Documentation
¶
Index ¶
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
This section is empty.
Types ¶
type CloudFormation ¶
type CloudFormation interface {
// Activates a public third-party extension, making it available for use in stack
// templates. For more information, see Using public extensions
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-public.html)
// in the CloudFormation User Guide. Once you have activated a public third-party
// extension in your account and region, use SetTypeConfiguration to specify
// configuration properties for the extension. For more information, see
// Configuring extensions at the account level
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration)
// in the CloudFormation User Guide.
ActivateType(ctx context.Context, params *ActivateTypeInput, optFns ...func(*Options)) (*ActivateTypeOutput, error)
// Returns configuration data for the specified CloudFormation extensions, from the
// CloudFormation registry for the account and region. For more information, see
// Configuring extensions at the account level
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration)
// in the CloudFormation User Guide.
BatchDescribeTypeConfigurations(ctx context.Context, params *BatchDescribeTypeConfigurationsInput, optFns ...func(*Options)) (*BatchDescribeTypeConfigurationsOutput, error)
// Cancels an update on the specified stack. If the call completes successfully,
// the stack rolls back the update and reverts to the previous stack configuration.
// You can cancel only stacks that are in the UPDATE_IN_PROGRESS state.
CancelUpdateStack(ctx context.Context, params *CancelUpdateStackInput, optFns ...func(*Options)) (*CancelUpdateStackOutput, error)
// For a specified stack that's in the UPDATE_ROLLBACK_FAILED state, continues
// rolling it back to the UPDATE_ROLLBACK_COMPLETE state. Depending on the cause of
// the failure, you can manually fix the error
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/troubleshooting.html#troubleshooting-errors-update-rollback-failed)
// and continue the rollback. By continuing the rollback, you can return your stack
// to a working state (the UPDATE_ROLLBACK_COMPLETE state), and then try to update
// the stack again. A stack goes into the UPDATE_ROLLBACK_FAILED state when
// CloudFormation can't roll back all changes after a failed stack update. For
// example, you might have a stack that's rolling back to an old database instance
// that was deleted outside of CloudFormation. Because CloudFormation doesn't know
// the database was deleted, it assumes that the database instance still exists and
// attempts to roll back to it, causing the update rollback to fail.
ContinueUpdateRollback(ctx context.Context, params *ContinueUpdateRollbackInput, optFns ...func(*Options)) (*ContinueUpdateRollbackOutput, error)
// Creates a list of changes that will be applied to a stack so that you can review
// the changes before executing them. You can create a change set for a stack that
// doesn't exist or an existing stack. If you create a change set for a stack that
// doesn't exist, the change set shows all of the resources that CloudFormation
// will create. If you create a change set for an existing stack, CloudFormation
// compares the stack's information with the information that you submit in the
// change set and lists the differences. Use change sets to understand which
// resources CloudFormation will create or change, and how it will change resources
// in an existing stack, before you create or update a stack. To create a change
// set for a stack that doesn't exist, for the ChangeSetType parameter, specify
// CREATE. To create a change set for an existing stack, specify UPDATE for the
// ChangeSetType parameter. To create a change set for an import operation, specify
// IMPORT for the ChangeSetType parameter. After the CreateChangeSet call
// successfully completes, CloudFormation starts creating the change set. To check
// the status of the change set or to review it, use the DescribeChangeSet action.
// When you are satisfied with the changes the change set will make, execute the
// change set by using the ExecuteChangeSet action. CloudFormation doesn't make
// changes until you execute the change set. To create a change set for the entire
// stack hierarchy, set IncludeNestedStacks to True.
CreateChangeSet(ctx context.Context, params *CreateChangeSetInput, optFns ...func(*Options)) (*CreateChangeSetOutput, error)
// Creates a stack as specified in the template. After the call completes
// successfully, the stack creation starts. You can check the status of the stack
// through the DescribeStacksoperation.
CreateStack(ctx context.Context, params *CreateStackInput, optFns ...func(*Options)) (*CreateStackOutput, error)
// Creates stack instances for the specified accounts, within the specified Amazon
// Web Services Regions. A stack instance refers to a stack in a specific account
// and Region. You must specify at least one value for either Accounts or
// DeploymentTargets, and you must specify at least one value for Regions.
CreateStackInstances(ctx context.Context, params *CreateStackInstancesInput, optFns ...func(*Options)) (*CreateStackInstancesOutput, error)
// Creates a stack set.
CreateStackSet(ctx context.Context, params *CreateStackSetInput, optFns ...func(*Options)) (*CreateStackSetOutput, error)
// Deactivates a public extension that was previously activated in this account and
// region. Once deactivated, an extension can't be used in any CloudFormation
// operation. This includes stack update operations where the stack template
// includes the extension, even if no updates are being made to the extension. In
// addition, deactivated extensions aren't automatically updated if a new version
// of the extension is released.
DeactivateType(ctx context.Context, params *DeactivateTypeInput, optFns ...func(*Options)) (*DeactivateTypeOutput, error)
// Deletes the specified change set. Deleting change sets ensures that no one
// executes the wrong change set. If the call successfully completes,
// CloudFormation successfully deleted the change set. If IncludeNestedStacks
// specifies True during the creation of the nested change set, then
// DeleteChangeSet will delete all change sets that belong to the stacks hierarchy
// and will also delete all change sets for nested stacks with the status of
// REVIEW_IN_PROGRESS.
DeleteChangeSet(ctx context.Context, params *DeleteChangeSetInput, optFns ...func(*Options)) (*DeleteChangeSetOutput, error)
// Deletes a specified stack. Once the call completes successfully, stack deletion
// starts. Deleted stacks don't show up in the DescribeStacks operation if the
// deletion has been completed successfully.
DeleteStack(ctx context.Context, params *DeleteStackInput, optFns ...func(*Options)) (*DeleteStackOutput, error)
// Deletes stack instances for the specified accounts, in the specified Amazon Web
// Services Regions.
DeleteStackInstances(ctx context.Context, params *DeleteStackInstancesInput, optFns ...func(*Options)) (*DeleteStackInstancesOutput, error)
// Deletes a stack set. Before you can delete a stack set, all of its member stack
// instances must be deleted. For more information about how to do this, see
// DeleteStackInstances.
DeleteStackSet(ctx context.Context, params *DeleteStackSetInput, optFns ...func(*Options)) (*DeleteStackSetOutput, error)
// Marks an extension or extension version as DEPRECATED in the CloudFormation
// registry, removing it from active use. Deprecated extensions or extension
// versions cannot be used in CloudFormation operations. To deregister an entire
// extension, you must individually deregister all active versions of that
// extension. If an extension has only a single active version, deregistering that
// version results in the extension itself being deregistered and marked as
// deprecated in the registry. You can't deregister the default version of an
// extension if there are other active version of that extension. If you do
// deregister the default version of an extension, the extension type itself is
// deregistered as well and marked as deprecated. To view the deprecation status of
// an extension or extension version, use DescribeType
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeType.html).
DeregisterType(ctx context.Context, params *DeregisterTypeInput, optFns ...func(*Options)) (*DeregisterTypeOutput, error)
// Retrieves your account's CloudFormation limits, such as the maximum number of
// stacks that you can create in your account. For more information about account
// limits, see CloudFormation Quotas
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/cloudformation-limits.html)
// in the CloudFormation User Guide.
DescribeAccountLimits(ctx context.Context, params *DescribeAccountLimitsInput, optFns ...func(*Options)) (*DescribeAccountLimitsOutput, error)
// Returns the inputs for the change set and a list of changes that CloudFormation
// will make if you execute the change set. For more information, see Updating
// Stacks Using Change Sets
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks-changesets.html)
// in the CloudFormation User Guide.
DescribeChangeSet(ctx context.Context, params *DescribeChangeSetInput, optFns ...func(*Options)) (*DescribeChangeSetOutput, error)
// Returns hook-related information for the change set and a list of changes that
// CloudFormation makes when you run the change set.
DescribeChangeSetHooks(ctx context.Context, params *DescribeChangeSetHooksInput, optFns ...func(*Options)) (*DescribeChangeSetHooksOutput, error)
// Returns information about a CloudFormation extension publisher. If you don't
// supply a PublisherId, and you have registered as an extension publisher,
// DescribePublisher returns information about your own publisher account. For more
// information on registering as a publisher, see:
//
// * RegisterPublisher
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_RegisterPublisher.html)
//
// *
// Publishing extensions to make them available for public use
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html)
// in the CloudFormation CLI User Guide
DescribePublisher(ctx context.Context, params *DescribePublisherInput, optFns ...func(*Options)) (*DescribePublisherOutput, error)
// Returns information about a stack drift detection operation. A stack drift
// detection operation detects whether a stack's actual configuration differs, or
// has drifted, from it's expected configuration, as defined in the stack template
// and any values specified as template parameters. A stack is considered to have
// drifted if one or more of its resources have drifted. For more information on
// stack and resource drift, see Detecting Unregulated Configuration Changes to
// Stacks and Resources
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html).
// Use DetectStackDrift to initiate a stack drift detection operation.
// DetectStackDrift returns a StackDriftDetectionId you can use to monitor the
// progress of the operation using DescribeStackDriftDetectionStatus. Once the
// drift detection operation has completed, use DescribeStackResourceDrifts to
// return drift information about the stack and its resources.
DescribeStackDriftDetectionStatus(ctx context.Context, params *DescribeStackDriftDetectionStatusInput, optFns ...func(*Options)) (*DescribeStackDriftDetectionStatusOutput, error)
// Returns all stack related events for a specified stack in reverse chronological
// order. For more information about a stack's event history, go to Stacks
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/concept-stack.html)
// in the CloudFormation User Guide. You can list events for stacks that have
// failed to create or have been deleted by specifying the unique stack identifier
// (stack ID).
DescribeStackEvents(ctx context.Context, params *DescribeStackEventsInput, optFns ...func(*Options)) (*DescribeStackEventsOutput, error)
// Returns the stack instance that's associated with the specified stack set,
// Amazon Web Services account, and Region. For a list of stack instances that are
// associated with a specific stack set, use ListStackInstances.
DescribeStackInstance(ctx context.Context, params *DescribeStackInstanceInput, optFns ...func(*Options)) (*DescribeStackInstanceOutput, error)
// Returns a description of the specified resource in the specified stack. For
// deleted stacks, DescribeStackResource returns resource information for up to 90
// days after the stack has been deleted.
DescribeStackResource(ctx context.Context, params *DescribeStackResourceInput, optFns ...func(*Options)) (*DescribeStackResourceOutput, error)
// Returns drift information for the resources that have been checked for drift in
// the specified stack. This includes actual and expected configuration values for
// resources where CloudFormation detects configuration drift. For a given stack,
// there will be one StackResourceDrift for each stack resource that has been
// checked for drift. Resources that haven't yet been checked for drift aren't
// included. Resources that don't currently support drift detection aren't checked,
// and so not included. For a list of resources that support drift detection, see
// Resources that Support Drift Detection
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift-resource-list.html).
// Use DetectStackResourceDrift to detect drift on individual resources, or
// DetectStackDrift to detect drift on all supported resources for a given stack.
DescribeStackResourceDrifts(ctx context.Context, params *DescribeStackResourceDriftsInput, optFns ...func(*Options)) (*DescribeStackResourceDriftsOutput, error)
// Returns Amazon Web Services resource descriptions for running and deleted
// stacks. If StackName is specified, all the associated resources that are part of
// the stack are returned. If PhysicalResourceId is specified, the associated
// resources of the stack that the resource belongs to are returned. Only the first
// 100 resources will be returned. If your stack has more resources than this, you
// should use ListStackResources instead. For deleted stacks,
// DescribeStackResources returns resource information for up to 90 days after the
// stack has been deleted. You must specify either StackName or PhysicalResourceId,
// but not both. In addition, you can specify LogicalResourceId to filter the
// returned result. For more information about resources, the LogicalResourceId and
// PhysicalResourceId, go to the CloudFormation User Guide
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/). A
// ValidationError is returned if you specify both StackName and PhysicalResourceId
// in the same request.
DescribeStackResources(ctx context.Context, params *DescribeStackResourcesInput, optFns ...func(*Options)) (*DescribeStackResourcesOutput, error)
// Returns the description of the specified stack set.
DescribeStackSet(ctx context.Context, params *DescribeStackSetInput, optFns ...func(*Options)) (*DescribeStackSetOutput, error)
// Returns the description of the specified stack set operation.
DescribeStackSetOperation(ctx context.Context, params *DescribeStackSetOperationInput, optFns ...func(*Options)) (*DescribeStackSetOperationOutput, error)
// Returns the description for the specified stack; if no stack name was specified,
// then it returns the description for all the stacks created. If the stack doesn't
// exist, an ValidationError is returned.
DescribeStacks(ctx context.Context, params *DescribeStacksInput, optFns ...func(*Options)) (*DescribeStacksOutput, error)
// Returns detailed information about an extension that has been registered. If you
// specify a VersionId, DescribeType returns information about that specific
// extension version. Otherwise, it returns information about the default extension
// version.
DescribeType(ctx context.Context, params *DescribeTypeInput, optFns ...func(*Options)) (*DescribeTypeOutput, error)
// Returns information about an extension's registration, including its current
// status and type and version identifiers. When you initiate a registration
// request using RegisterType, you can then use DescribeTypeRegistration to monitor
// the progress of that registration request. Once the registration request has
// completed, use DescribeType to return detailed information about an extension.
DescribeTypeRegistration(ctx context.Context, params *DescribeTypeRegistrationInput, optFns ...func(*Options)) (*DescribeTypeRegistrationOutput, error)
// Detects whether a stack's actual configuration differs, or has drifted, from
// it's expected configuration, as defined in the stack template and any values
// specified as template parameters. For each resource in the stack that supports
// drift detection, CloudFormation compares the actual configuration of the
// resource with its expected template configuration. Only resource properties
// explicitly defined in the stack template are checked for drift. A stack is
// considered to have drifted if one or more of its resources differ from their
// expected template configurations. For more information, see Detecting
// Unregulated Configuration Changes to Stacks and Resources
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html).
// Use DetectStackDrift to detect drift on all supported resources for a given
// stack, or DetectStackResourceDrift to detect drift on individual resources. For
// a list of stack resources that currently support drift detection, see Resources
// that Support Drift Detection
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift-resource-list.html).
// DetectStackDrift can take up to several minutes, depending on the number of
// resources contained within the stack. Use DescribeStackDriftDetectionStatus to
// monitor the progress of a detect stack drift operation. Once the drift detection
// operation has completed, use DescribeStackResourceDrifts to return drift
// information about the stack and its resources. When detecting drift on a stack,
// CloudFormation doesn't detect drift on any nested stacks belonging to that
// stack. Perform DetectStackDrift directly on the nested stack itself.
DetectStackDrift(ctx context.Context, params *DetectStackDriftInput, optFns ...func(*Options)) (*DetectStackDriftOutput, error)
// Returns information about whether a resource's actual configuration differs, or
// has drifted, from it's expected configuration, as defined in the stack template
// and any values specified as template parameters. This information includes
// actual and expected property values for resources in which CloudFormation
// detects drift. Only resource properties explicitly defined in the stack template
// are checked for drift. For more information about stack and resource drift, see
// Detecting Unregulated Configuration Changes to Stacks and Resources
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift.html).
// Use DetectStackResourceDrift to detect drift on individual resources, or
// DetectStackDrift to detect drift on all resources in a given stack that support
// drift detection. Resources that don't currently support drift detection can't be
// checked. For a list of resources that support drift detection, see Resources
// that Support Drift Detection
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-drift-resource-list.html).
DetectStackResourceDrift(ctx context.Context, params *DetectStackResourceDriftInput, optFns ...func(*Options)) (*DetectStackResourceDriftOutput, error)
// Detect drift on a stack set. When CloudFormation performs drift detection on a
// stack set, it performs drift detection on the stack associated with each stack
// instance in the stack set. For more information, see How CloudFormation performs
// drift detection on a stack set
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-drift.html).
// DetectStackSetDrift returns the OperationId of the stack set drift detection
// operation. Use this operation id with DescribeStackSetOperation to monitor the
// progress of the drift detection operation. The drift detection operation may
// take some time, depending on the number of stack instances included in the stack
// set, in addition to the number of resources included in each stack. Once the
// operation has completed, use the following actions to return drift
// information:
//
// * Use DescribeStackSet to return detailed information about the
// stack set, including detailed information about the last completed drift
// operation performed on the stack set. (Information about drift operations that
// are in progress isn't included.)
//
// * Use ListStackInstances to return a list of
// stack instances belonging to the stack set, including the drift status and last
// drift time checked of each instance.
//
// * Use DescribeStackInstance to return
// detailed information about a specific stack instance, including its drift status
// and last drift time checked.
//
// For more information on performing a drift
// detection operation on a stack set, see Detecting unmanaged changes in stack
// sets
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/stacksets-drift.html).
// You can only run a single drift detection operation on a given stack set at one
// time. To stop a drift detection stack set operation, use StopStackSetOperation.
DetectStackSetDrift(ctx context.Context, params *DetectStackSetDriftInput, optFns ...func(*Options)) (*DetectStackSetDriftOutput, error)
// Returns the estimated monthly cost of a template. The return value is an Amazon
// Web Services Simple Monthly Calculator URL with a query string that describes
// the resources required to run the template.
EstimateTemplateCost(ctx context.Context, params *EstimateTemplateCostInput, optFns ...func(*Options)) (*EstimateTemplateCostOutput, error)
// Updates a stack using the input information that was provided when the specified
// change set was created. After the call successfully completes, CloudFormation
// starts updating the stack. Use the DescribeStacks action to view the status of
// the update. When you execute a change set, CloudFormation deletes all other
// change sets associated with the stack because they aren't valid for the updated
// stack. If a stack policy is associated with the stack, CloudFormation enforces
// the policy during the update. You can't specify a temporary stack policy that
// overrides the current policy. To create a change set for the entire stack
// hierarchy, IncludeNestedStacks must have been set to True.
ExecuteChangeSet(ctx context.Context, params *ExecuteChangeSetInput, optFns ...func(*Options)) (*ExecuteChangeSetOutput, error)
// Returns the stack policy for a specified stack. If a stack doesn't have a
// policy, a null value is returned.
GetStackPolicy(ctx context.Context, params *GetStackPolicyInput, optFns ...func(*Options)) (*GetStackPolicyOutput, error)
// Returns the template body for a specified stack. You can get the template for
// running or deleted stacks. For deleted stacks, GetTemplate returns the template
// for up to 90 days after the stack has been deleted. If the template doesn't
// exist, a ValidationError is returned.
GetTemplate(ctx context.Context, params *GetTemplateInput, optFns ...func(*Options)) (*GetTemplateOutput, error)
// Returns information about a new or existing template. The GetTemplateSummary
// action is useful for viewing parameter information, such as default parameter
// values and parameter types, before you create or update a stack or stack set.
// You can use the GetTemplateSummary action when you submit a template, or you can
// get template information for a stack set, or a running or deleted stack. For
// deleted stacks, GetTemplateSummary returns the template information for up to 90
// days after the stack has been deleted. If the template doesn't exist, a
// ValidationError is returned.
GetTemplateSummary(ctx context.Context, params *GetTemplateSummaryInput, optFns ...func(*Options)) (*GetTemplateSummaryOutput, error)
// Import existing stacks into a new stack sets. Use the stack import operation to
// import up to 10 stacks into a new stack set in the same account as the source
// stack or in a different administrator account and Region, by specifying the
// stack ID of the stack you intend to import. ImportStacksToStackSet is only
// supported by self-managed permissions.
ImportStacksToStackSet(ctx context.Context, params *ImportStacksToStackSetInput, optFns ...func(*Options)) (*ImportStacksToStackSetOutput, error)
// Returns the ID and status of each active change set for a stack. For example,
// CloudFormation lists change sets that are in the CREATE_IN_PROGRESS or
// CREATE_PENDING state.
ListChangeSets(ctx context.Context, params *ListChangeSetsInput, optFns ...func(*Options)) (*ListChangeSetsOutput, error)
// Lists all exported output values in the account and Region in which you call
// this action. Use this action to see the exported output values that you can
// import into other stacks. To import values, use the Fn::ImportValue
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html)
// function. For more information, see CloudFormation export stack output values
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-stack-exports.html).
ListExports(ctx context.Context, params *ListExportsInput, optFns ...func(*Options)) (*ListExportsOutput, error)
// Lists all stacks that are importing an exported output value. To modify or
// remove an exported output value, first use this action to see which stacks are
// using it. To see the exported output values in your account, see ListExports.
// For more information about importing an exported output value, see the
// Fn::ImportValue
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/intrinsic-function-reference-importvalue.html)
// function.
ListImports(ctx context.Context, params *ListImportsInput, optFns ...func(*Options)) (*ListImportsOutput, error)
// Returns summary information about stack instances that are associated with the
// specified stack set. You can filter for stack instances that are associated with
// a specific Amazon Web Services account name or Region, or that have a specific
// status.
ListStackInstances(ctx context.Context, params *ListStackInstancesInput, optFns ...func(*Options)) (*ListStackInstancesOutput, error)
// Returns descriptions of all resources of the specified stack. For deleted
// stacks, ListStackResources returns resource information for up to 90 days after
// the stack has been deleted.
ListStackResources(ctx context.Context, params *ListStackResourcesInput, optFns ...func(*Options)) (*ListStackResourcesOutput, error)
// Returns summary information about the results of a stack set operation.
ListStackSetOperationResults(ctx context.Context, params *ListStackSetOperationResultsInput, optFns ...func(*Options)) (*ListStackSetOperationResultsOutput, error)
// Returns summary information about operations performed on a stack set.
ListStackSetOperations(ctx context.Context, params *ListStackSetOperationsInput, optFns ...func(*Options)) (*ListStackSetOperationsOutput, error)
// Returns summary information about stack sets that are associated with the
// user.
//
// * [Self-managed permissions] If you set the CallAs parameter to SELF
// while signed in to your Amazon Web Services account, ListStackSets returns all
// self-managed stack sets in your Amazon Web Services account.
//
// * [Service-managed
// permissions] If you set the CallAs parameter to SELF while signed in to the
// organization's management account, ListStackSets returns all stack sets in the
// management account.
//
// * [Service-managed permissions] If you set the CallAs
// parameter to DELEGATED_ADMIN while signed in to your member account,
// ListStackSets returns all stack sets with service-managed permissions in the
// management account.
ListStackSets(ctx context.Context, params *ListStackSetsInput, optFns ...func(*Options)) (*ListStackSetsOutput, error)
// Returns the summary information for stacks whose status matches the specified
// StackStatusFilter. Summary information for stacks that have been deleted is kept
// for 90 days after the stack is deleted. If no StackStatusFilter is specified,
// summary information for all stacks is returned (including existing stacks and
// stacks that have been deleted).
ListStacks(ctx context.Context, params *ListStacksInput, optFns ...func(*Options)) (*ListStacksOutput, error)
// Returns a list of registration tokens for the specified extension(s).
ListTypeRegistrations(ctx context.Context, params *ListTypeRegistrationsInput, optFns ...func(*Options)) (*ListTypeRegistrationsOutput, error)
// Returns summary information about the versions of an extension.
ListTypeVersions(ctx context.Context, params *ListTypeVersionsInput, optFns ...func(*Options)) (*ListTypeVersionsOutput, error)
// Returns summary information about extension that have been registered with
// CloudFormation.
ListTypes(ctx context.Context, params *ListTypesInput, optFns ...func(*Options)) (*ListTypesOutput, error)
// Publishes the specified extension to the CloudFormation registry as a public
// extension in this region. Public extensions are available for use by all
// CloudFormation users. For more information on publishing extensions, see
// Publishing extensions to make them available for public use
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html)
// in the CloudFormation CLI User Guide. To publish an extension, you must be
// registered as a publisher with CloudFormation. For more information, see
// RegisterPublisher
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_RegisterPublisher.html).
PublishType(ctx context.Context, params *PublishTypeInput, optFns ...func(*Options)) (*PublishTypeOutput, error)
// Reports progress of a resource handler to CloudFormation. Reserved for use by
// the CloudFormation CLI
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/what-is-cloudformation-cli.html).
// Don't use this API in your code.
RecordHandlerProgress(ctx context.Context, params *RecordHandlerProgressInput, optFns ...func(*Options)) (*RecordHandlerProgressOutput, error)
// Registers your account as a publisher of public extensions in the CloudFormation
// registry. Public extensions are available for use by all CloudFormation users.
// This publisher ID applies to your account in all Amazon Web Services Regions.
// For information on requirements for registering as a public extension publisher,
// see Registering your account to publish CloudFormation extensions
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html#publish-extension-prereqs)
// in the CloudFormation CLI User Guide.
RegisterPublisher(ctx context.Context, params *RegisterPublisherInput, optFns ...func(*Options)) (*RegisterPublisherOutput, error)
// Registers an extension with the CloudFormation service. Registering an extension
// makes it available for use in CloudFormation templates in your Amazon Web
// Services account, and includes:
//
// * Validating the extension schema.
//
// *
// Determining which handlers, if any, have been specified for the extension.
//
// *
// Making the extension available for use in your account.
//
// For more information on
// how to develop extensions and ready them for registration, see Creating Resource
// Providers
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-types.html)
// in the CloudFormation CLI User Guide. You can have a maximum of 50 resource
// extension versions registered at a time. This maximum is per account and per
// region. Use DeregisterType to deregister specific extension versions if
// necessary. Once you have initiated a registration request using RegisterType,
// you can use DescribeTypeRegistration to monitor the progress of the registration
// request. Once you have registered a private extension in your account and
// region, use SetTypeConfiguration to specify configuration properties for the
// extension. For more information, see Configuring extensions at the account level
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration)
// in the CloudFormation User Guide.
RegisterType(ctx context.Context, params *RegisterTypeInput, optFns ...func(*Options)) (*RegisterTypeOutput, error)
// When specifying RollbackStack, you preserve the state of previously provisioned
// resources when an operation fails. You can check the status of the stack through
// the DescribeStacks operation. Rolls back the specified stack to the last known
// stable state from CREATE_FAILED or UPDATE_FAILED stack statuses. This operation
// will delete a stack if it doesn't contain a last known stable state. A last
// known stable state includes any status in a *_COMPLETE. This includes the
// following stack statuses.
//
// * CREATE_COMPLETE
//
// * UPDATE_COMPLETE
//
// *
// UPDATE_ROLLBACK_COMPLETE
//
// * IMPORT_COMPLETE
//
// * IMPORT_ROLLBACK_COMPLETE
RollbackStack(ctx context.Context, params *RollbackStackInput, optFns ...func(*Options)) (*RollbackStackOutput, error)
// Sets a stack policy for a specified stack.
SetStackPolicy(ctx context.Context, params *SetStackPolicyInput, optFns ...func(*Options)) (*SetStackPolicyOutput, error)
// Specifies the configuration data for a registered CloudFormation extension, in
// the given account and region. To view the current configuration data for an
// extension, refer to the ConfigurationSchema element of DescribeType. For more
// information, see Configuring extensions at the account level
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/registry-register.html#registry-set-configuration)
// in the CloudFormation User Guide. It's strongly recommended that you use dynamic
// references to restrict sensitive configuration definitions, such as third-party
// credentials. For more details on dynamic references, see Using dynamic
// references to specify template values (https://docs.aws.amazon.com/) in the
// CloudFormation User Guide.
SetTypeConfiguration(ctx context.Context, params *SetTypeConfigurationInput, optFns ...func(*Options)) (*SetTypeConfigurationOutput, error)
// Specify the default version of an extension. The default version of an extension
// will be used in CloudFormation operations.
SetTypeDefaultVersion(ctx context.Context, params *SetTypeDefaultVersionInput, optFns ...func(*Options)) (*SetTypeDefaultVersionOutput, error)
// Sends a signal to the specified resource with a success or failure status. You
// can use the SignalResource operation in conjunction with a creation policy or
// update policy. CloudFormation doesn't proceed with a stack creation or update
// until resources receive the required number of signals or the timeout period is
// exceeded. The SignalResource operation is useful in cases where you want to send
// signals from anywhere other than an Amazon EC2 instance.
SignalResource(ctx context.Context, params *SignalResourceInput, optFns ...func(*Options)) (*SignalResourceOutput, error)
// Stops an in-progress operation on a stack set and its associated stack
// instances. StackSets will cancel all the unstarted stack instance deployments
// and wait for those are in-progress to complete.
StopStackSetOperation(ctx context.Context, params *StopStackSetOperationInput, optFns ...func(*Options)) (*StopStackSetOperationOutput, error)
// Tests a registered extension to make sure it meets all necessary requirements
// for being published in the CloudFormation registry.
//
// * For resource types, this
// includes passing all contracts tests defined for the type.
//
// * For modules, this
// includes determining if the module's model meets all necessary
// requirements.
//
// For more information, see Testing your public extension prior to
// publishing
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/publish-extension.html#publish-extension-testing)
// in the CloudFormation CLI User Guide. If you don't specify a version,
// CloudFormation uses the default version of the extension in your account and
// region for testing. To perform testing, CloudFormation assumes the execution
// role specified when the type was registered. For more information, see
// RegisterType. Once you've initiated testing on an extension using TestType, you
// can use DescribeType
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_DescribeType.html)
// to monitor the current test status and test status description for the
// extension. An extension must have a test status of PASSED before it can be
// published. For more information, see Publishing extensions to make them
// available for public use
// (https://docs.aws.amazon.com/cloudformation-cli/latest/userguide/resource-type-publish.html)
// in the CloudFormation CLI User Guide.
TestType(ctx context.Context, params *TestTypeInput, optFns ...func(*Options)) (*TestTypeOutput, error)
// Updates a stack as specified in the template. After the call completes
// successfully, the stack update starts. You can check the status of the stack
// through the DescribeStacks action. To get a copy of the template for an existing
// stack, you can use the GetTemplate action. For more information about creating
// an update template, updating a stack, and monitoring the progress of the update,
// see Updating a Stack
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-updating-stacks.html).
UpdateStack(ctx context.Context, params *UpdateStackInput, optFns ...func(*Options)) (*UpdateStackOutput, error)
// Updates the parameter values for stack instances for the specified accounts,
// within the specified Amazon Web Services Regions. A stack instance refers to a
// stack in a specific account and Region. You can only update stack instances in
// Amazon Web Services Regions and accounts where they already exist; to create
// additional stack instances, use CreateStackInstances
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_CreateStackInstances.html).
// During stack set updates, any parameters overridden for a stack instance aren't
// updated, but retain their overridden value. You can only update the parameter
// values that are specified in the stack set; to add or delete a parameter itself,
// use UpdateStackSet
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_UpdateStackSet.html)
// to update the stack set template. If you add a parameter to a template, before
// you can override the parameter value specified in the stack set you must first
// use UpdateStackSet
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/APIReference/API_UpdateStackSet.html)
// to update all stack instances with the updated template and parameter value
// specified in the stack set. Once a stack instance has been updated with the new
// parameter, you can then override the parameter value using UpdateStackInstances.
UpdateStackInstances(ctx context.Context, params *UpdateStackInstancesInput, optFns ...func(*Options)) (*UpdateStackInstancesOutput, error)
// Updates the stack set, and associated stack instances in the specified accounts
// and Amazon Web Services Regions. Even if the stack set operation created by
// updating the stack set fails (completely or partially, below or above a
// specified failure tolerance), the stack set is updated with your changes.
// Subsequent CreateStackInstances calls on the specified stack set use the updated
// stack set.
UpdateStackSet(ctx context.Context, params *UpdateStackSetInput, optFns ...func(*Options)) (*UpdateStackSetOutput, error)
// Updates termination protection for the specified stack. If a user attempts to
// delete a stack with termination protection enabled, the operation fails and the
// stack remains unchanged. For more information, see Protecting a Stack From Being
// Deleted
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-protect-stacks.html)
// in the CloudFormation User Guide. For nested stacks
// (https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/using-cfn-nested-stacks.html),
// termination protection is set on the root stack and can't be changed directly on
// the nested stack.
UpdateTerminationProtection(ctx context.Context, params *UpdateTerminationProtectionInput, optFns ...func(*Options)) (*UpdateTerminationProtectionOutput, error)
// Validates a specified template. CloudFormation first checks if the template is
// valid JSON. If it isn't, CloudFormation checks if the template is valid YAML. If
// both these checks fail, CloudFormation returns a template validation error.
ValidateTemplate(ctx context.Context, params *ValidateTemplateInput, optFns ...func(*Options)) (*ValidateTemplateOutput, error)
}
CloudFormation provides an interface to the AWS CloudFormation service.
type STS ¶
type STS interface {
// Returns a set of temporary security credentials that you can use to access
// Amazon Web Services resources that you might not normally have access to. These
// temporary credentials consist of an access key ID, a secret access key, and a
// security token. Typically, you use AssumeRole within your account or for
// cross-account access. For a comparison of AssumeRole with other API operations
// that produce temporary credentials, see Requesting Temporary Security
// Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. Permissions The temporary security credentials created by
// AssumeRole can be used to make API calls to any Amazon Web Services service with
// the following exception: You cannot call the Amazon Web Services STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. When you create a role, you create two policies: A role
// trust policy that specifies who can assume the role and a permissions policy
// that specifies what can be done with the role. You specify the trusted principal
// who is allowed to assume the role in the role trust policy. To assume a role
// from a different account, your Amazon Web Services account must be trusted by
// the role. The trust relationship is defined in the role's trust policy when the
// role is created. That trust policy states which accounts are allowed to delegate
// that access to users in the account. A user who wants to access a role in a
// different account must also have permissions that are delegated from the user
// account administrator. The administrator must attach a policy that allows the
// user to call AssumeRole for the ARN of the role in the other account. To allow a
// user to assume a role in the same account, you can do either of the
// following:
//
// * Attach a policy to the user that allows the user to call
// AssumeRole (as long as the role's trust policy trusts the account).
//
// * Add the
// user as a principal directly in the role's trust policy.
//
// You can do either
// because the role’s trust policy acts as an IAM resource-based policy. When a
// resource-based policy grants access to a principal in the same account, no
// additional identity-based policy is required. For more information about trust
// policies and resource-based policies, see IAM Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) in the
// IAM User Guide. Tags (Optional) You can pass tag key-value pairs to your
// session. These tags are called session tags. For more information about session
// tags, see Passing Session Tags in STS
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
// IAM User Guide. An administrator must grant you the permissions necessary to
// pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with
// Session Tags
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Using MFA with AssumeRole (Optional) You can include
// multi-factor authentication (MFA) information when you call AssumeRole. This is
// useful for cross-account scenarios to ensure that the user that assumes the role
// has been authenticated with an Amazon Web Services MFA device. In that scenario,
// the trust policy of the role being assumed includes a condition that tests for
// MFA authentication. If the caller does not include valid MFA information, the
// request to assume the role is denied. The condition in a trust policy that tests
// for MFA authentication might look like the following example. "Condition":
// {"Bool": {"aws:MultiFactorAuthPresent": true}} For more information, see
// Configuring MFA-Protected API Access
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html) in the
// IAM User Guide guide. To use MFA with AssumeRole, you pass values for the
// SerialNumber and TokenCode parameters. The SerialNumber value identifies the
// user's hardware or virtual MFA device. The TokenCode is the time-based one-time
// password (TOTP) that the MFA device produces.
AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error)
// Returns a set of temporary security credentials for users who have been
// authenticated via a SAML authentication response. This operation provides a
// mechanism for tying an enterprise identity store or directory to role-based
// Amazon Web Services access without user-specific credentials or configuration.
// For a comparison of AssumeRoleWithSAML with the other API operations that
// produce temporary credentials, see Requesting Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this
// operation consist of an access key ID, a secret access key, and a security
// token. Applications can use these temporary security credentials to sign calls
// to Amazon Web Services services. Session Duration By default, the temporary
// security credentials created by AssumeRoleWithSAML last for one hour. However,
// you can use the optional DurationSeconds parameter to specify the duration of
// your session. Your role session lasts for the duration that you specify, or
// until the time specified in the SAML authentication response's
// SessionNotOnOrAfter value, whichever is shorter. You can provide a
// DurationSeconds value from 900 seconds (15 minutes) up to the maximum session
// duration setting for the role. This setting can have a value from 1 hour to 12
// hours. To learn how to view the maximum value for your role, see View the
// Maximum Session Duration Setting for a Role
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM
// User Guide. Role chaining
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining)
// limits your CLI or Amazon Web Services API role session to a maximum of one
// hour. When you use the AssumeRole API operation to assume a role, you can
// specify the duration of your role session with the DurationSeconds parameter.
// You can specify a parameter value of up to 43200 seconds (12 hours), depending
// on the maximum session duration setting for your role. However, if you assume a
// role using role chaining and provide a DurationSeconds parameter value greater
// than one hour, the operation fails. Permissions The temporary security
// credentials created by AssumeRoleWithSAML can be used to make API calls to any
// Amazon Web Services service with the following exception: you cannot call the
// STS GetFederationToken or GetSessionToken API operations. (Optional) You can
// pass inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Calling AssumeRoleWithSAML does not require the use of
// Amazon Web Services security credentials. The identity of the caller is
// validated by using keys in the metadata document that is uploaded for the SAML
// provider entity for your identity provider. Calling AssumeRoleWithSAML can
// result in an entry in your CloudTrail logs. The entry includes the value in the
// NameID element of the SAML assertion. We recommend that you use a NameIDType
// that is not associated with any personally identifiable information (PII). For
// example, you could instead use the persistent identifier
// (urn:oasis:names:tc:SAML:2.0:nameid-format:persistent). Tags (Optional) You can
// configure your IdP to pass attributes into your SAML assertion as session tags.
// Each session tag consists of a key name and an associated value. For more
// information about session tags, see Passing Session Tags in STS
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag
// keys can’t exceed 128 characters and the values can’t exceed 256 characters. For
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// attached to the role. When you do, session tags override the role's tags with
// the same key. An administrator must grant you the permissions necessary to pass
// session tags. The administrator can also create granular permissions to allow
// you to pass only specific session tags. For more information, see Tutorial:
// Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with
// Session Tags
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. SAML Configuration Before your application can call
// AssumeRoleWithSAML, you must configure your SAML identity provider (IdP) to
// issue the claims required by Amazon Web Services. Additionally, you must use
// Identity and Access Management (IAM) to create a SAML provider entity in your
// Amazon Web Services account that represents your identity provider. You must
// also create an IAM role that specifies this SAML provider in its trust policy.
// For more information, see the following resources:
//
// * About SAML 2.0-based
// Federation
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html)
// in the IAM User Guide.
//
// * Creating SAML Identity Providers
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html)
// in the IAM User Guide.
//
// * Configuring a Relying Party and Claims
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html)
// in the IAM User Guide.
//
// * Creating a Role for SAML 2.0 Federation
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html)
// in the IAM User Guide.
AssumeRoleWithSAML(ctx context.Context, params *AssumeRoleWithSAMLInput, optFns ...func(*Options)) (*AssumeRoleWithSAMLOutput, error)
// Returns a set of temporary security credentials for users who have been
// authenticated in a mobile or web application with a web identity provider.
// Example providers include the OAuth 2.0 providers Login with Amazon and
// Facebook, or any OpenID Connect-compatible identity provider such as Google or
// Amazon Cognito federated identities
// (https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-identity.html).
// For mobile applications, we recommend that you use Amazon Cognito. You can use
// Amazon Cognito with the Amazon Web Services SDK for iOS Developer Guide
// (http://aws.amazon.com/sdkforios/) and the Amazon Web Services SDK for Android
// Developer Guide (http://aws.amazon.com/sdkforandroid/) to uniquely identify a
// user. You can also supply the user with a consistent identity throughout the
// lifetime of an application. To learn more about Amazon Cognito, see Amazon
// Cognito Overview
// (https://docs.aws.amazon.com/mobile/sdkforandroid/developerguide/cognito-auth.html#d0e840)
// in Amazon Web Services SDK for Android Developer Guide and Amazon Cognito
// Overview
// (https://docs.aws.amazon.com/mobile/sdkforios/developerguide/cognito-auth.html#d0e664)
// in the Amazon Web Services SDK for iOS Developer Guide. Calling
// AssumeRoleWithWebIdentity does not require the use of Amazon Web Services
// security credentials. Therefore, you can distribute an application (for example,
// on mobile devices) that requests temporary security credentials without
// including long-term Amazon Web Services credentials in the application. You also
// don't need to deploy server-based proxy services that use long-term Amazon Web
// Services credentials. Instead, the identity of the caller is validated by using
// a token from the web identity provider. For a comparison of
// AssumeRoleWithWebIdentity with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. The temporary security credentials returned by this API
// consist of an access key ID, a secret access key, and a security token.
// Applications can use these temporary security credentials to sign calls to
// Amazon Web Services service API operations. Session Duration By default, the
// temporary security credentials created by AssumeRoleWithWebIdentity last for one
// hour. However, you can use the optional DurationSeconds parameter to specify the
// duration of your session. You can provide a value from 900 seconds (15 minutes)
// up to the maximum session duration setting for the role. This setting can have a
// value from 1 hour to 12 hours. To learn how to view the maximum value for your
// role, see View the Maximum Session Duration Setting for a Role
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session)
// in the IAM User Guide. The maximum session duration limit applies when you use
// the AssumeRole* API operations or the assume-role* CLI commands. However the
// limit does not apply when you use those operations to create a console URL. For
// more information, see Using IAM Roles
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html) in the IAM
// User Guide. Permissions The temporary security credentials created by
// AssumeRoleWithWebIdentity can be used to make API calls to any Amazon Web
// Services service with the following exception: you cannot call the STS
// GetFederationToken or GetSessionToken API operations. (Optional) You can pass
// inline or managed session policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Passing policies to this
// operation returns new temporary credentials. The resulting session's permissions
// are the intersection of the role's identity-based policy and the session
// policies. You can use the role's temporary credentials in subsequent Amazon Web
// Services API calls to access resources in the account that owns the role. You
// cannot use session policies to grant more permissions than those allowed by the
// identity-based policy of the role that is being assumed. For more information,
// see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. Tags (Optional) You can configure your IdP to pass
// attributes into your web identity token as session tags. Each session tag
// consists of a key name and an associated value. For more information about
// session tags, see Passing Session Tags in STS
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
// IAM User Guide. You can pass up to 50 session tags. The plaintext session tag
// keys can’t exceed 128 characters and the values can’t exceed 256 characters. For
// these and additional limits, see IAM and STS Character Limits
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length)
// in the IAM User Guide. An Amazon Web Services conversion compresses the passed
// session policies and session tags into a packed binary format that has a
// separate limit. Your request can fail for this limit even if your plaintext
// meets the other requirements. The PackedPolicySize response element indicates by
// percentage how close the policies and tags for your request are to the upper
// size limit. You can pass a session tag with the same key as a tag that is
// attached to the role. When you do, the session tag overrides the role tag with
// the same key. An administrator must grant you the permissions necessary to pass
// session tags. The administrator can also create granular permissions to allow
// you to pass only specific session tags. For more information, see Tutorial:
// Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. You can set the session tags as transitive. Transitive
// tags persist during role chaining. For more information, see Chaining Roles with
// Session Tags
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining)
// in the IAM User Guide. Identities Before your application can call
// AssumeRoleWithWebIdentity, you must have an identity token from a supported
// identity provider and create a role that the application can assume. The role
// that your application assumes must trust the identity provider that is
// associated with the identity token. In other words, the identity provider must
// be specified in the role's trust policy. Calling AssumeRoleWithWebIdentity can
// result in an entry in your CloudTrail logs. The entry includes the Subject
// (http://openid.net/specs/openid-connect-core-1_0.html#Claims) of the provided
// web identity token. We recommend that you avoid using any personally
// identifiable information (PII) in this field. For example, you could instead use
// a GUID or a pairwise identifier, as suggested in the OIDC specification
// (http://openid.net/specs/openid-connect-core-1_0.html#SubjectIDTypes). For more
// information about how to use web identity federation and the
// AssumeRoleWithWebIdentity API, see the following resources:
//
// * Using Web
// Identity Federation API Operations for Mobile Apps
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_oidc_manual.html)
// and Federation Through a Web-based Identity Provider
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity).
//
// *
// Web Identity Federation Playground
// (https://aws.amazon.com/blogs/aws/the-aws-web-identity-federation-playground/).
// Walk through the process of authenticating through Login with Amazon, Facebook,
// or Google, getting temporary security credentials, and then using those
// credentials to make a request to Amazon Web Services.
//
// * Amazon Web Services SDK
// for iOS Developer Guide (http://aws.amazon.com/sdkforios/) and Amazon Web
// Services SDK for Android Developer Guide (http://aws.amazon.com/sdkforandroid/).
// These toolkits contain sample apps that show how to invoke the identity
// providers. The toolkits then show how to use the information from these
// providers to get and use temporary security credentials.
//
// * Web Identity
// Federation with Mobile Applications
// (http://aws.amazon.com/articles/web-identity-federation-with-mobile-applications).
// This article discusses web identity federation and shows an example of how to
// use web identity federation to get access to content in Amazon S3.
AssumeRoleWithWebIdentity(ctx context.Context, params *AssumeRoleWithWebIdentityInput, optFns ...func(*Options)) (*AssumeRoleWithWebIdentityOutput, error)
// Decodes additional information about the authorization status of a request from
// an encoded message returned in response to an Amazon Web Services request. For
// example, if a user is not authorized to perform an operation that he or she has
// requested, the request returns a Client.UnauthorizedOperation response (an HTTP
// 403 response). Some Amazon Web Services operations additionally return an
// encoded message that can provide details about this authorization failure. Only
// certain Amazon Web Services operations return an encoded authorization message.
// The documentation for an individual operation indicates whether that operation
// returns an encoded message in addition to returning an HTTP code. The message is
// encoded because the details of the authorization status can contain privileged
// information that the user who requested the operation should not see. To decode
// an authorization status message, a user must be granted permissions through an
// IAM policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) to
// request the DecodeAuthorizationMessage (sts:DecodeAuthorizationMessage) action.
// The decoded message includes the following type of information:
//
// * Whether the
// request was denied due to an explicit deny or due to the absence of an explicit
// allow. For more information, see Determining Whether a Request is Allowed or
// Denied
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_evaluation-logic.html#policy-eval-denyallow)
// in the IAM User Guide.
//
// * The principal who made the request.
//
// * The requested
// action.
//
// * The requested resource.
//
// * The values of condition keys in the
// context of the user's request.
DecodeAuthorizationMessage(ctx context.Context, params *DecodeAuthorizationMessageInput, optFns ...func(*Options)) (*DecodeAuthorizationMessageOutput, error)
// Returns the account identifier for the specified access key ID. Access keys
// consist of two parts: an access key ID (for example, AKIAIOSFODNN7EXAMPLE) and a
// secret access key (for example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY). For
// more information about access keys, see Managing Access Keys for IAM Users
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html)
// in the IAM User Guide. When you pass an access key ID to this operation, it
// returns the ID of the Amazon Web Services account to which the keys belong.
// Access key IDs beginning with AKIA are long-term credentials for an IAM user or
// the Amazon Web Services account root user. Access key IDs beginning with ASIA
// are temporary credentials that are created using STS operations. If the account
// in the response belongs to you, you can sign in as the root user and review your
// root user access keys. Then, you can pull a credentials report
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_getting-report.html)
// to learn which IAM user owns the keys. To learn who requested the temporary
// credentials for an ASIA access key, view the STS events in your CloudTrail logs
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/cloudtrail-integration.html)
// in the IAM User Guide. This operation does not indicate the state of the access
// key. The key might be active, inactive, or deleted. Active keys might not have
// permissions to perform an operation. Providing a deleted access key might return
// an error that the key doesn't exist.
GetAccessKeyInfo(ctx context.Context, params *GetAccessKeyInfoInput, optFns ...func(*Options)) (*GetAccessKeyInfoOutput, error)
// Returns details about the IAM user or role whose credentials are used to call
// the operation. No permissions are required to perform this operation. If an
// administrator adds a policy to your IAM user or role that explicitly denies
// access to the sts:GetCallerIdentity action, you can still perform this
// operation. Permissions are not required because the same information is returned
// when an IAM user or role is denied access. To view an example response, see I Am
// Not Authorized to Perform: iam:DeleteVirtualMFADevice
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_access-denied-delete-mfa)
// in the IAM User Guide.
GetCallerIdentity(ctx context.Context, params *GetCallerIdentityInput, optFns ...func(*Options)) (*GetCallerIdentityOutput, error)
// Returns a set of temporary security credentials (consisting of an access key ID,
// a secret access key, and a security token) for a federated user. A typical use
// is in a proxy application that gets temporary security credentials on behalf of
// distributed applications inside a corporate network. You must call the
// GetFederationToken operation using the long-term security credentials of an IAM
// user. As a result, this call is appropriate in contexts where those credentials
// can be safely stored, usually in a server-based application. For a comparison of
// GetFederationToken with the other API operations that produce temporary
// credentials, see Requesting Temporary Security Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. You can create a mobile-based or browser-based app that
// can authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity. For more information, see Federation Through a
// Web-based Identity Provider
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. You can also call GetFederationToken using the security
// credentials of an Amazon Web Services account root user, but we do not recommend
// it. Instead, we recommend that you create an IAM user for the purpose of the
// proxy application. Then attach a policy to the IAM user that limits federated
// users to only the actions and resources that they need to access. For more
// information, see IAM Best Practices
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html) in the
// IAM User Guide. Session duration The temporary credentials are valid for the
// specified duration, from 900 seconds (15 minutes) up to a maximum of 129,600
// seconds (36 hours). The default session duration is 43,200 seconds (12 hours).
// Temporary credentials obtained by using the Amazon Web Services account root
// user credentials have a maximum duration of 3,600 seconds (1 hour). Permissions
// You can use the temporary credentials created by GetFederationToken in any
// Amazon Web Services service except the following:
//
// * You cannot call any IAM
// operations using the CLI or the Amazon Web Services API.
//
// * You cannot call any
// STS operations except GetCallerIdentity.
//
// You must pass an inline or managed
// session policy
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// to this operation. You can pass a single JSON policy document to use as an
// inline session policy. You can also specify up to 10 managed policies to use as
// managed session policies. The plaintext that you use for both inline and managed
// session policies can't exceed 2,048 characters. Though the session policy
// parameters are optional, if you do not pass a policy, then the resulting
// federated user session has no permissions. When you pass session policies, the
// session permissions are the intersection of the IAM user policies and the
// session policies that you pass. This gives you a way to further restrict the
// permissions for a federated user. You cannot use session policies to grant more
// permissions than those that are defined in the permissions policy of the IAM
// user. For more information, see Session Policies
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session)
// in the IAM User Guide. For information about using GetFederationToken to create
// temporary security credentials, see GetFederationToken—Federation Through a
// Custom Identity Broker
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getfederationtoken).
// You can use the credentials to access a resource that has a resource-based
// policy. If that policy specifically references the federated user session in the
// Principal element of the policy, the session has the permissions allowed by the
// policy. These permissions are granted in addition to the permissions granted by
// the session policies. Tags (Optional) You can pass tag key-value pairs to your
// session. These are called session tags. For more information about session tags,
// see Passing Session Tags in STS
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html) in the
// IAM User Guide. You can create a mobile-based or browser-based app that can
// authenticate users using a web identity provider like Login with Amazon,
// Facebook, Google, or an OpenID Connect-compatible identity provider. In this
// case, we recommend that you use Amazon Cognito (http://aws.amazon.com/cognito/)
// or AssumeRoleWithWebIdentity. For more information, see Federation Through a
// Web-based Identity Provider
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_assumerolewithwebidentity)
// in the IAM User Guide. An administrator must grant you the permissions necessary
// to pass session tags. The administrator can also create granular permissions to
// allow you to pass only specific session tags. For more information, see
// Tutorial: Using Tags for Attribute-Based Access Control
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html)
// in the IAM User Guide. Tag key–value pairs are not case sensitive, but case is
// preserved. This means that you cannot have separate Department and department
// tag keys. Assume that the user that you are federating has the
// Department=Marketing tag and you pass the department=engineering session tag.
// Department and department are not saved as separate tags, and the session tag
// passed in the request takes precedence over the user tag.
GetFederationToken(ctx context.Context, params *GetFederationTokenInput, optFns ...func(*Options)) (*GetFederationTokenOutput, error)
// Returns a set of temporary credentials for an Amazon Web Services account or IAM
// user. The credentials consist of an access key ID, a secret access key, and a
// security token. Typically, you use GetSessionToken if you want to use MFA to
// protect programmatic calls to specific Amazon Web Services API operations like
// Amazon EC2 StopInstances. MFA-enabled IAM users would need to call
// GetSessionToken and submit an MFA code that is associated with their MFA device.
// Using the temporary security credentials that are returned from the call, IAM
// users can then make programmatic calls to API operations that require MFA
// authentication. If you do not supply a correct MFA code, then the API returns an
// access denied error. For a comparison of GetSessionToken with the other API
// operations that produce temporary credentials, see Requesting Temporary Security
// Credentials
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html)
// and Comparing the Amazon Web Services STS API operations
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison)
// in the IAM User Guide. Session Duration The GetSessionToken operation must be
// called by using the long-term Amazon Web Services security credentials of the
// Amazon Web Services account root user or an IAM user. Credentials that are
// created by IAM users are valid for the duration that you specify. This duration
// can range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
// hours), with a default of 43,200 seconds (12 hours). Credentials based on
// account credentials can range from 900 seconds (15 minutes) up to 3,600 seconds
// (1 hour), with a default of 1 hour. Permissions The temporary security
// credentials created by GetSessionToken can be used to make API calls to any
// Amazon Web Services service with the following exceptions:
//
// * You cannot call
// any IAM API operations unless MFA authentication information is included in the
// request.
//
// * You cannot call any STS API except AssumeRole or
// GetCallerIdentity.
//
// We recommend that you do not call GetSessionToken with
// Amazon Web Services account root user credentials. Instead, follow our best
// practices
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/best-practices.html#create-iam-users)
// by creating one or more IAM users, giving them the necessary permissions, and
// using IAM users for everyday interaction with Amazon Web Services. The
// credentials that are returned by GetSessionToken are based on permissions
// associated with the user whose credentials were used to call the operation. If
// GetSessionToken is called using Amazon Web Services account root user
// credentials, the temporary credentials have root user permissions. Similarly, if
// GetSessionToken is called using the credentials of an IAM user, the temporary
// credentials have the same permissions as the IAM user. For more information
// about using GetSessionToken to create temporary credentials, go to Temporary
// Credentials for Users in Untrusted Environments
// (https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#api_getsessiontoken)
// in the IAM User Guide.
GetSessionToken(ctx context.Context, params *GetSessionTokenInput, optFns ...func(*Options)) (*GetSessionTokenOutput, error)
}
STS provides an interface to the AWS STS service.
Source Files
Directories
Click to show internal directories.
Click to hide internal directories.