aws-sdk-core 3.105.0 → 3.130.2
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +1304 -0
- data/LICENSE.txt +202 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +153 -0
- data/lib/aws-defaults/defaults_mode_config_resolver.rb +107 -0
- data/lib/aws-defaults.rb +3 -0
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +20 -1
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +9 -4
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ec2_metadata.rb +238 -0
- data/lib/aws-sdk-core/ecs_credentials.rb +5 -0
- data/lib/aws-sdk-core/errors.rb +6 -2
- data/lib/aws-sdk-core/instance_profile_credentials.rb +119 -18
- data/lib/aws-sdk-core/json/json_engine.rb +10 -8
- data/lib/aws-sdk-core/json/oj_engine.rb +33 -6
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/json.rb +8 -26
- data/lib/aws-sdk-core/log/formatter.rb +1 -1
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +72 -26
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +29 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +3 -1
- data/lib/aws-sdk-core/plugins/defaults_mode.rb +40 -0
- data/lib/aws-sdk-core/plugins/endpoint_pattern.rb +6 -6
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +17 -0
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +16 -1
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +27 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +48 -2
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +5 -3
- data/lib/aws-sdk-core/plugins/retry_errors.rb +25 -8
- data/lib/aws-sdk-core/plugins/signature_v4.rb +15 -24
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/process_credentials.rb +3 -2
- data/lib/aws-sdk-core/refreshing_credentials.rb +42 -11
- data/lib/aws-sdk-core/rest/request/body.rb +19 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +18 -6
- data/lib/aws-sdk-core/rest/response/headers.rb +3 -1
- data/lib/aws-sdk-core/shared_config.rb +28 -8
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +35 -10
- data/lib/aws-sdk-core/structure.rb +10 -1
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/protocols/rest_xml.rb +0 -2
- data/lib/aws-sdk-core/xml/builder.rb +2 -2
- data/lib/aws-sdk-core/xml/doc_builder.rb +6 -1
- data/lib/aws-sdk-core/xml/parser/engines/ox.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-core/xml/parser.rb +5 -0
- data/lib/aws-sdk-core.rb +11 -3
- data/lib/aws-sdk-sso/client.rb +28 -6
- data/lib/aws-sdk-sso/client_api.rb +1 -1
- data/lib/aws-sdk-sso/errors.rb +1 -1
- data/lib/aws-sdk-sso/resource.rb +1 -1
- data/lib/aws-sdk-sso/types.rb +1 -1
- data/lib/aws-sdk-sso.rb +7 -4
- data/lib/aws-sdk-sts/client.rb +515 -429
- data/lib/aws-sdk-sts/client_api.rb +7 -1
- data/lib/aws-sdk-sts/errors.rb +1 -1
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +5 -1
- data/lib/aws-sdk-sts/presigner.rb +7 -1
- data/lib/aws-sdk-sts/resource.rb +1 -1
- data/lib/aws-sdk-sts/types.rb +332 -193
- data/lib/aws-sdk-sts.rb +7 -2
- data/lib/seahorse/client/configuration.rb +4 -0
- data/lib/seahorse/client/h2/connection.rb +15 -13
- data/lib/seahorse/client/h2/handler.rb +4 -5
- data/lib/seahorse/client/net_http/connection_pool.rb +7 -0
- data/lib/seahorse/client/net_http/handler.rb +17 -8
- data/lib/seahorse/client/net_http/patches.rb +13 -84
- data/lib/seahorse/client/plugins/content_length.rb +11 -5
- data/lib/seahorse/client/plugins/h2.rb +4 -1
- data/lib/seahorse/client/plugins/net_http.rb +37 -3
- data/lib/seahorse/client/plugins/response_target.rb +0 -1
- data/lib/seahorse/model/operation.rb +3 -0
- data/lib/seahorse/model/shapes.rb +25 -0
- data/lib/seahorse/util.rb +6 -1
- metadata +17 -10
- data/lib/aws-sdk-sso/plugins/content_type.rb +0 -25
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -3,7 +3,7 @@
|
|
3
3
|
# WARNING ABOUT GENERATED CODE
|
4
4
|
#
|
5
5
|
# This file is generated. See the contributing guide for more information:
|
6
|
-
# https://github.com/aws/aws-sdk-ruby/blob/
|
6
|
+
# https://github.com/aws/aws-sdk-ruby/blob/version-3/CONTRIBUTING.md
|
7
7
|
#
|
8
8
|
# WARNING ABOUT GENERATED CODE
|
9
9
|
|
@@ -33,6 +33,7 @@ module Aws::STS
|
|
33
33
|
# external_id: "externalIdType",
|
34
34
|
# serial_number: "serialNumberType",
|
35
35
|
# token_code: "tokenCodeType",
|
36
|
+
# source_identity: "sourceIdentityType",
|
36
37
|
# }
|
37
38
|
#
|
38
39
|
# @!attribute [rw] role_arn
|
@@ -49,7 +50,7 @@ module Aws::STS
|
|
49
50
|
# role session name is also used in the ARN of the assumed role
|
50
51
|
# principal. This means that subsequent cross-account API requests
|
51
52
|
# that use the temporary security credentials will expose the role
|
52
|
-
# session name to the external account in their
|
53
|
+
# session name to the external account in their CloudTrail logs.
|
53
54
|
#
|
54
55
|
# The regex used to validate this parameter is a string of characters
|
55
56
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -63,17 +64,18 @@ module Aws::STS
|
|
63
64
|
# in the same account as the role.
|
64
65
|
#
|
65
66
|
# This parameter is optional. You can provide up to 10 managed policy
|
66
|
-
# ARNs. However, the
|
67
|
+
# ARNs. However, the plaintext that you use for both inline and
|
67
68
|
# managed session policies can't exceed 2,048 characters. For more
|
68
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
69
|
-
# Service Namespaces][1] in the
|
69
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
70
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
71
|
+
# General Reference.
|
70
72
|
#
|
71
|
-
# <note markdown="1"> An
|
72
|
-
# tags into a packed binary format that has a
|
73
|
-
# request can fail for this limit even if your
|
74
|
-
# other requirements. The `PackedPolicySize`
|
75
|
-
# indicates by percentage how close the policies and
|
76
|
-
# request are to the upper size limit.
|
73
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
74
|
+
# policies and session tags into a packed binary format that has a
|
75
|
+
# separate limit. Your request can fail for this limit even if your
|
76
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
77
|
+
# response element indicates by percentage how close the policies and
|
78
|
+
# tags for your request are to the upper size limit.
|
77
79
|
#
|
78
80
|
# </note>
|
79
81
|
#
|
@@ -81,10 +83,10 @@ module Aws::STS
|
|
81
83
|
# credentials. The resulting session's permissions are the
|
82
84
|
# intersection of the role's identity-based policy and the session
|
83
85
|
# policies. You can use the role's temporary credentials in
|
84
|
-
# subsequent
|
85
|
-
# owns the role. You cannot use session policies to grant
|
86
|
-
# permissions than those allowed by the identity-based policy of
|
87
|
-
# role that is being assumed. For more information, see [Session
|
86
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
87
|
+
# account that owns the role. You cannot use session policies to grant
|
88
|
+
# more permissions than those allowed by the identity-based policy of
|
89
|
+
# the role that is being assumed. For more information, see [Session
|
88
90
|
# Policies][2] in the *IAM User Guide*.
|
89
91
|
#
|
90
92
|
#
|
@@ -101,25 +103,25 @@ module Aws::STS
|
|
101
103
|
# returns new temporary credentials. The resulting session's
|
102
104
|
# permissions are the intersection of the role's identity-based
|
103
105
|
# policy and the session policies. You can use the role's temporary
|
104
|
-
# credentials in subsequent
|
105
|
-
# account that owns the role. You cannot use session
|
106
|
-
# more permissions than those allowed by the
|
107
|
-
# the role that is being assumed. For more
|
108
|
-
# Policies][1] in the *IAM User Guide*.
|
106
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
107
|
+
# resources in the account that owns the role. You cannot use session
|
108
|
+
# policies to grant more permissions than those allowed by the
|
109
|
+
# identity-based policy of the role that is being assumed. For more
|
110
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
109
111
|
#
|
110
|
-
# The
|
112
|
+
# The plaintext that you use for both inline and managed session
|
111
113
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
112
114
|
# can be any ASCII character from the space character to the end of
|
113
115
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
114
116
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
115
117
|
# (\\u000D) characters.
|
116
118
|
#
|
117
|
-
# <note markdown="1"> An
|
118
|
-
# tags into a packed binary format that has a
|
119
|
-
# request can fail for this limit even if your
|
120
|
-
# other requirements. The `PackedPolicySize`
|
121
|
-
# indicates by percentage how close the policies and
|
122
|
-
# request are to the upper size limit.
|
119
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
120
|
+
# policies and session tags into a packed binary format that has a
|
121
|
+
# separate limit. Your request can fail for this limit even if your
|
122
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
123
|
+
# response element indicates by percentage how close the policies and
|
124
|
+
# tags for your request are to the upper size limit.
|
123
125
|
#
|
124
126
|
# </note>
|
125
127
|
#
|
@@ -129,15 +131,26 @@ module Aws::STS
|
|
129
131
|
# @return [String]
|
130
132
|
#
|
131
133
|
# @!attribute [rw] duration_seconds
|
132
|
-
# The duration, in seconds, of the role session. The value
|
133
|
-
# from 900 seconds (15 minutes) up to the maximum session
|
134
|
-
#
|
135
|
-
# 12 hours. If you specify a value higher
|
136
|
-
#
|
137
|
-
#
|
138
|
-
#
|
139
|
-
#
|
140
|
-
#
|
134
|
+
# The duration, in seconds, of the role session. The value specified
|
135
|
+
# can range from 900 seconds (15 minutes) up to the maximum session
|
136
|
+
# duration set for the role. The maximum session duration setting can
|
137
|
+
# have a value from 1 hour to 12 hours. If you specify a value higher
|
138
|
+
# than this setting or the administrator setting (whichever is lower),
|
139
|
+
# the operation fails. For example, if you specify a session duration
|
140
|
+
# of 12 hours, but your administrator set the maximum session duration
|
141
|
+
# to 6 hours, your operation fails.
|
142
|
+
#
|
143
|
+
# Role chaining limits your Amazon Web Services CLI or Amazon Web
|
144
|
+
# Services API role session to a maximum of one hour. When you use the
|
145
|
+
# `AssumeRole` API operation to assume a role, you can specify the
|
146
|
+
# duration of your role session with the `DurationSeconds` parameter.
|
147
|
+
# You can specify a parameter value of up to 43200 seconds (12 hours),
|
148
|
+
# depending on the maximum session duration setting for your role.
|
149
|
+
# However, if you assume a role using role chaining and provide a
|
150
|
+
# `DurationSeconds` parameter value greater than one hour, the
|
151
|
+
# operation fails. To learn how to view the maximum value for your
|
152
|
+
# role, see [View the Maximum Session Duration Setting for a Role][1]
|
153
|
+
# in the *IAM User Guide*.
|
141
154
|
#
|
142
155
|
# By default, the value is set to `3600` seconds.
|
143
156
|
#
|
@@ -146,8 +159,8 @@ module Aws::STS
|
|
146
159
|
# credentials. The request to the federation endpoint for a console
|
147
160
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
148
161
|
# maximum length of the console session. For more information, see
|
149
|
-
# [Creating a URL that Enables Federated Users to Access the
|
150
|
-
# Management Console][2] in the *IAM User Guide*.
|
162
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
163
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
151
164
|
#
|
152
165
|
# </note>
|
153
166
|
#
|
@@ -160,20 +173,20 @@ module Aws::STS
|
|
160
173
|
# @!attribute [rw] tags
|
161
174
|
# A list of session tags that you want to pass. Each session tag
|
162
175
|
# consists of a key name and an associated value. For more information
|
163
|
-
# about session tags, see [Tagging
|
164
|
-
# User Guide*.
|
176
|
+
# about session tags, see [Tagging Amazon Web Services STS
|
177
|
+
# Sessions][1] in the *IAM User Guide*.
|
165
178
|
#
|
166
179
|
# This parameter is optional. You can pass up to 50 session tags. The
|
167
|
-
#
|
180
|
+
# plaintext session tag keys can’t exceed 128 characters, and the
|
168
181
|
# values can’t exceed 256 characters. For these and additional limits,
|
169
182
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
170
183
|
#
|
171
|
-
# <note markdown="1"> An
|
172
|
-
# tags into a packed binary format that has a
|
173
|
-
# request can fail for this limit even if your
|
174
|
-
# other requirements. The `PackedPolicySize`
|
175
|
-
# indicates by percentage how close the policies and
|
176
|
-
# request are to the upper size limit.
|
184
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
185
|
+
# policies and session tags into a packed binary format that has a
|
186
|
+
# separate limit. Your request can fail for this limit even if your
|
187
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
188
|
+
# response element indicates by percentage how close the policies and
|
189
|
+
# tags for your request are to the upper size limit.
|
177
190
|
#
|
178
191
|
# </note>
|
179
192
|
#
|
@@ -193,14 +206,14 @@ module Aws::STS
|
|
193
206
|
# operation, the new session inherits any transitive session tags from
|
194
207
|
# the calling session. If you pass a session tag with the same key as
|
195
208
|
# an inherited tag, the operation fails. To view the inherited tags
|
196
|
-
# for a session, see the
|
197
|
-
#
|
209
|
+
# for a session, see the CloudTrail logs. For more information, see
|
210
|
+
# [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
198
211
|
#
|
199
212
|
#
|
200
213
|
#
|
201
214
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
202
215
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
203
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
216
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
|
204
217
|
# @return [Array<Types::Tag>]
|
205
218
|
#
|
206
219
|
# @!attribute [rw] transitive_tag_keys
|
@@ -232,8 +245,8 @@ module Aws::STS
|
|
232
245
|
# the administrator of the trusted account. That way, only someone
|
233
246
|
# with the ID can assume the role, rather than everyone in the
|
234
247
|
# account. For more information about the external ID, see [How to Use
|
235
|
-
# an External ID When Granting Access to Your
|
236
|
-
# Party][1] in the *IAM User Guide*.
|
248
|
+
# an External ID When Granting Access to Your Amazon Web Services
|
249
|
+
# Resources to a Third Party][1] in the *IAM User Guide*.
|
237
250
|
#
|
238
251
|
# The regex used to validate this parameter is a string of characters
|
239
252
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -262,15 +275,41 @@ module Aws::STS
|
|
262
275
|
#
|
263
276
|
# @!attribute [rw] token_code
|
264
277
|
# The value provided by the MFA device, if the trust policy of the
|
265
|
-
# role being assumed requires MFA (
|
266
|
-
# condition that tests for MFA). If the role being assumed
|
267
|
-
# MFA and if the `TokenCode` value is missing or expired, the
|
278
|
+
# role being assumed requires MFA. (In other words, if the policy
|
279
|
+
# includes a condition that tests for MFA). If the role being assumed
|
280
|
+
# requires MFA and if the `TokenCode` value is missing or expired, the
|
268
281
|
# `AssumeRole` call returns an "access denied" error.
|
269
282
|
#
|
270
283
|
# The format for this parameter, as described by its regex pattern, is
|
271
284
|
# a sequence of six numeric digits.
|
272
285
|
# @return [String]
|
273
286
|
#
|
287
|
+
# @!attribute [rw] source_identity
|
288
|
+
# The source identity specified by the principal that is calling the
|
289
|
+
# `AssumeRole` operation.
|
290
|
+
#
|
291
|
+
# You can require users to specify a source identity when they assume
|
292
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
293
|
+
# in a role trust policy. You can use source identity information in
|
294
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
295
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
296
|
+
# to Amazon Web Services resources based on the value of source
|
297
|
+
# identity. For more information about using source identity, see
|
298
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
299
|
+
# *IAM User Guide*.
|
300
|
+
#
|
301
|
+
# The regex used to validate this parameter is a string of characters
|
302
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
303
|
+
# spaces. You can also include underscores or any of the following
|
304
|
+
# characters: =,.@-. You cannot use a value that begins with the text
|
305
|
+
# `aws:`. This prefix is reserved for Amazon Web Services internal
|
306
|
+
# use.
|
307
|
+
#
|
308
|
+
#
|
309
|
+
#
|
310
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
311
|
+
# @return [String]
|
312
|
+
#
|
274
313
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
|
275
314
|
#
|
276
315
|
class AssumeRoleRequest < Struct.new(
|
@@ -283,13 +322,15 @@ module Aws::STS
|
|
283
322
|
:transitive_tag_keys,
|
284
323
|
:external_id,
|
285
324
|
:serial_number,
|
286
|
-
:token_code
|
325
|
+
:token_code,
|
326
|
+
:source_identity)
|
287
327
|
SENSITIVE = []
|
288
328
|
include Aws::Structure
|
289
329
|
end
|
290
330
|
|
291
331
|
# Contains the response to a successful AssumeRole request, including
|
292
|
-
# temporary
|
332
|
+
# temporary Amazon Web Services credentials that can be used to make
|
333
|
+
# Amazon Web Services requests.
|
293
334
|
#
|
294
335
|
# @!attribute [rw] credentials
|
295
336
|
# The temporary security credentials, which include an access key ID,
|
@@ -318,12 +359,37 @@ module Aws::STS
|
|
318
359
|
# means the policies and tags exceeded the allowed space.
|
319
360
|
# @return [Integer]
|
320
361
|
#
|
362
|
+
# @!attribute [rw] source_identity
|
363
|
+
# The source identity specified by the principal that is calling the
|
364
|
+
# `AssumeRole` operation.
|
365
|
+
#
|
366
|
+
# You can require users to specify a source identity when they assume
|
367
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
368
|
+
# in a role trust policy. You can use source identity information in
|
369
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
370
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
371
|
+
# to Amazon Web Services resources based on the value of source
|
372
|
+
# identity. For more information about using source identity, see
|
373
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
374
|
+
# *IAM User Guide*.
|
375
|
+
#
|
376
|
+
# The regex used to validate this parameter is a string of characters
|
377
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
378
|
+
# spaces. You can also include underscores or any of the following
|
379
|
+
# characters: =,.@-
|
380
|
+
#
|
381
|
+
#
|
382
|
+
#
|
383
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
384
|
+
# @return [String]
|
385
|
+
#
|
321
386
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
|
322
387
|
#
|
323
388
|
class AssumeRoleResponse < Struct.new(
|
324
389
|
:credentials,
|
325
390
|
:assumed_role_user,
|
326
|
-
:packed_policy_size
|
391
|
+
:packed_policy_size,
|
392
|
+
:source_identity)
|
327
393
|
SENSITIVE = []
|
328
394
|
include Aws::Structure
|
329
395
|
end
|
@@ -355,8 +421,7 @@ module Aws::STS
|
|
355
421
|
# @return [String]
|
356
422
|
#
|
357
423
|
# @!attribute [rw] saml_assertion
|
358
|
-
# The
|
359
|
-
# IdP.
|
424
|
+
# The base64 encoded SAML authentication response provided by the IdP.
|
360
425
|
#
|
361
426
|
# For more information, see [Configuring a Relying Party and Adding
|
362
427
|
# Claims][1] in the *IAM User Guide*.
|
@@ -372,17 +437,18 @@ module Aws::STS
|
|
372
437
|
# in the same account as the role.
|
373
438
|
#
|
374
439
|
# This parameter is optional. You can provide up to 10 managed policy
|
375
|
-
# ARNs. However, the
|
440
|
+
# ARNs. However, the plaintext that you use for both inline and
|
376
441
|
# managed session policies can't exceed 2,048 characters. For more
|
377
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
378
|
-
# Service Namespaces][1] in the
|
442
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
443
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
444
|
+
# General Reference.
|
379
445
|
#
|
380
|
-
# <note markdown="1"> An
|
381
|
-
# tags into a packed binary format that has a
|
382
|
-
# request can fail for this limit even if your
|
383
|
-
# other requirements. The `PackedPolicySize`
|
384
|
-
# indicates by percentage how close the policies and
|
385
|
-
# request are to the upper size limit.
|
446
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
447
|
+
# policies and session tags into a packed binary format that has a
|
448
|
+
# separate limit. Your request can fail for this limit even if your
|
449
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
450
|
+
# response element indicates by percentage how close the policies and
|
451
|
+
# tags for your request are to the upper size limit.
|
386
452
|
#
|
387
453
|
# </note>
|
388
454
|
#
|
@@ -390,10 +456,10 @@ module Aws::STS
|
|
390
456
|
# credentials. The resulting session's permissions are the
|
391
457
|
# intersection of the role's identity-based policy and the session
|
392
458
|
# policies. You can use the role's temporary credentials in
|
393
|
-
# subsequent
|
394
|
-
# owns the role. You cannot use session policies to grant
|
395
|
-
# permissions than those allowed by the identity-based policy of
|
396
|
-
# role that is being assumed. For more information, see [Session
|
459
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
460
|
+
# account that owns the role. You cannot use session policies to grant
|
461
|
+
# more permissions than those allowed by the identity-based policy of
|
462
|
+
# the role that is being assumed. For more information, see [Session
|
397
463
|
# Policies][2] in the *IAM User Guide*.
|
398
464
|
#
|
399
465
|
#
|
@@ -410,25 +476,25 @@ module Aws::STS
|
|
410
476
|
# returns new temporary credentials. The resulting session's
|
411
477
|
# permissions are the intersection of the role's identity-based
|
412
478
|
# policy and the session policies. You can use the role's temporary
|
413
|
-
# credentials in subsequent
|
414
|
-
# account that owns the role. You cannot use session
|
415
|
-
# more permissions than those allowed by the
|
416
|
-
# the role that is being assumed. For more
|
417
|
-
# Policies][1] in the *IAM User Guide*.
|
479
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
480
|
+
# resources in the account that owns the role. You cannot use session
|
481
|
+
# policies to grant more permissions than those allowed by the
|
482
|
+
# identity-based policy of the role that is being assumed. For more
|
483
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
418
484
|
#
|
419
|
-
# The
|
485
|
+
# The plaintext that you use for both inline and managed session
|
420
486
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
421
487
|
# can be any ASCII character from the space character to the end of
|
422
488
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
423
489
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
424
490
|
# (\\u000D) characters.
|
425
491
|
#
|
426
|
-
# <note markdown="1"> An
|
427
|
-
# tags into a packed binary format that has a
|
428
|
-
# request can fail for this limit even if your
|
429
|
-
# other requirements. The `PackedPolicySize`
|
430
|
-
# indicates by percentage how close the policies and
|
431
|
-
# request are to the upper size limit.
|
492
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
493
|
+
# policies and session tags into a packed binary format that has a
|
494
|
+
# separate limit. Your request can fail for this limit even if your
|
495
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
496
|
+
# response element indicates by percentage how close the policies and
|
497
|
+
# tags for your request are to the upper size limit.
|
432
498
|
#
|
433
499
|
# </note>
|
434
500
|
#
|
@@ -459,8 +525,8 @@ module Aws::STS
|
|
459
525
|
# credentials. The request to the federation endpoint for a console
|
460
526
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
461
527
|
# maximum length of the console session. For more information, see
|
462
|
-
# [Creating a URL that Enables Federated Users to Access the
|
463
|
-
# Management Console][2] in the *IAM User Guide*.
|
528
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
529
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
464
530
|
#
|
465
531
|
# </note>
|
466
532
|
#
|
@@ -479,13 +545,13 @@ module Aws::STS
|
|
479
545
|
:policy_arns,
|
480
546
|
:policy,
|
481
547
|
:duration_seconds)
|
482
|
-
SENSITIVE = [
|
548
|
+
SENSITIVE = []
|
483
549
|
include Aws::Structure
|
484
550
|
end
|
485
551
|
|
486
552
|
# Contains the response to a successful AssumeRoleWithSAML request,
|
487
|
-
# including temporary
|
488
|
-
# requests.
|
553
|
+
# including temporary Amazon Web Services credentials that can be used
|
554
|
+
# to make Amazon Web Services requests.
|
489
555
|
#
|
490
556
|
# @!attribute [rw] credentials
|
491
557
|
# The temporary security credentials, which include an access key ID,
|
@@ -537,11 +603,17 @@ module Aws::STS
|
|
537
603
|
# @return [String]
|
538
604
|
#
|
539
605
|
# @!attribute [rw] name_qualifier
|
540
|
-
# A hash value based on the concatenation of the
|
541
|
-
#
|
542
|
-
#
|
543
|
-
#
|
544
|
-
#
|
606
|
+
# A hash value based on the concatenation of the following:
|
607
|
+
#
|
608
|
+
# * The `Issuer` response value.
|
609
|
+
#
|
610
|
+
# * The Amazon Web Services account ID.
|
611
|
+
#
|
612
|
+
# * The friendly name (the last part of the ARN) of the SAML provider
|
613
|
+
# in IAM.
|
614
|
+
#
|
615
|
+
# The combination of `NameQualifier` and `Subject` can be used to
|
616
|
+
# uniquely identify a federated user.
|
545
617
|
#
|
546
618
|
# The following pseudocode shows how the hash value is calculated:
|
547
619
|
#
|
@@ -549,6 +621,34 @@ module Aws::STS
|
|
549
621
|
# "/MySAMLIdP" ) )`
|
550
622
|
# @return [String]
|
551
623
|
#
|
624
|
+
# @!attribute [rw] source_identity
|
625
|
+
# The value in the `SourceIdentity` attribute in the SAML assertion.
|
626
|
+
#
|
627
|
+
# You can require users to set a source identity value when they
|
628
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
629
|
+
# condition key in a role trust policy. That way, actions that are
|
630
|
+
# taken with the role are associated with that user. After the source
|
631
|
+
# identity is set, the value cannot be changed. It is present in the
|
632
|
+
# request for all actions that are taken by the role and persists
|
633
|
+
# across [chained role][1] sessions. You can configure your SAML
|
634
|
+
# identity provider to use an attribute associated with your users,
|
635
|
+
# like user name or email, as the source identity when calling
|
636
|
+
# `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
|
637
|
+
# assertion. For more information about using source identity, see
|
638
|
+
# [Monitor and control actions taken with assumed roles][2] in the
|
639
|
+
# *IAM User Guide*.
|
640
|
+
#
|
641
|
+
# The regex used to validate this parameter is a string of characters
|
642
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
643
|
+
# spaces. You can also include underscores or any of the following
|
644
|
+
# characters: =,.@-
|
645
|
+
#
|
646
|
+
#
|
647
|
+
#
|
648
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
649
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
650
|
+
# @return [String]
|
651
|
+
#
|
552
652
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
|
553
653
|
#
|
554
654
|
class AssumeRoleWithSAMLResponse < Struct.new(
|
@@ -559,7 +659,8 @@ module Aws::STS
|
|
559
659
|
:subject_type,
|
560
660
|
:issuer,
|
561
661
|
:audience,
|
562
|
-
:name_qualifier
|
662
|
+
:name_qualifier,
|
663
|
+
:source_identity)
|
563
664
|
SENSITIVE = []
|
564
665
|
include Aws::Structure
|
565
666
|
end
|
@@ -609,13 +710,13 @@ module Aws::STS
|
|
609
710
|
# @return [String]
|
610
711
|
#
|
611
712
|
# @!attribute [rw] provider_id
|
612
|
-
# The fully qualified host component of the domain name of the
|
613
|
-
# identity provider.
|
713
|
+
# The fully qualified host component of the domain name of the OAuth
|
714
|
+
# 2.0 identity provider. Do not specify this value for an OpenID
|
715
|
+
# Connect identity provider.
|
614
716
|
#
|
615
|
-
#
|
616
|
-
#
|
617
|
-
#
|
618
|
-
# schemes and port numbers.
|
717
|
+
# Currently `www.amazon.com` and `graph.facebook.com` are the only
|
718
|
+
# supported identity providers for OAuth 2.0 access tokens. Do not
|
719
|
+
# include URL schemes and port numbers.
|
619
720
|
#
|
620
721
|
# Do not specify this value for OpenID Connect ID tokens.
|
621
722
|
# @return [String]
|
@@ -626,17 +727,18 @@ module Aws::STS
|
|
626
727
|
# in the same account as the role.
|
627
728
|
#
|
628
729
|
# This parameter is optional. You can provide up to 10 managed policy
|
629
|
-
# ARNs. However, the
|
730
|
+
# ARNs. However, the plaintext that you use for both inline and
|
630
731
|
# managed session policies can't exceed 2,048 characters. For more
|
631
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
632
|
-
# Service Namespaces][1] in the
|
732
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
733
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
734
|
+
# General Reference.
|
633
735
|
#
|
634
|
-
# <note markdown="1"> An
|
635
|
-
# tags into a packed binary format that has a
|
636
|
-
# request can fail for this limit even if your
|
637
|
-
# other requirements. The `PackedPolicySize`
|
638
|
-
# indicates by percentage how close the policies and
|
639
|
-
# request are to the upper size limit.
|
736
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
737
|
+
# policies and session tags into a packed binary format that has a
|
738
|
+
# separate limit. Your request can fail for this limit even if your
|
739
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
740
|
+
# response element indicates by percentage how close the policies and
|
741
|
+
# tags for your request are to the upper size limit.
|
640
742
|
#
|
641
743
|
# </note>
|
642
744
|
#
|
@@ -644,10 +746,10 @@ module Aws::STS
|
|
644
746
|
# credentials. The resulting session's permissions are the
|
645
747
|
# intersection of the role's identity-based policy and the session
|
646
748
|
# policies. You can use the role's temporary credentials in
|
647
|
-
# subsequent
|
648
|
-
# owns the role. You cannot use session policies to grant
|
649
|
-
# permissions than those allowed by the identity-based policy of
|
650
|
-
# role that is being assumed. For more information, see [Session
|
749
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
750
|
+
# account that owns the role. You cannot use session policies to grant
|
751
|
+
# more permissions than those allowed by the identity-based policy of
|
752
|
+
# the role that is being assumed. For more information, see [Session
|
651
753
|
# Policies][2] in the *IAM User Guide*.
|
652
754
|
#
|
653
755
|
#
|
@@ -664,25 +766,25 @@ module Aws::STS
|
|
664
766
|
# returns new temporary credentials. The resulting session's
|
665
767
|
# permissions are the intersection of the role's identity-based
|
666
768
|
# policy and the session policies. You can use the role's temporary
|
667
|
-
# credentials in subsequent
|
668
|
-
# account that owns the role. You cannot use session
|
669
|
-
# more permissions than those allowed by the
|
670
|
-
# the role that is being assumed. For more
|
671
|
-
# Policies][1] in the *IAM User Guide*.
|
769
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
770
|
+
# resources in the account that owns the role. You cannot use session
|
771
|
+
# policies to grant more permissions than those allowed by the
|
772
|
+
# identity-based policy of the role that is being assumed. For more
|
773
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
672
774
|
#
|
673
|
-
# The
|
775
|
+
# The plaintext that you use for both inline and managed session
|
674
776
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
675
777
|
# can be any ASCII character from the space character to the end of
|
676
778
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
677
779
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
678
780
|
# (\\u000D) characters.
|
679
781
|
#
|
680
|
-
# <note markdown="1"> An
|
681
|
-
# tags into a packed binary format that has a
|
682
|
-
# request can fail for this limit even if your
|
683
|
-
# other requirements. The `PackedPolicySize`
|
684
|
-
# indicates by percentage how close the policies and
|
685
|
-
# request are to the upper size limit.
|
782
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
783
|
+
# policies and session tags into a packed binary format that has a
|
784
|
+
# separate limit. Your request can fail for this limit even if your
|
785
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
786
|
+
# response element indicates by percentage how close the policies and
|
787
|
+
# tags for your request are to the upper size limit.
|
686
788
|
#
|
687
789
|
# </note>
|
688
790
|
#
|
@@ -709,8 +811,8 @@ module Aws::STS
|
|
709
811
|
# credentials. The request to the federation endpoint for a console
|
710
812
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
711
813
|
# maximum length of the console session. For more information, see
|
712
|
-
# [Creating a URL that Enables Federated Users to Access the
|
713
|
-
# Management Console][2] in the *IAM User Guide*.
|
814
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
815
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
714
816
|
#
|
715
817
|
# </note>
|
716
818
|
#
|
@@ -730,13 +832,13 @@ module Aws::STS
|
|
730
832
|
:policy_arns,
|
731
833
|
:policy,
|
732
834
|
:duration_seconds)
|
733
|
-
SENSITIVE = [
|
835
|
+
SENSITIVE = []
|
734
836
|
include Aws::Structure
|
735
837
|
end
|
736
838
|
|
737
839
|
# Contains the response to a successful AssumeRoleWithWebIdentity
|
738
|
-
# request, including temporary
|
739
|
-
#
|
840
|
+
# request, including temporary Amazon Web Services credentials that can
|
841
|
+
# be used to make Amazon Web Services requests.
|
740
842
|
#
|
741
843
|
# @!attribute [rw] credentials
|
742
844
|
# The temporary security credentials, which include an access key ID,
|
@@ -789,6 +891,38 @@ module Aws::STS
|
|
789
891
|
# application that requested the web identity token.
|
790
892
|
# @return [String]
|
791
893
|
#
|
894
|
+
# @!attribute [rw] source_identity
|
895
|
+
# The value of the source identity that is returned in the JSON web
|
896
|
+
# token (JWT) from the identity provider.
|
897
|
+
#
|
898
|
+
# You can require users to set a source identity value when they
|
899
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
900
|
+
# condition key in a role trust policy. That way, actions that are
|
901
|
+
# taken with the role are associated with that user. After the source
|
902
|
+
# identity is set, the value cannot be changed. It is present in the
|
903
|
+
# request for all actions that are taken by the role and persists
|
904
|
+
# across [chained role][1] sessions. You can configure your identity
|
905
|
+
# provider to use an attribute associated with your users, like user
|
906
|
+
# name or email, as the source identity when calling
|
907
|
+
# `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
|
908
|
+
# JSON web token. To learn more about OIDC tokens and claims, see
|
909
|
+
# [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
|
910
|
+
# Guide*. For more information about using source identity, see
|
911
|
+
# [Monitor and control actions taken with assumed roles][3] in the
|
912
|
+
# *IAM User Guide*.
|
913
|
+
#
|
914
|
+
# The regex used to validate this parameter is a string of characters
|
915
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
916
|
+
# spaces. You can also include underscores or any of the following
|
917
|
+
# characters: =,.@-
|
918
|
+
#
|
919
|
+
#
|
920
|
+
#
|
921
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
922
|
+
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
|
923
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
924
|
+
# @return [String]
|
925
|
+
#
|
792
926
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
|
793
927
|
#
|
794
928
|
class AssumeRoleWithWebIdentityResponse < Struct.new(
|
@@ -797,7 +931,8 @@ module Aws::STS
|
|
797
931
|
:assumed_role_user,
|
798
932
|
:packed_policy_size,
|
799
933
|
:provider,
|
800
|
-
:audience
|
934
|
+
:audience,
|
935
|
+
:source_identity)
|
801
936
|
SENSITIVE = []
|
802
937
|
include Aws::Structure
|
803
938
|
end
|
@@ -808,7 +943,7 @@ module Aws::STS
|
|
808
943
|
# @!attribute [rw] assumed_role_id
|
809
944
|
# A unique identifier that contains the role ID and the role session
|
810
945
|
# name of the role that is being assumed. The role ID is generated by
|
811
|
-
#
|
946
|
+
# Amazon Web Services when the role is created.
|
812
947
|
# @return [String]
|
813
948
|
#
|
814
949
|
# @!attribute [rw] arn
|
@@ -831,7 +966,7 @@ module Aws::STS
|
|
831
966
|
include Aws::Structure
|
832
967
|
end
|
833
968
|
|
834
|
-
#
|
969
|
+
# Amazon Web Services credentials for API authentication.
|
835
970
|
#
|
836
971
|
# @!attribute [rw] access_key_id
|
837
972
|
# The access key ID that identifies the temporary security
|
@@ -883,10 +1018,10 @@ module Aws::STS
|
|
883
1018
|
|
884
1019
|
# A document that contains additional information about the
|
885
1020
|
# authorization status of a request from an encoded message that is
|
886
|
-
# returned in response to an
|
1021
|
+
# returned in response to an Amazon Web Services request.
|
887
1022
|
#
|
888
1023
|
# @!attribute [rw] decoded_message
|
889
|
-
#
|
1024
|
+
# The API returns a response with the decoded message.
|
890
1025
|
# @return [String]
|
891
1026
|
#
|
892
1027
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse AWS API Documentation
|
@@ -963,7 +1098,7 @@ module Aws::STS
|
|
963
1098
|
end
|
964
1099
|
|
965
1100
|
# @!attribute [rw] account
|
966
|
-
# The number used to identify the
|
1101
|
+
# The number used to identify the Amazon Web Services account.
|
967
1102
|
# @return [String]
|
968
1103
|
#
|
969
1104
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
|
@@ -996,12 +1131,12 @@ module Aws::STS
|
|
996
1131
|
# @return [String]
|
997
1132
|
#
|
998
1133
|
# @!attribute [rw] account
|
999
|
-
# The
|
1000
|
-
# calling entity.
|
1134
|
+
# The Amazon Web Services account ID number of the account that owns
|
1135
|
+
# or contains the calling entity.
|
1001
1136
|
# @return [String]
|
1002
1137
|
#
|
1003
1138
|
# @!attribute [rw] arn
|
1004
|
-
# The
|
1139
|
+
# The Amazon Web Services ARN associated with the calling entity.
|
1005
1140
|
# @return [String]
|
1006
1141
|
#
|
1007
1142
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse AWS API Documentation
|
@@ -1074,19 +1209,19 @@ module Aws::STS
|
|
1074
1209
|
# are granted in addition to the permissions that are granted by the
|
1075
1210
|
# session policies.
|
1076
1211
|
#
|
1077
|
-
# The
|
1212
|
+
# The plaintext that you use for both inline and managed session
|
1078
1213
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1079
1214
|
# can be any ASCII character from the space character to the end of
|
1080
1215
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
1081
1216
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
1082
1217
|
# (\\u000D) characters.
|
1083
1218
|
#
|
1084
|
-
# <note markdown="1"> An
|
1085
|
-
# tags into a packed binary format that has a
|
1086
|
-
# request can fail for this limit even if your
|
1087
|
-
# other requirements. The `PackedPolicySize`
|
1088
|
-
# indicates by percentage how close the policies and
|
1089
|
-
# request are to the upper size limit.
|
1219
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1220
|
+
# policies and session tags into a packed binary format that has a
|
1221
|
+
# separate limit. Your request can fail for this limit even if your
|
1222
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1223
|
+
# response element indicates by percentage how close the policies and
|
1224
|
+
# tags for your request are to the upper size limit.
|
1090
1225
|
#
|
1091
1226
|
# </note>
|
1092
1227
|
#
|
@@ -1104,11 +1239,12 @@ module Aws::STS
|
|
1104
1239
|
# You must pass an inline or managed [session policy][1] to this
|
1105
1240
|
# operation. You can pass a single JSON policy document to use as an
|
1106
1241
|
# inline session policy. You can also specify up to 10 managed
|
1107
|
-
# policies to use as managed session policies. The
|
1242
|
+
# policies to use as managed session policies. The plaintext that you
|
1108
1243
|
# use for both inline and managed session policies can't exceed 2,048
|
1109
1244
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1110
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
1111
|
-
# Service Namespaces][2] in the
|
1245
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
1246
|
+
# Web Services Service Namespaces][2] in the Amazon Web Services
|
1247
|
+
# General Reference.
|
1112
1248
|
#
|
1113
1249
|
# This parameter is optional. However, if you do not pass any session
|
1114
1250
|
# policies, then the resulting federated user session has no
|
@@ -1129,12 +1265,12 @@ module Aws::STS
|
|
1129
1265
|
# are granted in addition to the permissions that are granted by the
|
1130
1266
|
# session policies.
|
1131
1267
|
#
|
1132
|
-
# <note markdown="1"> An
|
1133
|
-
# tags into a packed binary format that has a
|
1134
|
-
# request can fail for this limit even if your
|
1135
|
-
# other requirements. The `PackedPolicySize`
|
1136
|
-
# indicates by percentage how close the policies and
|
1137
|
-
# request are to the upper size limit.
|
1268
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1269
|
+
# policies and session tags into a packed binary format that has a
|
1270
|
+
# separate limit. Your request can fail for this limit even if your
|
1271
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1272
|
+
# response element indicates by percentage how close the policies and
|
1273
|
+
# tags for your request are to the upper size limit.
|
1138
1274
|
#
|
1139
1275
|
# </note>
|
1140
1276
|
#
|
@@ -1148,10 +1284,11 @@ module Aws::STS
|
|
1148
1284
|
# The duration, in seconds, that the session should last. Acceptable
|
1149
1285
|
# durations for federation sessions range from 900 seconds (15
|
1150
1286
|
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1151
|
-
# hours) as the default. Sessions obtained using
|
1152
|
-
# credentials are restricted to a maximum of 3,600
|
1153
|
-
# If the specified duration is longer than one
|
1154
|
-
# obtained by using root user credentials defaults
|
1287
|
+
# hours) as the default. Sessions obtained using Amazon Web Services
|
1288
|
+
# account root user credentials are restricted to a maximum of 3,600
|
1289
|
+
# seconds (one hour). If the specified duration is longer than one
|
1290
|
+
# hour, the session obtained by using root user credentials defaults
|
1291
|
+
# to one hour.
|
1155
1292
|
# @return [Integer]
|
1156
1293
|
#
|
1157
1294
|
# @!attribute [rw] tags
|
@@ -1160,16 +1297,16 @@ module Aws::STS
|
|
1160
1297
|
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1161
1298
|
#
|
1162
1299
|
# This parameter is optional. You can pass up to 50 session tags. The
|
1163
|
-
#
|
1300
|
+
# plaintext session tag keys can’t exceed 128 characters and the
|
1164
1301
|
# values can’t exceed 256 characters. For these and additional limits,
|
1165
1302
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
1166
1303
|
#
|
1167
|
-
# <note markdown="1"> An
|
1168
|
-
# tags into a packed binary format that has a
|
1169
|
-
# request can fail for this limit even if your
|
1170
|
-
# other requirements. The `PackedPolicySize`
|
1171
|
-
# indicates by percentage how close the policies and
|
1172
|
-
# request are to the upper size limit.
|
1304
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1305
|
+
# policies and session tags into a packed binary format that has a
|
1306
|
+
# separate limit. Your request can fail for this limit even if your
|
1307
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1308
|
+
# response element indicates by percentage how close the policies and
|
1309
|
+
# tags for your request are to the upper size limit.
|
1173
1310
|
#
|
1174
1311
|
# </note>
|
1175
1312
|
#
|
@@ -1204,8 +1341,8 @@ module Aws::STS
|
|
1204
1341
|
end
|
1205
1342
|
|
1206
1343
|
# Contains the response to a successful GetFederationToken request,
|
1207
|
-
# including temporary
|
1208
|
-
# requests.
|
1344
|
+
# including temporary Amazon Web Services credentials that can be used
|
1345
|
+
# to make Amazon Web Services requests.
|
1209
1346
|
#
|
1210
1347
|
# @!attribute [rw] credentials
|
1211
1348
|
# The temporary security credentials, which include an access key ID,
|
@@ -1255,10 +1392,10 @@ module Aws::STS
|
|
1255
1392
|
# The duration, in seconds, that the credentials should remain valid.
|
1256
1393
|
# Acceptable durations for IAM user sessions range from 900 seconds
|
1257
1394
|
# (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1258
|
-
# hours) as the default. Sessions for
|
1259
|
-
# restricted to a maximum of 3,600 seconds (one hour). If
|
1260
|
-
# is longer than one hour, the session for
|
1261
|
-
# to one hour.
|
1395
|
+
# hours) as the default. Sessions for Amazon Web Services account
|
1396
|
+
# owners are restricted to a maximum of 3,600 seconds (one hour). If
|
1397
|
+
# the duration is longer than one hour, the session for Amazon Web
|
1398
|
+
# Services account owners defaults to one hour.
|
1262
1399
|
# @return [Integer]
|
1263
1400
|
#
|
1264
1401
|
# @!attribute [rw] serial_number
|
@@ -1268,8 +1405,8 @@ module Aws::STS
|
|
1268
1405
|
# The value is either the serial number for a hardware device (such as
|
1269
1406
|
# `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
|
1270
1407
|
# device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
|
1271
|
-
# the device for an IAM user by going to the
|
1272
|
-
# and viewing the user's security credentials.
|
1408
|
+
# the device for an IAM user by going to the Amazon Web Services
|
1409
|
+
# Management Console and viewing the user's security credentials.
|
1273
1410
|
#
|
1274
1411
|
# The regex used to validate this parameter is a string of characters
|
1275
1412
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -1300,8 +1437,8 @@ module Aws::STS
|
|
1300
1437
|
end
|
1301
1438
|
|
1302
1439
|
# Contains the response to a successful GetSessionToken request,
|
1303
|
-
# including temporary
|
1304
|
-
# requests.
|
1440
|
+
# including temporary Amazon Web Services credentials that can be used
|
1441
|
+
# to make Amazon Web Services requests.
|
1305
1442
|
#
|
1306
1443
|
# @!attribute [rw] credentials
|
1307
1444
|
# The temporary security credentials, which include an access key ID,
|
@@ -1373,9 +1510,9 @@ module Aws::STS
|
|
1373
1510
|
include Aws::Structure
|
1374
1511
|
end
|
1375
1512
|
|
1376
|
-
# The web identity token that was passed could not be validated by
|
1377
|
-
# Get a new identity token from the identity
|
1378
|
-
# request.
|
1513
|
+
# The web identity token that was passed could not be validated by
|
1514
|
+
# Amazon Web Services. Get a new identity token from the identity
|
1515
|
+
# provider and then retry the request.
|
1379
1516
|
#
|
1380
1517
|
# @!attribute [rw] message
|
1381
1518
|
# @return [String]
|
@@ -1403,12 +1540,13 @@ module Aws::STS
|
|
1403
1540
|
end
|
1404
1541
|
|
1405
1542
|
# The request was rejected because the total packed size of the session
|
1406
|
-
# policies and session tags combined was too large. An
|
1407
|
-
# compresses the session policy document, session
|
1408
|
-
# session tags into a packed binary format that has a
|
1409
|
-
# The error message indicates by percentage how close
|
1410
|
-
# tags are to the upper size limit. For more
|
1411
|
-
# Session Tags in STS][1] in the *IAM User
|
1543
|
+
# policies and session tags combined was too large. An Amazon Web
|
1544
|
+
# Services conversion compresses the session policy document, session
|
1545
|
+
# policy ARNs, and session tags into a packed binary format that has a
|
1546
|
+
# separate limit. The error message indicates by percentage how close
|
1547
|
+
# the policies and tags are to the upper size limit. For more
|
1548
|
+
# information, see [Passing Session Tags in STS][1] in the *IAM User
|
1549
|
+
# Guide*.
|
1412
1550
|
#
|
1413
1551
|
# You could receive this error even though you meet other defined
|
1414
1552
|
# session policy and session tag limits. For more information, see [IAM
|
@@ -1417,7 +1555,7 @@ module Aws::STS
|
|
1417
1555
|
#
|
1418
1556
|
#
|
1419
1557
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1420
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1558
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
|
1421
1559
|
#
|
1422
1560
|
# @!attribute [rw] message
|
1423
1561
|
# @return [String]
|
@@ -1443,8 +1581,8 @@ module Aws::STS
|
|
1443
1581
|
# @!attribute [rw] arn
|
1444
1582
|
# The Amazon Resource Name (ARN) of the IAM managed policy to use as a
|
1445
1583
|
# session policy for the role. For more information about ARNs, see
|
1446
|
-
# [Amazon Resource Names (ARNs) and
|
1447
|
-
# *
|
1584
|
+
# [Amazon Resource Names (ARNs) and Amazon Web Services Service
|
1585
|
+
# Namespaces][1] in the *Amazon Web Services General Reference*.
|
1448
1586
|
#
|
1449
1587
|
#
|
1450
1588
|
#
|
@@ -1462,8 +1600,8 @@ module Aws::STS
|
|
1462
1600
|
# STS is not activated in the requested region for the account that is
|
1463
1601
|
# being asked to generate credentials. The account administrator must
|
1464
1602
|
# use the IAM console to activate STS in that region. For more
|
1465
|
-
# information, see [Activating and Deactivating
|
1466
|
-
# Region][1] in the *IAM User Guide*.
|
1603
|
+
# information, see [Activating and Deactivating Amazon Web Services STS
|
1604
|
+
# in an Amazon Web Services Region][1] in the *IAM User Guide*.
|
1467
1605
|
#
|
1468
1606
|
#
|
1469
1607
|
#
|
@@ -1483,7 +1621,8 @@ module Aws::STS
|
|
1483
1621
|
# You can pass custom key-value pair attributes when you assume a role
|
1484
1622
|
# or federate a user. These are called session tags. You can then use
|
1485
1623
|
# the session tags to control access to resources. For more information,
|
1486
|
-
# see [Tagging
|
1624
|
+
# see [Tagging Amazon Web Services STS Sessions][1] in the *IAM User
|
1625
|
+
# Guide*.
|
1487
1626
|
#
|
1488
1627
|
#
|
1489
1628
|
#
|