{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.STS.AssumeRole -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Returns a set of temporary security credentials that you can use to -- access Amazon Web Services resources that you might not normally have -- access to. These temporary credentials consist of an access key ID, a -- secret access key, and a security token. Typically, you use @AssumeRole@ -- within your account or for cross-account access. For a comparison of -- @AssumeRole@ with other API operations that produce temporary -- credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> -- and -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the STS API operations> -- in the /IAM User Guide/. -- -- __Permissions__ -- -- The temporary security credentials created by @AssumeRole@ can be used -- to make API calls to any Amazon Web Services service with the following -- exception: You cannot call the STS @GetFederationToken@ or -- @GetSessionToken@ API operations. -- -- (Optional) You can pass inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. The plaintext that you use for both -- inline and managed session policies can\'t exceed 2,048 characters. -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- To assume a role from a different account, your account must be trusted -- by the role. The trust relationship is defined in the role\'s trust -- policy when the role is created. That trust policy states which accounts -- are allowed to delegate that access to users in the account. -- -- A user who wants to access a role in a different account must also have -- permissions that are delegated from the user account administrator. The -- administrator must attach a policy that allows the user to call -- @AssumeRole@ for the ARN of the role in the other account. If the user -- is in the same account as the role, then you can do either of the -- following: -- -- - Attach a policy to the user (identical to the previous user in a -- different account). -- -- - Add the user as a principal directly in the role\'s trust policy. -- -- In this case, the trust policy acts as an IAM resource-based policy. -- Users in the same account as the role do not need explicit permission to -- assume the role. For more information about trust policies and -- resource-based policies, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html IAM Policies> -- in the /IAM User Guide/. -- -- __Tags__ -- -- (Optional) You can pass tag key-value pairs to your session. These tags -- are called session tags. For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- An administrator must grant you the permissions necessary to pass -- session tags. The administrator can also create granular permissions to -- allow you to pass only specific session tags. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control> -- in the /IAM User Guide/. -- -- You can set the session tags as transitive. Transitive tags persist -- during role chaining. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- __Using MFA with AssumeRole__ -- -- (Optional) You can include multi-factor authentication (MFA) information -- when you call @AssumeRole@. This is useful for cross-account scenarios -- to ensure that the user that assumes the role has been authenticated -- with an Amazon Web Services MFA device. In that scenario, the trust -- policy of the role being assumed includes a condition that tests for MFA -- authentication. If the caller does not include valid MFA information, -- the request to assume the role is denied. The condition in a trust -- policy that tests for MFA authentication might look like the following -- example. -- -- @\"Condition\": {\"Bool\": {\"aws:MultiFactorAuthPresent\": true}}@ -- -- For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html Configuring MFA-Protected API Access> -- in the /IAM User Guide/ guide. -- -- To use MFA with @AssumeRole@, you pass values for the @SerialNumber@ and -- @TokenCode@ parameters. The @SerialNumber@ value identifies the user\'s -- hardware or virtual MFA device. The @TokenCode@ is the time-based -- one-time password (TOTP) that the MFA device produces. module Amazonka.STS.AssumeRole ( -- * Creating a Request AssumeRole (..), newAssumeRole, -- * Request Lenses assumeRole_transitiveTagKeys, assumeRole_tokenCode, assumeRole_policyArns, assumeRole_durationSeconds, assumeRole_policy, assumeRole_externalId, assumeRole_sourceIdentity, assumeRole_serialNumber, assumeRole_tags, assumeRole_roleArn, assumeRole_roleSessionName, -- * Destructuring the Response AssumeRoleResponse (..), newAssumeRoleResponse, -- * Response Lenses assumeRoleResponse_packedPolicySize, assumeRoleResponse_credentials, assumeRoleResponse_assumedRoleUser, assumeRoleResponse_sourceIdentity, assumeRoleResponse_httpStatus, ) where import qualified Amazonka.Core as Core import qualified Amazonka.Lens as Lens import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response import Amazonka.STS.Types -- | /See:/ 'newAssumeRole' smart constructor. data AssumeRole = AssumeRole' { -- | A list of keys for session tags that you want to set as transitive. If -- you set a tag key as transitive, the corresponding key and value passes -- to subsequent sessions in a role chain. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- This parameter is optional. When you set session tags as transitive, the -- session policy and session tags packed binary limit is not affected. -- -- If you choose not to specify a transitive tag key, then no tags are -- passed from this session to any subsequent sessions. AssumeRole -> Maybe [Text] transitiveTagKeys :: Prelude.Maybe [Prelude.Text], -- | The value provided by the MFA device, if the trust policy of the role -- being assumed requires MFA. (In other words, if the policy includes a -- condition that tests for MFA). If the role being assumed requires MFA -- and if the @TokenCode@ value is missing or expired, the @AssumeRole@ -- call returns an \"access denied\" error. -- -- The format for this parameter, as described by its regex pattern, is a -- sequence of six numeric digits. AssumeRole -> Maybe Text tokenCode :: Prelude.Maybe Prelude.Text, -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. AssumeRole -> Maybe [PolicyDescriptorType] policyArns :: Prelude.Maybe [PolicyDescriptorType], -- | The duration, in seconds, of the role session. The value specified can -- can range from 900 seconds (15 minutes) up to the maximum session -- duration that is set for the role. The maximum session duration setting -- can have a value from 1 hour to 12 hours. If you specify a value higher -- than this setting or the administrator setting (whichever is lower), the -- operation fails. For example, if you specify a session duration of 12 -- hours, but your administrator set the maximum session duration to 6 -- hours, your operation fails. To learn how to view the maximum value for -- your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. AssumeRole -> Maybe Natural durationSeconds :: Prelude.Maybe Prelude.Natural, -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. AssumeRole -> Maybe Text policy :: Prelude.Maybe Prelude.Text, -- | A unique identifier that might be required when you assume a role in -- another account. If the administrator of the account to which the role -- belongs provided you with an external ID, then provide that value in the -- @ExternalId@ parameter. This value can be any string, such as a -- passphrase or account number. A cross-account role is usually set up to -- trust everyone in an account. Therefore, the administrator of the -- trusting account might send an external ID to the administrator of the -- trusted account. That way, only someone with the ID can assume the role, -- rather than everyone in the account. For more information about the -- external ID, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@:\/- AssumeRole -> Maybe Text externalId :: Prelude.Maybe Prelude.Text, -- | The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@-. You cannot use a value that begins with the text -- @aws:@. This prefix is reserved for Amazon Web Services internal use. AssumeRole -> Maybe Text sourceIdentity :: Prelude.Maybe Prelude.Text, -- | The identification number of the MFA device that is associated with the -- user who is making the @AssumeRole@ call. Specify this value if the -- trust policy of the role being assumed includes a condition that -- requires MFA authentication. The value is either the serial number for a -- hardware device (such as @GAHT12345678@) or an Amazon Resource Name -- (ARN) for a virtual device (such as -- @arn:aws:iam::123456789012:mfa\/user@). -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRole -> Maybe Text serialNumber :: Prelude.Maybe Prelude.Text, -- | A list of session tags that you want to pass. Each session tag consists -- of a key name and an associated value. For more information about -- session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging STS Sessions> -- in the /IAM User Guide/. -- -- This parameter is optional. You can pass up to 50 session tags. The -- plaintext session tag keys can’t exceed 128 characters, and the values -- can’t exceed 256 characters. For these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is already -- attached to the role. When you do, session tags override a role tag with -- the same key. -- -- Tag key–value pairs are not case sensitive, but case is preserved. This -- means that you cannot have separate @Department@ and @department@ tag -- keys. Assume that the role has the @Department@=@Marketing@ tag and you -- pass the @department@=@engineering@ session tag. @Department@ and -- @department@ are not saved as separate tags, and the session tag passed -- in the request takes precedence over the role tag. -- -- Additionally, if you used temporary credentials to perform this -- operation, the new session inherits any transitive session tags from the -- calling session. If you pass a session tag with the same key as an -- inherited tag, the operation fails. To view the inherited tags for a -- session, see the CloudTrail logs. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail> -- in the /IAM User Guide/. :: Prelude.Maybe [Tag], -- | The Amazon Resource Name (ARN) of the role to assume. AssumeRole -> Text roleArn :: Prelude.Text, -- | An identifier for the assumed role session. -- -- Use the role session name to uniquely identify a session when the same -- role is assumed by different principals or for different reasons. In -- cross-account scenarios, the role session name is visible to, and can be -- logged by the account that owns the role. The role session name is also -- used in the ARN of the assumed role principal. This means that -- subsequent cross-account API requests that use the temporary security -- credentials will expose the role session name to the external account in -- their CloudTrail logs. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRole -> Text roleSessionName :: Prelude.Text } deriving (AssumeRole -> AssumeRole -> Bool (AssumeRole -> AssumeRole -> Bool) -> (AssumeRole -> AssumeRole -> Bool) -> Eq AssumeRole forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRole -> AssumeRole -> Bool $c/= :: AssumeRole -> AssumeRole -> Bool == :: AssumeRole -> AssumeRole -> Bool $c== :: AssumeRole -> AssumeRole -> Bool Prelude.Eq, ReadPrec [AssumeRole] ReadPrec AssumeRole Int -> ReadS AssumeRole ReadS [AssumeRole] (Int -> ReadS AssumeRole) -> ReadS [AssumeRole] -> ReadPrec AssumeRole -> ReadPrec [AssumeRole] -> Read AssumeRole forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [AssumeRole] $creadListPrec :: ReadPrec [AssumeRole] readPrec :: ReadPrec AssumeRole $creadPrec :: ReadPrec AssumeRole readList :: ReadS [AssumeRole] $creadList :: ReadS [AssumeRole] readsPrec :: Int -> ReadS AssumeRole $creadsPrec :: Int -> ReadS AssumeRole Prelude.Read, Int -> AssumeRole -> ShowS [AssumeRole] -> ShowS AssumeRole -> String (Int -> AssumeRole -> ShowS) -> (AssumeRole -> String) -> ([AssumeRole] -> ShowS) -> Show AssumeRole forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRole] -> ShowS $cshowList :: [AssumeRole] -> ShowS show :: AssumeRole -> String $cshow :: AssumeRole -> String showsPrec :: Int -> AssumeRole -> ShowS $cshowsPrec :: Int -> AssumeRole -> ShowS Prelude.Show, (forall x. AssumeRole -> Rep AssumeRole x) -> (forall x. Rep AssumeRole x -> AssumeRole) -> Generic AssumeRole forall x. Rep AssumeRole x -> AssumeRole forall x. AssumeRole -> Rep AssumeRole x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRole x -> AssumeRole $cfrom :: forall x. AssumeRole -> Rep AssumeRole x Prelude.Generic) -- | -- Create a value of 'AssumeRole' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'transitiveTagKeys', 'assumeRole_transitiveTagKeys' - A list of keys for session tags that you want to set as transitive. If -- you set a tag key as transitive, the corresponding key and value passes -- to subsequent sessions in a role chain. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- This parameter is optional. When you set session tags as transitive, the -- session policy and session tags packed binary limit is not affected. -- -- If you choose not to specify a transitive tag key, then no tags are -- passed from this session to any subsequent sessions. -- -- 'tokenCode', 'assumeRole_tokenCode' - The value provided by the MFA device, if the trust policy of the role -- being assumed requires MFA. (In other words, if the policy includes a -- condition that tests for MFA). If the role being assumed requires MFA -- and if the @TokenCode@ value is missing or expired, the @AssumeRole@ -- call returns an \"access denied\" error. -- -- The format for this parameter, as described by its regex pattern, is a -- sequence of six numeric digits. -- -- 'policyArns', 'assumeRole_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- 'durationSeconds', 'assumeRole_durationSeconds' - The duration, in seconds, of the role session. The value specified can -- can range from 900 seconds (15 minutes) up to the maximum session -- duration that is set for the role. The maximum session duration setting -- can have a value from 1 hour to 12 hours. If you specify a value higher -- than this setting or the administrator setting (whichever is lower), the -- operation fails. For example, if you specify a session duration of 12 -- hours, but your administrator set the maximum session duration to 6 -- hours, your operation fails. To learn how to view the maximum value for -- your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. -- -- 'policy', 'assumeRole_policy' - An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- 'externalId', 'assumeRole_externalId' - A unique identifier that might be required when you assume a role in -- another account. If the administrator of the account to which the role -- belongs provided you with an external ID, then provide that value in the -- @ExternalId@ parameter. This value can be any string, such as a -- passphrase or account number. A cross-account role is usually set up to -- trust everyone in an account. Therefore, the administrator of the -- trusting account might send an external ID to the administrator of the -- trusted account. That way, only someone with the ID can assume the role, -- rather than everyone in the account. For more information about the -- external ID, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@:\/- -- -- 'sourceIdentity', 'assumeRole_sourceIdentity' - The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@-. You cannot use a value that begins with the text -- @aws:@. This prefix is reserved for Amazon Web Services internal use. -- -- 'serialNumber', 'assumeRole_serialNumber' - The identification number of the MFA device that is associated with the -- user who is making the @AssumeRole@ call. Specify this value if the -- trust policy of the role being assumed includes a condition that -- requires MFA authentication. The value is either the serial number for a -- hardware device (such as @GAHT12345678@) or an Amazon Resource Name -- (ARN) for a virtual device (such as -- @arn:aws:iam::123456789012:mfa\/user@). -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- -- -- 'tags', 'assumeRole_tags' - A list of session tags that you want to pass. Each session tag consists -- of a key name and an associated value. For more information about -- session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging STS Sessions> -- in the /IAM User Guide/. -- -- This parameter is optional. You can pass up to 50 session tags. The -- plaintext session tag keys can’t exceed 128 characters, and the values -- can’t exceed 256 characters. For these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is already -- attached to the role. When you do, session tags override a role tag with -- the same key. -- -- Tag key–value pairs are not case sensitive, but case is preserved. This -- means that you cannot have separate @Department@ and @department@ tag -- keys. Assume that the role has the @Department@=@Marketing@ tag and you -- pass the @department@=@engineering@ session tag. @Department@ and -- @department@ are not saved as separate tags, and the session tag passed -- in the request takes precedence over the role tag. -- -- Additionally, if you used temporary credentials to perform this -- operation, the new session inherits any transitive session tags from the -- calling session. If you pass a session tag with the same key as an -- inherited tag, the operation fails. To view the inherited tags for a -- session, see the CloudTrail logs. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail> -- in the /IAM User Guide/. -- -- 'roleArn', 'assumeRole_roleArn' - The Amazon Resource Name (ARN) of the role to assume. -- -- 'roleSessionName', 'assumeRole_roleSessionName' - An identifier for the assumed role session. -- -- Use the role session name to uniquely identify a session when the same -- role is assumed by different principals or for different reasons. In -- cross-account scenarios, the role session name is visible to, and can be -- logged by the account that owns the role. The role session name is also -- used in the ARN of the assumed role principal. This means that -- subsequent cross-account API requests that use the temporary security -- credentials will expose the role session name to the external account in -- their CloudTrail logs. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- newAssumeRole :: -- | 'roleArn' Prelude.Text -> -- | 'roleSessionName' Prelude.Text -> AssumeRole newAssumeRole :: Text -> Text -> AssumeRole newAssumeRole Text pRoleArn_ Text pRoleSessionName_ = AssumeRole' :: Maybe [Text] -> Maybe Text -> Maybe [PolicyDescriptorType] -> Maybe Natural -> Maybe Text -> Maybe Text -> Maybe Text -> Maybe Text -> Maybe [Tag] -> Text -> Text -> AssumeRole AssumeRole' { $sel:transitiveTagKeys:AssumeRole' :: Maybe [Text] transitiveTagKeys = Maybe [Text] forall a. Maybe a Prelude.Nothing, $sel:tokenCode:AssumeRole' :: Maybe Text tokenCode = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:policyArns:AssumeRole' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] forall a. Maybe a Prelude.Nothing, $sel:durationSeconds:AssumeRole' :: Maybe Natural durationSeconds = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:policy:AssumeRole' :: Maybe Text policy = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:externalId:AssumeRole' :: Maybe Text externalId = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:sourceIdentity:AssumeRole' :: Maybe Text sourceIdentity = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:serialNumber:AssumeRole' :: Maybe Text serialNumber = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:tags:AssumeRole' :: Maybe [Tag] tags = Maybe [Tag] forall a. Maybe a Prelude.Nothing, $sel:roleArn:AssumeRole' :: Text roleArn = Text pRoleArn_, $sel:roleSessionName:AssumeRole' :: Text roleSessionName = Text pRoleSessionName_ } -- | A list of keys for session tags that you want to set as transitive. If -- you set a tag key as transitive, the corresponding key and value passes -- to subsequent sessions in a role chain. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- This parameter is optional. When you set session tags as transitive, the -- session policy and session tags packed binary limit is not affected. -- -- If you choose not to specify a transitive tag key, then no tags are -- passed from this session to any subsequent sessions. assumeRole_transitiveTagKeys :: Lens.Lens' AssumeRole (Prelude.Maybe [Prelude.Text]) assumeRole_transitiveTagKeys :: (Maybe [Text] -> f (Maybe [Text])) -> AssumeRole -> f AssumeRole assumeRole_transitiveTagKeys = (AssumeRole -> Maybe [Text]) -> (AssumeRole -> Maybe [Text] -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe [Text]) (Maybe [Text]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe [Text] transitiveTagKeys :: Maybe [Text] $sel:transitiveTagKeys:AssumeRole' :: AssumeRole -> Maybe [Text] transitiveTagKeys} -> Maybe [Text] transitiveTagKeys) (\s :: AssumeRole s@AssumeRole' {} Maybe [Text] a -> AssumeRole s {$sel:transitiveTagKeys:AssumeRole' :: Maybe [Text] transitiveTagKeys = Maybe [Text] a} :: AssumeRole) ((Maybe [Text] -> f (Maybe [Text])) -> AssumeRole -> f AssumeRole) -> ((Maybe [Text] -> f (Maybe [Text])) -> Maybe [Text] -> f (Maybe [Text])) -> (Maybe [Text] -> f (Maybe [Text])) -> AssumeRole -> f AssumeRole forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [Text] [Text] [Text] [Text] -> Iso (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) (Maybe [Text]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [Text] [Text] [Text] [Text] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The value provided by the MFA device, if the trust policy of the role -- being assumed requires MFA. (In other words, if the policy includes a -- condition that tests for MFA). If the role being assumed requires MFA -- and if the @TokenCode@ value is missing or expired, the @AssumeRole@ -- call returns an \"access denied\" error. -- -- The format for this parameter, as described by its regex pattern, is a -- sequence of six numeric digits. assumeRole_tokenCode :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text) assumeRole_tokenCode :: (Maybe Text -> f (Maybe Text)) -> AssumeRole -> f AssumeRole assumeRole_tokenCode = (AssumeRole -> Maybe Text) -> (AssumeRole -> Maybe Text -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Text tokenCode :: Maybe Text $sel:tokenCode:AssumeRole' :: AssumeRole -> Maybe Text tokenCode} -> Maybe Text tokenCode) (\s :: AssumeRole s@AssumeRole' {} Maybe Text a -> AssumeRole s {$sel:tokenCode:AssumeRole' :: Maybe Text tokenCode = Maybe Text a} :: AssumeRole) -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. assumeRole_policyArns :: Lens.Lens' AssumeRole (Prelude.Maybe [PolicyDescriptorType]) assumeRole_policyArns :: (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRole -> f AssumeRole assumeRole_policyArns = (AssumeRole -> Maybe [PolicyDescriptorType]) -> (AssumeRole -> Maybe [PolicyDescriptorType] -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe [PolicyDescriptorType] policyArns :: Maybe [PolicyDescriptorType] $sel:policyArns:AssumeRole' :: AssumeRole -> Maybe [PolicyDescriptorType] policyArns} -> Maybe [PolicyDescriptorType] policyArns) (\s :: AssumeRole s@AssumeRole' {} Maybe [PolicyDescriptorType] a -> AssumeRole s {$sel:policyArns:AssumeRole' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] a} :: AssumeRole) ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRole -> f AssumeRole) -> ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRole -> f AssumeRole forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] -> Iso (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The duration, in seconds, of the role session. The value specified can -- can range from 900 seconds (15 minutes) up to the maximum session -- duration that is set for the role. The maximum session duration setting -- can have a value from 1 hour to 12 hours. If you specify a value higher -- than this setting or the administrator setting (whichever is lower), the -- operation fails. For example, if you specify a session duration of 12 -- hours, but your administrator set the maximum session duration to 6 -- hours, your operation fails. To learn how to view the maximum value for -- your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. assumeRole_durationSeconds :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Natural) assumeRole_durationSeconds :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRole -> f AssumeRole assumeRole_durationSeconds = (AssumeRole -> Maybe Natural) -> (AssumeRole -> Maybe Natural -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Natural durationSeconds :: Maybe Natural $sel:durationSeconds:AssumeRole' :: AssumeRole -> Maybe Natural durationSeconds} -> Maybe Natural durationSeconds) (\s :: AssumeRole s@AssumeRole' {} Maybe Natural a -> AssumeRole s {$sel:durationSeconds:AssumeRole' :: Maybe Natural durationSeconds = Maybe Natural a} :: AssumeRole) -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. assumeRole_policy :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text) assumeRole_policy :: (Maybe Text -> f (Maybe Text)) -> AssumeRole -> f AssumeRole assumeRole_policy = (AssumeRole -> Maybe Text) -> (AssumeRole -> Maybe Text -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Text policy :: Maybe Text $sel:policy:AssumeRole' :: AssumeRole -> Maybe Text policy} -> Maybe Text policy) (\s :: AssumeRole s@AssumeRole' {} Maybe Text a -> AssumeRole s {$sel:policy:AssumeRole' :: Maybe Text policy = Maybe Text a} :: AssumeRole) -- | A unique identifier that might be required when you assume a role in -- another account. If the administrator of the account to which the role -- belongs provided you with an external ID, then provide that value in the -- @ExternalId@ parameter. This value can be any string, such as a -- passphrase or account number. A cross-account role is usually set up to -- trust everyone in an account. Therefore, the administrator of the -- trusting account might send an external ID to the administrator of the -- trusted account. That way, only someone with the ID can assume the role, -- rather than everyone in the account. For more information about the -- external ID, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@:\/- assumeRole_externalId :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text) assumeRole_externalId :: (Maybe Text -> f (Maybe Text)) -> AssumeRole -> f AssumeRole assumeRole_externalId = (AssumeRole -> Maybe Text) -> (AssumeRole -> Maybe Text -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Text externalId :: Maybe Text $sel:externalId:AssumeRole' :: AssumeRole -> Maybe Text externalId} -> Maybe Text externalId) (\s :: AssumeRole s@AssumeRole' {} Maybe Text a -> AssumeRole s {$sel:externalId:AssumeRole' :: Maybe Text externalId = Maybe Text a} :: AssumeRole) -- | The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@-. You cannot use a value that begins with the text -- @aws:@. This prefix is reserved for Amazon Web Services internal use. assumeRole_sourceIdentity :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text) assumeRole_sourceIdentity :: (Maybe Text -> f (Maybe Text)) -> AssumeRole -> f AssumeRole assumeRole_sourceIdentity = (AssumeRole -> Maybe Text) -> (AssumeRole -> Maybe Text -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Text sourceIdentity :: Maybe Text $sel:sourceIdentity:AssumeRole' :: AssumeRole -> Maybe Text sourceIdentity} -> Maybe Text sourceIdentity) (\s :: AssumeRole s@AssumeRole' {} Maybe Text a -> AssumeRole s {$sel:sourceIdentity:AssumeRole' :: Maybe Text sourceIdentity = Maybe Text a} :: AssumeRole) -- | The identification number of the MFA device that is associated with the -- user who is making the @AssumeRole@ call. Specify this value if the -- trust policy of the role being assumed includes a condition that -- requires MFA authentication. The value is either the serial number for a -- hardware device (such as @GAHT12345678@) or an Amazon Resource Name -- (ARN) for a virtual device (such as -- @arn:aws:iam::123456789012:mfa\/user@). -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRole_serialNumber :: Lens.Lens' AssumeRole (Prelude.Maybe Prelude.Text) assumeRole_serialNumber :: (Maybe Text -> f (Maybe Text)) -> AssumeRole -> f AssumeRole assumeRole_serialNumber = (AssumeRole -> Maybe Text) -> (AssumeRole -> Maybe Text -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe Text serialNumber :: Maybe Text $sel:serialNumber:AssumeRole' :: AssumeRole -> Maybe Text serialNumber} -> Maybe Text serialNumber) (\s :: AssumeRole s@AssumeRole' {} Maybe Text a -> AssumeRole s {$sel:serialNumber:AssumeRole' :: Maybe Text serialNumber = Maybe Text a} :: AssumeRole) -- | A list of session tags that you want to pass. Each session tag consists -- of a key name and an associated value. For more information about -- session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Tagging STS Sessions> -- in the /IAM User Guide/. -- -- This parameter is optional. You can pass up to 50 session tags. The -- plaintext session tag keys can’t exceed 128 characters, and the values -- can’t exceed 256 characters. For these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is already -- attached to the role. When you do, session tags override a role tag with -- the same key. -- -- Tag key–value pairs are not case sensitive, but case is preserved. This -- means that you cannot have separate @Department@ and @department@ tag -- keys. Assume that the role has the @Department@=@Marketing@ tag and you -- pass the @department@=@engineering@ session tag. @Department@ and -- @department@ are not saved as separate tags, and the session tag passed -- in the request takes precedence over the role tag. -- -- Additionally, if you used temporary credentials to perform this -- operation, the new session inherits any transitive session tags from the -- calling session. If you pass a session tag with the same key as an -- inherited tag, the operation fails. To view the inherited tags for a -- session, see the CloudTrail logs. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/session-tags.html#id_session-tags_ctlogs Viewing Session Tags in CloudTrail> -- in the /IAM User Guide/. assumeRole_tags :: Lens.Lens' AssumeRole (Prelude.Maybe [Tag]) = (AssumeRole -> Maybe [Tag]) -> (AssumeRole -> Maybe [Tag] -> AssumeRole) -> Lens AssumeRole AssumeRole (Maybe [Tag]) (Maybe [Tag]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Maybe [Tag] tags :: Maybe [Tag] $sel:tags:AssumeRole' :: AssumeRole -> Maybe [Tag] tags} -> Maybe [Tag] tags) (\s :: AssumeRole s@AssumeRole' {} Maybe [Tag] a -> AssumeRole s {$sel:tags:AssumeRole' :: Maybe [Tag] tags = Maybe [Tag] a} :: AssumeRole) ((Maybe [Tag] -> f (Maybe [Tag])) -> AssumeRole -> f AssumeRole) -> ((Maybe [Tag] -> f (Maybe [Tag])) -> Maybe [Tag] -> f (Maybe [Tag])) -> (Maybe [Tag] -> f (Maybe [Tag])) -> AssumeRole -> f AssumeRole forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [Tag] [Tag] [Tag] [Tag] -> Iso (Maybe [Tag]) (Maybe [Tag]) (Maybe [Tag]) (Maybe [Tag]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [Tag] [Tag] [Tag] [Tag] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The Amazon Resource Name (ARN) of the role to assume. assumeRole_roleArn :: Lens.Lens' AssumeRole Prelude.Text assumeRole_roleArn :: (Text -> f Text) -> AssumeRole -> f AssumeRole assumeRole_roleArn = (AssumeRole -> Text) -> (AssumeRole -> Text -> AssumeRole) -> Lens AssumeRole AssumeRole Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Text roleArn :: Text $sel:roleArn:AssumeRole' :: AssumeRole -> Text roleArn} -> Text roleArn) (\s :: AssumeRole s@AssumeRole' {} Text a -> AssumeRole s {$sel:roleArn:AssumeRole' :: Text roleArn = Text a} :: AssumeRole) -- | An identifier for the assumed role session. -- -- Use the role session name to uniquely identify a session when the same -- role is assumed by different principals or for different reasons. In -- cross-account scenarios, the role session name is visible to, and can be -- logged by the account that owns the role. The role session name is also -- used in the ARN of the assumed role principal. This means that -- subsequent cross-account API requests that use the temporary security -- credentials will expose the role session name to the external account in -- their CloudTrail logs. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRole_roleSessionName :: Lens.Lens' AssumeRole Prelude.Text assumeRole_roleSessionName :: (Text -> f Text) -> AssumeRole -> f AssumeRole assumeRole_roleSessionName = (AssumeRole -> Text) -> (AssumeRole -> Text -> AssumeRole) -> Lens AssumeRole AssumeRole Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRole' {Text roleSessionName :: Text $sel:roleSessionName:AssumeRole' :: AssumeRole -> Text roleSessionName} -> Text roleSessionName) (\s :: AssumeRole s@AssumeRole' {} Text a -> AssumeRole s {$sel:roleSessionName:AssumeRole' :: Text roleSessionName = Text a} :: AssumeRole) instance Core.AWSRequest AssumeRole where type AWSResponse AssumeRole = AssumeRoleResponse request :: AssumeRole -> Request AssumeRole request = Service -> AssumeRole -> Request AssumeRole forall a. ToRequest a => Service -> a -> Request a Request.postQuery Service defaultService response :: Logger -> Service -> Proxy AssumeRole -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRole))) response = Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse AssumeRole)) -> Logger -> Service -> Proxy AssumeRole -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRole))) forall (m :: * -> *) a. MonadResource m => Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse a)) -> Logger -> Service -> Proxy a -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse a))) Response.receiveXMLWrapper Text "AssumeRoleResult" ( \Int s ResponseHeaders h [Node] x -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse AssumeRoleResponse' (Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse) -> Either String (Maybe Natural) -> Either String (Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse) forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> ([Node] x [Node] -> Text -> Either String (Maybe Natural) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "PackedPolicySize") Either String (Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse) -> Either String (Maybe AuthEnv) -> Either String (Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AuthEnv) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Credentials") Either String (Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse) -> Either String (Maybe AssumedRoleUser) -> Either String (Maybe Text -> Int -> AssumeRoleResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AssumedRoleUser) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "AssumedRoleUser") Either String (Maybe Text -> Int -> AssumeRoleResponse) -> Either String (Maybe Text) -> Either String (Int -> AssumeRoleResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "SourceIdentity") Either String (Int -> AssumeRoleResponse) -> Either String Int -> Either String AssumeRoleResponse forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> (Int -> Either String Int forall (f :: * -> *) a. Applicative f => a -> f a Prelude.pure (Int -> Int forall a. Enum a => a -> Int Prelude.fromEnum Int s)) ) instance Prelude.Hashable AssumeRole instance Prelude.NFData AssumeRole instance Core.ToHeaders AssumeRole where toHeaders :: AssumeRole -> ResponseHeaders toHeaders = ResponseHeaders -> AssumeRole -> ResponseHeaders forall a b. a -> b -> a Prelude.const ResponseHeaders forall a. Monoid a => a Prelude.mempty instance Core.ToPath AssumeRole where toPath :: AssumeRole -> ByteString toPath = ByteString -> AssumeRole -> ByteString forall a b. a -> b -> a Prelude.const ByteString "/" instance Core.ToQuery AssumeRole where toQuery :: AssumeRole -> QueryString toQuery AssumeRole' {Maybe Natural Maybe [Text] Maybe [PolicyDescriptorType] Maybe [Tag] Maybe Text Text roleSessionName :: Text roleArn :: Text tags :: Maybe [Tag] serialNumber :: Maybe Text sourceIdentity :: Maybe Text externalId :: Maybe Text policy :: Maybe Text durationSeconds :: Maybe Natural policyArns :: Maybe [PolicyDescriptorType] tokenCode :: Maybe Text transitiveTagKeys :: Maybe [Text] $sel:roleSessionName:AssumeRole' :: AssumeRole -> Text $sel:roleArn:AssumeRole' :: AssumeRole -> Text $sel:tags:AssumeRole' :: AssumeRole -> Maybe [Tag] $sel:serialNumber:AssumeRole' :: AssumeRole -> Maybe Text $sel:sourceIdentity:AssumeRole' :: AssumeRole -> Maybe Text $sel:externalId:AssumeRole' :: AssumeRole -> Maybe Text $sel:policy:AssumeRole' :: AssumeRole -> Maybe Text $sel:durationSeconds:AssumeRole' :: AssumeRole -> Maybe Natural $sel:policyArns:AssumeRole' :: AssumeRole -> Maybe [PolicyDescriptorType] $sel:tokenCode:AssumeRole' :: AssumeRole -> Maybe Text $sel:transitiveTagKeys:AssumeRole' :: AssumeRole -> Maybe [Text] ..} = [QueryString] -> QueryString forall a. Monoid a => [a] -> a Prelude.mconcat [ ByteString "Action" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "AssumeRole" :: Prelude.ByteString), ByteString "Version" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "2011-06-15" :: Prelude.ByteString), ByteString "TransitiveTagKeys" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery ( ByteString -> [Text] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([Text] -> QueryString) -> Maybe [Text] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Text] transitiveTagKeys ), ByteString "TokenCode" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text tokenCode, ByteString "PolicyArns" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery (ByteString -> [PolicyDescriptorType] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([PolicyDescriptorType] -> QueryString) -> Maybe [PolicyDescriptorType] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [PolicyDescriptorType] policyArns), ByteString "DurationSeconds" ByteString -> Maybe Natural -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Natural durationSeconds, ByteString "Policy" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text policy, ByteString "ExternalId" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text externalId, ByteString "SourceIdentity" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text sourceIdentity, ByteString "SerialNumber" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text serialNumber, ByteString "Tags" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery (ByteString -> [Tag] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([Tag] -> QueryString) -> Maybe [Tag] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [Tag] tags), ByteString "RoleArn" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text roleArn, ByteString "RoleSessionName" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text roleSessionName ] -- | Contains the response to a successful AssumeRole request, including -- temporary Amazon Web Services credentials that can be used to make -- Amazon Web Services requests. -- -- /See:/ 'newAssumeRoleResponse' smart constructor. data AssumeRoleResponse = AssumeRoleResponse' { -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. AssumeRoleResponse -> Maybe Natural packedPolicySize :: Prelude.Maybe Prelude.Natural, -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. AssumeRoleResponse -> Maybe AuthEnv credentials :: Prelude.Maybe Core.AuthEnv, -- | The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. AssumeRoleResponse -> Maybe AssumedRoleUser assumedRoleUser :: Prelude.Maybe AssumedRoleUser, -- | The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRoleResponse -> Maybe Text sourceIdentity :: Prelude.Maybe Prelude.Text, -- | The response's http status code. AssumeRoleResponse -> Int httpStatus :: Prelude.Int } deriving (AssumeRoleResponse -> AssumeRoleResponse -> Bool (AssumeRoleResponse -> AssumeRoleResponse -> Bool) -> (AssumeRoleResponse -> AssumeRoleResponse -> Bool) -> Eq AssumeRoleResponse forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRoleResponse -> AssumeRoleResponse -> Bool $c/= :: AssumeRoleResponse -> AssumeRoleResponse -> Bool == :: AssumeRoleResponse -> AssumeRoleResponse -> Bool $c== :: AssumeRoleResponse -> AssumeRoleResponse -> Bool Prelude.Eq, Int -> AssumeRoleResponse -> ShowS [AssumeRoleResponse] -> ShowS AssumeRoleResponse -> String (Int -> AssumeRoleResponse -> ShowS) -> (AssumeRoleResponse -> String) -> ([AssumeRoleResponse] -> ShowS) -> Show AssumeRoleResponse forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRoleResponse] -> ShowS $cshowList :: [AssumeRoleResponse] -> ShowS show :: AssumeRoleResponse -> String $cshow :: AssumeRoleResponse -> String showsPrec :: Int -> AssumeRoleResponse -> ShowS $cshowsPrec :: Int -> AssumeRoleResponse -> ShowS Prelude.Show, (forall x. AssumeRoleResponse -> Rep AssumeRoleResponse x) -> (forall x. Rep AssumeRoleResponse x -> AssumeRoleResponse) -> Generic AssumeRoleResponse forall x. Rep AssumeRoleResponse x -> AssumeRoleResponse forall x. AssumeRoleResponse -> Rep AssumeRoleResponse x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRoleResponse x -> AssumeRoleResponse $cfrom :: forall x. AssumeRoleResponse -> Rep AssumeRoleResponse x Prelude.Generic) -- | -- Create a value of 'AssumeRoleResponse' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'packedPolicySize', 'assumeRoleResponse_packedPolicySize' - A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. -- -- 'credentials', 'assumeRoleResponse_credentials' - The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. -- -- 'assumedRoleUser', 'assumeRoleResponse_assumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. -- -- 'sourceIdentity', 'assumeRoleResponse_sourceIdentity' - The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- -- -- 'httpStatus', 'assumeRoleResponse_httpStatus' - The response's http status code. newAssumeRoleResponse :: -- | 'httpStatus' Prelude.Int -> AssumeRoleResponse newAssumeRoleResponse :: Int -> AssumeRoleResponse newAssumeRoleResponse Int pHttpStatus_ = AssumeRoleResponse' :: Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Int -> AssumeRoleResponse AssumeRoleResponse' { $sel:packedPolicySize:AssumeRoleResponse' :: Maybe Natural packedPolicySize = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:credentials:AssumeRoleResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv forall a. Maybe a Prelude.Nothing, $sel:assumedRoleUser:AssumeRoleResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser forall a. Maybe a Prelude.Nothing, $sel:sourceIdentity:AssumeRoleResponse' :: Maybe Text sourceIdentity = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:httpStatus:AssumeRoleResponse' :: Int httpStatus = Int pHttpStatus_ } -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. assumeRoleResponse_packedPolicySize :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe Prelude.Natural) assumeRoleResponse_packedPolicySize :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRoleResponse -> f AssumeRoleResponse assumeRoleResponse_packedPolicySize = (AssumeRoleResponse -> Maybe Natural) -> (AssumeRoleResponse -> Maybe Natural -> AssumeRoleResponse) -> Lens AssumeRoleResponse AssumeRoleResponse (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleResponse' {Maybe Natural packedPolicySize :: Maybe Natural $sel:packedPolicySize:AssumeRoleResponse' :: AssumeRoleResponse -> Maybe Natural packedPolicySize} -> Maybe Natural packedPolicySize) (\s :: AssumeRoleResponse s@AssumeRoleResponse' {} Maybe Natural a -> AssumeRoleResponse s {$sel:packedPolicySize:AssumeRoleResponse' :: Maybe Natural packedPolicySize = Maybe Natural a} :: AssumeRoleResponse) -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. assumeRoleResponse_credentials :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe Core.AuthEnv) assumeRoleResponse_credentials :: (Maybe AuthEnv -> f (Maybe AuthEnv)) -> AssumeRoleResponse -> f AssumeRoleResponse assumeRoleResponse_credentials = (AssumeRoleResponse -> Maybe AuthEnv) -> (AssumeRoleResponse -> Maybe AuthEnv -> AssumeRoleResponse) -> Lens AssumeRoleResponse AssumeRoleResponse (Maybe AuthEnv) (Maybe AuthEnv) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleResponse' {Maybe AuthEnv credentials :: Maybe AuthEnv $sel:credentials:AssumeRoleResponse' :: AssumeRoleResponse -> Maybe AuthEnv credentials} -> Maybe AuthEnv credentials) (\s :: AssumeRoleResponse s@AssumeRoleResponse' {} Maybe AuthEnv a -> AssumeRoleResponse s {$sel:credentials:AssumeRoleResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv a} :: AssumeRoleResponse) -- | The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. assumeRoleResponse_assumedRoleUser :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe AssumedRoleUser) assumeRoleResponse_assumedRoleUser :: (Maybe AssumedRoleUser -> f (Maybe AssumedRoleUser)) -> AssumeRoleResponse -> f AssumeRoleResponse assumeRoleResponse_assumedRoleUser = (AssumeRoleResponse -> Maybe AssumedRoleUser) -> (AssumeRoleResponse -> Maybe AssumedRoleUser -> AssumeRoleResponse) -> Lens AssumeRoleResponse AssumeRoleResponse (Maybe AssumedRoleUser) (Maybe AssumedRoleUser) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleResponse' {Maybe AssumedRoleUser assumedRoleUser :: Maybe AssumedRoleUser $sel:assumedRoleUser:AssumeRoleResponse' :: AssumeRoleResponse -> Maybe AssumedRoleUser assumedRoleUser} -> Maybe AssumedRoleUser assumedRoleUser) (\s :: AssumeRoleResponse s@AssumeRoleResponse' {} Maybe AssumedRoleUser a -> AssumeRoleResponse s {$sel:assumedRoleUser:AssumeRoleResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser a} :: AssumeRoleResponse) -- | The source identity specified by the principal that is calling the -- @AssumeRole@ operation. -- -- You can require users to specify a source identity when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. You can use source identity information in CloudTrail -- logs to determine who took actions with a role. You can use the -- @aws:SourceIdentity@ condition key to further control access to Amazon -- Web Services resources based on the value of source identity. For more -- information about using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRoleResponse_sourceIdentity :: Lens.Lens' AssumeRoleResponse (Prelude.Maybe Prelude.Text) assumeRoleResponse_sourceIdentity :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleResponse -> f AssumeRoleResponse assumeRoleResponse_sourceIdentity = (AssumeRoleResponse -> Maybe Text) -> (AssumeRoleResponse -> Maybe Text -> AssumeRoleResponse) -> Lens AssumeRoleResponse AssumeRoleResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleResponse' {Maybe Text sourceIdentity :: Maybe Text $sel:sourceIdentity:AssumeRoleResponse' :: AssumeRoleResponse -> Maybe Text sourceIdentity} -> Maybe Text sourceIdentity) (\s :: AssumeRoleResponse s@AssumeRoleResponse' {} Maybe Text a -> AssumeRoleResponse s {$sel:sourceIdentity:AssumeRoleResponse' :: Maybe Text sourceIdentity = Maybe Text a} :: AssumeRoleResponse) -- | The response's http status code. assumeRoleResponse_httpStatus :: Lens.Lens' AssumeRoleResponse Prelude.Int assumeRoleResponse_httpStatus :: (Int -> f Int) -> AssumeRoleResponse -> f AssumeRoleResponse assumeRoleResponse_httpStatus = (AssumeRoleResponse -> Int) -> (AssumeRoleResponse -> Int -> AssumeRoleResponse) -> Lens AssumeRoleResponse AssumeRoleResponse Int Int forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleResponse' {Int httpStatus :: Int $sel:httpStatus:AssumeRoleResponse' :: AssumeRoleResponse -> Int httpStatus} -> Int httpStatus) (\s :: AssumeRoleResponse s@AssumeRoleResponse' {} Int a -> AssumeRoleResponse s {$sel:httpStatus:AssumeRoleResponse' :: Int httpStatus = Int a} :: AssumeRoleResponse) instance Prelude.NFData AssumeRoleResponse