API version '2011-06-15' of the Amazon Security Token Service SDK configuration.

The request was rejected because the policy document was malformed. The error message describes the specific error.

The error returned if the message passed to DecodeAuthorizationMessage was invalid. This can happen if the token contains invalid characters, such as linebreaks.

The request was rejected because the policy document was too large. The error message describes how big the policy document is, in packed form, as a percentage of what the API allows.

The request could not be fulfilled because the non-AWS identity provider (IDP) that was asked to verify the incoming identity token could not be reached. This is often a transient error caused by network conditions. Retry the request a limited number of times so that you don't exceed the request rate. If the error persists, the non-AWS identity provider might be down or not responding.

The web identity token that was passed could not be validated by AWS. Get a new identity token from the identity provider and then retry the request.

The web identity token that was passed is expired or is not valid. Get a new identity token from the identity provider and then retry the request.

The identity provider (IdP) reported that authentication failed. This might be because the claim is invalid.

If this error is returned for the AssumeRoleWithWebIdentity operation, it can also mean that the claim has expired or has been explicitly revoked.

The identifiers for the temporary security credentials that the operation returns.

See: assumedRoleUser smart constructor.

Creates a value of AssumedRoleUser with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• aruAssumedRoleId
• aruARN

A unique identifier that contains the role ID and the role session name of the role that is being assumed. The role ID is generated by AWS when the role is created.

The ARN of the temporary security credentials that are returned from the AssumeRole action. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.

AWS credentials for API authentication.

See: credentials smart constructor.

Creates a value of Credentials with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• cAccessKeyId
• cSecretAccessKey
• cSessionToken
• cExpiration

The access key ID that identifies the temporary security credentials.

The secret access key that can be used to sign requests.

The token that users must pass to the service API to use the temporary credentials.

The date on which the current credentials expire.

Identifiers for the federated user that is associated with the credentials.

See: federatedUser smart constructor.

Creates a value of FederatedUser with the minimum fields required to make a request.

Use one of the following lenses to modify other fields as desired:

• fuFederatedUserId
• fuARN

The string that identifies the federated user associated with the credentials, similar to the unique ID of an IAM user.

The ARN that specifies the federated user that is associated with the credentials. For more information about ARNs and how to use them in policies, see IAM Identifiers in Using IAM.