{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.STS.AssumeRoleWithSAML -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Returns a set of temporary security credentials for users who have been -- authenticated via a SAML authentication response. This operation -- provides a mechanism for tying an enterprise identity store or directory -- to role-based Amazon Web Services access without user-specific -- credentials or configuration. For a comparison of @AssumeRoleWithSAML@ -- with the other API operations that produce temporary credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> -- and -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the STS API operations> -- in the /IAM User Guide/. -- -- The temporary security credentials returned by this operation consist of -- an access key ID, a secret access key, and a security token. -- Applications can use these temporary security credentials to sign calls -- to Amazon Web Services services. -- -- __Session Duration__ -- -- By default, the temporary security credentials created by -- @AssumeRoleWithSAML@ last for one hour. However, you can use the -- optional @DurationSeconds@ parameter to specify the duration of your -- session. Your role session lasts for the duration that you specify, or -- until the time specified in the SAML authentication response\'s -- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a -- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum -- session duration setting for the role. This setting can have a value -- from 1 hour to 12 hours. To learn how to view the maximum value for your -- role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. The maximum session duration limit applies when -- you use the @AssumeRole*@ API operations or the @assume-role*@ CLI -- commands. However the limit does not apply when you use those operations -- to create a console URL. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html Using IAM Roles> -- in the /IAM User Guide/. -- -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining Role chaining> -- limits your CLI or Amazon Web Services API role session to a maximum of -- one hour. When you use the @AssumeRole@ API operation to assume a role, -- you can specify the duration of your role session with the -- @DurationSeconds@ parameter. You can specify a parameter value of up to -- 43200 seconds (12 hours), depending on the maximum session duration -- setting for your role. However, if you assume a role using role chaining -- and provide a @DurationSeconds@ parameter value greater than one hour, -- the operation fails. -- -- __Permissions__ -- -- The temporary security credentials created by @AssumeRoleWithSAML@ can -- be used to make API calls to any Amazon Web Services service with the -- following exception: you cannot call the STS @GetFederationToken@ or -- @GetSessionToken@ API operations. -- -- (Optional) You can pass inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. The plaintext that you use for both -- inline and managed session policies can\'t exceed 2,048 characters. -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- Calling @AssumeRoleWithSAML@ does not require the use of Amazon Web -- Services security credentials. The identity of the caller is validated -- by using keys in the metadata document that is uploaded for the SAML -- provider entity for your identity provider. -- -- Calling @AssumeRoleWithSAML@ can result in an entry in your CloudTrail -- logs. The entry includes the value in the @NameID@ element of the SAML -- assertion. We recommend that you use a @NameIDType@ that is not -- associated with any personally identifiable information (PII). For -- example, you could instead use the persistent identifier -- (@urn:oasis:names:tc:SAML:2.0:nameid-format:persistent@). -- -- __Tags__ -- -- (Optional) You can configure your IdP to pass attributes into your SAML -- assertion as session tags. Each session tag consists of a key name and -- an associated value. For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- You can pass up to 50 session tags. The plaintext session tag keys can’t -- exceed 128 characters and the values can’t exceed 256 characters. For -- these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is attached -- to the role. When you do, session tags override the role\'s tags with -- the same key. -- -- An administrator must grant you the permissions necessary to pass -- session tags. The administrator can also create granular permissions to -- allow you to pass only specific session tags. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control> -- in the /IAM User Guide/. -- -- You can set the session tags as transitive. Transitive tags persist -- during role chaining. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- __SAML Configuration__ -- -- Before your application can call @AssumeRoleWithSAML@, you must -- configure your SAML identity provider (IdP) to issue the claims required -- by Amazon Web Services. Additionally, you must use Identity and Access -- Management (IAM) to create a SAML provider entity in your Amazon Web -- Services account that represents your identity provider. You must also -- create an IAM role that specifies this SAML provider in its trust -- policy. -- -- For more information, see the following resources: -- -- - <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html About SAML 2.0-based Federation> -- in the /IAM User Guide/. -- -- - <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html Creating SAML Identity Providers> -- in the /IAM User Guide/. -- -- - <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html Configuring a Relying Party and Claims> -- in the /IAM User Guide/. -- -- - <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html Creating a Role for SAML 2.0 Federation> -- in the /IAM User Guide/. module Amazonka.STS.AssumeRoleWithSAML ( -- * Creating a Request AssumeRoleWithSAML (..), newAssumeRoleWithSAML, -- * Request Lenses assumeRoleWithSAML_policyArns, assumeRoleWithSAML_durationSeconds, assumeRoleWithSAML_policy, assumeRoleWithSAML_roleArn, assumeRoleWithSAML_principalArn, assumeRoleWithSAML_sAMLAssertion, -- * Destructuring the Response AssumeRoleWithSAMLResponse (..), newAssumeRoleWithSAMLResponse, -- * Response Lenses assumeRoleWithSAMLResponse_subject, assumeRoleWithSAMLResponse_audience, assumeRoleWithSAMLResponse_packedPolicySize, assumeRoleWithSAMLResponse_credentials, assumeRoleWithSAMLResponse_subjectType, assumeRoleWithSAMLResponse_nameQualifier, assumeRoleWithSAMLResponse_assumedRoleUser, assumeRoleWithSAMLResponse_sourceIdentity, assumeRoleWithSAMLResponse_issuer, assumeRoleWithSAMLResponse_httpStatus, ) where import qualified Amazonka.Core as Core import qualified Amazonka.Lens as Lens import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response import Amazonka.STS.Types -- | /See:/ 'newAssumeRoleWithSAML' smart constructor. data AssumeRoleWithSAML = AssumeRoleWithSAML' { -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. AssumeRoleWithSAML -> Maybe [PolicyDescriptorType] policyArns :: Prelude.Maybe [PolicyDescriptorType], -- | The duration, in seconds, of the role session. Your role session lasts -- for the duration that you specify for the @DurationSeconds@ parameter, -- or until the time specified in the SAML authentication response\'s -- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a -- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum -- session duration setting for the role. This setting can have a value -- from 1 hour to 12 hours. If you specify a value higher than this -- setting, the operation fails. For example, if you specify a session -- duration of 12 hours, but your administrator set the maximum session -- duration to 6 hours, your operation fails. To learn how to view the -- maximum value for your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. AssumeRoleWithSAML -> Maybe Natural durationSeconds :: Prelude.Maybe Prelude.Natural, -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. AssumeRoleWithSAML -> Maybe Text policy :: Prelude.Maybe Prelude.Text, -- | The Amazon Resource Name (ARN) of the role that the caller is assuming. AssumeRoleWithSAML -> Text roleArn :: Prelude.Text, -- | The Amazon Resource Name (ARN) of the SAML provider in IAM that -- describes the IdP. AssumeRoleWithSAML -> Text principalArn :: Prelude.Text, -- | The base64 encoded SAML authentication response provided by the IdP. -- -- For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> -- in the /IAM User Guide/. AssumeRoleWithSAML -> Text sAMLAssertion :: Prelude.Text } deriving (AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool (AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool) -> (AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool) -> Eq AssumeRoleWithSAML forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool $c/= :: AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool == :: AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool $c== :: AssumeRoleWithSAML -> AssumeRoleWithSAML -> Bool Prelude.Eq, ReadPrec [AssumeRoleWithSAML] ReadPrec AssumeRoleWithSAML Int -> ReadS AssumeRoleWithSAML ReadS [AssumeRoleWithSAML] (Int -> ReadS AssumeRoleWithSAML) -> ReadS [AssumeRoleWithSAML] -> ReadPrec AssumeRoleWithSAML -> ReadPrec [AssumeRoleWithSAML] -> Read AssumeRoleWithSAML forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [AssumeRoleWithSAML] $creadListPrec :: ReadPrec [AssumeRoleWithSAML] readPrec :: ReadPrec AssumeRoleWithSAML $creadPrec :: ReadPrec AssumeRoleWithSAML readList :: ReadS [AssumeRoleWithSAML] $creadList :: ReadS [AssumeRoleWithSAML] readsPrec :: Int -> ReadS AssumeRoleWithSAML $creadsPrec :: Int -> ReadS AssumeRoleWithSAML Prelude.Read, Int -> AssumeRoleWithSAML -> ShowS [AssumeRoleWithSAML] -> ShowS AssumeRoleWithSAML -> String (Int -> AssumeRoleWithSAML -> ShowS) -> (AssumeRoleWithSAML -> String) -> ([AssumeRoleWithSAML] -> ShowS) -> Show AssumeRoleWithSAML forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRoleWithSAML] -> ShowS $cshowList :: [AssumeRoleWithSAML] -> ShowS show :: AssumeRoleWithSAML -> String $cshow :: AssumeRoleWithSAML -> String showsPrec :: Int -> AssumeRoleWithSAML -> ShowS $cshowsPrec :: Int -> AssumeRoleWithSAML -> ShowS Prelude.Show, (forall x. AssumeRoleWithSAML -> Rep AssumeRoleWithSAML x) -> (forall x. Rep AssumeRoleWithSAML x -> AssumeRoleWithSAML) -> Generic AssumeRoleWithSAML forall x. Rep AssumeRoleWithSAML x -> AssumeRoleWithSAML forall x. AssumeRoleWithSAML -> Rep AssumeRoleWithSAML x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRoleWithSAML x -> AssumeRoleWithSAML $cfrom :: forall x. AssumeRoleWithSAML -> Rep AssumeRoleWithSAML x Prelude.Generic) -- | -- Create a value of 'AssumeRoleWithSAML' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'policyArns', 'assumeRoleWithSAML_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- 'durationSeconds', 'assumeRoleWithSAML_durationSeconds' - The duration, in seconds, of the role session. Your role session lasts -- for the duration that you specify for the @DurationSeconds@ parameter, -- or until the time specified in the SAML authentication response\'s -- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a -- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum -- session duration setting for the role. This setting can have a value -- from 1 hour to 12 hours. If you specify a value higher than this -- setting, the operation fails. For example, if you specify a session -- duration of 12 hours, but your administrator set the maximum session -- duration to 6 hours, your operation fails. To learn how to view the -- maximum value for your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. -- -- 'policy', 'assumeRoleWithSAML_policy' - An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- 'roleArn', 'assumeRoleWithSAML_roleArn' - The Amazon Resource Name (ARN) of the role that the caller is assuming. -- -- 'principalArn', 'assumeRoleWithSAML_principalArn' - The Amazon Resource Name (ARN) of the SAML provider in IAM that -- describes the IdP. -- -- 'sAMLAssertion', 'assumeRoleWithSAML_sAMLAssertion' - The base64 encoded SAML authentication response provided by the IdP. -- -- For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> -- in the /IAM User Guide/. newAssumeRoleWithSAML :: -- | 'roleArn' Prelude.Text -> -- | 'principalArn' Prelude.Text -> -- | 'sAMLAssertion' Prelude.Text -> AssumeRoleWithSAML newAssumeRoleWithSAML :: Text -> Text -> Text -> AssumeRoleWithSAML newAssumeRoleWithSAML Text pRoleArn_ Text pPrincipalArn_ Text pSAMLAssertion_ = AssumeRoleWithSAML' :: Maybe [PolicyDescriptorType] -> Maybe Natural -> Maybe Text -> Text -> Text -> Text -> AssumeRoleWithSAML AssumeRoleWithSAML' { $sel:policyArns:AssumeRoleWithSAML' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] forall a. Maybe a Prelude.Nothing, $sel:durationSeconds:AssumeRoleWithSAML' :: Maybe Natural durationSeconds = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:policy:AssumeRoleWithSAML' :: Maybe Text policy = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:roleArn:AssumeRoleWithSAML' :: Text roleArn = Text pRoleArn_, $sel:principalArn:AssumeRoleWithSAML' :: Text principalArn = Text pPrincipalArn_, $sel:sAMLAssertion:AssumeRoleWithSAML' :: Text sAMLAssertion = Text pSAMLAssertion_ } -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. assumeRoleWithSAML_policyArns :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe [PolicyDescriptorType]) assumeRoleWithSAML_policyArns :: (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_policyArns = (AssumeRoleWithSAML -> Maybe [PolicyDescriptorType]) -> (AssumeRoleWithSAML -> Maybe [PolicyDescriptorType] -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Maybe [PolicyDescriptorType] policyArns :: Maybe [PolicyDescriptorType] $sel:policyArns:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe [PolicyDescriptorType] policyArns} -> Maybe [PolicyDescriptorType] policyArns) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Maybe [PolicyDescriptorType] a -> AssumeRoleWithSAML s {$sel:policyArns:AssumeRoleWithSAML' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] a} :: AssumeRoleWithSAML) ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML) -> ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] -> Iso (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The duration, in seconds, of the role session. Your role session lasts -- for the duration that you specify for the @DurationSeconds@ parameter, -- or until the time specified in the SAML authentication response\'s -- @SessionNotOnOrAfter@ value, whichever is shorter. You can provide a -- @DurationSeconds@ value from 900 seconds (15 minutes) up to the maximum -- session duration setting for the role. This setting can have a value -- from 1 hour to 12 hours. If you specify a value higher than this -- setting, the operation fails. For example, if you specify a session -- duration of 12 hours, but your administrator set the maximum session -- duration to 6 hours, your operation fails. To learn how to view the -- maximum value for your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. assumeRoleWithSAML_durationSeconds :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe Prelude.Natural) assumeRoleWithSAML_durationSeconds :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_durationSeconds = (AssumeRoleWithSAML -> Maybe Natural) -> (AssumeRoleWithSAML -> Maybe Natural -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Maybe Natural durationSeconds :: Maybe Natural $sel:durationSeconds:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe Natural durationSeconds} -> Maybe Natural durationSeconds) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Maybe Natural a -> AssumeRoleWithSAML s {$sel:durationSeconds:AssumeRoleWithSAML' :: Maybe Natural durationSeconds = Maybe Natural a} :: AssumeRoleWithSAML) -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. assumeRoleWithSAML_policy :: Lens.Lens' AssumeRoleWithSAML (Prelude.Maybe Prelude.Text) assumeRoleWithSAML_policy :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_policy = (AssumeRoleWithSAML -> Maybe Text) -> (AssumeRoleWithSAML -> Maybe Text -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Maybe Text policy :: Maybe Text $sel:policy:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe Text policy} -> Maybe Text policy) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Maybe Text a -> AssumeRoleWithSAML s {$sel:policy:AssumeRoleWithSAML' :: Maybe Text policy = Maybe Text a} :: AssumeRoleWithSAML) -- | The Amazon Resource Name (ARN) of the role that the caller is assuming. assumeRoleWithSAML_roleArn :: Lens.Lens' AssumeRoleWithSAML Prelude.Text assumeRoleWithSAML_roleArn :: (Text -> f Text) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_roleArn = (AssumeRoleWithSAML -> Text) -> (AssumeRoleWithSAML -> Text -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Text roleArn :: Text $sel:roleArn:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text roleArn} -> Text roleArn) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Text a -> AssumeRoleWithSAML s {$sel:roleArn:AssumeRoleWithSAML' :: Text roleArn = Text a} :: AssumeRoleWithSAML) -- | The Amazon Resource Name (ARN) of the SAML provider in IAM that -- describes the IdP. assumeRoleWithSAML_principalArn :: Lens.Lens' AssumeRoleWithSAML Prelude.Text assumeRoleWithSAML_principalArn :: (Text -> f Text) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_principalArn = (AssumeRoleWithSAML -> Text) -> (AssumeRoleWithSAML -> Text -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Text principalArn :: Text $sel:principalArn:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text principalArn} -> Text principalArn) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Text a -> AssumeRoleWithSAML s {$sel:principalArn:AssumeRoleWithSAML' :: Text principalArn = Text a} :: AssumeRoleWithSAML) -- | The base64 encoded SAML authentication response provided by the IdP. -- -- For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/create-role-saml-IdP-tasks.html Configuring a Relying Party and Adding Claims> -- in the /IAM User Guide/. assumeRoleWithSAML_sAMLAssertion :: Lens.Lens' AssumeRoleWithSAML Prelude.Text assumeRoleWithSAML_sAMLAssertion :: (Text -> f Text) -> AssumeRoleWithSAML -> f AssumeRoleWithSAML assumeRoleWithSAML_sAMLAssertion = (AssumeRoleWithSAML -> Text) -> (AssumeRoleWithSAML -> Text -> AssumeRoleWithSAML) -> Lens AssumeRoleWithSAML AssumeRoleWithSAML Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAML' {Text sAMLAssertion :: Text $sel:sAMLAssertion:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text sAMLAssertion} -> Text sAMLAssertion) (\s :: AssumeRoleWithSAML s@AssumeRoleWithSAML' {} Text a -> AssumeRoleWithSAML s {$sel:sAMLAssertion:AssumeRoleWithSAML' :: Text sAMLAssertion = Text a} :: AssumeRoleWithSAML) instance Core.AWSRequest AssumeRoleWithSAML where type AWSResponse AssumeRoleWithSAML = AssumeRoleWithSAMLResponse request :: AssumeRoleWithSAML -> Request AssumeRoleWithSAML request = Service -> AssumeRoleWithSAML -> Request AssumeRoleWithSAML forall a. ToRequest a => Service -> a -> Request a Request.postQuery Service defaultService response :: Logger -> Service -> Proxy AssumeRoleWithSAML -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRoleWithSAML))) response = Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse AssumeRoleWithSAML)) -> Logger -> Service -> Proxy AssumeRoleWithSAML -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRoleWithSAML))) forall (m :: * -> *) a. MonadResource m => Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse a)) -> Logger -> Service -> Proxy a -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse a))) Response.receiveXMLWrapper Text "AssumeRoleWithSAMLResult" ( \Int s ResponseHeaders h [Node] x -> Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse' (Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Subject") Either String (Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Audience") Either String (Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Natural) -> Either String (Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Natural) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "PackedPolicySize") Either String (Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe AuthEnv) -> Either String (Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AuthEnv) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Credentials") Either String (Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "SubjectType") Either String (Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "NameQualifier") Either String (Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe AssumedRoleUser) -> Either String (Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AssumedRoleUser) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "AssumedRoleUser") Either String (Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Maybe Text -> Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "SourceIdentity") Either String (Maybe Text -> Int -> AssumeRoleWithSAMLResponse) -> Either String (Maybe Text) -> Either String (Int -> AssumeRoleWithSAMLResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Issuer") Either String (Int -> AssumeRoleWithSAMLResponse) -> Either String Int -> Either String AssumeRoleWithSAMLResponse forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> (Int -> Either String Int forall (f :: * -> *) a. Applicative f => a -> f a Prelude.pure (Int -> Int forall a. Enum a => a -> Int Prelude.fromEnum Int s)) ) instance Prelude.Hashable AssumeRoleWithSAML instance Prelude.NFData AssumeRoleWithSAML instance Core.ToHeaders AssumeRoleWithSAML where toHeaders :: AssumeRoleWithSAML -> ResponseHeaders toHeaders = ResponseHeaders -> AssumeRoleWithSAML -> ResponseHeaders forall a b. a -> b -> a Prelude.const ResponseHeaders forall a. Monoid a => a Prelude.mempty instance Core.ToPath AssumeRoleWithSAML where toPath :: AssumeRoleWithSAML -> ByteString toPath = ByteString -> AssumeRoleWithSAML -> ByteString forall a b. a -> b -> a Prelude.const ByteString "/" instance Core.ToQuery AssumeRoleWithSAML where toQuery :: AssumeRoleWithSAML -> QueryString toQuery AssumeRoleWithSAML' {Maybe Natural Maybe [PolicyDescriptorType] Maybe Text Text sAMLAssertion :: Text principalArn :: Text roleArn :: Text policy :: Maybe Text durationSeconds :: Maybe Natural policyArns :: Maybe [PolicyDescriptorType] $sel:sAMLAssertion:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text $sel:principalArn:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text $sel:roleArn:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Text $sel:policy:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe Text $sel:durationSeconds:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe Natural $sel:policyArns:AssumeRoleWithSAML' :: AssumeRoleWithSAML -> Maybe [PolicyDescriptorType] ..} = [QueryString] -> QueryString forall a. Monoid a => [a] -> a Prelude.mconcat [ ByteString "Action" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "AssumeRoleWithSAML" :: Prelude.ByteString), ByteString "Version" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "2011-06-15" :: Prelude.ByteString), ByteString "PolicyArns" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery (ByteString -> [PolicyDescriptorType] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([PolicyDescriptorType] -> QueryString) -> Maybe [PolicyDescriptorType] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [PolicyDescriptorType] policyArns), ByteString "DurationSeconds" ByteString -> Maybe Natural -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Natural durationSeconds, ByteString "Policy" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text policy, ByteString "RoleArn" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text roleArn, ByteString "PrincipalArn" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text principalArn, ByteString "SAMLAssertion" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text sAMLAssertion ] -- | Contains the response to a successful AssumeRoleWithSAML request, -- including temporary Amazon Web Services credentials that can be used to -- make Amazon Web Services requests. -- -- /See:/ 'newAssumeRoleWithSAMLResponse' smart constructor. data AssumeRoleWithSAMLResponse = AssumeRoleWithSAMLResponse' { -- | The value of the @NameID@ element in the @Subject@ element of the SAML -- assertion. AssumeRoleWithSAMLResponse -> Maybe Text subject :: Prelude.Maybe Prelude.Text, -- | The value of the @Recipient@ attribute of the @SubjectConfirmationData@ -- element of the SAML assertion. AssumeRoleWithSAMLResponse -> Maybe Text audience :: Prelude.Maybe Prelude.Text, -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. AssumeRoleWithSAMLResponse -> Maybe Natural packedPolicySize :: Prelude.Maybe Prelude.Natural, -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. AssumeRoleWithSAMLResponse -> Maybe AuthEnv credentials :: Prelude.Maybe Core.AuthEnv, -- | The format of the name ID, as defined by the @Format@ attribute in the -- @NameID@ element of the SAML assertion. Typical examples of the format -- are @transient@ or @persistent@. -- -- If the format includes the prefix -- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For -- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is -- returned as @transient@. If the format includes any other prefix, the -- format is returned with no modifications. AssumeRoleWithSAMLResponse -> Maybe Text subjectType :: Prelude.Maybe Prelude.Text, -- | A hash value based on the concatenation of the following: -- -- - The @Issuer@ response value. -- -- - The Amazon Web Services account ID. -- -- - The friendly name (the last part of the ARN) of the SAML provider in -- IAM. -- -- The combination of @NameQualifier@ and @Subject@ can be used to uniquely -- identify a federated user. -- -- The following pseudocode shows how the hash value is calculated: -- -- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@ AssumeRoleWithSAMLResponse -> Maybe Text nameQualifier :: Prelude.Maybe Prelude.Text, -- | The identifiers for the temporary security credentials that the -- operation returns. AssumeRoleWithSAMLResponse -> Maybe AssumedRoleUser assumedRoleUser :: Prelude.Maybe AssumedRoleUser, -- | The value in the @SourceIdentity@ attribute in the SAML assertion. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your SAML identity provider to use an -- attribute associated with your users, like user name or email, as the -- source identity when calling @AssumeRoleWithSAML@. You do this by adding -- an attribute to the SAML assertion. For more information about using -- source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRoleWithSAMLResponse -> Maybe Text sourceIdentity :: Prelude.Maybe Prelude.Text, -- | The value of the @Issuer@ element of the SAML assertion. AssumeRoleWithSAMLResponse -> Maybe Text issuer :: Prelude.Maybe Prelude.Text, -- | The response's http status code. AssumeRoleWithSAMLResponse -> Int httpStatus :: Prelude.Int } deriving (AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool (AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool) -> (AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool) -> Eq AssumeRoleWithSAMLResponse forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool $c/= :: AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool == :: AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool $c== :: AssumeRoleWithSAMLResponse -> AssumeRoleWithSAMLResponse -> Bool Prelude.Eq, Int -> AssumeRoleWithSAMLResponse -> ShowS [AssumeRoleWithSAMLResponse] -> ShowS AssumeRoleWithSAMLResponse -> String (Int -> AssumeRoleWithSAMLResponse -> ShowS) -> (AssumeRoleWithSAMLResponse -> String) -> ([AssumeRoleWithSAMLResponse] -> ShowS) -> Show AssumeRoleWithSAMLResponse forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRoleWithSAMLResponse] -> ShowS $cshowList :: [AssumeRoleWithSAMLResponse] -> ShowS show :: AssumeRoleWithSAMLResponse -> String $cshow :: AssumeRoleWithSAMLResponse -> String showsPrec :: Int -> AssumeRoleWithSAMLResponse -> ShowS $cshowsPrec :: Int -> AssumeRoleWithSAMLResponse -> ShowS Prelude.Show, (forall x. AssumeRoleWithSAMLResponse -> Rep AssumeRoleWithSAMLResponse x) -> (forall x. Rep AssumeRoleWithSAMLResponse x -> AssumeRoleWithSAMLResponse) -> Generic AssumeRoleWithSAMLResponse forall x. Rep AssumeRoleWithSAMLResponse x -> AssumeRoleWithSAMLResponse forall x. AssumeRoleWithSAMLResponse -> Rep AssumeRoleWithSAMLResponse x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRoleWithSAMLResponse x -> AssumeRoleWithSAMLResponse $cfrom :: forall x. AssumeRoleWithSAMLResponse -> Rep AssumeRoleWithSAMLResponse x Prelude.Generic) -- | -- Create a value of 'AssumeRoleWithSAMLResponse' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'subject', 'assumeRoleWithSAMLResponse_subject' - The value of the @NameID@ element in the @Subject@ element of the SAML -- assertion. -- -- 'audience', 'assumeRoleWithSAMLResponse_audience' - The value of the @Recipient@ attribute of the @SubjectConfirmationData@ -- element of the SAML assertion. -- -- 'packedPolicySize', 'assumeRoleWithSAMLResponse_packedPolicySize' - A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. -- -- 'credentials', 'assumeRoleWithSAMLResponse_credentials' - The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. -- -- 'subjectType', 'assumeRoleWithSAMLResponse_subjectType' - The format of the name ID, as defined by the @Format@ attribute in the -- @NameID@ element of the SAML assertion. Typical examples of the format -- are @transient@ or @persistent@. -- -- If the format includes the prefix -- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For -- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is -- returned as @transient@. If the format includes any other prefix, the -- format is returned with no modifications. -- -- 'nameQualifier', 'assumeRoleWithSAMLResponse_nameQualifier' - A hash value based on the concatenation of the following: -- -- - The @Issuer@ response value. -- -- - The Amazon Web Services account ID. -- -- - The friendly name (the last part of the ARN) of the SAML provider in -- IAM. -- -- The combination of @NameQualifier@ and @Subject@ can be used to uniquely -- identify a federated user. -- -- The following pseudocode shows how the hash value is calculated: -- -- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@ -- -- 'assumedRoleUser', 'assumeRoleWithSAMLResponse_assumedRoleUser' - The identifiers for the temporary security credentials that the -- operation returns. -- -- 'sourceIdentity', 'assumeRoleWithSAMLResponse_sourceIdentity' - The value in the @SourceIdentity@ attribute in the SAML assertion. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your SAML identity provider to use an -- attribute associated with your users, like user name or email, as the -- source identity when calling @AssumeRoleWithSAML@. You do this by adding -- an attribute to the SAML assertion. For more information about using -- source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- -- -- 'issuer', 'assumeRoleWithSAMLResponse_issuer' - The value of the @Issuer@ element of the SAML assertion. -- -- 'httpStatus', 'assumeRoleWithSAMLResponse_httpStatus' - The response's http status code. newAssumeRoleWithSAMLResponse :: -- | 'httpStatus' Prelude.Int -> AssumeRoleWithSAMLResponse newAssumeRoleWithSAMLResponse :: Int -> AssumeRoleWithSAMLResponse newAssumeRoleWithSAMLResponse Int pHttpStatus_ = AssumeRoleWithSAMLResponse' :: Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe Text -> Maybe Text -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse' { $sel:subject:AssumeRoleWithSAMLResponse' :: Maybe Text subject = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:audience:AssumeRoleWithSAMLResponse' :: Maybe Text audience = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:packedPolicySize:AssumeRoleWithSAMLResponse' :: Maybe Natural packedPolicySize = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:credentials:AssumeRoleWithSAMLResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv forall a. Maybe a Prelude.Nothing, $sel:subjectType:AssumeRoleWithSAMLResponse' :: Maybe Text subjectType = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:nameQualifier:AssumeRoleWithSAMLResponse' :: Maybe Text nameQualifier = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:assumedRoleUser:AssumeRoleWithSAMLResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser forall a. Maybe a Prelude.Nothing, $sel:sourceIdentity:AssumeRoleWithSAMLResponse' :: Maybe Text sourceIdentity = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:issuer:AssumeRoleWithSAMLResponse' :: Maybe Text issuer = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:httpStatus:AssumeRoleWithSAMLResponse' :: Int httpStatus = Int pHttpStatus_ } -- | The value of the @NameID@ element in the @Subject@ element of the SAML -- assertion. assumeRoleWithSAMLResponse_subject :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_subject :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_subject = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text subject :: Maybe Text $sel:subject:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text subject} -> Maybe Text subject) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:subject:AssumeRoleWithSAMLResponse' :: Maybe Text subject = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | The value of the @Recipient@ attribute of the @SubjectConfirmationData@ -- element of the SAML assertion. assumeRoleWithSAMLResponse_audience :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_audience :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_audience = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text audience :: Maybe Text $sel:audience:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text audience} -> Maybe Text audience) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:audience:AssumeRoleWithSAMLResponse' :: Maybe Text audience = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. assumeRoleWithSAMLResponse_packedPolicySize :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Natural) assumeRoleWithSAMLResponse_packedPolicySize :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_packedPolicySize = (AssumeRoleWithSAMLResponse -> Maybe Natural) -> (AssumeRoleWithSAMLResponse -> Maybe Natural -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Natural packedPolicySize :: Maybe Natural $sel:packedPolicySize:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Natural packedPolicySize} -> Maybe Natural packedPolicySize) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Natural a -> AssumeRoleWithSAMLResponse s {$sel:packedPolicySize:AssumeRoleWithSAMLResponse' :: Maybe Natural packedPolicySize = Maybe Natural a} :: AssumeRoleWithSAMLResponse) -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security (or session) token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. assumeRoleWithSAMLResponse_credentials :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Core.AuthEnv) assumeRoleWithSAMLResponse_credentials :: (Maybe AuthEnv -> f (Maybe AuthEnv)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_credentials = (AssumeRoleWithSAMLResponse -> Maybe AuthEnv) -> (AssumeRoleWithSAMLResponse -> Maybe AuthEnv -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe AuthEnv) (Maybe AuthEnv) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe AuthEnv credentials :: Maybe AuthEnv $sel:credentials:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe AuthEnv credentials} -> Maybe AuthEnv credentials) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe AuthEnv a -> AssumeRoleWithSAMLResponse s {$sel:credentials:AssumeRoleWithSAMLResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv a} :: AssumeRoleWithSAMLResponse) -- | The format of the name ID, as defined by the @Format@ attribute in the -- @NameID@ element of the SAML assertion. Typical examples of the format -- are @transient@ or @persistent@. -- -- If the format includes the prefix -- @urn:oasis:names:tc:SAML:2.0:nameid-format@, that prefix is removed. For -- example, @urn:oasis:names:tc:SAML:2.0:nameid-format:transient@ is -- returned as @transient@. If the format includes any other prefix, the -- format is returned with no modifications. assumeRoleWithSAMLResponse_subjectType :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_subjectType :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_subjectType = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text subjectType :: Maybe Text $sel:subjectType:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text subjectType} -> Maybe Text subjectType) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:subjectType:AssumeRoleWithSAMLResponse' :: Maybe Text subjectType = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | A hash value based on the concatenation of the following: -- -- - The @Issuer@ response value. -- -- - The Amazon Web Services account ID. -- -- - The friendly name (the last part of the ARN) of the SAML provider in -- IAM. -- -- The combination of @NameQualifier@ and @Subject@ can be used to uniquely -- identify a federated user. -- -- The following pseudocode shows how the hash value is calculated: -- -- @BASE64 ( SHA1 ( \"https:\/\/example.com\/saml\" + \"123456789012\" + \"\/MySAMLIdP\" ) )@ assumeRoleWithSAMLResponse_nameQualifier :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_nameQualifier :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_nameQualifier = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text nameQualifier :: Maybe Text $sel:nameQualifier:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text nameQualifier} -> Maybe Text nameQualifier) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:nameQualifier:AssumeRoleWithSAMLResponse' :: Maybe Text nameQualifier = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | The identifiers for the temporary security credentials that the -- operation returns. assumeRoleWithSAMLResponse_assumedRoleUser :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe AssumedRoleUser) assumeRoleWithSAMLResponse_assumedRoleUser :: (Maybe AssumedRoleUser -> f (Maybe AssumedRoleUser)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_assumedRoleUser = (AssumeRoleWithSAMLResponse -> Maybe AssumedRoleUser) -> (AssumeRoleWithSAMLResponse -> Maybe AssumedRoleUser -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser) (Maybe AssumedRoleUser) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe AssumedRoleUser assumedRoleUser :: Maybe AssumedRoleUser $sel:assumedRoleUser:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe AssumedRoleUser assumedRoleUser} -> Maybe AssumedRoleUser assumedRoleUser) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe AssumedRoleUser a -> AssumeRoleWithSAMLResponse s {$sel:assumedRoleUser:AssumeRoleWithSAMLResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser a} :: AssumeRoleWithSAMLResponse) -- | The value in the @SourceIdentity@ attribute in the SAML assertion. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your SAML identity provider to use an -- attribute associated with your users, like user name or email, as the -- source identity when calling @AssumeRoleWithSAML@. You do this by adding -- an attribute to the SAML assertion. For more information about using -- source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRoleWithSAMLResponse_sourceIdentity :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_sourceIdentity :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_sourceIdentity = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text sourceIdentity :: Maybe Text $sel:sourceIdentity:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text sourceIdentity} -> Maybe Text sourceIdentity) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:sourceIdentity:AssumeRoleWithSAMLResponse' :: Maybe Text sourceIdentity = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | The value of the @Issuer@ element of the SAML assertion. assumeRoleWithSAMLResponse_issuer :: Lens.Lens' AssumeRoleWithSAMLResponse (Prelude.Maybe Prelude.Text) assumeRoleWithSAMLResponse_issuer :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_issuer = (AssumeRoleWithSAMLResponse -> Maybe Text) -> (AssumeRoleWithSAMLResponse -> Maybe Text -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Maybe Text issuer :: Maybe Text $sel:issuer:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Maybe Text issuer} -> Maybe Text issuer) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Maybe Text a -> AssumeRoleWithSAMLResponse s {$sel:issuer:AssumeRoleWithSAMLResponse' :: Maybe Text issuer = Maybe Text a} :: AssumeRoleWithSAMLResponse) -- | The response's http status code. assumeRoleWithSAMLResponse_httpStatus :: Lens.Lens' AssumeRoleWithSAMLResponse Prelude.Int assumeRoleWithSAMLResponse_httpStatus :: (Int -> f Int) -> AssumeRoleWithSAMLResponse -> f AssumeRoleWithSAMLResponse assumeRoleWithSAMLResponse_httpStatus = (AssumeRoleWithSAMLResponse -> Int) -> (AssumeRoleWithSAMLResponse -> Int -> AssumeRoleWithSAMLResponse) -> Lens AssumeRoleWithSAMLResponse AssumeRoleWithSAMLResponse Int Int forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithSAMLResponse' {Int httpStatus :: Int $sel:httpStatus:AssumeRoleWithSAMLResponse' :: AssumeRoleWithSAMLResponse -> Int httpStatus} -> Int httpStatus) (\s :: AssumeRoleWithSAMLResponse s@AssumeRoleWithSAMLResponse' {} Int a -> AssumeRoleWithSAMLResponse s {$sel:httpStatus:AssumeRoleWithSAMLResponse' :: Int httpStatus = Int a} :: AssumeRoleWithSAMLResponse) instance Prelude.NFData AssumeRoleWithSAMLResponse