AssumeDecoratedRoleWithSAML - Lake Formation


Allows a caller to assume an IAM role decorated as the SAML user specified in the SAML assertion included in the request. This decoration allows Lake Formation to enforce access policies against the SAML users and groups. This API operation requires SAML federation setup in the caller’s account as it can only be called with valid SAML assertions. Lake Formation does not scope down the permission of the assumed role. All permissions attached to the role via the SAML federation setup will be included in the role session.

This decorated role is expected to access data in Amazon S3 by getting temporary access from Lake Formation which is authorized via the virtual API GetDataAccess. Therefore, all SAML roles that can be assumed via AssumeDecoratedRoleWithSAML must at a minimum include lakeformation:GetDataAccess in their role policies. A typical IAM policy attached to such a role would look as follows:

Request Syntax

{ "DurationSeconds": number, "PrincipalArn": "string", "RoleArn": "string", "SAMLAssertion": "string" }

Request Parameters

For information about the parameters that are common to all actions, see Common Parameters.

The request accepts the following data in JSON format.


The time period, between 900 and 43,200 seconds, for the timeout of the temporary credentials.

Type: Integer

Valid Range: Minimum value of 900. Maximum value of 43200.

Required: No


The Amazon Resource Name (ARN) of the SAML provider in IAM that describes the IdP.

Type: String

Pattern: arn:aws:iam::[0-9]*:saml-provider/.*

Required: Yes


The role that represents an IAM principal whose scope down policy allows it to call credential vending APIs such as GetTemporaryTableCredentials. The caller must also have iam:PassRole permission on this role.

Type: String

Pattern: arn:aws:iam::[0-9]*:role/.*

Required: Yes


A SAML assertion consisting of an assertion statement for the user who needs temporary credentials. This must match the SAML assertion that was issued to IAM. This must be Base64 encoded.

Type: String

Length Constraints: Minimum length of 4. Maximum length of 100000.

Required: Yes

Response Syntax

{ "AccessKeyId": "string", "Expiration": number, "SecretAccessKey": "string", "SessionToken": "string" }

Response Elements

If the action is successful, the service sends back an HTTP 200 response.

The following data is returned in JSON format by the service.


The access key ID for the temporary credentials. (The access key consists of an access key ID and a secret key).

Type: String


The date and time when the temporary credentials expire.

Type: Timestamp


The secret key for the temporary credentials. (The access key consists of an access key ID and a secret key).

Type: String


The session token for the temporary credentials.

Type: String


For information about the errors that are common to all actions, see Common Errors.


Access to a resource was denied.

HTTP Status Code: 400


A specified entity does not exist.

HTTP Status Code: 400


An internal service error occurred.

HTTP Status Code: 500


The input provided was not valid.

HTTP Status Code: 400


The operation timed out.

HTTP Status Code: 400


IAM policy

This example illustrates one usage of AssumeDecoratedRoleWithSAML.

{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "glue:*Database*", "glue:*Table*", "glue:*Partition*", "glue:*UserDefinedFunction*", "lakeformation:GetDataAccess" ], "Resource": [ "*" ] } ] }

See Also

For more information about using this API in one of the language-specific AWS SDKs, see the following: