pub trait OrgMembershipResolver: Send + Sync {
// Required method
fn can_assume_root_into(
&self,
caller_account: &str,
target_account: &str,
) -> bool;
}Expand description
Abstraction over “does the organization topology permit caller_account to
mint centralized-root (sts:AssumeRoot) credentials for target_account”.
Implemented by fakecloud-organizations, which owns the membership graph
the IAM/STS crate has no visibility into.
Returns true only when an organization exists, target_account is a
member of it, and caller_account is that org’s management account (or a
registered delegated administrator for centralized root access). Any other
case — no org, target not enrolled, caller not privileged — returns
false, so a bare sts:AssumeRoot grant can no longer escalate to root
over an arbitrary account. Same-account AssumeRoot is handled by the caller
and never consults this resolver.
Required Methods§
fn can_assume_root_into( &self, caller_account: &str, target_account: &str, ) -> bool
Dyn Compatibility§
This trait is dyn compatible.
In older versions of Rust, dyn compatibility was called "object safety".