Copyright	(c) 2013-2023 Brendan Hay
License	Mozilla Public License, v. 2.0.
Maintainer	Brendan Hay
Stability	auto-generated
Portability	non-portable (GHC extensions)
Safe Haskell	Safe-Inferred
Language	Haskell2010

Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML

Contents

Creating a Request
Request Lenses
Destructuring the Response
Response Lenses

Description

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.

This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:

Synopsis

Creating a Request

data AssumeDecoratedRoleWithSAML Source #

See: newAssumeDecoratedRoleWithSAML smart constructor.

Constructors

AssumeDecoratedRoleWithSAML'

Fields

durationSeconds :: Maybe Natural
The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.
sAMLAssertion :: Text
A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.
roleArn :: Text
The role that represents an IAM principal whose scope down policy allows it to call credential vending APIs such as GetTemporaryTableCredentials. The caller must also have iam:PassRole permission on this role.
principalArn :: Text
The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

Instances

Instances details

ToJSON AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods toJSON :: AssumeDecoratedRoleWithSAML -> Value # toEncoding :: AssumeDecoratedRoleWithSAML -> Encoding # toJSONList :: [AssumeDecoratedRoleWithSAML] -> Value # toEncodingList :: [AssumeDecoratedRoleWithSAML] -> Encoding #
ToHeaders AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods toHeaders :: AssumeDecoratedRoleWithSAML -> [Header] #
ToPath AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods toPath :: AssumeDecoratedRoleWithSAML -> ByteString #
ToQuery AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods toQuery :: AssumeDecoratedRoleWithSAML -> QueryString #
AWSRequest AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Associated Types type AWSResponse AssumeDecoratedRoleWithSAML # Methods request :: (Service -> Service) -> AssumeDecoratedRoleWithSAML -> Request AssumeDecoratedRoleWithSAML # response :: MonadResource m => (ByteStringLazy -> IO ByteStringLazy) -> Service -> Proxy AssumeDecoratedRoleWithSAML -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeDecoratedRoleWithSAML))) #
Generic AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Associated Types type Rep AssumeDecoratedRoleWithSAML :: Type -> Type # Methods from :: AssumeDecoratedRoleWithSAML -> Rep AssumeDecoratedRoleWithSAML x # to :: Rep AssumeDecoratedRoleWithSAML x -> AssumeDecoratedRoleWithSAML #
Read AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods readsPrec :: Int -> ReadS AssumeDecoratedRoleWithSAML # readList :: ReadS [AssumeDecoratedRoleWithSAML] # readPrec :: ReadPrec AssumeDecoratedRoleWithSAML # readListPrec :: ReadPrec [AssumeDecoratedRoleWithSAML] #
Show AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods showsPrec :: Int -> AssumeDecoratedRoleWithSAML -> ShowS # show :: AssumeDecoratedRoleWithSAML -> String # showList :: [AssumeDecoratedRoleWithSAML] -> ShowS #
NFData AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods rnf :: AssumeDecoratedRoleWithSAML -> () #
Eq AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods (==) :: AssumeDecoratedRoleWithSAML -> AssumeDecoratedRoleWithSAML -> Bool # (/=) :: AssumeDecoratedRoleWithSAML -> AssumeDecoratedRoleWithSAML -> Bool #
Hashable AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods hashWithSalt :: Int -> AssumeDecoratedRoleWithSAML -> Int # hash :: AssumeDecoratedRoleWithSAML -> Int #
type AWSResponse AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML type AWSResponse AssumeDecoratedRoleWithSAML = AssumeDecoratedRoleWithSAMLResponse
type Rep AssumeDecoratedRoleWithSAML Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML type Rep AssumeDecoratedRoleWithSAML = D1 ('MetaData "AssumeDecoratedRoleWithSAML" "Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML" "amazonka-lakeformation-2.0-HHqQokxI1tpCfoS44CTFPa" 'False) (C1 ('MetaCons "AssumeDecoratedRoleWithSAML'" 'PrefixI 'True) ((S1 ('MetaSel ('Just "durationSeconds") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Natural)) :: S1 ('MetaSel ('Just "sAMLAssertion") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text)) :: (S1 ('MetaSel ('Just "roleArn") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text) :*: S1 ('MetaSel ('Just "principalArn") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Text))))

newAssumeDecoratedRoleWithSAML Source #

Arguments

:: Text	`$sel:sAMLAssertion:AssumeDecoratedRoleWithSAML'`
-> Text	`AssumeDecoratedRoleWithSAML`
-> Text	`$sel:principalArn:AssumeDecoratedRoleWithSAML'`
-> AssumeDecoratedRoleWithSAML

Create a value of AssumeDecoratedRoleWithSAML with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:durationSeconds:AssumeDecoratedRoleWithSAML', assumeDecoratedRoleWithSAML_durationSeconds - The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.

$sel:sAMLAssertion:AssumeDecoratedRoleWithSAML', assumeDecoratedRoleWithSAML_sAMLAssertion - A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.

AssumeDecoratedRoleWithSAML, assumeDecoratedRoleWithSAML_roleArn - The role that represents an IAM principal whose scope down policy allows it to call credential vending APIs such as GetTemporaryTableCredentials. The caller must also have iam:PassRole permission on this role.

$sel:principalArn:AssumeDecoratedRoleWithSAML', assumeDecoratedRoleWithSAML_principalArn - The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

Request Lenses

assumeDecoratedRoleWithSAML_durationSeconds :: Lens' AssumeDecoratedRoleWithSAML (Maybe Natural) Source #

The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.

assumeDecoratedRoleWithSAML_sAMLAssertion :: Lens' AssumeDecoratedRoleWithSAML Text Source #

A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.

assumeDecoratedRoleWithSAML_roleArn :: Lens' AssumeDecoratedRoleWithSAML Text Source #

The role that represents an IAM principal whose scope down policy allows it to call credential vending APIs such as GetTemporaryTableCredentials. The caller must also have iam:PassRole permission on this role.

assumeDecoratedRoleWithSAML_principalArn :: Lens' AssumeDecoratedRoleWithSAML Text Source #

The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

Destructuring the Response

data AssumeDecoratedRoleWithSAMLResponse Source #

See: newAssumeDecoratedRoleWithSAMLResponse smart constructor.

Constructors

AssumeDecoratedRoleWithSAMLResponse'

Fields

accessKeyId :: Maybe Text
The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).
expiration :: Maybe POSIX
The date and time when the temporary credentials expire.
secretAccessKey :: Maybe Text
The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).
sessionToken :: Maybe Text
The session token for the temporary credentials.
httpStatus :: Int
The response's http status code.

Instances

Instances details

Generic AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Associated Types type Rep AssumeDecoratedRoleWithSAMLResponse :: Type -> Type # Methods from :: AssumeDecoratedRoleWithSAMLResponse -> Rep AssumeDecoratedRoleWithSAMLResponse x # to :: Rep AssumeDecoratedRoleWithSAMLResponse x -> AssumeDecoratedRoleWithSAMLResponse #
Read AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods readsPrec :: Int -> ReadS AssumeDecoratedRoleWithSAMLResponse # readList :: ReadS [AssumeDecoratedRoleWithSAMLResponse] # readPrec :: ReadPrec AssumeDecoratedRoleWithSAMLResponse # readListPrec :: ReadPrec [AssumeDecoratedRoleWithSAMLResponse] #
Show AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods showsPrec :: Int -> AssumeDecoratedRoleWithSAMLResponse -> ShowS # show :: AssumeDecoratedRoleWithSAMLResponse -> String # showList :: [AssumeDecoratedRoleWithSAMLResponse] -> ShowS #
NFData AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods rnf :: AssumeDecoratedRoleWithSAMLResponse -> () #
Eq AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML Methods (==) :: AssumeDecoratedRoleWithSAMLResponse -> AssumeDecoratedRoleWithSAMLResponse -> Bool # (/=) :: AssumeDecoratedRoleWithSAMLResponse -> AssumeDecoratedRoleWithSAMLResponse -> Bool #
type Rep AssumeDecoratedRoleWithSAMLResponse Source #
Instance details Defined in Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML type Rep AssumeDecoratedRoleWithSAMLResponse = D1 ('MetaData "AssumeDecoratedRoleWithSAMLResponse" "Amazonka.LakeFormation.AssumeDecoratedRoleWithSAML" "amazonka-lakeformation-2.0-HHqQokxI1tpCfoS44CTFPa" 'False) (C1 ('MetaCons "AssumeDecoratedRoleWithSAMLResponse'" 'PrefixI 'True) ((S1 ('MetaSel ('Just "accessKeyId") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "expiration") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe POSIX))) :: (S1 ('MetaSel ('Just "secretAccessKey") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :: (S1 ('MetaSel ('Just "sessionToken") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 (Maybe Text)) :: S1 ('MetaSel ('Just "httpStatus") 'NoSourceUnpackedness 'NoSourceStrictness 'DecidedStrict) (Rec0 Int)))))

newAssumeDecoratedRoleWithSAMLResponse Source #

Arguments

:: Int	`$sel:httpStatus:AssumeDecoratedRoleWithSAMLResponse'`
-> AssumeDecoratedRoleWithSAMLResponse

Create a value of AssumeDecoratedRoleWithSAMLResponse with all optional fields omitted.

Use generic-lens or optics to modify other optional fields.

The following record fields are available, with the corresponding lenses provided for backwards compatibility:

$sel:accessKeyId:AssumeDecoratedRoleWithSAMLResponse', assumeDecoratedRoleWithSAMLResponse_accessKeyId - The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).

$sel:expiration:AssumeDecoratedRoleWithSAMLResponse', assumeDecoratedRoleWithSAMLResponse_expiration - The date and time when the temporary credentials expire.

$sel:secretAccessKey:AssumeDecoratedRoleWithSAMLResponse', assumeDecoratedRoleWithSAMLResponse_secretAccessKey - The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).

$sel:sessionToken:AssumeDecoratedRoleWithSAMLResponse', assumeDecoratedRoleWithSAMLResponse_sessionToken - The session token for the temporary credentials.

$sel:httpStatus:AssumeDecoratedRoleWithSAMLResponse', assumeDecoratedRoleWithSAMLResponse_httpStatus - The response's http status code.

Response Lenses

assumeDecoratedRoleWithSAMLResponse_accessKeyId :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #

The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).

assumeDecoratedRoleWithSAMLResponse_expiration :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe UTCTime) Source #

The date and time when the temporary credentials expire.

assumeDecoratedRoleWithSAMLResponse_secretAccessKey :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #

The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).

assumeDecoratedRoleWithSAMLResponse_sessionToken :: Lens' AssumeDecoratedRoleWithSAMLResponse (Maybe Text) Source #

The session token for the temporary credentials.

assumeDecoratedRoleWithSAMLResponse_httpStatus :: Lens' AssumeDecoratedRoleWithSAMLResponse Int Source #

The response's http status code.