annotate env/lib/python3.9/site-packages/boto/sts/connection.py @ 0:4f3585e2f14b draft default tip

"planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
author shellac
date Mon, 22 Mar 2021 18:12:50 +0000
parents
children
Ignore whitespace changes - Everywhere: Within whitespace: At end of lines:
rev   line source
0
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
1 # Copyright (c) 2011 Mitch Garnaat http://garnaat.org/
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
2 # Copyright (c) 2011, Eucalyptus Systems, Inc.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
3 # Copyright (c) 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
4 #
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
5 # Permission is hereby granted, free of charge, to any person obtaining a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
6 # copy of this software and associated documentation files (the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
7 # "Software"), to deal in the Software without restriction, including
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
8 # without limitation the rights to use, copy, modify, merge, publish, dis-
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
9 # tribute, sublicense, and/or sell copies of the Software, and to permit
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
10 # persons to whom the Software is furnished to do so, subject to the fol-
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
11 # lowing conditions:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
12 #
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
13 # The above copyright notice and this permission notice shall be included
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
14 # in all copies or substantial portions of the Software.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
15 #
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
17 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
18 # ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
19 # SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
20 # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
21 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
22 # IN THE SOFTWARE.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
23
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
24 from boto.connection import AWSQueryConnection
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
25 from boto.provider import Provider, NO_CREDENTIALS_PROVIDED
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
26 from boto.regioninfo import RegionInfo
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
27 from boto.sts.credentials import Credentials, FederationToken, AssumedRole
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
28 from boto.sts.credentials import DecodeAuthorizationMessage
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
29 import boto
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
30 import boto.utils
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
31 import datetime
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
32 import threading
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
33
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
34 _session_token_cache = {}
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
35
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
36
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
37 class STSConnection(AWSQueryConnection):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
38 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
39 AWS Security Token Service
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
40 The AWS Security Token Service is a web service that enables you
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
41 to request temporary, limited-privilege credentials for AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
42 Identity and Access Management (IAM) users or for users that you
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
43 authenticate (federated users). This guide provides descriptions
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
44 of the AWS Security Token Service API.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
45
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
46 For more detailed information about using this service, go to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
47 `Using Temporary Security Credentials`_.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
48
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
49 For information about setting up signatures and authorization
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
50 through the API, go to `Signing AWS API Requests`_ in the AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
51 General Reference . For general information about the Query API,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
52 go to `Making Query Requests`_ in Using IAM . For information
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
53 about using security tokens with other AWS products, go to `Using
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
54 Temporary Security Credentials to Access AWS`_ in Using Temporary
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
55 Security Credentials .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
56
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
57 If you're new to AWS and need additional technical information
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
58 about a specific AWS product, you can find the product's technical
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
59 documentation at `http://aws.amazon.com/documentation/`_.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
60
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
61 We will refer to Amazon Identity and Access Management using the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
62 abbreviated form IAM. All copyrights and legal protections still
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
63 apply.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
64 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
65 DefaultRegionName = 'us-east-1'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
66 DefaultRegionEndpoint = 'sts.amazonaws.com'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
67 APIVersion = '2011-06-15'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
68
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
69 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
70 is_secure=True, port=None, proxy=None, proxy_port=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
71 proxy_user=None, proxy_pass=None, debug=0,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
72 https_connection_factory=None, region=None, path='/',
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
73 converter=None, validate_certs=True, anon=False,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
74 security_token=None, profile_name=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
75 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
76 :type anon: boolean
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
77 :param anon: If this parameter is True, the ``STSConnection`` object
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
78 will make anonymous requests, and it will not use AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
79 Credentials or even search for AWS Credentials to make these
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
80 requests.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
81 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
82 if not region:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
83 region = RegionInfo(self, self.DefaultRegionName,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
84 self.DefaultRegionEndpoint,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
85 connection_cls=STSConnection)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
86 self.region = region
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
87 self.anon = anon
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
88 self._mutex = threading.Semaphore()
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
89 provider = 'aws'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
90 # If an anonymous request is sent, do not try to look for credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
91 # So we pass in dummy values for the access key id, secret access
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
92 # key, and session token. It does not matter that they are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
93 # not actual values because the request is anonymous.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
94 if self.anon:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
95 provider = Provider('aws', NO_CREDENTIALS_PROVIDED,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
96 NO_CREDENTIALS_PROVIDED,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
97 NO_CREDENTIALS_PROVIDED)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
98 super(STSConnection, self).__init__(aws_access_key_id,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
99 aws_secret_access_key,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
100 is_secure, port, proxy, proxy_port,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
101 proxy_user, proxy_pass,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
102 self.region.endpoint, debug,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
103 https_connection_factory, path,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
104 validate_certs=validate_certs,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
105 security_token=security_token,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
106 profile_name=profile_name,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
107 provider=provider)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
108
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
109 def _required_auth_capability(self):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
110 if self.anon:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
111 return ['sts-anon']
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
112 else:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
113 return ['hmac-v4']
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
114
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
115 def _check_token_cache(self, token_key, duration=None, window_seconds=60):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
116 token = _session_token_cache.get(token_key, None)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
117 if token:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
118 now = datetime.datetime.utcnow()
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
119 expires = boto.utils.parse_ts(token.expiration)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
120 delta = expires - now
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
121 if delta < datetime.timedelta(seconds=window_seconds):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
122 msg = 'Cached session token %s is expired' % token_key
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
123 boto.log.debug(msg)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
124 token = None
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
125 return token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
126
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
127 def _get_session_token(self, duration=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
128 mfa_serial_number=None, mfa_token=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
129 params = {}
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
130 if duration:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
131 params['DurationSeconds'] = duration
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
132 if mfa_serial_number:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
133 params['SerialNumber'] = mfa_serial_number
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
134 if mfa_token:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
135 params['TokenCode'] = mfa_token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
136 return self.get_object('GetSessionToken', params,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
137 Credentials, verb='POST')
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
138
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
139 def get_session_token(self, duration=None, force_new=False,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
140 mfa_serial_number=None, mfa_token=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
141 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
142 Return a valid session token. Because retrieving new tokens
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
143 from the Secure Token Service is a fairly heavyweight operation
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
144 this module caches previously retrieved tokens and returns
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
145 them when appropriate. Each token is cached with a key
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
146 consisting of the region name of the STS endpoint
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
147 concatenated with the requesting user's access id. If there
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
148 is a token in the cache meeting with this key, the session
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
149 expiration is checked to make sure it is still valid and if
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
150 so, the cached token is returned. Otherwise, a new session
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
151 token is requested from STS and it is placed into the cache
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
152 and returned.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
153
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
154 :type duration: int
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
155 :param duration: The number of seconds the credentials should
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
156 remain valid.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
157
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
158 :type force_new: bool
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
159 :param force_new: If this parameter is True, a new session token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
160 will be retrieved from the Secure Token Service regardless
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
161 of whether there is a valid cached token or not.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
162
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
163 :type mfa_serial_number: str
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
164 :param mfa_serial_number: The serial number of an MFA device.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
165 If this is provided and if the mfa_passcode provided is
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
166 valid, the temporary session token will be authorized with
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
167 to perform operations requiring the MFA device authentication.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
168
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
169 :type mfa_token: str
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
170 :param mfa_token: The 6 digit token associated with the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
171 MFA device.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
172 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
173 token_key = '%s:%s' % (self.region.name, self.provider.access_key)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
174 token = self._check_token_cache(token_key, duration)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
175 if force_new or not token:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
176 boto.log.debug('fetching a new token for %s' % token_key)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
177 try:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
178 self._mutex.acquire()
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
179 token = self._get_session_token(duration,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
180 mfa_serial_number,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
181 mfa_token)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
182 _session_token_cache[token_key] = token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
183 finally:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
184 self._mutex.release()
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
185 return token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
186
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
187 def get_federation_token(self, name, duration=None, policy=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
188 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
189 Returns a set of temporary security credentials (consisting of
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
190 an access key ID, a secret access key, and a security token)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
191 for a federated user. A typical use is in a proxy application
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
192 that is getting temporary security credentials on behalf of
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
193 distributed applications inside a corporate network. Because
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
194 you must call the `GetFederationToken` action using the long-
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
195 term security credentials of an IAM user, this call is
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
196 appropriate in contexts where those credentials can be safely
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
197 stored, usually in a server-based application.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
198
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
199 **Note:** Do not use this call in mobile applications or
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
200 client-based web applications that directly get temporary
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
201 security credentials. For those types of applications, use
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
202 `AssumeRoleWithWebIdentity`.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
203
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
204 The `GetFederationToken` action must be called by using the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
205 long-term AWS security credentials of the AWS account or an
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
206 IAM user. Credentials that are created by IAM users are valid
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
207 for the specified duration, between 900 seconds (15 minutes)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
208 and 129600 seconds (36 hours); credentials that are created by
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
209 using account credentials have a maximum duration of 3600
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
210 seconds (1 hour).
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
211
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
212 The permissions that are granted to the federated user are the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
213 intersection of the policy that is passed with the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
214 `GetFederationToken` request and policies that are associated
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
215 with of the entity making the `GetFederationToken` call.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
216
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
217 For more information about how permissions work, see
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
218 `Controlling Permissions in Temporary Credentials`_ in Using
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
219 Temporary Security Credentials . For information about using
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
220 `GetFederationToken` to create temporary security credentials,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
221 see `Creating Temporary Credentials to Enable Access for
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
222 Federated Users`_ in Using Temporary Security Credentials .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
223
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
224 :type name: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
225 :param name: The name of the federated user. The name is used as an
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
226 identifier for the temporary security credentials (such as `Bob`).
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
227 For example, you can reference the federated user name in a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
228 resource-based policy, such as in an Amazon S3 bucket policy.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
229
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
230 :type policy: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
231 :param policy: A policy that specifies the permissions that are granted
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
232 to the federated user. By default, federated users have no
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
233 permissions; they do not inherit any from the IAM user. When you
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
234 specify a policy, the federated user's permissions are intersection
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
235 of the specified policy and the IAM user's policy. If you don't
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
236 specify a policy, federated users can only access AWS resources
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
237 that explicitly allow those federated users in a resource policy,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
238 such as in an Amazon S3 bucket policy.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
239
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
240 :type duration: integer
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
241 :param duration: The duration, in seconds, that the session
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
242 should last. Acceptable durations for federation sessions range
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
243 from 900 seconds (15 minutes) to 129600 seconds (36 hours), with
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
244 43200 seconds (12 hours) as the default. Sessions for AWS account
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
245 owners are restricted to a maximum of 3600 seconds (one hour). If
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
246 the duration is longer than one hour, the session for AWS account
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
247 owners defaults to one hour.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
248
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
249 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
250 params = {'Name': name}
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
251 if duration:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
252 params['DurationSeconds'] = duration
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
253 if policy:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
254 params['Policy'] = policy
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
255 return self.get_object('GetFederationToken', params,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
256 FederationToken, verb='POST')
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
257
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
258 def assume_role(self, role_arn, role_session_name, policy=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
259 duration_seconds=None, external_id=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
260 mfa_serial_number=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
261 mfa_token=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
262 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
263 Returns a set of temporary security credentials (consisting of
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
264 an access key ID, a secret access key, and a security token)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
265 that you can use to access AWS resources that you might not
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
266 normally have access to. Typically, you use `AssumeRole` for
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
267 cross-account access or federation.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
268
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
269 For cross-account access, imagine that you own multiple
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
270 accounts and need to access resources in each account. You
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
271 could create long-term credentials in each account to access
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
272 those resources. However, managing all those credentials and
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
273 remembering which one can access which account can be time
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
274 consuming. Instead, you can create one set of long-term
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
275 credentials in one account and then use temporary security
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
276 credentials to access all the other accounts by assuming roles
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
277 in those accounts. For more information about roles, see
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
278 `Roles`_ in Using IAM .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
279
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
280 For federation, you can, for example, grant single sign-on
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
281 access to the AWS Management Console. If you already have an
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
282 identity and authentication system in your corporate network,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
283 you don't have to recreate user identities in AWS in order to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
284 grant those user identities access to AWS. Instead, after a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
285 user has been authenticated, you call `AssumeRole` (and
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
286 specify the role with the appropriate permissions) to get
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
287 temporary security credentials for that user. With those
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
288 temporary security credentials, you construct a sign-in URL
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
289 that users can use to access the console. For more
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
290 information, see `Scenarios for Granting Temporary Access`_ in
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
291 AWS Security Token Service .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
292
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
293 The temporary security credentials are valid for the duration
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
294 that you specified when calling `AssumeRole`, which can be
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
295 from 900 seconds (15 minutes) to 3600 seconds (1 hour). The
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
296 default is 1 hour.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
297
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
298 The temporary security credentials that are returned from the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
299 `AssumeRoleWithWebIdentity` response have the permissions that
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
300 are associated with the access policy of the role being
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
301 assumed and any policies that are associated with the AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
302 resource being accessed. You can further restrict the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
303 permissions of the temporary security credentials by passing a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
304 policy in the request. The resulting permissions are an
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
305 intersection of the role's access policy and the policy that
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
306 you passed. These policies and any applicable resource-based
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
307 policies are evaluated when calls to AWS service APIs are made
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
308 using the temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
309
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
310 To assume a role, your AWS account must be trusted by the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
311 role. The trust relationship is defined in the role's trust
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
312 policy when the IAM role is created. You must also have a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
313 policy that allows you to call `sts:AssumeRole`.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
314
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
315 **Important:** You cannot call `Assumerole` by using AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
316 account credentials; access will be denied. You must use IAM
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
317 user credentials to call `AssumeRole`.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
318
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
319 :type role_arn: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
320 :param role_arn: The Amazon Resource Name (ARN) of the role that the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
321 caller is assuming.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
322
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
323 :type role_session_name: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
324 :param role_session_name: An identifier for the assumed role session.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
325 The session name is included as part of the `AssumedRoleUser`.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
326
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
327 :type policy: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
328 :param policy: A supplemental policy that is associated with the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
329 temporary security credentials from the `AssumeRole` call. The
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
330 resulting permissions of the temporary security credentials are an
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
331 intersection of this policy and the access policy that is
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
332 associated with the role. Use this policy to further restrict the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
333 permissions of the temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
334
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
335 :type duration_seconds: integer
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
336 :param duration_seconds: The duration, in seconds, of the role session.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
337 The value can range from 900 seconds (15 minutes) to 3600 seconds
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
338 (1 hour). By default, the value is set to 3600 seconds.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
339
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
340 :type external_id: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
341 :param external_id: A unique identifier that is used by third parties
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
342 to assume a role in their customers' accounts. For each role that
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
343 the third party can assume, they should instruct their customers to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
344 create a role with the external ID that the third party generated.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
345 Each time the third party assumes the role, they must pass the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
346 customer's external ID. The external ID is useful in order to help
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
347 third parties bind a role to the customer who created it. For more
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
348 information about the external ID, see `About the External ID`_ in
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
349 Using Temporary Security Credentials .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
350
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
351 :type mfa_serial_number: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
352 :param mfa_serial_number: The identification number of the MFA device that
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
353 is associated with the user who is making the AssumeRole call.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
354 Specify this value if the trust policy of the role being assumed
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
355 includes a condition that requires MFA authentication. The value is
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
356 either the serial number for a hardware device (such as
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
357 GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
358 (such as arn:aws:iam::123456789012:mfa/user). Minimum length of 9.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
359 Maximum length of 256.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
360
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
361 :type mfa_token: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
362 :param mfa_token: The value provided by the MFA device, if the trust
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
363 policy of the role being assumed requires MFA (that is, if the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
364 policy includes a condition that tests for MFA). If the role being
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
365 assumed requires MFA and if the TokenCode value is missing or
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
366 expired, the AssumeRole call returns an "access denied" errror.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
367 Minimum length of 6. Maximum length of 6.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
368
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
369 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
370 params = {
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
371 'RoleArn': role_arn,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
372 'RoleSessionName': role_session_name
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
373 }
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
374 if policy is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
375 params['Policy'] = policy
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
376 if duration_seconds is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
377 params['DurationSeconds'] = duration_seconds
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
378 if external_id is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
379 params['ExternalId'] = external_id
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
380 if mfa_serial_number is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
381 params['SerialNumber'] = mfa_serial_number
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
382 if mfa_token is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
383 params['TokenCode'] = mfa_token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
384 return self.get_object('AssumeRole', params, AssumedRole, verb='POST')
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
385
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
386 def assume_role_with_saml(self, role_arn, principal_arn, saml_assertion,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
387 policy=None, duration_seconds=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
388 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
389 Returns a set of temporary security credentials for users who
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
390 have been authenticated via a SAML authentication response.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
391 This operation provides a mechanism for tying an enterprise
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
392 identity store or directory to role-based AWS access without
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
393 user-specific credentials or configuration.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
394
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
395 The temporary security credentials returned by this operation
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
396 consist of an access key ID, a secret access key, and a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
397 security token. Applications can use these temporary security
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
398 credentials to sign calls to AWS services. The credentials are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
399 valid for the duration that you specified when calling
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
400 `AssumeRoleWithSAML`, which can be up to 3600 seconds (1 hour)
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
401 or until the time specified in the SAML authentication
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
402 response's `NotOnOrAfter` value, whichever is shorter.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
403
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
404 The maximum duration for a session is 1 hour, and the minimum
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
405 duration is 15 minutes, even if values outside this range are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
406 specified.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
407
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
408 Optionally, you can pass an AWS IAM access policy to this
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
409 operation. The temporary security credentials that are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
410 returned by the operation have the permissions that are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
411 associated with the access policy of the role being assumed,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
412 except for any permissions explicitly denied by the policy you
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
413 pass. This gives you a way to further restrict the permissions
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
414 for the federated user. These policies and any applicable
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
415 resource-based policies are evaluated when calls to AWS are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
416 made using the temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
417
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
418 Before your application can call `AssumeRoleWithSAML`, you
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
419 must configure your SAML identity provider (IdP) to issue the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
420 claims required by AWS. Additionally, you must use AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
421 Identity and Access Management (AWS IAM) to create a SAML
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
422 provider entity in your AWS account that represents your
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
423 identity provider, and create an AWS IAM role that specifies
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
424 this SAML provider in its trust policy.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
425
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
426 Calling `AssumeRoleWithSAML` does not require the use of AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
427 security credentials. The identity of the caller is validated
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
428 by using keys in the metadata document that is uploaded for
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
429 the SAML provider entity for your identity provider.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
430
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
431 For more information, see the following resources:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
432
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
433
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
434 + `Creating Temporary Security Credentials for SAML
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
435 Federation`_ in the Using Temporary Security Credentials
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
436 guide.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
437 + `SAML Providers`_ in the Using IAM guide.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
438 + `Configuring a Relying Party and Claims in the Using IAM
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
439 guide. `_
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
440 + `Creating a Role for SAML-Based Federation`_ in the Using
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
441 IAM guide.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
442
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
443 :type role_arn: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
444 :param role_arn: The Amazon Resource Name (ARN) of the role that the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
445 caller is assuming.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
446
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
447 :type principal_arn: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
448 :param principal_arn: The Amazon Resource Name (ARN) of the SAML
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
449 provider in AWS IAM that describes the IdP.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
450
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
451 :type saml_assertion: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
452 :param saml_assertion: The base-64 encoded SAML authentication response
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
453 provided by the IdP.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
454 For more information, see `Configuring a Relying Party and Adding
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
455 Claims`_ in the Using IAM guide.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
456
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
457 :type policy: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
458 :param policy:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
459 An AWS IAM policy in JSON format.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
460
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
461 The temporary security credentials that are returned by this operation
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
462 have the permissions that are associated with the access policy of
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
463 the role being assumed, except for any permissions explicitly
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
464 denied by the policy you pass. These policies and any applicable
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
465 resource-based policies are evaluated when calls to AWS are made
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
466 using the temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
467
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
468 The policy must be 2048 bytes or shorter, and its packed size must be
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
469 less than 450 bytes.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
470
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
471 :type duration_seconds: integer
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
472 :param duration_seconds:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
473 The duration, in seconds, of the role session. The value can range from
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
474 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
475 value is set to 3600 seconds. An expiration can also be specified
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
476 in the SAML authentication response's `NotOnOrAfter` value. The
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
477 actual expiration time is whichever value is shorter.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
478
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
479 The maximum duration for a session is 1 hour, and the minimum duration
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
480 is 15 minutes, even if values outside this range are specified.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
481
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
482 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
483 params = {
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
484 'RoleArn': role_arn,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
485 'PrincipalArn': principal_arn,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
486 'SAMLAssertion': saml_assertion,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
487 }
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
488 if policy is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
489 params['Policy'] = policy
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
490 if duration_seconds is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
491 params['DurationSeconds'] = duration_seconds
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
492 return self.get_object('AssumeRoleWithSAML', params, AssumedRole,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
493 verb='POST')
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
494
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
495 def assume_role_with_web_identity(self, role_arn, role_session_name,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
496 web_identity_token, provider_id=None,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
497 policy=None, duration_seconds=None):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
498 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
499 Returns a set of temporary security credentials for users who
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
500 have been authenticated in a mobile or web application with a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
501 web identity provider, such as Login with Amazon, Facebook, or
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
502 Google. `AssumeRoleWithWebIdentity` is an API call that does
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
503 not require the use of AWS security credentials. Therefore,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
504 you can distribute an application (for example, on mobile
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
505 devices) that requests temporary security credentials without
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
506 including long-term AWS credentials in the application or by
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
507 deploying server-based proxy services that use long-term AWS
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
508 credentials. For more information, see `Creating a Mobile
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
509 Application with Third-Party Sign-In`_ in AWS Security Token
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
510 Service .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
511
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
512 The temporary security credentials consist of an access key
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
513 ID, a secret access key, and a security token. Applications
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
514 can use these temporary security credentials to sign calls to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
515 AWS service APIs. The credentials are valid for the duration
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
516 that you specified when calling `AssumeRoleWithWebIdentity`,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
517 which can be from 900 seconds (15 minutes) to 3600 seconds (1
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
518 hour). By default, the temporary security credentials are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
519 valid for 1 hour.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
520
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
521 The temporary security credentials that are returned from the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
522 `AssumeRoleWithWebIdentity` response have the permissions that
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
523 are associated with the access policy of the role being
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
524 assumed. You can further restrict the permissions of the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
525 temporary security credentials by passing a policy in the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
526 request. The resulting permissions are an intersection of the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
527 role's access policy and the policy that you passed. These
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
528 policies and any applicable resource-based policies are
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
529 evaluated when calls to AWS service APIs are made using the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
530 temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
531
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
532 Before your application can call `AssumeRoleWithWebIdentity`,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
533 you must have an identity token from a supported identity
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
534 provider and create a role that the application can assume.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
535 The role that your application assumes must trust the identity
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
536 provider that is associated with the identity token. In other
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
537 words, the identity provider must be specified in the role's
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
538 trust policy. For more information, see ` Creating Temporary
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
539 Security Credentials for Mobile Apps Using Third-Party
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
540 Identity Providers`_.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
541
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
542 :type role_arn: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
543 :param role_arn: The Amazon Resource Name (ARN) of the role that the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
544 caller is assuming.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
545
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
546 :type role_session_name: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
547 :param role_session_name: An identifier for the assumed role session.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
548 Typically, you pass the name or identifier that is associated with
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
549 the user who is using your application. That way, the temporary
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
550 security credentials that your application will use are associated
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
551 with that user. This session name is included as part of the ARN
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
552 and assumed role ID in the `AssumedRoleUser` response element.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
553
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
554 :type web_identity_token: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
555 :param web_identity_token: The OAuth 2.0 access token or OpenID Connect
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
556 ID token that is provided by the identity provider. Your
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
557 application must get this token by authenticating the user who is
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
558 using your application with a web identity provider before the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
559 application makes an `AssumeRoleWithWebIdentity` call.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
560
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
561 :type provider_id: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
562 :param provider_id: Specify this value only for OAuth access tokens. Do
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
563 not specify this value for OpenID Connect ID tokens, such as
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
564 `accounts.google.com`. This is the fully-qualified host component
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
565 of the domain name of the identity provider. Do not include URL
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
566 schemes and port numbers. Currently, `www.amazon.com` and
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
567 `graph.facebook.com` are supported.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
568
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
569 :type policy: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
570 :param policy: A supplemental policy that is associated with the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
571 temporary security credentials from the `AssumeRoleWithWebIdentity`
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
572 call. The resulting permissions of the temporary security
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
573 credentials are an intersection of this policy and the access
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
574 policy that is associated with the role. Use this policy to further
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
575 restrict the permissions of the temporary security credentials.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
576
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
577 :type duration_seconds: integer
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
578 :param duration_seconds: The duration, in seconds, of the role session.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
579 The value can range from 900 seconds (15 minutes) to 3600 seconds
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
580 (1 hour). By default, the value is set to 3600 seconds.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
581
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
582 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
583 params = {
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
584 'RoleArn': role_arn,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
585 'RoleSessionName': role_session_name,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
586 'WebIdentityToken': web_identity_token,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
587 }
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
588 if provider_id is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
589 params['ProviderId'] = provider_id
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
590 if policy is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
591 params['Policy'] = policy
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
592 if duration_seconds is not None:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
593 params['DurationSeconds'] = duration_seconds
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
594 return self.get_object(
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
595 'AssumeRoleWithWebIdentity',
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
596 params,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
597 AssumedRole,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
598 verb='POST'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
599 )
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
600
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
601 def decode_authorization_message(self, encoded_message):
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
602 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
603 Decodes additional information about the authorization status
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
604 of a request from an encoded message returned in response to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
605 an AWS request.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
606
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
607 For example, if a user is not authorized to perform an action
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
608 that he or she has requested, the request returns a
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
609 `Client.UnauthorizedOperation` response (an HTTP 403
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
610 response). Some AWS actions additionally return an encoded
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
611 message that can provide details about this authorization
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
612 failure.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
613 Only certain AWS actions return an encoded authorization
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
614 message. The documentation for an individual action indicates
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
615 whether that action returns an encoded message in addition to
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
616 returning an HTTP code.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
617 The message is encoded because the details of the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
618 authorization status can constitute privileged information
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
619 that the user who requested the action should not see. To
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
620 decode an authorization status message, a user must be granted
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
621 permissions via an IAM policy to request the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
622 `DecodeAuthorizationMessage` (
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
623 `sts:DecodeAuthorizationMessage`) action.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
624
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
625 The decoded message includes the following type of
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
626 information:
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
627
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
628
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
629 + Whether the request was denied due to an explicit deny or
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
630 due to the absence of an explicit allow. For more information,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
631 see `Determining Whether a Request is Allowed or Denied`_ in
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
632 Using IAM .
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
633 + The principal who made the request.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
634 + The requested action.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
635 + The requested resource.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
636 + The values of condition keys in the context of the user's
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
637 request.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
638
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
639 :type encoded_message: string
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
640 :param encoded_message: The encoded message that was returned with the
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
641 response.
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
642
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
643 """
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
644 params = {
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
645 'EncodedMessage': encoded_message,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
646 }
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
647 return self.get_object(
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
648 'DecodeAuthorizationMessage',
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
649 params,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
650 DecodeAuthorizationMessage,
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
651 verb='POST'
4f3585e2f14b "planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
shellac
parents:
diff changeset
652 )