Re-export of fakecloud_core::auth_message.
The encoder and decoder live in fakecloud-core so the dispatch
layer can produce deny tokens inline (the deny decision is computed
before any service-specific handler runs). The IAM crate keeps the
crate::auth_message::encode_deny / decode_message paths as
re-exports so the STS service code that decodes the token doesn’t
reach across crate boundaries explicitly.
Functions
- decode_message - Reverse encode_deny. Returns the JSON document the encoder stashed, or an InvalidAuthorizationMessageException-shaped error when the token isn’t recognizable. Tokens that decode but don’t look like deny payloads are still returned verbatim — AWS’s behavior is to hand back whatever JSON it finds rather than try to interpret it.
- encode_deny - Build an encoded authorization message describing a deny decision. The shape mirrors what AWS returns from DecodeAuthorizationMessage: an allowed flag, an explicitDeny flag, and a matchedStatements.items array. Optional supplementary keys (action, principal, context) are included so an operator inspecting the decoded blob can see why the request failed.
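The round-trip contract described above, as an added sketch that is not fakecloud's own code. The function names, their signatures, the hex token encoding and the sourcePolicyId item field are assumptions made for illustration; only the document shape and the decode behaviour (verbatim JSON, or an InvalidAuthorizationMessageException-shaped error) come from this page.

```rust
// Added sketch, NOT fakecloud's code. Names, signatures and the hex "token"
// encoding are assumptions; the JSON shape and decode contract follow the docs.

/// Minimal JSON string escaping, enough for the constructed values used here.
fn esc(s: &str) -> String {
    s.replace('\\', "\\\\").replace('"', "\\\"")
}

/// Build the deny document and wrap it in a hex token (stand-in encoding).
/// `sourcePolicyId` as the item field is an assumption for this sketch.
fn sketch_encode_deny(action: &str, principal: &str, policy_ids: &[&str]) -> String {
    let items: Vec<String> = policy_ids
        .iter()
        .map(|id| format!("{{\"sourcePolicyId\":\"{}\"}}", esc(id)))
        .collect();
    let doc = format!(
        "{{\"allowed\":false,\"explicitDeny\":true,\"matchedStatements\":{{\"items\":[{}]}},\"action\":\"{}\",\"principal\":\"{}\"}}",
        items.join(","),
        esc(action),
        esc(principal)
    );
    doc.bytes().map(|b| format!("{:02x}", b)).collect()
}

/// Reverse the wrapping. Any JSON object found inside is returned verbatim,
/// whether or not it looks like a deny payload.
fn sketch_decode_message(token: &str) -> Result<String, String> {
    let err = || "InvalidAuthorizationMessageException".to_string();
    // Unrecognizable token: empty, odd length, or not pure hex.
    if token.is_empty() || token.len() % 2 != 0 || !token.bytes().all(|b| b.is_ascii_hexdigit()) {
        return Err(err());
    }
    let bytes: Result<Vec<u8>, _> = (0..token.len())
        .step_by(2)
        .map(|i| u8::from_str_radix(&token[i..i + 2], 16))
        .collect();
    let text = String::from_utf8(bytes.map_err(|_| err())?).map_err(|_| err())?;
    // Only require that it looks like a JSON object; do not interpret its keys.
    if text.starts_with('{') && text.ends_with('}') { Ok(text) } else { Err(err()) }
}

fn main() {
    // Constructed sample values.
    let token = sketch_encode_deny("s3:GetObject", "arn:aws:iam::000000000000:user/alice", &["deny-policy-1"]);
    println!("{}", sketch_decode_message(&token).unwrap());
    println!("{:?}", sketch_decode_message("not-a-token"));
}
```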