String requestId
String errorCode
AmazonServiceException.ErrorType errorType
AmazonServiceException.ErrorTypeString errorMessage
int statusCode
String serviceName
String providerName
The provider name for an Amazon Cognito user pool. For example,
cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789.
Constraints:
Length: 1 - 128
Pattern: [\w._:/-]+
String clientId
The client ID for the Amazon Cognito user pool.
Constraints:
Length: 1 - 128
Pattern: [\w_]+
Boolean serverSideTokenCheck
TRUE if server-side token validation is enabled for the identity provider’s token.
Once you set ServerSideTokenCheck to TRUE for an identity
pool, that identity pool will check with the integrated user pools to
make sure that the user has not been globally signed out or deleted
before the identity pool provides an OIDC token or AWS credentials for
the user.
If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.
String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w ]+
Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
String developerProviderName
The "domain" by which Cognito will refer to your users. This name acts as
a placeholder that allows your backend and the Cognito service to
communicate about the developer provider. For the
DeveloperProviderName, you can use letters as well as period
(.), underscore (_), and dash (-).
Once you have set a developer provider name, you cannot change it. Please take care in setting this parameter.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
List<E> openIdConnectProviderARNs
A list of OpendID Connect provider ARNs.
List<E> cognitoIdentityProviders
An array of Amazon Cognito user pools and their client IDs.
List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
Map<K,V> identityPoolTags
Tags to assign to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w ]+
Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
List<E> openIdConnectProviderARNs
A list of OpendID Connect provider ARNs.
List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
String accessKeyId
The Access Key portion of the credentials.
String secretKey
The Secret Access Key portion of the credentials
String sessionToken
The Session Token portion of the credentials
Date expiration
The date at which these credentials will expire.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w ]+
Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
List<E> openIdConnectProviderARNs
A list of OpendID Connect provider ARNs.
List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
List<E> logins
The provider names.
Date creationDate
Date on which the identity was created.
Date lastModifiedDate
Date on which the identity was last modified.
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> logins
A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".
Logins should not be specified when trying to get credentials for an unauthenticated identity.
The Logins parameter is required when using identities associated with
external identity providers such as FaceBook. For examples of
Logins maps, see the code examples in the External Identity Providers section of the Amazon Cognito Developer
Guide.
String customRoleArn
The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider. For example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.
Constraints:
Length: 20 - 2048
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Credentials credentials
Credentials for the provided identity ID.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> roles
The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.
Map<K,V> roleMappings
How users for a specific identity provider are to mapped to roles. This is a String-to-RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
String accountId
A standard AWS account ID (9+ digits).
Constraints:
Length: 1 - 15
Pattern: \d+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. The available provider names for Logins are as
follows:
Facebook: graph.facebook.com
Amazon Cognito user pool:
cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
, for example,
cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789.
Google: accounts.google.com
Amazon: www.amazon.com
Twitter: api.twitter.com
Digits: www.digits.com
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. Each name-value pair represents a user from a public provider or
developer provider. If the user is from a developer provider, the
name-value pair will follow the syntax
"developer_provider_name": "developer_user_identifier". The
developer provider is the "domain" by which Cognito will refer to your
users; you provided this domain while creating/updating the identity
pool. The developer user identifier is an identifier from your backend
that uniquely identifies a user. When you create an identity pool, you
can specify the supported logins.
Long tokenDuration
The expiration time of the token, in seconds. You can specify a custom expiration time for the token so that you can cache it. If you don't provide an expiration time, the token is valid for 15 minutes. You can exchange the token with Amazon STS for temporary AWS credentials, which are valid for a maximum of one hour. The maximum token duration you can set is 24 hours. You should take care in setting the expiration time for a token, as there are significant security implications: an attacker could use a leaked token to access your AWS resources for the token's duration.
Constraints:
Range: 1 - 86400
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. When using graph.facebook.com and www.amazon.com, supply the
access_token returned from the provider's authflow. For
accounts.google.com, an Amazon Cognito user pool provider, or any other
OpenId Connect provider, always include the id_token.
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
List<E> logins
The provider names.
Date creationDate
Date on which the identity was created.
Date lastModifiedDate
Date on which the identity was last modified.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Integer maxResults
The maximum number of identities to return.
Constraints:
Range: 1 - 60
String nextToken
A pagination token.
Constraints:
Length: 1 -
Pattern: [\S]+
Boolean hideDisabled
An optional boolean parameter that allows you to hide disabled identities. If omitted, the ListIdentities API will include disabled identities in the response.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
List<E> identities
An object containing a set of identities and associated mappings.
String nextToken
A pagination token.
Constraints:
Length: 1 -
Pattern: [\S]+
String resourceArn
The Amazon Resource Name (ARN) of the identity pool that the tags are assigned to.
Constraints:
Length: 20 - 2048
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String developerUserIdentifier
A unique ID used by your backend authentication process to identify a user. Typically, a developer identity provider would issue many developer user identifiers, in keeping with the number of users.
Constraints:
Length: 1 - 1024
Integer maxResults
The maximum number of identities to return.
Constraints:
Range: 1 - 60
String nextToken
A pagination token. The first call you make will have
NextToken set to null. After that the service will return
NextToken values as needed. For example, let's say you make
a request with MaxResults set to 10, and there are 20
matches in the database. The service will return a pagination token as a
part of the response. This token can be used to call the API again and
get results starting from the 11th match.
Constraints:
Length: 1 -
Pattern: [\S]+
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
List<E> developerUserIdentifierList
This is the list of developer user identifiers associated with an identity ID. Cognito supports the association of multiple developer user identifiers with an identity ID.
String nextToken
A pagination token. The first call you make will have
NextToken set to null. After that the service will return
NextToken values as needed. For example, let's say you make
a request with MaxResults set to 10, and there are 20
matches in the database. The service will return a pagination token as a
part of the response. This token can be used to call the API again and
get results starting from the 11th match.
Constraints:
Length: 1 -
Pattern: [\S]+
String claim
The claim name that must be present in the token, for example, "isAdmin" or "paid".
Constraints:
Length: 1 - 64
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+
String matchType
The match condition that specifies how closely the claim value in the IdP
token must match Value.
Constraints:
Allowed Values: Equals, Contains, StartsWith, NotEqual
String value
A brief string that the claim must match, for example, "paid" or "yes".
Constraints:
Length: 1 - 128
String roleARN
The role ARN.
Constraints:
Length: 20 - 2048
String sourceUserIdentifier
User identifier for the source user. The value should be a
DeveloperUserIdentifier.
Constraints:
Length: 1 - 1024
String destinationUserIdentifier
User identifier for the destination user. The value should be a
DeveloperUserIdentifier.
Constraints:
Length: 1 - 1024
String developerProviderName
The "domain" by which Cognito will refer to your users. This is a
(pseudo) domain name that you provide while creating an identity pool.
This name acts as a placeholder that allows your backend and the Cognito
service to communicate about the developer provider. For the
DeveloperProviderName, you can use letters as well as period
(.), underscore (_), and dash (-).
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String type
The role mapping type. Token will use cognito:roles and
cognito:preferred_role claims from the Cognito identity
provider token to map groups to roles. Rules will attempt to match claims
from the token to map to a role.
Constraints:
Allowed Values: Token, Rules
String ambiguousRoleResolution
If you specify Token or Rules as the Type,
AmbiguousRoleResolution is required.
Specifies the action to be taken if either no rules match the claim value
for the Rules type, or there is no
cognito:preferred_role claim and there are multiple
cognito:roles matches for the Token type.
Constraints:
Allowed Values: AuthenticatedRole, Deny
RulesConfigurationType rulesConfiguration
The rules to be used for mapping users to roles.
If you specify Rules as the role mapping type,
RulesConfiguration is required.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> roles
The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.
Map<K,V> roleMappings
How users for a specific identity provider are to mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
Up to 25 rules can be specified per identity provider.
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
String developerUserIdentifier
A unique ID used by your backend authentication process to identify a user.
Constraints:
Length: 1 - 1024
String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Map<K,V> logins
A set of optional name-value pairs that map provider names to provider tokens.
List<E> loginsToRemove
Provider names to unlink from this identity.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w ]+
Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
List<E> openIdConnectProviderARNs
A list of OpendID Connect provider ARNs.
List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w ]+
Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
List<E> openIdConnectProviderARNs
A list of OpendID Connect provider ARNs.
List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
String assumedRoleId
A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
Constraints:
Length: 2 - 193
Pattern: [\w+=,.@:-]*
String arn
The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
String roleArn
The Amazon Resource Name (ARN) of the role to assume.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
String roleSessionName
An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their AWS CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
String policy
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
Integer durationSeconds
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration
of a console session that you might request using the returned
credentials. The request to the federation endpoint for a console sign-in
token takes a SessionDuration parameter that specifies the
maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management
Console in the IAM User Guide.
Constraints:
Range: 900 - 43200
String externalId
A unique identifier that might be required when you assume a role in
another account. If the administrator of the account to which the role
belongs provided you with an external ID, then provide that value in the
ExternalId parameter. This value can be any string, such as
a passphrase or account number. A cross-account role is usually set up to
trust everyone in an account. Therefore, the administrator of the
trusting account might send an external ID to the administrator of the
trusted account. That way, only someone with the ID can assume the role,
rather than everyone in the account. For more information about the
external ID, see How to Use an External ID When Granting Access to Your AWS Resources to
a Third Party in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
Constraints:
Length: 2 - 1224
Pattern: [\w+=,.@:\/-]*
String serialNumber
The identification number of the MFA device that is associated with the
user who is making the AssumeRole call. Specify this value
if the trust policy of the role being assumed includes a condition that
requires MFA authentication. The value is either the serial number for a
hardware device (such as GAHT12345678) or an Amazon Resource
Name (ARN) for a virtual device (such as
arn:aws:iam::123456789012:mfa/user).
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 9 - 256
Pattern: [\w+=/:,.@-]*
String tokenCode
The value provided by the MFA device, if the trust policy of the role
being assumed requires MFA (that is, if the policy includes a condition
that tests for MFA). If the role being assumed requires MFA and if the
TokenCode value is missing or expired, the
AssumeRole call returns an "access denied" error.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Constraints:
Length: 6 - 6
Pattern: [\d]*
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
AssumedRoleUser assumedRoleUser
The Amazon Resource Name (ARN) and the assumed role ID, which are
identifiers that you can use to refer to the resulting temporary security
credentials. For example, you can reference these credentials as a
principal in a resource-based policy by using the ARN or assumed role ID.
The ARN and ID include the RoleSessionName that you
specified when you called AssumeRole.
Integer packedPolicySize
A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
Constraints:
Range: 0 -
String roleArn
The Amazon Resource Name (ARN) of the role that the caller is assuming.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
String roleSessionName
An identifier for the assumed role session. Typically, you pass the name
or identifier that is associated with the user who is using your
application. That way, the temporary security credentials that your
application will use are associated with that user. This session name is
included as part of the ARN and assumed role ID in the
AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
String webIdentityToken
The OAuth 2.0 access token or OpenID Connect ID token that is provided by
the identity provider. Your application must get this token by
authenticating the user who is using your application with a web identity
provider before the application makes an
AssumeRoleWithWebIdentity call.
Constraints:
Length: 4 - 2048
String providerId
The fully qualified host component of the domain name of the identity provider.
Specify this value only for OAuth 2.0 access tokens. Currently
www.amazon.com and graph.facebook.com are the
only supported identity providers for OAuth 2.0 access tokens. Do not
include URL schemes and port numbers.
Do not specify this value for OpenID Connect ID tokens.
Constraints:
Length: 4 - 2048
List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
String policy
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent AWS API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
Integer durationSeconds
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration
of a console session that you might request using the returned
credentials. The request to the federation endpoint for a console sign-in
token takes a SessionDuration parameter that specifies the
maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the AWS Management
Console in the IAM User Guide.
Constraints:
Range: 900 - 43200
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
String subjectFromWebIdentityToken
The unique user identifier that is returned by the identity provider.
This identifier is associated with the WebIdentityToken that
was submitted with the AssumeRoleWithWebIdentity call. The
identifier is typically unique to the user and the application that
acquired the WebIdentityToken (pairwise identifier). For
OpenID Connect ID tokens, this field contains the value returned by the
identity provider as the token's sub (Subject) claim.
Constraints:
Length: 6 - 255
AssumedRoleUser assumedRoleUser
The Amazon Resource Name (ARN) and the assumed role ID, which are
identifiers that you can use to refer to the resulting temporary security
credentials. For example, you can reference these credentials as a
principal in a resource-based policy by using the ARN or assumed role ID.
The ARN and ID include the RoleSessionName that you
specified when you called AssumeRole.
Integer packedPolicySize
A percentage value that indicates the size of the policy in packed form. The service rejects any policy with a packed size greater than 100 percent, which means the policy exceeded the allowed space.
Constraints:
Range: 0 -
String provider
The issuing authority of the web identity token presented. For OpenID
Connect ID tokens, this contains the value of the iss field.
For OAuth 2.0 access tokens, this contains the value of the
ProviderId parameter that was passed in the
AssumeRoleWithWebIdentity request.
String audience
The intended audience (also known as client ID) of the web identity token. This is traditionally the client identifier issued to the application that requested the web identity token.
String accessKeyId
The access key ID that identifies the temporary security credentials.
Constraints:
Length: 16 - 128
Pattern: [\w]*
String secretAccessKey
The secret access key that can be used to sign requests.
String sessionToken
The token that users must pass to the service API to use the temporary credentials.
Date expiration
The date on which the current credentials expire.
String federatedUserId
The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.
Constraints:
Length: 2 - 193
Pattern: [\w+=,.@\:-]*
String arn
The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
String userId
The unique identifier of the calling entity. The exact value depends on the type of entity that is making the call. The values returned are those listed in the aws:userid column in the Principal table found on the Policy Variables reference page in the IAM User Guide.
String account
The AWS account ID number of the account that owns or contains the calling entity.
String arn
The AWS ARN associated with the calling entity.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
String name
The name of the federated user. The name is used as an identifier for the
temporary security credentials (such as Bob). For example,
you can reference the federated user name in a resource-based policy,
such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 32
Pattern: [\w+=,.@-]*
String policy
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies.
This parameter is optional. However, if you do not pass any session
policies, then the resulting federated user session has no permissions.
The only exception is when the credentials are used to access a resource
that has a resource-based policy that specifically references the
federated user session in the Principal element of the
policy.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policies to use as managed session policies. The plain text that you use for both inline and managed session policies shouldn't exceed 2048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
This parameter is optional. However, if you do not pass any session
policies, then the resulting federated user session has no permissions.
The only exception is when the credentials are used to access a resource
that has a resource-based policy that specifically references the
federated user session in the Principal element of the
policy.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The characters in this parameter count towards the 2048 character session
policy guideline. However, an AWS conversion compresses the session
policies into a packed binary format that has a separate limit. This is
the enforced limit. The PackedPolicySize response element
indicates by percentage how close the policy is to the upper size limit.
Integer durationSeconds
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using AWS account root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
Constraints:
Range: 900 - 129600
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
FederatedUser federatedUser
Identifiers for the federated user associated with the credentials (such
as arn:aws:sts::123456789012:federated-user/Bob or
123456789012:Bob). You can use the federated user's ARN in
your resource-based policies, such as an Amazon S3 bucket policy.
Integer packedPolicySize
A percentage value indicating the size of the policy in packed form. The service rejects policies for which the packed size is greater than 100 percent of the allowed value.
Constraints:
Range: 0 -
Integer durationSeconds
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for AWS account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for AWS account owners defaults to one hour.
Constraints:
Range: 900 - 129600
String serialNumber
The identification number of the MFA device that is associated with the
IAM user who is making the GetSessionToken call. Specify
this value if the IAM user has a policy that requires MFA authentication.
The value is either the serial number for a hardware device (such as
GAHT12345678) or an Amazon Resource Name (ARN) for a virtual
device (such as arn:aws:iam::123456789012:mfa/user). You can
find the device for an IAM user by going to the AWS Management Console
and viewing the user's security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
Constraints:
Length: 9 - 256
Pattern: [\w+=/:,.@-]*
String tokenCode
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an "access denied" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Constraints:
Length: 6 - 6
Pattern: [\d]*
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
String arn
The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and AWS Service Namespaces in the AWS General Reference.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
Copyright © 2019. All rights reserved.