-- Hoogle documentation, generated by Haddock
-- See Hoogle, http://www.haskell.org/hoogle/


-- | Amazon Security Token Service SDK.
--   
--   The types from this library are intended to be used with
--   <a>amazonka</a>, which provides mechanisms for specifying AuthN/AuthZ
--   information, sending requests, and receiving responses.
--   
--   Lenses are used for constructing and manipulating types, due to the
--   depth of nesting of AWS types and transparency regarding
--   de/serialisation into more palatable Haskell values. The provided
--   lenses should be compatible with any of the major lens libraries such
--   as <a>lens</a> or <a>lens-family-core</a>.
--   
--   See <a>Network.AWS.STS</a> or <a>the AWS documentation</a> to get
--   started.
@package amazonka-sts
@version 1.6.1


module Network.AWS.STS.Types

-- | API version <tt>2011-06-15</tt> of the Amazon Security Token Service
--   SDK configuration.
sts :: Service

-- | The request was rejected because the policy document was malformed.
--   The error message describes the specific error.
_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The error returned if the message passed to
--   <tt>DecodeAuthorizationMessage</tt> was invalid. This can happen if
--   the token contains invalid characters, such as linebreaks.
_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The request was rejected because the policy document was too large.
--   The error message describes how big the policy document is, in packed
--   form, as a percentage of what the API allows.
_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError

-- | STS is not activated in the requested region for the account that is
--   being asked to generate credentials. The account administrator must
--   use the IAM console to activate STS in that region. For more
--   information, see <a>Activating and Deactivating AWS STS in an AWS
--   Region</a> in the <i>IAM User Guide</i> .
_RegionDisabledException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The request could not be fulfilled because the non-AWS identity
--   provider (IDP) that was asked to verify the incoming identity token
--   could not be reached. This is often a transient error caused by
--   network conditions. Retry the request a limited number of times so
--   that you don't exceed the request rate. If the error persists, the
--   non-AWS identity provider might be down or not responding.
_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The web identity token that was passed could not be validated by AWS.
--   Get a new identity token from the identity provider and then retry the
--   request.
_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The web identity token that was passed is expired or is not valid. Get
--   a new identity token from the identity provider and then retry the
--   request.
_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The identity provider (IdP) reported that authentication failed. This
--   might be because the claim is invalid.
--   
--   If this error is returned for the <tt>AssumeRoleWithWebIdentity</tt>
--   operation, it can also mean that the claim has expired or has been
--   explicitly revoked.
_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The identifiers for the temporary security credentials that the
--   operation returns.
--   
--   <i>See:</i> <a>assumedRoleUser</a> smart constructor.
data AssumedRoleUser

-- | Creates a value of <a>AssumedRoleUser</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>aruAssumedRoleId</a> - A unique identifier that contains the
--   role ID and the role session name of the role that is being assumed.
--   The role ID is generated by AWS when the role is created.</li>
--   <li><a>aruARN</a> - The ARN of the temporary security credentials that
--   are returned from the <tt>AssumeRole</tt> action. For more information
--   about ARNs and how to use them in policies, see <a>IAM Identifiers</a>
--   in <i>Using IAM</i> .</li>
--   </ul>
assumedRoleUser :: Text -> Text -> AssumedRoleUser

-- | A unique identifier that contains the role ID and the role session
--   name of the role that is being assumed. The role ID is generated by
--   AWS when the role is created.
aruAssumedRoleId :: Lens' AssumedRoleUser Text

-- | The ARN of the temporary security credentials that are returned from
--   the <tt>AssumeRole</tt> action. For more information about ARNs and
--   how to use them in policies, see <a>IAM Identifiers</a> in <i>Using
--   IAM</i> .
aruARN :: Lens' AssumedRoleUser Text

-- | Identifiers for the federated user that is associated with the
--   credentials.
--   
--   <i>See:</i> <a>federatedUser</a> smart constructor.
data FederatedUser

-- | Creates a value of <a>FederatedUser</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>fuFederatedUserId</a> - The string that identifies the
--   federated user associated with the credentials, similar to the unique
--   ID of an IAM user.</li>
--   <li><a>fuARN</a> - The ARN that specifies the federated user that is
--   associated with the credentials. For more information about ARNs and
--   how to use them in policies, see <a>IAM Identifiers</a> in <i>Using
--   IAM</i> .</li>
--   </ul>
federatedUser :: Text -> Text -> FederatedUser

-- | The string that identifies the federated user associated with the
--   credentials, similar to the unique ID of an IAM user.
fuFederatedUserId :: Lens' FederatedUser Text

-- | The ARN that specifies the federated user that is associated with the
--   credentials. For more information about ARNs and how to use them in
--   policies, see <a>IAM Identifiers</a> in <i>Using IAM</i> .
fuARN :: Lens' FederatedUser Text


-- | Returns a set of temporary credentials for an AWS account or IAM user.
--   The credentials consist of an access key ID, a secret access key, and
--   a security token. Typically, you use <tt>GetSessionToken</tt> if you
--   want to use MFA to protect programmatic calls to specific AWS APIs
--   like Amazon EC2 <tt>StopInstances</tt> . MFA-enabled IAM users would
--   need to call <tt>GetSessionToken</tt> and submit an MFA code that is
--   associated with their MFA device. Using the temporary security
--   credentials that are returned from the call, IAM users can then make
--   programmatic calls to APIs that require MFA authentication. If you do
--   not supply a correct MFA code, then the API returns an access denied
--   error. For a comparison of <tt>GetSessionToken</tt> with the other
--   APIs that produce temporary credentials, see <a>Requesting Temporary
--   Security Credentials</a> and <a>Comparing the AWS STS APIs</a> in the
--   <i>IAM User Guide</i> .
--   
--   The <tt>GetSessionToken</tt> action must be called by using the
--   long-term AWS security credentials of the AWS account or an IAM user.
--   Credentials that are created by IAM users are valid for the duration
--   that you specify, from 900 seconds (15 minutes) up to a maximum of
--   129600 seconds (36 hours), with a default of 43200 seconds (12 hours);
--   credentials that are created by using account credentials can range
--   from 900 seconds (15 minutes) up to a maximum of 3600 seconds (1
--   hour), with a default of 1 hour.
--   
--   The temporary security credentials created by <tt>GetSessionToken</tt>
--   can be used to make API calls to any AWS service with the following
--   exceptions:
--   
--   <ul>
--   <li>You cannot call any IAM APIs unless MFA authentication information
--   is included in the request.</li>
--   <li>You cannot call any STS API <i>except</i> <tt>AssumeRole</tt> or
--   <tt>GetCallerIdentity</tt> .</li>
--   </ul>
--   
--   The permissions associated with the temporary security credentials
--   returned by <tt>GetSessionToken</tt> are based on the permissions
--   associated with the account or IAM user whose credentials are used to call
--   the action. If <tt>GetSessionToken</tt> is called using root account
--   credentials, the temporary credentials have root account permissions.
--   Similarly, if <tt>GetSessionToken</tt> is called using the credentials
--   of an IAM user, the temporary credentials have the same permissions as
--   the IAM user.
--   
--   For more information about using <tt>GetSessionToken</tt> to create
--   temporary credentials, go to <a>Temporary Credentials for Users in
--   Untrusted Environments</a> in the <i>IAM User Guide</i> .
module Network.AWS.STS.GetSessionToken

-- | Creates a value of <a>GetSessionToken</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>gstTokenCode</a> - The value provided by the MFA device, if MFA
--   is required. If any policy requires the IAM user to submit an MFA
--   code, specify this value. If MFA authentication is required, and the
--   user does not provide a code when requesting a set of temporary
--   security credentials, the user will receive an "access denied"
--   response when requesting resources that require MFA authentication.
--   The format for this parameter, as described by its regex pattern, is a
--   sequence of six numeric digits.</li>
--   <li><a>gstDurationSeconds</a> - The duration, in seconds, that the
--   credentials should remain valid. Acceptable durations for IAM user
--   sessions range from 900 seconds (15 minutes) to 129600 seconds (36
--   hours), with 43200 seconds (12 hours) as the default. Sessions for AWS
--   account owners are restricted to a maximum of 3600 seconds (one hour).
--   If the duration is longer than one hour, the session for AWS account
--   owners defaults to one hour.</li>
--   <li><a>gstSerialNumber</a> - The identification number of the MFA
--   device that is associated with the IAM user who is making the
--   <tt>GetSessionToken</tt> call. Specify this value if the IAM user has
--   a policy that requires MFA authentication. The value is either the
--   serial number for a hardware device (such as <tt>GAHT12345678</tt> )
--   or an Amazon Resource Name (ARN) for a virtual device (such as
--   <tt>arn:aws:iam::123456789012:mfa/user</tt> ). You can find the device
--   for an IAM user by going to the AWS Management Console and viewing the
--   user's security credentials. The regex used to validate this
--   parameter is a string of characters consisting of upper- and
--   lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@:/-</li>
--   </ul>
getSessionToken :: GetSessionToken

-- | <i>See:</i> <a>getSessionToken</a> smart constructor.
data GetSessionToken

-- | The value provided by the MFA device, if MFA is required. If any
--   policy requires the IAM user to submit an MFA code, specify this
--   value. If MFA authentication is required, and the user does not
--   provide a code when requesting a set of temporary security
--   credentials, the user will receive an "access denied" response when
--   requesting resources that require MFA authentication. The format for
--   this parameter, as described by its regex pattern, is a sequence of
--   six numeric digits.
gstTokenCode :: Lens' GetSessionToken (Maybe Text)

-- | The duration, in seconds, that the credentials should remain valid.
--   Acceptable durations for IAM user sessions range from 900 seconds (15
--   minutes) to 129600 seconds (36 hours), with 43200 seconds (12 hours)
--   as the default. Sessions for AWS account owners are restricted to a
--   maximum of 3600 seconds (one hour). If the duration is longer than one
--   hour, the session for AWS account owners defaults to one hour.
gstDurationSeconds :: Lens' GetSessionToken (Maybe Natural)

-- | The identification number of the MFA device that is associated with
--   the IAM user who is making the <tt>GetSessionToken</tt> call. Specify
--   this value if the IAM user has a policy that requires MFA
--   authentication. The value is either the serial number for a hardware
--   device (such as <tt>GAHT12345678</tt> ) or an Amazon Resource Name
--   (ARN) for a virtual device (such as
--   <tt>arn:aws:iam::123456789012:mfa/user</tt> ). You can find the device
--   for an IAM user by going to the AWS Management Console and viewing the
--   user's security credentials. The regex used to validate this
--   parameter is a string of characters consisting of upper- and
--   lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@:/-
gstSerialNumber :: Lens' GetSessionToken (Maybe Text)

-- | Creates a value of <a>GetSessionTokenResponse</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>gstrsCredentials</a> - The temporary security credentials,
--   which include an access key ID, a secret access key, and a security
--   (or session) token. <b>Note:</b> The size of the security token that
--   STS APIs return is not fixed. We strongly recommend that you make no
--   assumptions about the maximum size. As of this writing, the typical
--   size is less than 4096 bytes, but that can vary. Also, future updates
--   to AWS might require larger sizes.</li>
--   <li><a>gstrsResponseStatus</a> - The response status code.</li>
--   </ul>
getSessionTokenResponse :: Int -> GetSessionTokenResponse

-- | Contains the response to a successful <a>GetSessionToken</a> request,
--   including temporary AWS credentials that can be used to make AWS
--   requests.
--   
--   <i>See:</i> <a>getSessionTokenResponse</a> smart constructor.
data GetSessionTokenResponse

-- | The temporary security credentials, which include an access key ID, a
--   secret access key, and a security (or session) token. <b>Note:</b> The
--   size of the security token that STS APIs return is not fixed. We
--   strongly recommend that you make no assumptions about the maximum
--   size. As of this writing, the typical size is less than 4096 bytes,
--   but that can vary. Also, future updates to AWS might require larger
--   sizes.
gstrsCredentials :: Lens' GetSessionTokenResponse (Maybe AuthEnv)

-- | The response status code.
gstrsResponseStatus :: Lens' GetSessionTokenResponse Int
instance GHC.Generics.Generic Network.AWS.STS.GetSessionToken.GetSessionTokenResponse
instance Data.Data.Data Network.AWS.STS.GetSessionToken.GetSessionTokenResponse
instance GHC.Show.Show Network.AWS.STS.GetSessionToken.GetSessionTokenResponse
instance GHC.Classes.Eq Network.AWS.STS.GetSessionToken.GetSessionTokenResponse
instance GHC.Generics.Generic Network.AWS.STS.GetSessionToken.GetSessionToken
instance Data.Data.Data Network.AWS.STS.GetSessionToken.GetSessionToken
instance GHC.Show.Show Network.AWS.STS.GetSessionToken.GetSessionToken
instance GHC.Read.Read Network.AWS.STS.GetSessionToken.GetSessionToken
instance GHC.Classes.Eq Network.AWS.STS.GetSessionToken.GetSessionToken
instance Network.AWS.Types.AWSRequest Network.AWS.STS.GetSessionToken.GetSessionToken
instance Control.DeepSeq.NFData Network.AWS.STS.GetSessionToken.GetSessionTokenResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.GetSessionToken.GetSessionToken
instance Control.DeepSeq.NFData Network.AWS.STS.GetSessionToken.GetSessionToken
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.GetSessionToken.GetSessionToken
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.GetSessionToken.GetSessionToken
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.GetSessionToken.GetSessionToken


-- | Returns a set of temporary security credentials (consisting of an
--   access key ID, a secret access key, and a security token) for a
--   federated user. A typical use is in a proxy application that gets
--   temporary security credentials on behalf of distributed applications
--   inside a corporate network. Because you must call the
--   <tt>GetFederationToken</tt> action using the long-term security
--   credentials of an IAM user, this call is appropriate in contexts where
--   those credentials can be safely stored, usually in a server-based
--   application. For a comparison of <tt>GetFederationToken</tt> with the
--   other APIs that produce temporary credentials, see <a>Requesting
--   Temporary Security Credentials</a> and <a>Comparing the AWS STS
--   APIs</a> in the <i>IAM User Guide</i> .
--   
--   The <tt>GetFederationToken</tt> action must be called by using the
--   long-term AWS security credentials of an IAM user. You can also call
--   <tt>GetFederationToken</tt> using the security credentials of an AWS
--   root account, but we do not recommend it. Instead, we recommend that
--   you create an IAM user for the purpose of the proxy application and
--   then attach a policy to the IAM user that limits federated users to
--   only the actions and resources that they need access to. For more
--   information, see <a>IAM Best Practices</a> in the <i>IAM User
--   Guide</i> .
--   
--   The temporary security credentials that are obtained by using the
--   long-term credentials of an IAM user are valid for the specified
--   duration, from 900 seconds (15 minutes) up to a maximum of 129600
--   seconds (36 hours). The default is 43200 seconds (12 hours). Temporary
--   credentials that are obtained by using AWS root account credentials
--   have a maximum duration of 3600 seconds (1 hour).
--   
--   The temporary security credentials created by
--   <tt>GetFederationToken</tt> can be used to make API calls to any AWS
--   service with the following exceptions:
--   
--   <ul>
--   <li>You cannot use these credentials to call any IAM APIs.</li>
--   <li>You cannot call any STS APIs except <tt>GetCallerIdentity</tt>
--   .</li>
--   </ul>
--   
--   <b>Permissions</b>
--   
--   The permissions for the temporary security credentials returned by
--   <tt>GetFederationToken</tt> are determined by a combination of the
--   following:
--   
--   <ul>
--   <li>The policy or policies that are attached to the IAM user whose
--   credentials are used to call <tt>GetFederationToken</tt> .</li>
--   <li>The policy that is passed as a parameter in the call.</li>
--   </ul>
--   
--   The passed policy is attached to the temporary security credentials
--   that result from the <tt>GetFederationToken</tt> API call--that is, to
--   the <i>federated user</i> . When the federated user makes an AWS
--   request, AWS evaluates the policy attached to the federated user in
--   combination with the policy or policies attached to the IAM user whose
--   credentials were used to call <tt>GetFederationToken</tt> . AWS allows
--   the federated user's request only when both the federated user
--   <i><b>and</b> </i> the IAM user are explicitly allowed to perform the
--   requested action. The passed policy cannot grant more permissions than
--   those that are defined in the IAM user policy.
--   
--   A typical use case is that the permissions of the IAM user whose
--   credentials are used to call <tt>GetFederationToken</tt> are designed
--   to allow access to all the actions and resources that any federated
--   user will need. Then, for individual users, you pass a policy to the
--   operation that scopes down the permissions to a level that's
--   appropriate to that individual user, using a policy that allows only a
--   subset of permissions that are granted to the IAM user.
--   
--   If you do not pass a policy, the resulting temporary security
--   credentials have no effective permissions. The only exception is when
--   the temporary security credentials are used to access a resource that
--   has a resource-based policy that specifically allows the federated
--   user to access the resource.
--   
--   For more information about how permissions work, see <a>Permissions
--   for GetFederationToken</a> . For information about using
--   <tt>GetFederationToken</tt> to create temporary security credentials,
--   see <a>GetFederationToken—Federation Through a Custom Identity
--   Broker</a> .
module Network.AWS.STS.GetFederationToken

-- | Creates a value of <a>GetFederationToken</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>gftDurationSeconds</a> - The duration, in seconds, that the
--   session should last. Acceptable durations for federation sessions
--   range from 900 seconds (15 minutes) to 129600 seconds (36 hours), with
--   43200 seconds (12 hours) as the default. Sessions obtained using AWS
--   account (root) credentials are restricted to a maximum of 3600 seconds
--   (one hour). If the specified duration is longer than one hour, the
--   session obtained by using AWS account (root) credentials defaults to
--   one hour.</li>
--   <li><a>gftPolicy</a> - An IAM policy in JSON format that is passed
--   with the <tt>GetFederationToken</tt> call and evaluated along with the
--   policy or policies that are attached to the IAM user whose credentials
--   are used to call <tt>GetFederationToken</tt> . The passed policy is
--   used to scope down the permissions that are available to the IAM user,
--   by allowing only a subset of the permissions that are granted to the
--   IAM user. The passed policy cannot grant more permissions than those
--   granted to the IAM user. The final permissions for the federated user
--   are the most restrictive set based on the intersection of the passed
--   policy and the IAM user policy. If you do not pass a policy, the
--   resulting temporary security credentials have no effective
--   permissions. The only exception is when the temporary security
--   credentials are used to access a resource that has a resource-based
--   policy that specifically allows the federated user to access the
--   resource. The format for this parameter, as described by its regex
--   pattern, is a string of characters up to 2048 characters in length.
--   The characters can be any ASCII character from the space character to
--   the end of the valid character list (\u0020-\u00FF). It can also include
--   the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
--   characters. For more information about how permissions work, see
--   <a>Permissions for GetFederationToken</a> .</li>
--   <li><a>gftName</a> - The name of the federated user. The name is used
--   as an identifier for the temporary security credentials (such as
--   <tt>Bob</tt> ). For example, you can reference the federated user name
--   in a resource-based policy, such as in an Amazon S3 bucket policy. The
--   regex used to validate this parameter is a string of characters
--   consisting of upper- and lower-case alphanumeric characters with no
--   spaces. You can also include underscores or any of the following
--   characters: =,.@-</li>
--   </ul>
getFederationToken :: Text -> GetFederationToken

-- | <i>See:</i> <a>getFederationToken</a> smart constructor.
data GetFederationToken

-- | The duration, in seconds, that the session should last. Acceptable
--   durations for federation sessions range from 900 seconds (15 minutes)
--   to 129600 seconds (36 hours), with 43200 seconds (12 hours) as the
--   default. Sessions obtained using AWS account (root) credentials are
--   restricted to a maximum of 3600 seconds (one hour). If the specified
--   duration is longer than one hour, the session obtained by using AWS
--   account (root) credentials defaults to one hour.
gftDurationSeconds :: Lens' GetFederationToken (Maybe Natural)

-- | An IAM policy in JSON format that is passed with the
--   <tt>GetFederationToken</tt> call and evaluated along with the policy
--   or policies that are attached to the IAM user whose credentials are
--   used to call <tt>GetFederationToken</tt> . The passed policy is used
--   to scope down the permissions that are available to the IAM user, by
--   allowing only a subset of the permissions that are granted to the IAM
--   user. The passed policy cannot grant more permissions than those
--   granted to the IAM user. The final permissions for the federated user
--   are the most restrictive set based on the intersection of the passed
--   policy and the IAM user policy. If you do not pass a policy, the
--   resulting temporary security credentials have no effective
--   permissions. The only exception is when the temporary security
--   credentials are used to access a resource that has a resource-based
--   policy that specifically allows the federated user to access the
--   resource. The format for this parameter, as described by its regex
--   pattern, is a string of characters up to 2048 characters in length.
--   The characters can be any ASCII character from the space character to
--   the end of the valid character list (\u0020-\u00FF). It can also include
--   the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
--   characters. For more information about how permissions work, see
--   <a>Permissions for GetFederationToken</a> .
gftPolicy :: Lens' GetFederationToken (Maybe Text)

-- | The name of the federated user. The name is used as an identifier for
--   the temporary security credentials (such as <tt>Bob</tt> ). For
--   example, you can reference the federated user name in a resource-based
--   policy, such as in an Amazon S3 bucket policy. The regex used to
--   validate this parameter is a string of characters consisting of upper-
--   and lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@-
gftName :: Lens' GetFederationToken Text

-- | Creates a value of <a>GetFederationTokenResponse</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>gftrsPackedPolicySize</a> - A percentage value indicating the
--   size of the policy in packed form. The service rejects policies for
--   which the packed size is greater than 100 percent of the allowed
--   value.</li>
--   <li><a>gftrsCredentials</a> - The temporary security credentials,
--   which include an access key ID, a secret access key, and a security
--   (or session) token. <b>Note:</b> The size of the security token that
--   STS APIs return is not fixed. We strongly recommend that you make no
--   assumptions about the maximum size. As of this writing, the typical
--   size is less than 4096 bytes, but that can vary. Also, future updates
--   to AWS might require larger sizes.</li>
--   <li><a>gftrsFederatedUser</a> - Identifiers for the federated user
--   associated with the credentials (such as
--   <tt>arn:aws:sts::123456789012:federated-user/Bob</tt> or
--   <tt>123456789012:Bob</tt> ). You can use the federated user's ARN in
--   your resource-based policies, such as an Amazon S3 bucket policy.</li>
--   <li><a>gftrsResponseStatus</a> - The response status code.</li>
--   </ul>
getFederationTokenResponse :: Int -> GetFederationTokenResponse

-- | Contains the response to a successful <a>GetFederationToken</a>
--   request, including temporary AWS credentials that can be used to make
--   AWS requests.
--   
--   <i>See:</i> <a>getFederationTokenResponse</a> smart constructor.
data GetFederationTokenResponse

-- | A percentage value indicating the size of the policy in packed form.
--   The service rejects policies for which the packed size is greater than
--   100 percent of the allowed value.
gftrsPackedPolicySize :: Lens' GetFederationTokenResponse (Maybe Natural)

-- | The temporary security credentials, which include an access key ID, a
--   secret access key, and a security (or session) token. <b>Note:</b> The
--   size of the security token that STS APIs return is not fixed. We
--   strongly recommend that you make no assumptions about the maximum
--   size. As of this writing, the typical size is less than 4096 bytes,
--   but that can vary. Also, future updates to AWS might require larger
--   sizes.
gftrsCredentials :: Lens' GetFederationTokenResponse (Maybe AuthEnv)

-- | Identifiers for the federated user associated with the credentials
--   (such as <tt>arn:aws:sts::123456789012:federated-user/Bob</tt> or
--   <tt>123456789012:Bob</tt> ). You can use the federated user's ARN in
--   your resource-based policies, such as an Amazon S3 bucket policy.
gftrsFederatedUser :: Lens' GetFederationTokenResponse (Maybe FederatedUser)

-- | The response status code.
gftrsResponseStatus :: Lens' GetFederationTokenResponse Int
instance GHC.Generics.Generic Network.AWS.STS.GetFederationToken.GetFederationTokenResponse
instance Data.Data.Data Network.AWS.STS.GetFederationToken.GetFederationTokenResponse
instance GHC.Show.Show Network.AWS.STS.GetFederationToken.GetFederationTokenResponse
instance GHC.Classes.Eq Network.AWS.STS.GetFederationToken.GetFederationTokenResponse
instance GHC.Generics.Generic Network.AWS.STS.GetFederationToken.GetFederationToken
instance Data.Data.Data Network.AWS.STS.GetFederationToken.GetFederationToken
instance GHC.Show.Show Network.AWS.STS.GetFederationToken.GetFederationToken
instance GHC.Read.Read Network.AWS.STS.GetFederationToken.GetFederationToken
instance GHC.Classes.Eq Network.AWS.STS.GetFederationToken.GetFederationToken
instance Network.AWS.Types.AWSRequest Network.AWS.STS.GetFederationToken.GetFederationToken
instance Control.DeepSeq.NFData Network.AWS.STS.GetFederationToken.GetFederationTokenResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.GetFederationToken.GetFederationToken
instance Control.DeepSeq.NFData Network.AWS.STS.GetFederationToken.GetFederationToken
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.GetFederationToken.GetFederationToken
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.GetFederationToken.GetFederationToken
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.GetFederationToken.GetFederationToken


-- | Returns details about the IAM identity whose credentials are used to
--   call the API.
module Network.AWS.STS.GetCallerIdentity

-- | Creates a value of <a>GetCallerIdentity</a> with the minimum fields
--   required to make a request.
getCallerIdentity :: GetCallerIdentity

-- | <i>See:</i> <a>getCallerIdentity</a> smart constructor.
data GetCallerIdentity

-- | Creates a value of <a>GetCallerIdentityResponse</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>gcirsARN</a> - The AWS ARN associated with the calling
--   entity.</li>
--   <li><a>gcirsAccount</a> - The AWS account ID number of the account
--   that owns or contains the calling entity.</li>
--   <li><a>gcirsUserId</a> - The unique identifier of the calling entity.
--   The exact value depends on the type of entity making the call. The
--   values returned are those listed in the <b>aws:userid</b> column in
--   the <a>Principal table</a> found on the <b>Policy Variables</b>
--   reference page in the <i>IAM User Guide</i> .</li>
--   <li><a>gcirsResponseStatus</a> - The response status code.</li>
--   </ul>
getCallerIdentityResponse :: Int -> GetCallerIdentityResponse

-- | Contains the response to a successful <a>GetCallerIdentity</a>
--   request, including information about the entity making the request.
--   
--   <i>See:</i> <a>getCallerIdentityResponse</a> smart constructor.
data GetCallerIdentityResponse

-- | The AWS ARN associated with the calling entity.
gcirsARN :: Lens' GetCallerIdentityResponse (Maybe Text)

-- | The AWS account ID number of the account that owns or contains the
--   calling entity.
gcirsAccount :: Lens' GetCallerIdentityResponse (Maybe Text)

-- | The unique identifier of the calling entity. The exact value depends
--   on the type of entity making the call. The values returned are those
--   listed in the <b>aws:userid</b> column in the <a>Principal table</a>
--   found on the <b>Policy Variables</b> reference page in the <i>IAM User
--   Guide</i> .
gcirsUserId :: Lens' GetCallerIdentityResponse (Maybe Text)

-- | The response status code.
gcirsResponseStatus :: Lens' GetCallerIdentityResponse Int
instance GHC.Generics.Generic Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance Data.Data.Data Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance GHC.Show.Show Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance GHC.Read.Read Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance GHC.Classes.Eq Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance GHC.Generics.Generic Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Data.Data.Data Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance GHC.Show.Show Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance GHC.Read.Read Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance GHC.Classes.Eq Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Network.AWS.Types.AWSRequest Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Control.DeepSeq.NFData Network.AWS.STS.GetCallerIdentity.GetCallerIdentityResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Control.DeepSeq.NFData Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.GetCallerIdentity.GetCallerIdentity
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.GetCallerIdentity.GetCallerIdentity


-- | Decodes additional information about the authorization status of a
--   request from an encoded message returned in response to an AWS
--   request.
--   
--   For example, if a user is not authorized to perform an action that he
--   or she has requested, the request returns a
--   <tt>Client.UnauthorizedOperation</tt> response (an HTTP 403 response).
--   Some AWS actions additionally return an encoded message that can
--   provide details about this authorization failure.
--   
--   The message is encoded because the details of the authorization status
--   can constitute privileged information that the user who requested the
--   action should not see. To decode an authorization status message, a
--   user must be granted permissions via an IAM policy to request the
--   <tt>DecodeAuthorizationMessage</tt>
--   (<tt>sts:DecodeAuthorizationMessage</tt> ) action.
--   
--   The decoded message includes the following types of information:
--   
--   <ul>
--   <li>Whether the request was denied due to an explicit deny or due to
--   the absence of an explicit allow. For more information, see
--   <a>Determining Whether a Request is Allowed or Denied</a> in the
--   <i>IAM User Guide</i> .</li>
--   <li>The principal who made the request.</li>
--   <li>The requested action.</li>
--   <li>The requested resource.</li>
--   <li>The values of condition keys in the context of the user's
--   request.</li>
--   </ul>
module Network.AWS.STS.DecodeAuthorizationMessage

-- | Creates a value of <a>DecodeAuthorizationMessage</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>damEncodedMessage</a> - The encoded message that was returned
--   with the response.</li>
--   </ul>
decodeAuthorizationMessage :: Text -> DecodeAuthorizationMessage

-- | <i>See:</i> <a>decodeAuthorizationMessage</a> smart constructor.
data DecodeAuthorizationMessage

-- | The encoded message that was returned with the response.
damEncodedMessage :: Lens' DecodeAuthorizationMessage Text

-- | Creates a value of <a>DecodeAuthorizationMessageResponse</a> with the
--   minimum fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>damrsDecodedMessage</a> - An XML document that contains the
--   decoded message.</li>
--   <li><a>damrsResponseStatus</a> - The response status code.</li>
--   </ul>
decodeAuthorizationMessageResponse :: Int -> DecodeAuthorizationMessageResponse

-- | A document that contains additional information about the
--   authorization status of a request from an encoded message that is
--   returned in response to an AWS request.
--   
--   <i>See:</i> <a>decodeAuthorizationMessageResponse</a> smart
--   constructor.
data DecodeAuthorizationMessageResponse

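-- | An XML document that contains the decoded message. The decoded
--   details can constitute privileged information, so limit where this
--   value is logged or displayed.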
damrsDecodedMessage :: Lens' DecodeAuthorizationMessageResponse (Maybe Text)

-- | The response status code.
damrsResponseStatus :: Lens' DecodeAuthorizationMessageResponse Int
instance GHC.Generics.Generic Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance Data.Data.Data Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance GHC.Show.Show Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance GHC.Read.Read Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance GHC.Classes.Eq Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance GHC.Generics.Generic Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Data.Data.Data Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance GHC.Show.Show Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance GHC.Read.Read Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance GHC.Classes.Eq Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Network.AWS.Types.AWSRequest Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Control.DeepSeq.NFData Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessageResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Control.DeepSeq.NFData Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.DecodeAuthorizationMessage.DecodeAuthorizationMessage


-- | Returns a set of temporary security credentials for users who have
--   been authenticated in a mobile or web application with a web identity
--   provider, such as Amazon Cognito, Login with Amazon, Facebook, Google,
--   or any OpenID Connect-compatible identity provider.
--   
--   Calling <tt>AssumeRoleWithWebIdentity</tt> does not require the use of
--   AWS security credentials. Therefore, you can distribute an application
--   (for example, on mobile devices) that requests temporary security
--   credentials without including long-term AWS credentials in the
--   application, and without deploying server-based proxy services that
--   use long-term AWS credentials. Instead, the identity of the caller is
--   validated by using a token from the web identity provider. For a
--   comparison of <tt>AssumeRoleWithWebIdentity</tt> with the other APIs
--   that produce temporary credentials, see <a>Requesting Temporary
--   Security Credentials</a> and <a>Comparing the AWS STS APIs</a> in the
--   <i>IAM User Guide</i> .
--   
--   The temporary security credentials returned by this API consist of an
--   access key ID, a secret access key, and a security token. Applications
--   can use these temporary security credentials to sign calls to AWS
--   service APIs.
--   
--   By default, the temporary security credentials created by
--   <tt>AssumeRoleWithWebIdentity</tt> last for one hour. However, you can
--   use the optional <tt>DurationSeconds</tt> parameter to specify the
--   duration of your session. You can provide a value from 900 seconds (15
--   minutes) up to the maximum session duration setting for the role. This
--   setting can have a value from 1 hour to 12 hours. To learn how to view
--   the maximum value for your role, see <a>View the Maximum Session
--   Duration Setting for a Role</a> in the <i>IAM User Guide</i> . The
--   maximum session duration limit applies when you use the
--   <tt>AssumeRole*</tt> API operations or the <tt>assume-role*</tt> CLI
--   operations but does not apply when you use those operations to create
--   a console URL. For more information, see <a>Using IAM Roles</a> in the
--   <i>IAM User Guide</i> .
--   
--   The temporary security credentials created by
--   <tt>AssumeRoleWithWebIdentity</tt> can be used to make API calls to
--   any AWS service with the following exception: you cannot call the STS
--   service's <tt>GetFederationToken</tt> or <tt>GetSessionToken</tt>
--   APIs.
--   
--   Optionally, you can pass an IAM access policy to this operation. If
--   you choose not to pass a policy, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   defined in the access policy of the role that is being assumed. If you
--   pass a policy to this operation, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   allowed by both the access policy of the role that is being assumed,
--   <i><b>and</b> </i> the policy that you pass. This gives you a way to
--   further restrict the permissions for the resulting temporary security
--   credentials. You cannot use the passed policy to grant permissions
--   that are in excess of those allowed by the access policy of the role
--   that is being assumed. For more information, see <a>Permissions for
--   AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in
--   the <i>IAM User Guide</i> .
--   
--   Before your application can call <tt>AssumeRoleWithWebIdentity</tt> ,
--   you must have an identity token from a supported identity provider and
--   create a role that the application can assume. The role that your
--   application assumes must trust the identity provider that is
--   associated with the identity token. In other words, the identity
--   provider must be specified in the role's trust policy.
--   
--   <i>Important:</i> Calling <tt>AssumeRoleWithWebIdentity</tt> can
--   result in an entry in your AWS CloudTrail logs. The entry includes the
--   <a>Subject</a> of the provided Web Identity Token. We recommend that
--   you avoid using any personally identifiable information (PII) in this
--   field. For example, you could instead use a GUID or a pairwise
--   identifier, as <a>suggested in the OIDC specification</a> .
--   
--   For more information about how to use web identity federation and the
--   <tt>AssumeRoleWithWebIdentity</tt> API, see the following resources:
--   
--   <ul>
--   <li><a>Using Web Identity Federation APIs for Mobile Apps</a> and
--   <a>Federation Through a Web-based Identity Provider</a> .</li>
--   <li><a>Web Identity Federation Playground</a> . This interactive
--   website lets you walk through the process of authenticating via Login
--   with Amazon, Facebook, or Google, getting temporary security
--   credentials, and then using those credentials to make a request to
--   AWS.</li>
--   <li><a>AWS SDK for iOS</a> and <a>AWS SDK for Android</a> . These
--   toolkits contain sample apps that show how to invoke the identity
--   providers, and then how to use the information from these providers to
--   get and use temporary security credentials.</li>
--   <li><a>Web Identity Federation with Mobile Applications</a> . This
--   article discusses web identity federation and shows an example of how
--   to use web identity federation to get access to content in Amazon
--   S3.</li>
--   </ul>
module Network.AWS.STS.AssumeRoleWithWebIdentity

-- | Creates a value of <a>AssumeRoleWithWebIdentity</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arwwiProviderId</a> - The fully qualified host component of the
--   domain name of the identity provider. Specify this value only for
--   OAuth 2.0 access tokens. Currently <tt>www.amazon.com</tt> and
--   <tt>graph.facebook.com</tt> are the only supported identity providers
--   for OAuth 2.0 access tokens. Do not include URL schemes and port
--   numbers. Do not specify this value for OpenID Connect ID tokens.</li>
--   <li><a>arwwiDurationSeconds</a> - The duration, in seconds, of the
--   role session. The value can range from 900 seconds (15 minutes) up to
--   the maximum session duration setting for the role. This setting can
--   have a value from 1 hour to 12 hours. If you specify a value higher
--   than this setting, the operation fails. For example, if you specify a
--   session duration of 12 hours, but your administrator set the maximum
--   session duration to 6 hours, your operation fails. To learn how to
--   view the maximum value for your role, see <a>View the Maximum Session
--   Duration Setting for a Role</a> in the <i>IAM User Guide</i> . By
--   default, the value is set to 3600 seconds.</li>
--   <li><a>arwwiPolicy</a> - An IAM policy in JSON format. The policy
--   parameter is optional. If you pass a policy, the temporary security
--   credentials that are returned by the operation have the permissions
--   that are allowed by both the access policy of the role that is being
--   assumed, <i><b>and</b> </i> the policy that you pass. This gives you a
--   way to further restrict the permissions for the resulting temporary
--   security credentials. You cannot use the passed policy to grant
--   permissions that are in excess of those allowed by the access policy
--   of the role that is being assumed. For more information, see
--   <a>Permissions for AssumeRoleWithWebIdentity</a> in the <i>IAM User
--   Guide</i> . The format for this parameter, as described by its regex
--   pattern, is a string of characters up to 2048 characters in length.
--   The characters can be any ASCII character from the space character to
--   the end of the valid character list (\u0020-\u00FF). It can also include
--   the tab (\u0009), linefeed (\u000A), and carriage return (\u000D)
--   characters.</li>
--   <li><a>arwwiRoleARN</a> - The Amazon Resource Name (ARN) of the role
--   that the caller is assuming.</li>
--   <li><a>arwwiRoleSessionName</a> - An identifier for the assumed role
--   session. Typically, you pass the name or identifier that is associated
--   with the user who is using your application. That way, the temporary
--   security credentials that your application will use are associated
--   with that user. This session name is included as part of the ARN and
--   assumed role ID in the <tt>AssumedRoleUser</tt> response element. The
--   regex used to validate this parameter is a string of characters
--   consisting of upper- and lower-case alphanumeric characters with no
--   spaces. You can also include underscores or any of the following
--   characters: =,.@-</li>
--   <li><a>arwwiWebIdentityToken</a> - The OAuth 2.0 access token or
--   OpenID Connect ID token that is provided by the identity provider.
--   Your application must get this token by authenticating the user who is
--   using your application with a web identity provider before the
--   application makes an <tt>AssumeRoleWithWebIdentity</tt> call.</li>
--   </ul>
assumeRoleWithWebIdentity :: Text -> Text -> Text -> AssumeRoleWithWebIdentity

-- | <i>See:</i> <a>assumeRoleWithWebIdentity</a> smart constructor.
data AssumeRoleWithWebIdentity

-- | The fully qualified host component of the domain name of the identity
--   provider. Specify this value only for OAuth 2.0 access tokens.
--   Currently <tt>www.amazon.com</tt> and <tt>graph.facebook.com</tt> are
--   the only supported identity providers for OAuth 2.0 access tokens. Do
--   not include URL schemes and port numbers. Do not specify this value
--   for OpenID Connect ID tokens.
arwwiProviderId :: Lens' AssumeRoleWithWebIdentity (Maybe Text)

-- | The duration, in seconds, of the role session. The value can range
--   from 900 seconds (15 minutes) up to the maximum session duration
--   setting for the role. This setting can have a value from 1 hour to 12
--   hours. If you specify a value higher than this setting, the operation
--   fails. For example, if you specify a session duration of 12 hours, but
--   your administrator set the maximum session duration to 6 hours, your
--   operation fails. To learn how to view the maximum value for your role,
--   see <a>View the Maximum Session Duration Setting for a Role</a> in the
--   <i>IAM User Guide</i> . By default, the value is set to 3600 seconds.
arwwiDurationSeconds :: Lens' AssumeRoleWithWebIdentity (Maybe Natural)

-- | An IAM policy in JSON format. The policy parameter is optional. If you
--   pass a policy, the temporary security credentials that are returned by
--   the operation have the permissions that are allowed by both the access
--   policy of the role that is being assumed, <i><b>and</b> </i> the
--   policy that you pass. This gives you a way to further restrict the
--   permissions for the resulting temporary security credentials. You
--   cannot use the passed policy to grant permissions that are in excess
--   of those allowed by the access policy of the role that is being
--   assumed. For more information, see <a>Permissions for
--   AssumeRoleWithWebIdentity</a> in the <i>IAM User Guide</i> . The
--   format for this parameter, as described by its regex pattern, is a
--   string of characters up to 2048 characters in length. The characters
--   can be any ASCII character from the space character to the end of the
--   valid character list (\u0020-\u00FF). It can also include the tab
--   (\u0009), linefeed (\u000A), and carriage return (\u000D) characters.
arwwiPolicy :: Lens' AssumeRoleWithWebIdentity (Maybe Text)

-- | The Amazon Resource Name (ARN) of the role that the caller is
--   assuming.
arwwiRoleARN :: Lens' AssumeRoleWithWebIdentity Text

-- | An identifier for the assumed role session. Typically, you pass the
--   name or identifier that is associated with the user who is using your
--   application. That way, the temporary security credentials that your
--   application will use are associated with that user. This session name
--   is included as part of the ARN and assumed role ID in the
--   <tt>AssumedRoleUser</tt> response element. The regex used to validate
--   this parameter is a string of characters consisting of upper- and
--   lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@-
arwwiRoleSessionName :: Lens' AssumeRoleWithWebIdentity Text

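-- | The OAuth 2.0 access token or OpenID Connect ID token that is provided
--   by the identity provider. Your application must get this token by
--   authenticating the user who is using your application with a web
--   identity provider before the application makes an
--   <tt>AssumeRoleWithWebIdentity</tt> call. The token is what validates
--   the caller's identity and this lens exposes it as plain <tt>Text</tt>,
--   so keep request values that carry it out of logs and debug output.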
arwwiWebIdentityToken :: Lens' AssumeRoleWithWebIdentity Text

-- | Creates a value of <a>AssumeRoleWithWebIdentityResponse</a> with the
--   minimum fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arwwirsAudience</a> - The intended audience (also known as
--   client ID) of the web identity token. This is traditionally the client
--   identifier issued to the application that requested the web identity
--   token.</li>
--   <li><a>arwwirsSubjectFromWebIdentityToken</a> - The unique user
--   identifier that is returned by the identity provider. This identifier
--   is associated with the <tt>WebIdentityToken</tt> that was submitted
--   with the <tt>AssumeRoleWithWebIdentity</tt> call. The identifier is
--   typically unique to the user and the application that acquired the
--   <tt>WebIdentityToken</tt> (pairwise identifier). For OpenID Connect ID
--   tokens, this field contains the value returned by the identity
--   provider as the token's <tt>sub</tt> (Subject) claim.</li>
--   <li><a>arwwirsPackedPolicySize</a> - A percentage value that indicates
--   the size of the policy in packed form. The service rejects any policy
--   with a packed size greater than 100 percent, which means the policy
--   exceeded the allowed space.</li>
--   <li><a>arwwirsCredentials</a> - The temporary security credentials,
--   which include an access key ID, a secret access key, and a security
--   token. <b>Note:</b> The size of the security token that STS APIs
--   return is not fixed. We strongly recommend that you make no
--   assumptions about the maximum size. As of this writing, the typical
--   size is less than 4096 bytes, but that can vary. Also, future updates
--   to AWS might require larger sizes.</li>
--   <li><a>arwwirsAssumedRoleUser</a> - The Amazon Resource Name (ARN) and
--   the assumed role ID, which are identifiers that you can use to refer
--   to the resulting temporary security credentials. For example, you can
--   reference these credentials as a principal in a resource-based policy
--   by using the ARN or assumed role ID. The ARN and ID include the
--   <tt>RoleSessionName</tt> that you specified when you called
--   <tt>AssumeRole</tt> .</li>
--   <li><a>arwwirsProvider</a> - The issuing authority of the web identity
--   token presented. For OpenID Connect ID Tokens this contains the value
--   of the <tt>iss</tt> field. For OAuth 2.0 access tokens, this contains
--   the value of the <tt>ProviderId</tt> parameter that was passed in the
--   <tt>AssumeRoleWithWebIdentity</tt> request.</li>
--   <li><a>arwwirsResponseStatus</a> - The response status code.</li>
--   </ul>
assumeRoleWithWebIdentityResponse :: Int -> AssumeRoleWithWebIdentityResponse

-- | Contains the response to a successful <a>AssumeRoleWithWebIdentity</a>
--   request, including temporary AWS credentials that can be used to make
--   AWS requests.
--   
--   <i>See:</i> <a>assumeRoleWithWebIdentityResponse</a> smart
--   constructor.
data AssumeRoleWithWebIdentityResponse

-- | The intended audience (also known as client ID) of the web identity
--   token. This is traditionally the client identifier issued to the
--   application that requested the web identity token.
arwwirsAudience :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)

-- | The unique user identifier that is returned by the identity provider.
--   This identifier is associated with the <tt>WebIdentityToken</tt> that
--   was submitted with the <tt>AssumeRoleWithWebIdentity</tt> call. The
--   identifier is typically unique to the user and the application that
--   acquired the <tt>WebIdentityToken</tt> (pairwise identifier). For
--   OpenID Connect ID tokens, this field contains the value returned by
--   the identity provider as the token's <tt>sub</tt> (Subject) claim.
arwwirsSubjectFromWebIdentityToken :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)

-- | A percentage value that indicates the size of the policy in packed
--   form. The service rejects any policy with a packed size greater than
--   100 percent, which means the policy exceeded the allowed space.
arwwirsPackedPolicySize :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Natural)

-- | The temporary security credentials, which include an access key ID, a
--   secret access key, and a security token. <b>Note:</b> The size of the
--   security token that STS APIs return is not fixed. We strongly
--   recommend that you make no assumptions about the maximum size. As of
--   this writing, the typical size is less than 4096 bytes, but that can
--   vary. Also, future updates to AWS might require larger sizes.
arwwirsCredentials :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AuthEnv)

-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
--   identifiers that you can use to refer to the resulting temporary
--   security credentials. For example, you can reference these credentials
--   as a principal in a resource-based policy by using the ARN or assumed
--   role ID. The ARN and ID include the <tt>RoleSessionName</tt> that you
--   specified when you called <tt>AssumeRole</tt> .
arwwirsAssumedRoleUser :: Lens' AssumeRoleWithWebIdentityResponse (Maybe AssumedRoleUser)

-- | The issuing authority of the web identity token presented. For OpenID
--   Connect ID Tokens this contains the value of the <tt>iss</tt> field.
--   For OAuth 2.0 access tokens, this contains the value of the
--   <tt>ProviderId</tt> parameter that was passed in the
--   <tt>AssumeRoleWithWebIdentity</tt> request.
arwwirsProvider :: Lens' AssumeRoleWithWebIdentityResponse (Maybe Text)

-- | The response status code.
arwwirsResponseStatus :: Lens' AssumeRoleWithWebIdentityResponse Int
instance GHC.Generics.Generic Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentityResponse
instance Data.Data.Data Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentityResponse
instance GHC.Show.Show Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentityResponse
instance GHC.Classes.Eq Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentityResponse
instance GHC.Generics.Generic Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Data.Data.Data Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance GHC.Show.Show Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance GHC.Read.Read Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance GHC.Classes.Eq Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Network.AWS.Types.AWSRequest Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentityResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.AssumeRoleWithWebIdentity.AssumeRoleWithWebIdentity


-- | Returns a set of temporary security credentials for users who have
--   been authenticated via a SAML authentication response. This operation
--   provides a mechanism for tying an enterprise identity store or
--   directory to role-based AWS access without user-specific credentials
--   or configuration. For a comparison of <tt>AssumeRoleWithSAML</tt> with
--   the other APIs that produce temporary credentials, see <a>Requesting
--   Temporary Security Credentials</a> and <a>Comparing the AWS STS
--   APIs</a> in the <i>IAM User Guide</i> .
--   
--   The temporary security credentials returned by this operation consist
--   of an access key ID, a secret access key, and a security token.
--   Applications can use these temporary security credentials to sign
--   calls to AWS services.
--   
--   By default, the temporary security credentials created by
--   <tt>AssumeRoleWithSAML</tt> last for one hour. However, you can use
--   the optional <tt>DurationSeconds</tt> parameter to specify the
--   duration of your session. Your role session lasts for the duration
--   that you specify, or until the time specified in the SAML
--   authentication response's <tt>SessionNotOnOrAfter</tt> value,
--   whichever is shorter. You can provide a <tt>DurationSeconds</tt> value
--   from 900 seconds (15 minutes) up to the maximum session duration
--   setting for the role. This setting can have a value from 1 hour to 12
--   hours. To learn how to view the maximum value for your role, see
--   <a>View the Maximum Session Duration Setting for a Role</a> in the
--   <i>IAM User Guide</i> . The maximum session duration limit applies
--   when you use the <tt>AssumeRole*</tt> API operations or the
--   <tt>assume-role*</tt> CLI operations but does not apply when you use
--   those operations to create a console URL. For more information, see
--   <a>Using IAM Roles</a> in the <i>IAM User Guide</i> .
--   
--   The temporary security credentials created by
--   <tt>AssumeRoleWithSAML</tt> can be used to make API calls to any AWS
--   service with the following exception: you cannot call the STS
--   service's <tt>GetFederationToken</tt> or <tt>GetSessionToken</tt>
--   APIs.
--   
--   Optionally, you can pass an IAM access policy to this operation. If
--   you choose not to pass a policy, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   defined in the access policy of the role that is being assumed. If you
--   pass a policy to this operation, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   allowed by the intersection of both the access policy of the role that
--   is being assumed, <i><b>and</b> </i> the policy that you pass. This
--   means that both policies must grant the permission for the action to
--   be allowed. This gives you a way to further restrict the permissions
--   for the resulting temporary security credentials. You cannot use the
--   passed policy to grant permissions that are in excess of those allowed
--   by the access policy of the role that is being assumed. For more
--   information, see <a>Permissions for AssumeRole, AssumeRoleWithSAML,
--   and AssumeRoleWithWebIdentity</a> in the <i>IAM User Guide</i> .
--   
--   Before your application can call <tt>AssumeRoleWithSAML</tt> , you
--   must configure your SAML identity provider (IdP) to issue the claims
--   required by AWS. Additionally, you must use AWS Identity and Access
--   Management (IAM) to create a SAML provider entity in your AWS account
--   that represents your identity provider, and create an IAM role that
--   specifies this SAML provider in its trust policy.
--   
--   Calling <tt>AssumeRoleWithSAML</tt> does not require the use of AWS
--   security credentials. The identity of the caller is validated by using
--   keys in the metadata document that is uploaded for the SAML provider
--   entity for your identity provider.
--   
--   <i>Important:</i> Calling <tt>AssumeRoleWithSAML</tt> can result in an
--   entry in your AWS CloudTrail logs. The entry includes the value in the
--   <tt>NameID</tt> element of the SAML assertion. We recommend that you
--   use a NameIDType that is not associated with any personally
--   identifiable information (PII). For example, you could instead use the
--   Persistent Identifier
--   (<tt>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</tt> ).
--   
--   For more information, see the following resources:
--   
--   <ul>
--   <li><a>About SAML 2.0-based Federation</a> in the <i>IAM User
--   Guide</i> .</li>
--   <li><a>Creating SAML Identity Providers</a> in the <i>IAM User
--   Guide</i> .</li>
--   <li><a>Configuring a Relying Party and Claims</a> in the <i>IAM User
--   Guide</i> .</li>
--   <li><a>Creating a Role for SAML 2.0 Federation</a> in the <i>IAM User
--   Guide</i> .</li>
--   </ul>
module Network.AWS.STS.AssumeRoleWithSAML

-- | Creates a value of <a>AssumeRoleWithSAML</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arwsamlDurationSeconds</a> - The duration, in seconds, of the
--   role session. Your role session lasts for the duration that you
--   specify for the <tt>DurationSeconds</tt> parameter, or until the time
--   specified in the SAML authentication response's
--   <tt>SessionNotOnOrAfter</tt> value, whichever is shorter. You can
--   provide a <tt>DurationSeconds</tt> value from 900 seconds (15 minutes)
--   up to the maximum session duration setting for the role. This setting
--   can have a value from 1 hour to 12 hours. If you specify a value
--   higher than this setting, the operation fails. For example, if you
--   specify a session duration of 12 hours, but your administrator set the
--   maximum session duration to 6 hours, your operation fails. To learn
--   how to view the maximum value for your role, see <a>View the Maximum
--   Session Duration Setting for a Role</a> in the <i>IAM User Guide</i> .
--   By default, the value is set to 3600 seconds.</li>
--   <li><a>arwsamlPolicy</a> - An IAM policy in JSON format. The policy
--   parameter is optional. If you pass a policy, the temporary security
--   credentials that are returned by the operation have the permissions
--   that are allowed by both the access policy of the role that is being
--   assumed, <i><b>and</b> </i> the policy that you pass. This gives you a
--   way to further restrict the permissions for the resulting temporary
--   security credentials. You cannot use the passed policy to grant
--   permissions that are in excess of those allowed by the access policy
--   of the role that is being assumed. For more information, see
--   <a>Permissions for AssumeRole, AssumeRoleWithSAML, and
--   AssumeRoleWithWebIdentity</a> in the <i>IAM User Guide</i> . The
--   format for this parameter, as described by its regex pattern, is a
--   string of characters up to 2048 characters in length. The characters
--   can be any ASCII character from the space character to the end of the
--   valid character list (\u0020-\u00FF). It can also include the tab
--   (\u0009), linefeed (\u000A), and carriage return (\u000D)
--   characters.</li>
--   <li><a>arwsamlRoleARN</a> - The Amazon Resource Name (ARN) of the role
--   that the caller is assuming.</li>
--   <li><a>arwsamlPrincipalARN</a> - The Amazon Resource Name (ARN) of the
--   SAML provider in IAM that describes the IdP.</li>
--   <li><a>arwsamlSAMLAssertion</a> - The base-64 encoded SAML
--   authentication response provided by the IdP. For more information, see
--   <a>Configuring a Relying Party and Adding Claims</a> in the <i>Using
--   IAM</i> guide.</li>
--   </ul>
assumeRoleWithSAML :: Text -> Text -> Text -> AssumeRoleWithSAML

-- | <i>See:</i> <a>assumeRoleWithSAML</a> smart constructor.
data AssumeRoleWithSAML

-- | The duration, in seconds, of the role session. Your role session lasts
--   for the duration that you specify for the <tt>DurationSeconds</tt>
--   parameter, or until the time specified in the SAML authentication
--   response's <tt>SessionNotOnOrAfter</tt> value, whichever is shorter.
--   You can provide a <tt>DurationSeconds</tt> value from 900 seconds (15
--   minutes) up to the maximum session duration setting for the role. This
--   setting can have a value from 1 hour to 12 hours. If you specify a
--   value higher than this setting, the operation fails. For example, if
--   you specify a session duration of 12 hours, but your administrator set
--   the maximum session duration to 6 hours, your operation fails. To
--   learn how to view the maximum value for your role, see <a>View the
--   Maximum Session Duration Setting for a Role</a> in the <i>IAM User
--   Guide</i> . By default, the value is set to 3600 seconds.
arwsamlDurationSeconds :: Lens' AssumeRoleWithSAML (Maybe Natural)

-- | An IAM policy in JSON format. The policy parameter is optional. If you
--   pass a policy, the temporary security credentials that are returned by
--   the operation have the permissions that are allowed by both the access
--   policy of the role that is being assumed, <i><b>and</b> </i> the
--   policy that you pass. This gives you a way to further restrict the
--   permissions for the resulting temporary security credentials. You
--   cannot use the passed policy to grant permissions that are in excess
--   of those allowed by the access policy of the role that is being
--   assumed. For more information, see <a>Permissions for AssumeRole,
--   AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in the <i>IAM
--   User Guide</i> . The format for this parameter, as described by its
--   regex pattern, is a string of characters up to 2048 characters in
--   length. The characters can be any ASCII character from the space
--   character to the end of the valid character list (\u0020-\u00FF). It can
--   also include the tab (\u0009), linefeed (\u000A), and carriage return
--   (\u000D) characters.
arwsamlPolicy :: Lens' AssumeRoleWithSAML (Maybe Text)

-- | The Amazon Resource Name (ARN) of the role that the caller is
--   assuming.
arwsamlRoleARN :: Lens' AssumeRoleWithSAML Text

-- | The Amazon Resource Name (ARN) of the SAML provider in IAM that
--   describes the IdP.
arwsamlPrincipalARN :: Lens' AssumeRoleWithSAML Text

-- | The base-64 encoded SAML authentication response provided by the IdP.
--   For more information, see <a>Configuring a Relying Party and Adding
--   Claims</a> in the <i>Using IAM</i> guide.
--   
--   NOTE(review): this field is exposed as plain <tt>Text</tt> and
--   <a>AssumeRoleWithSAML</a> has a <tt>Show</tt> instance, so a rendered
--   request value presumably includes the assertion. The assertion is what
--   authenticates the caller, so treat it as a credential and keep request
--   values out of logs and error messages - confirm against the instance.
arwsamlSAMLAssertion :: Lens' AssumeRoleWithSAML Text

-- | Creates a value of <a>AssumeRoleWithSAMLResponse</a> with the minimum
--   fields required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arwsamlrsSubject</a> - The value of the <tt>NameID</tt> element
--   in the <tt>Subject</tt> element of the SAML assertion.</li>
--   <li><a>arwsamlrsAudience</a> - The value of the <tt>Recipient</tt>
--   attribute of the <tt>SubjectConfirmationData</tt> element of the SAML
--   assertion.</li>
--   <li><a>arwsamlrsPackedPolicySize</a> - A percentage value that
--   indicates the size of the policy in packed form. The service rejects
--   any policy with a packed size greater than 100 percent, which means
--   the policy exceeded the allowed space.</li>
--   <li><a>arwsamlrsCredentials</a> - The temporary security credentials,
--   which include an access key ID, a secret access key, and a security
--   (or session) token. <b>Note:</b> The size of the security token that
--   STS APIs return is not fixed. We strongly recommend that you make no
--   assumptions about the maximum size. As of this writing, the typical
--   size is less than 4096 bytes, but that can vary. Also, future updates
--   to AWS might require larger sizes.</li>
--   <li><a>arwsamlrsSubjectType</a> - The format of the name ID, as
--   defined by the <tt>Format</tt> attribute in the <tt>NameID</tt>
--   element of the SAML assertion. Typical examples of the format are
--   <tt>transient</tt> or <tt>persistent</tt> . If the format includes the
--   prefix <tt>urn:oasis:names:tc:SAML:2.0:nameid-format</tt> , that
--   prefix is removed. For example,
--   <tt>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</tt> is
--   returned as <tt>transient</tt> . If the format includes any other
--   prefix, the format is returned with no modifications.</li>
--   <li><a>arwsamlrsNameQualifier</a> - A hash value based on the
--   concatenation of the <tt>Issuer</tt> response value, the AWS account
--   ID, and the friendly name (the last part of the ARN) of the SAML
--   provider in IAM. The combination of <tt>NameQualifier</tt> and
--   <tt>Subject</tt> can be used to uniquely identify a federated user.
--   The following pseudocode shows how the hash value is calculated:
--   <tt>BASE64 ( SHA1 ( "https://example.com/saml" + "123456789012"
--   + "/MySAMLIdP" ) )</tt></li>
--   <li><a>arwsamlrsAssumedRoleUser</a> - The identifiers for the
--   temporary security credentials that the operation returns.</li>
--   <li><a>arwsamlrsIssuer</a> - The value of the <tt>Issuer</tt> element
--   of the SAML assertion.</li>
--   <li><a>arwsamlrsResponseStatus</a> - The response status
--   code.</li>
--   </ul>
assumeRoleWithSAMLResponse :: Int -> AssumeRoleWithSAMLResponse

-- | Contains the response to a successful <a>AssumeRoleWithSAML</a>
--   request, including temporary AWS credentials that can be used to make
--   AWS requests.
--   
--   <i>See:</i> <a>assumeRoleWithSAMLResponse</a> smart constructor.
data AssumeRoleWithSAMLResponse

-- | The value of the <tt>NameID</tt> element in the <tt>Subject</tt>
--   element of the SAML assertion.
arwsamlrsSubject :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)

-- | The value of the <tt>Recipient</tt> attribute of the
--   <tt>SubjectConfirmationData</tt> element of the SAML assertion.
arwsamlrsAudience :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)

-- | A percentage value that indicates the size of the policy in packed
--   form. The service rejects any policy with a packed size greater than
--   100 percent, which means the policy exceeded the allowed space.
arwsamlrsPackedPolicySize :: Lens' AssumeRoleWithSAMLResponse (Maybe Natural)

-- | The temporary security credentials, which include an access key ID, a
--   secret access key, and a security (or session) token. <b>Note:</b> The
--   size of the security token that STS APIs return is not fixed. We
--   strongly recommend that you make no assumptions about the maximum
--   size. As of this writing, the typical size is less than 4096 bytes,
--   but that can vary. Also, future updates to AWS might require larger
--   sizes.
arwsamlrsCredentials :: Lens' AssumeRoleWithSAMLResponse (Maybe AuthEnv)

-- | The format of the name ID, as defined by the <tt>Format</tt> attribute
--   in the <tt>NameID</tt> element of the SAML assertion. Typical examples
--   of the format are <tt>transient</tt> or <tt>persistent</tt> . If the
--   format includes the prefix
--   <tt>urn:oasis:names:tc:SAML:2.0:nameid-format</tt> , that prefix is
--   removed. For example,
--   <tt>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</tt> is
--   returned as <tt>transient</tt> . If the format includes any other
--   prefix, the format is returned with no modifications.
arwsamlrsSubjectType :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)

-- | A hash value based on the concatenation of the <tt>Issuer</tt>
--   response value, the AWS account ID, and the friendly name (the last
--   part of the ARN) of the SAML provider in IAM. The combination of
--   <tt>NameQualifier</tt> and <tt>Subject</tt> can be used to uniquely
--   identify a federated user. The following pseudocode shows how the hash
--   value is calculated: <tt>BASE64 ( SHA1 (
--   "https://example.com/saml" + "123456789012" + "/MySAMLIdP" )
--   )</tt>
arwsamlrsNameQualifier :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)

-- | The identifiers for the temporary security credentials that the
--   operation returns.
arwsamlrsAssumedRoleUser :: Lens' AssumeRoleWithSAMLResponse (Maybe AssumedRoleUser)

-- | The value of the <tt>Issuer</tt> element of the SAML assertion.
arwsamlrsIssuer :: Lens' AssumeRoleWithSAMLResponse (Maybe Text)

-- | The response status code.
arwsamlrsResponseStatus :: Lens' AssumeRoleWithSAMLResponse Int
instance GHC.Generics.Generic Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAMLResponse
instance Data.Data.Data Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAMLResponse
instance GHC.Show.Show Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAMLResponse
instance GHC.Classes.Eq Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAMLResponse
instance GHC.Generics.Generic Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Data.Data.Data Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance GHC.Show.Show Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance GHC.Read.Read Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance GHC.Classes.Eq Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Network.AWS.Types.AWSRequest Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAMLResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.AssumeRoleWithSAML.AssumeRoleWithSAML


-- | Returns a set of temporary security credentials (consisting of an
--   access key ID, a secret access key, and a security token) that you can
--   use to access AWS resources that you might not normally have access
--   to. Typically, you use <tt>AssumeRole</tt> for cross-account access or
--   federation. For a comparison of <tt>AssumeRole</tt> with the other
--   APIs that produce temporary credentials, see <a>Requesting Temporary
--   Security Credentials</a> and <a>Comparing the AWS STS APIs</a> in the
--   <i>IAM User Guide</i> .
--   
--   <b>Important:</b> You cannot call <tt>AssumeRole</tt> by using AWS
--   root account credentials; access is denied. You must use credentials
--   for an IAM user or an IAM role to call <tt>AssumeRole</tt> .
--   
--   For cross-account access, imagine that you own multiple accounts and
--   need to access resources in each account. You could create long-term
--   credentials in each account to access those resources. However,
--   managing all those credentials and remembering which one can access
--   which account can be time consuming. Instead, you can create one set
--   of long-term credentials in one account and then use temporary
--   security credentials to access all the other accounts by assuming
--   roles in those accounts. For more information about roles, see <a>IAM
--   Roles (Delegation and Federation)</a> in the <i>IAM User Guide</i> .
--   
--   For federation, you can, for example, grant single sign-on access to
--   the AWS Management Console. If you already have an identity and
--   authentication system in your corporate network, you don't have to
--   recreate user identities in AWS in order to grant those user
--   identities access to AWS. Instead, after a user has been
--   authenticated, you call <tt>AssumeRole</tt> (and specify the role with
--   the appropriate permissions) to get temporary security credentials for
--   that user. With those temporary security credentials, you construct a
--   sign-in URL that users can use to access the console. For more
--   information, see <a>Common Scenarios for Temporary Credentials</a> in
--   the <i>IAM User Guide</i> .
--   
--   By default, the temporary security credentials created by
--   <tt>AssumeRole</tt> last for one hour. However, you can use the
--   optional <tt>DurationSeconds</tt> parameter to specify the duration of
--   your session. You can provide a value from 900 seconds (15 minutes) up
--   to the maximum session duration setting for the role. This setting can
--   have a value from 1 hour to 12 hours. To learn how to view the maximum
--   value for your role, see <a>View the Maximum Session Duration Setting
--   for a Role</a> in the <i>IAM User Guide</i> . The maximum session
--   duration limit applies when you use the <tt>AssumeRole*</tt> API
--   operations or the <tt>assume-role*</tt> CLI operations but does not
--   apply when you use those operations to create a console URL. For more
--   information, see <a>Using IAM Roles</a> in the <i>IAM User Guide</i> .
--   
--   The temporary security credentials created by <tt>AssumeRole</tt> can
--   be used to make API calls to any AWS service with the following
--   exception: you cannot call the STS service's
--   <tt>GetFederationToken</tt> or <tt>GetSessionToken</tt> APIs.
--   
--   Optionally, you can pass an IAM access policy to this operation. If
--   you choose not to pass a policy, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   defined in the access policy of the role that is being assumed. If you
--   pass a policy to this operation, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   allowed by both the access policy of the role that is being assumed,
--   <i><b>and</b> </i> the policy that you pass. This gives you a way to
--   further restrict the permissions for the resulting temporary security
--   credentials. You cannot use the passed policy to grant permissions
--   that are in excess of those allowed by the access policy of the role
--   that is being assumed. For more information, see <a>Permissions for
--   AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in
--   the <i>IAM User Guide</i> .
--   
--   To assume a role, your AWS account must be trusted by the role. The
--   trust relationship is defined in the role's trust policy when the role
--   is created. That trust policy states which accounts are allowed to
--   delegate access to this account's role.
--   
--   The user who wants to access the role must also have permissions
--   delegated from the role's administrator. If the user is in a different
--   account than the role, then the user's administrator must attach a
--   policy that allows the user to call AssumeRole on the ARN of the role
--   in the other account. If the user is in the same account as the role,
--   then you can either attach a policy to the user (identical to the
--   previous different account user), or you can add the user as a
--   principal directly in the role's trust policy. In this case, the trust
--   policy acts as the only resource-based policy in IAM, and users in the
--   same account as the role do not need explicit permission to assume the
--   role. For more information about trust policies and resource-based
--   policies, see <a>IAM Policies</a> in the <i>IAM User Guide</i> .
--   
--   <b>Using MFA with AssumeRole</b>
--   
--   You can optionally include multi-factor authentication (MFA)
--   information when you call <tt>AssumeRole</tt> . This is useful for
--   cross-account scenarios in which you want to make sure that the user
--   who is assuming the role has been authenticated using an AWS MFA
--   device. In that scenario, the trust policy of the role being assumed
--   includes a condition that tests for MFA authentication; if the caller
--   does not include valid MFA information, the request to assume the role
--   is denied. The condition in a trust policy that tests for MFA
--   authentication might look like the following example.
--   
--   <pre>
--   "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
--   </pre>
--   
--   For more information, see <a>Configuring MFA-Protected API Access</a>
--   in the <i>IAM User Guide</i> .
--   
--   To use MFA with <tt>AssumeRole</tt> , you pass values for the
--   <tt>SerialNumber</tt> and <tt>TokenCode</tt> parameters. The
--   <tt>SerialNumber</tt> value identifies the user's hardware or virtual
--   MFA device. The <tt>TokenCode</tt> is the time-based one-time password
--   (TOTP) that the MFA device produces.
module Network.AWS.STS.AssumeRole

-- | Creates a value of <a>AssumeRole</a> with the minimum fields required
--   to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arTokenCode</a> - The value provided by the MFA device, if the
--   trust policy of the role being assumed requires MFA (that is, if the
--   policy includes a condition that tests for MFA). If the role being
--   assumed requires MFA and if the <tt>TokenCode</tt> value is missing or
--   expired, the <tt>AssumeRole</tt> call returns an "access denied"
--   error. The format for this parameter, as described by its regex
--   pattern, is a sequence of six numeric digits.</li>
--   <li><a>arDurationSeconds</a> - The duration, in seconds, of the role
--   session. The value can range from 900 seconds (15 minutes) up to the
--   maximum session duration setting for the role. This setting can have a
--   value from 1 hour to 12 hours. If you specify a value higher than this
--   setting, the operation fails. For example, if you specify a session
--   duration of 12 hours, but your administrator set the maximum session
--   duration to 6 hours, your operation fails. To learn how to view the
--   maximum value for your role, see <a>View the Maximum Session Duration
--   Setting for a Role</a> in the <i>IAM User Guide</i> . By default, the
--   value is set to 3600 seconds.</li>
--   <li><a>arPolicy</a> - An IAM policy in JSON format. This parameter is
--   optional. If you pass a policy, the temporary security credentials
--   that are returned by the operation have the permissions that are
--   allowed by both (the intersection of) the access policy of the role
--   that is being assumed, <i>and</i> the policy that you pass. This gives
--   you a way to further restrict the permissions for the resulting
--   temporary security credentials. You cannot use the passed policy to
--   grant permissions that are in excess of those allowed by the access
--   policy of the role that is being assumed. For more information, see
--   <a>Permissions for AssumeRole, AssumeRoleWithSAML, and
--   AssumeRoleWithWebIdentity</a> in the <i>IAM User Guide</i> . The
--   format for this parameter, as described by its regex pattern, is a
--   string of characters up to 2048 characters in length. The characters
--   can be any ASCII character from the space character to the end of the
--   valid character list (\u0020-\u00FF). It can also include the tab
--   (\u0009), linefeed (\u000A), and carriage return (\u000D)
--   characters.</li>
--   <li><a>arExternalId</a> - A unique identifier that is used by third
--   parties when assuming roles in their customers' accounts. For each
--   role that the third party can assume, they should instruct their
--   customers to ensure the role's trust policy checks for the external ID
--   that the third party generated. Each time the third party assumes the
--   role, they should pass the customer's external ID. The external ID is
--   useful in order to help third parties bind a role to the customer who
--   created it. For more information about the external ID, see <a>How to
--   Use an External ID When Granting Access to Your AWS Resources to a
--   Third Party</a> in the <i>IAM User Guide</i> . The regex used to
--   validate this parameter is a string of characters consisting of
--   upper- and lower-case alphanumeric characters with no spaces. You can
--   also include underscores or any of the following characters:
--   =,.@:/-</li>
--   <li><a>arSerialNumber</a> - The identification number of the MFA
--   device that is associated with the user who is making the
--   <tt>AssumeRole</tt> call. Specify this value if the trust policy of
--   the role being assumed includes a condition that requires MFA
--   authentication. The value is either the serial number for a hardware
--   device (such as <tt>GAHT12345678</tt> ) or an Amazon Resource Name
--   (ARN) for a virtual device (such as
--   <tt>arn:aws:iam::123456789012:mfa/user</tt> ). The regex used to
--   validate this parameter is a string of characters consisting of upper-
--   and lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@-</li>
--   <li><a>arRoleARN</a> - The Amazon Resource Name (ARN) of the role to
--   assume.</li>
--   <li><a>arRoleSessionName</a> - An identifier for the assumed role
--   session. Use the role session name to uniquely identify a session when
--   the same role is assumed by different principals or for different
--   reasons. In cross-account scenarios, the role session name is visible
--   to, and can be logged by, the account that owns the role. The role
--   session name is also used in the ARN of the assumed role principal.
--   This means that subsequent cross-account API requests using the
--   temporary security credentials will expose the role session name to
--   the external account in their CloudTrail logs. The regex used to
--   validate this parameter is a string of characters consisting of upper-
--   and lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@-</li>
--   </ul>
assumeRole :: Text -> Text -> AssumeRole

-- | <i>See:</i> <a>assumeRole</a> smart constructor.
data AssumeRole

-- | The value provided by the MFA device, if the trust policy of the role
--   being assumed requires MFA (that is, if the policy includes a
--   condition that tests for MFA). If the role being assumed requires MFA
--   and if the <tt>TokenCode</tt> value is missing or expired, the
--   <tt>AssumeRole</tt> call returns an "access denied" error. The format
--   for this parameter, as described by its regex pattern, is a sequence
--   of six numeric digits.
arTokenCode :: Lens' AssumeRole (Maybe Text)

-- | The duration, in seconds, of the role session. The value can range
--   from 900 seconds (15 minutes) up to the maximum session duration
--   setting for the role. This setting can have a value from 1 hour to 12
--   hours. If you specify a value higher than this setting, the operation
--   fails. For example, if you specify a session duration of 12 hours, but
--   your administrator set the maximum session duration to 6 hours, your
--   operation fails. To learn how to view the maximum value for your role,
--   see <a>View the Maximum Session Duration Setting for a Role</a> in the
--   <i>IAM User Guide</i> . By default, the value is set to 3600 seconds.
arDurationSeconds :: Lens' AssumeRole (Maybe Natural)

-- | An IAM policy in JSON format. This parameter is optional. If you pass
--   a policy, the temporary security credentials that are returned by the
--   operation have the permissions that are allowed by both (the
--   intersection of) the access policy of the role that is being assumed,
--   <i>and</i> the policy that you pass. This gives you a way to further
--   restrict the permissions for the resulting temporary security
--   credentials. You cannot use the passed policy to grant permissions
--   that are in excess of those allowed by the access policy of the role
--   that is being assumed. For more information, see <a>Permissions for
--   AssumeRole, AssumeRoleWithSAML, and AssumeRoleWithWebIdentity</a> in
--   the <i>IAM User Guide</i> . The format for this parameter, as
--   described by its regex pattern, is a string of characters up to 2048
--   characters in length. The characters can be any ASCII character from
--   the space character to the end of the valid character list
--   (\u0020-\u00FF). It can also include the tab (\u0009), linefeed (\u000A),
--   and carriage return (\u000D) characters.
arPolicy :: Lens' AssumeRole (Maybe Text)

-- | A unique identifier that is used by third parties when assuming roles
--   in their customers' accounts. For each role that the third party can
--   assume, they should instruct their customers to ensure the role's
--   trust policy checks for the external ID that the third party
--   generated. Each time the third party assumes the role, they should
--   pass the customer's external ID. The external ID is useful in order to
--   help third parties bind a role to the customer who created it. For
--   more information about the external ID, see <a>How to Use an External
--   ID When Granting Access to Your AWS Resources to a Third Party</a> in
--   the <i>IAM User Guide</i> . The regex used to validate this parameter
--   is a string of characters consisting of upper- and lower-case
--   alphanumeric characters with no spaces. You can also include
--   underscores or any of the following characters: =,.@:/-
arExternalId :: Lens' AssumeRole (Maybe Text)

-- | The identification number of the MFA device that is associated with
--   the user who is making the <tt>AssumeRole</tt> call. Specify this
--   value if the trust policy of the role being assumed includes a
--   condition that requires MFA authentication. The value is either the
--   serial number for a hardware device (such as <tt>GAHT12345678</tt> )
--   or an Amazon Resource Name (ARN) for a virtual device (such as
--   <tt>arn:aws:iam::123456789012:mfa/user</tt> ). The regex used to
--   validate this parameter is a string of characters consisting of upper-
--   and lower-case alphanumeric characters with no spaces. You can also
--   include underscores or any of the following characters: =,.@-
arSerialNumber :: Lens' AssumeRole (Maybe Text)

-- | The Amazon Resource Name (ARN) of the role to assume.
arRoleARN :: Lens' AssumeRole Text

-- | An identifier for the assumed role session. Use the role session name
--   to uniquely identify a session when the same role is assumed by
--   different principals or for different reasons. In cross-account
--   scenarios, the role session name is visible to, and can be logged by,
--   the account that owns the role. The role session name is also used in
--   the ARN of the assumed role principal. This means that subsequent
--   cross-account API requests using the temporary security credentials
--   will expose the role session name to the external account in their
--   CloudTrail logs. The regex used to validate this parameter is a string
--   of characters consisting of upper- and lower-case alphanumeric
--   characters with no spaces. You can also include underscores or any of
--   the following characters: =,.@-
arRoleSessionName :: Lens' AssumeRole Text

-- | Creates a value of <a>AssumeRoleResponse</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>arrsPackedPolicySize</a> - A percentage value that indicates
--   the size of the policy in packed form. The service rejects any policy
--   with a packed size greater than 100 percent, which means the policy
--   exceeded the allowed space.</li>
--   <li><a>arrsCredentials</a> - The temporary security credentials, which
--   include an access key ID, a secret access key, and a security (or
--   session) token. <b>Note:</b> The size of the security token that STS
--   APIs return is not fixed. We strongly recommend that you make no
--   assumptions about the maximum size. As of this writing, the typical
--   size is less than 4096 bytes, but that can vary. Also, future updates
--   to AWS might require larger sizes.</li>
--   <li><a>arrsAssumedRoleUser</a> - The Amazon Resource Name (ARN) and
--   the assumed role ID, which are identifiers that you can use to refer
--   to the resulting temporary security credentials. For example, you can
--   reference these credentials as a principal in a resource-based policy
--   by using the ARN or assumed role ID. The ARN and ID include the
--   <tt>RoleSessionName</tt> that you specified when you called
--   <tt>AssumeRole</tt> .</li>
--   <li><a>arrsResponseStatus</a> - The response status code.</li>
--   </ul>
assumeRoleResponse :: Int -> AssumeRoleResponse

-- | Contains the response to a successful <a>AssumeRole</a> request,
--   including temporary AWS credentials that can be used to make AWS
--   requests.
--   
--   <i>See:</i> <a>assumeRoleResponse</a> smart constructor.
data AssumeRoleResponse

-- | A percentage value that indicates the size of the policy in packed
--   form. The service rejects any policy with a packed size greater than
--   100 percent, which means the policy exceeded the allowed space.
arrsPackedPolicySize :: Lens' AssumeRoleResponse (Maybe Natural)

-- | The temporary security credentials, which include an access key ID, a
--   secret access key, and a security (or session) token. <b>Note:</b> The
--   size of the security token that STS APIs return is not fixed. We
--   strongly recommend that you make no assumptions about the maximum
--   size. As of this writing, the typical size is less than 4096 bytes,
--   but that can vary. Also, future updates to AWS might require larger
--   sizes.
arrsCredentials :: Lens' AssumeRoleResponse (Maybe AuthEnv)

-- | The Amazon Resource Name (ARN) and the assumed role ID, which are
--   identifiers that you can use to refer to the resulting temporary
--   security credentials. For example, you can reference these credentials
--   as a principal in a resource-based policy by using the ARN or assumed
--   role ID. The ARN and ID include the <tt>RoleSessionName</tt> that you
--   specified when you called <tt>AssumeRole</tt> .
arrsAssumedRoleUser :: Lens' AssumeRoleResponse (Maybe AssumedRoleUser)

-- | The response status code.
arrsResponseStatus :: Lens' AssumeRoleResponse Int
instance GHC.Generics.Generic Network.AWS.STS.AssumeRole.AssumeRoleResponse
instance Data.Data.Data Network.AWS.STS.AssumeRole.AssumeRoleResponse
instance GHC.Show.Show Network.AWS.STS.AssumeRole.AssumeRoleResponse
instance GHC.Classes.Eq Network.AWS.STS.AssumeRole.AssumeRoleResponse
instance GHC.Generics.Generic Network.AWS.STS.AssumeRole.AssumeRole
instance Data.Data.Data Network.AWS.STS.AssumeRole.AssumeRole
instance GHC.Show.Show Network.AWS.STS.AssumeRole.AssumeRole
instance GHC.Read.Read Network.AWS.STS.AssumeRole.AssumeRole
instance GHC.Classes.Eq Network.AWS.STS.AssumeRole.AssumeRole
instance Network.AWS.Types.AWSRequest Network.AWS.STS.AssumeRole.AssumeRole
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRole.AssumeRoleResponse
instance Data.Hashable.Class.Hashable Network.AWS.STS.AssumeRole.AssumeRole
instance Control.DeepSeq.NFData Network.AWS.STS.AssumeRole.AssumeRole
instance Network.AWS.Data.Headers.ToHeaders Network.AWS.STS.AssumeRole.AssumeRole
instance Network.AWS.Data.Path.ToPath Network.AWS.STS.AssumeRole.AssumeRole
instance Network.AWS.Data.Query.ToQuery Network.AWS.STS.AssumeRole.AssumeRole


module Network.AWS.STS.Waiters


-- | <b>AWS Security Token Service</b>
--   
--   The AWS Security Token Service (STS) is a web service that enables you
--   to request temporary, limited-privilege credentials for AWS Identity
--   and Access Management (IAM) users or for users that you authenticate
--   (federated users). This guide provides descriptions of the STS API.
--   For more detailed information about using this service, go to
--   <a>Temporary Security Credentials</a> .
--   
--   For information about setting up signatures and authorization through
--   the API, go to <a>Signing AWS API Requests</a> in the <i>AWS General
--   Reference</i> . For general information about the Query API, go to
--   <a>Making Query Requests</a> in <i>Using IAM</i> . For information
--   about using security tokens with other AWS products, go to <a>AWS
--   Services That Work with IAM</a> in the <i>IAM User Guide</i> .
--   
--   If you're new to AWS and need additional technical information about a
--   specific AWS product, you can find the product's technical
--   documentation at <a>http://aws.amazon.com/documentation/</a> .
--   
--   <b>Endpoints</b>
--   
--   The AWS Security Token Service (STS) has a default endpoint of
--   <a>https://sts.amazonaws.com</a> that maps to the US East (N.
--   Virginia) region. Additional regions are available and are activated
--   by default. For more information, see <a>Activating and Deactivating
--   AWS STS in an AWS Region</a> in the <i>IAM User Guide</i> .
--   
--   For information about STS endpoints, see <a>Regions and Endpoints</a>
--   in the <i>AWS General Reference</i> .
--   
--   <b>Recording API requests</b>
--   
--   STS supports AWS CloudTrail, which is a service that records AWS calls
--   for your AWS account and delivers log files to an Amazon S3 bucket. By
--   using information collected by CloudTrail, you can determine what
--   requests were successfully made to STS, who made the request, when it
--   was made, and so on. To learn more about CloudTrail, including how to
--   turn it on and find your log files, see the <a>AWS CloudTrail User
--   Guide</a> .
module Network.AWS.STS

-- | API version <tt>2011-06-15</tt> of the Amazon Security Token Service
--   SDK configuration.
sts :: Service

-- | The request was rejected because the policy document was malformed.
--   The error message describes the specific error.
_MalformedPolicyDocumentException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The error returned if the message passed to
--   <tt>DecodeAuthorizationMessage</tt> was invalid. This can happen if
--   the token contains invalid characters, such as linebreaks.
_InvalidAuthorizationMessageException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The request was rejected because the policy document was too large.
--   The error message describes how big the policy document is, in packed
--   form, as a percentage of what the API allows.
_PackedPolicyTooLargeException :: AsError a => Getting (First ServiceError) a ServiceError

-- | STS is not activated in the requested region for the account that is
--   being asked to generate credentials. The account administrator must
--   use the IAM console to activate STS in that region. For more
--   information, see <a>Activating and Deactivating AWS STS in an AWS
--   Region</a> in the <i>IAM User Guide</i> .
_RegionDisabledException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The request could not be fulfilled because the non-AWS identity
--   provider (IDP) that was asked to verify the incoming identity token
--   could not be reached. This is often a transient error caused by
--   network conditions. Retry the request a limited number of times so
--   that you don't exceed the request rate. If the error persists, the
--   non-AWS identity provider might be down or not responding.
_IdPCommunicationErrorException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The web identity token that was passed could not be validated by AWS.
--   Get a new identity token from the identity provider and then retry the
--   request.
_InvalidIdentityTokenException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The web identity token that was passed is expired or is not valid. Get
--   a new identity token from the identity provider and then retry the
--   request.
_ExpiredTokenException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The identity provider (IdP) reported that authentication failed. This
--   might be because the claim is invalid.
--   
--   If this error is returned for the <tt>AssumeRoleWithWebIdentity</tt>
--   operation, it can also mean that the claim has expired or has been
--   explicitly revoked.
_IdPRejectedClaimException :: AsError a => Getting (First ServiceError) a ServiceError

-- | The identifiers for the temporary security credentials that the
--   operation returns.
--   
--   <i>See:</i> <a>assumedRoleUser</a> smart constructor.
data AssumedRoleUser

-- | Creates a value of <a>AssumedRoleUser</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>aruAssumedRoleId</a> - A unique identifier that contains the
--   role ID and the role session name of the role that is being assumed.
--   The role ID is generated by AWS when the role is created.</li>
--   <li><a>aruARN</a> - The ARN of the temporary security credentials that
--   are returned from the <tt>AssumeRole</tt> action. For more information
--   about ARNs and how to use them in policies, see <a>IAM Identifiers</a>
--   in <i>Using IAM</i> .</li>
--   </ul>
--   
--   Both arguments are <tt>Text</tt> , so the compiler cannot detect them
--   being swapped. The argument order is presumably the order of the
--   lenses listed above (assumed role ID, then ARN); confirm against the
--   library source before constructing values by hand.
assumedRoleUser :: Text -> Text -> AssumedRoleUser

-- | A unique identifier that contains the role ID and the role session
--   name of the role that is being assumed. The role ID is generated by
--   AWS when the role is created.
--   
--   Only the role ID part is generated by AWS; the role session name part
--   is the value the caller specified when assuming the role, so do not
--   treat the whole identifier as AWS-generated.
aruAssumedRoleId :: Lens' AssumedRoleUser Text

-- | The ARN of the temporary security credentials that are returned from
--   the <tt>AssumeRole</tt> action. For more information about ARNs and
--   how to use them in policies, see <a>IAM Identifiers</a> in <i>Using
--   IAM</i> .
aruARN :: Lens' AssumedRoleUser Text

-- | Identifiers for the federated user that is associated with the
--   credentials.
--   
--   <i>See:</i> <a>federatedUser</a> smart constructor.
data FederatedUser

-- | Creates a value of <a>FederatedUser</a> with the minimum fields
--   required to make a request.
--   
--   Use one of the following lenses to modify other fields as desired:
--   
--   <ul>
--   <li><a>fuFederatedUserId</a> - The string that identifies the
--   federated user associated with the credentials, similar to the unique
--   ID of an IAM user.</li>
--   <li><a>fuARN</a> - The ARN that specifies the federated user that is
--   associated with the credentials. For more information about ARNs and
--   how to use them in policies, see <a>IAM Identifiers</a> in <i>Using
--   IAM</i> .</li>
--   </ul>
--   
--   Both arguments are <tt>Text</tt> , so the compiler cannot detect them
--   being swapped. The argument order is presumably the order of the
--   lenses listed above (federated user ID, then ARN); confirm against
--   the library source before constructing values by hand.
federatedUser :: Text -> Text -> FederatedUser

-- | The string that identifies the federated user associated with the
--   credentials, similar to the unique ID of an IAM user.
fuFederatedUserId :: Lens' FederatedUser Text

-- | The ARN that specifies the federated user that is associated with the
--   credentials. For more information about ARNs and how to use them in
--   policies, see <a>IAM Identifiers</a> in <i>Using IAM</i> .
fuARN :: Lens' FederatedUser Text
