1# Copyright (c) 2011 Mitch Garnaat http://garnaat.org/ 2# Copyright (c) 2011, Eucalyptus Systems, Inc. 3# Copyright (c) 2013 Amazon.com, Inc. or its affiliates. All Rights Reserved 4# 5# Permission is hereby granted, free of charge, to any person obtaining a 6# copy of this software and associated documentation files (the 7# "Software"), to deal in the Software without restriction, including 8# without limitation the rights to use, copy, modify, merge, publish, dis- 9# tribute, sublicense, and/or sell copies of the Software, and to permit 10# persons to whom the Software is furnished to do so, subject to the fol- 11# lowing conditions: 12# 13# The above copyright notice and this permission notice shall be included 14# in all copies or substantial portions of the Software. 15# 16# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS 17# OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABIL- 18# ITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT 19# SHALL THE AUTHOR BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, 20# WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 21# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS 22# IN THE SOFTWARE. 23 24from boto.connection import AWSQueryConnection 25from boto.provider import Provider, NO_CREDENTIALS_PROVIDED 26from boto.regioninfo import RegionInfo 27from boto.sts.credentials import Credentials, FederationToken, AssumedRole 28from boto.sts.credentials import DecodeAuthorizationMessage 29import boto 30import boto.utils 31import datetime 32import threading 33 34_session_token_cache = {} 35 36 37class STSConnection(AWSQueryConnection): 38 """ 39 AWS Security Token Service 40 The AWS Security Token Service is a web service that enables you 41 to request temporary, limited-privilege credentials for AWS 42 Identity and Access Management (IAM) users or for users that you 43 authenticate (federated users). This guide provides descriptions 44 of the AWS Security Token Service API. 45 46 For more detailed information about using this service, go to 47 `Using Temporary Security Credentials`_. 48 49 For information about setting up signatures and authorization 50 through the API, go to `Signing AWS API Requests`_ in the AWS 51 General Reference . For general information about the Query API, 52 go to `Making Query Requests`_ in Using IAM . For information 53 about using security tokens with other AWS products, go to `Using 54 Temporary Security Credentials to Access AWS`_ in Using Temporary 55 Security Credentials . 56 57 If you're new to AWS and need additional technical information 58 about a specific AWS product, you can find the product's technical 59 documentation at `http://aws.amazon.com/documentation/`_. 60 61 We will refer to Amazon Identity and Access Management using the 62 abbreviated form IAM. All copyrights and legal protections still 63 apply. 64 """ 65 DefaultRegionName = 'us-east-1' 66 DefaultRegionEndpoint = 'sts.amazonaws.com' 67 APIVersion = '2011-06-15' 68 69 def __init__(self, aws_access_key_id=None, aws_secret_access_key=None, 70 is_secure=True, port=None, proxy=None, proxy_port=None, 71 proxy_user=None, proxy_pass=None, debug=0, 72 https_connection_factory=None, region=None, path='/', 73 converter=None, validate_certs=True, anon=False, 74 security_token=None, profile_name=None): 75 """ 76 :type anon: boolean 77 :param anon: If this parameter is True, the ``STSConnection`` object 78 will make anonymous requests, and it will not use AWS 79 Credentials or even search for AWS Credentials to make these 80 requests. 81 """ 82 if not region: 83 region = RegionInfo(self, self.DefaultRegionName, 84 self.DefaultRegionEndpoint, 85 connection_cls=STSConnection) 86 self.region = region 87 self.anon = anon 88 self._mutex = threading.Semaphore() 89 provider = 'aws' 90 # If an anonymous request is sent, do not try to look for credentials. 91 # So we pass in dummy values for the access key id, secret access 92 # key, and session token. It does not matter that they are 93 # not actual values because the request is anonymous. 94 if self.anon: 95 provider = Provider('aws', NO_CREDENTIALS_PROVIDED, 96 NO_CREDENTIALS_PROVIDED, 97 NO_CREDENTIALS_PROVIDED) 98 super(STSConnection, self).__init__(aws_access_key_id, 99 aws_secret_access_key, 100 is_secure, port, proxy, proxy_port, 101 proxy_user, proxy_pass, 102 self.region.endpoint, debug, 103 https_connection_factory, path, 104 validate_certs=validate_certs, 105 security_token=security_token, 106 profile_name=profile_name, 107 provider=provider) 108 109 def _required_auth_capability(self): 110 if self.anon: 111 return ['sts-anon'] 112 else: 113 return ['hmac-v4'] 114 115 def _check_token_cache(self, token_key, duration=None, window_seconds=60): 116 token = _session_token_cache.get(token_key, None) 117 if token: 118 now = datetime.datetime.utcnow() 119 expires = boto.utils.parse_ts(token.expiration) 120 delta = expires - now 121 if delta < datetime.timedelta(seconds=window_seconds): 122 msg = 'Cached session token %s is expired' % token_key 123 boto.log.debug(msg) 124 token = None 125 return token 126 127 def _get_session_token(self, duration=None, 128 mfa_serial_number=None, mfa_token=None): 129 params = {} 130 if duration: 131 params['DurationSeconds'] = duration 132 if mfa_serial_number: 133 params['SerialNumber'] = mfa_serial_number 134 if mfa_token: 135 params['TokenCode'] = mfa_token 136 return self.get_object('GetSessionToken', params, 137 Credentials, verb='POST') 138 139 def get_session_token(self, duration=None, force_new=False, 140 mfa_serial_number=None, mfa_token=None): 141 """ 142 Return a valid session token. Because retrieving new tokens 143 from the Secure Token Service is a fairly heavyweight operation 144 this module caches previously retrieved tokens and returns 145 them when appropriate. Each token is cached with a key 146 consisting of the region name of the STS endpoint 147 concatenated with the requesting user's access id. If there 148 is a token in the cache meeting with this key, the session 149 expiration is checked to make sure it is still valid and if 150 so, the cached token is returned. Otherwise, a new session 151 token is requested from STS and it is placed into the cache 152 and returned. 153 154 :type duration: int 155 :param duration: The number of seconds the credentials should 156 remain valid. 157 158 :type force_new: bool 159 :param force_new: If this parameter is True, a new session token 160 will be retrieved from the Secure Token Service regardless 161 of whether there is a valid cached token or not. 162 163 :type mfa_serial_number: str 164 :param mfa_serial_number: The serial number of an MFA device. 165 If this is provided and if the mfa_passcode provided is 166 valid, the temporary session token will be authorized with 167 to perform operations requiring the MFA device authentication. 168 169 :type mfa_token: str 170 :param mfa_token: The 6 digit token associated with the 171 MFA device. 172 """ 173 token_key = '%s:%s' % (self.region.name, self.provider.access_key) 174 token = self._check_token_cache(token_key, duration) 175 if force_new or not token: 176 boto.log.debug('fetching a new token for %s' % token_key) 177 try: 178 self._mutex.acquire() 179 token = self._get_session_token(duration, 180 mfa_serial_number, 181 mfa_token) 182 _session_token_cache[token_key] = token 183 finally: 184 self._mutex.release() 185 return token 186 187 def get_federation_token(self, name, duration=None, policy=None): 188 """ 189 Returns a set of temporary security credentials (consisting of 190 an access key ID, a secret access key, and a security token) 191 for a federated user. A typical use is in a proxy application 192 that is getting temporary security credentials on behalf of 193 distributed applications inside a corporate network. Because 194 you must call the `GetFederationToken` action using the long- 195 term security credentials of an IAM user, this call is 196 appropriate in contexts where those credentials can be safely 197 stored, usually in a server-based application. 198 199 **Note:** Do not use this call in mobile applications or 200 client-based web applications that directly get temporary 201 security credentials. For those types of applications, use 202 `AssumeRoleWithWebIdentity`. 203 204 The `GetFederationToken` action must be called by using the 205 long-term AWS security credentials of the AWS account or an 206 IAM user. Credentials that are created by IAM users are valid 207 for the specified duration, between 900 seconds (15 minutes) 208 and 129600 seconds (36 hours); credentials that are created by 209 using account credentials have a maximum duration of 3600 210 seconds (1 hour). 211 212 The permissions that are granted to the federated user are the 213 intersection of the policy that is passed with the 214 `GetFederationToken` request and policies that are associated 215 with of the entity making the `GetFederationToken` call. 216 217 For more information about how permissions work, see 218 `Controlling Permissions in Temporary Credentials`_ in Using 219 Temporary Security Credentials . For information about using 220 `GetFederationToken` to create temporary security credentials, 221 see `Creating Temporary Credentials to Enable Access for 222 Federated Users`_ in Using Temporary Security Credentials . 223 224 :type name: string 225 :param name: The name of the federated user. The name is used as an 226 identifier for the temporary security credentials (such as `Bob`). 227 For example, you can reference the federated user name in a 228 resource-based policy, such as in an Amazon S3 bucket policy. 229 230 :type policy: string 231 :param policy: A policy that specifies the permissions that are granted 232 to the federated user. By default, federated users have no 233 permissions; they do not inherit any from the IAM user. When you 234 specify a policy, the federated user's permissions are intersection 235 of the specified policy and the IAM user's policy. If you don't 236 specify a policy, federated users can only access AWS resources 237 that explicitly allow those federated users in a resource policy, 238 such as in an Amazon S3 bucket policy. 239 240 :type duration: integer 241 :param duration: The duration, in seconds, that the session 242 should last. Acceptable durations for federation sessions range 243 from 900 seconds (15 minutes) to 129600 seconds (36 hours), with 244 43200 seconds (12 hours) as the default. Sessions for AWS account 245 owners are restricted to a maximum of 3600 seconds (one hour). If 246 the duration is longer than one hour, the session for AWS account 247 owners defaults to one hour. 248 249 """ 250 params = {'Name': name} 251 if duration: 252 params['DurationSeconds'] = duration 253 if policy: 254 params['Policy'] = policy 255 return self.get_object('GetFederationToken', params, 256 FederationToken, verb='POST') 257 258 def assume_role(self, role_arn, role_session_name, policy=None, 259 duration_seconds=None, external_id=None, 260 mfa_serial_number=None, 261 mfa_token=None): 262 """ 263 Returns a set of temporary security credentials (consisting of 264 an access key ID, a secret access key, and a security token) 265 that you can use to access AWS resources that you might not 266 normally have access to. Typically, you use `AssumeRole` for 267 cross-account access or federation. 268 269 For cross-account access, imagine that you own multiple 270 accounts and need to access resources in each account. You 271 could create long-term credentials in each account to access 272 those resources. However, managing all those credentials and 273 remembering which one can access which account can be time 274 consuming. Instead, you can create one set of long-term 275 credentials in one account and then use temporary security 276 credentials to access all the other accounts by assuming roles 277 in those accounts. For more information about roles, see 278 `Roles`_ in Using IAM . 279 280 For federation, you can, for example, grant single sign-on 281 access to the AWS Management Console. If you already have an 282 identity and authentication system in your corporate network, 283 you don't have to recreate user identities in AWS in order to 284 grant those user identities access to AWS. Instead, after a 285 user has been authenticated, you call `AssumeRole` (and 286 specify the role with the appropriate permissions) to get 287 temporary security credentials for that user. With those 288 temporary security credentials, you construct a sign-in URL 289 that users can use to access the console. For more 290 information, see `Scenarios for Granting Temporary Access`_ in 291 AWS Security Token Service . 292 293 The temporary security credentials are valid for the duration 294 that you specified when calling `AssumeRole`, which can be 295 from 900 seconds (15 minutes) to 3600 seconds (1 hour). The 296 default is 1 hour. 297 298 The temporary security credentials that are returned from the 299 `AssumeRoleWithWebIdentity` response have the permissions that 300 are associated with the access policy of the role being 301 assumed and any policies that are associated with the AWS 302 resource being accessed. You can further restrict the 303 permissions of the temporary security credentials by passing a 304 policy in the request. The resulting permissions are an 305 intersection of the role's access policy and the policy that 306 you passed. These policies and any applicable resource-based 307 policies are evaluated when calls to AWS service APIs are made 308 using the temporary security credentials. 309 310 To assume a role, your AWS account must be trusted by the 311 role. The trust relationship is defined in the role's trust 312 policy when the IAM role is created. You must also have a 313 policy that allows you to call `sts:AssumeRole`. 314 315 **Important:** You cannot call `Assumerole` by using AWS 316 account credentials; access will be denied. You must use IAM 317 user credentials to call `AssumeRole`. 318 319 :type role_arn: string 320 :param role_arn: The Amazon Resource Name (ARN) of the role that the 321 caller is assuming. 322 323 :type role_session_name: string 324 :param role_session_name: An identifier for the assumed role session. 325 The session name is included as part of the `AssumedRoleUser`. 326 327 :type policy: string 328 :param policy: A supplemental policy that is associated with the 329 temporary security credentials from the `AssumeRole` call. The 330 resulting permissions of the temporary security credentials are an 331 intersection of this policy and the access policy that is 332 associated with the role. Use this policy to further restrict the 333 permissions of the temporary security credentials. 334 335 :type duration_seconds: integer 336 :param duration_seconds: The duration, in seconds, of the role session. 337 The value can range from 900 seconds (15 minutes) to 3600 seconds 338 (1 hour). By default, the value is set to 3600 seconds. 339 340 :type external_id: string 341 :param external_id: A unique identifier that is used by third parties 342 to assume a role in their customers' accounts. For each role that 343 the third party can assume, they should instruct their customers to 344 create a role with the external ID that the third party generated. 345 Each time the third party assumes the role, they must pass the 346 customer's external ID. The external ID is useful in order to help 347 third parties bind a role to the customer who created it. For more 348 information about the external ID, see `About the External ID`_ in 349 Using Temporary Security Credentials . 350 351 :type mfa_serial_number: string 352 :param mfa_serial_number: The identification number of the MFA device that 353 is associated with the user who is making the AssumeRole call. 354 Specify this value if the trust policy of the role being assumed 355 includes a condition that requires MFA authentication. The value is 356 either the serial number for a hardware device (such as 357 GAHT12345678) or an Amazon Resource Name (ARN) for a virtual device 358 (such as arn:aws:iam::123456789012:mfa/user). Minimum length of 9. 359 Maximum length of 256. 360 361 :type mfa_token: string 362 :param mfa_token: The value provided by the MFA device, if the trust 363 policy of the role being assumed requires MFA (that is, if the 364 policy includes a condition that tests for MFA). If the role being 365 assumed requires MFA and if the TokenCode value is missing or 366 expired, the AssumeRole call returns an "access denied" errror. 367 Minimum length of 6. Maximum length of 6. 368 369 """ 370 params = { 371 'RoleArn': role_arn, 372 'RoleSessionName': role_session_name 373 } 374 if policy is not None: 375 params['Policy'] = policy 376 if duration_seconds is not None: 377 params['DurationSeconds'] = duration_seconds 378 if external_id is not None: 379 params['ExternalId'] = external_id 380 if mfa_serial_number is not None: 381 params['SerialNumber'] = mfa_serial_number 382 if mfa_token is not None: 383 params['TokenCode'] = mfa_token 384 return self.get_object('AssumeRole', params, AssumedRole, verb='POST') 385 386 def assume_role_with_saml(self, role_arn, principal_arn, saml_assertion, 387 policy=None, duration_seconds=None): 388 """ 389 Returns a set of temporary security credentials for users who 390 have been authenticated via a SAML authentication response. 391 This operation provides a mechanism for tying an enterprise 392 identity store or directory to role-based AWS access without 393 user-specific credentials or configuration. 394 395 The temporary security credentials returned by this operation 396 consist of an access key ID, a secret access key, and a 397 security token. Applications can use these temporary security 398 credentials to sign calls to AWS services. The credentials are 399 valid for the duration that you specified when calling 400 `AssumeRoleWithSAML`, which can be up to 3600 seconds (1 hour) 401 or until the time specified in the SAML authentication 402 response's `NotOnOrAfter` value, whichever is shorter. 403 404 The maximum duration for a session is 1 hour, and the minimum 405 duration is 15 minutes, even if values outside this range are 406 specified. 407 408 Optionally, you can pass an AWS IAM access policy to this 409 operation. The temporary security credentials that are 410 returned by the operation have the permissions that are 411 associated with the access policy of the role being assumed, 412 except for any permissions explicitly denied by the policy you 413 pass. This gives you a way to further restrict the permissions 414 for the federated user. These policies and any applicable 415 resource-based policies are evaluated when calls to AWS are 416 made using the temporary security credentials. 417 418 Before your application can call `AssumeRoleWithSAML`, you 419 must configure your SAML identity provider (IdP) to issue the 420 claims required by AWS. Additionally, you must use AWS 421 Identity and Access Management (AWS IAM) to create a SAML 422 provider entity in your AWS account that represents your 423 identity provider, and create an AWS IAM role that specifies 424 this SAML provider in its trust policy. 425 426 Calling `AssumeRoleWithSAML` does not require the use of AWS 427 security credentials. The identity of the caller is validated 428 by using keys in the metadata document that is uploaded for 429 the SAML provider entity for your identity provider. 430 431 For more information, see the following resources: 432 433 434 + `Creating Temporary Security Credentials for SAML 435 Federation`_ in the Using Temporary Security Credentials 436 guide. 437 + `SAML Providers`_ in the Using IAM guide. 438 + `Configuring a Relying Party and Claims in the Using IAM 439 guide. `_ 440 + `Creating a Role for SAML-Based Federation`_ in the Using 441 IAM guide. 442 443 :type role_arn: string 444 :param role_arn: The Amazon Resource Name (ARN) of the role that the 445 caller is assuming. 446 447 :type principal_arn: string 448 :param principal_arn: The Amazon Resource Name (ARN) of the SAML 449 provider in AWS IAM that describes the IdP. 450 451 :type saml_assertion: string 452 :param saml_assertion: The base-64 encoded SAML authentication response 453 provided by the IdP. 454 For more information, see `Configuring a Relying Party and Adding 455 Claims`_ in the Using IAM guide. 456 457 :type policy: string 458 :param policy: 459 An AWS IAM policy in JSON format. 460 461 The temporary security credentials that are returned by this operation 462 have the permissions that are associated with the access policy of 463 the role being assumed, except for any permissions explicitly 464 denied by the policy you pass. These policies and any applicable 465 resource-based policies are evaluated when calls to AWS are made 466 using the temporary security credentials. 467 468 The policy must be 2048 bytes or shorter, and its packed size must be 469 less than 450 bytes. 470 471 :type duration_seconds: integer 472 :param duration_seconds: 473 The duration, in seconds, of the role session. The value can range from 474 900 seconds (15 minutes) to 3600 seconds (1 hour). By default, the 475 value is set to 3600 seconds. An expiration can also be specified 476 in the SAML authentication response's `NotOnOrAfter` value. The 477 actual expiration time is whichever value is shorter. 478 479 The maximum duration for a session is 1 hour, and the minimum duration 480 is 15 minutes, even if values outside this range are specified. 481 482 """ 483 params = { 484 'RoleArn': role_arn, 485 'PrincipalArn': principal_arn, 486 'SAMLAssertion': saml_assertion, 487 } 488 if policy is not None: 489 params['Policy'] = policy 490 if duration_seconds is not None: 491 params['DurationSeconds'] = duration_seconds 492 return self.get_object('AssumeRoleWithSAML', params, AssumedRole, 493 verb='POST') 494 495 def assume_role_with_web_identity(self, role_arn, role_session_name, 496 web_identity_token, provider_id=None, 497 policy=None, duration_seconds=None): 498 """ 499 Returns a set of temporary security credentials for users who 500 have been authenticated in a mobile or web application with a 501 web identity provider, such as Login with Amazon, Facebook, or 502 Google. `AssumeRoleWithWebIdentity` is an API call that does 503 not require the use of AWS security credentials. Therefore, 504 you can distribute an application (for example, on mobile 505 devices) that requests temporary security credentials without 506 including long-term AWS credentials in the application or by 507 deploying server-based proxy services that use long-term AWS 508 credentials. For more information, see `Creating a Mobile 509 Application with Third-Party Sign-In`_ in AWS Security Token 510 Service . 511 512 The temporary security credentials consist of an access key 513 ID, a secret access key, and a security token. Applications 514 can use these temporary security credentials to sign calls to 515 AWS service APIs. The credentials are valid for the duration 516 that you specified when calling `AssumeRoleWithWebIdentity`, 517 which can be from 900 seconds (15 minutes) to 3600 seconds (1 518 hour). By default, the temporary security credentials are 519 valid for 1 hour. 520 521 The temporary security credentials that are returned from the 522 `AssumeRoleWithWebIdentity` response have the permissions that 523 are associated with the access policy of the role being 524 assumed. You can further restrict the permissions of the 525 temporary security credentials by passing a policy in the 526 request. The resulting permissions are an intersection of the 527 role's access policy and the policy that you passed. These 528 policies and any applicable resource-based policies are 529 evaluated when calls to AWS service APIs are made using the 530 temporary security credentials. 531 532 Before your application can call `AssumeRoleWithWebIdentity`, 533 you must have an identity token from a supported identity 534 provider and create a role that the application can assume. 535 The role that your application assumes must trust the identity 536 provider that is associated with the identity token. In other 537 words, the identity provider must be specified in the role's 538 trust policy. For more information, see ` Creating Temporary 539 Security Credentials for Mobile Apps Using Third-Party 540 Identity Providers`_. 541 542 :type role_arn: string 543 :param role_arn: The Amazon Resource Name (ARN) of the role that the 544 caller is assuming. 545 546 :type role_session_name: string 547 :param role_session_name: An identifier for the assumed role session. 548 Typically, you pass the name or identifier that is associated with 549 the user who is using your application. That way, the temporary 550 security credentials that your application will use are associated 551 with that user. This session name is included as part of the ARN 552 and assumed role ID in the `AssumedRoleUser` response element. 553 554 :type web_identity_token: string 555 :param web_identity_token: The OAuth 2.0 access token or OpenID Connect 556 ID token that is provided by the identity provider. Your 557 application must get this token by authenticating the user who is 558 using your application with a web identity provider before the 559 application makes an `AssumeRoleWithWebIdentity` call. 560 561 :type provider_id: string 562 :param provider_id: Specify this value only for OAuth access tokens. Do 563 not specify this value for OpenID Connect ID tokens, such as 564 `accounts.google.com`. This is the fully-qualified host component 565 of the domain name of the identity provider. Do not include URL 566 schemes and port numbers. Currently, `www.amazon.com` and 567 `graph.facebook.com` are supported. 568 569 :type policy: string 570 :param policy: A supplemental policy that is associated with the 571 temporary security credentials from the `AssumeRoleWithWebIdentity` 572 call. The resulting permissions of the temporary security 573 credentials are an intersection of this policy and the access 574 policy that is associated with the role. Use this policy to further 575 restrict the permissions of the temporary security credentials. 576 577 :type duration_seconds: integer 578 :param duration_seconds: The duration, in seconds, of the role session. 579 The value can range from 900 seconds (15 minutes) to 3600 seconds 580 (1 hour). By default, the value is set to 3600 seconds. 581 582 """ 583 params = { 584 'RoleArn': role_arn, 585 'RoleSessionName': role_session_name, 586 'WebIdentityToken': web_identity_token, 587 } 588 if provider_id is not None: 589 params['ProviderId'] = provider_id 590 if policy is not None: 591 params['Policy'] = policy 592 if duration_seconds is not None: 593 params['DurationSeconds'] = duration_seconds 594 return self.get_object( 595 'AssumeRoleWithWebIdentity', 596 params, 597 AssumedRole, 598 verb='POST' 599 ) 600 601 def decode_authorization_message(self, encoded_message): 602 """ 603 Decodes additional information about the authorization status 604 of a request from an encoded message returned in response to 605 an AWS request. 606 607 For example, if a user is not authorized to perform an action 608 that he or she has requested, the request returns a 609 `Client.UnauthorizedOperation` response (an HTTP 403 610 response). Some AWS actions additionally return an encoded 611 message that can provide details about this authorization 612 failure. 613 Only certain AWS actions return an encoded authorization 614 message. The documentation for an individual action indicates 615 whether that action returns an encoded message in addition to 616 returning an HTTP code. 617 The message is encoded because the details of the 618 authorization status can constitute privileged information 619 that the user who requested the action should not see. To 620 decode an authorization status message, a user must be granted 621 permissions via an IAM policy to request the 622 `DecodeAuthorizationMessage` ( 623 `sts:DecodeAuthorizationMessage`) action. 624 625 The decoded message includes the following type of 626 information: 627 628 629 + Whether the request was denied due to an explicit deny or 630 due to the absence of an explicit allow. For more information, 631 see `Determining Whether a Request is Allowed or Denied`_ in 632 Using IAM . 633 + The principal who made the request. 634 + The requested action. 635 + The requested resource. 636 + The values of condition keys in the context of the user's 637 request. 638 639 :type encoded_message: string 640 :param encoded_message: The encoded message that was returned with the 641 response. 642 643 """ 644 params = { 645 'EncodedMessage': encoded_message, 646 } 647 return self.get_object( 648 'DecodeAuthorizationMessage', 649 params, 650 DecodeAuthorizationMessage, 651 verb='POST' 652 ) 653