Copyright | (c) 2013-2023 Brendan Hay |
---|---|
License | Mozilla Public License, v. 2.0. |
Maintainer | Brendan Hay |
Stability | auto-generated |
Portability | non-portable (GHC extensions) |
Safe Haskell | Safe-Inferred |
Language | Haskell2010 |
Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.
This decorated role is expected to access data in Amazon S3 by getting
temporary access from Lake Formation which is authorized via the virtual
API GetDataAccess
. Therefore, all SAML roles that can be assumed via
AssumeDecoratedRoleWithSAML
must at a minimum include
lakeformation:GetDataAccess
in their role policies. A typical IAM
policy attached to such a role would look as follows:
Synopsis
- data AssumeDecoratedRoleWithSAML = AssumeDecoratedRoleWithSAML' {}
- newAssumeDecoratedRoleWithSAML :: Text -> Text -> Text -> AssumeDecoratedRoleWithSAML
- assumeDecoratedRoleWithSAML_durationSeconds :: Lens' AssumeDecoratedRoleWithSAML (Maybe Natural)
- assumeDecoratedRoleWithSAML_sAMLAssertion :: Lens' AssumeDecoratedRoleWithSAML Text
- assumeDecoratedRoleWithSAML_roleArn :: Lens' AssumeDecoratedRoleWithSAML Text
- assumeDecoratedRoleWithSAML_principalArn :: Lens' AssumeDecoratedRoleWithSAML Text
- data AssumeDecoratedRoleWithSAMLResponse = AssumeDecoratedRoleWithSAMLResponse' {}
- newAssumeDecoratedRoleWithSAMLResponse :: Int -> AssumeDecoratedRoleWithSAMLResponse
- assumeDecoratedRoleWithSAMLResponse_accessKeyId :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text)
- assumeDecoratedRoleWithSAMLResponse_expiration :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe UTCTime)
- assumeDecoratedRoleWithSAMLResponse_secretAccessKey :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text)
- assumeDecoratedRoleWithSAMLResponse_sessionToken :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text)
- assumeDecoratedRoleWithSAMLResponse_httpStatus :: Lens' AssumeDecoratedRoleWithSAMLResponse Int
Creating a Request
data AssumeDecoratedRoleWithSAML Source #
See: newAssumeDecoratedRoleWithSAML
smart constructor.
AssumeDecoratedRoleWithSAML' | |
|
Instances
newAssumeDecoratedRoleWithSAML Source #
:: Text | |
-> Text | |
-> Text | |
-> AssumeDecoratedRoleWithSAML |
Create a value of AssumeDecoratedRoleWithSAML
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:durationSeconds:AssumeDecoratedRoleWithSAML'
, assumeDecoratedRoleWithSAML_durationSeconds
- The time period, between 900 and 43,200 seconds, for the timeout of the
temporary credentials.
$sel:sAMLAssertion:AssumeDecoratedRoleWithSAML'
, assumeDecoratedRoleWithSAML_sAMLAssertion
- A SAML assertion consisting of an assertion statement for the user who
needs temporary credentials. This must match the SAML assertion that was
issued to IAM. This must be Base64 encoded.
AssumeDecoratedRoleWithSAML
, assumeDecoratedRoleWithSAML_roleArn
- The role that represents an IAM principal whose scope down policy allows
it to call credential vending APIs such as
GetTemporaryTableCredentials
. The caller must also have iam:PassRole
permission on this role.
$sel:principalArn:AssumeDecoratedRoleWithSAML'
, assumeDecoratedRoleWithSAML_principalArn
- The Amazon Resource Name (ARN) of the SAML provider in IAM that
describes the IdP.
Request Lenses
assumeDecoratedRoleWithSAML_durationSeconds :: Lens' AssumeDecoratedRoleWithSAML (Maybe Natural) Source #
The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.
assumeDecoratedRoleWithSAML_sAMLAssertion :: Lens' AssumeDecoratedRoleWithSAML Text Source #
A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.
assumeDecoratedRoleWithSAML_roleArn :: Lens' AssumeDecoratedRoleWithSAML Text Source #
The role that represents an IAM principal whose scope down policy allows
it to call credential vending APIs such as
GetTemporaryTableCredentials
. The caller must also have iam:PassRole
permission on this role.
assumeDecoratedRoleWithSAML_principalArn :: Lens' AssumeDecoratedRoleWithSAML Text Source #
The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
Destructuring the Response
data AssumeDecoratedRoleWithSAMLResponse Source #
See: newAssumeDecoratedRoleWithSAMLResponse
smart constructor.
AssumeDecoratedRoleWithSAMLResponse' | |
|
Instances
newAssumeDecoratedRoleWithSAMLResponse Source #
Create a value of AssumeDecoratedRoleWithSAMLResponse
with all optional fields omitted.
Use generic-lens or optics to modify other optional fields.
The following record fields are available, with the corresponding lenses provided for backwards compatibility:
$sel:accessKeyId:AssumeDecoratedRoleWithSAMLResponse'
, assumeDecoratedRoleWithSAMLResponse_accessKeyId
- The access key ID for the temporary credentials. (The access key
consists of an access key ID and a secret key).
$sel:expiration:AssumeDecoratedRoleWithSAMLResponse'
, assumeDecoratedRoleWithSAMLResponse_expiration
- The date and time when the temporary credentials expire.
$sel:secretAccessKey:AssumeDecoratedRoleWithSAMLResponse'
, assumeDecoratedRoleWithSAMLResponse_secretAccessKey
- The secret key for the temporary credentials. (The access key consists
of an access key ID and a secret key).
$sel:sessionToken:AssumeDecoratedRoleWithSAMLResponse'
, assumeDecoratedRoleWithSAMLResponse_sessionToken
- The session token for the temporary credentials.
$sel:httpStatus:AssumeDecoratedRoleWithSAMLResponse'
, assumeDecoratedRoleWithSAMLResponse_httpStatus
- The response's http status code.
Response Lenses
assumeDecoratedRoleWithSAMLResponse_accessKeyId :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #
The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).
assumeDecoratedRoleWithSAMLResponse_expiration :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe UTCTime) Source #
The date and time when the temporary credentials expire.
assumeDecoratedRoleWithSAMLResponse_secretAccessKey :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #
The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).
assumeDecoratedRoleWithSAMLResponse_sessionToken :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #
The session token for the temporary credentials.
assumeDecoratedRoleWithSAMLResponse_httpStatus :: Lens' AssumeDecoratedRoleWithSAMLResponse Int Source #
The response's http status code.