{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.STS.AssumeRoleWithWebIdentity -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Returns a set of temporary security credentials for users who have been -- authenticated in a mobile or web application with a web identity -- provider. Example providers include Amazon Cognito, Login with Amazon, -- Facebook, Google, or any OpenID Connect-compatible identity provider. -- -- For mobile applications, we recommend that you use Amazon Cognito. You -- can use Amazon Cognito with the -- <http://aws.amazon.com/sdkforios/ Amazon Web Services SDK for iOS Developer Guide> -- and the -- <http://aws.amazon.com/sdkforandroid/ Amazon Web Services SDK for Android Developer Guide> -- to uniquely identify a user. You can also supply the user with a -- consistent identity throughout the lifetime of an application. -- -- To learn more about Amazon Cognito, see -- <https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840 Amazon Cognito Overview> -- in /Amazon Web Services SDK for Android Developer Guide/ and -- <https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664 Amazon Cognito Overview> -- in the /Amazon Web Services SDK for iOS Developer Guide/. -- -- Calling @AssumeRoleWithWebIdentity@ does not require the use of Amazon -- Web Services security credentials. Therefore, you can distribute an -- application (for example, on mobile devices) that requests temporary -- security credentials without including long-term Amazon Web Services -- credentials in the application. You also don\'t need to deploy -- server-based proxy services that use long-term Amazon Web Services -- credentials. Instead, the identity of the caller is validated by using a -- token from the web identity provider. For a comparison of -- @AssumeRoleWithWebIdentity@ with the other API operations that produce -- temporary credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> -- and -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the STS API operations> -- in the /IAM User Guide/. -- -- The temporary security credentials returned by this API consist of an -- access key ID, a secret access key, and a security token. Applications -- can use these temporary security credentials to sign calls to Amazon Web -- Services service API operations. -- -- __Session Duration__ -- -- By default, the temporary security credentials created by -- @AssumeRoleWithWebIdentity@ last for one hour. However, you can use the -- optional @DurationSeconds@ parameter to specify the duration of your -- session. You can provide a value from 900 seconds (15 minutes) up to the -- maximum session duration setting for the role. This setting can have a -- value from 1 hour to 12 hours. To learn how to view the maximum value -- for your role, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. The maximum session duration limit applies when -- you use the @AssumeRole*@ API operations or the @assume-role*@ CLI -- commands. However the limit does not apply when you use those operations -- to create a console URL. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html Using IAM Roles> -- in the /IAM User Guide/. -- -- __Permissions__ -- -- The temporary security credentials created by -- @AssumeRoleWithWebIdentity@ can be used to make API calls to any Amazon -- Web Services service with the following exception: you cannot call the -- STS @GetFederationToken@ or @GetSessionToken@ API operations. -- -- (Optional) You can pass inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policies> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. The plaintext that you use for both -- inline and managed session policies can\'t exceed 2,048 characters. -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- __Tags__ -- -- (Optional) You can configure your IdP to pass attributes into your web -- identity token as session tags. Each session tag consists of a key name -- and an associated value. For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- You can pass up to 50 session tags. The plaintext session tag keys can’t -- exceed 128 characters and the values can’t exceed 256 characters. For -- these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is attached -- to the role. When you do, the session tag overrides the role tag with -- the same key. -- -- An administrator must grant you the permissions necessary to pass -- session tags. The administrator can also create granular permissions to -- allow you to pass only specific session tags. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control> -- in the /IAM User Guide/. -- -- You can set the session tags as transitive. Transitive tags persist -- during role chaining. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining Chaining Roles with Session Tags> -- in the /IAM User Guide/. -- -- __Identities__ -- -- Before your application can call @AssumeRoleWithWebIdentity@, you must -- have an identity token from a supported identity provider and create a -- role that the application can assume. The role that your application -- assumes must trust the identity provider that is associated with the -- identity token. In other words, the identity provider must be specified -- in the role\'s trust policy. -- -- Calling @AssumeRoleWithWebIdentity@ can result in an entry in your -- CloudTrail logs. The entry includes the -- <http://openid.net/specs/openid-connect-core-1_0.html#Claims Subject> of -- the provided web identity token. We recommend that you avoid using any -- personally identifiable information (PII) in this field. For example, -- you could instead use a GUID or a pairwise identifier, as -- <http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes suggested in the OIDC specification>. -- -- For more information about how to use web identity federation and the -- @AssumeRoleWithWebIdentity@ API, see the following resources: -- -- - <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html Using Web Identity Federation API Operations for Mobile Apps> -- and -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider>. -- -- - <https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/ Web Identity Federation Playground>. -- Walk through the process of authenticating through Login with -- Amazon, Facebook, or Google, getting temporary security credentials, -- and then using those credentials to make a request to Amazon Web -- Services. -- -- - <http://aws.amazon.com/sdkforios/ Amazon Web Services SDK for iOS Developer Guide> -- and -- <http://aws.amazon.com/sdkforandroid/ Amazon Web Services SDK for Android Developer Guide>. -- These toolkits contain sample apps that show how to invoke the -- identity providers. The toolkits then show how to use the -- information from these providers to get and use temporary security -- credentials. -- -- - <http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications Web Identity Federation with Mobile Applications>. -- This article discusses web identity federation and shows an example -- of how to use web identity federation to get access to content in -- Amazon S3. module Amazonka.STS.AssumeRoleWithWebIdentity ( -- * Creating a Request AssumeRoleWithWebIdentity (..), newAssumeRoleWithWebIdentity, -- * Request Lenses assumeRoleWithWebIdentity_providerId, assumeRoleWithWebIdentity_policyArns, assumeRoleWithWebIdentity_durationSeconds, assumeRoleWithWebIdentity_policy, assumeRoleWithWebIdentity_roleArn, assumeRoleWithWebIdentity_roleSessionName, assumeRoleWithWebIdentity_webIdentityToken, -- * Destructuring the Response AssumeRoleWithWebIdentityResponse (..), newAssumeRoleWithWebIdentityResponse, -- * Response Lenses assumeRoleWithWebIdentityResponse_audience, assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken, assumeRoleWithWebIdentityResponse_packedPolicySize, assumeRoleWithWebIdentityResponse_credentials, assumeRoleWithWebIdentityResponse_assumedRoleUser, assumeRoleWithWebIdentityResponse_sourceIdentity, assumeRoleWithWebIdentityResponse_provider, assumeRoleWithWebIdentityResponse_httpStatus, ) where import qualified Amazonka.Core as Core import qualified Amazonka.Lens as Lens import qualified Amazonka.Prelude as Prelude import qualified Amazonka.Request as Request import qualified Amazonka.Response as Response import Amazonka.STS.Types -- | /See:/ 'newAssumeRoleWithWebIdentity' smart constructor. data AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentity' { -- | The fully qualified host component of the domain name of the identity -- provider. -- -- Specify this value only for OAuth 2.0 access tokens. Currently -- @www.amazon.com@ and @graph.facebook.com@ are the only supported -- identity providers for OAuth 2.0 access tokens. Do not include URL -- schemes and port numbers. -- -- Do not specify this value for OpenID Connect ID tokens. AssumeRoleWithWebIdentity -> Maybe Text providerId :: Prelude.Maybe Prelude.Text, -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. AssumeRoleWithWebIdentity -> Maybe [PolicyDescriptorType] policyArns :: Prelude.Maybe [PolicyDescriptorType], -- | The duration, in seconds, of the role session. The value can range from -- 900 seconds (15 minutes) up to the maximum session duration setting for -- the role. This setting can have a value from 1 hour to 12 hours. If you -- specify a value higher than this setting, the operation fails. For -- example, if you specify a session duration of 12 hours, but your -- administrator set the maximum session duration to 6 hours, your -- operation fails. To learn how to view the maximum value for your role, -- see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. AssumeRoleWithWebIdentity -> Maybe Natural durationSeconds :: Prelude.Maybe Prelude.Natural, -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. AssumeRoleWithWebIdentity -> Maybe Text policy :: Prelude.Maybe Prelude.Text, -- | The Amazon Resource Name (ARN) of the role that the caller is assuming. AssumeRoleWithWebIdentity -> Text roleArn :: Prelude.Text, -- | An identifier for the assumed role session. Typically, you pass the name -- or identifier that is associated with the user who is using your -- application. That way, the temporary security credentials that your -- application will use are associated with that user. This session name is -- included as part of the ARN and assumed role ID in the @AssumedRoleUser@ -- response element. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRoleWithWebIdentity -> Text roleSessionName :: Prelude.Text, -- | The OAuth 2.0 access token or OpenID Connect ID token that is provided -- by the identity provider. Your application must get this token by -- authenticating the user who is using your application with a web -- identity provider before the application makes an -- @AssumeRoleWithWebIdentity@ call. AssumeRoleWithWebIdentity -> Text webIdentityToken :: Prelude.Text } deriving (AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool (AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool) -> (AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool) -> Eq AssumeRoleWithWebIdentity forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool $c/= :: AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool == :: AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool $c== :: AssumeRoleWithWebIdentity -> AssumeRoleWithWebIdentity -> Bool Prelude.Eq, ReadPrec [AssumeRoleWithWebIdentity] ReadPrec AssumeRoleWithWebIdentity Int -> ReadS AssumeRoleWithWebIdentity ReadS [AssumeRoleWithWebIdentity] (Int -> ReadS AssumeRoleWithWebIdentity) -> ReadS [AssumeRoleWithWebIdentity] -> ReadPrec AssumeRoleWithWebIdentity -> ReadPrec [AssumeRoleWithWebIdentity] -> Read AssumeRoleWithWebIdentity forall a. (Int -> ReadS a) -> ReadS [a] -> ReadPrec a -> ReadPrec [a] -> Read a readListPrec :: ReadPrec [AssumeRoleWithWebIdentity] $creadListPrec :: ReadPrec [AssumeRoleWithWebIdentity] readPrec :: ReadPrec AssumeRoleWithWebIdentity $creadPrec :: ReadPrec AssumeRoleWithWebIdentity readList :: ReadS [AssumeRoleWithWebIdentity] $creadList :: ReadS [AssumeRoleWithWebIdentity] readsPrec :: Int -> ReadS AssumeRoleWithWebIdentity $creadsPrec :: Int -> ReadS AssumeRoleWithWebIdentity Prelude.Read, Int -> AssumeRoleWithWebIdentity -> ShowS [AssumeRoleWithWebIdentity] -> ShowS AssumeRoleWithWebIdentity -> String (Int -> AssumeRoleWithWebIdentity -> ShowS) -> (AssumeRoleWithWebIdentity -> String) -> ([AssumeRoleWithWebIdentity] -> ShowS) -> Show AssumeRoleWithWebIdentity forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRoleWithWebIdentity] -> ShowS $cshowList :: [AssumeRoleWithWebIdentity] -> ShowS show :: AssumeRoleWithWebIdentity -> String $cshow :: AssumeRoleWithWebIdentity -> String showsPrec :: Int -> AssumeRoleWithWebIdentity -> ShowS $cshowsPrec :: Int -> AssumeRoleWithWebIdentity -> ShowS Prelude.Show, (forall x. AssumeRoleWithWebIdentity -> Rep AssumeRoleWithWebIdentity x) -> (forall x. Rep AssumeRoleWithWebIdentity x -> AssumeRoleWithWebIdentity) -> Generic AssumeRoleWithWebIdentity forall x. Rep AssumeRoleWithWebIdentity x -> AssumeRoleWithWebIdentity forall x. AssumeRoleWithWebIdentity -> Rep AssumeRoleWithWebIdentity x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRoleWithWebIdentity x -> AssumeRoleWithWebIdentity $cfrom :: forall x. AssumeRoleWithWebIdentity -> Rep AssumeRoleWithWebIdentity x Prelude.Generic) -- | -- Create a value of 'AssumeRoleWithWebIdentity' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'providerId', 'assumeRoleWithWebIdentity_providerId' - The fully qualified host component of the domain name of the identity -- provider. -- -- Specify this value only for OAuth 2.0 access tokens. Currently -- @www.amazon.com@ and @graph.facebook.com@ are the only supported -- identity providers for OAuth 2.0 access tokens. Do not include URL -- schemes and port numbers. -- -- Do not specify this value for OpenID Connect ID tokens. -- -- 'policyArns', 'assumeRoleWithWebIdentity_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- 'durationSeconds', 'assumeRoleWithWebIdentity_durationSeconds' - The duration, in seconds, of the role session. The value can range from -- 900 seconds (15 minutes) up to the maximum session duration setting for -- the role. This setting can have a value from 1 hour to 12 hours. If you -- specify a value higher than this setting, the operation fails. For -- example, if you specify a session duration of 12 hours, but your -- administrator set the maximum session duration to 6 hours, your -- operation fails. To learn how to view the maximum value for your role, -- see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. -- -- 'policy', 'assumeRoleWithWebIdentity_policy' - An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- 'roleArn', 'assumeRoleWithWebIdentity_roleArn' - The Amazon Resource Name (ARN) of the role that the caller is assuming. -- -- 'roleSessionName', 'assumeRoleWithWebIdentity_roleSessionName' - An identifier for the assumed role session. Typically, you pass the name -- or identifier that is associated with the user who is using your -- application. That way, the temporary security credentials that your -- application will use are associated with that user. This session name is -- included as part of the ARN and assumed role ID in the @AssumedRoleUser@ -- response element. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- -- -- 'webIdentityToken', 'assumeRoleWithWebIdentity_webIdentityToken' - The OAuth 2.0 access token or OpenID Connect ID token that is provided -- by the identity provider. Your application must get this token by -- authenticating the user who is using your application with a web -- identity provider before the application makes an -- @AssumeRoleWithWebIdentity@ call. newAssumeRoleWithWebIdentity :: -- | 'roleArn' Prelude.Text -> -- | 'roleSessionName' Prelude.Text -> -- | 'webIdentityToken' Prelude.Text -> AssumeRoleWithWebIdentity newAssumeRoleWithWebIdentity :: Text -> Text -> Text -> AssumeRoleWithWebIdentity newAssumeRoleWithWebIdentity Text pRoleArn_ Text pRoleSessionName_ Text pWebIdentityToken_ = AssumeRoleWithWebIdentity' :: Maybe Text -> Maybe [PolicyDescriptorType] -> Maybe Natural -> Maybe Text -> Text -> Text -> Text -> AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity' { $sel:providerId:AssumeRoleWithWebIdentity' :: Maybe Text providerId = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:policyArns:AssumeRoleWithWebIdentity' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] forall a. Maybe a Prelude.Nothing, $sel:durationSeconds:AssumeRoleWithWebIdentity' :: Maybe Natural durationSeconds = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:policy:AssumeRoleWithWebIdentity' :: Maybe Text policy = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:roleArn:AssumeRoleWithWebIdentity' :: Text roleArn = Text pRoleArn_, $sel:roleSessionName:AssumeRoleWithWebIdentity' :: Text roleSessionName = Text pRoleSessionName_, $sel:webIdentityToken:AssumeRoleWithWebIdentity' :: Text webIdentityToken = Text pWebIdentityToken_ } -- | The fully qualified host component of the domain name of the identity -- provider. -- -- Specify this value only for OAuth 2.0 access tokens. Currently -- @www.amazon.com@ and @graph.facebook.com@ are the only supported -- identity providers for OAuth 2.0 access tokens. Do not include URL -- schemes and port numbers. -- -- Do not specify this value for OpenID Connect ID tokens. assumeRoleWithWebIdentity_providerId :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentity_providerId :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_providerId = (AssumeRoleWithWebIdentity -> Maybe Text) -> (AssumeRoleWithWebIdentity -> Maybe Text -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Maybe Text providerId :: Maybe Text $sel:providerId:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Text providerId} -> Maybe Text providerId) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Maybe Text a -> AssumeRoleWithWebIdentity s {$sel:providerId:AssumeRoleWithWebIdentity' :: Maybe Text providerId = Maybe Text a} :: AssumeRoleWithWebIdentity) -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you -- want to use as managed session policies. The policies must exist in the -- same account as the role. -- -- This parameter is optional. You can provide up to 10 managed policy -- ARNs. However, the plaintext that you use for both inline and managed -- session policies can\'t exceed 2,048 characters. For more information -- about ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- Passing policies to this operation returns new temporary credentials. -- The resulting session\'s permissions are the intersection of the role\'s -- identity-based policy and the session policies. You can use the role\'s -- temporary credentials in subsequent Amazon Web Services API calls to -- access resources in the account that owns the role. You cannot use -- session policies to grant more permissions than those allowed by the -- identity-based policy of the role that is being assumed. For more -- information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. assumeRoleWithWebIdentity_policyArns :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe [PolicyDescriptorType]) assumeRoleWithWebIdentity_policyArns :: (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_policyArns = (AssumeRoleWithWebIdentity -> Maybe [PolicyDescriptorType]) -> (AssumeRoleWithWebIdentity -> Maybe [PolicyDescriptorType] -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Maybe [PolicyDescriptorType] policyArns :: Maybe [PolicyDescriptorType] $sel:policyArns:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe [PolicyDescriptorType] policyArns} -> Maybe [PolicyDescriptorType] policyArns) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Maybe [PolicyDescriptorType] a -> AssumeRoleWithWebIdentity s {$sel:policyArns:AssumeRoleWithWebIdentity' :: Maybe [PolicyDescriptorType] policyArns = Maybe [PolicyDescriptorType] a} :: AssumeRoleWithWebIdentity) ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity) -> ((Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> (Maybe [PolicyDescriptorType] -> f (Maybe [PolicyDescriptorType])) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity forall b c a. (b -> c) -> (a -> b) -> a -> c Prelude.. AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] -> Iso (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) (Maybe [PolicyDescriptorType]) forall (f :: * -> *) (g :: * -> *) s t a b. (Functor f, Functor g) => AnIso s t a b -> Iso (f s) (g t) (f a) (g b) Lens.mapping AnIso [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] [PolicyDescriptorType] forall s t a b. (Coercible s a, Coercible t b) => Iso s t a b Lens.coerced -- | The duration, in seconds, of the role session. The value can range from -- 900 seconds (15 minutes) up to the maximum session duration setting for -- the role. This setting can have a value from 1 hour to 12 hours. If you -- specify a value higher than this setting, the operation fails. For -- example, if you specify a session duration of 12 hours, but your -- administrator set the maximum session duration to 6 hours, your -- operation fails. To learn how to view the maximum value for your role, -- see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session View the Maximum Session Duration Setting for a Role> -- in the /IAM User Guide/. -- -- By default, the value is set to @3600@ seconds. -- -- The @DurationSeconds@ parameter is separate from the duration of a -- console session that you might request using the returned credentials. -- The request to the federation endpoint for a console sign-in token takes -- a @SessionDuration@ parameter that specifies the maximum length of the -- console session. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html Creating a URL that Enables Federated Users to Access the Management Console> -- in the /IAM User Guide/. assumeRoleWithWebIdentity_durationSeconds :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Natural) assumeRoleWithWebIdentity_durationSeconds :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_durationSeconds = (AssumeRoleWithWebIdentity -> Maybe Natural) -> (AssumeRoleWithWebIdentity -> Maybe Natural -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Maybe Natural durationSeconds :: Maybe Natural $sel:durationSeconds:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Natural durationSeconds} -> Maybe Natural durationSeconds) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Maybe Natural a -> AssumeRoleWithWebIdentity s {$sel:durationSeconds:AssumeRoleWithWebIdentity' :: Maybe Natural durationSeconds = Maybe Natural a} :: AssumeRoleWithWebIdentity) -- | An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- This parameter is optional. Passing policies to this operation returns -- new temporary credentials. The resulting session\'s permissions are the -- intersection of the role\'s identity-based policy and the session -- policies. You can use the role\'s temporary credentials in subsequent -- Amazon Web Services API calls to access resources in the account that -- owns the role. You cannot use session policies to grant more permissions -- than those allowed by the identity-based policy of the role that is -- being assumed. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. assumeRoleWithWebIdentity_policy :: Lens.Lens' AssumeRoleWithWebIdentity (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentity_policy :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_policy = (AssumeRoleWithWebIdentity -> Maybe Text) -> (AssumeRoleWithWebIdentity -> Maybe Text -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Maybe Text policy :: Maybe Text $sel:policy:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Text policy} -> Maybe Text policy) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Maybe Text a -> AssumeRoleWithWebIdentity s {$sel:policy:AssumeRoleWithWebIdentity' :: Maybe Text policy = Maybe Text a} :: AssumeRoleWithWebIdentity) -- | The Amazon Resource Name (ARN) of the role that the caller is assuming. assumeRoleWithWebIdentity_roleArn :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text assumeRoleWithWebIdentity_roleArn :: (Text -> f Text) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_roleArn = (AssumeRoleWithWebIdentity -> Text) -> (AssumeRoleWithWebIdentity -> Text -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Text roleArn :: Text $sel:roleArn:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text roleArn} -> Text roleArn) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Text a -> AssumeRoleWithWebIdentity s {$sel:roleArn:AssumeRoleWithWebIdentity' :: Text roleArn = Text a} :: AssumeRoleWithWebIdentity) -- | An identifier for the assumed role session. Typically, you pass the name -- or identifier that is associated with the user who is using your -- application. That way, the temporary security credentials that your -- application will use are associated with that user. This session name is -- included as part of the ARN and assumed role ID in the @AssumedRoleUser@ -- response element. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRoleWithWebIdentity_roleSessionName :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text assumeRoleWithWebIdentity_roleSessionName :: (Text -> f Text) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_roleSessionName = (AssumeRoleWithWebIdentity -> Text) -> (AssumeRoleWithWebIdentity -> Text -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Text roleSessionName :: Text $sel:roleSessionName:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text roleSessionName} -> Text roleSessionName) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Text a -> AssumeRoleWithWebIdentity s {$sel:roleSessionName:AssumeRoleWithWebIdentity' :: Text roleSessionName = Text a} :: AssumeRoleWithWebIdentity) -- | The OAuth 2.0 access token or OpenID Connect ID token that is provided -- by the identity provider. Your application must get this token by -- authenticating the user who is using your application with a web -- identity provider before the application makes an -- @AssumeRoleWithWebIdentity@ call. assumeRoleWithWebIdentity_webIdentityToken :: Lens.Lens' AssumeRoleWithWebIdentity Prelude.Text assumeRoleWithWebIdentity_webIdentityToken :: (Text -> f Text) -> AssumeRoleWithWebIdentity -> f AssumeRoleWithWebIdentity assumeRoleWithWebIdentity_webIdentityToken = (AssumeRoleWithWebIdentity -> Text) -> (AssumeRoleWithWebIdentity -> Text -> AssumeRoleWithWebIdentity) -> Lens AssumeRoleWithWebIdentity AssumeRoleWithWebIdentity Text Text forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentity' {Text webIdentityToken :: Text $sel:webIdentityToken:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text webIdentityToken} -> Text webIdentityToken) (\s :: AssumeRoleWithWebIdentity s@AssumeRoleWithWebIdentity' {} Text a -> AssumeRoleWithWebIdentity s {$sel:webIdentityToken:AssumeRoleWithWebIdentity' :: Text webIdentityToken = Text a} :: AssumeRoleWithWebIdentity) instance Core.AWSRequest AssumeRoleWithWebIdentity where type AWSResponse AssumeRoleWithWebIdentity = AssumeRoleWithWebIdentityResponse request :: AssumeRoleWithWebIdentity -> Request AssumeRoleWithWebIdentity request = Service -> AssumeRoleWithWebIdentity -> Request AssumeRoleWithWebIdentity forall a. ToRequest a => Service -> a -> Request a Request.postQuery Service defaultService response :: Logger -> Service -> Proxy AssumeRoleWithWebIdentity -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRoleWithWebIdentity))) response = Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse AssumeRoleWithWebIdentity)) -> Logger -> Service -> Proxy AssumeRoleWithWebIdentity -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse AssumeRoleWithWebIdentity))) forall (m :: * -> *) a. MonadResource m => Text -> (Int -> ResponseHeaders -> [Node] -> Either String (AWSResponse a)) -> Logger -> Service -> Proxy a -> ClientResponse ClientBody -> m (Either Error (ClientResponse (AWSResponse a))) Response.receiveXMLWrapper Text "AssumeRoleWithWebIdentityResult" ( \Int s ResponseHeaders h [Node] x -> Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse' (Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe Text) -> Either String (Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Audience") Either String (Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe Text) -> Either String (Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "SubjectFromWebIdentityToken") Either String (Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe Natural) -> Either String (Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Natural) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "PackedPolicySize") Either String (Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe AuthEnv) -> Either String (Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AuthEnv) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Credentials") Either String (Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe AssumedRoleUser) -> Either String (Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe AssumedRoleUser) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "AssumedRoleUser") Either String (Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe Text) -> Either String (Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "SourceIdentity") Either String (Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse) -> Either String (Maybe Text) -> Either String (Int -> AssumeRoleWithWebIdentityResponse) forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> ([Node] x [Node] -> Text -> Either String (Maybe Text) forall a. FromXML a => [Node] -> Text -> Either String (Maybe a) Core..@? Text "Provider") Either String (Int -> AssumeRoleWithWebIdentityResponse) -> Either String Int -> Either String AssumeRoleWithWebIdentityResponse forall (f :: * -> *) a b. Applicative f => f (a -> b) -> f a -> f b Prelude.<*> (Int -> Either String Int forall (f :: * -> *) a. Applicative f => a -> f a Prelude.pure (Int -> Int forall a. Enum a => a -> Int Prelude.fromEnum Int s)) ) instance Prelude.Hashable AssumeRoleWithWebIdentity instance Prelude.NFData AssumeRoleWithWebIdentity instance Core.ToHeaders AssumeRoleWithWebIdentity where toHeaders :: AssumeRoleWithWebIdentity -> ResponseHeaders toHeaders = ResponseHeaders -> AssumeRoleWithWebIdentity -> ResponseHeaders forall a b. a -> b -> a Prelude.const ResponseHeaders forall a. Monoid a => a Prelude.mempty instance Core.ToPath AssumeRoleWithWebIdentity where toPath :: AssumeRoleWithWebIdentity -> ByteString toPath = ByteString -> AssumeRoleWithWebIdentity -> ByteString forall a b. a -> b -> a Prelude.const ByteString "/" instance Core.ToQuery AssumeRoleWithWebIdentity where toQuery :: AssumeRoleWithWebIdentity -> QueryString toQuery AssumeRoleWithWebIdentity' {Maybe Natural Maybe [PolicyDescriptorType] Maybe Text Text webIdentityToken :: Text roleSessionName :: Text roleArn :: Text policy :: Maybe Text durationSeconds :: Maybe Natural policyArns :: Maybe [PolicyDescriptorType] providerId :: Maybe Text $sel:webIdentityToken:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text $sel:roleSessionName:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text $sel:roleArn:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Text $sel:policy:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Text $sel:durationSeconds:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Natural $sel:policyArns:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe [PolicyDescriptorType] $sel:providerId:AssumeRoleWithWebIdentity' :: AssumeRoleWithWebIdentity -> Maybe Text ..} = [QueryString] -> QueryString forall a. Monoid a => [a] -> a Prelude.mconcat [ ByteString "Action" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "AssumeRoleWithWebIdentity" :: Prelude.ByteString), ByteString "Version" ByteString -> ByteString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: (ByteString "2011-06-15" :: Prelude.ByteString), ByteString "ProviderId" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text providerId, ByteString "PolicyArns" ByteString -> QueryString -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe QueryString -> QueryString forall a. ToQuery a => a -> QueryString Core.toQuery (ByteString -> [PolicyDescriptorType] -> QueryString forall a. (IsList a, ToQuery (Item a)) => ByteString -> a -> QueryString Core.toQueryList ByteString "member" ([PolicyDescriptorType] -> QueryString) -> Maybe [PolicyDescriptorType] -> Maybe QueryString forall (f :: * -> *) a b. Functor f => (a -> b) -> f a -> f b Prelude.<$> Maybe [PolicyDescriptorType] policyArns), ByteString "DurationSeconds" ByteString -> Maybe Natural -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Natural durationSeconds, ByteString "Policy" ByteString -> Maybe Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Maybe Text policy, ByteString "RoleArn" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text roleArn, ByteString "RoleSessionName" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text roleSessionName, ByteString "WebIdentityToken" ByteString -> Text -> QueryString forall a. ToQuery a => ByteString -> a -> QueryString Core.=: Text webIdentityToken ] -- | Contains the response to a successful AssumeRoleWithWebIdentity request, -- including temporary Amazon Web Services credentials that can be used to -- make Amazon Web Services requests. -- -- /See:/ 'newAssumeRoleWithWebIdentityResponse' smart constructor. data AssumeRoleWithWebIdentityResponse = AssumeRoleWithWebIdentityResponse' { -- | The intended audience (also known as client ID) of the web identity -- token. This is traditionally the client identifier issued to the -- application that requested the web identity token. AssumeRoleWithWebIdentityResponse -> Maybe Text audience :: Prelude.Maybe Prelude.Text, -- | The unique user identifier that is returned by the identity provider. -- This identifier is associated with the @WebIdentityToken@ that was -- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is -- typically unique to the user and the application that acquired the -- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens, -- this field contains the value returned by the identity provider as the -- token\'s @sub@ (Subject) claim. AssumeRoleWithWebIdentityResponse -> Maybe Text subjectFromWebIdentityToken :: Prelude.Maybe Prelude.Text, -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. AssumeRoleWithWebIdentityResponse -> Maybe Natural packedPolicySize :: Prelude.Maybe Prelude.Natural, -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. AssumeRoleWithWebIdentityResponse -> Maybe AuthEnv credentials :: Prelude.Maybe Core.AuthEnv, -- | The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. AssumeRoleWithWebIdentityResponse -> Maybe AssumedRoleUser assumedRoleUser :: Prelude.Maybe AssumedRoleUser, -- | The value of the source identity that is returned in the JSON web token -- (JWT) from the identity provider. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your identity provider to use an attribute -- associated with your users, like user name or email, as the source -- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding -- a claim to the JSON web token. To learn more about OIDC tokens and -- claims, see -- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools> -- in the /Amazon Cognito Developer Guide/. For more information about -- using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- AssumeRoleWithWebIdentityResponse -> Maybe Text sourceIdentity :: Prelude.Maybe Prelude.Text, -- | The issuing authority of the web identity token presented. For OpenID -- Connect ID tokens, this contains the value of the @iss@ field. For OAuth -- 2.0 access tokens, this contains the value of the @ProviderId@ parameter -- that was passed in the @AssumeRoleWithWebIdentity@ request. AssumeRoleWithWebIdentityResponse -> Maybe Text provider :: Prelude.Maybe Prelude.Text, -- | The response's http status code. AssumeRoleWithWebIdentityResponse -> Int httpStatus :: Prelude.Int } deriving (AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool (AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool) -> (AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool) -> Eq AssumeRoleWithWebIdentityResponse forall a. (a -> a -> Bool) -> (a -> a -> Bool) -> Eq a /= :: AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool $c/= :: AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool == :: AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool $c== :: AssumeRoleWithWebIdentityResponse -> AssumeRoleWithWebIdentityResponse -> Bool Prelude.Eq, Int -> AssumeRoleWithWebIdentityResponse -> ShowS [AssumeRoleWithWebIdentityResponse] -> ShowS AssumeRoleWithWebIdentityResponse -> String (Int -> AssumeRoleWithWebIdentityResponse -> ShowS) -> (AssumeRoleWithWebIdentityResponse -> String) -> ([AssumeRoleWithWebIdentityResponse] -> ShowS) -> Show AssumeRoleWithWebIdentityResponse forall a. (Int -> a -> ShowS) -> (a -> String) -> ([a] -> ShowS) -> Show a showList :: [AssumeRoleWithWebIdentityResponse] -> ShowS $cshowList :: [AssumeRoleWithWebIdentityResponse] -> ShowS show :: AssumeRoleWithWebIdentityResponse -> String $cshow :: AssumeRoleWithWebIdentityResponse -> String showsPrec :: Int -> AssumeRoleWithWebIdentityResponse -> ShowS $cshowsPrec :: Int -> AssumeRoleWithWebIdentityResponse -> ShowS Prelude.Show, (forall x. AssumeRoleWithWebIdentityResponse -> Rep AssumeRoleWithWebIdentityResponse x) -> (forall x. Rep AssumeRoleWithWebIdentityResponse x -> AssumeRoleWithWebIdentityResponse) -> Generic AssumeRoleWithWebIdentityResponse forall x. Rep AssumeRoleWithWebIdentityResponse x -> AssumeRoleWithWebIdentityResponse forall x. AssumeRoleWithWebIdentityResponse -> Rep AssumeRoleWithWebIdentityResponse x forall a. (forall x. a -> Rep a x) -> (forall x. Rep a x -> a) -> Generic a $cto :: forall x. Rep AssumeRoleWithWebIdentityResponse x -> AssumeRoleWithWebIdentityResponse $cfrom :: forall x. AssumeRoleWithWebIdentityResponse -> Rep AssumeRoleWithWebIdentityResponse x Prelude.Generic) -- | -- Create a value of 'AssumeRoleWithWebIdentityResponse' with all optional fields omitted. -- -- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields. -- -- The following record fields are available, with the corresponding lenses provided -- for backwards compatibility: -- -- 'audience', 'assumeRoleWithWebIdentityResponse_audience' - The intended audience (also known as client ID) of the web identity -- token. This is traditionally the client identifier issued to the -- application that requested the web identity token. -- -- 'subjectFromWebIdentityToken', 'assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken' - The unique user identifier that is returned by the identity provider. -- This identifier is associated with the @WebIdentityToken@ that was -- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is -- typically unique to the user and the application that acquired the -- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens, -- this field contains the value returned by the identity provider as the -- token\'s @sub@ (Subject) claim. -- -- 'packedPolicySize', 'assumeRoleWithWebIdentityResponse_packedPolicySize' - A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. -- -- 'credentials', 'assumeRoleWithWebIdentityResponse_credentials' - The temporary security credentials, which include an access key ID, a -- secret access key, and a security token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. -- -- 'assumedRoleUser', 'assumeRoleWithWebIdentityResponse_assumedRoleUser' - The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. -- -- 'sourceIdentity', 'assumeRoleWithWebIdentityResponse_sourceIdentity' - The value of the source identity that is returned in the JSON web token -- (JWT) from the identity provider. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your identity provider to use an attribute -- associated with your users, like user name or email, as the source -- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding -- a claim to the JSON web token. To learn more about OIDC tokens and -- claims, see -- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools> -- in the /Amazon Cognito Developer Guide/. For more information about -- using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- -- -- 'provider', 'assumeRoleWithWebIdentityResponse_provider' - The issuing authority of the web identity token presented. For OpenID -- Connect ID tokens, this contains the value of the @iss@ field. For OAuth -- 2.0 access tokens, this contains the value of the @ProviderId@ parameter -- that was passed in the @AssumeRoleWithWebIdentity@ request. -- -- 'httpStatus', 'assumeRoleWithWebIdentityResponse_httpStatus' - The response's http status code. newAssumeRoleWithWebIdentityResponse :: -- | 'httpStatus' Prelude.Int -> AssumeRoleWithWebIdentityResponse newAssumeRoleWithWebIdentityResponse :: Int -> AssumeRoleWithWebIdentityResponse newAssumeRoleWithWebIdentityResponse Int pHttpStatus_ = AssumeRoleWithWebIdentityResponse' :: Maybe Text -> Maybe Text -> Maybe Natural -> Maybe AuthEnv -> Maybe AssumedRoleUser -> Maybe Text -> Maybe Text -> Int -> AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse' { $sel:audience:AssumeRoleWithWebIdentityResponse' :: Maybe Text audience = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:subjectFromWebIdentityToken:AssumeRoleWithWebIdentityResponse' :: Maybe Text subjectFromWebIdentityToken = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:packedPolicySize:AssumeRoleWithWebIdentityResponse' :: Maybe Natural packedPolicySize = Maybe Natural forall a. Maybe a Prelude.Nothing, $sel:credentials:AssumeRoleWithWebIdentityResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv forall a. Maybe a Prelude.Nothing, $sel:assumedRoleUser:AssumeRoleWithWebIdentityResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser forall a. Maybe a Prelude.Nothing, $sel:sourceIdentity:AssumeRoleWithWebIdentityResponse' :: Maybe Text sourceIdentity = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:provider:AssumeRoleWithWebIdentityResponse' :: Maybe Text provider = Maybe Text forall a. Maybe a Prelude.Nothing, $sel:httpStatus:AssumeRoleWithWebIdentityResponse' :: Int httpStatus = Int pHttpStatus_ } -- | The intended audience (also known as client ID) of the web identity -- token. This is traditionally the client identifier issued to the -- application that requested the web identity token. assumeRoleWithWebIdentityResponse_audience :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentityResponse_audience :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_audience = (AssumeRoleWithWebIdentityResponse -> Maybe Text) -> (AssumeRoleWithWebIdentityResponse -> Maybe Text -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe Text audience :: Maybe Text $sel:audience:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe Text audience} -> Maybe Text audience) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe Text a -> AssumeRoleWithWebIdentityResponse s {$sel:audience:AssumeRoleWithWebIdentityResponse' :: Maybe Text audience = Maybe Text a} :: AssumeRoleWithWebIdentityResponse) -- | The unique user identifier that is returned by the identity provider. -- This identifier is associated with the @WebIdentityToken@ that was -- submitted with the @AssumeRoleWithWebIdentity@ call. The identifier is -- typically unique to the user and the application that acquired the -- @WebIdentityToken@ (pairwise identifier). For OpenID Connect ID tokens, -- this field contains the value returned by the identity provider as the -- token\'s @sub@ (Subject) claim. assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_subjectFromWebIdentityToken = (AssumeRoleWithWebIdentityResponse -> Maybe Text) -> (AssumeRoleWithWebIdentityResponse -> Maybe Text -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe Text subjectFromWebIdentityToken :: Maybe Text $sel:subjectFromWebIdentityToken:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe Text subjectFromWebIdentityToken} -> Maybe Text subjectFromWebIdentityToken) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe Text a -> AssumeRoleWithWebIdentityResponse s {$sel:subjectFromWebIdentityToken:AssumeRoleWithWebIdentityResponse' :: Maybe Text subjectFromWebIdentityToken = Maybe Text a} :: AssumeRoleWithWebIdentityResponse) -- | A percentage value that indicates the packed size of the session -- policies and session tags combined passed in the request. The request -- fails if the packed size is greater than 100 percent, which means the -- policies and tags exceeded the allowed space. assumeRoleWithWebIdentityResponse_packedPolicySize :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Natural) assumeRoleWithWebIdentityResponse_packedPolicySize :: (Maybe Natural -> f (Maybe Natural)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_packedPolicySize = (AssumeRoleWithWebIdentityResponse -> Maybe Natural) -> (AssumeRoleWithWebIdentityResponse -> Maybe Natural -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe Natural) (Maybe Natural) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe Natural packedPolicySize :: Maybe Natural $sel:packedPolicySize:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe Natural packedPolicySize} -> Maybe Natural packedPolicySize) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe Natural a -> AssumeRoleWithWebIdentityResponse s {$sel:packedPolicySize:AssumeRoleWithWebIdentityResponse' :: Maybe Natural packedPolicySize = Maybe Natural a} :: AssumeRoleWithWebIdentityResponse) -- | The temporary security credentials, which include an access key ID, a -- secret access key, and a security token. -- -- The size of the security token that STS API operations return is not -- fixed. We strongly recommend that you make no assumptions about the -- maximum size. assumeRoleWithWebIdentityResponse_credentials :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Core.AuthEnv) assumeRoleWithWebIdentityResponse_credentials :: (Maybe AuthEnv -> f (Maybe AuthEnv)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_credentials = (AssumeRoleWithWebIdentityResponse -> Maybe AuthEnv) -> (AssumeRoleWithWebIdentityResponse -> Maybe AuthEnv -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe AuthEnv) (Maybe AuthEnv) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe AuthEnv credentials :: Maybe AuthEnv $sel:credentials:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe AuthEnv credentials} -> Maybe AuthEnv credentials) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe AuthEnv a -> AssumeRoleWithWebIdentityResponse s {$sel:credentials:AssumeRoleWithWebIdentityResponse' :: Maybe AuthEnv credentials = Maybe AuthEnv a} :: AssumeRoleWithWebIdentityResponse) -- | The Amazon Resource Name (ARN) and the assumed role ID, which are -- identifiers that you can use to refer to the resulting temporary -- security credentials. For example, you can reference these credentials -- as a principal in a resource-based policy by using the ARN or assumed -- role ID. The ARN and ID include the @RoleSessionName@ that you specified -- when you called @AssumeRole@. assumeRoleWithWebIdentityResponse_assumedRoleUser :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe AssumedRoleUser) assumeRoleWithWebIdentityResponse_assumedRoleUser :: (Maybe AssumedRoleUser -> f (Maybe AssumedRoleUser)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_assumedRoleUser = (AssumeRoleWithWebIdentityResponse -> Maybe AssumedRoleUser) -> (AssumeRoleWithWebIdentityResponse -> Maybe AssumedRoleUser -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser) (Maybe AssumedRoleUser) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe AssumedRoleUser assumedRoleUser :: Maybe AssumedRoleUser $sel:assumedRoleUser:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe AssumedRoleUser assumedRoleUser} -> Maybe AssumedRoleUser assumedRoleUser) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe AssumedRoleUser a -> AssumeRoleWithWebIdentityResponse s {$sel:assumedRoleUser:AssumeRoleWithWebIdentityResponse' :: Maybe AssumedRoleUser assumedRoleUser = Maybe AssumedRoleUser a} :: AssumeRoleWithWebIdentityResponse) -- | The value of the source identity that is returned in the JSON web token -- (JWT) from the identity provider. -- -- You can require users to set a source identity value when they assume a -- role. You do this by using the @sts:SourceIdentity@ condition key in a -- role trust policy. That way, actions that are taken with the role are -- associated with that user. After the source identity is set, the value -- cannot be changed. It is present in the request for all actions that are -- taken by the role and persists across -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining chained role> -- sessions. You can configure your identity provider to use an attribute -- associated with your users, like user name or email, as the source -- identity when calling @AssumeRoleWithWebIdentity@. You do this by adding -- a claim to the JSON web token. To learn more about OIDC tokens and -- claims, see -- <https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html Using Tokens with User Pools> -- in the /Amazon Cognito Developer Guide/. For more information about -- using source identity, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html Monitor and control actions taken with assumed roles> -- in the /IAM User Guide/. -- -- The regex used to validate this parameter is a string of characters -- consisting of upper- and lower-case alphanumeric characters with no -- spaces. You can also include underscores or any of the following -- characters: =,.\@- assumeRoleWithWebIdentityResponse_sourceIdentity :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentityResponse_sourceIdentity :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_sourceIdentity = (AssumeRoleWithWebIdentityResponse -> Maybe Text) -> (AssumeRoleWithWebIdentityResponse -> Maybe Text -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe Text sourceIdentity :: Maybe Text $sel:sourceIdentity:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe Text sourceIdentity} -> Maybe Text sourceIdentity) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe Text a -> AssumeRoleWithWebIdentityResponse s {$sel:sourceIdentity:AssumeRoleWithWebIdentityResponse' :: Maybe Text sourceIdentity = Maybe Text a} :: AssumeRoleWithWebIdentityResponse) -- | The issuing authority of the web identity token presented. For OpenID -- Connect ID tokens, this contains the value of the @iss@ field. For OAuth -- 2.0 access tokens, this contains the value of the @ProviderId@ parameter -- that was passed in the @AssumeRoleWithWebIdentity@ request. assumeRoleWithWebIdentityResponse_provider :: Lens.Lens' AssumeRoleWithWebIdentityResponse (Prelude.Maybe Prelude.Text) assumeRoleWithWebIdentityResponse_provider :: (Maybe Text -> f (Maybe Text)) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_provider = (AssumeRoleWithWebIdentityResponse -> Maybe Text) -> (AssumeRoleWithWebIdentityResponse -> Maybe Text -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse (Maybe Text) (Maybe Text) forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Maybe Text provider :: Maybe Text $sel:provider:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Maybe Text provider} -> Maybe Text provider) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Maybe Text a -> AssumeRoleWithWebIdentityResponse s {$sel:provider:AssumeRoleWithWebIdentityResponse' :: Maybe Text provider = Maybe Text a} :: AssumeRoleWithWebIdentityResponse) -- | The response's http status code. assumeRoleWithWebIdentityResponse_httpStatus :: Lens.Lens' AssumeRoleWithWebIdentityResponse Prelude.Int assumeRoleWithWebIdentityResponse_httpStatus :: (Int -> f Int) -> AssumeRoleWithWebIdentityResponse -> f AssumeRoleWithWebIdentityResponse assumeRoleWithWebIdentityResponse_httpStatus = (AssumeRoleWithWebIdentityResponse -> Int) -> (AssumeRoleWithWebIdentityResponse -> Int -> AssumeRoleWithWebIdentityResponse) -> Lens AssumeRoleWithWebIdentityResponse AssumeRoleWithWebIdentityResponse Int Int forall s a b t. (s -> a) -> (s -> b -> t) -> Lens s t a b Lens.lens (\AssumeRoleWithWebIdentityResponse' {Int httpStatus :: Int $sel:httpStatus:AssumeRoleWithWebIdentityResponse' :: AssumeRoleWithWebIdentityResponse -> Int httpStatus} -> Int httpStatus) (\s :: AssumeRoleWithWebIdentityResponse s@AssumeRoleWithWebIdentityResponse' {} Int a -> AssumeRoleWithWebIdentityResponse s {$sel:httpStatus:AssumeRoleWithWebIdentityResponse' :: Int httpStatus = Int a} :: AssumeRoleWithWebIdentityResponse) instance Prelude.NFData AssumeRoleWithWebIdentityResponse