19_role_assumption_workflow/
19_role_assumption_workflow.rs

//! Role Assumption Workflow
//!
//! This example demonstrates:
//! - The AssumeRole pattern for obtaining elevated permissions
//! - Temporary credentials that carry the role's permissions
//! - Session-based access
//!
//! Scenario: a user assumes a role to gain elevated access.
//!
//! Run with: `cargo run --example 19_role_assumption_workflow`
11
12use std::sync::{Arc, RwLock};
13use wami::provider::AwsProvider;
14use wami::service::{AssumeRoleService, RoleService, UserService};
15use wami::store::memory::InMemoryWamiStore;
16use wami::wami::identity::role::requests::CreateRoleRequest;
17use wami::wami::identity::user::requests::CreateUserRequest;
18use wami::wami::sts::assume_role::requests::AssumeRoleRequest;
19
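/// Walks through the AssumeRole workflow against an in-memory store:
/// 1. create the user `alice`,
/// 2. create `AdminRole`, whose trust policy names alice's ARN as the only
///    principal allowed to call `sts:AssumeRole`,
/// 3. have alice assume the role and print the resulting temporary credentials.
///
/// # Errors
/// Propagates any error returned by the user, role or STS service calls.
#[tokio::main]
async fn main() -> Result<(), Box<dyn std::error::Error>> {
    println!("=== Role Assumption Workflow ===\n");

    // All three services share one store, so the role written by
    // `role_service` is the one `sts_service` sees when it is assumed.
    let store = Arc::new(RwLock::new(InMemoryWamiStore::default()));
    let _provider = Arc::new(AwsProvider::new());
    // Sample account id for the demo; not a real account.
    let account_id = "123456789012";

    let user_service = UserService::new(store.clone(), account_id.to_string());
    let role_service = RoleService::new(store.clone(), account_id.to_string());
    let sts_service = AssumeRoleService::new(store.clone(), account_id.to_string());

    // Step 1: the principal that will later assume the role.
    println!("Step 1: Creating user...\n");
    let alice = user_service
        .create_user(CreateUserRequest {
            user_name: "alice".to_string(),
            path: Some("/".to_string()),
            permissions_boundary: None,
            tags: None,
        })
        .await?;
    println!("āœ“ Created alice: {}", alice.arn);

    // Step 2: the elevated role. The trust policy names alice's ARN as the
    // only principal permitted to call sts:AssumeRole. A wildcard principal
    // (`"AWS":"*"`) would let any caller assume the role, which contradicts
    // the "trust policies control who can assume roles" takeaway below.
    // Braces are doubled because `format!` treats single braces as
    // placeholders. Whether the in-memory store evaluates this document on
    // assume_role is not visible here; the policy is still what a real
    // deployment would need.
    println!("\nStep 2: Creating admin role...\n");
    let trust_policy = format!(
        r#"{{"Version":"2012-10-17","Statement":[{{"Effect":"Allow","Principal":{{"AWS":"{}"}},"Action":"sts:AssumeRole"}}]}}"#,
        alice.arn
    );
    let role = role_service
        .create_role(CreateRoleRequest {
            role_name: "AdminRole".to_string(),
            path: Some("/".to_string()),
            assume_role_policy_document: trust_policy,
            description: Some("Admin role for elevated access".to_string()),
            // Upper bound for any session on this role; the request in
            // Step 3 asks for exactly this much.
            max_session_duration: Some(3600),
            permissions_boundary: None,
            tags: None,
        })
        .await?;
    println!("āœ“ Created AdminRole: {}", role.arn);

    // Step 3: alice assumes the role. `external_id` is left unset: it is
    // the field a cross-account caller would supply (as with AWS STS's
    // ExternalId) so the role can refuse requests relayed by a third party;
    // a same-account demo does not need it.
    println!("\nStep 3: Alice assuming AdminRole...\n");
    let assume_req = AssumeRoleRequest {
        role_arn: role.arn,
        role_session_name: "alice-admin-session".to_string(),
        // Must not exceed the role's max_session_duration set above.
        duration_seconds: Some(3600),
        external_id: None,
        policy: None,
    };

    let response = sts_service.assume_role(assume_req, &alice.arn).await?;
    println!("āœ“ Successfully assumed role!");
    println!("  Assumed Role ARN: {}", response.assumed_role_user.arn);
    // Only the access key id is shown. The secret access key and session
    // token, if present on `credentials`, are not printed; keep it that way
    // in any logging derived from this example.
    println!("  Access Key: {}", response.credentials.access_key_id);
    println!("  Expiration: {}", response.credentials.expiration);

    println!("\nāœ… Example completed successfully!");
    println!("Key takeaways:");
    println!("- AssumeRole provides temporary elevated permissions");
    println!("- Trust policies control who can assume roles");
    println!("- Session credentials expire automatically");

    Ok(())
}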