1 // Code generated by smithy-go-codegen DO NOT EDIT.
2 3 package sts
4 5 import (
6 "context"
7 "fmt"
8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
9 "github.com/aws/aws-sdk-go-v2/service/sts/types"
10 "github.com/aws/smithy-go/middleware"
11 smithyhttp "github.com/aws/smithy-go/transport/http"
12 )
// AssumeRoot returns a set of short-term credentials for performing privileged
// tasks on a member account in your organization. The caller must use
// credentials from an Organizations management account or a delegated
// administrator account for IAM; root user credentials cannot be used to make
// this call.
//
// Centralized root access must already be enabled in the organization before a
// privileged session can be launched. For the steps, see
// [Centralize root access for member accounts] in the IAM User Guide.
//
// AssumeRoot is not supported on the STS global endpoint: the request must be
// sent to a Regional STS endpoint. See [Endpoints].
//
// Sessions started through AssumeRoot are recorded in CloudTrail, which is how
// to determine what actions a session actually performed; see
// [Track privileged tasks in CloudTrail] in the IAM User Guide. Grant only the
// permissions the task at hand requires (see [Security best practices in IAM]),
// and use [service control policies] (SCPs) to manage and limit permissions
// across the organization; the Organizations User Guide has [General examples].
//
// A nil params is treated as an empty AssumeRootInput.
//
// [Endpoints]: https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html#sts-endpoints
// [Security best practices in IAM]: https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html
// [Track privileged tasks in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-track-privileged-tasks.html
// [General examples]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps_examples_general.html
// [service control policies]: https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html
// [Centralize root access for member accounts]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_root-enable-root-access.html
func (c *Client) AssumeRoot(ctx context.Context, params *AssumeRootInput, optFns ...func(*Options)) (*AssumeRootOutput, error) {
	in := params
	if in == nil {
		// Hand invokeOperation a non-nil input; presumably so the validation
		// middleware (see addOpAssumeRootValidationMiddleware) can report the
		// missing required members rather than tripping over a nil pointer.
		in = &AssumeRootInput{}
	}

	result, metadata, err := c.invokeOperation(ctx, "AssumeRoot", in, optFns, c.addOperationAssumeRootMiddlewares)
	if err != nil {
		return nil, err
	}

	// The deserializer registered for this operation is expected to produce
	// *AssumeRootOutput; any other dynamic type panics here.
	out := result.(*AssumeRootOutput)
	out.ResultMetadata = metadata
	return out, nil
}
// AssumeRootInput is the request payload for AssumeRoot.
type AssumeRootInput struct {

	// The member account principal ARN or account ID that the privileged session
	// targets.
	//
	// This member is required.
	TargetPrincipal *string

	// The identity based policy that scopes the session to the privileged tasks that
	// can be performed. One of the following Amazon Web Services managed policies
	// must be used to scope root session actions:
	//
	// [IAMAuditRootUserCredentials]
	//
	// [IAMCreateRootUserPassword]
	//
	// [IAMDeleteRootUserCredentials]
	//
	// [S3UnlockBucketPolicy]
	//
	// [SQSUnlockQueuePolicy]
	//
	// [IAMDeleteRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMDeleteRootUserCredentials
	// [IAMCreateRootUserPassword]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMCreateRootUserPassword
	// [IAMAuditRootUserCredentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-IAMAuditRootUserCredentials
	// [S3UnlockBucketPolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-S3UnlockBucketPolicy
	// [SQSUnlockQueuePolicy]: https://docs.aws.amazon.com/IAM/latest/UserGuide/security-iam-awsmanpol.html#security-iam-awsmanpol-SQSUnlockQueuePolicy
	//
	// This member is required.
	TaskPolicyArn *types.PolicyDescriptorType

	// The duration, in seconds, of the privileged session. The value can range from 0
	// seconds up to the maximum session duration of 900 seconds (15 minutes). If you
	// specify a value higher than this setting, the operation fails.
	//
	// By default, the value is set to 900 seconds. A pointer is used so that
	// "not set" (nil, which takes the default) stays distinct from an explicit 0.
	DurationSeconds *int32

	// Marker field shared by the generated request/response types; it is declared
	// elsewhere in this package.
	noSmithyDocumentSerde
}
// AssumeRootOutput is the response returned by AssumeRoot.
type AssumeRootOutput struct {

	// The temporary security credentials, which include an access key ID, a secret
	// access key, and a security token. These are the credentials of the privileged
	// session itself, so treat the value as a secret and keep it out of logs and
	// error messages.
	//
	// The size of the security token that STS API operations return is not fixed. We
	// strongly recommend that you make no assumptions about the maximum size.
	Credentials *types.Credentials

	// The source identity specified by the principal that is calling the AssumeRoot
	// operation.
	//
	// You can use the aws:SourceIdentity condition key to control access based on the
	// value of source identity. For more information about using source identity, see
	// [Monitor and control actions taken with assumed roles] in the IAM User Guide.
	//
	// The regex used to validate this parameter is a string of characters consisting
	// of upper- and lower-case alphanumeric characters with no spaces. You can also
	// include underscores or any of the following characters: =,.@-
	//
	// [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
	SourceIdentity *string

	// Metadata pertaining to the operation's result. AssumeRoot populates this from
	// the metadata returned by invokeOperation.
	ResultMetadata middleware.Metadata

	// Marker field shared by the generated request/response types; it is declared
	// elsewhere in this package.
	noSmithyDocumentSerde
}
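// addOperationAssumeRootMiddlewares registers every middleware the AssumeRoot
// operation needs on stack: the awsquery serializer/deserializer for this
// operation, the protocol finalizers, and the client-wide helpers (endpoint
// resolution, payload SHA-256, retry, logging, request validation, ...).
//
// Each Add call uses a relative position, so insertion order is presumably
// significant; the sequence below is kept exactly as the generated client emits
// it. The first failing registration aborts the build and its error is
// returned. The protocol-finalizer error is wrapped with %w (the generated code
// used %v), so callers can still reach the underlying error through
// errors.Is/errors.As.
//
// The add* helpers and the middleware types referenced here are defined
// elsewhere in this package.
func (c *Client) addOperationAssumeRootMiddlewares(stack *middleware.Stack, options Options) (err error) {
	if err = stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
		return err
	}
	if err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRoot{}, middleware.After); err != nil {
		return err
	}
	if err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRoot{}, middleware.After); err != nil {
		return err
	}
	if err = addProtocolFinalizerMiddlewares(stack, options, "AssumeRoot"); err != nil {
		// %w keeps the finalizer's error chain intact; %v would flatten it to text.
		return fmt.Errorf("add protocol finalizers: %w", err)
	}

	if err = addlegacyEndpointContextSetter(stack, options); err != nil {
		return err
	}
	if err = addSetLoggerMiddleware(stack, options); err != nil {
		return err
	}
	if err = addClientRequestID(stack); err != nil {
		return err
	}
	if err = addComputeContentLength(stack); err != nil {
		return err
	}
	if err = addResolveEndpointMiddleware(stack, options); err != nil {
		return err
	}
	if err = addComputePayloadSHA256(stack); err != nil {
		return err
	}
	if err = addRetry(stack, options); err != nil {
		return err
	}
	if err = addRawResponseToMetadata(stack); err != nil {
		return err
	}
	if err = addRecordResponseTiming(stack); err != nil {
		return err
	}
	if err = addSpanRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addClientUserAgent(stack, options); err != nil {
		return err
	}
	if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
		return err
	}
	if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
		return err
	}
	if err = addTimeOffsetBuild(stack, c); err != nil {
		return err
	}
	if err = addUserAgentRetryMode(stack, options); err != nil {
		return err
	}
	if err = addCredentialSource(stack, options); err != nil {
		return err
	}
	// Input validation (required members such as TargetPrincipal/TaskPolicyArn)
	// is enforced by this middleware before the request is sent.
	if err = addOpAssumeRootValidationMiddleware(stack); err != nil {
		return err
	}
	if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRoot(options.Region), middleware.Before); err != nil {
		return err
	}
	if err = addRecursionDetection(stack); err != nil {
		return err
	}
	if err = addRequestIDRetrieverMiddleware(stack); err != nil {
		return err
	}
	if err = addResponseErrorMiddleware(stack); err != nil {
		return err
	}
	if err = addRequestResponseLogging(stack, options); err != nil {
		return err
	}
	if err = addDisableHTTPSMiddleware(stack, options); err != nil {
		return err
	}
	if err = addInterceptBeforeRetryLoop(stack, options); err != nil {
		return err
	}
	if err = addInterceptAttempt(stack, options); err != nil {
		return err
	}
	if err = addInterceptors(stack, options); err != nil {
		return err
	}
	return nil
}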
// newServiceMetadataMiddleware_opAssumeRoot builds the RegisterServiceMetadata
// middleware that tags the request with the service ID, the AssumeRoot
// operation name and the region the client resolved.
//
// ServiceID is a package-level value defined elsewhere in this package.
func newServiceMetadataMiddleware_opAssumeRoot(region string) *awsmiddleware.RegisterServiceMetadata {
	md := awsmiddleware.RegisterServiceMetadata{
		OperationName: "AssumeRoot",
		ServiceID:     ServiceID,
		Region:        region,
	}
	return &md
}
233