amazonka-sts-1.6.0: Amazon Security Token Service SDK.

Copyright: (c) 2013-2018 Brendan Hay
License: Mozilla Public License, v. 2.0.
Maintainer: Brendan Hay <brendan.g.hay+amazonka@gmail.com>
Stability: auto-generated
Portability: non-portable (GHC extensions)
Safe Haskell: None
Language: Haskell2010

Network.AWS.STS

Description

AWS Security Token Service

The AWS Security Token Service (STS) is a web service that enables you to request temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users or for users that you authenticate (federated users). This guide provides descriptions of the STS API. For more detailed information about using this service, go to Temporary Security Credentials.

For information about setting up signatures and authorization through the API, go to Signing AWS API Requests in the AWS General Reference. For general information about the Query API, go to Making Query Requests in Using IAM. For information about using security tokens with other AWS products, go to AWS Services That Work with IAM in the IAM User Guide.

If you're new to AWS and need additional technical information about a specific AWS product, you can find the product's technical documentation at http://aws.amazon.com/documentation/.

Endpoints

The AWS Security Token Service (STS) has a default endpoint of https://sts.amazonaws.com that maps to the US East (N. Virginia) region. Additional regions are available and are activated by default. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.

For information about STS endpoints, see Regions and Endpoints in the AWS General Reference.

Recording API requests

STS supports AWS CloudTrail, which is a service that records AWS calls for your AWS account and delivers log files to an Amazon S3 bucket. By using information collected by CloudTrail, you can determine what requests were successfully made to STS, who made the request, when it was made, and so on. To learn more about CloudTrail, including how to turn it on and find your log files, see the AWS CloudTrail User Guide.

Synopsis

Service Configuration

sts :: Service

API version 2011-06-15 of the Amazon Security Token Service SDK configuration.

Errors

Error matchers are designed for use with the functions provided by Control.Exception.Lens. This allows catching (and rethrowing) service specific errors returned by STS.

MalformedPolicyDocumentException

_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError

The request was rejected because the policy document was malformed. The error message describes the specific error.

InvalidAuthorizationMessageException

_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError

The error returned if the message passed to DecodeAuthorizationMessage was invalid. This can happen if the token contains invalid characters, such as linebreaks.

PackedPolicyTooLargeException

_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError

The request was rejected because the policy document was too large. The error message describes how big the policy document is, in packed form, as a percentage of what the API allows.

RegionDisabledException

_RegionDisabledException :: AsError a => Getting (First ServiceError) a ServiceError

STS is not activated in the requested region for the account that is being asked to generate credentials. The account administrator must use the IAM console to activate STS in that region. For more information, see Activating and Deactivating AWS STS in an AWS Region in the IAM User Guide.

IdPCommunicationErrorException

_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError

The request could not be fulfilled because the non-AWS identity provider (IDP) that was asked to verify the incoming identity token could not be reached. This is often a transient error caused by network conditions. Retry the request a limited number of times so that you don't exceed the request rate. If the error persists, the non-AWS identity provider might be down or not responding.

InvalidIdentityTokenException

_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError

The web identity token that was passed could not be validated by AWS. Get a new identity token from the identity provider and then retry the request.

ExpiredTokenException

_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError

The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.

IdPRejectedClaimException

_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError

The identity provider (IdP) reported that authentication failed. This might be because the claim is invalid.

If this error is returned for the AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired or has been explicitly revoked.

Waiters

Waiters poll by repeatedly sending a request until some remote success condition configured by the Wait specification is fulfilled. The Wait specification determines how many attempts should be made, in addition to delay and retry strategies.

Operations

Some AWS operations return results that are incomplete and require subsequent requests in order to obtain the entire result set. The process of sending subsequent requests to continue where a previous request left off is called pagination. For example, the ListObjects operation of Amazon S3 returns up to 1000 objects at a time, and you must send subsequent requests with the appropriate Marker in order to retrieve the next page of results.

Operations that have an AWSPager instance can transparently perform subsequent requests, correctly setting Markers and other request facets to iterate through the entire result set of a truncated API operation. Operations which support this have an additional note in the documentation.

Many operations have the ability to filter results on the server side. See the individual operation parameters for details.

GetCallerIdentity

AssumeRole

DecodeAuthorizationMessage

AssumeRoleWithWebIdentity

GetFederationToken

GetSessionToken

AssumeRoleWithSAML

Types

AssumedRoleUser

data AssumedRoleUser

The identifiers for the temporary security credentials that the operation returns.

See: assumedRoleUser smart constructor.

Instances

Eq AssumedRoleUser
Data AssumedRoleUser

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> AssumedRoleUser -> c AssumedRoleUser

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c AssumedRoleUser

toConstr :: AssumedRoleUser -> Constr

dataTypeOf :: AssumedRoleUser -> DataType

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c AssumedRoleUser)

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c AssumedRoleUser)

gmapT :: (forall b. Data b => b -> b) -> AssumedRoleUser -> AssumedRoleUser

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> AssumedRoleUser -> r

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> AssumedRoleUser -> r

gmapQ :: (forall d. Data d => d -> u) -> AssumedRoleUser -> [u]

gmapQi :: Int -> (forall d. Data d => d -> u) -> AssumedRoleUser -> u

gmapM :: Monad m => (forall d. Data d => d -> m d) -> AssumedRoleUser -> m AssumedRoleUser

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> AssumedRoleUser -> m AssumedRoleUser

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> AssumedRoleUser -> m AssumedRoleUser

Read AssumedRoleUser
Show AssumedRoleUser
Generic AssumedRoleUser
Hashable AssumedRoleUser
NFData AssumedRoleUser

Methods

rnf :: AssumedRoleUser -> ()

FromXML AssumedRoleUser
type Rep AssumedRoleUser
type Rep AssumedRoleUser = D1 * (MetaData "AssumedRoleUser" "Network.AWS.STS.Types.Product" "amazonka-sts-1.6.0-EPNeUQLPr8ffz5DpzRv1Q" False) (C1 * (MetaCons "AssumedRoleUser'" PrefixI True) ((:*:) * (S1 * (MetaSel (Just Symbol "_aruAssumedRoleId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Text)) (S1 * (MetaSel (Just Symbol "_aruARN") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Text))))

assumedRoleUser

Creates a value of AssumedRoleUser with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • aruAssumedRoleId - A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.
  • aruARN - The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.

aruAssumedRoleId :: Lens' AssumedRoleUser Text

A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.

aruARN :: Lens' AssumedRoleUser Text

The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.
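Added example (not code from the amazonka-sts package) tying the Errors section to this type: it sends a scoped-down AssumeRole, catches a rejected session policy with the `_MalformedPolicyDocumentException` matcher via Control.Exception.Lens, and reads the AssumedRoleUser lenses from the response so the session can be correlated with CloudTrail later. The role ARN, session name and session policy are assumed placeholders.

```haskell
{-# LANGUAGE OverloadedStrings #-}
-- Added example; not code from the amazonka-sts package. Assumes credentials
-- are discoverable (env vars, ~/.aws profile or instance metadata) and that
-- the placeholder role ARN below is replaced with one in your own account.
module Main (main) where

import Control.Exception.Lens (trying)
import Control.Lens ((&), (?~), (^.))
import Data.Text (Text)
import qualified Data.Text.IO as T
import Network.AWS
import Network.AWS.STS

-- Placeholder role ARN (assumed, not a real account).
roleArn :: Text
roleArn = "arn:aws:iam::123456789012:role/ReadOnlyAudit"

-- Session policy: the session's effective permissions are the intersection of
-- this document and the role's own policies, so it can only narrow, never widen.
sessionPolicy :: Text
sessionPolicy =
  "{\"Version\":\"2012-10-17\",\"Statement\":[{\"Effect\":\"Allow\",\
  \\"Action\":\"s3:ListBucket\",\"Resource\":\"*\"}]}"

-- Request short-lived, scoped-down credentials; a rejected policy surfaces as
-- Left ServiceError instead of an uncaught exception.
assumeScoped :: Env -> IO (Either ServiceError AssumeRoleResponse)
assumeScoped env =
  runResourceT . runAWS env . within NorthVirginia $
    trying _MalformedPolicyDocumentException $
      send $ assumeRole roleArn "audit-session"
        & arPolicy ?~ sessionPolicy
        & arDurationSeconds ?~ 900   -- 15 minutes, the minimum STS accepts

main :: IO ()
main = do
  env <- newEnv Discover
  r <- assumeScoped env
  case r of
    Left err ->
      -- Malformed policy: log the service message; retrying will not help.
      putStrLn ("AssumeRole rejected: " ++ show err)
    Right resp -> do
      -- AssumedRoleUser carries the role-id:session-name pair that CloudTrail
      -- records for every call made with these credentials; log it so later
      -- events can be tied back to this session.
      mapM_ (\u -> T.putStrLn (u ^. aruARN) >> T.putStrLn (u ^. aruAssumedRoleId))
            (resp ^. arrsAssumedRoleUser)
      -- PackedPolicySize is a percentage of the limit; near 100 means the next
      -- policy edit is likely to trigger PackedPolicyTooLargeException.
      mapM_ print (resp ^. arrsPackedPolicySize)
```

The temporary credentials themselves are in `resp ^. arrsCredentials` (a `Maybe AuthEnv`); the example deliberately does not print them.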

FederatedUser

data FederatedUser

Identifiers for the federated user that is associated with the credentials.

See: federatedUser smart constructor.

Instances

Eq FederatedUser
Data FederatedUser

Methods

gfoldl :: (forall d b. Data d => c (d -> b) -> d -> c b) -> (forall g. g -> c g) -> FederatedUser -> c FederatedUser

gunfold :: (forall b r. Data b => c (b -> r) -> c r) -> (forall r. r -> c r) -> Constr -> c FederatedUser

toConstr :: FederatedUser -> Constr

dataTypeOf :: FederatedUser -> DataType

dataCast1 :: Typeable (* -> *) t => (forall d. Data d => c (t d)) -> Maybe (c FederatedUser)

dataCast2 :: Typeable (* -> * -> *) t => (forall d e. (Data d, Data e) => c (t d e)) -> Maybe (c FederatedUser)

gmapT :: (forall b. Data b => b -> b) -> FederatedUser -> FederatedUser

gmapQl :: (r -> r' -> r) -> r -> (forall d. Data d => d -> r') -> FederatedUser -> r

gmapQr :: (r' -> r -> r) -> r -> (forall d. Data d => d -> r') -> FederatedUser -> r

gmapQ :: (forall d. Data d => d -> u) -> FederatedUser -> [u]

gmapQi :: Int -> (forall d. Data d => d -> u) -> FederatedUser -> u

gmapM :: Monad m => (forall d. Data d => d -> m d) -> FederatedUser -> m FederatedUser

gmapMp :: MonadPlus m => (forall d. Data d => d -> m d) -> FederatedUser -> m FederatedUser

gmapMo :: MonadPlus m => (forall d. Data d => d -> m d) -> FederatedUser -> m FederatedUser

Read FederatedUser
Show FederatedUser
Generic FederatedUser

Associated Types

type Rep FederatedUser :: * -> *

Hashable FederatedUser
NFData FederatedUser

Methods

rnf :: FederatedUser -> ()

FromXML FederatedUser
type Rep FederatedUser
type Rep FederatedUser = D1 * (MetaData "FederatedUser" "Network.AWS.STS.Types.Product" "amazonka-sts-1.6.0-EPNeUQLPr8ffz5DpzRv1Q" False) (C1 * (MetaCons "FederatedUser'" PrefixI True) ((:*:) * (S1 * (MetaSel (Just Symbol "_fuFederatedUserId") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Text)) (S1 * (MetaSel (Just Symbol "_fuARN") NoSourceUnpackedness SourceStrict DecidedStrict) (Rec0 * Text))))

federatedUser

Creates a value of FederatedUser with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

  • fuFederatedUserId - The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.
  • fuARN - The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.

fuFederatedUserId :: Lens' FederatedUser Text

The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.

fuARN :: Lens' FederatedUser Text

The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.