pub struct StsResourcePolicyProvider { /* private fields */ }
Implementations
impl StsResourcePolicyProvider
pub fn new(state: SharedIamState) -> Self
Trait Implementations
impl ResourcePolicyProvider for StsResourcePolicyProvider
fn resource_policy(&self, service: &str, resource_arn: &str) -> Option<String>
Fetch the resource-based policy document attached to
resource_arn on service. Both arguments are lowercase-ish
("s3", "arn:aws:s3:::my-bucket"); implementations should
match the service prefix they own and return None for
anything else so providers can be composed safely.
fn resource_owner_account(&self, _service: &str, _resource_arn: &str) -> Option<String>
Resolve the 12-digit account that owns
resource_arn on service,
when the ARN itself does not carry it. S3 ARNs have an empty account
field (arn:aws:s3:::bucket), so without this the dispatcher would
fall back to the caller’s account and treat every S3 request as
same-account — letting account A reach account B’s bucket without B’s
bucket policy granting it (bug-audit 2026-05-28, 5.3). Providers whose
ARNs already carry the account (SQS/SNS/Lambda/…) return None and let
the dispatcher parse it from the ARN. Default None.
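The owner-resolution rule documented for resource_owner_account, as an added example (not this crate's code): `arn_account`, `effective_owner` and `is_same_account` are hypothetical helpers, the resolution order is an assumption, and the ARNs and account IDs are constructed.

```rust
// Added example: hypothetical helpers, not the crate's dispatcher.
// ARNs and account IDs below are constructed sample values.

/// Account field of `arn:partition:service:region:account:resource`, if a 12-digit ID.
fn arn_account(arn: &str) -> Option<&str> {
    let mut parts = arn.splitn(6, ':');
    if parts.next()? != "arn" {
        return None;
    }
    let account = parts.nth(3)?; // skips partition, service, region
    (account.len() == 12 && account.bytes().all(|b| b.is_ascii_digit())).then_some(account)
}

/// Assumed order: provider answer first, then the ARN's own account field.
/// `fallback_to_caller = true` reproduces the pre-fix fallback to the caller's account.
fn effective_owner(
    provider: Option<String>,
    arn: &str,
    caller: &str,
    fallback_to_caller: bool,
) -> Option<String> {
    provider
        .or_else(|| arn_account(arn).map(str::to_owned))
        .or_else(|| fallback_to_caller.then(|| caller.to_owned()))
}

/// Same-account only when the owner is known and equals the caller;
/// an unresolved owner counts as cross-account (fail closed).
fn is_same_account(owner: Option<&str>, caller: &str) -> bool {
    owner == Some(caller)
}

fn main() {
    let (caller, bucket_owner) = ("111111111111", "222222222222");
    let s3 = "arn:aws:s3:::my-bucket"; // empty account field
    let sqs = "arn:aws:sqs:us-east-1:222222222222:jobs"; // account in the ARN

    // Pre-fix: no provider answer, caller fallback, so B's bucket looks same-account.
    let old = effective_owner(None, s3, caller, true);
    println!("fallback: same_account={}", is_same_account(old.as_deref(), caller));

    // With the provider hook: owner is B, so B's bucket policy must grant access.
    let new = effective_owner(Some(bucket_owner.to_owned()), s3, caller, false);
    println!("provider: same_account={}", is_same_account(new.as_deref(), caller));

    // Provider returns None for SQS; the owner is parsed from the ARN.
    println!("sqs owner={:?}", effective_owner(None, sqs, caller, false));
}
```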
fn public_acl_allows(&self, _service: &str, _resource_arn: &str, _action: &str) -> bool
Whether a public-read ACL on
resource_arn grants action to
an anonymous (unsigned) caller. Distinct from a bucket policy: S3
ACLs are a separate grant surface, so an object/bucket with an
AllUsers group grant is publicly readable even without a bucket
policy. action is the bare AWS action name ("GetObject",
"ListBucket", …).
Auto Trait Implementations
impl !RefUnwindSafe for StsResourcePolicyProvider
impl !UnwindSafe for StsResourcePolicyProvider
impl Freeze for StsResourcePolicyProvider
impl Send for StsResourcePolicyProvider
impl Sync for StsResourcePolicyProvider
impl Unpin for StsResourcePolicyProvider
impl UnsafeUnpin for StsResourcePolicyProvider
Blanket Implementations
impl<T> BorrowMut<T> for T
where
    T: ?Sized,
fn borrow_mut(&mut self) -> &mut T
Mutably borrows from an owned value.