1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
|
// Code generated by smithy-go-codegen DO NOT EDIT.
package s3
import (
"context"
"fmt"
awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
"github.com/aws/aws-sdk-go-v2/aws/signer/v4"
s3cust "github.com/aws/aws-sdk-go-v2/service/s3/internal/customizations"
"github.com/aws/aws-sdk-go-v2/service/s3/types"
"github.com/aws/smithy-go/middleware"
"github.com/aws/smithy-go/ptr"
smithyhttp "github.com/aws/smithy-go/transport/http"
)
// Creates a session that establishes temporary security credentials to support
// fast authentication and authorization for the Zonal endpoint APIs on directory
// buckets. For more information about Zonal endpoint APIs that include the
// Availability Zone in the request endpoint, see S3 Express One Zone APIs (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-APIs.html)
// in the Amazon S3 User Guide. To make Zonal endpoint API requests on a directory
// bucket, use the CreateSession API operation. Specifically, you grant
// s3express:CreateSession permission to a bucket in a bucket policy or an IAM
// identity-based policy. Then, you use IAM credentials to make the CreateSession
// API request on the bucket, which returns temporary security credentials that
// include the access key ID, secret access key, session token, and expiration.
// These credentials have associated permissions to access the Zonal endpoint APIs.
// After the session is created, you don’t need to use other policies to grant
// permissions to each Zonal endpoint API individually. Instead, in your Zonal
// endpoint API requests, you sign your requests by applying the temporary security
// credentials of the session to the request headers and following the SigV4
// protocol for authentication. You also apply the session token to the
// x-amz-s3session-token request header for authorization. Temporary security
// credentials are scoped to the bucket and expire after 5 minutes. After the
// expiration time, any calls that you make with those credentials will fail. You
// must use IAM credentials again to make a CreateSession API request that
// generates a new set of temporary credentials for use. Temporary credentials
// cannot be extended or refreshed beyond the original specified interval. If you
// use Amazon Web Services SDKs, SDKs handle the session token refreshes
// automatically to avoid service interruptions when a session expires. We
// recommend that you use the Amazon Web Services SDKs to initiate and manage
// requests to the CreateSession API. For more information, see Performance
// guidelines and design patterns (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-optimizing-performance-guidelines-design-patterns.html#s3-express-optimizing-performance-session-authentication)
// in the Amazon S3 User Guide.
// - You must make requests for this API operation to the Zonal endpoint. These
// endpoints support virtual-hosted-style requests in the format
// https://bucket_name.s3express-az_id.region.amazonaws.com . Path-style requests
// are not supported. For more information, see Regional and Zonal endpoints (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-Regions-and-Zones.html)
// in the Amazon S3 User Guide.
// - CopyObject API operation - Unlike other Zonal endpoint APIs, the CopyObject
// API operation doesn't use the temporary security credentials returned from the
// CreateSession API operation for authentication and authorization. For
// information about authentication and authorization of the CopyObject API
// operation on directory buckets, see CopyObject (https://docs.aws.amazon.com/AmazonS3/latest/API/API_CopyObject.html)
// .
// - HeadBucket API operation - Unlike other Zonal endpoint APIs, the HeadBucket
// API operation doesn't use the temporary security credentials returned from the
// CreateSession API operation for authentication and authorization. For
// information about authentication and authorization of the HeadBucket API
// operation on directory buckets, see HeadBucket (https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html)
// .
//
// Permissions To obtain temporary security credentials, you must create a bucket
// policy or an IAM identity-based policy that grants s3express:CreateSession
// permission to the bucket. In a policy, you can have the s3express:SessionMode
// condition key to control who can create a ReadWrite or ReadOnly session. For
// more information about ReadWrite or ReadOnly sessions, see
// x-amz-create-session-mode (https://docs.aws.amazon.com/AmazonS3/latest/API/API_CreateSession.html#API_CreateSession_RequestParameters)
// . For example policies, see Example bucket policies for S3 Express One Zone (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-example-bucket-policies.html)
// and Amazon Web Services Identity and Access Management (IAM) identity-based
// policies for S3 Express One Zone (https://docs.aws.amazon.com/AmazonS3/latest/userguide/s3-express-security-iam-identity-policies.html)
// in the Amazon S3 User Guide. To grant cross-account access to Zonal endpoint
// APIs, the bucket policy should also grant both accounts the
// s3express:CreateSession permission. HTTP Host header syntax Directory buckets -
// The HTTP Host header syntax is Bucket_name.s3express-az_id.region.amazonaws.com .
func (c *Client) CreateSession(ctx context.Context, params *CreateSessionInput, optFns ...func(*Options)) (*CreateSessionOutput, error) {
if params == nil {
params = &CreateSessionInput{}
}
result, metadata, err := c.invokeOperation(ctx, "CreateSession", params, optFns, c.addOperationCreateSessionMiddlewares)
if err != nil {
return nil, err
}
out := result.(*CreateSessionOutput)
out.ResultMetadata = metadata
return out, nil
}
type CreateSessionInput struct {
// The name of the bucket that you create a session for.
//
// This member is required.
Bucket *string
// Specifies the mode of the session that will be created, either ReadWrite or
// ReadOnly . By default, a ReadWrite session is created. A ReadWrite session is
// capable of executing all the Zonal endpoint APIs on a directory bucket. A
// ReadOnly session is constrained to execute the following Zonal endpoint APIs:
// GetObject , HeadObject , ListObjectsV2 , GetObjectAttributes , ListParts , and
// ListMultipartUploads .
SessionMode types.SessionMode
noSmithyDocumentSerde
}
func (in *CreateSessionInput) bindEndpointParams(p *EndpointParameters) {
p.Bucket = in.Bucket
p.DisableS3ExpressSessionAuth = ptr.Bool(true)
}
type CreateSessionOutput struct {
// The established temporary security credentials for the created session..
//
// This member is required.
Credentials *types.SessionCredentials
// Metadata pertaining to the operation's result.
ResultMetadata middleware.Metadata
noSmithyDocumentSerde
}
func (c *Client) addOperationCreateSessionMiddlewares(stack *middleware.Stack, options Options) (err error) {
if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
return err
}
err = stack.Serialize.Add(&awsRestxml_serializeOpCreateSession{}, middleware.After)
if err != nil {
return err
}
err = stack.Deserialize.Add(&awsRestxml_deserializeOpCreateSession{}, middleware.After)
if err != nil {
return err
}
if err := addProtocolFinalizerMiddlewares(stack, options, "CreateSession"); err != nil {
return fmt.Errorf("add protocol finalizers: %v", err)
}
if err = addlegacyEndpointContextSetter(stack, options); err != nil {
return err
}
if err = addSetLoggerMiddleware(stack, options); err != nil {
return err
}
if err = awsmiddleware.AddClientRequestIDMiddleware(stack); err != nil {
return err
}
if err = smithyhttp.AddComputeContentLengthMiddleware(stack); err != nil {
return err
}
if err = addResolveEndpointMiddleware(stack, options); err != nil {
return err
}
if err = v4.AddComputePayloadSHA256Middleware(stack); err != nil {
return err
}
if err = addRetryMiddlewares(stack, options); err != nil {
return err
}
if err = awsmiddleware.AddRawResponseToMetadata(stack); err != nil {
return err
}
if err = awsmiddleware.AddRecordResponseTiming(stack); err != nil {
return err
}
if err = addClientUserAgent(stack, options); err != nil {
return err
}
if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
return err
}
if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
return err
}
if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
return err
}
if err = addPutBucketContextMiddleware(stack); err != nil {
return err
}
if err = addOpCreateSessionValidationMiddleware(stack); err != nil {
return err
}
if err = stack.Initialize.Add(newServiceMetadataMiddleware_opCreateSession(options.Region), middleware.Before); err != nil {
return err
}
if err = addMetadataRetrieverMiddleware(stack); err != nil {
return err
}
if err = awsmiddleware.AddRecursionDetection(stack); err != nil {
return err
}
if err = addCreateSessionUpdateEndpoint(stack, options); err != nil {
return err
}
if err = addResponseErrorMiddleware(stack); err != nil {
return err
}
if err = v4.AddContentSHA256HeaderMiddleware(stack); err != nil {
return err
}
if err = disableAcceptEncodingGzip(stack); err != nil {
return err
}
if err = addRequestResponseLogging(stack, options); err != nil {
return err
}
if err = addDisableHTTPSMiddleware(stack, options); err != nil {
return err
}
if err = addSerializeImmutableHostnameBucketMiddleware(stack, options); err != nil {
return err
}
return nil
}
func (v *CreateSessionInput) bucket() (string, bool) {
if v.Bucket == nil {
return "", false
}
return *v.Bucket, true
}
func newServiceMetadataMiddleware_opCreateSession(region string) *awsmiddleware.RegisterServiceMetadata {
return &awsmiddleware.RegisterServiceMetadata{
Region: region,
ServiceID: ServiceID,
OperationName: "CreateSession",
}
}
// getCreateSessionBucketMember returns a pointer to string denoting a provided
// bucket member valueand a boolean indicating if the input has a modeled bucket
// name,
func getCreateSessionBucketMember(input interface{}) (*string, bool) {
in := input.(*CreateSessionInput)
if in.Bucket == nil {
return nil, false
}
return in.Bucket, true
}
func addCreateSessionUpdateEndpoint(stack *middleware.Stack, options Options) error {
return s3cust.UpdateEndpoint(stack, s3cust.UpdateEndpointOptions{
Accessor: s3cust.UpdateEndpointParameterAccessor{
GetBucketFromInput: getCreateSessionBucketMember,
},
UsePathStyle: options.UsePathStyle,
UseAccelerate: options.UseAccelerate,
SupportsAccelerate: true,
TargetS3ObjectLambda: false,
EndpointResolver: options.EndpointResolver,
EndpointResolverOptions: options.EndpointOptions,
UseARNRegion: options.UseARNRegion,
DisableMultiRegionAccessPoints: options.DisableMultiRegionAccessPoints,
})
}
|
