Class AssumeDecoratedRoleWithSAMLCommandProtected

Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.

This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:

Example

Use a bare-bones client and the command you need to make an API call.

import { LakeFormationClient, AssumeDecoratedRoleWithSAMLCommand } from "@aws-sdk/client-lakeformation"; // ES Modules import
// const { LakeFormationClient, AssumeDecoratedRoleWithSAMLCommand } = require("@aws-sdk/client-lakeformation"); // CommonJS import
const client = new LakeFormationClient(config);
const input = { // AssumeDecoratedRoleWithSAMLRequest
  SAMLAssertion: "STRING_VALUE", // required
  RoleArn: "STRING_VALUE", // required
  PrincipalArn: "STRING_VALUE", // required
  DurationSeconds: Number("int"),
};
const command = new AssumeDecoratedRoleWithSAMLCommand(input);
const response = await client.send(command);
// { // AssumeDecoratedRoleWithSAMLResponse
//   AccessKeyId: "STRING_VALUE",
//   SecretAccessKey: "STRING_VALUE",
//   SessionToken: "STRING_VALUE",
//   Expiration: new Date("TIMESTAMP"),
// };

Param

AssumeDecoratedRoleWithSAMLCommandInput

Returns

AssumeDecoratedRoleWithSAMLCommandOutput

See

• AssumeDecoratedRoleWithSAMLCommandInput for command's input shape.
• AssumeDecoratedRoleWithSAMLCommandOutput for command's response shape.
• config for LakeFormationClient's config shape.

Throws

AccessDeniedException (client fault)

Access to a resource was denied.

Throws

EntityNotFoundException (client fault)

A specified entity does not exist.

Throws

InternalServiceException (server fault)

An internal service error occurred.

Throws

InvalidInputException (client fault)

The input provided was not valid.

Throws

OperationTimeoutException (client fault)

The operation timed out.

Throws

LakeFormationServiceException

Base exception class for all service exceptions from LakeFormation service.