Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions.
Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.
This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:
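As an added example, not a snippet from the SDK documentation, the script below checks whether a role's IAM policy document satisfies that minimum: an Allow statement that covers lakeformation:GetDataAccess and no explicit Deny that revokes it. The two policy documents embedded in it are constructed for the illustration; NotAction, Resource and Condition elements are deliberately not evaluated.

```javascript
// Added example: verify that an IAM policy document grants the minimum
// permission a role assumed via AssumeDecoratedRoleWithSAML needs,
// lakeformation:GetDataAccess, and that no Deny statement revokes it.
// The policy documents below are constructed for this illustration.

const REQUIRED_ACTION = "lakeformation:GetDataAccess";

// IAM action patterns may contain "*" wildcards and match case-insensitively.
function actionMatches(pattern, action) {
  const escaped = pattern
    .split("*")
    .map((piece) => piece.replace(/[.*+?^${}()|[\]\\]/g, "\\$&"))
    .join(".*");
  return new RegExp("^" + escaped + "$", "i").test(action);
}

// True when some statement with the given Effect lists a matching Action.
function hasStatement(policy, effect, action) {
  const statements = [].concat(policy.Statement || []);
  return statements.some((stmt) => {
    if (stmt.Effect !== effect) return false;
    const actions = [].concat(stmt.Action || []);
    return actions.some((pattern) => actionMatches(pattern, action));
  });
}

// Minimum requirement stated in the documentation: an Allow for
// lakeformation:GetDataAccess that an explicit Deny does not override.
function grantsGetDataAccess(policy) {
  return (
    hasStatement(policy, "Allow", REQUIRED_ACTION) &&
    !hasStatement(policy, "Deny", REQUIRED_ACTION)
  );
}

// Constructed sample: the shape a policy for such a role typically has.
const typicalPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "lakeformation:GetDataAccess", Resource: "*" }],
};

// Constructed sample: grants other actions but not GetDataAccess.
const missingPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: ["lakeformation:GetTable", "s3:GetObject"], Resource: "*" }],
};

console.log(grantsGetDataAccess(typicalPolicy), grantsGetDataAccess(missingPolicy)); // true false
```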
Example
Use a bare-bones client and the command you need to make an API call.
Param: AssumeDecoratedRoleWithSAMLCommandInput
Returns: AssumeDecoratedRoleWithSAMLCommandOutput
See: input shape, response shape, config shape

Throws:
AccessDeniedException (client fault): Access to a resource was denied.
EntityNotFoundException (client fault): A specified entity does not exist.
InternalServiceException (server fault): An internal service error occurred.
InvalidInputException (client fault): The input provided was not valid.
OperationTimeoutException (client fault): The operation timed out.
LakeFormationServiceException: Base exception class for all service exceptions from the LakeFormation service.