# This file is automatically generated by botocraft. Do not edit directly.
# mypy: disable-error-code="index, override, assignment, union-attr, misc"
from botocraft.mixins.tags import TagsDictMixin
from pydantic import Field
from datetime import datetime
from botocraft.services.common import Tag
from .abstract import (
Boto3Model,
ReadonlyBoto3Model,
PrimaryBoto3Model,
ReadonlyPrimaryBoto3Model,
Boto3ModelManager,
ReadonlyBoto3ModelManager,
)
import builtins
from typing import ClassVar, Literal, Any, cast
# ===============
# Managers
# ===============
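class AssumeRoleManager(Boto3ModelManager):
    """
    Manager for the STS ``AssumeRole`` family of operations.

    Every method here returns a model whose ``Credentials`` field carries a live
    secret access key and session token. Treat the returned object as a secret:
    do not log it, and do not persist it in cleartext.
    """

    service_name: str = "sts"

    def assume(
        self,
        RoleArn: str,
        RoleSessionName: str,
        *,
        PolicyArns: "builtins.list[STSPolicyDescriptorType] | None" = None,
        Policy: "str | None" = None,
        DurationSeconds: "int | None" = None,
        Tags: "builtins.list[Tag] | None" = None,
        TransitiveTagKeys: "builtins.list[str] | None" = None,
        ExternalId: "str | None" = None,
        SerialNumber: "str | None" = None,
        TokenCode: "str | None" = None,
        SourceIdentity: "str | None" = None,
        ProvidedContexts: "builtins.list[STSProvidedContext] | None" = None,
    ) -> "AssumeRole":
        """
        Returns a set of temporary security credentials that you can use to access Amazon Web Services resources. These
        temporary credentials consist of an access key ID, a secret access key, and a security token. Typically, you use
        ``AssumeRole`` within your account or for cross-account access. For a comparison of ``AssumeRole`` with other API
        operations that produce temporary credentials, see `Requesting Temporary Security
        Credentials <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html>`_ and `Compare STS
        credentials <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html>`_ in the *IAM User
        Guide*.

        Args:
            RoleArn: The Amazon Resource Name (ARN) of the role to assume.
            RoleSessionName: An identifier for the assumed role session.

        Keyword Args:
            PolicyArns: The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session
                policies. The policies must exist in the same account as the role.
            Policy: An IAM policy in JSON format that you want to use as an inline session policy.
            DurationSeconds: The duration, in seconds, of the role session. The value specified can range from 900 seconds (15
                minutes) up to the maximum session duration set for the role. The maximum session duration setting can have a value
                from 1 hour to 12 hours. If you specify a value higher than this setting or the administrator setting (whichever is
                lower), the operation fails. For example, if you specify a session duration of 12 hours, but your administrator set
                the maximum session duration to 6 hours, your operation fails.
            Tags: A list of session tags that you want to pass. Each session tag consists of a key name and an associated value.
                For more information about session tags, see `Tagging Amazon Web Services STS Sessions
                <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html>`_ in the *IAM User Guide*.
            TransitiveTagKeys: A list of keys for session tags that you want to set as transitive. If you set a tag key as
                transitive, the corresponding key and value passes to subsequent sessions in a role chain. For more information, see
                `Chaining Roles with Session Tags
                <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining>`_ in the
                *IAM User Guide*.
            ExternalId: A unique identifier that might be required when you assume a role in another account. If the
                administrator of the account to which the role belongs provided you with an external ID, then provide that value in
                the ``ExternalId`` parameter. This value can be any string, such as a passphrase or account number. A cross-account
                role is usually set up to trust everyone in an account. Therefore, the administrator of the trusting account might
                send an external ID to the administrator of the trusted account. That way, only someone with the ID can assume the
                role, rather than everyone in the account. For more information about the external ID, see `How to Use an External
                ID When Granting Access to Your Amazon Web Services Resources to a Third Party
                <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html>`_ in the *IAM User
                Guide*.
            SerialNumber: The identification number of the MFA device that is associated with the user who is making the
                ``AssumeRole`` call. Specify this value if the trust policy of the role being assumed includes a condition that
                requires MFA authentication. The value is either the serial number for a hardware device (such as ``GAHT12345678``)
                or an Amazon Resource Name (ARN) for a virtual device (such as ``arn:aws:iam::123456789012:mfa/user``).
            TokenCode: The value provided by the MFA device, if the trust policy of the role being assumed requires MFA. (In
                other words, if the policy includes a condition that tests for MFA). If the role being assumed requires MFA and if
                the ``TokenCode`` value is missing or expired, the ``AssumeRole`` call returns an "access denied" error.
            SourceIdentity: The source identity specified by the principal that is calling the ``AssumeRole`` operation. The
                source identity value persists across `chained role
                <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining>`_ sessions.
            ProvidedContexts: A list of previously acquired trusted context assertions in the format of a JSON array. The
                trusted context assertion is signed and encrypted by Amazon Web Services STS.

        Returns:
            The ``AssumeRole`` model built from the service response. Its ``Credentials``
            hold a live secret access key and session token.
        """
        args: dict[str, Any] = dict(
            RoleArn=self.serialize(RoleArn),
            RoleSessionName=self.serialize(RoleSessionName),
            PolicyArns=self.serialize(PolicyArns),
            Policy=self.serialize(Policy),
            DurationSeconds=self.serialize(DurationSeconds),
            Tags=self.serialize(Tags),
            TransitiveTagKeys=self.serialize(TransitiveTagKeys),
            ExternalId=self.serialize(ExternalId),
            SerialNumber=self.serialize(SerialNumber),
            TokenCode=self.serialize(TokenCode),
            SourceIdentity=self.serialize(SourceIdentity),
            ProvidedContexts=self.serialize(ProvidedContexts),
        )
        # Only forward the parameters the caller actually set; unset ones are
        # ``None`` after serialization and must not reach the boto3 call.
        _response = self.client.assume_role(
            **{k: v for k, v in args.items() if v is not None}
        )
        # Model construction either succeeds or raises, so the result can never
        # be ``None``; the former ``results`` placeholder and its ``is not None``
        # guard were unreachable and have been dropped.
        response = AssumeRole(**_response)
        # sessionize() is provided by Boto3ModelManager; presumably it binds this
        # manager's session to the model -- confirm in the base class.
        self.sessionize(response)
        return response

    def assume_with_saml(
        self,
        RoleArn: str,
        PrincipalArn: str,
        SAMLAssertion: str,
        *,
        PolicyArns: "builtins.list[STSPolicyDescriptorType] | None" = None,
        Policy: "str | None" = None,
        DurationSeconds: "int | None" = None,
    ) -> "AssumeRole | None":
        """
        Returns a set of temporary security credentials for users who have been authenticated via a SAML authentication
        response. This operation provides a mechanism for tying an enterprise identity store or directory to role-based Amazon
        Web Services access without user-specific credentials or configuration. For a comparison of ``AssumeRoleWithSAML`` with
        the other API operations that produce temporary credentials, see `Requesting Temporary Security
        Credentials <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html>`_ and `Compare STS
        credentials <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_sts-comparison.html>`_ in the *IAM User
        Guide*.

        Args:
            RoleArn: The Amazon Resource Name (ARN) of the role that the caller is assuming.
            PrincipalArn: The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.
            SAMLAssertion: The base64 encoded SAML authentication response provided by the IdP.

        Keyword Args:
            PolicyArns: The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session
                policies. The policies must exist in the same account as the role.
            Policy: An IAM policy in JSON format that you want to use as an inline session policy.
            DurationSeconds: The duration, in seconds, of the role session. Your role session lasts for the duration that you
                specify for the ``DurationSeconds`` parameter, or until the time specified in the SAML authentication response's
                ``SessionNotOnOrAfter`` value, whichever is shorter. You can provide a ``DurationSeconds`` value from 900 seconds
                (15 minutes) up to the maximum session duration setting for the role. This setting can have a value from 1 hour to
                12 hours. If you specify a value higher than this setting, the operation fails. For example, if you specify a
                session duration of 12 hours, but your administrator set the maximum session duration to 6 hours, your operation
                fails. To learn how to view the maximum value for your role, see `View the Maximum Session Duration Setting for a
                Role <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session>`_ in
                the *IAM User Guide*.

        Returns:
            The model built from the service response (see the note in the body about
            its concrete class). Its ``Credentials`` hold a live secret access key and
            session token.
        """
        args: dict[str, Any] = dict(
            RoleArn=self.serialize(RoleArn),
            PrincipalArn=self.serialize(PrincipalArn),
            SAMLAssertion=self.serialize(SAMLAssertion),
            PolicyArns=self.serialize(PolicyArns),
            Policy=self.serialize(Policy),
            DurationSeconds=self.serialize(DurationSeconds),
        )
        # Only forward the parameters the caller actually set.
        _response = self.client.assume_role_with_saml(
            **{k: v for k, v in args.items() if v is not None}
        )
        # NOTE(review): the object built here is an AssumeRoleWithSAMLResponse, but
        # the declared return type and the cast below say AssumeRole (whose
        # SAML-only fields suggest it was meant as the unified return model). The
        # generator's response-class and return-type settings look out of sync;
        # confirm which is intended before relying on the annotation.
        response = AssumeRoleWithSAMLResponse(**_response)
        self.sessionize(response)
        return cast("AssumeRole | None", response)

    def assume_with_web_identity(
        self,
        RoleArn: str,
        RoleSessionName: str,
        WebIdentityToken: str,
        *,
        ProviderId: "str | None" = None,
        PolicyArns: "builtins.list[STSPolicyDescriptorType] | None" = None,
        Policy: "str | None" = None,
        DurationSeconds: "int | None" = None,
    ) -> "AssumeRole | None":
        """
        Returns a set of temporary security credentials for users who have been authenticated in a mobile or web application
        with a web identity provider. Example providers include the OAuth 2.0 providers Login with Amazon and Facebook, or any
        OpenID Connect-compatible identity provider such as Google or `Amazon Cognito federated
        identities <https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html>`_.

        Args:
            RoleArn: The Amazon Resource Name (ARN) of the role that the caller is assuming.
            RoleSessionName: An identifier for the assumed role session. Typically, you pass the name or identifier that is
                associated with the user who is using your application. That way, the temporary security credentials that your
                application will use are associated with that user. This session name is included as part of the ARN and assumed
                role ID in the ``AssumedRoleUser`` response element.
            WebIdentityToken: The OAuth 2.0 access token or OpenID Connect ID token that is provided by the identity provider.
                Your application must get this token by authenticating the user who is using your application with a web identity
                provider before the application makes an ``AssumeRoleWithWebIdentity`` call. Timestamps in the token must be
                formatted as either an integer or a long integer. Tokens must be signed using either RSA keys (RS256, RS384, or
                RS512) or ECDSA keys (ES256, ES384, or ES512).

        Keyword Args:
            ProviderId: The fully qualified host component of the domain name of the OAuth 2.0 identity provider. Do not specify
                this value for an OpenID Connect identity provider.
            PolicyArns: The Amazon Resource Names (ARNs) of the IAM managed policies that you want to use as managed session
                policies. The policies must exist in the same account as the role.
            Policy: An IAM policy in JSON format that you want to use as an inline session policy.
            DurationSeconds: The duration, in seconds, of the role session. The value can range from 900 seconds (15 minutes) up
                to the maximum session duration setting for the role. This setting can have a value from 1 hour to 12 hours. If you
                specify a value higher than this setting, the operation fails. For example, if you specify a session duration of 12
                hours, but your administrator set the maximum session duration to 6 hours, your operation fails. To learn how to
                view the maximum value for your role, see `View the Maximum Session Duration Setting for a Role
                <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session>`_ in the
                *IAM User Guide*.

        Returns:
            The model built from the service response (see the note in the body about
            its concrete class). Its ``Credentials`` hold a live secret access key and
            session token.
        """
        args: dict[str, Any] = dict(
            RoleArn=self.serialize(RoleArn),
            RoleSessionName=self.serialize(RoleSessionName),
            WebIdentityToken=self.serialize(WebIdentityToken),
            ProviderId=self.serialize(ProviderId),
            PolicyArns=self.serialize(PolicyArns),
            Policy=self.serialize(Policy),
            DurationSeconds=self.serialize(DurationSeconds),
        )
        # Only forward the parameters the caller actually set.
        _response = self.client.assume_role_with_web_identity(
            **{k: v for k, v in args.items() if v is not None}
        )
        # NOTE(review): same mismatch as assume_with_saml(): the concrete object
        # is an AssumeRoleWithWebIdentityResponse while the annotation and cast
        # say AssumeRole. Confirm the generator's intent.
        response = AssumeRoleWithWebIdentityResponse(**_response)
        self.sessionize(response)
        return cast("AssumeRole | None", response)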
class CallerIdentityManager(Boto3ModelManager):
    """
    Manager for the STS ``GetCallerIdentity`` operation.
    """

    service_name: str = "sts"

    def get(
        self,
    ) -> "CallerIdentity | None":
        """
        Returns details about the IAM user or role whose credentials are used to call
        the operation.

        Returns:
            The ``CallerIdentity`` model built from the service response.
        """
        # GetCallerIdentity takes no request parameters, so the request map is
        # empty; it is kept as a dict for symmetry with the other managers.
        request: dict[str, Any] = {}
        raw = self.client.get_caller_identity(**request)
        identity = CallerIdentity(**raw)
        if not identity:
            return None
        # sessionize() comes from Boto3ModelManager; presumably it binds this
        # manager's session to the model -- confirm in the base class.
        self.sessionize(identity)
        return identity
# ==============
# Service Models
# ==============
class STSCredentials(Boto3Model):
    """
    Amazon Web Services credentials for API authentication.

    ``SecretAccessKey`` and ``SessionToken`` are secrets: do not log, print or
    persist instances of this model in cleartext. The credentials stop being
    accepted at ``Expiration``.
    """

    AccessKeyId: str
    """
    The access key ID that identifies the temporary security credentials.
    """
    # Secret: never emit in logs or error messages.
    SecretAccessKey: str
    """
    The secret access key that can be used to sign requests.
    """
    # Secret: never emit in logs or error messages.
    SessionToken: str
    """
    The token that users must pass to the service API to use the temporary credentials.
    """
    # NOTE(review): boto3 normally returns timezone-aware datetimes for this
    # field; compare it against an aware "now" rather than a naive one.
    Expiration: datetime
    """
    The date on which the current credentials expire.
    """
class STSAssumedRoleUser(Boto3Model):
    """
    The identifiers for the temporary security credentials that the operation returns.

    These values identify the session (not a secret) and are what shows up as the
    principal in CloudTrail and in resource-based policies.
    """

    AssumedRoleId: str
    """
    A unique identifier that contains the role ID and the role session name of the role
    that is being assumed.
    The role ID is generated by Amazon Web Services when the role is created.
    """
    Arn: str
    """
    The ARN of the temporary security credentials that are returned from the AssumeRole
    action.
    For more information about ARNs and how to use them in policies, see
    `IAM Identifiers <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_identifiers.html>`_
    in the *IAM User Guide*.
    """
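class AssumeRole(ReadonlyPrimaryBoto3Model):
    """
    Contains the response to a successful AssumeRole request, including temporary Amazon
    Web Services credentials that can be used to make Amazon Web Services requests.

    ``Credentials`` carries a live secret access key and session token, so treat
    instances of this model as secrets. The fields marked SAML-only or Web
    Identity-only default to ``None`` and are described for the corresponding
    assume operation only.
    """

    manager_class: ClassVar[type[Boto3ModelManager]] = AssumeRoleManager

    Credentials: "STSCredentials | None" = None
    """
    The temporary security credentials, which include an access key ID, a secret access
    key, and a security (or session) token.
    """
    AssumedRoleUser: "STSAssumedRoleUser | None" = None
    """
    The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that
    you can use to refer to the resulting temporary security credentials.
    For example, you can reference these credentials as a principal in a resource-based
    policy by using the ARN or assumed role ID. The ARN and ID include the ``RoleSessionName`` that you specified when you
    called ``AssumeRole``.
    """
    PackedPolicySize: "int | None" = None
    """
    A percentage value that indicates the packed size of the session policies and
    session tags combined passed in the request.
    The request fails if the packed size is greater than 100 percent, which means the
    policies and tags exceeded the allowed space.
    """
    SourceIdentity: "str | None" = None
    """
    The source identity specified by the principal that is calling the ``AssumeRole``
    operation.
    """
    Subject: str | None = None
    """
    The subject of the assumed role.
    """
    SubjectType: str | None = None
    """
    The type of the subject of the assumed role (SAML only).
    """
    Issuer: str | None = None
    """
    The issuer of the assumed role (SAML Only).
    """
    Provider: str | None = None
    """
    The provider of the assumed role (Web Identity Only).
    """
    Audience: str | None = None
    """
    The audience of the assumed role (SAML Only).
    """
    NameQualifier: str | None = None
    """
    The name qualifier of the assumed role (SAML Only).
    """
    SubjectFromWebIdentityToken: str | None = None
    """
    The subject from the web identity token (Web Identity Only).
    """

    @property
    def pk(self) -> str | None:
        """
        Return the primary key of the model. This is the value of the
        :py:attr:`Credentials.AccessKeyId` attribute, or ``None`` when the
        response carried no credentials.

        Returns:
            The primary key of the model instance.
        """
        # ``Credentials`` is optional; the unguarded attribute access used to raise
        # AttributeError instead of honouring the declared ``str | None``.
        if self.Credentials is None:
            return None
        return self.Credentials.AccessKeyId

    @property
    def arn(self) -> str | None:
        """
        Return the ARN of the model. This is the value of the
        :py:attr:`AssumedRoleUser.Arn` attribute, or ``None`` when the response
        carried no ``AssumedRoleUser``.

        Returns:
            The ARN of the model instance.
        """
        # Same guard as ``pk``: ``AssumedRoleUser`` is optional.
        if self.AssumedRoleUser is None:
            return None
        return self.AssumedRoleUser.Arn

    def __hash__(self) -> int:
        """
        Return the hash of the model.

        This is the hash of the :py:attr:`Credentials.AccessKeyId` attribute
        (``hash(None)`` when there are no credentials), i.e. the hash of ``pk``.
        """
        return hash(self.pk)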
class CallerIdentity(ReadonlyPrimaryBoto3Model):
    """
    Contains the response to a successful GetCallerIdentity request, including
    information about the entity making the request.

    Note that ``pk`` and ``__hash__`` are based on ``Account`` only, so two
    identities from the same account compare equal by primary key even when
    they are different principals; use ``Arn`` or ``UserId`` to tell them apart.
    """

    manager_class: ClassVar[type[Boto3ModelManager]] = CallerIdentityManager

    UserId: "str | None" = None
    """
    The unique identifier of the calling entity.
    The exact value depends on the type of entity that is making the call. The values
    returned are those listed in the **aws:userid** column in the
    `Principal table <https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_variables.html#principaltable>`_
    found on the
    **Policy Variables** reference page in the *IAM User Guide*.
    """
    Account: "str | None" = None
    """
    The Amazon Web Services account ID number of the account that owns or contains the
    calling entity.
    """
    Arn: "str | None" = None
    """
    The Amazon Web Services ARN associated with the calling entity.
    """

    @property
    def pk(self) -> str | None:
        """
        Return the primary key of the model. This is the value of the
        :py:attr:`Account` attribute.

        Returns:
            The primary key of the model instance.
        """
        # Account-level key: not unique per principal (see class docstring).
        return self.Account

    @property
    def arn(self) -> str | None:
        """
        Return the ARN of the model. This is the value of the :py:attr:`Arn`
        attribute.

        Returns:
            The ARN of the model instance.
        """
        return self.Arn

    @property
    def name(self) -> str | None:
        """
        Return the name of the model. This is the value of the :py:attr:`UserId`
        attribute.

        Returns:
            The name of the model instance.
        """
        return self.UserId

    def __hash__(self) -> int:
        """
        Return the hash of the model.
        This is the value of the
        :py:attr:`Account` attribute.
        """
        # ``Account`` may be ``None``; ``hash(None)`` is valid, so no guard needed.
        return hash(self.Account)
# =======================
# Request/Response Models
# =======================
class STSPolicyDescriptorType(Boto3Model):
    """
    A reference to the IAM managed policy that is passed as a session policy for a role
    session or a federated user session.

    Session policies can only narrow the permissions granted by the role's own
    policies; they cannot add permissions.
    """

    # Lower-case field name is deliberate: it matches the STS wire shape.
    arn: "str | None" = None
    """
    The Amazon Resource Name (ARN) of the IAM managed policy to use as a session policy
    for the role.
    For more information
    about ARNs, see `Amazon Resource Names (ARNs) and Amazon Web Services Service
    Namespaces <https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html>`_ in the *Amazon Web Services
    General Reference*.
    """
class STSProvidedContext(Boto3Model):
    """
    Contains information about the provided context.
    This includes the signed and encrypted trusted context assertion and the context
    provider ARN from which the trusted context assertion was generated.
    """

    ProviderArn: "str | None" = None
    """
    The context provider ARN from which the trusted context assertion was generated.
    """
    # Opaque to callers: STS signs and encrypts it, so it must be passed through
    # unmodified.
    ContextAssertion: "str | None" = None
    """
    The signed and encrypted trusted context assertion generated by the context
    provider.
    The trusted context assertion is signed and encrypted by Amazon Web Services STS.
    """
class AssumeRoleWithSAMLResponse(Boto3Model):
    """
    Contains the response to a successful AssumeRoleWithSAML request, including
    temporary Amazon Web Services credentials that can be used to make Amazon Web
    Services requests.

    ``Credentials`` carries a live secret access key and session token; treat
    instances of this model as secrets.
    """

    Credentials: "STSCredentials | None" = None
    """
    The temporary security credentials, which include an access key ID, a secret access
    key, and a security (or session) token.
    """
    AssumedRoleUser: "STSAssumedRoleUser | None" = None
    """
    The identifiers for the temporary security credentials that the operation returns.
    """
    PackedPolicySize: "int | None" = None
    """
    A percentage value that indicates the packed size of the session policies and
    session tags combined passed in the request.
    The request fails if the packed size is greater than 100 percent, which means the
    policies and tags exceeded the allowed space.
    """
    Subject: "str | None" = None
    """
    The value of the ``NameID`` element in the ``Subject`` element of the SAML
    assertion.
    """
    SubjectType: "str | None" = None
    """
    The format of the name ID, as defined by the ``Format`` attribute in the ``NameID``
    element of the SAML assertion.
    Typical examples of the format are ``transient`` or ``persistent``.
    """
    Issuer: "str | None" = None
    """
    The value of the ``Issuer`` element of the SAML assertion.
    """
    Audience: "str | None" = None
    """
    The value of the ``Recipient`` attribute of the ``SubjectConfirmationData`` element
    of the SAML assertion.
    """
    # NOTE(review): the upstream description below is truncated. Per the STS API
    # reference, this is a hash of the Issuer value, the account ID and the SAML
    # provider's friendly name; together with ``Subject`` it identifies a user.
    NameQualifier: "str | None" = None
    """
    A hash value based on the concatenation of the following:
    """
    SourceIdentity: "str | None" = None
    """
    The value in the ``SourceIdentity`` attribute in the SAML assertion.
    The source identity value persists across
    `chained role <https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html#iam-term-role-chaining>`_
    sessions.
    """
class AssumeRoleWithWebIdentityResponse(Boto3Model):
    """
    Contains the response to a successful AssumeRoleWithWebIdentity request, including
    temporary Amazon Web Services credentials that can be used to make Amazon Web
    Services requests.

    ``Credentials`` carries a live secret access key and session token; treat
    instances of this model as secrets.
    """

    Credentials: "STSCredentials | None" = None
    """
    The temporary security credentials, which include an access key ID, a secret access
    key, and a security token.
    """
    SubjectFromWebIdentityToken: "str | None" = None
    """
    The unique user identifier that is returned by the identity provider.
    This identifier is associated with the
    ``WebIdentityToken`` that was submitted with the ``AssumeRoleWithWebIdentity`` call. The identifier is typically unique
    to the user and the application that acquired the ``WebIdentityToken`` (pairwise identifier). For OpenID Connect ID
    tokens, this field contains the value returned by the identity provider as the token's ``sub`` (Subject) claim.
    """
    AssumedRoleUser: "STSAssumedRoleUser | None" = None
    """
    The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers that
    you can use to refer to the resulting temporary security credentials.
    For example, you can reference these credentials as a principal in a resource-based
    policy by using the ARN or assumed role ID. The ARN and ID include the ``RoleSessionName`` that you specified when you
    called ``AssumeRole``.
    """
    PackedPolicySize: "int | None" = None
    """
    A percentage value that indicates the packed size of the session policies and
    session tags combined passed in the request.
    The request fails if the packed size is greater than 100 percent, which means the
    policies and tags exceeded the allowed space.
    """
    # ``Provider`` and ``Audience`` echo the token's issuer and client ID as STS
    # saw them; they are useful for auditing which IdP/app minted the session.
    Provider: "str | None" = None
    """
    The issuing authority of the web identity token presented.
    For OpenID Connect ID tokens, this contains the value of the
    ``iss`` field. For OAuth 2.0 access tokens, this contains the value of the ``ProviderId`` parameter that was passed in
    the ``AssumeRoleWithWebIdentity`` request.
    """
    Audience: "str | None" = None
    """
    The intended audience (also known as client ID) of the web identity token.
    This is traditionally the client identifier issued to the application that requested
    the web identity token.
    """
    SourceIdentity: "str | None" = None
    """
    The value of the source identity that is returned in the JSON web token (JWT) from
    the identity provider.
    """