Mercurial > repos > shellac > sam_consensus_v3

comparison env/lib/python3.9/site-packages/boto/sts/connection.py @ 0:4f3585e2f14b draft default tip

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
"planemo upload commit 60cee0fc7c0cda8592644e1aad72851dec82c959"
author shellac
date Mon, 22 Mar 2021 18:12:50 +0000
parents
children
comparison
equal deleted inserted replaced
-1:000000000000 0:4f3585e2f14b
1 # Copyright (c) 2011 Mitch Garnaat http://garnaat.org/
2 # Copyright (c) 2011, Eucalyptus Systems, Inc.
3 # Copyright (c) 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved
4 #
5 # Permission is hereby granted, free of charge, to any person obtaining a
6 # copy of this software and associated documentation files (the
7 # "Software"), to deal in the Software without restriction, including
8 # without limitation the rights to use, copy, modify, merge, publish, dis-
9 # tribute, sublicense, and/or sell copies of the Software, and to permit
10 # persons to whom the Software is furnished to do so, subject to the fol-
11 # lowing conditions:
12 #
13 # The above copyright notice and this permission notice shall be included
14 # in all copies or substantial portions of the Software.
15 #
16 # THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS
17 # OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL-
18 # ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT
19 # SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
20 # WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
21 # OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS
22 # IN THE SOFTWARE.
23
24 from boto.connection import AWSQueryConnection
25 from boto.provider import Provider, NO_CREDENTIALS_PROVIDED
26 from boto.regioninfo import RegionInfo
27 from boto.sts.credentials import Credentials, FederationToken, AssumedRole
28 from boto.sts.credentials import DecodeAuthorizationMessage
29 import boto
30 import boto.utils
31 import datetime
32 import threading
33
34 _session_token_cache = {}
35
36
37 class STSConnection(AWSQueryConnection):
38 """
39 AWS Security Token Service
40 The AWS Security Token Service is a web service that enables you
41 to request temporary, limited-privilege credentials for AWS
42 Identity and Access Management (IAM) users or for users that you
43 authenticate (federated users). This guide provides descriptions
44 of the AWS Security Token Service API.
45
46 For more detailed information about using this service, go to
47 `Using Temporary Security Credentials`_.
48
49 For information about setting up signatures and authorization
50 through the API, go to `Signing AWS API Requests`_ in the AWS
51 General Reference . For general information about the Query API,
52 go to `Making Query Requests`_ in Using IAM . For information
53 about using security tokens with other AWS products, go to `Using
54 Temporary Security Credentials to Access AWS`_ in Using Temporary
55 Security Credentials .
56
57 If you're new to AWS and need additional technical information
58 about a specific AWS product, you can find the product's technical
59 documentation at `http://aws.amazon.com/documentation/`_.
60
61 We will refer to Amazon Identity and Access Management using the
62 abbreviated form IAM. All copyrights and legal protections still
63 apply.
64 """
65 DefaultRegionName = 'us-east-1'
66 DefaultRegionEndpoint = 'sts.amazonaws.com'
67 APIVersion = '2011-06-15'
68
69 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None,
70 is_secure=True, port=None, proxy=None, proxy_port=None,
71 proxy_user=None, proxy_pass=None, debug=0,
72 https_connection_factory=None, region=None, path='/',
73 converter=None, validate_certs=True, anon=False,
74 security_token=None, profile_name=None):
75 """
76 :type anon: boolean
77 :param anon: If this parameter is True, the ``STSConnection`` object
78 will make anonymous requests, and it will not use AWS
79 Credentials or even search for AWS Credentials to make these
80 requests.
81 """
82 if not region:
83 region = RegionInfo(self, self.DefaultRegionName,
84 self.DefaultRegionEndpoint,
85 connection_cls=STSConnection)
86 self.region = region
87 self.anon = anon
88 self._mutex = threading.Semaphore()
89 provider = 'aws'
90 # If an anonymous request is sent, do not try to look for credentials.
91 # So we pass in dummy values for the access key id, secret access
92 # key, and session token. It does not matter that they are
93 # not actual values because the request is anonymous.
94 if self.anon:
95 provider = Provider('aws', NO_CREDENTIALS_PROVIDED,
96 NO_CREDENTIALS_PROVIDED,
97 NO_CREDENTIALS_PROVIDED)
98 super(STSConnection, self).__init__(aws_access_key_id,
99 aws_secret_access_key,
100 is_secure, port, proxy, proxy_port,
101 proxy_user, proxy_pass,
102 self.region.endpoint, debug,
103 https_connection_factory, path,
104 validate_certs=validate_certs,
105 security_token=security_token,
106 profile_name=profile_name,
107 provider=provider)
108
109 def _required_auth_capability(self):
110 if self.anon:
111 return ['sts-anon']
112 else:
113 return ['hmac-v4']
114
115 def _check_token_cache(self, token_key, duration=None, window_seconds=60):
116 token = _session_token_cache.get(token_key, None)
117 if token:
118 now = datetime.datetime.utcnow()
119 expires = boto.utils.parse_ts(token.expiration)
120 delta = expires - now
121 if delta < datetime.timedelta(seconds=window_seconds):
122 msg = 'Cached session token %s is expired' % token_key
123 boto.log.debug(msg)
124 token = None
125 return token
126
127 def _get_session_token(self, duration=None,
128 mfa_serial_number=None, mfa_token=None):
129 params = {}
130 if duration:
131 params['DurationSeconds'] = duration
132 if mfa_serial_number:
133 params['SerialNumber'] = mfa_serial_number
134 if mfa_token:
135 params['TokenCode'] = mfa_token
136 return self.get_object('GetSessionToken', params,
137 Credentials, verb='POST')
138
139 def get_session_token(self, duration=None, force_new=False,
140 mfa_serial_number=None, mfa_token=None):
141 """
142 Return a valid session token. Because retrieving new tokens
143 from the Secure Token Service is a fairly heavyweight operation
144 this module caches previously retrieved tokens and returns
145 them when appropriate. Each token is cached with a key
146 consisting of the region name of the STS endpoint
147 concatenated with the requesting user's access id. If there
148 is a token in the cache meeting with this key, the session
149 expiration is checked to make sure it is still valid and if
150 so, the cached token is returned. Otherwise, a new session
151 token is requested from STS and it is placed into the cache
152 and returned.
153
154 :type duration: int
155 :param duration: The number of seconds the credentials should
156 remain valid.
157
158 :type force_new: bool
159 :param force_new: If this parameter is True, a new session token
160 will be retrieved from the Secure Token Service regardless
161 of whether there is a valid cached token or not.
162
163 :type mfa_serial_number: str
164 :param mfa_serial_number: The serial number of an MFA device.
165 If this is provided and if the mfa_passcode provided is
166 valid, the temporary session token will be authorized with
167 to perform operations requiring the MFA device authentication.
168
169 :type mfa_token: str
170 :param mfa_token: The 6 digit token associated with the
171 MFA device.
172 """
173 token_key = '%s:%s' % (self.region.name, self.provider.access_key)
174 token = self._check_token_cache(token_key, duration)
175 if force_new or not token:
176 boto.log.debug('fetching a new token for %s' % token_key)
177 try:
178 self._mutex.acquire()
179 token = self._get_session_token(duration,
180 mfa_serial_number,
181 mfa_token)
182 _session_token_cache[token_key] = token
183 finally:
184 self._mutex.release()
185 return token
186
187 def get_federation_token(self, name, duration=None, policy=None):
188 """
189 Returns a set of temporary security credentials (consisting of
190 an access key ID, a secret access key, and a security token)
191 for a federated user. A typical use is in a proxy application
192 that is getting temporary security credentials on behalf of
193 distributed applications inside a corporate network. Because
194 you must call the `GetFederationToken` action using the long-
195 term security credentials of an IAM user, this call is
196 appropriate in contexts where those credentials can be safely
197 stored, usually in a server-based application.
198
199 **Note:** Do not use this call in mobile applications or
200 client-based web applications that directly get temporary
201 security credentials. For those types of applications, use
202 `AssumeRoleWithWebIdentity`.
203
204 The `GetFederationToken` action must be called by using the
205 long-term AWS security credentials of the AWS account or an
206 IAM user. Credentials that are created by IAM users are valid
207 for the specified duration, between 900 seconds (15 minutes)
208 and 129600 seconds (36 hours); credentials that are created by
209 using account credentials have a maximum duration of 3600
210 seconds (1 hour).
211
212 The permissions that are granted to the federated user are the
213 intersection of the policy that is passed with the
214 `GetFederationToken` request and policies that are associated
215 with of the entity making the `GetFederationToken` call.
216
217 For more information about how permissions work, see
218 `Controlling Permissions in Temporary Credentials`_ in Using
219 Temporary Security Credentials . For information about using
220 `GetFederationToken` to create temporary security credentials,
221 see `Creating Temporary Credentials to Enable Access for
222 Federated Users`_ in Using Temporary Security Credentials .
223
224 :type name: string
225 :param name: The name of the federated user. The name is used as an
226 identifier for the temporary security credentials (such as `Bob`).
227 For example, you can reference the federated user name in a
228 resource-based policy, such as in an Amazon S3 bucket policy.
229
230 :type policy: string
231 :param policy: A policy that specifies the permissions that are granted
232 to the federated user. By default, federated users have no
233 permissions; they do not inherit any from the IAM user. When you
234 specify a policy, the federated user's permissions are intersection
235 of the specified policy and the IAM user's policy. If you don't
236 specify a policy, federated users can only access AWS resources
237 that explicitly allow those federated users in a resource policy,
238 such as in an Amazon S3 bucket policy.
239
240 :type duration: integer
241 :param duration: The duration, in seconds, that the session
242 should last. Acceptable durations for federation sessions range
243 from 900 seconds (15 minutes) to 129600 seconds (36 hours), with
244 43200 seconds (12 hours) as the default. Sessions for AWS account
245 owners are restricted to a maximum of 3600 seconds (one hour). If
246 the duration is longer than one hour, the session for AWS account
247 owners defaults to one hour.
248
249 """
250 params = {'Name': name}
251 if duration:
252 params['DurationSeconds'] = duration
253 if policy:
254 params['Policy'] = policy
255 return self.get_object('GetFederationToken', params,
256 FederationToken, verb='POST')
257
258 def assume_role(self, role_arn, role_session_name, policy=None,
259 duration_seconds=None, external_id=None,
260 mfa_serial_number=None,
261 mfa_token=None):
262 """
263 Returns a set of temporary security credentials (consisting of
264 an access key ID, a secret access key, and a security token)
265 that you can use to access AWS resources that you might not
266 normally have access to. Typically, you use `AssumeRole` for
267 cross-account access or federation.
268
269 For cross-account access, imagine that you own multiple
270 accounts and need to access resources in each account. You
271 could create long-term credentials in each account to access
272 those resources. However, managing all those credentials and
273 remembering which one can access which account can be time
274 consuming. Instead, you can create one set of long-term
275 credentials in one account and then use temporary security
276 credentials to access all the other accounts by assuming roles
277 in those accounts. For more information about roles, see
278 `Roles`_ in Using IAM .
279
280 For federation, you can, for example, grant single sign-on
281 access to the AWS Management Console. If you already have an
282 identity and authentication system in your corporate network,
283 you don't have to recreate user identities in AWS in order to
284 grant those user identities access to AWS. Instead, after a
285 user has been authenticated, you call `AssumeRole` (and
286 specify the role with the appropriate permissions) to get
287 temporary security credentials for that user. With those
288 temporary security credentials, you construct a sign-in URL
289 that users can use to access the console. For more
290 information, see `Scenarios for Granting Temporary Access`_ in
291 AWS Security Token Service .
292
293 The temporary security credentials are valid for the duration
294 that you specified when calling `AssumeRole`, which can be
295 from 900 seconds (15 minutes) to 3600 seconds (1 hour). The
296 default is 1 hour.
297
298 The temporary security credentials that are returned from the
299 `AssumeRoleWithWebIdentity` response have the permissions that
300 are associated with the access policy of the role being
301 assumed and any policies that are associated with the AWS
302 resource being accessed. You can further restrict the
303 permissions of the temporary security credentials by passing a
304 policy in the request. The resulting permissions are an
305 intersection of the role's access policy and the policy that
306 you passed. These policies and any applicable resource-based
307 policies are evaluated when calls to AWS service APIs are made
308 using the temporary security credentials.
309
310 To assume a role, your AWS account must be trusted by the
311 role. The trust relationship is defined in the role's trust
312 policy when the IAM role is created. You must also have a
313 policy that allows you to call `sts:AssumeRole`.
314
315 **Important:** You cannot call `Assumerole` by using AWS
316 account credentials; access will be denied. You must use IAM
317 user credentials to call `AssumeRole`.
318
319 :type role_arn: string
320 :param role_arn: The Amazon Resource Name (ARN) of the role that the
321 caller is assuming.
322
323 :type role_session_name: string
324 :param role_session_name: An identifier for the assumed role session.
325 The session name is included as part of the `AssumedRoleUser`.
326
327 :type policy: string
328 :param policy: A supplemental policy that is associated with the
329 temporary security credentials from the `AssumeRole` call. The
330 resulting permissions of the temporary security credentials are an
331 intersection of this policy and the access policy that is
332 associated with the role. Use this policy to further restrict the
333 permissions of the temporary security credentials.
334
335 :type duration_seconds: integer
336 :param duration_seconds: The duration, in seconds, of the role session.
337 The value can range from 900 seconds (15 minutes) to 3600 seconds
338 (1 hour). By default, the value is set to 3600 seconds.
339
340 :type external_id: string
341 :param external_id: A unique identifier that is used by third parties
342 to assume a role in their customers' accounts. For each role that
343 the third party can assume, they should instruct their customers to
344 create a role with the external ID that the third party generated.
345 Each time the third party assumes the role, they must pass the
346 customer's external ID. The external ID is useful in order to help
347 third parties bind a role to the customer who created it. For more
348 information about the external ID, see `About the External ID`_ in
349 Using Temporary Security Credentials .
350
351 :type mfa_serial_number: string
352 :param mfa_serial_number: The identification number of the MFA device that
353 is associated with the user who is making the AssumeRole call.
354 Specify this value if the trust policy of the role being assumed
355 includes a condition that requires MFA authentication. The value is
356 either the serial number for a hardware device (such as
357 GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device
358 (such as arn:aws:iam::123456789012:mfa/user). Minimum length of 9.
359 Maximum length of 256.
360
361 :type mfa_token: string
362 :param mfa_token: The value provided by the MFA device, if the trust
363 policy of the role being assumed requires MFA (that is, if the
364 policy includes a condition that tests for MFA). If the role being
365 assumed requires MFA and if the TokenCode value is missing or
366 expired, the AssumeRole call returns an "access denied" errror.
367 Minimum length of 6. Maximum length of 6.
368
369 """
370 params = {
371 'RoleArn': role_arn,
372 'RoleSessionName': role_session_name
373 }
374 if policy is not None:
375 params['Policy'] = policy
376 if duration_seconds is not None:
377 params['DurationSeconds'] = duration_seconds
378 if external_id is not None:
379 params['ExternalId'] = external_id
380 if mfa_serial_number is not None:
381 params['SerialNumber'] = mfa_serial_number
382 if mfa_token is not None:
383 params['TokenCode'] = mfa_token
384 return self.get_object('AssumeRole', params, AssumedRole, verb='POST')
385
386 def assume_role_with_saml(self, role_arn, principal_arn, saml_assertion,
387 policy=None, duration_seconds=None):
388 """
389 Returns a set of temporary security credentials for users who
390 have been authenticated via a SAML authentication response.
391 This operation provides a mechanism for tying an enterprise
392 identity store or directory to role-based AWS access without
393 user-specific credentials or configuration.
394
395 The temporary security credentials returned by this operation
396 consist of an access key ID, a secret access key, and a
397 security token. Applications can use these temporary security
398 credentials to sign calls to AWS services. The credentials are
399 valid for the duration that you specified when calling
400 `AssumeRoleWithSAML`, which can be up to 3600 seconds (1 hour)
401 or until the time specified in the SAML authentication
402 response's `NotOnOrAfter` value, whichever is shorter.
403
404 The maximum duration for a session is 1 hour, and the minimum
405 duration is 15 minutes, even if values outside this range are
406 specified.
407
408 Optionally, you can pass an AWS IAM access policy to this
409 operation. The temporary security credentials that are
410 returned by the operation have the permissions that are
411 associated with the access policy of the role being assumed,
412 except for any permissions explicitly denied by the policy you
413 pass. This gives you a way to further restrict the permissions
414 for the federated user. These policies and any applicable
415 resource-based policies are evaluated when calls to AWS are
416 made using the temporary security credentials.
417
418 Before your application can call `AssumeRoleWithSAML`, you
419 must configure your SAML identity provider (IdP) to issue the
420 claims required by AWS. Additionally, you must use AWS
421 Identity and Access Management (AWS IAM) to create a SAML
422 provider entity in your AWS account that represents your
423 identity provider, and create an AWS IAM role that specifies
424 this SAML provider in its trust policy.
425
426 Calling `AssumeRoleWithSAML` does not require the use of AWS
427 security credentials. The identity of the caller is validated
428 by using keys in the metadata document that is uploaded for
429 the SAML provider entity for your identity provider.
430
431 For more information, see the following resources:
432
433
434 + `Creating Temporary Security Credentials for SAML
435 Federation`_ in the Using Temporary Security Credentials
436 guide.
437 + `SAML Providers`_ in the Using IAM guide.
438 + `Configuring a Relying Party and Claims in the Using IAM
439 guide. `_
440 + `Creating a Role for SAML-Based Federation`_ in the Using
441 IAM guide.
442
443 :type role_arn: string
444 :param role_arn: The Amazon Resource Name (ARN) of the role that the
445 caller is assuming.
446
447 :type principal_arn: string
448 :param principal_arn: The Amazon Resource Name (ARN) of the SAML
449 provider in AWS IAM that describes the IdP.
450
451 :type saml_assertion: string
452 :param saml_assertion: The base-64 encoded SAML authentication response
453 provided by the IdP.
454 For more information, see `Configuring a Relying Party and Adding
455 Claims`_ in the Using IAM guide.
456
457 :type policy: string
458 :param policy:
459 An AWS IAM policy in JSON format.
460
461 The temporary security credentials that are returned by this operation
462 have the permissions that are associated with the access policy of
463 the role being assumed, except for any permissions explicitly
464 denied by the policy you pass. These policies and any applicable
465 resource-based policies are evaluated when calls to AWS are made
466 using the temporary security credentials.
467
468 The policy must be 2048 bytes or shorter, and its packed size must be
469 less than 450 bytes.
470
471 :type duration_seconds: integer
472 :param duration_seconds:
473 The duration, in seconds, of the role session. The value can range from
474 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the
475 value is set to 3600 seconds. An expiration can also be specified
476 in the SAML authentication response's `NotOnOrAfter` value. The
477 actual expiration time is whichever value is shorter.
478
479 The maximum duration for a session is 1 hour, and the minimum duration
480 is 15 minutes, even if values outside this range are specified.
481
482 """
483 params = {
484 'RoleArn': role_arn,
485 'PrincipalArn': principal_arn,
486 'SAMLAssertion': saml_assertion,
487 }
488 if policy is not None:
489 params['Policy'] = policy
490 if duration_seconds is not None:
491 params['DurationSeconds'] = duration_seconds
492 return self.get_object('AssumeRoleWithSAML', params, AssumedRole,
493 verb='POST')
494
495 def assume_role_with_web_identity(self, role_arn, role_session_name,
496 web_identity_token, provider_id=None,
497 policy=None, duration_seconds=None):
498 """
499 Returns a set of temporary security credentials for users who
500 have been authenticated in a mobile or web application with a
501 web identity provider, such as Login with Amazon, Facebook, or
502 Google. `AssumeRoleWithWebIdentity` is an API call that does
503 not require the use of AWS security credentials. Therefore,
504 you can distribute an application (for example, on mobile
505 devices) that requests temporary security credentials without
506 including long-term AWS credentials in the application or by
507 deploying server-based proxy services that use long-term AWS
508 credentials. For more information, see `Creating a Mobile
509 Application with Third-Party Sign-In`_ in AWS Security Token
510 Service .
511
512 The temporary security credentials consist of an access key
513 ID, a secret access key, and a security token. Applications
514 can use these temporary security credentials to sign calls to
515 AWS service APIs. The credentials are valid for the duration
516 that you specified when calling `AssumeRoleWithWebIdentity`,
517 which can be from 900 seconds (15 minutes) to 3600 seconds (1
518 hour). By default, the temporary security credentials are
519 valid for 1 hour.
520
521 The temporary security credentials that are returned from the
522 `AssumeRoleWithWebIdentity` response have the permissions that
523 are associated with the access policy of the role being
524 assumed. You can further restrict the permissions of the
525 temporary security credentials by passing a policy in the
526 request. The resulting permissions are an intersection of the
527 role's access policy and the policy that you passed. These
528 policies and any applicable resource-based policies are
529 evaluated when calls to AWS service APIs are made using the
530 temporary security credentials.
531
532 Before your application can call `AssumeRoleWithWebIdentity`,
533 you must have an identity token from a supported identity
534 provider and create a role that the application can assume.
535 The role that your application assumes must trust the identity
536 provider that is associated with the identity token. In other
537 words, the identity provider must be specified in the role's
538 trust policy. For more information, see ` Creating Temporary
539 Security Credentials for Mobile Apps Using Third-Party
540 Identity Providers`_.
541
542 :type role_arn: string
543 :param role_arn: The Amazon Resource Name (ARN) of the role that the
544 caller is assuming.
545
546 :type role_session_name: string
547 :param role_session_name: An identifier for the assumed role session.
548 Typically, you pass the name or identifier that is associated with
549 the user who is using your application. That way, the temporary
550 security credentials that your application will use are associated
551 with that user. This session name is included as part of the ARN
552 and assumed role ID in the `AssumedRoleUser` response element.
553
554 :type web_identity_token: string
555 :param web_identity_token: The OAuth 2.0 access token or OpenID Connect
556 ID token that is provided by the identity provider. Your
557 application must get this token by authenticating the user who is
558 using your application with a web identity provider before the
559 application makes an `AssumeRoleWithWebIdentity` call.
560
561 :type provider_id: string
562 :param provider_id: Specify this value only for OAuth access tokens. Do
563 not specify this value for OpenID Connect ID tokens, such as
564 `accounts.google.com`. This is the fully-qualified host component
565 of the domain name of the identity provider. Do not include URL
566 schemes and port numbers. Currently, `www.amazon.com` and
567 `graph.facebook.com` are supported.
568
569 :type policy: string
570 :param policy: A supplemental policy that is associated with the
571 temporary security credentials from the `AssumeRoleWithWebIdentity`
572 call. The resulting permissions of the temporary security
573 credentials are an intersection of this policy and the access
574 policy that is associated with the role. Use this policy to further
575 restrict the permissions of the temporary security credentials.
576
577 :type duration_seconds: integer
578 :param duration_seconds: The duration, in seconds, of the role session.
579 The value can range from 900 seconds (15 minutes) to 3600 seconds
580 (1 hour). By default, the value is set to 3600 seconds.
581
582 """
583 params = {
584 'RoleArn': role_arn,
585 'RoleSessionName': role_session_name,
586 'WebIdentityToken': web_identity_token,
587 }
588 if provider_id is not None:
589 params['ProviderId'] = provider_id
590 if policy is not None:
591 params['Policy'] = policy
592 if duration_seconds is not None:
593 params['DurationSeconds'] = duration_seconds
594 return self.get_object(
595 'AssumeRoleWithWebIdentity',
596 params,
597 AssumedRole,
598 verb='POST'
599 )
600
601 def decode_authorization_message(self, encoded_message):
602 """
603 Decodes additional information about the authorization status
604 of a request from an encoded message returned in response to
605 an AWS request.
606
607 For example, if a user is not authorized to perform an action
608 that he or she has requested, the request returns a
609 `Client.UnauthorizedOperation` response (an HTTP 403
610 response). Some AWS actions additionally return an encoded
611 message that can provide details about this authorization
612 failure.
613 Only certain AWS actions return an encoded authorization
614 message. The documentation for an individual action indicates
615 whether that action returns an encoded message in addition to
616 returning an HTTP code.
617 The message is encoded because the details of the
618 authorization status can constitute privileged information
619 that the user who requested the action should not see. To
620 decode an authorization status message, a user must be granted
621 permissions via an IAM policy to request the
622 `DecodeAuthorizationMessage` (
623 `sts:DecodeAuthorizationMessage`) action.
624
625 The decoded message includes the following type of
626 information:
627
628
629 + Whether the request was denied due to an explicit deny or
630 due to the absence of an explicit allow. For more information,
631 see `Determining Whether a Request is Allowed or Denied`_ in
632 Using IAM .
633 + The principal who made the request.
634 + The requested action.
635 + The requested resource.
636 + The values of condition keys in the context of the user's
637 request.
638
639 :type encoded_message: string
640 :param encoded_message: The encoded message that was returned with the
641 response.
642
643 """
644 params = {
645 'EncodedMessage': encoded_message,
646 }
647 return self.get_object(
648 'DecodeAuthorizationMessage',
649 params,
650 DecodeAuthorizationMessage,
651 verb='POST'
652 )