This API Documentation is now deprecated

Class AssumeDecoratedRoleWithSAMLCommand

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.

This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:

Example

Use a bare-bones client and the command you need to make an API call.

import { LakeFormationClient, AssumeDecoratedRoleWithSAMLCommand } from "@aws-sdk/client-lakeformation"; // ES Modules import
// const { LakeFormationClient, AssumeDecoratedRoleWithSAMLCommand } = require("@aws-sdk/client-lakeformation"); // CommonJS import
const client = new LakeFormationClient(config); // config: client options, e.g. { region: "us-east-1" }
const input = { // AssumeDecoratedRoleWithSAMLRequest
  SAMLAssertion: "STRING_VALUE", // required
  RoleArn: "STRING_VALUE", // required
  PrincipalArn: "STRING_VALUE", // required
  DurationSeconds: Number("int"),
};
const command = new AssumeDecoratedRoleWithSAMLCommand(input);
const response = await client.send(command);
// { // AssumeDecoratedRoleWithSAMLResponse
//   AccessKeyId: "STRING_VALUE",
//   SecretAccessKey: "STRING_VALUE",
//   SessionToken: "STRING_VALUE",
//   Expiration: new Date("TIMESTAMP"),
// };
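Two defender-side helpers around this command, added here as an example and not part of the AWS SDK or its documentation: a pre-flight check that a role's policy document actually grants the lakeformation:GetDataAccess action the text above requires, and a mapper from the AssumeDecoratedRoleWithSAMLResponse fields to the credentials object an SDK v3 client accepts, which refuses a session whose Expiration has already passed. The policy document and response values are constructed samples; the function names are this example's own.

```javascript
// Added example (not from the AWS SDK docs). Sample policy and response are
// constructed placeholders, not real values.
const SAMPLE_ROLE_POLICY = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["lakeformation:GetDataAccess"], Resource: "*" }],
};
const SAMPLE_RESPONSE = {
  AccessKeyId: "ASIAEXAMPLEKEYID",
  SecretAccessKey: "EXAMPLESECRET",
  SessionToken: "EXAMPLESESSIONTOKEN",
  Expiration: new Date("2024-01-01T01:00:00Z"),
};

// IAM action matching is case-insensitive; "*" matches any run of characters
// and "?" a single character, so "lakeformation:*" also satisfies the check.
function actionMatches(action, required) {
  const pattern = action.toLowerCase().split("").map((ch) =>
    ch === "*" ? ".*" : ch === "?" ? "." : ch.replace(/[.+^${}()|[\]\\]/, "\\$&")
  ).join("");
  return new RegExp(`^${pattern}$`).test(required.toLowerCase());
}

// True if some Allow statement's Action covers lakeformation:GetDataAccess.
// NotAction statements are deliberately not counted as a grant, and Deny
// statements elsewhere in the policy are not evaluated here.
function policyGrantsGetDataAccess(policyDoc) {
  const statements = [].concat(policyDoc.Statement ?? []);
  return statements.some((stmt) =>
    stmt.Effect === "Allow" && stmt.Action !== undefined &&
    [].concat(stmt.Action).some((a) => actionMatches(a, "lakeformation:GetDataAccess"))
  );
}

// Convert the response to { accessKeyId, secretAccessKey, sessionToken, expiration },
// the shape accepted by e.g. new S3Client({ credentials }). Refuses a session
// that is already past its Expiration instead of handing out dead keys.
function toClientCredentials(response, now = new Date()) {
  const { AccessKeyId, SecretAccessKey, SessionToken, Expiration } = response;
  if (!AccessKeyId || !SecretAccessKey || !SessionToken || !Expiration) {
    throw new Error("response is missing one of the credential fields");
  }
  const expiration = new Date(Expiration);
  if (!(expiration.getTime() > now.getTime())) {
    throw new Error(`session already expired at ${expiration.toISOString()}`);
  }
  return { accessKeyId: AccessKeyId, secretAccessKey: SecretAccessKey, sessionToken: SessionToken, expiration };
}
```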

Param

AssumeDecoratedRoleWithSAMLCommandInput

Returns

AssumeDecoratedRoleWithSAMLCommandOutput

Throws

AccessDeniedException (client fault)

Access to a resource was denied.

Throws

EntityNotFoundException (client fault)

A specified entity does not exist.

Throws

InternalServiceException (server fault)

An internal service error occurred.

Throws

InvalidInputException (client fault)

The input provided was not valid.

Throws

OperationTimeoutException (client fault)

The operation timed out.

Throws

LakeFormationServiceException

Base exception class for all service exceptions from LakeFormation service.
