Skip to main content

OrgMembershipResolver

Trait OrgMembershipResolver 

Source
pub trait OrgMembershipResolver: Send + Sync {
    // Required method
    fn can_assume_root_into(
        &self,
        caller_account: &str,
        target_account: &str,
    ) -> bool;
}
Expand description

Abstraction over “does the organization topology permit caller_account to mint centralized-root (sts:AssumeRoot) credentials for target_account”. Implemented by fakecloud-organizations, which owns the membership graph the IAM/STS crate has no visibility into.

Returns true only when an organization exists, target_account is a member of it, and caller_account is that org’s management account (or a registered delegated administrator for centralized root access). Any other case — no org, target not enrolled, caller not privileged — returns false, so a bare sts:AssumeRoot grant can no longer escalate to root over an arbitrary account. Same-account AssumeRoot is handled by the caller and never consults this resolver.

Required Methods§

Source

fn can_assume_root_into( &self, caller_account: &str, target_account: &str, ) -> bool

Dyn Compatibility§

This trait is dyn compatible.

In older versions of Rust, dyn compatibility was called "object safety".

Implementors§