java.lang.String requestId
java.lang.String errorCode
AmazonServiceException.ErrorType errorType
AmazonServiceException.ErrorTypejava.lang.String errorMessage
int statusCode
java.lang.String serviceName
boolean autoConstruct
java.lang.String providerName
The provider name for an Amazon Cognito user pool. For example,
cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789.
Constraints:
Length: 1 - 128
Pattern: [\w._:/-]+
java.lang.String clientId
The client ID for the Amazon Cognito user pool.
Constraints:
Length: 1 - 128
Pattern: [\w_]+
java.lang.Boolean serverSideTokenCheck
TRUE if server-side token validation is enabled for the identity provider’s token.
Once you set ServerSideTokenCheck to TRUE for an identity
pool, that identity pool will check with the integrated user pools to
make sure that the user has not been globally signed out or deleted
before the identity pool provides an OIDC token or AWS credentials for
the user.
If the user is signed out or deleted, the identity pool will return a 400 Not Authorized error.
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
java.lang.Boolean allowClassicFlow
Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the Amazon Cognito Developer Guide.
java.util.Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users. This name acts as
a placeholder that allows your backend and the Cognito service to
communicate about the developer provider. For the
DeveloperProviderName, you can use letters as well as period
(.), underscore (_), and dash (-).
Once you have set a developer provider name, you cannot change it. Please take care in setting this parameter.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.util.List<E> openIdConnectProviderARNs
The Amazon Resource Names (ARN) of the OpenID Connect providers.
java.util.List<E> cognitoIdentityProviders
An array of Amazon Cognito user pools and their client IDs.
java.util.List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
java.util.Map<K,V> identityPoolTags
Tags to assign to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
java.lang.Boolean allowClassicFlow
Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the Amazon Cognito Developer Guide.
java.util.Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.util.List<E> openIdConnectProviderARNs
The ARNs of the OpenID Connect providers.
java.util.List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
java.util.List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
java.util.Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
java.lang.String accessKeyId
The Access Key portion of the credentials.
java.lang.String secretKey
The Secret Access Key portion of the credentials
java.lang.String sessionToken
The Session Token portion of the credentials
java.util.Date expiration
The date at which these credentials will expire.
java.util.List<E> identityIdsToDelete
A list of 1-60 identities that you want to delete.
java.util.List<E> unprocessedIdentityIds
An array of UnprocessedIdentityId objects, each of which contains an ErrorCode and IdentityId.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
java.lang.Boolean allowClassicFlow
Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the Amazon Cognito Developer Guide.
java.util.Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.util.List<E> openIdConnectProviderARNs
The ARNs of the OpenID Connect providers.
java.util.List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
java.util.List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
java.util.Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.List<E> logins
The provider names.
java.util.Date creationDate
Date on which the identity was created.
java.util.Date lastModifiedDate
Date on which the identity was last modified.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> logins
A set of optional name-value pairs that map provider names to provider tokens. The name-value pair will follow the syntax "provider_name": "provider_user_identifier".
Logins should not be specified when trying to get credentials for an unauthenticated identity.
The Logins parameter is required when using identities associated with
external identity providers such as Facebook. For examples of
Logins maps, see the code examples in the External Identity Providers section of the Amazon Cognito Developer
Guide.
java.lang.String customRoleArn
The Amazon Resource Name (ARN) of the role to be assumed when multiple roles were received in the token from the identity provider. For example, a SAML-based identity provider. This parameter is optional for identity providers that do not support role customization.
Constraints:
Length: 20 - 2048
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
Credentials credentials
Credentials for the provided identity ID.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> roles
The map of roles associated with this pool. Currently only authenticated and unauthenticated roles are supported.
java.util.Map<K,V> roleMappings
How users for a specific identity provider are to mapped to roles. This is a String-to-RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
java.lang.String accountId
A standard AWS account ID (9+ digits).
Constraints:
Length: 1 - 15
Pattern: \d+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. The available provider names for Logins are as
follows:
Facebook: graph.facebook.com
Amazon Cognito user pool:
cognito-idp.<region>.amazonaws.com/<YOUR_USER_POOL_ID>
, for example,
cognito-idp.us-east-1.amazonaws.com/us-east-1_123456789.
Google: accounts.google.com
Amazon: www.amazon.com
Twitter: api.twitter.com
Digits: www.digits.com
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. Each name-value pair represents a user from a public provider or
developer provider. If the user is from a developer provider, the
name-value pair will follow the syntax
"developer_provider_name": "developer_user_identifier". The
developer provider is the "domain" by which Cognito will refer to your
users; you provided this domain while creating/updating the identity
pool. The developer user identifier is an identifier from your backend
that uniquely identifies a user. When you create an identity pool, you
can specify the supported logins.
java.util.Map<K,V> principalTags
Use this operation to configure attribute mappings for custom providers.
java.lang.Long tokenDuration
The expiration time of the token, in seconds. You can specify a custom expiration time for the token so that you can cache it. If you don't provide an expiration time, the token is valid for 15 minutes. You can exchange the token with Amazon STS for temporary AWS credentials, which are valid for a maximum of one hour. The maximum token duration you can set is 24 hours. You should take care in setting the expiration time for a token, as there are significant security implications: an attacker could use a leaked token to access your AWS resources for the token's duration.
Please provide for a small grace period, usually no more than 5 minutes, to account for clock skew.
Constraints:
Range: 1 - 86400
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String token
An OpenID token.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> logins
A set of optional name-value pairs that map provider names to provider
tokens. When using graph.facebook.com and www.amazon.com, supply the
access_token returned from the provider's authflow. For
accounts.google.com, an Amazon Cognito user pool provider, or any other
OpenID Connect provider, always include the id_token.
java.lang.String identityId
A unique identifier in the format REGION:GUID. Note that the IdentityId returned may not match the one passed on input.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String token
An OpenID token, valid for 10 minutes.
java.lang.String identityPoolId
You can use this operation to get the ID of the Identity Pool you setup attribute mappings for.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityProviderName
You can use this operation to get the provider name.
Constraints:
Length: 1 - 128
java.lang.String identityPoolId
You can use this operation to get the ID of the Identity Pool you setup attribute mappings for.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityProviderName
You can use this operation to get the provider name.
Constraints:
Length: 1 - 128
java.lang.Boolean useDefaults
You can use this operation to list
java.util.Map<K,V> principalTags
You can use this operation to add principal tags. The
PrincipalTagsoperation enables you to reference user
attributes in your IAM permissions policy.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.List<E> logins
The provider names.
java.util.Date creationDate
Date on which the identity was created.
java.util.Date lastModifiedDate
Date on which the identity was last modified.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.Integer maxResults
The maximum number of identities to return.
Constraints:
Range: 1 - 60
java.lang.String nextToken
A pagination token.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.lang.Boolean hideDisabled
An optional boolean parameter that allows you to hide disabled identities. If omitted, the ListIdentities API will include disabled identities in the response.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.List<E> identities
An object containing a set of identities and associated mappings.
java.lang.String nextToken
A pagination token.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.lang.Integer maxResults
The maximum number of identities to return.
Constraints:
Range: 1 - 60
java.lang.String nextToken
A pagination token.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.util.List<E> identityPools
The identity pools returned by the ListIdentityPools action.
java.lang.String nextToken
A pagination token.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.lang.String resourceArn
The Amazon Resource Name (ARN) of the identity pool that the tags are assigned to.
Constraints:
Length: 20 - 2048
java.util.Map<K,V> tags
The tags that are assigned to the identity pool.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String developerUserIdentifier
A unique ID used by your backend authentication process to identify a user. Typically, a developer identity provider would issue many developer user identifiers, in keeping with the number of users.
Constraints:
Length: 1 - 1024
java.lang.Integer maxResults
The maximum number of identities to return.
Constraints:
Range: 1 - 60
java.lang.String nextToken
A pagination token. The first call you make will have
NextToken set to null. After that the service will return
NextToken values as needed. For example, let's say you make
a request with MaxResults set to 10, and there are 20
matches in the database. The service will return a pagination token as a
part of the response. This token can be used to call the API again and
get results starting from the 11th match.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.List<E> developerUserIdentifierList
This is the list of developer user identifiers associated with an identity ID. Cognito supports the association of multiple developer user identifiers with an identity ID.
java.lang.String nextToken
A pagination token. The first call you make will have
NextToken set to null. After that the service will return
NextToken values as needed. For example, let's say you make
a request with MaxResults set to 10, and there are 20
matches in the database. The service will return a pagination token as a
part of the response. This token can be used to call the API again and
get results starting from the 11th match.
Constraints:
Length: 1 - 65535
Pattern: [\S]+
java.lang.String claim
The claim name that must be present in the token, for example, "isAdmin" or "paid".
Constraints:
Length: 1 - 64
Pattern: [\p{L}\p{M}\p{S}\p{N}\p{P}]+
java.lang.String matchType
The match condition that specifies how closely the claim value in the IdP
token must match Value.
Constraints:
Allowed Values: Equals, Contains, StartsWith, NotEqual
java.lang.String value
A brief string that the claim must match, for example, "paid" or "yes".
Constraints:
Length: 1 - 128
java.lang.String roleARN
The role ARN.
Constraints:
Length: 20 - 2048
java.lang.String sourceUserIdentifier
User identifier for the source user. The value should be a
DeveloperUserIdentifier.
Constraints:
Length: 1 - 1024
java.lang.String destinationUserIdentifier
User identifier for the destination user. The value should be a
DeveloperUserIdentifier.
Constraints:
Length: 1 - 1024
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users. This is a
(pseudo) domain name that you provide while creating an identity pool.
This name acts as a placeholder that allows your backend and the Cognito
service to communicate about the developer provider. For the
DeveloperProviderName, you can use letters as well as period
(.), underscore (_), and dash (-).
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String type
The role mapping type. Token will use cognito:roles and
cognito:preferred_role claims from the Cognito identity
provider token to map groups to roles. Rules will attempt to match claims
from the token to map to a role.
Constraints:
Allowed Values: Token, Rules
java.lang.String ambiguousRoleResolution
If you specify Token or Rules as the Type,
AmbiguousRoleResolution is required.
Specifies the action to be taken if either no rules match the claim value
for the Rules type, or there is no
cognito:preferred_role claim and there are multiple
cognito:roles matches for the Token type.
Constraints:
Allowed Values: AuthenticatedRole, Deny
RulesConfigurationType rulesConfiguration
The rules to be used for mapping users to roles.
If you specify Rules as the role mapping type,
RulesConfiguration is required.
java.util.List<E> rules
An array of rules. You can specify up to 25 rules per identity provider.
Rules are evaluated in order. The first one to match specifies the role.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> roles
The map of roles associated with this pool. For a given role, the key will be either "authenticated" or "unauthenticated" and the value will be the Role ARN.
java.util.Map<K,V> roleMappings
How users for a specific identity provider are to mapped to roles. This is a string to RoleMapping object map. The string identifies the identity provider, for example, "graph.facebook.com" or "cognito-idp.us-east-1.amazonaws.com/us-east-1_abcdefghi:app_client_id".
Up to 25 rules can be specified per identity provider.
java.lang.String identityPoolId
The ID of the Identity Pool you want to set attribute mappings for.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityProviderName
The provider name you want to use for attribute mappings.
Constraints:
Length: 1 - 128
java.lang.Boolean useDefaults
You can use this operation to use default (username and clientID) attribute mappings.
java.util.Map<K,V> principalTags
You can use this operation to add principal tags.
java.lang.String identityPoolId
The ID of the Identity Pool you want to set attribute mappings for.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityProviderName
The provider name you want to use for attribute mappings.
Constraints:
Length: 1 - 128
java.lang.Boolean useDefaults
You can use this operation to select default (username and clientID) attribute mappings.
java.util.Map<K,V> principalTags
You can use this operation to add principal tags. The
PrincipalTagsoperation enables you to reference user
attributes in your IAM permissions policy.
java.lang.String resourceArn
The Amazon Resource Name (ARN) of the identity pool.
Constraints:
Length: 20 - 2048
java.util.Map<K,V> tags
The tags to assign to the identity pool.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.lang.String developerUserIdentifier
A unique ID used by your backend authentication process to identify a user.
Constraints:
Length: 1 - 1024
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.util.Map<K,V> logins
A set of optional name-value pairs that map provider names to provider tokens.
java.util.List<E> loginsToRemove
Provider names to unlink from this identity.
java.lang.String identityId
A unique identifier in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String errorCode
The error code indicating the type of error that occurred.
Constraints:
Allowed Values: AccessDenied, InternalServerError
java.lang.String resourceArn
The Amazon Resource Name (ARN) of the identity pool.
Constraints:
Length: 20 - 2048
java.util.List<E> tagKeys
The keys of the tags to remove from the user pool.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
java.lang.Boolean allowClassicFlow
Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the Amazon Cognito Developer Guide.
java.util.Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.util.List<E> openIdConnectProviderARNs
The ARNs of the OpenID Connect providers.
java.util.List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
java.util.List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
java.util.Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
java.lang.String identityPoolId
An identity pool ID in the format REGION:GUID.
Constraints:
Length: 1 - 55
Pattern: [\w-]+:[0-9a-f-]+
java.lang.String identityPoolName
A string that you provide.
Constraints:
Length: 1 - 128
Pattern: [\w\s+=,.@-]+
java.lang.Boolean allowUnauthenticatedIdentities
TRUE if the identity pool supports unauthenticated logins.
java.lang.Boolean allowClassicFlow
Enables or disables the Basic (Classic) authentication flow. For more information, see Identity Pools (Federated Identities) Authentication Flow in the Amazon Cognito Developer Guide.
java.util.Map<K,V> supportedLoginProviders
Optional key:value pairs mapping provider names to provider app IDs.
java.lang.String developerProviderName
The "domain" by which Cognito will refer to your users.
Constraints:
Length: 1 - 128
Pattern: [\w._-]+
java.util.List<E> openIdConnectProviderARNs
The ARNs of the OpenID Connect providers.
java.util.List<E> cognitoIdentityProviders
A list representing an Amazon Cognito user pool and its client ID.
java.util.List<E> samlProviderARNs
An array of Amazon Resource Names (ARNs) of the SAML provider for your identity pool.
java.util.Map<K,V> identityPoolTags
The tags that are assigned to the identity pool. A tag is a label that you can apply to identity pools to categorize and manage them in different ways, such as by purpose, owner, environment, or other criteria.
java.lang.String assumedRoleId
A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by Amazon Web Services when the role is created.
Constraints:
Length: 2 - 193
Pattern: [\w+=,.@:-]*
java.lang.String arn
The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String roleArn
The Amazon Resource Name (ARN) of the role to assume.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String roleSessionName
An identifier for the assumed role session.
Use the role session name to uniquely identify a session when the same role is assumed by different principals or for different reasons. In cross-account scenarios, the role session name is visible to, and can be logged by the account that owns the role. The role session name is also used in the ARN of the assumed role principal. This means that subsequent cross-account API requests that use the temporary security credentials will expose the role session name to the external account in their CloudTrail logs.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.util.List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
java.lang.String policy
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
java.lang.Integer durationSeconds
The duration, in seconds, of the role session. The value specified can range from 900 seconds (15 minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails.
Role chaining limits your Amazon Web Services CLI or Amazon Web Services
API role session to a maximum of one hour. When you use the
AssumeRole API operation to assume a role, you can specify
the duration of your role session with the DurationSeconds
parameter. You can specify a parameter value of up to 43200 seconds (12
hours), depending on the maximum session duration setting for your role.
However, if you assume a role using role chaining and provide a
DurationSeconds parameter value greater than one hour, the
operation fails. To learn how to view the maximum value for your role,
see View the Maximum Session Duration Setting for a Role in the IAM
User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration
of a console session that you might request using the returned
credentials. The request to the federation endpoint for a console sign-in
token takes a SessionDuration parameter that specifies the
maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web
Services Management Console in the IAM User Guide.
Constraints:
Range: 900 - 43200
java.util.List<E> tags
A list of session tags that you want to pass. Each session tag consists of a key name and an associated value. For more information about session tags, see Tagging Amazon Web Services STS Sessions in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters, and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
You can pass a session tag with the same key as a tag that is already attached to the role. When you do, session tags override a role tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
Additionally, if you used temporary credentials to perform this operation, the new session inherits any transitive session tags from the calling session. If you pass a session tag with the same key as an inherited tag, the operation fails. To view the inherited tags for a session, see the CloudTrail logs. For more information, see Viewing Session Tags in CloudTrail in the IAM User Guide.
java.util.List<E> transitiveTagKeys
A list of keys for session tags that you want to set as transitive. If you set a tag key as transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see Chaining Roles with Session Tags in the IAM User Guide.
This parameter is optional. When you set session tags as transitive, the session policy and session tags packed binary limit is not affected.
If you choose not to specify a transitive tag key, then no tags are passed from this session to any subsequent sessions.
java.lang.String externalId
A unique identifier that might be required when you assume a role in
another account. If the administrator of the account to which the role
belongs provided you with an external ID, then provide that value in the
ExternalId parameter. This value can be any string, such as
a passphrase or account number. A cross-account role is usually set up to
trust everyone in an account. Therefore, the administrator of the
trusting account might send an external ID to the administrator of the
trusted account. That way, only someone with the ID can assume the role,
rather than everyone in the account. For more information about the
external ID, see How to Use an External ID When Granting Access to Your Amazon Web
Services Resources to a Third Party in the IAM User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
Constraints:
Length: 2 - 1224
Pattern: [\w+=,.@:\/-]*
java.lang.String serialNumber
The identification number of the MFA device that is associated with the
user who is making the AssumeRole call. Specify this value
if the trust policy of the role being assumed includes a condition that
requires MFA authentication. The value is either the serial number for a
hardware device (such as GAHT12345678) or an Amazon Resource
Name (ARN) for a virtual device (such as
arn:aws:iam::123456789012:mfa/user).
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 9 - 256
Pattern: [\w+=/:,.@-]*
java.lang.String tokenCode
The value provided by the MFA device, if the trust policy of the role
being assumed requires MFA. (In other words, if the policy includes a
condition that tests for MFA). If the role being assumed requires MFA and
if the TokenCode value is missing or expired, the
AssumeRole call returns an "access denied" error.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Constraints:
Length: 6 - 6
Pattern: [\d]*
java.lang.String sourceIdentity
The source identity specified by the principal that is calling the
AssumeRole operation.
You can require users to specify a source identity when they assume a
role. You do this by using the sts:SourceIdentity condition
key in a role trust policy. You can use source identity information in
CloudTrail logs to determine who took actions with a role. You can use
the aws:SourceIdentity condition key to further control
access to Amazon Web Services resources based on the value of source
identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM
User Guide.
The regex used to validate this parameter is a string of characters
consisting of upper- and lower-case alphanumeric characters with no
spaces. You can also include underscores or any of the following
characters: =,.@-. You cannot use a value that begins with the text
aws:. This prefix is reserved for Amazon Web Services
internal use.
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.util.List<E> providedContexts
Reserved for future use.
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
AssumedRoleUser assumedRoleUser
The Amazon Resource Name (ARN) and the assumed role ID, which are
identifiers that you can use to refer to the resulting temporary security
credentials. For example, you can reference these credentials as a
principal in a resource-based policy by using the ARN or assumed role ID.
The ARN and ID include the RoleSessionName that you
specified when you called AssumeRole.
java.lang.Integer packedPolicySize
A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
Constraints:
Range: 0 -
java.lang.String sourceIdentity
The source identity specified by the principal that is calling the
AssumeRole operation.
You can require users to specify a source identity when they assume a
role. You do this by using the sts:SourceIdentity condition
key in a role trust policy. You can use source identity information in
CloudTrail logs to determine who took actions with a role. You can use
the aws:SourceIdentity condition key to further control
access to Amazon Web Services resources based on the value of source
identity. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM
User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.lang.String roleArn
The Amazon Resource Name (ARN) of the role that the caller is assuming.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String principalArn
The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String sAMLAssertion
The base64 encoded SAML authentication response provided by the IdP.
For more information, see Configuring a Relying Party and Adding Claims in the IAM User Guide.
Constraints:
Length: 4 - 100000
java.util.List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
java.lang.String policy
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
java.lang.Integer durationSeconds
The duration, in seconds, of the role session. Your role session lasts
for the duration that you specify for the DurationSeconds
parameter, or until the time specified in the SAML authentication
response's SessionNotOnOrAfter value, whichever is shorter.
You can provide a DurationSeconds value from 900 seconds (15
minutes) up to the maximum session duration setting for the role. This
setting can have a value from 1 hour to 12 hours. If you specify a value
higher than this setting, the operation fails. For example, if you
specify a session duration of 12 hours, but your administrator set the
maximum session duration to 6 hours, your operation fails. To learn how
to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM
User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration
of a console session that you might request using the returned
credentials. The request to the federation endpoint for a console sign-in
token takes a SessionDuration parameter that specifies the
maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web
Services Management Console in the IAM User Guide.
Constraints:
Range: 900 - 43200
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
AssumedRoleUser assumedRoleUser
The identifiers for the temporary security credentials that the operation returns.
java.lang.Integer packedPolicySize
A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
Constraints:
Range: 0 -
java.lang.String subject
The value of the NameID element in the Subject
element of the SAML assertion.
java.lang.String subjectType
The format of the name ID, as defined by the Format
attribute in the NameID element of the SAML assertion.
Typical examples of the format are transient or
persistent.
If the format includes the prefix
urn:oasis:names:tc:SAML:2.0:nameid-format, that prefix is
removed. For example,
urn:oasis:names:tc:SAML:2.0:nameid-format:transient is
returned as transient. If the format includes any other
prefix, the format is returned with no modifications.
java.lang.String issuer
The value of the Issuer element of the SAML assertion.
java.lang.String audience
The value of the Recipient attribute of the
SubjectConfirmationData element of the SAML assertion.
java.lang.String nameQualifier
A hash value based on the concatenation of the following:
The Issuer response value.
The Amazon Web Services account ID.
The friendly name (the last part of the ARN) of the SAML provider in IAM.
The combination of NameQualifier and Subject
can be used to uniquely identify a user.
The following pseudocode shows how the hash value is calculated:
BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012" + "/MySAMLIdP" ) )
java.lang.String sourceIdentity
The value in the SourceIdentity attribute in the SAML
assertion.
You can require users to set a source identity value when they assume a
role. You do this by using the sts:SourceIdentity condition
key in a role trust policy. That way, actions that are taken with the
role are associated with that user. After the source identity is set, the
value cannot be changed. It is present in the request for all actions
that are taken by the role and persists across chained role sessions. You can configure your SAML identity provider
to use an attribute associated with your users, like user name or email,
as the source identity when calling AssumeRoleWithSAML. You
do this by adding an attribute to the SAML assertion. For more
information about using source identity, see Monitor and control actions taken with assumed roles in the IAM
User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.lang.String roleArn
The Amazon Resource Name (ARN) of the role that the caller is assuming.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String roleSessionName
An identifier for the assumed role session. Typically, you pass the name
or identifier that is associated with the user who is using your
application. That way, the temporary security credentials that your
application will use are associated with that user. This session name is
included as part of the ARN and assumed role ID in the
AssumedRoleUser response element.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.lang.String webIdentityToken
The OAuth 2.0 access token or OpenID Connect ID token that is provided by
the identity provider. Your application must get this token by
authenticating the user who is using your application with a web identity
provider before the application makes an
AssumeRoleWithWebIdentity call. Only tokens with RSA
algorithms (RS256) are supported.
Constraints:
Length: 4 - 20000
java.lang.String providerId
The fully qualified host component of the domain name of the OAuth 2.0 identity provider. Do not specify this value for an OpenID Connect identity provider.
Currently www.amazon.com and graph.facebook.com
are the only supported identity providers for OAuth 2.0 access tokens. Do
not include URL schemes and port numbers.
Do not specify this value for OpenID Connect ID tokens.
Constraints:
Length: 4 - 2048
java.util.List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session policies. The policies must exist in the same account as the role.
This parameter is optional. You can provide up to 10 managed policy ARNs. However, the plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
java.lang.String policy
An IAM policy in JSON format that you want to use as an inline session policy.
This parameter is optional. Passing policies to this operation returns new temporary credentials. The resulting session's permissions are the intersection of the role's identity-based policy and the session policies. You can use the role's temporary credentials in subsequent Amazon Web Services API calls to access resources in the account that owns the role. You cannot use session policies to grant more permissions than those allowed by the identity-based policy of the role that is being assumed. For more information, see Session Policies in the IAM User Guide.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
java.lang.Integer durationSeconds
The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to view the maximum value for your role, see View the Maximum Session Duration Setting for a Role in the IAM User Guide.
By default, the value is set to 3600 seconds.
The DurationSeconds parameter is separate from the duration
of a console session that you might request using the returned
credentials. The request to the federation endpoint for a console sign-in
token takes a SessionDuration parameter that specifies the
maximum length of the console session. For more information, see Creating a URL that Enables Federated Users to Access the Amazon Web
Services Management Console in the IAM User Guide.
Constraints:
Range: 900 - 43200
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
java.lang.String subjectFromWebIdentityToken
The unique user identifier that is returned by the identity provider.
This identifier is associated with the WebIdentityToken that
was submitted with the AssumeRoleWithWebIdentity call. The
identifier is typically unique to the user and the application that
acquired the WebIdentityToken (pairwise identifier). For
OpenID Connect ID tokens, this field contains the value returned by the
identity provider as the token's sub (Subject) claim.
Constraints:
Length: 6 - 255
AssumedRoleUser assumedRoleUser
The Amazon Resource Name (ARN) and the assumed role ID, which are
identifiers that you can use to refer to the resulting temporary security
credentials. For example, you can reference these credentials as a
principal in a resource-based policy by using the ARN or assumed role ID.
The ARN and ID include the RoleSessionName that you
specified when you called AssumeRole.
java.lang.Integer packedPolicySize
A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
Constraints:
Range: 0 -
java.lang.String provider
The issuing authority of the web identity token presented. For OpenID
Connect ID tokens, this contains the value of the iss field.
For OAuth 2.0 access tokens, this contains the value of the
ProviderId parameter that was passed in the
AssumeRoleWithWebIdentity request.
java.lang.String audience
The intended audience (also known as client ID) of the web identity token. This is traditionally the client identifier issued to the application that requested the web identity token.
java.lang.String sourceIdentity
The value of the source identity that is returned in the JSON web token (JWT) from the identity provider.
You can require users to set a source identity value when they assume a
role. You do this by using the sts:SourceIdentity condition
key in a role trust policy. That way, actions that are taken with the
role are associated with that user. After the source identity is set, the
value cannot be changed. It is present in the request for all actions
that are taken by the role and persists across chained role sessions. You can configure your identity provider to
use an attribute associated with your users, like user name or email, as
the source identity when calling AssumeRoleWithWebIdentity.
You do this by adding a claim to the JSON web token. To learn more about
OIDC tokens and claims, see Using Tokens with User Pools in the Amazon Cognito Developer
Guide. For more information about using source identity, see Monitor and control actions taken with assumed roles in the IAM
User Guide.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 64
Pattern: [\w+=,.@-]*
java.lang.String accessKeyId
The access key ID that identifies the temporary security credentials.
Constraints:
Length: 16 - 128
Pattern: [\w]*
java.lang.String secretAccessKey
The secret access key that can be used to sign requests.
java.lang.String sessionToken
The token that users must pass to the service API to use the temporary credentials.
java.util.Date expiration
The date on which the current credentials expire.
java.lang.String encodedMessage
The encoded message that was returned with the response.
Constraints:
Length: 1 - 10240
java.lang.String decodedMessage
The API returns a response with the decoded message.
java.lang.String federatedUserId
The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.
Constraints:
Length: 2 - 193
Pattern: [\w+=,.@\:-]*
java.lang.String arn
The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in the IAM User Guide.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String accessKeyId
The identifier of an access key.
This parameter allows (through its regex pattern) a string of characters that can consist of any upper- or lowercase letter or digit.
Constraints:
Length: 16 - 128
Pattern: [\w]*
java.lang.String account
The number used to identify the Amazon Web Services account.
java.lang.String userId
The unique identifier of the calling entity. The exact value depends on the type of entity that is making the call. The values returned are those listed in the aws:userid column in the Principal table found on the Policy Variables reference page in the IAM User Guide.
java.lang.String account
The Amazon Web Services account ID number of the account that owns or contains the calling entity.
java.lang.String arn
The Amazon Web Services ARN associated with the calling entity.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String name
The name of the federated user. The name is used as an identifier for the
temporary security credentials (such as Bob). For example,
you can reference the federated user name in a resource-based policy,
such as in an Amazon S3 bucket policy.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@-
Constraints:
Length: 2 - 32
Pattern: [\w+=,.@-]*
java.lang.String policy
An IAM policy in JSON format that you want to use as an inline session policy.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. The JSON policy characters can be any ASCII character from the space character to the end of the valid character list ( through ÿ). It can also include the tab ( ), linefeed ( ), and carriage return ( ) characters.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
Constraints:
Length: 1 - 2048
Pattern: [ -ÿ]+
java.util.List<E> policyArns
The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as a managed session policy. The policies must exist in the same account as the IAM user that is requesting federated access.
You must pass an inline or managed session policy to this operation. You can pass a single JSON policy document to use as an inline session policy. You can also specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed session policies. The plaintext that you use for both inline and managed session policies can't exceed 2,048 characters. You can provide up to 10 managed policy ARNs. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
This parameter is optional. However, if you do not pass any session policies, then the resulting federated user session has no permissions.
When you pass session policies, the session permissions are the intersection of the IAM user policies and the session policies that you pass. This gives you a way to further restrict the permissions for a federated user. You cannot use session policies to grant more permissions than those that are defined in the permissions policy of the IAM user. For more information, see Session Policies in the IAM User Guide.
The resulting credentials can be used to access a resource that has a
resource-based policy. If that policy specifically references the
federated user session in the Principal element of the
policy, the session has the permissions allowed by the policy. These
permissions are granted in addition to the permissions that are granted
by the session policies.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
java.lang.Integer durationSeconds
The duration, in seconds, that the session should last. Acceptable durations for federation sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions obtained using root user credentials are restricted to a maximum of 3,600 seconds (one hour). If the specified duration is longer than one hour, the session obtained by using root user credentials defaults to one hour.
Constraints:
Range: 900 - 129600
java.util.List<E> tags
A list of session tags. Each session tag consists of a key name and an associated value. For more information about session tags, see Passing Session Tags in STS in the IAM User Guide.
This parameter is optional. You can pass up to 50 session tags. The plaintext session tag keys can’t exceed 128 characters and the values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
An Amazon Web Services conversion compresses the passed inline session
policy, managed policy ARNs, and session tags into a packed binary format
that has a separate limit. Your request can fail for this limit even if
your plaintext meets the other requirements. The
PackedPolicySize response element indicates by percentage
how close the policies and tags for your request are to the upper size
limit.
You can pass a session tag with the same key as a tag that is already attached to the user you are federating. When you do, session tags override a user tag with the same key.
Tag key–value pairs are not case sensitive, but case is preserved. This
means that you cannot have separate Department and
department tag keys. Assume that the role has the
Department=Marketing tag and you pass the
department=engineering session tag.
Department and department are not saved as
separate tags, and the session tag passed in the request takes precedence
over the role tag.
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
FederatedUser federatedUser
Identifiers for the federated user associated with the credentials (such
as arn:aws:sts::123456789012:federated-user/Bob or
123456789012:Bob). You can use the federated user's ARN in
your resource-based policies, such as an Amazon S3 bucket policy.
java.lang.Integer packedPolicySize
A percentage value that indicates the packed size of the session policies and session tags combined passed in the request. The request fails if the packed size is greater than 100 percent, which means the policies and tags exceeded the allowed space.
Constraints:
Range: 0 -
java.lang.Integer durationSeconds
The duration, in seconds, that the credentials should remain valid. Acceptable durations for IAM user sessions range from 900 seconds (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the default. Sessions for Amazon Web Services account owners are restricted to a maximum of 3,600 seconds (one hour). If the duration is longer than one hour, the session for Amazon Web Services account owners defaults to one hour.
Constraints:
Range: 900 - 129600
java.lang.String serialNumber
The identification number of the MFA device that is associated with the
IAM user who is making the GetSessionToken call. Specify
this value if the IAM user has a policy that requires MFA authentication.
The value is either the serial number for a hardware device (such as
GAHT12345678) or an Amazon Resource Name (ARN) for a virtual
device (such as arn:aws:iam::123456789012:mfa/user). You can
find the device for an IAM user by going to the Amazon Web Services
Management Console and viewing the user's security credentials.
The regex used to validate this parameter is a string of characters consisting of upper- and lower-case alphanumeric characters with no spaces. You can also include underscores or any of the following characters: =,.@:/-
Constraints:
Length: 9 - 256
Pattern: [\w+=/:,.@-]*
java.lang.String tokenCode
The value provided by the MFA device, if MFA is required. If any policy requires the IAM user to submit an MFA code, specify this value. If MFA authentication is required, the user must provide a code when requesting a set of temporary security credentials. A user who fails to provide the code receives an "access denied" response when requesting resources that require MFA authentication.
The format for this parameter, as described by its regex pattern, is a sequence of six numeric digits.
Constraints:
Length: 6 - 6
Pattern: [\d]*
Credentials credentials
The temporary security credentials, which include an access key ID, a secret access key, and a security (or session) token.
The size of the security token that STS API operations return is not fixed. We strongly recommend that you make no assumptions about the maximum size.
java.lang.String arn
The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy for the role. For more information about ARNs, see Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces in the Amazon Web Services General Reference.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String providerArn
Reserved for future use.
Constraints:
Length: 20 - 2048
Pattern: [
-~
--�က0-ჿFF]+
java.lang.String contextAssertion
Reserved for future use.
Constraints:
Length: 4 - 2048
java.lang.String key
The key for a session tag.
You can pass up to 50 session tags. The plain text session tag keys can’t exceed 128 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
Constraints:
Length: 1 - 128
Pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]+
java.lang.String value
The value for a session tag.
You can pass up to 50 session tags. The plain text session tag values can’t exceed 256 characters. For these and additional limits, see IAM and STS Character Limits in the IAM User Guide.
Constraints:
Length: 0 - 256
Pattern: [\p{L}\p{Z}\p{N}_.:/=+\-@]*