combination of the Contributions of others (if any) used+    by a Contributor and that particular Contributor's Contribution.++1.3. "Contribution"+    means Covered Software of a particular Contributor.++1.4. "Covered Software"+    means Source Code Form to which the initial Contributor has attached+    the notice in Exhibit A, the Executable Form of such Source Code+    Form, and Modifications of such Source Code Form, in each case+    including portions thereof.++1.5. "Incompatible With Secondary Licenses"+    means++    (a) that the initial Contributor has attached the notice described+        in Exhibit B to the Covered Software; or++    (b) that the Covered Software was made available under the terms of+        version 1.1 or earlier of the License, but not also under the+        terms of a Secondary License.++1.6. "Executable Form"+    means any form of the work other than Source Code Form.++1.7. "Larger Work"+    means a work that combines Covered Software with other material, in+    a separate file or files, that is not Covered Software.++1.8. "License"+    means this document.++1.9. "Licensable"+    means having the right to grant, to the maximum extent possible,+    whether at the time of the initial grant or subsequently, any and+    all of the rights conveyed by this License.++1.10. "Modifications"+    means any of the following:++    (a) any file in Source Code Form that results from an addition to,+        deletion from, or modification of the contents of Covered+        Software; or++    (b) any new file in Source Code Form that contains any Covered+        Software.++1.11. "Patent Claims" of a Contributor+    means any patent claim(s), including without limitation, method,+    process, and apparatus claims, in any patent Licensable by such+    Contributor that would be infringed, but for the grant of the+    License, by the making, using, selling, offering for sale, having+    made, import, or transfer of either its Contributions or its+    Contributor Version.++1.12. "Secondary License"+    means either the GNU General Public License, Version 2.0, the GNU+    Lesser General Public License, Version 2.1, the GNU Affero General+    Public License, Version 3.0, or any later versions of those+    licenses.++1.13. "Source Code Form"+    means the form of the work preferred for making modifications.++1.14. "You" (or "Your")+    means an individual or a legal entity exercising rights under this+    License. For legal entities, "You" includes any entity that+    controls, is controlled by, or is under common control with You. For+    purposes of this definition, "control" means (a) the power, direct+    or indirect, to cause the direction or management of such entity,+    whether by contract or otherwise, or (b) ownership of more than+    fifty percent (50%) of the outstanding shares or beneficial+    ownership of such entity.++2. License Grants and Conditions+--------------------------------++2.1. Grants++Each Contributor hereby grants You a world-wide, royalty-free,+non-exclusive license:++(a) under intellectual property rights (other than patent or trademark)+    Licensable by such Contributor to use, reproduce, make available,+    modify, display, perform, distribute, and otherwise exploit its+    Contributions, either on an unmodified basis, with Modifications, or+    as part of a Larger Work; and++(b) under Patent Claims of such Contributor to make, use, sell, offer+    for sale, have made, import, and otherwise transfer either its+    Contributions or its Contributor Version.++2.2. Effective Date++The licenses granted in Section 2.1 with respect to any Contribution+become effective for each Contribution on the date the Contributor first+distributes such Contribution.++2.3. Limitations on Grant Scope++The licenses granted in this Section 2 are the only rights granted under+this License. No additional rights or licenses will be implied from the+distribution or licensing of Covered Software under this License.+Notwithstanding Section 2.1(b) above, no patent license is granted by a+Contributor:++(a) for any code that a Contributor has removed from Covered Software;+    or++(b) for infringements caused by: (i) Your and any other third party's+    modifications of Covered Software, or (ii) the combination of its+    Contributions with other software (except as part of its Contributor+    Version); or++(c) under Patent Claims infringed by Covered Software in the absence of+    its Contributions.++This License does not grant any rights in the trademarks, service marks,+or logos of any Contributor (except as may be necessary to comply with+the notice requirements in Section 3.4).++2.4. Subsequent Licenses++No Contributor makes additional grants as a result of Your choice to+distribute the Covered Software under a subsequent version of this+License (see Section 10.2) or under the terms of a Secondary License (if+permitted under the terms of Section 3.3).++2.5. Representation++Each Contributor represents that the Contributor believes its+Contributions are its original creation(s) or it has sufficient rights+to grant the rights to its Contributions conveyed by this License.++2.6. Fair Use++This License is not intended to limit any rights You have under+applicable copyright doctrines of fair use, fair dealing, or other+equivalents.++2.7. Conditions++Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted+in Section 2.1.++3. Responsibilities+-------------------++3.1. Distribution of Source Form++All distribution of Covered Software in Source Code Form, including any+Modifications that You create or to which You contribute, must be under+the terms of this License. You must inform recipients that the Source+Code Form of the Covered Software is governed by the terms of this+License, and how they can obtain a copy of this License. You may not+attempt to alter or restrict the recipients' rights in the Source Code+Form.++3.2. Distribution of Executable Form++If You distribute Covered Software in Executable Form then:++(a) such Covered Software must also be made available in Source Code+    Form, as described in Section 3.1, and You must inform recipients of+    the Executable Form how they can obtain a copy of such Source Code+    Form by reasonable means in a timely manner, at a charge no more+    than the cost of distribution to the recipient; and++(b) You may distribute such Executable Form under the terms of this+    License, or sublicense it under different terms, provided that the+    license for the Executable Form does not attempt to limit or alter+    the recipients' rights in the Source Code Form under this License.++3.3. Distribution of a Larger Work++You may create and distribute a Larger Work under terms of Your choice,+provided that You also comply with the requirements of this License for+the Covered Software. If the Larger Work is a combination of Covered+Software with a work governed by one or more Secondary Licenses, and the+Covered Software is not Incompatible With Secondary Licenses, this+License permits You to additionally distribute such Covered Software+under the terms of such Secondary License(s), so that the recipient of+the Larger Work may, at their option, further distribute the Covered+Software under the terms of either this License or such Secondary+License(s).++3.4. Notices++You may not remove or alter the substance of any license notices+(including copyright notices, patent notices, disclaimers of warranty,+or limitations of liability) contained within the Source Code Form of+the Covered Software, except that You may alter any license notices to+the extent required to remedy known factual inaccuracies.++3.5. Application of Additional Terms++You may choose to offer, and to charge a fee for, warranty, support,+indemnity or liability obligations to one or more recipients of Covered+Software. However, You may do so only on Your own behalf, and not on+behalf of any Contributor. You must make it absolutely clear that any+such warranty, support, indemnity, or liability obligation is offered by+You alone, and You hereby agree to indemnify every Contributor for any+liability incurred by such Contributor as a result of warranty, support,+indemnity or liability terms You offer. You may include additional+disclaimers of warranty and limitations of liability specific to any+jurisdiction.++4. Inability to Comply Due to Statute or Regulation+---------------------------------------------------++If it is impossible for You to comply with any of the terms of this+License with respect to some or all of the Covered Software due to+statute, judicial order, or regulation then You must: (a) comply with+the terms of this License to the maximum extent possible; and (b)+describe the limitations and the code they affect. Such description must+be placed in a text file included with all distributions of the Covered+Software under this License. Except to the extent prohibited by statute+or regulation, such description must be sufficiently detailed for a+recipient of ordinary skill to be able to understand it.++5. Termination+--------------++5.1. The rights granted under this License will terminate automatically+if You fail to comply with any of its terms. However, if You become+compliant, then the rights granted under this License from a particular+Contributor are reinstated (a) provisionally, unless and until such+Contributor explicitly and finally terminates Your grants, and (b) on an+ongoing basis, if such Contributor fails to notify You of the+non-compliance by some reasonable means prior to 60 days after You have+come back into compliance. Moreover, Your grants from a particular+Contributor are reinstated on an ongoing basis if such Contributor+notifies You of the non-compliance by some reasonable means, this is the+first time You have received notice of non-compliance with this License+from such Contributor, and You become compliant prior to 30 days after+Your receipt of the notice.++5.2. If You initiate litigation against any entity by asserting a patent+infringement claim (excluding declaratory judgment actions,+counter-claims, and cross-claims) alleging that a Contributor Version+directly or indirectly infringes any patent, then the rights granted to+You by any and all Contributors for the Covered Software under Section+2.1 of this License shall terminate.++5.3. In the event of termination under Sections 5.1 or 5.2 above, all+end user license agreements (excluding distributors and resellers) which+have been validly granted by You or Your distributors under this License+prior to termination shall survive termination.++************************************************************************+*                                                                      *+*  6. Disclaimer of Warranty                                           *+*  -------------------------                                           *+*                                                                      *+*  Covered Software is provided under this License on an "as is"       *+*  basis, without warranty of any kind, either expressed, implied, or  *+*  statutory, including, without limitation, warranties that the       *+*  Covered Software is free of defects, merchantable, fit for a        *+*  particular purpose or non-infringing. The entire risk as to the     *+*  quality and performance of the Covered Software is with You.        *+*  Should any Covered Software prove defective in any respect, You     *+*  (not any Contributor) assume the cost of any necessary servicing,   *+*  repair, or correction. This disclaimer of warranty constitutes an   *+*  essential part of this License. No use of any Covered Software is   *+*  authorized under this License except under this disclaimer.         *+*                                                                      *+************************************************************************++************************************************************************+*                                                                      *+*  7. Limitation of Liability                                          *+*  --------------------------                                          *+*                                                                      *+*  Under no circumstances and under no legal theory, whether tort      *+*  (including negligence), contract, or otherwise, shall any           *+*  Contributor, or anyone who distributes Covered Software as          *+*  permitted above, be liable to You for any direct, indirect,         *+*  special, incidental, or consequential damages of any character      *+*  including, without limitation, damages for lost profits, loss of    *+*  goodwill, work stoppage, computer failure or malfunction, or any    *+*  and all other commercial damages or losses, even if such party      *+*  shall have been informed of the possibility of such damages. This   *+*  limitation of liability shall not apply to liability for death or   *+*  personal injury resulting from such party's negligence to the       *+*  extent applicable law prohibits such limitation. Some               *+*  jurisdictions do not allow the exclusion or limitation of           *+*  incidental or consequential damages, so this exclusion and          *+*  limitation may not apply to You.                                    *+*                                                                      *+************************************************************************++8. Litigation+-------------++Any litigation relating to this License may be brought only in the+courts of a jurisdiction where the defendant maintains its principal+place of business and such litigation shall be governed by laws of that+jurisdiction, without reference to its conflict-of-law provisions.+Nothing in this Section shall prevent a party's ability to bring+cross-claims or counter-claims.++9. Miscellaneous+----------------++This License represents the complete agreement concerning the subject+matter hereof. If any provision of this License is held to be+unenforceable, such provision shall be reformed only to the extent+necessary to make it enforceable. Any law or regulation which provides+that the language of a contract shall be construed against the drafter+shall not be used to construe this License against a Contributor.++10. Versions of the License+---------------------------++10.1. New Versions++Mozilla Foundation is the license steward. Except as provided in Section+10.3, no one other than the license steward has the right to modify or+publish new versions of this License. Each version will be given a+distinguishing version number.++10.2. Effect of New Versions++You may distribute the Covered Software under the terms of the version+of the License under which You originally received the Covered Software,+or under the terms of any subsequent version published by the license+steward.++10.3. Modified Versions++If you create software not governed by this License, and you want to+create a new license for such software, you may create and use a+modified version of this License if you rename the license and remove+any references to the name of the license steward (except to note that+such modified license differs from this License).++10.4. Distributing Source Code Form that is Incompatible With Secondary+Licenses++If You choose to distribute Source Code Form that is Incompatible With+Secondary Licenses under the terms of this version of the License, the+notice described in Exhibit B of this License must be attached.++Exhibit A - Source Code Form License Notice+-------------------------------------------++  This Source Code Form is subject to the terms of the Mozilla Public+  License, v. 2.0. If a copy of the MPL was not distributed with this+  file, You can obtain one at http://mozilla.org/MPL/2.0/.++If it is not possible or desirable to put the notice in a particular+file, then You may include the notice in a location (such as a LICENSE+file in a relevant directory) where a recipient would be likely to look+for such a notice.++You may add additional accurate notices of copyright ownership.++Exhibit B - "Incompatible With Secondary Licenses" Notice+---------------------------------------------------------++  This Source Code Form is "Incompatible With Secondary Licenses", as+  defined by the Mozilla Public License, v. 2.0.
+ README.md view
@@ -0,0 +1,26 @@+# Amazon Security Token Service SDK++> _Warning:_ This is an experimental preview release which is still under heavy development and not intended for public consumption, _caveat emptor_!++* [description](#description)+* [Contribute](#contribute)+* [Licence](#licence)++## Description++The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users).++Documentation is available via [Hackage](http://hackage.haskell.org/package/amazonka-sts)+and [AWS API Reference](http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html).+++## Contribute++For any problems, comments, or feedback please create an issue [here on GitHub](https://github.com/brendanhay/amazonka/issues).++> _Note:_ this library is an auto-generated Haskell package. Please see `amazonka-gen` for more information.+++## Licence++`amazonka-sts` is released under the [Mozilla Public License Version 2.0](http://www.mozilla.org/MPL/).
+ Setup.hs view
@@ -0,0 +1,2 @@+import Distribution.Simple+main = defaultMain
+ amazonka-sts.cabal view
@@ -0,0 +1,50 @@+name:                  amazonka-sts+version:               0.0.0+synopsis:              Amazon Security Token Service SDK.+homepage:              https://github.com/brendanhay/amazonka+license:               OtherLicense+license-file:          LICENSE+author:                Brendan Hay+maintainer:            Brendan Hay <brendan.g.hay@gmail.com>+copyright:             Copyright (c) 2013-2014 Brendan Hay+category:              Network, AWS, Cloud+build-type:            Simple+extra-source-files:    README.md+cabal-version:         >= 1.10++description:+    The AWS Security Token Service (STS) is a web service that enables you+    to request temporary, limited-privilege credentials for AWS Identity+    and Access Management (IAM) users or for users that you authenticate+    (federated users).+    .+    /See:/ <http://docs.aws.amazon.com/STS/latest/APIReference/Welcome.html AWS API Reference>+    .+    /Warning:/ This is an experimental preview release which is still under+    heavy development and not intended for public consumption, caveat emptor!++source-repository head+    type:     git+    location: git://github.com/brendanhay/amazonka.git++library+    default-language:  Haskell2010+    hs-source-dirs:    src gen++    ghc-options:       -Wall++    exposed-modules:+          Network.AWS.STS+        , Network.AWS.STS.AssumeRole+        , Network.AWS.STS.AssumeRoleWithSAML+        , Network.AWS.STS.AssumeRoleWithWebIdentity+        , Network.AWS.STS.DecodeAuthorizationMessage+        , Network.AWS.STS.GetFederationToken+        , Network.AWS.STS.GetSessionToken+        , Network.AWS.STS.Types++    other-modules:++    build-depends:+          amazonka-core+        , base          >= 4.7 && < 5
+ gen/Network/AWS/STS.hs view
@@ -0,0 +1,31 @@+-- Module      : Network.AWS.STS+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | The AWS Security Token Service (STS) is a web service that enables you to+-- request temporary, limited-privilege credentials for AWS Identity and+-- Access Management (IAM) users or for users that you authenticate (federated+-- users).+module Network.AWS.STS+    ( module Network.AWS.STS.AssumeRole+    , module Network.AWS.STS.AssumeRoleWithSAML+    , module Network.AWS.STS.AssumeRoleWithWebIdentity+    , module Network.AWS.STS.DecodeAuthorizationMessage+    , module Network.AWS.STS.GetFederationToken+    , module Network.AWS.STS.GetSessionToken+    , module Network.AWS.STS.Types+    ) where++import Network.AWS.STS.AssumeRole+import Network.AWS.STS.AssumeRoleWithSAML+import Network.AWS.STS.AssumeRoleWithWebIdentity+import Network.AWS.STS.DecodeAuthorizationMessage+import Network.AWS.STS.GetFederationToken+import Network.AWS.STS.GetSessionToken+import Network.AWS.STS.Types
+ gen/Network/AWS/STS/AssumeRole.hs view
@@ -0,0 +1,282 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.AssumeRole+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) that you can use to+-- access AWS resources that you might not normally have access to. Typically,+-- you use AssumeRole for cross-account access or federation. Important: You+-- cannot call AssumeRole by using AWS account credentials; access will be+-- denied. You must use IAM user credentials or temporary security credentials+-- to call AssumeRole. For cross-account access, imagine that you own multiple+-- accounts and need to access resources in each account. You could create+-- long-term credentials in each account to access those resources. However,+-- managing all those credentials and remembering which one can access which+-- account can be time consuming. Instead, you can create one set of long-term+-- credentials in one account and then use temporary security credentials to+-- access all the other accounts by assuming roles in those accounts. For more+-- information about roles, see Roles in Using IAM. For federation, you can,+-- for example, grant single sign-on access to the AWS Management Console. If+-- you already have an identity and authentication system in your corporate+-- network, you don't have to recreate user identities in AWS in order to+-- grant those user identities access to AWS. Instead, after a user has been+-- authenticated, you call AssumeRole (and specify the role with the+-- appropriate permissions) to get temporary security credentials for that+-- user. With those temporary security credentials, you construct a sign-in+-- URL that users can use to access the console. For more information, see+-- Scenarios for Granting Temporary Access in Using Temporary Security+-- Credentials. The temporary security credentials are valid for the duration+-- that you specified when calling AssumeRole, which can be from 900 seconds+-- (15 minutes) to 3600 seconds (1 hour). The default is 1 hour. Optionally,+-- you can pass an IAM access policy to this operation. If you choose not to+-- pass a policy, the temporary security credentials that are returned by the+-- operation have the permissions that are defined in the access policy of the+-- role that is being assumed. If you pass a policy to this operation, the+-- temporary security credentials that are returned by the operation have the+-- permissions that are allowed by both the access policy of the role that is+-- being assumed, and the policy that you pass. This gives you a way to+-- further restrict the permissions for the resulting temporary security+-- credentials. You cannot use the passed policy to grant permissions that are+-- in excess of those allowed by the access policy of the role that is being+-- assumed. For more information, see Permissions for AssumeRole in Using+-- Temporary Security Credentials. To assume a role, your AWS account must be+-- trusted by the role. The trust relationship is defined in the role's trust+-- policy when the role is created. You must also have a policy that allows+-- you to call sts:AssumeRole. Using MFA with AssumeRole You can optionally+-- include multi-factor authentication (MFA) information when you call+-- AssumeRole. This is useful for cross-account scenarios in which you want to+-- make sure that the user who is assuming the role has been authenticated+-- using an AWS MFA device. In that scenario, the trust policy of the role+-- being assumed includes a condition that tests for MFA authentication; if+-- the caller does not include valid MFA information, the request to assume+-- the role is denied. The condition in a trust policy that tests for MFA+-- authentication might look like the following example. "Condition": {"Null":+-- {"aws:MultiFactorAuthAge": false}} For more information, see Configuring+-- MFA-Protected API Access in the Using IAM guide. To use MFA with+-- AssumeRole, you pass values for the SerialNumber and TokenCode parameters.+-- The SerialNumber value identifies the user's hardware or virtual MFA+-- device. The TokenCode is the time-based one-time password (TOTP) that the+-- MFA devices produces.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRole.html>+module Network.AWS.STS.AssumeRole+    (+    -- * Request+      AssumeRole+    -- ** Request constructor+    , assumeRole+    -- ** Request lenses+    , arDurationSeconds+    , arExternalId+    , arPolicy+    , arRoleArn+    , arRoleSessionName+    , arSerialNumber+    , arTokenCode++    -- * Response+    , AssumeRoleResponse+    -- ** Response constructor+    , assumeRoleResponse+    -- ** Response lenses+    , arrAssumedRoleUser+    , arrCredentials+    , arrPackedPolicySize+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++data AssumeRole = AssumeRole+    { _arDurationSeconds :: Maybe Nat+    , _arExternalId      :: Maybe Text+    , _arPolicy          :: Maybe Text+    , _arRoleArn         :: Text+    , _arRoleSessionName :: Text+    , _arSerialNumber    :: Maybe Text+    , _arTokenCode       :: Maybe Text+    } deriving (Eq, Ord, Show)++-- | 'AssumeRole' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arDurationSeconds' @::@ 'Maybe' 'Natural'+--+-- * 'arExternalId' @::@ 'Maybe' 'Text'+--+-- * 'arPolicy' @::@ 'Maybe' 'Text'+--+-- * 'arRoleArn' @::@ 'Text'+--+-- * 'arRoleSessionName' @::@ 'Text'+--+-- * 'arSerialNumber' @::@ 'Maybe' 'Text'+--+-- * 'arTokenCode' @::@ 'Maybe' 'Text'+--+assumeRole :: Text -- ^ 'arRoleArn'+           -> Text -- ^ 'arRoleSessionName'+           -> AssumeRole+assumeRole p1 p2 = AssumeRole+    { _arRoleArn         = p1+    , _arRoleSessionName = p2+    , _arPolicy          = Nothing+    , _arDurationSeconds = Nothing+    , _arExternalId      = Nothing+    , _arSerialNumber    = Nothing+    , _arTokenCode       = Nothing+    }++-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds.+arDurationSeconds :: Lens' AssumeRole (Maybe Natural)+arDurationSeconds =+    lens _arDurationSeconds (\s a -> s { _arDurationSeconds = a })+        . mapping _Nat++-- | A unique identifier that is used by third parties to assume a role in+-- their customers' accounts. For each role that the third party can assume,+-- they should instruct their customers to create a role with the external+-- ID that the third party generated. Each time the third party assumes the+-- role, they must pass the customer's external ID. The external ID is+-- useful in order to help third parties bind a role to the customer who+-- created it. For more information about the external ID, see About the+-- External ID in Using Temporary Security Credentials.+arExternalId :: Lens' AssumeRole (Maybe Text)+arExternalId = lens _arExternalId (\s a -> s { _arExternalId = a })++-- | An IAM policy in JSON format. The policy parameter is optional. If you+-- pass a policy, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, and the policy that you pass.+-- This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see Permissions for AssumeRole in Using Temporary Security Credentials.+arPolicy :: Lens' AssumeRole (Maybe Text)+arPolicy = lens _arPolicy (\s a -> s { _arPolicy = a })++-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.+arRoleArn :: Lens' AssumeRole Text+arRoleArn = lens _arRoleArn (\s a -> s { _arRoleArn = a })++-- | An identifier for the assumed role session. The session name is included+-- as part of the AssumedRoleUser.+arRoleSessionName :: Lens' AssumeRole Text+arRoleSessionName =+    lens _arRoleSessionName (\s a -> s { _arRoleSessionName = a })++-- | The identification number of the MFA device that is associated with the+-- user who is making the AssumeRole call. Specify this value if the trust+-- policy of the role being assumed includes a condition that requires MFA+-- authentication. The value is either the serial number for a hardware+-- device (such as GAHT12345678) or an Amazon Resource Name (ARN) for a+-- virtual device (such as arn:aws:iam::123456789012:mfa/user).+arSerialNumber :: Lens' AssumeRole (Maybe Text)+arSerialNumber = lens _arSerialNumber (\s a -> s { _arSerialNumber = a })++-- | The value provided by the MFA device, if the trust policy of the role+-- being assumed requires MFA (that is, if the policy includes a condition+-- that tests for MFA). If the role being assumed requires MFA and if the+-- TokenCode value is missing or expired, the AssumeRole call returns an+-- "access denied" error.+arTokenCode :: Lens' AssumeRole (Maybe Text)+arTokenCode = lens _arTokenCode (\s a -> s { _arTokenCode = a })++data AssumeRoleResponse = AssumeRoleResponse+    { _arrAssumedRoleUser  :: Maybe AssumedRoleUser+    , _arrCredentials      :: Maybe Credentials+    , _arrPackedPolicySize :: Maybe Nat+    } deriving (Eq, Show)++-- | 'AssumeRoleResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+--+-- * 'arrCredentials' @::@ 'Maybe' 'Credentials'+--+-- * 'arrPackedPolicySize' @::@ 'Maybe' 'Natural'+--+assumeRoleResponse :: AssumeRoleResponse+assumeRoleResponse = AssumeRoleResponse+    { _arrCredentials      = Nothing+    , _arrAssumedRoleUser  = Nothing+    , _arrPackedPolicySize = Nothing+    }++-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary security+-- credentials. For example, you can reference these credentials as a+-- principal in a resource-based policy by using the ARN or assumed role ID.+-- The ARN and ID include the RoleSessionName that you specified when you+-- called AssumeRole.+arrAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)+arrAssumedRoleUser =+    lens _arrAssumedRoleUser (\s a -> s { _arrAssumedRoleUser = a })++-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security (or session) token.+arrCredentials :: Lens' AssumeRoleResponse (Maybe Credentials)+arrCredentials = lens _arrCredentials (\s a -> s { _arrCredentials = a })++-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arrPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)+arrPackedPolicySize =+    lens _arrPackedPolicySize (\s a -> s { _arrPackedPolicySize = a })+        . mapping _Nat++instance ToPath AssumeRole where+    toPath = const "/"++instance ToQuery AssumeRole where+    toQuery AssumeRole{..} = mconcat+        [ "DurationSeconds" =? _arDurationSeconds+        , "ExternalId"      =? _arExternalId+        , "Policy"          =? _arPolicy+        , "RoleArn"         =? _arRoleArn+        , "RoleSessionName" =? _arRoleSessionName+        , "SerialNumber"    =? _arSerialNumber+        , "TokenCode"       =? _arTokenCode+        ]++instance ToHeaders AssumeRole++instance AWSRequest AssumeRole where+    type Sv AssumeRole = STS+    type Rs AssumeRole = AssumeRoleResponse++    request  = post "AssumeRole"+    response = xmlResponse++instance FromXML AssumeRoleResponse where+    parseXML = withElement "AssumeRoleResult" $ \x -> AssumeRoleResponse+        <$> x .@? "AssumedRoleUser"+        <*> x .@? "Credentials"+        <*> x .@? "PackedPolicySize"
+ gen/Network/AWS/STS/AssumeRoleWithSAML.hs view
@@ -0,0 +1,292 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.AssumeRoleWithSAML+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Returns a set of temporary security credentials for users who have been+-- authenticated via a SAML authentication response. This operation provides a+-- mechanism for tying an enterprise identity store or directory to role-based+-- AWS access without user-specific credentials or configuration. The+-- temporary security credentials returned by this operation consist of an+-- access key ID, a secret access key, and a security token. Applications can+-- use these temporary security credentials to sign calls to AWS services. The+-- credentials are valid for the duration that you specified when calling+-- AssumeRoleWithSAML, which can be up to 3600 seconds (1 hour) or until the+-- time specified in the SAML authentication response's NotOnOrAfter value,+-- whichever is shorter. Optionally, you can pass an IAM access policy to this+-- operation. If you choose not to pass a policy, the temporary security+-- credentials that are returned by the operation have the permissions that+-- are defined in the access policy of the role that is being assumed. If you+-- pass a policy to this operation, the temporary security credentials that+-- are returned by the operation have the permissions that are allowed by both+-- the access policy of the role that is being assumed, and the policy that+-- you pass. This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed policy+-- to grant permissions that are in excess of those allowed by the access+-- policy of the role that is being assumed. For more information, see+-- Permissions for AssumeRoleWithSAML in Using Temporary Security Credentials.+-- Before your application can call AssumeRoleWithSAML, you must configure+-- your SAML identity provider (IdP) to issue the claims required by AWS.+-- Additionally, you must use AWS Identity and Access Management (IAM) to+-- create a SAML provider entity in your AWS account that represents your+-- identity provider, and create an IAM role that specifies this SAML provider+-- in its trust policy. Calling AssumeRoleWithSAML does not require the use of+-- AWS security credentials. The identity of the caller is validated by using+-- keys in the metadata document that is uploaded for the SAML provider entity+-- for your identity provider. For more information, see the following+-- resources: Creating Temporary Security Credentials for SAML Federation in+-- Using Temporary Security Credentials. SAML Providers in Using IAM.+-- Configuring a Relying Party and Claims in Using IAM. Creating a Role for+-- SAML-Based Federation in Using IAM.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithSAML.html>+module Network.AWS.STS.AssumeRoleWithSAML+    (+    -- * Request+      AssumeRoleWithSAML+    -- ** Request constructor+    , assumeRoleWithSAML+    -- ** Request lenses+    , arwsamlDurationSeconds+    , arwsamlPolicy+    , arwsamlPrincipalArn+    , arwsamlRoleArn+    , arwsamlSAMLAssertion++    -- * Response+    , AssumeRoleWithSAMLResponse+    -- ** Response constructor+    , assumeRoleWithSAMLResponse+    -- ** Response lenses+    , arwsamlrAssumedRoleUser+    , arwsamlrAudience+    , arwsamlrCredentials+    , arwsamlrIssuer+    , arwsamlrNameQualifier+    , arwsamlrPackedPolicySize+    , arwsamlrSubject+    , arwsamlrSubjectType+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++data AssumeRoleWithSAML = AssumeRoleWithSAML+    { _arwsamlDurationSeconds :: Maybe Nat+    , _arwsamlPolicy          :: Maybe Text+    , _arwsamlPrincipalArn    :: Text+    , _arwsamlRoleArn         :: Text+    , _arwsamlSAMLAssertion   :: Text+    } deriving (Eq, Ord, Show)++-- | 'AssumeRoleWithSAML' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arwsamlDurationSeconds' @::@ 'Maybe' 'Natural'+--+-- * 'arwsamlPolicy' @::@ 'Maybe' 'Text'+--+-- * 'arwsamlPrincipalArn' @::@ 'Text'+--+-- * 'arwsamlRoleArn' @::@ 'Text'+--+-- * 'arwsamlSAMLAssertion' @::@ 'Text'+--+assumeRoleWithSAML :: Text -- ^ 'arwsamlRoleArn'+                   -> Text -- ^ 'arwsamlPrincipalArn'+                   -> Text -- ^ 'arwsamlSAMLAssertion'+                   -> AssumeRoleWithSAML+assumeRoleWithSAML p1 p2 p3 = AssumeRoleWithSAML+    { _arwsamlRoleArn         = p1+    , _arwsamlPrincipalArn    = p2+    , _arwsamlSAMLAssertion   = p3+    , _arwsamlPolicy          = Nothing+    , _arwsamlDurationSeconds = Nothing+    }++-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds. An expiration can also be specified in the SAML+-- authentication response's NotOnOrAfter value. The actual expiration time+-- is whichever value is shorter.+arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)+arwsamlDurationSeconds =+    lens _arwsamlDurationSeconds (\s a -> s { _arwsamlDurationSeconds = a })+        . mapping _Nat++-- | An IAM policy in JSON format. The policy parameter is optional. If you+-- pass a policy, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, and the policy that you pass.+-- This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see Permissions for AssumeRoleWithSAML in Using Temporary Security+-- Credentials.+arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)+arwsamlPolicy = lens _arwsamlPolicy (\s a -> s { _arwsamlPolicy = a })++-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that describes+-- the IdP.+arwsamlPrincipalArn :: Lens' AssumeRoleWithSAML Text+arwsamlPrincipalArn =+    lens _arwsamlPrincipalArn (\s a -> s { _arwsamlPrincipalArn = a })++-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.+arwsamlRoleArn :: Lens' AssumeRoleWithSAML Text+arwsamlRoleArn = lens _arwsamlRoleArn (\s a -> s { _arwsamlRoleArn = a })++-- | The base-64 encoded SAML authentication response provided by the IdP. For+-- more information, see Configuring a Relying Party and Adding Claims in+-- the Using IAM guide.+arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text+arwsamlSAMLAssertion =+    lens _arwsamlSAMLAssertion (\s a -> s { _arwsamlSAMLAssertion = a })++data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse+    { _arwsamlrAssumedRoleUser  :: Maybe AssumedRoleUser+    , _arwsamlrAudience         :: Maybe Text+    , _arwsamlrCredentials      :: Maybe Credentials+    , _arwsamlrIssuer           :: Maybe Text+    , _arwsamlrNameQualifier    :: Maybe Text+    , _arwsamlrPackedPolicySize :: Maybe Nat+    , _arwsamlrSubject          :: Maybe Text+    , _arwsamlrSubjectType      :: Maybe Text+    } deriving (Eq, Show)++-- | 'AssumeRoleWithSAMLResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arwsamlrAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+--+-- * 'arwsamlrAudience' @::@ 'Maybe' 'Text'+--+-- * 'arwsamlrCredentials' @::@ 'Maybe' 'Credentials'+--+-- * 'arwsamlrIssuer' @::@ 'Maybe' 'Text'+--+-- * 'arwsamlrNameQualifier' @::@ 'Maybe' 'Text'+--+-- * 'arwsamlrPackedPolicySize' @::@ 'Maybe' 'Natural'+--+-- * 'arwsamlrSubject' @::@ 'Maybe' 'Text'+--+-- * 'arwsamlrSubjectType' @::@ 'Maybe' 'Text'+--+assumeRoleWithSAMLResponse :: AssumeRoleWithSAMLResponse+assumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse+    { _arwsamlrCredentials      = Nothing+    , _arwsamlrAssumedRoleUser  = Nothing+    , _arwsamlrPackedPolicySize = Nothing+    , _arwsamlrSubject          = Nothing+    , _arwsamlrSubjectType      = Nothing+    , _arwsamlrIssuer           = Nothing+    , _arwsamlrAudience         = Nothing+    , _arwsamlrNameQualifier    = Nothing+    }++arwsamlrAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)+arwsamlrAssumedRoleUser =+    lens _arwsamlrAssumedRoleUser (\s a -> s { _arwsamlrAssumedRoleUser = a })++-- | The value of the Recipient attribute of the SubjectConfirmationData+-- element of the SAML assertion.+arwsamlrAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrAudience = lens _arwsamlrAudience (\s a -> s { _arwsamlrAudience = a })++arwsamlrCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe Credentials)+arwsamlrCredentials =+    lens _arwsamlrCredentials (\s a -> s { _arwsamlrCredentials = a })++-- | The value of the Issuer element of the SAML assertion.+arwsamlrIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrIssuer = lens _arwsamlrIssuer (\s a -> s { _arwsamlrIssuer = a })++-- | A hash value based on the concatenation of the Issuer response value, the+-- AWS account ID, and the friendly name (the last part of the ARN) of the+-- SAML provider in IAM. The combination of NameQualifier and Subject can be+-- used to uniquely identify a federated user. The following pseudocode+-- shows how the hash value is calculated: BASE64 ( SHA1 (+-- "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) ).+arwsamlrNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrNameQualifier =+    lens _arwsamlrNameQualifier (\s a -> s { _arwsamlrNameQualifier = a })++-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwsamlrPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)+arwsamlrPackedPolicySize =+    lens _arwsamlrPackedPolicySize+        (\s a -> s { _arwsamlrPackedPolicySize = a })+            . mapping _Nat++-- | The value of the NameID element in the Subject element of the SAML+-- assertion.+arwsamlrSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrSubject = lens _arwsamlrSubject (\s a -> s { _arwsamlrSubject = a })++-- | The format of the name ID, as defined by the Format attribute in the+-- NameID element of the SAML assertion. Typical examples of the format are+-- transient or persistent. If the format includes the prefix+-- urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is removed. For+-- example, urn:oasis:names:tc:SAML:2.0:nameid-format:transient is returned+-- as transient. If the format includes any other prefix, the format is+-- returned with no modifications.+arwsamlrSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)+arwsamlrSubjectType =+    lens _arwsamlrSubjectType (\s a -> s { _arwsamlrSubjectType = a })++instance ToPath AssumeRoleWithSAML where+    toPath = const "/"++instance ToQuery AssumeRoleWithSAML where+    toQuery AssumeRoleWithSAML{..} = mconcat+        [ "DurationSeconds" =? _arwsamlDurationSeconds+        , "Policy"          =? _arwsamlPolicy+        , "PrincipalArn"    =? _arwsamlPrincipalArn+        , "RoleArn"         =? _arwsamlRoleArn+        , "SAMLAssertion"   =? _arwsamlSAMLAssertion+        ]++instance ToHeaders AssumeRoleWithSAML++instance AWSRequest AssumeRoleWithSAML where+    type Sv AssumeRoleWithSAML = STS+    type Rs AssumeRoleWithSAML = AssumeRoleWithSAMLResponse++    request  = post "AssumeRoleWithSAML"+    response = xmlResponse++instance FromXML AssumeRoleWithSAMLResponse where+    parseXML = withElement "AssumeRoleWithSAMLResult" $ \x -> AssumeRoleWithSAMLResponse+        <$> x .@? "AssumedRoleUser"+        <*> x .@? "Audience"+        <*> x .@? "Credentials"+        <*> x .@? "Issuer"+        <*> x .@? "NameQualifier"+        <*> x .@? "PackedPolicySize"+        <*> x .@? "Subject"+        <*> x .@? "SubjectType"
+ gen/Network/AWS/STS/AssumeRoleWithWebIdentity.hs view
@@ -0,0 +1,306 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.AssumeRoleWithWebIdentity+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Returns a set of temporary security credentials for users who have been+-- authenticated in a mobile or web application with a web identity provider,+-- such as Login with Amazon, Amazon Cognito, Facebook, or Google. Calling+-- AssumeRoleWithWebIdentity does not require the use of AWS security+-- credentials. Therefore, you can distribute an application (for example, on+-- mobile devices) that requests temporary security credentials without+-- including long-term AWS credentials in the application, and without+-- deploying server-based proxy services that use long-term AWS credentials.+-- Instead, the identity of the caller is validated by using a token from the+-- web identity provider. The temporary security credentials returned by this+-- API consist of an access key ID, a secret access key, and a security token.+-- Applications can use these temporary security credentials to sign calls to+-- AWS service APIs. The credentials are valid for the duration that you+-- specified when calling AssumeRoleWithWebIdentity, which can be from 900+-- seconds (15 minutes) to 3600 seconds (1 hour). By default, the temporary+-- security credentials are valid for 1 hour. Optionally, you can pass an IAM+-- access policy to this operation. If you choose not to pass a policy, the+-- temporary security credentials that are returned by the operation have the+-- permissions that are defined in the access policy of the role that is being+-- assumed. If you pass a policy to this operation, the temporary security+-- credentials that are returned by the operation have the permissions that+-- are allowed by both the access policy of the role that is being assumed,+-- and the policy that you pass. This gives you a way to further restrict the+-- permissions for the resulting temporary security credentials. You cannot+-- use the passed policy to grant permissions that are in excess of those+-- allowed by the access policy of the role that is being assumed. For more+-- information, see Permissions for AssumeRoleWithWebIdentity in Using+-- Temporary Security Credentials. Before your application can call+-- AssumeRoleWithWebIdentity, you must have an identity token from a supported+-- identity provider and create a role that the application can assume. The+-- role that your application assumes must trust the identity provider that is+-- associated with the identity token. In other words, the identity provider+-- must be specified in the role's trust policy. For more information about+-- how to use web identity federation and the AssumeRoleWithWebIdentity, see+-- the following resources: Creating a Mobile Application with Third-Party+-- Sign-In and Creating Temporary Security Credentials for Mobile Apps Using+-- Third-Party Identity Providers in Using Temporary Security Credentials. Web+-- Identity Federation Playground. This interactive website lets you walk+-- through the process of authenticating via Login with Amazon, Facebook, or+-- Google, getting temporary security credentials, and then using those+-- credentials to make a request to AWS. AWS SDK for iOS and AWS SDK for+-- Android. These toolkits contain sample apps that show how to invoke the+-- identity providers, and then how to use the information from these+-- providers to get and use temporary security credentials. Web Identity+-- Federation with Mobile Applications. This article discusses web identity+-- federation and shows an example of how to use web identity federation to+-- get access to content in Amazon S3.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_AssumeRoleWithWebIdentity.html>+module Network.AWS.STS.AssumeRoleWithWebIdentity+    (+    -- * Request+      AssumeRoleWithWebIdentity+    -- ** Request constructor+    , assumeRoleWithWebIdentity+    -- ** Request lenses+    , arwwiDurationSeconds+    , arwwiPolicy+    , arwwiProviderId+    , arwwiRoleArn+    , arwwiRoleSessionName+    , arwwiWebIdentityToken++    -- * Response+    , AssumeRoleWithWebIdentityResponse+    -- ** Response constructor+    , assumeRoleWithWebIdentityResponse+    -- ** Response lenses+    , arwwirAssumedRoleUser+    , arwwirAudience+    , arwwirCredentials+    , arwwirPackedPolicySize+    , arwwirProvider+    , arwwirSubjectFromWebIdentityToken+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity+    { _arwwiDurationSeconds  :: Maybe Nat+    , _arwwiPolicy           :: Maybe Text+    , _arwwiProviderId       :: Maybe Text+    , _arwwiRoleArn          :: Text+    , _arwwiRoleSessionName  :: Text+    , _arwwiWebIdentityToken :: Text+    } deriving (Eq, Ord, Show)++-- | 'AssumeRoleWithWebIdentity' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arwwiDurationSeconds' @::@ 'Maybe' 'Natural'+--+-- * 'arwwiPolicy' @::@ 'Maybe' 'Text'+--+-- * 'arwwiProviderId' @::@ 'Maybe' 'Text'+--+-- * 'arwwiRoleArn' @::@ 'Text'+--+-- * 'arwwiRoleSessionName' @::@ 'Text'+--+-- * 'arwwiWebIdentityToken' @::@ 'Text'+--+assumeRoleWithWebIdentity :: Text -- ^ 'arwwiRoleArn'+                          -> Text -- ^ 'arwwiRoleSessionName'+                          -> Text -- ^ 'arwwiWebIdentityToken'+                          -> AssumeRoleWithWebIdentity+assumeRoleWithWebIdentity p1 p2 p3 = AssumeRoleWithWebIdentity+    { _arwwiRoleArn          = p1+    , _arwwiRoleSessionName  = p2+    , _arwwiWebIdentityToken = p3+    , _arwwiProviderId       = Nothing+    , _arwwiPolicy           = Nothing+    , _arwwiDurationSeconds  = Nothing+    }++-- | The duration, in seconds, of the role session. The value can range from+-- 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the value+-- is set to 3600 seconds.+arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)+arwwiDurationSeconds =+    lens _arwwiDurationSeconds (\s a -> s { _arwwiDurationSeconds = a })+        . mapping _Nat++-- | An IAM policy in JSON format. The policy parameter is optional. If you+-- pass a policy, the temporary security credentials that are returned by+-- the operation have the permissions that are allowed by both the access+-- policy of the role that is being assumed, and the policy that you pass.+-- This gives you a way to further restrict the permissions for the+-- resulting temporary security credentials. You cannot use the passed+-- policy to grant permissions that are in excess of those allowed by the+-- access policy of the role that is being assumed. For more information,+-- see Permissions for AssumeRoleWithWebIdentity in Using Temporary Security+-- Credentials.+arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)+arwwiPolicy = lens _arwwiPolicy (\s a -> s { _arwwiPolicy = a })++-- | The fully-qualified host component of the domain name of the identity+-- provider. Specify this value only for OAuth access tokens. Do not specify+-- this value for OpenID Connect ID tokens, such as accounts.google.com. Do+-- not include URL schemes and port numbers. Currently, www.amazon.com and+-- graph.facebook.com are supported.+arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)+arwwiProviderId = lens _arwwiProviderId (\s a -> s { _arwwiProviderId = a })++-- | The Amazon Resource Name (ARN) of the role that the caller is assuming.+arwwiRoleArn :: Lens' AssumeRoleWithWebIdentity Text+arwwiRoleArn = lens _arwwiRoleArn (\s a -> s { _arwwiRoleArn = a })++-- | An identifier for the assumed role session. Typically, you pass the name+-- or identifier that is associated with the user who is using your+-- application. That way, the temporary security credentials that your+-- application will use are associated with that user. This session name is+-- included as part of the ARN and assumed role ID in the AssumedRoleUser+-- response element.+arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text+arwwiRoleSessionName =+    lens _arwwiRoleSessionName (\s a -> s { _arwwiRoleSessionName = a })++-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided by+-- the identity provider. Your application must get this token by+-- authenticating the user who is using your application with a web identity+-- provider before the application makes an AssumeRoleWithWebIdentity call.+arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text+arwwiWebIdentityToken =+    lens _arwwiWebIdentityToken (\s a -> s { _arwwiWebIdentityToken = a })++data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse+    { _arwwirAssumedRoleUser             :: Maybe AssumedRoleUser+    , _arwwirAudience                    :: Maybe Text+    , _arwwirCredentials                 :: Maybe Credentials+    , _arwwirPackedPolicySize            :: Maybe Nat+    , _arwwirProvider                    :: Maybe Text+    , _arwwirSubjectFromWebIdentityToken :: Maybe Text+    } deriving (Eq, Show)++-- | 'AssumeRoleWithWebIdentityResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'arwwirAssumedRoleUser' @::@ 'Maybe' 'AssumedRoleUser'+--+-- * 'arwwirAudience' @::@ 'Maybe' 'Text'+--+-- * 'arwwirCredentials' @::@ 'Maybe' 'Credentials'+--+-- * 'arwwirPackedPolicySize' @::@ 'Maybe' 'Natural'+--+-- * 'arwwirProvider' @::@ 'Maybe' 'Text'+--+-- * 'arwwirSubjectFromWebIdentityToken' @::@ 'Maybe' 'Text'+--+assumeRoleWithWebIdentityResponse :: AssumeRoleWithWebIdentityResponse+assumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse+    { _arwwirCredentials                 = Nothing+    , _arwwirSubjectFromWebIdentityToken = Nothing+    , _arwwirAssumedRoleUser             = Nothing+    , _arwwirPackedPolicySize            = Nothing+    , _arwwirProvider                    = Nothing+    , _arwwirAudience                    = Nothing+    }++-- | The Amazon Resource Name (ARN) and the assumed role ID, which are+-- identifiers that you can use to refer to the resulting temporary security+-- credentials. For example, you can reference these credentials as a+-- principal in a resource-based policy by using the ARN or assumed role ID.+-- The ARN and ID include the RoleSessionName that you specified when you+-- called AssumeRole.+arwwirAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)+arwwirAssumedRoleUser =+    lens _arwwirAssumedRoleUser (\s a -> s { _arwwirAssumedRoleUser = a })++-- | The intended audience of the web identity token. This is traditionally+-- the client identifier issued to the application that requested the web+-- identity token.+arwwirAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirAudience = lens _arwwirAudience (\s a -> s { _arwwirAudience = a })++-- | The temporary security credentials, which include an access key ID, a+-- secret access key, and a security token.+arwwirCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Credentials)+arwwirCredentials =+    lens _arwwirCredentials (\s a -> s { _arwwirCredentials = a })++-- | A percentage value that indicates the size of the policy in packed form.+-- The service rejects any policy with a packed size greater than 100+-- percent, which means the policy exceeded the allowed space.+arwwirPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)+arwwirPackedPolicySize =+    lens _arwwirPackedPolicySize (\s a -> s { _arwwirPackedPolicySize = a })+        . mapping _Nat++-- | The issuing authority of the web identity token presented. For OpenID+-- Connect ID Tokens this contains the value of the iss field. For OAuth 2.0+-- Access Tokens, this contains the value of the ProviderId parameter that+-- was passed in the AssumeRoleWithWebIdentity request.+arwwirProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirProvider = lens _arwwirProvider (\s a -> s { _arwwirProvider = a })++-- | The unique user identifier that is returned by the identity provider.+-- This identifier is associated with the WebIdentityToken that was+-- submitted with the AssumeRoleWithWebIdentity call. The identifier is+-- typically unique to the user and the application that acquired the+-- WebIdentityToken (pairwise identifier). If an OpenID Connect ID token was+-- submitted in the WebIdentityToken, this value is returned by the identity+-- provider as the token's sub (Subject) claim.+arwwirSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)+arwwirSubjectFromWebIdentityToken =+    lens _arwwirSubjectFromWebIdentityToken+        (\s a -> s { _arwwirSubjectFromWebIdentityToken = a })++instance ToPath AssumeRoleWithWebIdentity where+    toPath = const "/"++instance ToQuery AssumeRoleWithWebIdentity where+    toQuery AssumeRoleWithWebIdentity{..} = mconcat+        [ "DurationSeconds"  =? _arwwiDurationSeconds+        , "Policy"           =? _arwwiPolicy+        , "ProviderId"       =? _arwwiProviderId+        , "RoleArn"          =? _arwwiRoleArn+        , "RoleSessionName"  =? _arwwiRoleSessionName+        , "WebIdentityToken" =? _arwwiWebIdentityToken+        ]++instance ToHeaders AssumeRoleWithWebIdentity++instance AWSRequest AssumeRoleWithWebIdentity where+    type Sv AssumeRoleWithWebIdentity = STS+    type Rs AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse++    request  = post "AssumeRoleWithWebIdentity"+    response = xmlResponse++instance FromXML AssumeRoleWithWebIdentityResponse where+    parseXML = withElement "AssumeRoleWithWebIdentityResult" $ \x -> AssumeRoleWithWebIdentityResponse+        <$> x .@? "AssumedRoleUser"+        <*> x .@? "Audience"+        <*> x .@? "Credentials"+        <*> x .@? "PackedPolicySize"+        <*> x .@? "Provider"+        <*> x .@? "SubjectFromWebIdentityToken"
+ gen/Network/AWS/STS/DecodeAuthorizationMessage.hs view
@@ -0,0 +1,125 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.DecodeAuthorizationMessage+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Decodes additional information about the authorization status of a request+-- from an encoded message returned in response to an AWS request. For+-- example, if a user is not authorized to perform an action that he or she+-- has requested, the request returns a Client.UnauthorizedOperation response+-- (an HTTP 403 response). Some AWS actions additionally return an encoded+-- message that can provide details about this authorization failure. The+-- message is encoded because the details of the authorization status can+-- constitute privileged information that the user who requested the action+-- should not see. To decode an authorization status message, a user must be+-- granted permissions via an IAM policy to request the+-- DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action. The+-- decoded message includes the following type of information: Whether the+-- request was denied due to an explicit deny or due to the absence of an+-- explicit allow. For more information, see Determining Whether a Request is+-- Allowed or Denied in Using IAM. The principal who made the request. The+-- requested action. The requested resource. The values of condition keys in+-- the context of the user's request.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_DecodeAuthorizationMessage.html>+module Network.AWS.STS.DecodeAuthorizationMessage+    (+    -- * Request+      DecodeAuthorizationMessage+    -- ** Request constructor+    , decodeAuthorizationMessage+    -- ** Request lenses+    , damEncodedMessage++    -- * Response+    , DecodeAuthorizationMessageResponse+    -- ** Response constructor+    , decodeAuthorizationMessageResponse+    -- ** Response lenses+    , damrDecodedMessage+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++newtype DecodeAuthorizationMessage = DecodeAuthorizationMessage+    { _damEncodedMessage :: Text+    } deriving (Eq, Ord, Show, Monoid, IsString)++-- | 'DecodeAuthorizationMessage' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'damEncodedMessage' @::@ 'Text'+--+decodeAuthorizationMessage :: Text -- ^ 'damEncodedMessage'+                           -> DecodeAuthorizationMessage+decodeAuthorizationMessage p1 = DecodeAuthorizationMessage+    { _damEncodedMessage = p1+    }++-- | The encoded message that was returned with the response.+damEncodedMessage :: Lens' DecodeAuthorizationMessage Text+damEncodedMessage =+    lens _damEncodedMessage (\s a -> s { _damEncodedMessage = a })++newtype DecodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse+    { _damrDecodedMessage :: Maybe Text+    } deriving (Eq, Ord, Show, Monoid)++-- | 'DecodeAuthorizationMessageResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'damrDecodedMessage' @::@ 'Maybe' 'Text'+--+decodeAuthorizationMessageResponse :: DecodeAuthorizationMessageResponse+decodeAuthorizationMessageResponse = DecodeAuthorizationMessageResponse+    { _damrDecodedMessage = Nothing+    }++-- | An XML document that contains the decoded message. For more information,+-- see DecodeAuthorizationMessage.+damrDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)+damrDecodedMessage =+    lens _damrDecodedMessage (\s a -> s { _damrDecodedMessage = a })++instance ToPath DecodeAuthorizationMessage where+    toPath = const "/"++instance ToQuery DecodeAuthorizationMessage where+    toQuery DecodeAuthorizationMessage{..} = mconcat+        [ "EncodedMessage" =? _damEncodedMessage+        ]++instance ToHeaders DecodeAuthorizationMessage++instance AWSRequest DecodeAuthorizationMessage where+    type Sv DecodeAuthorizationMessage = STS+    type Rs DecodeAuthorizationMessage = DecodeAuthorizationMessageResponse++    request  = post "DecodeAuthorizationMessage"+    response = xmlResponse++instance FromXML DecodeAuthorizationMessageResponse where+    parseXML = withElement "DecodeAuthorizationMessageResult" $ \x -> DecodeAuthorizationMessageResponse+        <$> x .@? "DecodedMessage"
+ gen/Network/AWS/STS/GetFederationToken.hs view
@@ -0,0 +1,229 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.GetFederationToken+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Returns a set of temporary security credentials (consisting of an access+-- key ID, a secret access key, and a security token) for a federated user. A+-- typical use is in a proxy application that gets temporary security+-- credentials on behalf of distributed applications inside a corporate+-- network. Because you must call the GetFederationToken action using the+-- long-term security credentials of an IAM user, this call is appropriate in+-- contexts where those credentials can be safely stored, usually in a+-- server-based application. Note: Do not use this call in mobile applications+-- or client-based web applications that directly get temporary security+-- credentials. For those types of applications, use+-- AssumeRoleWithWebIdentity. The GetFederationToken action must be called by+-- using the long-term AWS security credentials of an IAM user. You can also+-- call GetFederationToken using the security credentials of an AWS account+-- (root), but this is not recommended. Instead, we recommend that you create+-- an IAM user for the purpose of the proxy application and then attach a+-- policy to the IAM user that limits federated users to only the actions and+-- resources they need access to. For more information, see IAM Best Practices+-- in Using IAM. The temporary security credentials that are obtained by using+-- the long-term credentials of an IAM user are valid for the specified+-- duration, between 900 seconds (15 minutes) and 129600 seconds (36 hours).+-- Temporary credentials that are obtained by using AWS account (root)+-- credentials have a maximum duration of 3600 seconds (1 hour) Permissions+-- The permissions for the temporary security credentials returned by+-- GetFederationToken are determined by a combination of the following: The+-- policy or policies that are attached to the IAM user whose credentials are+-- used to call GetFederationToken. The policy that is passed as a parameter+-- in the call. The passed policy is attached to the temporary security+-- credentials that result from the GetFederationToken API call--that is, to+-- the federated user. When the federated user makes an AWS request, AWS+-- evaluates the policy attached to the federated user in combination with the+-- policy or policies attached to the IAM user whose credentials were used to+-- call GetFederationToken. AWS allows the federated user's request only when+-- both the federated user and the IAM user are explicitly allowed to perform+-- the requested action. The passed policy cannot grant more permissions than+-- those that are defined in the IAM user policy. A typical use case is that+-- the permissions of the IAM user whose credentials are used to call+-- GetFederationToken are designed to allow access to all the actions and+-- resources that any federated user will need. Then, for individual users,+-- you pass a policy to the operation that scopes down the permissions to a+-- level that's appropriate to that individual user, using a policy that+-- allows only a subset of permissions that are granted to the IAM user. If+-- you do not pass a policy, the resulting temporary security credentials have+-- no effective permissions. The only exception is when the temporary security+-- credentials are used to access a resource that has a resource-based policy+-- that specifically allows the federated user to access the resource. For+-- more information about how permissions work, see Permissions for+-- GetFederationToken in Using Temporary Security Credentials. For information+-- about using GetFederationToken to create temporary security credentials,+-- see Creating Temporary Credentials to Enable Access for Federated Users in+-- Using Temporary Security Credentials.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetFederationToken.html>+module Network.AWS.STS.GetFederationToken+    (+    -- * Request+      GetFederationToken+    -- ** Request constructor+    , getFederationToken+    -- ** Request lenses+    , gftDurationSeconds+    , gftName+    , gftPolicy++    -- * Response+    , GetFederationTokenResponse+    -- ** Response constructor+    , getFederationTokenResponse+    -- ** Response lenses+    , gftrCredentials+    , gftrFederatedUser+    , gftrPackedPolicySize+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++data GetFederationToken = GetFederationToken+    { _gftDurationSeconds :: Maybe Nat+    , _gftName            :: Text+    , _gftPolicy          :: Maybe Text+    } deriving (Eq, Ord, Show)++-- | 'GetFederationToken' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'gftDurationSeconds' @::@ 'Maybe' 'Natural'+--+-- * 'gftName' @::@ 'Text'+--+-- * 'gftPolicy' @::@ 'Maybe' 'Text'+--+getFederationToken :: Text -- ^ 'gftName'+                   -> GetFederationToken+getFederationToken p1 = GetFederationToken+    { _gftName            = p1+    , _gftPolicy          = Nothing+    , _gftDurationSeconds = Nothing+    }++-- | The duration, in seconds, that the session should last. Acceptable+-- durations for federation sessions range from 900 seconds (15 minutes) to+-- 129600 seconds (36 hours), with 43200 seconds (12 hours) as the default.+-- Sessions obtained using AWS account (root) credentials are restricted to+-- a maximum of 3600 seconds (one hour). If the specified duration is longer+-- than one hour, the session obtained by using AWS account (root)+-- credentials defaults to one hour.+gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)+gftDurationSeconds =+    lens _gftDurationSeconds (\s a -> s { _gftDurationSeconds = a })+        . mapping _Nat++-- | The name of the federated user. The name is used as an identifier for the+-- temporary security credentials (such as Bob). For example, you can+-- reference the federated user name in a resource-based policy, such as in+-- an Amazon S3 bucket policy.+gftName :: Lens' GetFederationToken Text+gftName = lens _gftName (\s a -> s { _gftName = a })++-- | An IAM policy in JSON format that is passed with the GetFederationToken+-- call and evaluated along with the policy or policies that are attached to+-- the IAM user whose credentials are used to call GetFederationToken. The+-- passed policy is used to scope down the permissions that are available to+-- the IAM user, by allowing only a subset of the permissions that are+-- granted to the IAM user. The passed policy cannot grant more permissions+-- than those granted to the IAM user. The final permissions for the+-- federated user are the most restrictive set based on the intersection of+-- the passed policy and the IAM user policy. If you do not pass a policy,+-- the resulting temporary security credentials have no effective+-- permissions. The only exception is when the temporary security+-- credentials are used to access a resource that has a resource-based+-- policy that specifically allows the federated user to access the+-- resource. For more information about how permissions work, see+-- Permissions for GetFederationToken in Using Temporary Security+-- Credentials.+gftPolicy :: Lens' GetFederationToken (Maybe Text)+gftPolicy = lens _gftPolicy (\s a -> s { _gftPolicy = a })++data GetFederationTokenResponse = GetFederationTokenResponse+    { _gftrCredentials      :: Maybe Credentials+    , _gftrFederatedUser    :: Maybe FederatedUser+    , _gftrPackedPolicySize :: Maybe Nat+    } deriving (Eq, Show)++-- | 'GetFederationTokenResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'gftrCredentials' @::@ 'Maybe' 'Credentials'+--+-- * 'gftrFederatedUser' @::@ 'Maybe' 'FederatedUser'+--+-- * 'gftrPackedPolicySize' @::@ 'Maybe' 'Natural'+--+getFederationTokenResponse :: GetFederationTokenResponse+getFederationTokenResponse = GetFederationTokenResponse+    { _gftrCredentials      = Nothing+    , _gftrFederatedUser    = Nothing+    , _gftrPackedPolicySize = Nothing+    }++-- | Credentials for the service API authentication.+gftrCredentials :: Lens' GetFederationTokenResponse (Maybe Credentials)+gftrCredentials = lens _gftrCredentials (\s a -> s { _gftrCredentials = a })++-- | Identifiers for the federated user associated with the credentials (such+-- as arn:aws:sts::123456789012:federated-user/Bob or 123456789012:Bob). You+-- can use the federated user's ARN in your resource-based policies, such as+-- an Amazon S3 bucket policy.+gftrFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)+gftrFederatedUser =+    lens _gftrFederatedUser (\s a -> s { _gftrFederatedUser = a })++-- | A percentage value indicating the size of the policy in packed form. The+-- service rejects policies for which the packed size is greater than 100+-- percent of the allowed value.+gftrPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)+gftrPackedPolicySize =+    lens _gftrPackedPolicySize (\s a -> s { _gftrPackedPolicySize = a })+        . mapping _Nat++instance ToPath GetFederationToken where+    toPath = const "/"++instance ToQuery GetFederationToken where+    toQuery GetFederationToken{..} = mconcat+        [ "DurationSeconds" =? _gftDurationSeconds+        , "Name"            =? _gftName+        , "Policy"          =? _gftPolicy+        ]++instance ToHeaders GetFederationToken++instance AWSRequest GetFederationToken where+    type Sv GetFederationToken = STS+    type Rs GetFederationToken = GetFederationTokenResponse++    request  = post "GetFederationToken"+    response = xmlResponse++instance FromXML GetFederationTokenResponse where+    parseXML = withElement "GetFederationTokenResult" $ \x -> GetFederationTokenResponse+        <$> x .@? "Credentials"+        <*> x .@? "FederatedUser"+        <*> x .@? "PackedPolicySize"
+ gen/Network/AWS/STS/GetSessionToken.hs view
@@ -0,0 +1,166 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.GetSessionToken+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++-- | Returns a set of temporary credentials for an AWS account or IAM user. The+-- credentials consist of an access key ID, a secret access key, and a+-- security token. Typically, you use GetSessionToken if you want to use MFA+-- to protect programmatic calls to specific AWS APIs like Amazon EC2+-- StopInstances. MFA-enabled IAM users would need to call GetSessionToken and+-- submit an MFA code that is associated with their MFA device. Using the+-- temporary security credentials that are returned from the call, IAM users+-- can then make programmatic calls to APIs that require MFA authentication.+-- The GetSessionToken action must be called by using the long-term AWS+-- security credentials of the AWS account or an IAM user. Credentials that+-- are created by IAM users are valid for the duration that you specify,+-- between 900 seconds (15 minutes) and 129600 seconds (36 hours); credentials+-- that are created by using account credentials have a maximum duration of+-- 3600 seconds (1 hour). The permissions associated with the temporary+-- security credentials returned by GetSessionToken are based on the+-- permissions associated with account or IAM user whose credentials are used+-- to call the action. If GetSessionToken is called using root account+-- credentials, the temporary credentials have root account permissions.+-- Similarly, if GetSessionToken is called using the credentials of an IAM+-- user, the temporary credentials have the same permissions as the IAM user.+-- For more information about using GetSessionToken to create temporary+-- credentials, go to Creating Temporary Credentials to Enable Access for IAM+-- Users in Using Temporary Security Credentials.+--+-- <http://docs.aws.amazon.com/STS/latest/APIReference/API_GetSessionToken.html>+module Network.AWS.STS.GetSessionToken+    (+    -- * Request+      GetSessionToken+    -- ** Request constructor+    , getSessionToken+    -- ** Request lenses+    , gstDurationSeconds+    , gstSerialNumber+    , gstTokenCode++    -- * Response+    , GetSessionTokenResponse+    -- ** Response constructor+    , getSessionTokenResponse+    -- ** Response lenses+    , gstrCredentials+    ) where++import Network.AWS.Prelude+import Network.AWS.Request.Query+import Network.AWS.STS.Types+import qualified GHC.Exts++data GetSessionToken = GetSessionToken+    { _gstDurationSeconds :: Maybe Nat+    , _gstSerialNumber    :: Maybe Text+    , _gstTokenCode       :: Maybe Text+    } deriving (Eq, Ord, Show)++-- | 'GetSessionToken' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'gstDurationSeconds' @::@ 'Maybe' 'Natural'+--+-- * 'gstSerialNumber' @::@ 'Maybe' 'Text'+--+-- * 'gstTokenCode' @::@ 'Maybe' 'Text'+--+getSessionToken :: GetSessionToken+getSessionToken = GetSessionToken+    { _gstDurationSeconds = Nothing+    , _gstSerialNumber    = Nothing+    , _gstTokenCode       = Nothing+    }++-- | The duration, in seconds, that the credentials should remain valid.+-- Acceptable durations for IAM user sessions range from 900 seconds (15+-- minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours) as+-- the default. Sessions for AWS account owners are restricted to a maximum+-- of 3600 seconds (one hour). If the duration is longer than one hour, the+-- session for AWS account owners defaults to one hour.+gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)+gstDurationSeconds =+    lens _gstDurationSeconds (\s a -> s { _gstDurationSeconds = a })+        . mapping _Nat++-- | The identification number of the MFA device that is associated with the+-- IAM user who is making the GetSessionToken call. Specify this value if+-- the IAM user has a policy that requires MFA authentication. The value is+-- either the serial number for a hardware device (such as GAHT12345678) or+-- an Amazon Resource Name (ARN) for a virtual device (such as+-- arn:aws:iam::123456789012:mfa/user). You can find the device for an IAM+-- user by going to the AWS Management Console and viewing the user's+-- security credentials.+gstSerialNumber :: Lens' GetSessionToken (Maybe Text)+gstSerialNumber = lens _gstSerialNumber (\s a -> s { _gstSerialNumber = a })++-- | The value provided by the MFA device, if MFA is required. If any policy+-- requires the IAM user to submit an MFA code, specify this value. If MFA+-- authentication is required, and the user does not provide a code when+-- requesting a set of temporary security credentials, the user will receive+-- an "access denied" response when requesting resources that require MFA+-- authentication.+gstTokenCode :: Lens' GetSessionToken (Maybe Text)+gstTokenCode = lens _gstTokenCode (\s a -> s { _gstTokenCode = a })++newtype GetSessionTokenResponse = GetSessionTokenResponse+    { _gstrCredentials :: Maybe Credentials+    } deriving (Eq, Show)++-- | 'GetSessionTokenResponse' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'gstrCredentials' @::@ 'Maybe' 'Credentials'+--+getSessionTokenResponse :: GetSessionTokenResponse+getSessionTokenResponse = GetSessionTokenResponse+    { _gstrCredentials = Nothing+    }++-- | The session credentials for API authentication.+gstrCredentials :: Lens' GetSessionTokenResponse (Maybe Credentials)+gstrCredentials = lens _gstrCredentials (\s a -> s { _gstrCredentials = a })++instance ToPath GetSessionToken where+    toPath = const "/"++instance ToQuery GetSessionToken where+    toQuery GetSessionToken{..} = mconcat+        [ "DurationSeconds" =? _gstDurationSeconds+        , "SerialNumber"    =? _gstSerialNumber+        , "TokenCode"       =? _gstTokenCode+        ]++instance ToHeaders GetSessionToken++instance AWSRequest GetSessionToken where+    type Sv GetSessionToken = STS+    type Rs GetSessionToken = GetSessionTokenResponse++    request  = post "GetSessionToken"+    response = xmlResponse++instance FromXML GetSessionTokenResponse where+    parseXML = withElement "GetSessionTokenResult" $ \x -> GetSessionTokenResponse+        <$> x .@? "Credentials"
+ gen/Network/AWS/STS/Types.hs view
@@ -0,0 +1,228 @@+{-# LANGUAGE DataKinds                   #-}+{-# LANGUAGE DeriveGeneric               #-}+{-# LANGUAGE FlexibleInstances           #-}+{-# LANGUAGE GeneralizedNewtypeDeriving  #-}+{-# LANGUAGE LambdaCase                  #-}+{-# LANGUAGE NoImplicitPrelude           #-}+{-# LANGUAGE OverloadedStrings           #-}+{-# LANGUAGE RecordWildCards             #-}+{-# LANGUAGE TypeFamilies                #-}++{-# OPTIONS_GHC -fno-warn-unused-imports #-}++-- Module      : Network.AWS.STS.Types+-- Copyright   : (c) 2013-2014 Brendan Hay <brendan.g.hay@gmail.com>+-- License     : This Source Code Form is subject to the terms of+--               the Mozilla Public License, v. 2.0.+--               A copy of the MPL can be found in the LICENSE file or+--               you can obtain it at http://mozilla.org/MPL/2.0/.+-- Maintainer  : Brendan Hay <brendan.g.hay@gmail.com>+-- Stability   : experimental+-- Portability : non-portable (GHC extensions)++module Network.AWS.STS.Types+    (+    -- * Service+      STS+    -- ** Error+    , RESTError+    -- ** XML+    , ns++    -- * Credentials+    , Credentials+    , credentials+    , cAccessKeyId+    , cExpiration+    , cSecretAccessKey+    , cSessionToken++    -- * FederatedUser+    , FederatedUser+    , federatedUser+    , fuArn+    , fuFederatedUserId++    -- * AssumedRoleUser+    , AssumedRoleUser+    , assumedRoleUser+    , aruArn+    , aruAssumedRoleId+    ) where++import Network.AWS.Error+import Network.AWS.Prelude+import Network.AWS.Signing.V4+import qualified GHC.Exts++-- | Version @2011-06-15@ of the Amazon Security Token Service service.+data STS++instance AWSService STS where+    type Sg STS = V4+    type Er STS = RESTError++    service = Service+        { _svcEndpoint     = global+        , _svcAbbrev       = "STS"+        , _svcPrefix       = "sts"+        , _svcVersion      = "2011-06-15"+        , _svcTargetPrefix = Nothing+        , _svcJSONVersion  = Nothing+        }++    handle = restError statusSuccess++ns :: Text+ns = "https://sts.amazonaws.com/doc/2011-06-15/"++data Credentials = Credentials+    { _cAccessKeyId     :: Text+    , _cExpiration      :: RFC822+    , _cSecretAccessKey :: Text+    , _cSessionToken    :: Text+    } deriving (Eq, Ord, Show)++-- | 'Credentials' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'cAccessKeyId' @::@ 'Text'+--+-- * 'cExpiration' @::@ 'UTCTime'+--+-- * 'cSecretAccessKey' @::@ 'Text'+--+-- * 'cSessionToken' @::@ 'Text'+--+credentials :: Text -- ^ 'cAccessKeyId'+            -> Text -- ^ 'cSecretAccessKey'+            -> Text -- ^ 'cSessionToken'+            -> UTCTime -- ^ 'cExpiration'+            -> Credentials+credentials p1 p2 p3 p4 = Credentials+    { _cAccessKeyId     = p1+    , _cSecretAccessKey = p2+    , _cSessionToken    = p3+    , _cExpiration      = withIso _Time (const id) p4+    }++-- | The access key ID that identifies the temporary security credentials.+cAccessKeyId :: Lens' Credentials Text+cAccessKeyId = lens _cAccessKeyId (\s a -> s { _cAccessKeyId = a })++-- | The date on which the current credentials expire.+cExpiration :: Lens' Credentials UTCTime+cExpiration = lens _cExpiration (\s a -> s { _cExpiration = a }) . _Time++-- | The secret access key that can be used to sign requests.+cSecretAccessKey :: Lens' Credentials Text+cSecretAccessKey = lens _cSecretAccessKey (\s a -> s { _cSecretAccessKey = a })++-- | The token that users must pass to the service API to use the temporary+-- credentials.+cSessionToken :: Lens' Credentials Text+cSessionToken = lens _cSessionToken (\s a -> s { _cSessionToken = a })++instance FromXML Credentials where+    parseXML x = Credentials+        <$> x .@  "AccessKeyId"+        <*> x .@  "Expiration"+        <*> x .@  "SecretAccessKey"+        <*> x .@  "SessionToken"++instance ToQuery Credentials where+    toQuery Credentials{..} = mconcat+        [ "AccessKeyId"     =? _cAccessKeyId+        , "Expiration"      =? _cExpiration+        , "SecretAccessKey" =? _cSecretAccessKey+        , "SessionToken"    =? _cSessionToken+        ]++data FederatedUser = FederatedUser+    { _fuArn             :: Text+    , _fuFederatedUserId :: Text+    } deriving (Eq, Ord, Show)++-- | 'FederatedUser' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'fuArn' @::@ 'Text'+--+-- * 'fuFederatedUserId' @::@ 'Text'+--+federatedUser :: Text -- ^ 'fuFederatedUserId'+              -> Text -- ^ 'fuArn'+              -> FederatedUser+federatedUser p1 p2 = FederatedUser+    { _fuFederatedUserId = p1+    , _fuArn             = p2+    }++-- | The ARN that specifies the federated user that is associated with the+-- credentials. For more information about ARNs and how to use them in+-- policies, see Identifiers for IAM Entities in Using IAM.+fuArn :: Lens' FederatedUser Text+fuArn = lens _fuArn (\s a -> s { _fuArn = a })++-- | The string that identifies the federated user associated with the+-- credentials, similar to the unique ID of an IAM user.+fuFederatedUserId :: Lens' FederatedUser Text+fuFederatedUserId =+    lens _fuFederatedUserId (\s a -> s { _fuFederatedUserId = a })++instance FromXML FederatedUser where+    parseXML x = FederatedUser+        <$> x .@  "Arn"+        <*> x .@  "FederatedUserId"++instance ToQuery FederatedUser where+    toQuery FederatedUser{..} = mconcat+        [ "Arn"             =? _fuArn+        , "FederatedUserId" =? _fuFederatedUserId+        ]++data AssumedRoleUser = AssumedRoleUser+    { _aruArn           :: Text+    , _aruAssumedRoleId :: Text+    } deriving (Eq, Ord, Show)++-- | 'AssumedRoleUser' constructor.+--+-- The fields accessible through corresponding lenses are:+--+-- * 'aruArn' @::@ 'Text'+--+-- * 'aruAssumedRoleId' @::@ 'Text'+--+assumedRoleUser :: Text -- ^ 'aruAssumedRoleId'+                -> Text -- ^ 'aruArn'+                -> AssumedRoleUser+assumedRoleUser p1 p2 = AssumedRoleUser+    { _aruAssumedRoleId = p1+    , _aruArn           = p2+    }++-- | The ARN of the temporary security credentials that are returned from the+-- AssumeRole action. For more information about ARNs and how to use them in+-- policies, see Identifiers for IAM Entities in Using IAM.+aruArn :: Lens' AssumedRoleUser Text+aruArn = lens _aruArn (\s a -> s { _aruArn = a })++-- | A unique identifier that contains the role ID and the role session name+-- of the role that is being assumed. The role ID is generated by AWS when+-- the role is created.+aruAssumedRoleId :: Lens' AssumedRoleUser Text+aruAssumedRoleId = lens _aruAssumedRoleId (\s a -> s { _aruAssumedRoleId = a })++instance FromXML AssumedRoleUser where+    parseXML x = AssumedRoleUser+        <$> x .@  "Arn"+        <*> x .@  "AssumedRoleId"++instance ToQuery AssumedRoleUser where+    toQuery AssumedRoleUser{..} = mconcat+        [ "Arn"           =? _aruArn+        , "AssumedRoleId" =? _aruAssumedRoleId+        ]