pub struct IamState {
pub account_id: String,
pub users: HashMap<String, IamUser>,
pub access_keys: HashMap<String, Vec<IamAccessKey>>,
pub roles: HashMap<String, IamRole>,
pub policies: HashMap<String, IamPolicy>,
pub role_policies: HashMap<String, Vec<String>>,
pub role_inline_policies: HashMap<String, HashMap<String, String>>,
pub user_policies: HashMap<String, Vec<String>>,
pub user_inline_policies: HashMap<String, HashMap<String, String>>,
pub groups: HashMap<String, IamGroup>,
pub instance_profiles: HashMap<String, IamInstanceProfile>,
pub login_profiles: HashMap<String, LoginProfile>,
pub saml_providers: HashMap<String, SamlProvider>,
pub oidc_providers: HashMap<String, OidcProvider>,
pub server_certificates: HashMap<String, ServerCertificate>,
pub signing_certificates: HashMap<String, Vec<SigningCertificate>>,
pub account_aliases: Vec<String>,
pub account_password_policy: Option<AccountPasswordPolicy>,
pub virtual_mfa_devices: HashMap<String, VirtualMfaDevice>,
pub service_linked_role_deletions: HashMap<String, ServiceLinkedRoleDeletion>,
pub credential_identities: HashMap<String, CredentialIdentity>,
pub sts_temp_credentials: HashMap<String, StsTempCredential>,
pub credential_report_generated: bool,
pub ssh_public_keys: HashMap<String, Vec<SshPublicKey>>,
pub access_key_last_used: HashMap<String, AccessKeyLastUsed>,
}

Fields

- `account_id: String`
- `users: HashMap<String, IamUser>`
- `access_keys: HashMap<String, Vec<IamAccessKey>>`
- `roles: HashMap<String, IamRole>`
- `policies: HashMap<String, IamPolicy>`
- `role_policies: HashMap<String, Vec<String>>`
- `role_inline_policies: HashMap<String, HashMap<String, String>>`
- `user_policies: HashMap<String, Vec<String>>`
- `user_inline_policies: HashMap<String, HashMap<String, String>>`
- `groups: HashMap<String, IamGroup>`
- `instance_profiles: HashMap<String, IamInstanceProfile>`
- `login_profiles: HashMap<String, LoginProfile>`
- `saml_providers: HashMap<String, SamlProvider>`
- `oidc_providers: HashMap<String, OidcProvider>`
- `server_certificates: HashMap<String, ServerCertificate>`
- `signing_certificates: HashMap<String, Vec<SigningCertificate>>`
- `account_aliases: Vec<String>`
- `account_password_policy: Option<AccountPasswordPolicy>`
- `virtual_mfa_devices: HashMap<String, VirtualMfaDevice>`
- `service_linked_role_deletions: HashMap<String, ServiceLinkedRoleDeletion>`
- `credential_identities: HashMap<String, CredentialIdentity>`: Maps access key ID to the identity that should be returned by GetCallerIdentity.
- `sts_temp_credentials: HashMap<String, StsTempCredential>`: Temporary credentials issued by STS, keyed by access key ID. Includes the secret access key and session token — required for SigV4 verification and IAM enforcement. Expired entries are purged lazily on lookup.
- `credential_report_generated: bool`
- `ssh_public_keys: HashMap<String, Vec<SshPublicKey>>`
- `access_key_last_used: HashMap<String, AccessKeyLastUsed>`

Implementations
impl IamState
pub fn new(account_id: &str) -> Self
pub fn reset(&mut self)
pub fn credential_secret(&mut self, access_key_id: &str) -> Option<SecretLookup>
Look up the secret access key, session token, and resolved principal for a given access key ID.
Searches IAM user access keys first, then STS temporary credentials. Expired STS temporary credentials are purged in-place and skipped.
Returns `None` if the access key ID (AKID) is unknown or its STS credential has expired.
Required for SigV4 signature verification (batch 3) and principal resolution (batch 4). Callers must hold a write lock on `IamState` to allow the lazy purge; read-only callers should use `IamState::credential_secret_readonly`.
pub fn credential_secret_readonly(
    &self,
    access_key_id: &str,
) -> Option<SecretLookup>
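Read-only variant of `IamState::credential_secret` that does not purge expired entries. Prefer the mutable variant wherever possible to keep the temp-credential table small.
Note: this description says only that expired entries are not purged; it does not say whether an expired STS credential is still rejected (`None`) or returned. Confirm that expiry is checked here before relying on this variant for signature verification or principal resolution.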