{-# LANGUAGE DeriveGeneric #-} {-# LANGUAGE DuplicateRecordFields #-} {-# LANGUAGE NamedFieldPuns #-} {-# LANGUAGE OverloadedStrings #-} {-# LANGUAGE RecordWildCards #-} {-# LANGUAGE StrictData #-} {-# LANGUAGE TypeFamilies #-} {-# LANGUAGE NoImplicitPrelude #-} {-# OPTIONS_GHC -fno-warn-unused-binds #-} {-# OPTIONS_GHC -fno-warn-unused-imports #-} {-# OPTIONS_GHC -fno-warn-unused-matches #-} -- Derived from AWS service descriptions, licensed under Apache 2.0. -- | -- Module : Amazonka.STS.GetFederationToken -- Copyright : (c) 2013-2021 Brendan Hay -- License : Mozilla Public License, v. 2.0. -- Maintainer : Brendan Hay <brendan.g.hay+amazonka@gmail.com> -- Stability : auto-generated -- Portability : non-portable (GHC extensions) -- -- Returns a set of temporary security credentials (consisting of an access -- key ID, a secret access key, and a security token) for a federated user. -- A typical use is in a proxy application that gets temporary security -- credentials on behalf of distributed applications inside a corporate -- network. You must call the @GetFederationToken@ operation using the -- long-term security credentials of an IAM user. As a result, this call is -- appropriate in contexts where those credentials can be safely stored, -- usually in a server-based application. For a comparison of -- @GetFederationToken@ with the other API operations that produce -- temporary credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html Requesting Temporary Security Credentials> -- and -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison Comparing the STS API operations> -- in the /IAM User Guide/. -- -- You can create a mobile-based or browser-based app that can authenticate -- users using a web identity provider like Login with Amazon, Facebook, -- Google, or an OpenID Connect-compatible identity provider. 
In this case, -- we recommend that you use -- <http://aws.amazon.com/cognito/ Amazon Cognito> or -- @AssumeRoleWithWebIdentity@. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider> -- in the /IAM User Guide/. -- -- You can also call @GetFederationToken@ using the security credentials of -- an Amazon Web Services account root user, but we do not recommend it. -- Instead, we recommend that you create an IAM user for the purpose of the -- proxy application. Then attach a policy to the IAM user that limits -- federated users to only the actions and resources that they need to -- access. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices> -- in the /IAM User Guide/. -- -- __Session duration__ -- -- The temporary credentials are valid for the specified duration, from 900 -- seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The -- default session duration is 43,200 seconds (12 hours). Temporary -- credentials that are obtained by using Amazon Web Services account root -- user credentials have a maximum duration of 3,600 seconds (1 hour). -- -- __Permissions__ -- -- You can use the temporary credentials created by @GetFederationToken@ in -- any Amazon Web Services service except the following: -- -- - You cannot call any IAM operations using the CLI or the Amazon Web -- Services API. -- -- - You cannot call any STS operations except @GetCallerIdentity@. -- -- You must pass an inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. 
The plaintext that you use for both -- inline and managed session policies can\'t exceed 2,048 characters. -- -- Though the session policy parameters are optional, if you do not pass a -- policy, then the resulting federated user session has no permissions. -- When you pass session policies, the session permissions are the -- intersection of the IAM user policies and the session policies that you -- pass. This gives you a way to further restrict the permissions for a -- federated user. You cannot use session policies to grant more -- permissions than those that are defined in the permissions policy of the -- IAM user. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. For information about using -- @GetFederationToken@ to create temporary security credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken GetFederationToken—Federation Through a Custom Identity Broker>. -- -- You can use the credentials to access a resource that has a -- resource-based policy. If that policy specifically references the -- federated user session in the @Principal@ element of the policy, the -- session has the permissions allowed by the policy. These permissions are -- granted in addition to the permissions granted by the session policies. -- -- __Tags__ -- -- (Optional) You can pass tag key-value pairs to your session. These are -- called session tags. For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- You can create a mobile-based or browser-based app that can authenticate -- users using a web identity provider like Login with Amazon, Facebook, -- Google, or an OpenID Connect-compatible identity provider. 
In this case, -- we recommend that you use -- <http://aws.amazon.com/cognito/ Amazon Cognito> or -- @AssumeRoleWithWebIdentity@. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity Federation Through a Web-based Identity Provider> -- in the /IAM User Guide/. -- -- You can also call @GetFederationToken@ using the security credentials of -- an Amazon Web Services account root user, but we do not recommend it. -- Instead, we recommend that you create an IAM user for the purpose of the -- proxy application. Then attach a policy to the IAM user that limits -- federated users to only the actions and resources that they need to -- access. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html IAM Best Practices> -- in the /IAM User Guide/. -- -- __Session duration__ -- -- The temporary credentials are valid for the specified duration, from 900 -- seconds (15 minutes) up to a maximum of 129,600 seconds (36 hours). The -- default session duration is 43,200 seconds (12 hours). Temporary -- credentials that are obtained by using Amazon Web Services account root -- user credentials have a maximum duration of 3,600 seconds (1 hour). -- -- __Permissions__ -- -- You can use the temporary credentials created by @GetFederationToken@ in -- any Amazon Web Services service except the following: -- -- - You cannot call any IAM operations using the CLI or the Amazon Web -- Services API. -- -- - You cannot call any STS operations except @GetCallerIdentity@. -- -- You must pass an inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. 
The plain text that you use for both -- inline and managed session policies can\'t exceed 2,048 characters. -- -- Though the session policy parameters are optional, if you do not pass a -- policy, then the resulting federated user session has no permissions. -- When you pass session policies, the session permissions are the -- intersection of the IAM user policies and the session policies that you -- pass. This gives you a way to further restrict the permissions for a -- federated user. You cannot use session policies to grant more -- permissions than those that are defined in the permissions policy of the -- IAM user. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. For information about using -- @GetFederationToken@ to create temporary security credentials, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken GetFederationToken—Federation Through a Custom Identity Broker>. -- -- You can use the credentials to access a resource that has a -- resource-based policy. If that policy specifically references the -- federated user session in the @Principal@ element of the policy, the -- session has the permissions allowed by the policy. These permissions are -- granted in addition to the permissions granted by the session policies. -- -- __Tags__ -- -- (Optional) You can pass tag key-value pairs to your session. These are -- called session tags. For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- An administrator must grant you the permissions necessary to pass -- session tags. The administrator can also create granular permissions to -- allow you to pass only specific session tags. 
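-- For more information, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html Tutorial: Using Tags for Attribute-Based Access Control>
-- in the /IAM User Guide/.
--
-- Tag key–value pairs are not case sensitive, but case is preserved. This
-- means that you cannot have separate @Department@ and @department@ tag
-- keys. Assume that the user that you are federating has the
-- @Department@=@Marketing@ tag and you pass the @department@=@engineering@
-- session tag. @Department@ and @department@ are not saved as separate
-- tags, and the session tag passed in the request takes precedence over
-- the user tag.
module Amazonka.STS.GetFederationToken
  ( -- * Creating a Request
    GetFederationToken (..),
    newGetFederationToken,

    -- * Request Lenses
    getFederationToken_policyArns,
    getFederationToken_durationSeconds,
    getFederationToken_policy,
    getFederationToken_tags,
    getFederationToken_name,

    -- * Destructuring the Response
    GetFederationTokenResponse (..),
    newGetFederationTokenResponse,

    -- * Response Lenses
    getFederationTokenResponse_packedPolicySize,
    getFederationTokenResponse_credentials,
    getFederationTokenResponse_federatedUser,
    getFederationTokenResponse_httpStatus,
  )
where

import qualified Amazonka.Core as Core
import qualified Amazonka.Lens as Lens
import qualified Amazonka.Prelude as Prelude
import qualified Amazonka.Request as Request
import qualified Amazonka.Response as Response
import Amazonka.STS.Types

-- | /See:/ 'newGetFederationToken' smart constructor.
--
-- Request record for the STS @GetFederationToken@ operation. Only 'name' is
-- mandatory; the four other fields are optional ('Prelude.Maybe').
data GetFederationToken = GetFederationToken'
  { -- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
    -- want to use as a managed session policy. The policies must exist in the
    -- same account as the IAM user that is requesting federated access.
    --
    -- You must pass an inline or managed
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
    -- to this operation. You can pass a single JSON policy document to use as
    -- an inline session policy. You can also specify up to 10 managed policies
    -- to use as managed session policies. The plaintext that you use for both
    -- inline and managed session policies can\'t exceed 2,048 characters. You
    -- can provide up to 10 managed policy ARNs. For more information about
    -- ARNs, see
    -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
    -- in the Amazon Web Services General Reference.
    --
    -- This parameter is optional. However, if you do not pass any session
    -- policies, then the resulting federated user session has no permissions.
    --
    -- When you pass session policies, the session permissions are the
    -- intersection of the IAM user policies and the session policies that you
    -- pass. This gives you a way to further restrict the permissions for a
    -- federated user. You cannot use session policies to grant more
    -- permissions than those that are defined in the permissions policy of the
    -- IAM user. For more information, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
    -- in the /IAM User Guide/.
    --
    -- The resulting credentials can be used to access a resource that has a
    -- resource-based policy. If that policy specifically references the
    -- federated user session in the @Principal@ element of the policy, the
    -- session has the permissions allowed by the policy. These permissions are
    -- granted in addition to the permissions that are granted by the session
    -- policies.
    --
    -- An Amazon Web Services conversion compresses the passed session policies
    -- and session tags into a packed binary format that has a separate limit.
    -- Your request can fail for this limit even if your plaintext meets the
    -- other requirements. The @PackedPolicySize@ response element indicates by
    -- percentage how close the policies and tags for your request are to the
    -- upper size limit.
    policyArns :: Prelude.Maybe [PolicyDescriptorType],
    -- | The duration, in seconds, that the session should last. Acceptable
    -- durations for federation sessions range from 900 seconds (15 minutes) to
    -- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
    -- default. Sessions obtained using Amazon Web Services account root user
    -- credentials are restricted to a maximum of 3,600 seconds (one hour). If
    -- the specified duration is longer than one hour, the session obtained by
    -- using root user credentials defaults to one hour.
    --
    -- Note: the type only guarantees a non-negative number; the 900–129,600
    -- range above is not enforced by this record. Leaving the field unset
    -- relies on the 12-hour default, so set it explicitly when shorter-lived
    -- credentials are wanted.
    durationSeconds :: Prelude.Maybe Prelude.Natural,
    -- | An IAM policy in JSON format that you want to use as an inline session
    -- policy.
    --
    -- You must pass an inline or managed
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
    -- to this operation. You can pass a single JSON policy document to use as
    -- an inline session policy. You can also specify up to 10 managed policies
    -- to use as managed session policies.
    --
    -- This parameter is optional. However, if you do not pass any session
    -- policies, then the resulting federated user session has no permissions.
    --
    -- When you pass session policies, the session permissions are the
    -- intersection of the IAM user policies and the session policies that you
    -- pass. This gives you a way to further restrict the permissions for a
    -- federated user. You cannot use session policies to grant more
    -- permissions than those that are defined in the permissions policy of the
    -- IAM user. For more information, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
    -- in the /IAM User Guide/.
    --
    -- The resulting credentials can be used to access a resource that has a
    -- resource-based policy. If that policy specifically references the
    -- federated user session in the @Principal@ element of the policy, the
    -- session has the permissions allowed by the policy. These permissions are
    -- granted in addition to the permissions that are granted by the session
    -- policies.
    --
    -- The plaintext that you use for both inline and managed session policies
    -- can\'t exceed 2,048 characters. The JSON policy characters can be any
    -- ASCII character from the space character to the end of the valid
    -- character list (\\u0020 through \\u00FF). It can also include the tab
    -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
    --
    -- An Amazon Web Services conversion compresses the passed session policies
    -- and session tags into a packed binary format that has a separate limit.
    -- Your request can fail for this limit even if your plaintext meets the
    -- other requirements. The @PackedPolicySize@ response element indicates by
    -- percentage how close the policies and tags for your request are to the
    -- upper size limit.
    policy :: Prelude.Maybe Prelude.Text,
    -- | A list of session tags. Each session tag consists of a key name and an
    -- associated value. For more information about session tags, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
    -- in the /IAM User Guide/.
    --
    -- This parameter is optional. You can pass up to 50 session tags. The
    -- plaintext session tag keys can’t exceed 128 characters and the values
    -- can’t exceed 256 characters. For these and additional limits, see
    -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
    -- in the /IAM User Guide/.
    --
    -- An Amazon Web Services conversion compresses the passed session policies
    -- and session tags into a packed binary format that has a separate limit.
    -- Your request can fail for this limit even if your plaintext meets the
    -- other requirements. The @PackedPolicySize@ response element indicates by
    -- percentage how close the policies and tags for your request are to the
    -- upper size limit.
    --
    -- You can pass a session tag with the same key as a tag that is already
    -- attached to the user you are federating. When you do, session tags
    -- override a user tag with the same key.
    --
    -- Tag key–value pairs are not case sensitive, but case is preserved. This
    -- means that you cannot have separate @Department@ and @department@ tag
    -- keys. Assume that the role has the @Department@=@Marketing@ tag and you
    -- pass the @department@=@engineering@ session tag. @Department@ and
    -- @department@ are not saved as separate tags, and the session tag passed
    -- in the request takes precedence over the role tag.
    tags :: Prelude.Maybe [Tag],
    -- | The name of the federated user. The name is used as an identifier for
    -- the temporary security credentials (such as @Bob@). For example, you can
    -- reference the federated user name in a resource-based policy, such as in
    -- an Amazon S3 bucket policy.
    --
    -- The regex used to validate this parameter is a string of characters
    -- consisting of upper- and lower-case alphanumeric characters with no
    -- spaces. You can also include underscores or any of the following
    -- characters: =,.\@-
    --
    -- Note: the field is a plain 'Prelude.Text' and this record applies no
    -- such check itself. Because the name can be referenced in resource-based
    -- policies, validate a name derived from end-user input before building
    -- the request.
    name :: Prelude.Text
  }
  deriving (Prelude.Eq, Prelude.Read, Prelude.Show, Prelude.Generic)

-- |
-- Create a value of 'GetFederationToken' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'policyArns', 'getFederationToken_policyArns' - The Amazon Resource Names (ARNs) of the IAM managed policies that you
-- want to use as a managed session policy. The policies must exist in the
-- same account as the IAM user that is requesting federated access.
--
-- You must pass an inline or managed
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
-- to this operation. You can pass a single JSON policy document to use as
-- an inline session policy. You can also specify up to 10 managed policies
-- to use as managed session policies. The plaintext that you use for both
-- inline and managed session policies can\'t exceed 2,048 characters. You
-- can provide up to 10 managed policy ARNs. For more information about
-- ARNs, see
-- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces>
-- in the Amazon Web Services General Reference.
--
-- This parameter is optional. However, if you do not pass any session
-- policies, then the resulting federated user session has no permissions.
--
-- When you pass session policies, the session permissions are the
-- intersection of the IAM user policies and the session policies that you
-- pass. This gives you a way to further restrict the permissions for a
-- federated user. You cannot use session policies to grant more
-- permissions than those that are defined in the permissions policy of the
-- IAM user.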
For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The resulting credentials can be used to access a resource that has a -- resource-based policy. If that policy specifically references the -- federated user session in the @Principal@ element of the policy, the -- session has the permissions allowed by the policy. These permissions are -- granted in addition to the permissions that are granted by the session -- policies. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- 'durationSeconds', 'getFederationToken_durationSeconds' - The duration, in seconds, that the session should last. Acceptable -- durations for federation sessions range from 900 seconds (15 minutes) to -- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the -- default. Sessions obtained using Amazon Web Services account root user -- credentials are restricted to a maximum of 3,600 seconds (one hour). If -- the specified duration is longer than one hour, the session obtained by -- using root user credentials defaults to one hour. -- -- 'policy', 'getFederationToken_policy' - An IAM policy in JSON format that you want to use as an inline session -- policy. -- -- You must pass an inline or managed -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy> -- to this operation. You can pass a single JSON policy document to use as -- an inline session policy. You can also specify up to 10 managed policies -- to use as managed session policies. -- -- This parameter is optional. 
However, if you do not pass any session -- policies, then the resulting federated user session has no permissions. -- -- When you pass session policies, the session permissions are the -- intersection of the IAM user policies and the session policies that you -- pass. This gives you a way to further restrict the permissions for a -- federated user. You cannot use session policies to grant more -- permissions than those that are defined in the permissions policy of the -- IAM user. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The resulting credentials can be used to access a resource that has a -- resource-based policy. If that policy specifically references the -- federated user session in the @Principal@ element of the policy, the -- session has the permissions allowed by the policy. These permissions are -- granted in addition to the permissions that are granted by the session -- policies. -- -- The plaintext that you use for both inline and managed session policies -- can\'t exceed 2,048 characters. The JSON policy characters can be any -- ASCII character from the space character to the end of the valid -- character list (\\u0020 through \\u00FF). It can also include the tab -- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- 'tags', 'getFederationToken_tags' - A list of session tags. Each session tag consists of a key name and an -- associated value. 
For more information about session tags, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS> -- in the /IAM User Guide/. -- -- This parameter is optional. You can pass up to 50 session tags. The -- plaintext session tag keys can’t exceed 128 characters and the values -- can’t exceed 256 characters. For these and additional limits, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits> -- in the /IAM User Guide/. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. -- -- You can pass a session tag with the same key as a tag that is already -- attached to the user you are federating. When you do, session tags -- override a user tag with the same key. -- -- Tag key–value pairs are not case sensitive, but case is preserved. This -- means that you cannot have separate @Department@ and @department@ tag -- keys. Assume that the role has the @Department@=@Marketing@ tag and you -- pass the @department@=@engineering@ session tag. @Department@ and -- @department@ are not saved as separate tags, and the session tag passed -- in the request takes precedence over the role tag. -- -- 'name', 'getFederationToken_name' - The name of the federated user. The name is used as an identifier for -- the temporary security credentials (such as @Bob@). For example, you can -- reference the federated user name in a resource-based policy, such as in -- an Amazon S3 bucket policy. 
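--
-- The regex used to validate this parameter is a string of characters
-- consisting of upper- and lower-case alphanumeric characters with no
-- spaces. You can also include underscores or any of the following
-- characters: =,.\@-
--
-- Note: the value built here has both 'policy' and 'policyArns' set to
-- 'Prelude.Nothing'. Per the field documentation, a request sent without any
-- session policy yields a federated session with no permissions, so set a
-- session policy limited to what the federated user needs. The name is stored
-- exactly as given; this constructor does not validate it.
newGetFederationToken ::
  -- | 'name'
  Prelude.Text ->
  GetFederationToken
newGetFederationToken pName_ =
  GetFederationToken'
    { -- Every optional field starts out unset; callers fill them in with
      -- record update or the lenses exported by this module.
      policyArns = Prelude.Nothing,
      durationSeconds = Prelude.Nothing,
      policy = Prelude.Nothing,
      tags = Prelude.Nothing,
      -- The only mandatory field, taken verbatim from the argument.
      name = pName_
    }

-- | The Amazon Resource Names (ARNs) of the IAM managed policies that you
-- want to use as a managed session policy. The policies must exist in the
-- same account as the IAM user that is requesting federated access.
--
-- You must pass an inline or managed
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
-- to this operation. You can pass a single JSON policy document to use as
-- an inline session policy. You can also specify up to 10 managed policies
-- to use as managed session policies. The plaintext that you use for both
-- inline and managed session policies can\'t exceed 2,048 characters. You
-- can provide up to 10 managed policy ARNs.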
For more information about -- ARNs, see -- <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces> -- in the Amazon Web Services General Reference. -- -- This parameter is optional. However, if you do not pass any session -- policies, then the resulting federated user session has no permissions. -- -- When you pass session policies, the session permissions are the -- intersection of the IAM user policies and the session policies that you -- pass. This gives you a way to further restrict the permissions for a -- federated user. You cannot use session policies to grant more -- permissions than those that are defined in the permissions policy of the -- IAM user. For more information, see -- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies> -- in the /IAM User Guide/. -- -- The resulting credentials can be used to access a resource that has a -- resource-based policy. If that policy specifically references the -- federated user session in the @Principal@ element of the policy, the -- session has the permissions allowed by the policy. These permissions are -- granted in addition to the permissions that are granted by the session -- policies. -- -- An Amazon Web Services conversion compresses the passed session policies -- and session tags into a packed binary format that has a separate limit. -- Your request can fail for this limit even if your plaintext meets the -- other requirements. The @PackedPolicySize@ response element indicates by -- percentage how close the policies and tags for your request are to the -- upper size limit. 
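getFederationToken_policyArns :: Lens.Lens' GetFederationToken (Prelude.Maybe [PolicyDescriptorType])
getFederationToken_policyArns =
  Lens.lens
    (\GetFederationToken' {policyArns} -> policyArns)
    (\s@GetFederationToken' {} a -> s {policyArns = a} :: GetFederationToken)
    Prelude.. Lens.mapping Lens.coerced

-- | The duration, in seconds, that the session should last. Acceptable
-- durations for federation sessions range from 900 seconds (15 minutes) to
-- 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
-- default. Sessions obtained using Amazon Web Services account root user
-- credentials are restricted to a maximum of 3,600 seconds (one hour). If
-- the specified duration is longer than one hour, the session obtained by
-- using root user credentials defaults to one hour.
getFederationToken_durationSeconds :: Lens.Lens' GetFederationToken (Prelude.Maybe Prelude.Natural)
getFederationToken_durationSeconds =
  -- The setter stores the value as given; the 900-129,600 second range
  -- described above is not enforced by this lens.
  Lens.lens
    (\GetFederationToken' {durationSeconds} -> durationSeconds)
    (\s@GetFederationToken' {} a -> s {durationSeconds = a} :: GetFederationToken)

-- | An IAM policy in JSON format that you want to use as an inline session
-- policy.
--
-- You must pass an inline or managed
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session session policy>
-- to this operation. You can pass a single JSON policy document to use as
-- an inline session policy. You can also specify up to 10 managed policies
-- to use as managed session policies.
--
-- This parameter is optional. However, if you do not pass any session
-- policies, then the resulting federated user session has no permissions.
--
-- When you pass session policies, the session permissions are the
-- intersection of the IAM user policies and the session policies that you
-- pass. This gives you a way to further restrict the permissions for a
-- federated user. You cannot use session policies to grant more
-- permissions than those that are defined in the permissions policy of the
-- IAM user. For more information, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session Session Policies>
-- in the /IAM User Guide/.
--
-- The resulting credentials can be used to access a resource that has a
-- resource-based policy. If that policy specifically references the
-- federated user session in the @Principal@ element of the policy, the
-- session has the permissions allowed by the policy. These permissions are
-- granted in addition to the permissions that are granted by the session
-- policies.
--
-- The plaintext that you use for both inline and managed session policies
-- can\'t exceed 2,048 characters. The JSON policy characters can be any
-- ASCII character from the space character to the end of the valid
-- character list (\\u0020 through \\u00FF). It can also include the tab
-- (\\u0009), linefeed (\\u000A), and carriage return (\\u000D) characters.
--
-- An Amazon Web Services conversion compresses the passed session policies
-- and session tags into a packed binary format that has a separate limit.
-- Your request can fail for this limit even if your plaintext meets the
-- other requirements. The @PackedPolicySize@ response element indicates by
-- percentage how close the policies and tags for your request are to the
-- upper size limit.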
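getFederationToken_policy :: Lens.Lens' GetFederationToken (Prelude.Maybe Prelude.Text)
getFederationToken_policy =
  Lens.lens
    (\GetFederationToken' {policy} -> policy)
    (\s@GetFederationToken' {} a -> s {policy = a} :: GetFederationToken)

-- | A list of session tags. Each session tag consists of a key name and an
-- associated value. For more information about session tags, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html Passing Session Tags in STS>
-- in the /IAM User Guide/.
--
-- This parameter is optional. You can pass up to 50 session tags. The
-- plaintext session tag keys can’t exceed 128 characters and the values
-- can’t exceed 256 characters. For these and additional limits, see
-- <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length IAM and STS Character Limits>
-- in the /IAM User Guide/.
--
-- An Amazon Web Services conversion compresses the passed session policies
-- and session tags into a packed binary format that has a separate limit.
-- Your request can fail for this limit even if your plaintext meets the
-- other requirements. The @PackedPolicySize@ response element indicates by
-- percentage how close the policies and tags for your request are to the
-- upper size limit.
--
-- You can pass a session tag with the same key as a tag that is already
-- attached to the user you are federating. When you do, session tags
-- override a user tag with the same key.
--
-- Tag key–value pairs are not case sensitive, but case is preserved. This
-- means that you cannot have separate @Department@ and @department@ tag
-- keys. Assume that the role has the @Department@=@Marketing@ tag and you
-- pass the @department@=@engineering@ session tag. @Department@ and
-- @department@ are not saved as separate tags, and the session tag passed
-- in the request takes precedence over the role tag.
getFederationToken_tags :: Lens.Lens' GetFederationToken (Prelude.Maybe [Tag])
getFederationToken_tags =
  Lens.lens
    (\GetFederationToken' {tags} -> tags)
    (\s@GetFederationToken' {} a -> s {tags = a} :: GetFederationToken)
    Prelude.. Lens.mapping Lens.coerced

-- | The name of the federated user. The name is used as an identifier for
-- the temporary security credentials (such as @Bob@). For example, you can
-- reference the federated user name in a resource-based policy, such as in
-- an Amazon S3 bucket policy.
--
-- The regex used to validate this parameter is a string of characters
-- consisting of upper- and lower-case alphanumeric characters with no
-- spaces. You can also include underscores or any of the following
-- characters: =,.\@-
getFederationToken_name :: Lens.Lens' GetFederationToken Prelude.Text
getFederationToken_name =
  Lens.lens
    (\GetFederationToken' {name} -> name)
    (\s@GetFederationToken' {} a -> s {name = a} :: GetFederationToken)

instance Core.AWSRequest GetFederationToken where
  type
    AWSResponse GetFederationToken =
      GetFederationTokenResponse
  request = Request.postQuery defaultService
  response =
    Response.receiveXMLWrapper
      "GetFederationTokenResult"
      -- The three payload elements are read with 'Core..@?', i.e. as
      -- optional values, so 'credentials' can come back as
      -- 'Prelude.Nothing'; callers have to handle that case rather than
      -- assume a credential set is always present.
      ( \s h x ->
          GetFederationTokenResponse'
            Prelude.<$> (x Core..@? "PackedPolicySize")
            Prelude.<*> (x Core..@? "Credentials")
            Prelude.<*> (x Core..@? "FederatedUser")
            Prelude.<*> (Prelude.pure (Prelude.fromEnum s))
      )

instance Prelude.Hashable GetFederationToken

instance Prelude.NFData GetFederationToken

instance Core.ToHeaders GetFederationToken where
  toHeaders = Prelude.const Prelude.mempty

instance Core.ToPath GetFederationToken where
  toPath = Prelude.const "/"

instance Core.ToQuery GetFederationToken where
  toQuery GetFederationToken' {..} =
    Prelude.mconcat
      [ "Action"
          Core.=: ("GetFederationToken" :: Prelude.ByteString),
        "Version"
          Core.=: ("2011-06-15" :: Prelude.ByteString),
        "PolicyArns"
          Core.=: Core.toQuery
            (Core.toQueryList "member" Prelude.<$> policyArns),
        "DurationSeconds" Core.=: durationSeconds,
        "Policy" Core.=: policy,
        "Tags"
          Core.=: Core.toQuery
            (Core.toQueryList "member" Prelude.<$> tags),
        "Name" Core.=: name
      ]

-- | Contains the response to a successful GetFederationToken request,
-- including temporary Amazon Web Services credentials that can be used to
-- make Amazon Web Services requests.
--
-- /See:/ 'newGetFederationTokenResponse' smart constructor.
data GetFederationTokenResponse = GetFederationTokenResponse'
  { -- | A percentage value that indicates the packed size of the session
    -- policies and session tags combined passed in the request. The request
    -- fails if the packed size is greater than 100 percent, which means the
    -- policies and tags exceeded the allowed space.
    packedPolicySize :: Prelude.Maybe Prelude.Natural,
    -- | The temporary security credentials, which include an access key ID, a
    -- secret access key, and a security (or session) token.
    --
    -- The size of the security token that STS API operations return is not
    -- fixed. We strongly recommend that you make no assumptions about the
    -- maximum size.
    credentials :: Prelude.Maybe Core.AuthEnv,
    -- | Identifiers for the federated user associated with the credentials (such
    -- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
    -- @123456789012:Bob@). You can use the federated user\'s ARN in your
    -- resource-based policies, such as an Amazon S3 bucket policy.
    federatedUser :: Prelude.Maybe FederatedUser,
    -- | The response's http status code.
    httpStatus :: Prelude.Int
  }
  deriving (Prelude.Eq, Prelude.Show, Prelude.Generic)

-- NOTE(review): 'Prelude.Show' is derived over a record that carries
-- 'credentials'. Whether the secret access key and session token are
-- redacted in that output depends on the 'Show' instance of 'Core.AuthEnv',
-- which is defined outside this module - confirm before printing or logging
-- a response value.

-- |
-- Create a value of 'GetFederationTokenResponse' with all optional fields omitted.
--
-- Use <https://hackage.haskell.org/package/generic-lens generic-lens> or <https://hackage.haskell.org/package/optics optics> to modify other optional fields.
--
-- The following record fields are available, with the corresponding lenses provided
-- for backwards compatibility:
--
-- 'packedPolicySize', 'getFederationTokenResponse_packedPolicySize' - A percentage value that indicates the packed size of the session
-- policies and session tags combined passed in the request. The request
-- fails if the packed size is greater than 100 percent, which means the
-- policies and tags exceeded the allowed space.
--
-- 'credentials', 'getFederationTokenResponse_credentials' - The temporary security credentials, which include an access key ID, a
-- secret access key, and a security (or session) token.
--
-- The size of the security token that STS API operations return is not
-- fixed. We strongly recommend that you make no assumptions about the
-- maximum size.
--
-- 'federatedUser', 'getFederationTokenResponse_federatedUser' - Identifiers for the federated user associated with the credentials (such
-- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
-- @123456789012:Bob@). You can use the federated user\'s ARN in your
-- resource-based policies, such as an Amazon S3 bucket policy.
--
-- 'httpStatus', 'getFederationTokenResponse_httpStatus' - The response's http status code.
newGetFederationTokenResponse ::
  -- | 'httpStatus'
  Prelude.Int ->
  GetFederationTokenResponse
newGetFederationTokenResponse pHttpStatus_ =
  GetFederationTokenResponse'
    { packedPolicySize =
        Prelude.Nothing,
      credentials = Prelude.Nothing,
      federatedUser = Prelude.Nothing,
      httpStatus = pHttpStatus_
    }

-- | A percentage value that indicates the packed size of the session
-- policies and session tags combined passed in the request. The request
-- fails if the packed size is greater than 100 percent, which means the
-- policies and tags exceeded the allowed space.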
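getFederationTokenResponse_packedPolicySize :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe Prelude.Natural)
getFederationTokenResponse_packedPolicySize =
  Lens.lens
    (\GetFederationTokenResponse' {packedPolicySize} -> packedPolicySize)
    (\s@GetFederationTokenResponse' {} a -> s {packedPolicySize = a} :: GetFederationTokenResponse)

-- | The temporary security credentials, which include an access key ID, a
-- secret access key, and a security (or session) token.
--
-- The size of the security token that STS API operations return is not
-- fixed. We strongly recommend that you make no assumptions about the
-- maximum size.
getFederationTokenResponse_credentials :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe Core.AuthEnv)
getFederationTokenResponse_credentials =
  -- The focused value is the credential set itself; treat whatever is read
  -- through this lens as secret material (keep it out of logs and error
  -- messages).
  Lens.lens
    (\GetFederationTokenResponse' {credentials} -> credentials)
    (\s@GetFederationTokenResponse' {} a -> s {credentials = a} :: GetFederationTokenResponse)

-- | Identifiers for the federated user associated with the credentials (such
-- as @arn:aws:sts::123456789012:federated-user\/Bob@ or
-- @123456789012:Bob@). You can use the federated user\'s ARN in your
-- resource-based policies, such as an Amazon S3 bucket policy.
getFederationTokenResponse_federatedUser :: Lens.Lens' GetFederationTokenResponse (Prelude.Maybe FederatedUser)
getFederationTokenResponse_federatedUser =
  Lens.lens
    (\GetFederationTokenResponse' {federatedUser} -> federatedUser)
    (\s@GetFederationTokenResponse' {} a -> s {federatedUser = a} :: GetFederationTokenResponse)

-- | The response's http status code.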
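getFederationTokenResponse_httpStatus :: Lens.Lens' GetFederationTokenResponse Prelude.Int
getFederationTokenResponse_httpStatus =
  -- Plain field lens: the getter reads 'httpStatus', the setter replaces it.
  Lens.lens
    (\GetFederationTokenResponse' {httpStatus} -> httpStatus)
    (\s@GetFederationTokenResponse' {} a -> s {httpStatus = a} :: GetFederationTokenResponse)

-- No methods are given, so the class defaults are used.
instance Prelude.NFData GetFederationTokenResponse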