1// Code generated by smithy-go-codegen DO NOT EDIT.
2
3package sts
4
5import (
6 "context"
7 "fmt"
8 awsmiddleware "github.com/aws/aws-sdk-go-v2/aws/middleware"
9 "github.com/aws/aws-sdk-go-v2/aws/signer/v4"
10 "github.com/aws/aws-sdk-go-v2/service/sts/types"
11 "github.com/aws/smithy-go/middleware"
12 smithyhttp "github.com/aws/smithy-go/transport/http"
13)
14
15// Returns a set of temporary security credentials that you can use to access
16// Amazon Web Services resources. These temporary credentials consist of an access
17// key ID, a secret access key, and a security token. Typically, you use AssumeRole
18// within your account or for cross-account access. For a comparison of AssumeRole
19// with other API operations that produce temporary credentials, see [Requesting Temporary Security Credentials]and [Comparing the Amazon Web Services STS API operations] in the
20// IAM User Guide.
21//
22// # Permissions
23//
24// The temporary security credentials created by AssumeRole can be used to make
25// API calls to any Amazon Web Services service with the following exception: You
26// cannot call the Amazon Web Services STS GetFederationToken or GetSessionToken
27// API operations.
28//
29// (Optional) You can pass inline or managed [session policies] to this operation. You can pass a
30// single JSON policy document to use as an inline session policy. You can also
31// specify up to 10 managed policy Amazon Resource Names (ARNs) to use as managed
32// session policies. The plaintext that you use for both inline and managed session
33// policies can't exceed 2,048 characters. Passing policies to this operation
34// returns new temporary credentials. The resulting session's permissions are the
35// intersection of the role's identity-based policy and the session policies. You
36// can use the role's temporary credentials in subsequent Amazon Web Services API
37// calls to access resources in the account that owns the role. You cannot use
38// session policies to grant more permissions than those allowed by the
39// identity-based policy of the role that is being assumed. For more information,
40// see [Session Policies]in the IAM User Guide.
41//
42// When you create a role, you create two policies: a role trust policy that
43// specifies who can assume the role, and a permissions policy that specifies what
44// can be done with the role. You specify the trusted principal that is allowed to
45// assume the role in the role trust policy.
46//
47// To assume a role from a different account, your Amazon Web Services account
48// must be trusted by the role. The trust relationship is defined in the role's
49// trust policy when the role is created. That trust policy states which accounts
50// are allowed to delegate that access to users in the account.
51//
52// A user who wants to access a role in a different account must also have
53// permissions that are delegated from the account administrator. The administrator
54// must attach a policy that allows the user to call AssumeRole for the ARN of the
55// role in the other account.
56//
57// To allow a user to assume a role in the same account, you can do either of the
58// following:
59//
60// - Attach a policy to the user that allows the user to call AssumeRole (as long
61// as the role's trust policy trusts the account).
62//
63// - Add the user as a principal directly in the role's trust policy.
64//
65// You can do either because the roleβs trust policy acts as an IAM resource-based
66// policy. When a resource-based policy grants access to a principal in the same
67// account, no additional identity-based policy is required. For more information
68// about trust policies and resource-based policies, see [IAM Policies]in the IAM User Guide.
69//
70// # Tags
71//
72// (Optional) You can pass tag key-value pairs to your session. These tags are
73// called session tags. For more information about session tags, see [Passing Session Tags in STS]in the IAM
74// User Guide.
75//
76// An administrator must grant you the permissions necessary to pass session tags.
77// The administrator can also create granular permissions to allow you to pass only
78// specific session tags. For more information, see [Tutorial: Using Tags for Attribute-Based Access Control]in the IAM User Guide.
79//
80// You can set the session tags as transitive. Transitive tags persist during role
81// chaining. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
82//
83// # Using MFA with AssumeRole
84//
85// (Optional) You can include multi-factor authentication (MFA) information when
86// you call AssumeRole . This is useful for cross-account scenarios to ensure that
87// the user that assumes the role has been authenticated with an Amazon Web
88// Services MFA device. In that scenario, the trust policy of the role being
89// assumed includes a condition that tests for MFA authentication. If the caller
90// does not include valid MFA information, the request to assume the role is
91// denied. The condition in a trust policy that tests for MFA authentication might
92// look like the following example.
93//
94// "Condition": {"Bool": {"aws:MultiFactorAuthPresent": true}}
95//
96// For more information, see [Configuring MFA-Protected API Access] in the IAM User Guide guide.
97//
98// To use MFA with AssumeRole , you pass values for the SerialNumber and TokenCode
99// parameters. The SerialNumber value identifies the user's hardware or virtual
100// MFA device. The TokenCode is the time-based one-time password (TOTP) that the
101// MFA device produces.
102//
103// [Configuring MFA-Protected API Access]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
104// [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
105// [Passing Session Tags in STS]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
106// [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
107// [Comparing the Amazon Web Services STS API operations]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
108// [session policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
109// [IAM Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
110// [Requesting Temporary Security Credentials]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
111// [Tutorial: Using Tags for Attribute-Based Access Control]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
112func (c *Client) AssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*Options)) (*AssumeRoleOutput, error) {
113 if params == nil {
114 params = &AssumeRoleInput{}
115 }
116
117 result, metadata, err := c.invokeOperation(ctx, "AssumeRole", params, optFns, c.addOperationAssumeRoleMiddlewares)
118 if err != nil {
119 return nil, err
120 }
121
122 out := result.(*AssumeRoleOutput)
123 out.ResultMetadata = metadata
124 return out, nil
125}
126
127type AssumeRoleInput struct {
128
129 // The Amazon Resource Name (ARN) of the role to assume.
130 //
131 // This member is required.
132 RoleArn *string
133
134 // An identifier for the assumed role session.
135 //
136 // Use the role session name to uniquely identify a session when the same role is
137 // assumed by different principals or for different reasons. In cross-account
138 // scenarios, the role session name is visible to, and can be logged by the account
139 // that owns the role. The role session name is also used in the ARN of the assumed
140 // role principal. This means that subsequent cross-account API requests that use
141 // the temporary security credentials will expose the role session name to the
142 // external account in their CloudTrail logs.
143 //
144 // The regex used to validate this parameter is a string of characters consisting
145 // of upper- and lower-case alphanumeric characters with no spaces. You can also
146 // include underscores or any of the following characters: =,.@-
147 //
148 // This member is required.
149 RoleSessionName *string
150
151 // The duration, in seconds, of the role session. The value specified can range
152 // from 900 seconds (15 minutes) up to the maximum session duration set for the
153 // role. The maximum session duration setting can have a value from 1 hour to 12
154 // hours. If you specify a value higher than this setting or the administrator
155 // setting (whichever is lower), the operation fails. For example, if you specify a
156 // session duration of 12 hours, but your administrator set the maximum session
157 // duration to 6 hours, your operation fails.
158 //
159 // Role chaining limits your Amazon Web Services CLI or Amazon Web Services API
160 // role session to a maximum of one hour. When you use the AssumeRole API
161 // operation to assume a role, you can specify the duration of your role session
162 // with the DurationSeconds parameter. You can specify a parameter value of up to
163 // 43200 seconds (12 hours), depending on the maximum session duration setting for
164 // your role. However, if you assume a role using role chaining and provide a
165 // DurationSeconds parameter value greater than one hour, the operation fails. To
166 // learn how to view the maximum value for your role, see [View the Maximum Session Duration Setting for a Role]in the IAM User Guide.
167 //
168 // By default, the value is set to 3600 seconds.
169 //
170 // The DurationSeconds parameter is separate from the duration of a console
171 // session that you might request using the returned credentials. The request to
172 // the federation endpoint for a console sign-in token takes a SessionDuration
173 // parameter that specifies the maximum length of the console session. For more
174 // information, see [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]in the IAM User Guide.
175 //
176 // [View the Maximum Session Duration Setting for a Role]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
177 // [Creating a URL that Enables Federated Users to Access the Amazon Web Services Management Console]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_enable-console-custom-url.html
178 DurationSeconds *int32
179
180 // A unique identifier that might be required when you assume a role in another
181 // account. If the administrator of the account to which the role belongs provided
182 // you with an external ID, then provide that value in the ExternalId parameter.
183 // This value can be any string, such as a passphrase or account number. A
184 // cross-account role is usually set up to trust everyone in an account. Therefore,
185 // the administrator of the trusting account might send an external ID to the
186 // administrator of the trusted account. That way, only someone with the ID can
187 // assume the role, rather than everyone in the account. For more information about
188 // the external ID, see [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]in the IAM User Guide.
189 //
190 // The regex used to validate this parameter is a string of characters consisting
191 // of upper- and lower-case alphanumeric characters with no spaces. You can also
192 // include underscores or any of the following characters: =,.@:/-
193 //
194 // [How to Use an External ID When Granting Access to Your Amazon Web Services Resources to a Third Party]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-user_externalid.html
195 ExternalId *string
196
197 // An IAM policy in JSON format that you want to use as an inline session policy.
198 //
199 // This parameter is optional. Passing policies to this operation returns new
200 // temporary credentials. The resulting session's permissions are the intersection
201 // of the role's identity-based policy and the session policies. You can use the
202 // role's temporary credentials in subsequent Amazon Web Services API calls to
203 // access resources in the account that owns the role. You cannot use session
204 // policies to grant more permissions than those allowed by the identity-based
205 // policy of the role that is being assumed. For more information, see [Session Policies]in the IAM
206 // User Guide.
207 //
208 // The plaintext that you use for both inline and managed session policies can't
209 // exceed 2,048 characters. The JSON policy characters can be any ASCII character
210 // from the space character to the end of the valid character list (\u0020 through
211 // \u00FF). It can also include the tab (\u0009), linefeed (\u000A), and carriage
212 // return (\u000D) characters.
213 //
214 // An Amazon Web Services conversion compresses the passed inline session policy,
215 // managed policy ARNs, and session tags into a packed binary format that has a
216 // separate limit. Your request can fail for this limit even if your plaintext
217 // meets the other requirements. The PackedPolicySize response element indicates
218 // by percentage how close the policies and tags for your request are to the upper
219 // size limit.
220 //
221 // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
222 Policy *string
223
224 // The Amazon Resource Names (ARNs) of the IAM managed policies that you want to
225 // use as managed session policies. The policies must exist in the same account as
226 // the role.
227 //
228 // This parameter is optional. You can provide up to 10 managed policy ARNs.
229 // However, the plaintext that you use for both inline and managed session policies
230 // can't exceed 2,048 characters. For more information about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]in the
231 // Amazon Web Services General Reference.
232 //
233 // An Amazon Web Services conversion compresses the passed inline session policy,
234 // managed policy ARNs, and session tags into a packed binary format that has a
235 // separate limit. Your request can fail for this limit even if your plaintext
236 // meets the other requirements. The PackedPolicySize response element indicates
237 // by percentage how close the policies and tags for your request are to the upper
238 // size limit.
239 //
240 // Passing policies to this operation returns new temporary credentials. The
241 // resulting session's permissions are the intersection of the role's
242 // identity-based policy and the session policies. You can use the role's temporary
243 // credentials in subsequent Amazon Web Services API calls to access resources in
244 // the account that owns the role. You cannot use session policies to grant more
245 // permissions than those allowed by the identity-based policy of the role that is
246 // being assumed. For more information, see [Session Policies]in the IAM User Guide.
247 //
248 // [Session Policies]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
249 // [Amazon Resource Names (ARNs) and Amazon Web Services Service Namespaces]: https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
250 PolicyArns []types.PolicyDescriptorType
251
252 // A list of previously acquired trusted context assertions in the format of a
253 // JSON array. The trusted context assertion is signed and encrypted by Amazon Web
254 // Services STS.
255 //
256 // The following is an example of a ProvidedContext value that includes a single
257 // trusted context assertion and the ARN of the context provider from which the
258 // trusted context assertion was generated.
259 //
260 // [{"ProviderArn":"arn:aws:iam::aws:contextProvider/IdentityCenter","ContextAssertion":"trusted-context-assertion"}]
261 ProvidedContexts []types.ProvidedContext
262
263 // The identification number of the MFA device that is associated with the user
264 // who is making the AssumeRole call. Specify this value if the trust policy of
265 // the role being assumed includes a condition that requires MFA authentication.
266 // The value is either the serial number for a hardware device (such as
267 // GAHT12345678 ) or an Amazon Resource Name (ARN) for a virtual device (such as
268 // arn:aws:iam::123456789012:mfa/user ).
269 //
270 // The regex used to validate this parameter is a string of characters consisting
271 // of upper- and lower-case alphanumeric characters with no spaces. You can also
272 // include underscores or any of the following characters: =,.@-
273 SerialNumber *string
274
275 // The source identity specified by the principal that is calling the AssumeRole
276 // operation.
277 //
278 // You can require users to specify a source identity when they assume a role. You
279 // do this by using the sts:SourceIdentity condition key in a role trust policy.
280 // You can use source identity information in CloudTrail logs to determine who took
281 // actions with a role. You can use the aws:SourceIdentity condition key to
282 // further control access to Amazon Web Services resources based on the value of
283 // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
284 // IAM User Guide.
285 //
286 // The regex used to validate this parameter is a string of characters consisting
287 // of upper- and lower-case alphanumeric characters with no spaces. You can also
288 // include underscores or any of the following characters: =,.@-. You cannot use a
289 // value that begins with the text aws: . This prefix is reserved for Amazon Web
290 // Services internal use.
291 //
292 // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
293 SourceIdentity *string
294
295 // A list of session tags that you want to pass. Each session tag consists of a
296 // key name and an associated value. For more information about session tags, see [Tagging Amazon Web Services STS Sessions]
297 // in the IAM User Guide.
298 //
299 // This parameter is optional. You can pass up to 50 session tags. The plaintext
300 // session tag keys canβt exceed 128 characters, and the values canβt exceed 256
301 // characters. For these and additional limits, see [IAM and STS Character Limits]in the IAM User Guide.
302 //
303 // An Amazon Web Services conversion compresses the passed inline session policy,
304 // managed policy ARNs, and session tags into a packed binary format that has a
305 // separate limit. Your request can fail for this limit even if your plaintext
306 // meets the other requirements. The PackedPolicySize response element indicates
307 // by percentage how close the policies and tags for your request are to the upper
308 // size limit.
309 //
310 // You can pass a session tag with the same key as a tag that is already attached
311 // to the role. When you do, session tags override a role tag with the same key.
312 //
313 // Tag keyβvalue pairs are not case sensitive, but case is preserved. This means
314 // that you cannot have separate Department and department tag keys. Assume that
315 // the role has the Department = Marketing tag and you pass the department =
316 // engineering session tag. Department and department are not saved as separate
317 // tags, and the session tag passed in the request takes precedence over the role
318 // tag.
319 //
320 // Additionally, if you used temporary credentials to perform this operation, the
321 // new session inherits any transitive session tags from the calling session. If
322 // you pass a session tag with the same key as an inherited tag, the operation
323 // fails. To view the inherited tags for a session, see the CloudTrail logs. For
324 // more information, see [Viewing Session Tags in CloudTrail]in the IAM User Guide.
325 //
326 // [Tagging Amazon Web Services STS Sessions]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
327 // [IAM and STS Character Limits]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
328 // [Viewing Session Tags in CloudTrail]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
329 Tags []types.Tag
330
331 // The value provided by the MFA device, if the trust policy of the role being
332 // assumed requires MFA. (In other words, if the policy includes a condition that
333 // tests for MFA). If the role being assumed requires MFA and if the TokenCode
334 // value is missing or expired, the AssumeRole call returns an "access denied"
335 // error.
336 //
337 // The format for this parameter, as described by its regex pattern, is a sequence
338 // of six numeric digits.
339 TokenCode *string
340
341 // A list of keys for session tags that you want to set as transitive. If you set
342 // a tag key as transitive, the corresponding key and value passes to subsequent
343 // sessions in a role chain. For more information, see [Chaining Roles with Session Tags]in the IAM User Guide.
344 //
345 // This parameter is optional. When you set session tags as transitive, the
346 // session policy and session tags packed binary limit is not affected.
347 //
348 // If you choose not to specify a transitive tag key, then no tags are passed from
349 // this session to any subsequent sessions.
350 //
351 // [Chaining Roles with Session Tags]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
352 TransitiveTagKeys []string
353
354 noSmithyDocumentSerde
355}
356
357// Contains the response to a successful AssumeRole request, including temporary Amazon Web
358// Services credentials that can be used to make Amazon Web Services requests.
359type AssumeRoleOutput struct {
360
361 // The Amazon Resource Name (ARN) and the assumed role ID, which are identifiers
362 // that you can use to refer to the resulting temporary security credentials. For
363 // example, you can reference these credentials as a principal in a resource-based
364 // policy by using the ARN or assumed role ID. The ARN and ID include the
365 // RoleSessionName that you specified when you called AssumeRole .
366 AssumedRoleUser *types.AssumedRoleUser
367
368 // The temporary security credentials, which include an access key ID, a secret
369 // access key, and a security (or session) token.
370 //
371 // The size of the security token that STS API operations return is not fixed. We
372 // strongly recommend that you make no assumptions about the maximum size.
373 Credentials *types.Credentials
374
375 // A percentage value that indicates the packed size of the session policies and
376 // session tags combined passed in the request. The request fails if the packed
377 // size is greater than 100 percent, which means the policies and tags exceeded the
378 // allowed space.
379 PackedPolicySize *int32
380
381 // The source identity specified by the principal that is calling the AssumeRole
382 // operation.
383 //
384 // You can require users to specify a source identity when they assume a role. You
385 // do this by using the sts:SourceIdentity condition key in a role trust policy.
386 // You can use source identity information in CloudTrail logs to determine who took
387 // actions with a role. You can use the aws:SourceIdentity condition key to
388 // further control access to Amazon Web Services resources based on the value of
389 // source identity. For more information about using source identity, see [Monitor and control actions taken with assumed roles]in the
390 // IAM User Guide.
391 //
392 // The regex used to validate this parameter is a string of characters consisting
393 // of upper- and lower-case alphanumeric characters with no spaces. You can also
394 // include underscores or any of the following characters: =,.@-
395 //
396 // [Monitor and control actions taken with assumed roles]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
397 SourceIdentity *string
398
399 // Metadata pertaining to the operation's result.
400 ResultMetadata middleware.Metadata
401
402 noSmithyDocumentSerde
403}
404
405func (c *Client) addOperationAssumeRoleMiddlewares(stack *middleware.Stack, options Options) (err error) {
406 if err := stack.Serialize.Add(&setOperationInputMiddleware{}, middleware.After); err != nil {
407 return err
408 }
409 err = stack.Serialize.Add(&awsAwsquery_serializeOpAssumeRole{}, middleware.After)
410 if err != nil {
411 return err
412 }
413 err = stack.Deserialize.Add(&awsAwsquery_deserializeOpAssumeRole{}, middleware.After)
414 if err != nil {
415 return err
416 }
417 if err := addProtocolFinalizerMiddlewares(stack, options, "AssumeRole"); err != nil {
418 return fmt.Errorf("add protocol finalizers: %v", err)
419 }
420
421 if err = addlegacyEndpointContextSetter(stack, options); err != nil {
422 return err
423 }
424 if err = addSetLoggerMiddleware(stack, options); err != nil {
425 return err
426 }
427 if err = addClientRequestID(stack); err != nil {
428 return err
429 }
430 if err = addComputeContentLength(stack); err != nil {
431 return err
432 }
433 if err = addResolveEndpointMiddleware(stack, options); err != nil {
434 return err
435 }
436 if err = addComputePayloadSHA256(stack); err != nil {
437 return err
438 }
439 if err = addRetry(stack, options); err != nil {
440 return err
441 }
442 if err = addRawResponseToMetadata(stack); err != nil {
443 return err
444 }
445 if err = addRecordResponseTiming(stack); err != nil {
446 return err
447 }
448 if err = addClientUserAgent(stack, options); err != nil {
449 return err
450 }
451 if err = smithyhttp.AddErrorCloseResponseBodyMiddleware(stack); err != nil {
452 return err
453 }
454 if err = smithyhttp.AddCloseResponseBodyMiddleware(stack); err != nil {
455 return err
456 }
457 if err = addSetLegacyContextSigningOptionsMiddleware(stack); err != nil {
458 return err
459 }
460 if err = addTimeOffsetBuild(stack, c); err != nil {
461 return err
462 }
463 if err = addUserAgentRetryMode(stack, options); err != nil {
464 return err
465 }
466 if err = addOpAssumeRoleValidationMiddleware(stack); err != nil {
467 return err
468 }
469 if err = stack.Initialize.Add(newServiceMetadataMiddleware_opAssumeRole(options.Region), middleware.Before); err != nil {
470 return err
471 }
472 if err = addRecursionDetection(stack); err != nil {
473 return err
474 }
475 if err = addRequestIDRetrieverMiddleware(stack); err != nil {
476 return err
477 }
478 if err = addResponseErrorMiddleware(stack); err != nil {
479 return err
480 }
481 if err = addRequestResponseLogging(stack, options); err != nil {
482 return err
483 }
484 if err = addDisableHTTPSMiddleware(stack, options); err != nil {
485 return err
486 }
487 return nil
488}
489
490func newServiceMetadataMiddleware_opAssumeRole(region string) *awsmiddleware.RegisterServiceMetadata {
491 return &awsmiddleware.RegisterServiceMetadata{
492 Region: region,
493 ServiceID: ServiceID,
494 OperationName: "AssumeRole",
495 }
496}
497
498// PresignAssumeRole is used to generate a presigned HTTP Request which contains
499// presigned URL, signed headers and HTTP method used.
500func (c *PresignClient) PresignAssumeRole(ctx context.Context, params *AssumeRoleInput, optFns ...func(*PresignOptions)) (*v4.PresignedHTTPRequest, error) {
501 if params == nil {
502 params = &AssumeRoleInput{}
503 }
504 options := c.options.copy()
505 for _, fn := range optFns {
506 fn(&options)
507 }
508 clientOptFns := append(options.ClientOptions, withNopHTTPClientAPIOption)
509
510 result, _, err := c.client.invokeOperation(ctx, "AssumeRole", params, clientOptFns,
511 c.client.addOperationAssumeRoleMiddlewares,
512 presignConverter(options).convertToPresignMiddleware,
513 )
514 if err != nil {
515 return nil, err
516 }
517
518 out := result.(*v4.PresignedHTTPRequest)
519 return out, nil
520}