[ aws . lakeformation ]

assume-decorated-role-with-saml

Description

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.

This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:

See also: AWS API Documentation

See ‘aws help’ for descriptions of global parameters.

Synopsis

  assume-decorated-role-with-saml
    --saml-assertion <value>
    --role-arn <value>
    --principal-arn <value>
    [--duration-seconds <value>]
    [--cli-input-json | --cli-input-yaml]
    [--generate-cli-skeleton <value>]

Options

--saml-assertion (string)

A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.

--role-arn (string)

The role that represents an IAM principal whose scope down policy allows it to call credential vending APIs such as GetTemporaryTableCredentials. The caller must also have iam:PassRole permission on this role.

--principal-arn (string)

The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

--duration-seconds (integer)

The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.

--cli-input-json | --cli-input-yaml (string)

Reads arguments from the JSON string provided. The JSON string follows the format provided by --generate-cli-skeleton. If other arguments are provided on the command line, those values will override the JSON-provided values. It is not possible to pass arbitrary binary values using a JSON-provided value as the string will be taken literally. This may not be specified along with --cli-input-yaml.

--generate-cli-skeleton (string)

Prints a JSON skeleton to standard output without sending an API request. If provided with no value or the value input, prints a sample input JSON that can be used as an argument for --cli-input-json. Similarly, if provided yaml-input it will print a sample input YAML that can be used with --cli-input-yaml. If provided with the value output, it validates the command inputs and returns a sample output JSON for that command. The generated JSON skeleton is not stable between versions of the AWS CLI and there are no backwards compatibility guarantees in the JSON skeleton generated.

Output

AccessKeyId -> (string)

The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).

SecretAccessKey -> (string)

The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).

SessionToken -> (string)

The session token for the temporary credentials.

Expiration -> (timestamp)

The date and time when the temporary credentials expire.
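The following script is an added example and is not part of the AWS CLI reference or of Lake Formation itself. It ties together the three parts of this page: the minimum role policy the Description calls for (only lakeformation:GetDataAccess on the decorated role, since S3 access is vended per request), the invocation with the four options above (Base64-encoding the assertion and checking the 900..43200 second window before calling), and the four output fields mapped onto the environment variables the CLI and SDKs read. The role ARN, SAML provider ARN, account id and assertion file path are placeholders to replace with your own; the helper function names are this example's own.

```shell
#!/usr/bin/env bash
# Added example; not part of the AWS CLI reference or of Lake Formation itself.
# Placeholders (assumptions, replace with your own values): the role ARN, the
# SAML provider ARN, the account id and the path to the raw assertion file.
set -eu

# Minimal permission policy for the decorated role. The role itself only
# needs lakeformation:GetDataAccess; S3 access is vended by Lake Formation
# per request, so no S3 permissions belong on the role.
min_role_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["lakeformation:GetDataAccess"],
      "Resource": "*"
    }
  ]
}
EOF
}

# --duration-seconds must be an integer between 900 and 43200.
valid_duration() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 900 ] && [ "$1" -le 43200 ]
}

# --saml-assertion must be Base64: encode the raw assertion file as one line.
encode_assertion() {
  base64 < "$1" | tr -d '\n'
}

# Map the tab-separated `--output text` line (AccessKeyId, SecretAccessKey,
# SessionToken, Expiration) onto the environment variables the CLI and SDKs
# read, plus the expiry so the caller can refresh before the session lapses.
export_credentials() {
  tab=$(printf '\t')
  IFS="$tab" read -r AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIAL_EXPIRATION <<EOF
$1
EOF
  export AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN AWS_CREDENTIAL_EXPIRATION
}

# Call the API and export the session. Usage (placeholder ARNs):
#   assume_decorated_role assertion.xml \
#       arn:aws:iam::123456789012:role/lf-saml-role \
#       arn:aws:iam::123456789012:saml-provider/my-idp 3600
assume_decorated_role() {
  assertion_file=$1; role_arn=$2; provider_arn=$3; duration=${4:-3600}
  valid_duration "$duration" || { echo "duration must be 900..43200 seconds" >&2; return 2; }
  out=$(aws lakeformation assume-decorated-role-with-saml \
          --saml-assertion "$(encode_assertion "$assertion_file")" \
          --role-arn "$role_arn" \
          --principal-arn "$provider_arn" \
          --duration-seconds "$duration" \
          --query '[AccessKeyId,SecretAccessKey,SessionToken,Expiration]' \
          --output text)
  export_credentials "$out"
  echo "decorated role session exported; expires at $AWS_CREDENTIAL_EXPIRATION" >&2
}
```

Source the file (`. ./lf-saml.sh`) rather than executing it, so that the exported variables land in the calling shell; `min_role_policy > role-policy.json` writes the permission policy for attaching to the role with your usual IAM tooling. Keeping the expiry in AWS_CREDENTIAL_EXPIRATION lets a wrapper re-run assume_decorated_role before long-running queries rather than discovering the lapse from an access-denied error mid-job.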