Commit 5528f54

author awstools committed
feat(client-sts): This release introduces the new API 'AssumeRoot', which returns short-term credentials that you can use to perform privileged tasks.
1 parent 5c7c349 commit 5528f54

14 files changed: +584 -120 lines changed

clients/client-sts/README.md

Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -230,6 +230,14 @@ AssumeRoleWithWebIdentity
230230

231231
[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/AssumeRoleWithWebIdentityCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleWithWebIdentityCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRoleWithWebIdentityCommandOutput/)
232232

233+
</details>
234+
<details>
235+
<summary>
236+
AssumeRoot
237+
</summary>
238+
239+
[Command API Reference](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/client/sts/command/AssumeRootCommand/) / [Input](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRootCommandInput/) / [Output](https://docs.aws.amazon.com/AWSJavaScriptSDK/v3/latest/Package/-aws-sdk-client-sts/Interface/AssumeRootCommandOutput/)
240+
233241
</details>
234242
<details>
235243
<summary>
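Review bot: The new `AssumeRoot` entry in the generated command list carries only the Command/Input/Output links, matching its neighbours, so nothing in the README tells a reader that this operation differs from the `AssumeRole*` family by returning root-account credentials; that distinction appears only in the commit message, and a one-line summary in the generated section would help readers choose the right operation. The `<details>` block is well-formed and keeps the alphabetical placement after `AssumeRoleWithWebIdentity`. The command module the links point at (`./commands/AssumeRootCommand`, also imported in `STS.ts`) is not among the hunks shown on this page, so confirm it is part of the same commit.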

clients/client-sts/src/STS.ts

Lines changed: 13 additions & 0 deletions
@@ -13,6 +13,7 @@ import {
1313
AssumeRoleWithWebIdentityCommandInput,
1414
AssumeRoleWithWebIdentityCommandOutput,
1515
} from "./commands/AssumeRoleWithWebIdentityCommand";
16+
import { AssumeRootCommand, AssumeRootCommandInput, AssumeRootCommandOutput } from "./commands/AssumeRootCommand";
1617
import {
1718
DecodeAuthorizationMessageCommand,
1819
DecodeAuthorizationMessageCommandInput,
@@ -44,6 +45,7 @@ const commands = {
4445
AssumeRoleCommand,
4546
AssumeRoleWithSAMLCommand,
4647
AssumeRoleWithWebIdentityCommand,
48+
AssumeRootCommand,
4749
DecodeAuthorizationMessageCommand,
4850
GetAccessKeyInfoCommand,
4951
GetCallerIdentityCommand,
@@ -97,6 +99,17 @@ export interface STS {
9799
cb: (err: any, data?: AssumeRoleWithWebIdentityCommandOutput) => void
98100
): void;
99101

102+
/**
103+
* @see {@link AssumeRootCommand}
104+
*/
105+
assumeRoot(args: AssumeRootCommandInput, options?: __HttpHandlerOptions): Promise<AssumeRootCommandOutput>;
106+
assumeRoot(args: AssumeRootCommandInput, cb: (err: any, data?: AssumeRootCommandOutput) => void): void;
107+
assumeRoot(
108+
args: AssumeRootCommandInput,
109+
options: __HttpHandlerOptions,
110+
cb: (err: any, data?: AssumeRootCommandOutput) => void
111+
): void;
112+
100113
/**
101114
* @see {@link DecodeAuthorizationMessageCommand}
102115
*/
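Review bot: The `assumeRoot` overloads at +105 to +111 follow the existing three-signature pattern (promise, callback, options plus callback) and the JSDoc is the usual bare `@see {@link AssumeRootCommand}`, so the aggregated `STS` class exposes no hint about when this operation is appropriate. Given that the commit message describes it as returning short-term credentials for privileged tasks, a short note pointing at the command's own documentation would help callers who use the aggregated client and never open `AssumeRootCommand.ts`; the ordering of the new method between `assumeRoleWithWebIdentity` and `decodeAuthorizationMessage` is consistent with the command map added at +48.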

clients/client-sts/src/STSClient.ts

Lines changed: 3 additions & 0 deletions
@@ -59,6 +59,7 @@ import {
5959
AssumeRoleWithWebIdentityCommandInput,
6060
AssumeRoleWithWebIdentityCommandOutput,
6161
} from "./commands/AssumeRoleWithWebIdentityCommand";
62+
import { AssumeRootCommandInput, AssumeRootCommandOutput } from "./commands/AssumeRootCommand";
6263
import {
6364
DecodeAuthorizationMessageCommandInput,
6465
DecodeAuthorizationMessageCommandOutput,
@@ -85,6 +86,7 @@ export type ServiceInputTypes =
8586
| AssumeRoleCommandInput
8687
| AssumeRoleWithSAMLCommandInput
8788
| AssumeRoleWithWebIdentityCommandInput
89+
| AssumeRootCommandInput
8890
| DecodeAuthorizationMessageCommandInput
8991
| GetAccessKeyInfoCommandInput
9092
| GetCallerIdentityCommandInput
@@ -98,6 +100,7 @@ export type ServiceOutputTypes =
98100
| AssumeRoleCommandOutput
99101
| AssumeRoleWithSAMLCommandOutput
100102
| AssumeRoleWithWebIdentityCommandOutput
103+
| AssumeRootCommandOutput
101104
| DecodeAuthorizationMessageCommandOutput
102105
| GetAccessKeyInfoCommandOutput
103106
| GetCallerIdentityCommandOutput

clients/client-sts/src/commands/AssumeRoleCommand.ts

Lines changed: 13 additions & 13 deletions
@@ -33,20 +33,20 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
3333
* and a security token. Typically, you use <code>AssumeRole</code> within your account or for
3434
* cross-account access. For a comparison of <code>AssumeRole</code> with other API operations
3535
* that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
36-
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
37-
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
36+
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
37+
* credentials</a> in the <i>IAM User Guide</i>.</p>
3838
* <p>
3939
* <b>Permissions</b>
4040
* </p>
4141
* <p>The temporary security credentials created by <code>AssumeRole</code> can be used to
4242
* make API calls to any Amazon Web Services service with the following exception: You cannot call the
4343
* Amazon Web Services STS <code>GetFederationToken</code> or <code>GetSessionToken</code> API
4444
* operations.</p>
45-
* <p>(Optional) You can pass inline or managed <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session">session policies</a> to
46-
* this operation. You can pass a single JSON policy document to use as an inline session
47-
* policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as
48-
* managed session policies. The plaintext that you use for both inline and managed session
49-
* policies can't exceed 2,048 characters. Passing policies to this operation returns new
45+
* <p>(Optional) You can pass inline or managed session policies to this operation. You can
46+
* pass a single JSON policy document to use as an inline session policy. You can also specify
47+
* up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies.
48+
* The plaintext that you use for both inline and managed session policies can't exceed 2,048
49+
* characters. Passing policies to this operation returns new
5050
* temporary credentials. The resulting session's permissions are the intersection of the
5151
* role's identity-based policy and the session policies. You can use the role's temporary
5252
* credentials in subsequent Amazon Web Services API calls to access resources in the account that owns
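Review bot: The reflowed paragraph at +45 drops the hyperlink that -45 carried on "session policies" (`access_policies.html#policies_session`), so readers of the generated docs lose the pointer to the session-policy reference while the prose is otherwise unchanged; if the upstream model removed the link deliberately that is fine, otherwise it should be restored there rather than hand-edited here. The replacement of the `#stsapi_comparison` anchor at -36 with the dedicated `id_credentials_sts-comparison.html` page at +36 is a straightforward link update.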
@@ -193,15 +193,15 @@ export interface AssumeRoleCommandOutput extends AssumeRoleResponse, __MetadataB
193193
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
194194
* the <i>IAM User Guide</i>.</p>
195195
* <p>You could receive this error even though you meet other defined session policy and
196-
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
197-
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
196+
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
197+
* Guide</i>.</p>
198198
*
199199
* @throws {@link RegionDisabledException} (client fault)
200200
* <p>STS is not activated in the requested region for the account that is being asked to
201-
* generate credentials. The account administrator must use the IAM console to activate STS
202-
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
203-
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
204-
* Guide</i>.</p>
201+
* generate credentials. The account administrator must use the IAM console to activate
202+
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
203+
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
204+
* Guide</i>.</p>
205205
*
206206
* @throws {@link STSServiceException}
207207
* <p>Base exception class for all service exceptions from STS service.</p>
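Review bot: Text-only reflow of the packed-policy size description (193-197) and the `RegionDisabledException` description (200-204), with the link text shortened from "Deactivating Amazon Web Services STS" to "Deactivating STS"; the wording and both `href` targets are unchanged. Since these comment blocks are generated from the service model (the commit comes from the `awstools` automation), this churn is expected and not something to edit by hand in this file.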

clients/client-sts/src/commands/AssumeRoleWithSAMLCommand.ts

Lines changed: 8 additions & 8 deletions
@@ -38,8 +38,8 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo
3838
* enterprise identity store or directory to role-based Amazon Web Services access without user-specific
3939
* credentials or configuration. For a comparison of <code>AssumeRoleWithSAML</code> with the
4040
* other API operations that produce temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
41-
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
42-
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
41+
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
42+
* credentials</a> in the <i>IAM User Guide</i>.</p>
4343
* <p>The temporary security credentials returned by this operation consist of an access key
4444
* ID, a secret access key, and a security token. Applications can use these temporary
4545
* security credentials to sign calls to Amazon Web Services services.</p>
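Review bot: Same comparison-link swap as in `AssumeRoleCommand.ts` (the `#stsapi_comparison` anchor at -41 replaced by `id_credentials_sts-comparison.html` at +41) with identical link text "Compare STS credentials", so the three `AssumeRole*` command docs stay consistent with each other; no change needed.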
@@ -236,15 +236,15 @@ export interface AssumeRoleWithSAMLCommandOutput extends AssumeRoleWithSAMLRespo
236236
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
237237
* the <i>IAM User Guide</i>.</p>
238238
* <p>You could receive this error even though you meet other defined session policy and
239-
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
240-
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
239+
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
240+
* Guide</i>.</p>
241241
*
242242
* @throws {@link RegionDisabledException} (client fault)
243243
* <p>STS is not activated in the requested region for the account that is being asked to
244-
* generate credentials. The account administrator must use the IAM console to activate STS
245-
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
246-
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
247-
* Guide</i>.</p>
244+
* generate credentials. The account administrator must use the IAM console to activate
245+
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
246+
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
247+
* Guide</i>.</p>
248248
*
249249
* @throws {@link STSServiceException}
250250
* <p>Base exception class for all service exceptions from STS service.</p>

clients/client-sts/src/commands/AssumeRoleWithWebIdentityCommand.ts

Lines changed: 15 additions & 30 deletions
@@ -53,8 +53,8 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
5353
* using a token from the web identity provider. For a comparison of
5454
* <code>AssumeRoleWithWebIdentity</code> with the other API operations that produce
5555
* temporary credentials, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html">Requesting Temporary Security
56-
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison">Comparing the
57-
* Amazon Web Services STS API operations</a> in the <i>IAM User Guide</i>.</p>
56+
* Credentials</a> and <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html">Compare STS
57+
* credentials</a> in the <i>IAM User Guide</i>.</p>
5858
* <p>The temporary security credentials returned by this API consist of an access key ID, a
5959
* secret access key, and a security token. Applications can use these temporary security
6060
* credentials to sign calls to Amazon Web Services service API operations.</p>
@@ -66,8 +66,7 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
6666
* optional <code>DurationSeconds</code> parameter to specify the duration of your session.
6767
* You can provide a value from 900 seconds (15 minutes) up to the maximum session duration
6868
* setting for the role. This setting can have a value from 1 hour to 12 hours. To learn how
69-
* to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session">View the
70-
* Maximum Session Duration Setting for a Role</a> in the
69+
* to view the maximum value for your role, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_update-role-settings.html#id_roles_update-session-duration">Update the maximum session duration for a role </a> in the
7170
* <i>IAM User Guide</i>. The maximum session duration limit applies when
7271
* you use the <code>AssumeRole*</code> API operations or the <code>assume-role*</code> CLI
7372
* commands. However the limit does not apply when you use those operations to create a
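Review bot: The new anchor text at +69 has a stray space before `</a>` ("...for a role </a>"), which renders as a trailing space inside the link; it should be trimmed in the upstream doc source. The target also moves from the "View the Maximum Session Duration Setting for a Role" section to `id_roles_update-role-settings.html#id_roles_update-session-duration`, which is a link update only; the surrounding guidance on the 900-second minimum and the 1-to-12-hour role setting is unchanged.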
@@ -136,7 +135,7 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
136135
* or a pairwise identifier, as <a href="http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes">suggested
137136
* in the OIDC specification</a>.</p>
138137
* </important>
139-
* <p>For more information about how to use web identity federation and the
138+
* <p>For more information about how to use OIDC federation and the
140139
* <code>AssumeRoleWithWebIdentity</code> API, see the following resources: </p>
141140
* <ul>
142141
* <li>
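Review bot: The wording change at +138 from "web identity federation" to "OIDC federation" now sits alongside text that still says "web identity provider" (context at 53) and the operation name `AssumeRoleWithWebIdentity` itself, so both terms coexist in one doc block; this is acceptable if the IAM User Guide has adopted "OIDC federation" as the term, but it should be confirmed as an upstream rename rather than a one-off edit.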
@@ -145,25 +144,11 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
145144
* </li>
146145
* <li>
147146
* <p>
148-
* <a href="https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/"> Web Identity Federation Playground</a>. Walk through the process of
149-
* authenticating through Login with Amazon, Facebook, or Google, getting temporary
150-
* security credentials, and then using those credentials to make a request to Amazon Web Services.
151-
* </p>
152-
* </li>
153-
* <li>
154-
* <p>
155147
* <a href="http://aws.amazon.com/sdkforios/">Amazon Web Services SDK for iOS Developer Guide</a> and <a href="http://aws.amazon.com/sdkforandroid/">Amazon Web Services SDK for Android Developer Guide</a>. These toolkits
156148
* contain sample apps that show how to invoke the identity providers. The toolkits then
157149
* show how to use the information from these providers to get and use temporary
158150
* security credentials. </p>
159151
* </li>
160-
* <li>
161-
* <p>
162-
* <a href="http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications">Web Identity
163-
* Federation with Mobile Applications</a>. This article discusses web identity
164-
* federation and shows an example of how to use web identity federation to get access
165-
* to content in Amazon S3. </p>
166-
* </li>
167152
* </ul>
168153
* @example
169154
* Use a bare-bones client and the command you need to make an API call.
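Review bot: Removing the "Web Identity Federation Playground" and "Web Identity Federation with Mobile Applications" list items leaves a well-formed list (the remaining `<li>` closes at 159/151 before `</ul>`), but the two surviving links, `http://aws.amazon.com/sdkforios/` and `http://aws.amazon.com/sdkforandroid/`, are still plain `http://` while every other link in this block is `https://`; since the list is being touched anyway, the upstream doc source should move them to `https://` so developer-guide links are not served over cleartext.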
@@ -217,11 +202,11 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
217202
* token from the identity provider and then retry the request.</p>
218203
*
219204
* @throws {@link IDPCommunicationErrorException} (client fault)
220-
* <p>The request could not be fulfilled because the identity provider (IDP) that
221-
* was asked to verify the incoming identity token could not be reached. This is often a
222-
* transient error caused by network conditions. Retry the request a limited number of
223-
* times so that you don't exceed the request rate. If the error persists, the
224-
* identity provider might be down or not responding.</p>
205+
* <p>The request could not be fulfilled because the identity provider (IDP) that was asked
206+
* to verify the incoming identity token could not be reached. This is often a transient
207+
* error caused by network conditions. Retry the request a limited number of times so that
208+
* you don't exceed the request rate. If the error persists, the identity provider might be
209+
* down or not responding.</p>
225210
*
226211
* @throws {@link IDPRejectedClaimException} (client fault)
227212
* <p>The identity provider (IdP) reported that authentication failed. This might be because
@@ -245,15 +230,15 @@ export interface AssumeRoleWithWebIdentityCommandOutput extends AssumeRoleWithWe
245230
* tags are to the upper size limit. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html">Passing Session Tags in STS</a> in
246231
* the <i>IAM User Guide</i>.</p>
247232
* <p>You could receive this error even though you meet other defined session policy and
248-
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity
249-
* Character Limits</a> in the <i>IAM User Guide</i>.</p>
233+
* session tag limits. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length">IAM and STS Entity Character Limits</a> in the <i>IAM User
234+
* Guide</i>.</p>
250235
*
251236
* @throws {@link RegionDisabledException} (client fault)
252237
* <p>STS is not activated in the requested region for the account that is being asked to
253-
* generate credentials. The account administrator must use the IAM console to activate STS
254-
* in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
255-
* Deactivating Amazon Web Services STS in an Amazon Web Services Region</a> in the <i>IAM User
256-
* Guide</i>.</p>
238+
* generate credentials. The account administrator must use the IAM console to activate
239+
* STS in that region. For more information, see <a href="https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html">Activating and
240+
* Deactivating STS in an Amazon Web Services Region</a> in the <i>IAM User
241+
* Guide</i>.</p>
257242
*
258243
* @throws {@link STSServiceException}
259244
* <p>Base exception class for all service exceptions from STS service.</p>
