aws-sdk-core 3.113.0 → 3.114.3

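--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: ddf234ecd190b1e81f3a2c337b375a7abf5cf0c999b5ec7c168cfb24e4cac3f5
- data.tar.gz: 62420db8af65a10505e7f7e10d71b48ae697ea11121bd21866b42c3fa363c9b2
+ metadata.gz: a2a923ececa57310eb125e17602c198dd858b3960e1a337d330eb1227aff96d0
+ data.tar.gz: f3d256f8d55d40e00e1647946eae2df2d6380de20f874e219015ae47de6af456
  SHA512:
- metadata.gz: e0b0dcc6cf916bfadf75409b23bb6eb8132dc6b97f700549397ed06be47b3d108d4ee2fbd4082c120f29c1da996586368e25f0bd7e5ab7c04eaf7cbaa6210168
- data.tar.gz: 0ad3980ab3a63a15bfae33c0e5fabaecafc1ab709f1f7a275545422a232257de49f34c0b2dd539269a057e04f34157d545d8e31d9b4842a7d59277be56319b73
+ metadata.gz: 8d1be434b0538cc3608d27bda7e1be4a5f4ae43dc12dc81c66edf577cd5221351b8053996008a413bef6f81cf1a6cf7f68f11292c2c5308addd6fb2c993b2d3a
+ data.tar.gz: 6acdb965572b57ca443761b9d23c34f662d7ad391345c65a534d3409f5caaa427b3dc929774e8c0393eb21ee0829d92b8d7adf039b8e928a069441e2ee7f1c3c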
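--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,31 @@
  Unreleased Changes
  ------------------
 
+ 3.114.3 (2021-06-15)
+ ------------------
+
+ * Issue - Fixed an issue with `Aws::PageableResponse` where it was modifying original params hash, causing frozen hashes to fail.
+
+ 3.114.2 (2021-06-09)
+ ------------------
+
+ * Issue - Fixed an issue with `Aws::PageableResponse` where intentionally nil tokens were not merged into the params for the next call.
+
+ 3.114.1 (2021-06-02)
+ ------------------
+
+ * Issue - Change XML Builder to not indent by default
+
+ 3.114.0 (2021-04-13)
+ ------------------
+
+ * Feature - Updated Aws::STS::Client with the latest API changes.
+
+ 3.113.1 (2021-03-29)
+ ------------------
+
+ * Issue - Ensure end of line characters are correctly encoded in XML.
+
  3.113.0 (2021-03-10)
  ------------------
 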
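--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.113.0
+ 3.114.3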
@@ -115,7 +115,13 @@ module Aws
115
115
  # @return [Hash] Returns the hash of request parameters for the
116
116
  # next page, merging any given params.
117
117
  def next_page_params(params)
118
- context[:original_params].merge(@pager.next_tokens(self).merge(params))
118
+ # Remove all previous tokens from original params
119
+ # Sometimes a token can be nil and merge would not include it.
120
+ tokens = @pager.tokens.values.map(&:to_sym)
121
+
122
+ params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
123
+ params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
124
+ params_without_tokens
119
125
  end
120
126
 
121
127
  # Raised when calling {PageableResponse#next_page} on a pager that
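Review bot: `@pager.tokens.values` in the new `next_page_params` body assumes the pager always holds a tokens hash, yet the reader added in the pager hunk is documented as `# @return [Hash, nil]`; if nil is really possible, this line raises NoMethodError before any params are built. Either guard it with `tokens = (@pager.tokens || {}).values.map(&:to_sym)` or tighten the YARD tag to `[Hash]`. The `reject` also compares against symbols only, so string-keyed original params would keep a stale token; it is worth confirming that params are always symbolized by this point. The two-line comment would be clearer as one statement of intent, for example `# Drop the previous page's tokens so a token that is now nil is not carried over from the original params.`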
@@ -18,6 +18,9 @@ module Aws
18
18
  # @return [Symbol, nil]
19
19
  attr_reader :limit_key
20
20
 
21
+ # @return [Hash, nil]
22
+ attr_reader :tokens
23
+
21
24
  # @param [Seahorse::Client::Response] response
22
25
  # @return [Hash]
23
26
  def next_tokens(response)
@@ -8,8 +8,7 @@ module Aws
8
8
  # AWS CLI with the correct profile.
9
9
  #
10
10
  # For more background on AWS SSO see the official
11
- # {what is SSO}[https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html]
12
- # page.
11
+ # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
13
12
  #
14
13
  # ## Refreshing Credentials from SSO
15
14
  #
@@ -29,7 +29,7 @@ module Aws
29
29
  private
30
30
 
31
31
  def content_type(api)
32
- "application/x-amz-json-#{api.metadata['jsonVerison']}"
32
+ "application/x-amz-json-#{api.metadata['jsonVersion']}"
33
33
  end
34
34
 
35
35
  def build_body(operation, data)
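Review bot: The string interpolation in `content_type` is what let the misspelled key go unnoticed: a missing `'jsonVersion'` entry yields nil, which renders as an empty string and produces `application/x-amz-json-` with no version. If `api.metadata` is a plain Hash (not visible in this hunk), `api.metadata.fetch('jsonVersion')` would turn a missing or mistyped key into an immediate KeyError instead of a malformed header. A spec that asserts the exact Content-Type value for one JSON-protocol API would keep the typo from coming back.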
@@ -11,7 +11,7 @@ module Aws
11
11
  def initialize(rules, options = {})
12
12
  @rules = rules
13
13
  @xml = options[:target] || []
14
- indent = options[:indent] || ' '
14
+ indent = options[:indent] || ''
15
15
  pad = options[:pad] || ''
16
16
  @builder = DocBuilder.new(target: @xml, indent: indent, pad: pad)
17
17
  end
@@ -67,7 +67,12 @@ module Aws
67
67
  end
68
68
 
69
69
  def escape(string, text_or_attr)
70
- string.to_s.encode(:xml => text_or_attr)
70
+ string.to_s
71
+ .encode(:xml => text_or_attr)
72
+ .gsub("\u{000D}", '
') # Carriage Return
73
+ .gsub("\u{000A}", '
') # Line Feed
74
+ .gsub("\u{0085}", '…') # Next Line
75
+ .gsub("\u{2028}", '
') # Line Separator
71
76
  end
72
77
 
73
78
  def attributes(attr)
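Review bot: The four `gsub` calls in `escape` are only correct because they run after `encode(:xml => ...)`; in the opposite order the `&` of each inserted reference would itself be escaped, and nothing in the method says so. A one-line comment above the chain, `# Must follow encode: the references added below contain '&' and must not be escaped again.`, would protect that ordering. For attribute values, a tab (U+0009) is subject to the same attribute-value normalization as CR and LF and is not covered here, so it is worth confirming whether any attribute can carry one. The replacement strings appear on this page as literal line breaks and an ellipsis, which looks like the renderer decoding them; they are presumably numeric character references such as `&#xD;`.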
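--- a/data/lib/aws-sdk-sso.rb
+++ b/data/lib/aws-sdk-sso.rb
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
  # @!group service
  module Aws::SSO
 
- GEM_VERSION = '3.113.0'
+ GEM_VERSION = '3.114.3'
 
  end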
@@ -523,7 +523,7 @@ module Aws::SSO
523
523
  params: params,
524
524
  config: config)
525
525
  context[:gem_name] = 'aws-sdk-core'
526
- context[:gem_version] = '3.113.0'
526
+ context[:gem_version] = '3.114.3'
527
527
  Seahorse::Client::Request.new(handlers, context)
528
528
  end
529
529
 
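--- a/data/lib/aws-sdk-sts.rb
+++ b/data/lib/aws-sdk-sts.rb
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
  # @!group service
  module Aws::STS
 
- GEM_VERSION = '3.113.0'
+ GEM_VERSION = '3.114.3'
 
  end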
@@ -343,35 +343,6 @@ module Aws::STS
343
343
  # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
344
344
  # STS API operations][2] in the *IAM User Guide*.
345
345
  #
346
- # You cannot use AWS account root user credentials to call `AssumeRole`.
347
- # You must use credentials for an IAM user or an IAM role to call
348
- # `AssumeRole`.
349
- #
350
- # For cross-account access, imagine that you own multiple accounts and
351
- # need to access resources in each account. You could create long-term
352
- # credentials in each account to access those resources. However,
353
- # managing all those credentials and remembering which one can access
354
- # which account can be time consuming. Instead, you can create one set
355
- # of long-term credentials in one account. Then use temporary security
356
- # credentials to access all the other accounts by assuming roles in
357
- # those accounts. For more information about roles, see [IAM Roles][3]
358
- # in the *IAM User Guide*.
359
- #
360
- # **Session Duration**
361
- #
362
- # By default, the temporary security credentials created by `AssumeRole`
363
- # last for one hour. However, you can use the optional `DurationSeconds`
364
- # parameter to specify the duration of your session. You can provide a
365
- # value from 900 seconds (15 minutes) up to the maximum session duration
366
- # setting for the role. This setting can have a value from 1 hour to 12
367
- # hours. To learn how to view the maximum value for your role, see [View
368
- # the Maximum Session Duration Setting for a Role][4] in the *IAM User
369
- # Guide*. The maximum session duration limit applies when you use the
370
- # `AssumeRole*` API operations or the `assume-role*` CLI commands.
371
- # However the limit does not apply when you use those operations to
372
- # create a console URL. For more information, see [Using IAM Roles][5]
373
- # in the *IAM User Guide*.
374
- #
375
346
  # **Permissions**
376
347
  #
377
348
  # The temporary security credentials created by `AssumeRole` can be used
@@ -379,10 +350,10 @@ module Aws::STS
379
350
  # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
380
351
  # operations.
381
352
  #
382
- # (Optional) You can pass inline or managed [session policies][6] to
353
+ # (Optional) You can pass inline or managed [session policies][3] to
383
354
  # this operation. You can pass a single JSON policy document to use as
384
355
  # an inline session policy. You can also specify up to 10 managed
385
- # policies to use as managed session policies. The plain text that you
356
+ # policies to use as managed session policies. The plaintext that you
386
357
  # use for both inline and managed session policies can't exceed 2,048
387
358
  # characters. Passing policies to this operation returns new temporary
388
359
  # credentials. The resulting session's permissions are the intersection
@@ -391,7 +362,7 @@ module Aws::STS
391
362
  # access resources in the account that owns the role. You cannot use
392
363
  # session policies to grant more permissions than those allowed by the
393
364
  # identity-based policy of the role that is being assumed. For more
394
- # information, see [Session Policies][6] in the *IAM User Guide*.
365
+ # information, see [Session Policies][3] in the *IAM User Guide*.
395
366
  #
396
367
  # To assume a role from a different account, your AWS account must be
397
368
  # trusted by the role. The trust relationship is defined in the role's
@@ -413,24 +384,24 @@ module Aws::STS
413
384
  # In this case, the trust policy acts as an IAM resource-based policy.
414
385
  # Users in the same account as the role do not need explicit permission
415
386
  # to assume the role. For more information about trust policies and
416
- # resource-based policies, see [IAM Policies][7] in the *IAM User
387
+ # resource-based policies, see [IAM Policies][4] in the *IAM User
417
388
  # Guide*.
418
389
  #
419
390
  # **Tags**
420
391
  #
421
392
  # (Optional) You can pass tag key-value pairs to your session. These
422
393
  # tags are called session tags. For more information about session tags,
423
- # see [Passing Session Tags in STS][8] in the *IAM User Guide*.
394
+ # see [Passing Session Tags in STS][5] in the *IAM User Guide*.
424
395
  #
425
396
  # An administrator must grant you the permissions necessary to pass
426
397
  # session tags. The administrator can also create granular permissions
427
398
  # to allow you to pass only specific session tags. For more information,
428
- # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
399
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][6] in
429
400
  # the *IAM User Guide*.
430
401
  #
431
402
  # You can set the session tags as transitive. Transitive tags persist
432
403
  # during role chaining. For more information, see [Chaining Roles with
433
- # Session Tags][10] in the *IAM User Guide*.
404
+ # Session Tags][7] in the *IAM User Guide*.
434
405
  #
435
406
  # **Using MFA with AssumeRole**
436
407
  #
@@ -446,8 +417,8 @@ module Aws::STS
446
417
  #
447
418
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
448
419
  #
449
- # For more information, see [Configuring MFA-Protected API Access][11]
450
- # in the *IAM User Guide* guide.
420
+ # For more information, see [Configuring MFA-Protected API Access][8] in
421
+ # the *IAM User Guide* guide.
451
422
  #
452
423
  # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
453
424
  # and `TokenCode` parameters. The `SerialNumber` value identifies the
@@ -458,15 +429,12 @@ module Aws::STS
458
429
  #
459
430
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
460
431
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
461
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
462
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
463
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
464
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
465
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
466
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
467
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
468
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
469
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
432
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
433
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
434
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
435
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
436
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
437
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
470
438
  #
471
439
  # @option params [required, String] :role_arn
472
440
  # The Amazon Resource Name (ARN) of the role to assume.
@@ -494,17 +462,17 @@ module Aws::STS
494
462
  # the same account as the role.
495
463
  #
496
464
  # This parameter is optional. You can provide up to 10 managed policy
497
- # ARNs. However, the plain text that you use for both inline and managed
465
+ # ARNs. However, the plaintext that you use for both inline and managed
498
466
  # session policies can't exceed 2,048 characters. For more information
499
467
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
500
468
  # Namespaces][1] in the AWS General Reference.
501
469
  #
502
470
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
503
471
  # tags into a packed binary format that has a separate limit. Your
504
- # request can fail for this limit even if your plain text meets the
505
- # other requirements. The `PackedPolicySize` response element indicates
506
- # by percentage how close the policies and tags for your request are to
507
- # the upper size limit.
472
+ # request can fail for this limit even if your plaintext meets the other
473
+ # requirements. The `PackedPolicySize` response element indicates by
474
+ # percentage how close the policies and tags for your request are to the
475
+ # upper size limit.
508
476
  #
509
477
  # </note>
510
478
  #
@@ -536,7 +504,7 @@ module Aws::STS
536
504
  # assumed. For more information, see [Session Policies][1] in the *IAM
537
505
  # User Guide*.
538
506
  #
539
- # The plain text that you use for both inline and managed session
507
+ # The plaintext that you use for both inline and managed session
540
508
  # policies can't exceed 2,048 characters. The JSON policy characters
541
509
  # can be any ASCII character from the space character to the end of the
542
510
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -545,10 +513,10 @@ module Aws::STS
545
513
  #
546
514
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
547
515
  # tags into a packed binary format that has a separate limit. Your
548
- # request can fail for this limit even if your plain text meets the
549
- # other requirements. The `PackedPolicySize` response element indicates
550
- # by percentage how close the policies and tags for your request are to
551
- # the upper size limit.
516
+ # request can fail for this limit even if your plaintext meets the other
517
+ # requirements. The `PackedPolicySize` response element indicates by
518
+ # percentage how close the policies and tags for your request are to the
519
+ # upper size limit.
552
520
  #
553
521
  # </note>
554
522
  #
@@ -557,15 +525,16 @@ module Aws::STS
557
525
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
558
526
  #
559
527
  # @option params [Integer] :duration_seconds
560
- # The duration, in seconds, of the role session. The value can range
561
- # from 900 seconds (15 minutes) up to the maximum session duration
562
- # setting for the role. This setting can have a value from 1 hour to 12
563
- # hours. If you specify a value higher than this setting, the operation
564
- # fails. For example, if you specify a session duration of 12 hours, but
565
- # your administrator set the maximum session duration to 6 hours, your
566
- # operation fails. To learn how to view the maximum value for your role,
567
- # see [View the Maximum Session Duration Setting for a Role][1] in the
568
- # *IAM User Guide*.
528
+ # The duration, in seconds, of the role session. The value specified can
529
+ # can range from 900 seconds (15 minutes) up to the maximum session
530
+ # duration that is set for the role. The maximum session duration
531
+ # setting can have a value from 1 hour to 12 hours. If you specify a
532
+ # value higher than this setting or the administrator setting (whichever
533
+ # is lower), the operation fails. For example, if you specify a session
534
+ # duration of 12 hours, but your administrator set the maximum session
535
+ # duration to 6 hours, your operation fails. To learn how to view the
536
+ # maximum value for your role, see [View the Maximum Session Duration
537
+ # Setting for a Role][1] in the *IAM User Guide*.
569
538
  #
570
539
  # By default, the value is set to `3600` seconds.
571
540
  #
@@ -591,16 +560,16 @@ module Aws::STS
591
560
  # Guide*.
592
561
  #
593
562
  # This parameter is optional. You can pass up to 50 session tags. The
594
- # plain text session tag keys can’t exceed 128 characters, and the
595
- # values can’t exceed 256 characters. For these and additional limits,
596
- # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
563
+ # plaintext session tag keys can’t exceed 128 characters, and the values
564
+ # can’t exceed 256 characters. For these and additional limits, see [IAM
565
+ # and STS Character Limits][2] in the *IAM User Guide*.
597
566
  #
598
567
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
599
568
  # tags into a packed binary format that has a separate limit. Your
600
- # request can fail for this limit even if your plain text meets the
601
- # other requirements. The `PackedPolicySize` response element indicates
602
- # by percentage how close the policies and tags for your request are to
603
- # the upper size limit.
569
+ # request can fail for this limit even if your plaintext meets the other
570
+ # requirements. The `PackedPolicySize` response element indicates by
571
+ # percentage how close the policies and tags for your request are to the
572
+ # upper size limit.
604
573
  #
605
574
  # </note>
606
575
  #
@@ -683,7 +652,7 @@ module Aws::STS
683
652
  #
684
653
  # @option params [String] :token_code
685
654
  # The value provided by the MFA device, if the trust policy of the role
686
- # being assumed requires MFA (that is, if the policy includes a
655
+ # being assumed requires MFA. (In other words, if the policy includes a
687
656
  # condition that tests for MFA). If the role being assumed requires MFA
688
657
  # and if the `TokenCode` value is missing or expired, the `AssumeRole`
689
658
  # call returns an "access denied" error.
@@ -691,11 +660,35 @@ module Aws::STS
691
660
  # The format for this parameter, as described by its regex pattern, is a
692
661
  # sequence of six numeric digits.
693
662
  #
663
+ # @option params [String] :source_identity
664
+ # The source identity specified by the principal that is calling the
665
+ # `AssumeRole` operation.
666
+ #
667
+ # You can require users to specify a source identity when they assume a
668
+ # role. You do this by using the `sts:SourceIdentity` condition key in a
669
+ # role trust policy. You can use source identity information in AWS
670
+ # CloudTrail logs to determine who took actions with a role. You can use
671
+ # the `aws:SourceIdentity` condition key to further control access to
672
+ # AWS resources based on the value of source identity. For more
673
+ # information about using source identity, see [Monitor and control
674
+ # actions taken with assumed roles][1] in the *IAM User Guide*.
675
+ #
676
+ # The regex used to validate this parameter is a string of characters
677
+ # consisting of upper- and lower-case alphanumeric characters with no
678
+ # spaces. You can also include underscores or any of the following
679
+ # characters: =,.@-. You cannot use a value that begins with the text
680
+ # `aws:`. This prefix is reserved for AWS internal use.
681
+ #
682
+ #
683
+ #
684
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
685
+ #
694
686
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
695
687
  #
696
688
  # * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
697
689
  # * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
698
690
  # * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
691
+ # * {Types::AssumeRoleResponse#source_identity #source_identity} => String
699
692
  #
700
693
  #
701
694
  # @example Example: To assume a role
@@ -762,6 +755,7 @@ module Aws::STS
762
755
  # external_id: "externalIdType",
763
756
  # serial_number: "serialNumberType",
764
757
  # token_code: "tokenCodeType",
758
+ # source_identity: "sourceIdentityType",
765
759
  # })
766
760
  #
767
761
  # @example Response structure
@@ -773,6 +767,7 @@ module Aws::STS
773
767
  # resp.assumed_role_user.assumed_role_id #=> String
774
768
  # resp.assumed_role_user.arn #=> String
775
769
  # resp.packed_policy_size #=> Integer
770
+ # resp.source_identity #=> String
776
771
  #
777
772
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole AWS API Documentation
778
773
  #
@@ -815,6 +810,17 @@ module Aws::STS
815
810
  # use those operations to create a console URL. For more information,
816
811
  # see [Using IAM Roles][4] in the *IAM User Guide*.
817
812
  #
813
+ # <note markdown="1"> [Role chaining][5] limits your AWS CLI or AWS API role session to a
814
+ # maximum of one hour. When you use the `AssumeRole` API operation to
815
+ # assume a role, you can specify the duration of your role session with
816
+ # the `DurationSeconds` parameter. You can specify a parameter value of
817
+ # up to 43200 seconds (12 hours), depending on the maximum session
818
+ # duration setting for your role. However, if you assume a role using
819
+ # role chaining and provide a `DurationSeconds` parameter value greater
820
+ # than one hour, the operation fails.
821
+ #
822
+ # </note>
823
+ #
818
824
  # **Permissions**
819
825
  #
820
826
  # The temporary security credentials created by `AssumeRoleWithSAML` can
@@ -822,10 +828,10 @@ module Aws::STS
822
828
  # exception: you cannot call the STS `GetFederationToken` or
823
829
  # `GetSessionToken` API operations.
824
830
  #
825
- # (Optional) You can pass inline or managed [session policies][5] to
831
+ # (Optional) You can pass inline or managed [session policies][6] to
826
832
  # this operation. You can pass a single JSON policy document to use as
827
833
  # an inline session policy. You can also specify up to 10 managed
828
- # policies to use as managed session policies. The plain text that you
834
+ # policies to use as managed session policies. The plaintext that you
829
835
  # use for both inline and managed session policies can't exceed 2,048
830
836
  # characters. Passing policies to this operation returns new temporary
831
837
  # credentials. The resulting session's permissions are the intersection
@@ -834,7 +840,7 @@ module Aws::STS
834
840
  # access resources in the account that owns the role. You cannot use
835
841
  # session policies to grant more permissions than those allowed by the
836
842
  # identity-based policy of the role that is being assumed. For more
837
- # information, see [Session Policies][5] in the *IAM User Guide*.
843
+ # information, see [Session Policies][6] in the *IAM User Guide*.
838
844
  #
839
845
  # Calling `AssumeRoleWithSAML` does not require the use of AWS security
840
846
  # credentials. The identity of the caller is validated by using keys in
@@ -853,19 +859,19 @@ module Aws::STS
853
859
  # (Optional) You can configure your IdP to pass attributes into your
854
860
  # SAML assertion as session tags. Each session tag consists of a key
855
861
  # name and an associated value. For more information about session tags,
856
- # see [Passing Session Tags in STS][6] in the *IAM User Guide*.
862
+ # see [Passing Session Tags in STS][7] in the *IAM User Guide*.
857
863
  #
858
- # You can pass up to 50 session tags. The plain text session tag keys
864
+ # You can pass up to 50 session tags. The plaintext session tag keys
859
865
  # can’t exceed 128 characters and the values can’t exceed 256
860
866
  # characters. For these and additional limits, see [IAM and STS
861
- # Character Limits][7] in the *IAM User Guide*.
867
+ # Character Limits][8] in the *IAM User Guide*.
862
868
  #
863
869
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
864
870
  # tags into a packed binary format that has a separate limit. Your
865
- # request can fail for this limit even if your plain text meets the
866
- # other requirements. The `PackedPolicySize` response element indicates
867
- # by percentage how close the policies and tags for your request are to
868
- # the upper size limit.
871
+ # request can fail for this limit even if your plaintext meets the other
872
+ # requirements. The `PackedPolicySize` response element indicates by
873
+ # percentage how close the policies and tags for your request are to the
874
+ # upper size limit.
869
875
  #
870
876
  # </note>
871
877
  #
@@ -876,12 +882,12 @@ module Aws::STS
876
882
  # An administrator must grant you the permissions necessary to pass
877
883
  # session tags. The administrator can also create granular permissions
878
884
  # to allow you to pass only specific session tags. For more information,
879
- # see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
885
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
880
886
  # the *IAM User Guide*.
881
887
  #
882
888
  # You can set the session tags as transitive. Transitive tags persist
883
889
  # during role chaining. For more information, see [Chaining Roles with
884
- # Session Tags][9] in the *IAM User Guide*.
890
+ # Session Tags][10] in the *IAM User Guide*.
885
891
  #
886
892
  # **SAML Configuration**
887
893
  #
@@ -894,14 +900,14 @@ module Aws::STS
894
900
  #
895
901
  # For more information, see the following resources:
896
902
  #
897
- # * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
903
+ # * [About SAML 2.0-based Federation][11] in the *IAM User Guide*.
898
904
  #
899
- # * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
905
+ # * [Creating SAML Identity Providers][12] in the *IAM User Guide*.
900
906
  #
901
- # * [Configuring a Relying Party and Claims][12] in the *IAM User
907
+ # * [Configuring a Relying Party and Claims][13] in the *IAM User
902
908
  # Guide*.
903
909
  #
904
- # * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
910
+ # * [Creating a Role for SAML 2.0 Federation][14] in the *IAM User
905
911
  # Guide*.
906
912
  #
907
913
  #
@@ -910,15 +916,16 @@ module Aws::STS
910
916
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
911
917
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
912
918
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
913
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
914
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
915
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
916
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
917
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
918
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
919
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
920
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
921
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
919
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
920
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
921
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
922
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
923
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
924
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
925
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
926
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
927
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
928
+ # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
922
929
  #
923
930
  # @option params [required, String] :role_arn
924
931
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -929,7 +936,7 @@ module Aws::STS
929
936
  # describes the IdP.
930
937
  #
931
938
  # @option params [required, String] :saml_assertion
932
- # The base-64 encoded SAML authentication response provided by the IdP.
939
+ # The base64 encoded SAML authentication response provided by the IdP.
933
940
  #
934
941
  # For more information, see [Configuring a Relying Party and Adding
935
942
  # Claims][1] in the *IAM User Guide*.
@@ -944,17 +951,17 @@ module Aws::STS
944
951
  # the same account as the role.
945
952
  #
946
953
  # This parameter is optional. You can provide up to 10 managed policy
947
- # ARNs. However, the plain text that you use for both inline and managed
954
+ # ARNs. However, the plaintext that you use for both inline and managed
948
955
  # session policies can't exceed 2,048 characters. For more information
949
956
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
950
957
  # Namespaces][1] in the AWS General Reference.
951
958
  #
952
959
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
953
960
  # tags into a packed binary format that has a separate limit. Your
954
- # request can fail for this limit even if your plain text meets the
955
- # other requirements. The `PackedPolicySize` response element indicates
956
- # by percentage how close the policies and tags for your request are to
957
- # the upper size limit.
961
+ # request can fail for this limit even if your plaintext meets the other
962
+ # requirements. The `PackedPolicySize` response element indicates by
963
+ # percentage how close the policies and tags for your request are to the
964
+ # upper size limit.
958
965
  #
959
966
  # </note>
960
967
  #
@@ -986,7 +993,7 @@ module Aws::STS
986
993
  # assumed. For more information, see [Session Policies][1] in the *IAM
987
994
  # User Guide*.
988
995
  #
989
- # The plain text that you use for both inline and managed session
996
+ # The plaintext that you use for both inline and managed session
990
997
  # policies can't exceed 2,048 characters. The JSON policy characters
991
998
  # can be any ASCII character from the space character to the end of the
992
999
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -995,10 +1002,10 @@ module Aws::STS
995
1002
  #
996
1003
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
997
1004
  # tags into a packed binary format that has a separate limit. Your
998
- # request can fail for this limit even if your plain text meets the
999
- # other requirements. The `PackedPolicySize` response element indicates
1000
- # by percentage how close the policies and tags for your request are to
1001
- # the upper size limit.
1005
+ # request can fail for this limit even if your plaintext meets the other
1006
+ # requirements. The `PackedPolicySize` response element indicates by
1007
+ # percentage how close the policies and tags for your request are to the
1008
+ # upper size limit.
1002
1009
  #
1003
1010
  # </note>
1004
1011
  #
@@ -1047,6 +1054,7 @@ module Aws::STS
1047
1054
  # * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
1048
1055
  # * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
1049
1056
  # * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
1057
+ # * {Types::AssumeRoleWithSAMLResponse#source_identity #source_identity} => String
1050
1058
  #
1051
1059
  #
1052
1060
  # @example Example: To assume a role using a SAML assertion
@@ -1107,6 +1115,7 @@ module Aws::STS
1107
1115
  # resp.issuer #=> String
1108
1116
  # resp.audience #=> String
1109
1117
  # resp.name_qualifier #=> String
1118
+ # resp.source_identity #=> String
1110
1119
  #
1111
1120
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML AWS API Documentation
1112
1121
  #
@@ -1176,7 +1185,7 @@ module Aws::STS
1176
1185
  # (Optional) You can pass inline or managed [session policies][9] to
1177
1186
  # this operation. You can pass a single JSON policy document to use as
1178
1187
  # an inline session policy. You can also specify up to 10 managed
1179
- # policies to use as managed session policies. The plain text that you
1188
+ # policies to use as managed session policies. The plaintext that you
1180
1189
  # use for both inline and managed session policies can't exceed 2,048
1181
1190
  # characters. Passing policies to this operation returns new temporary
1182
1191
  # credentials. The resulting session's permissions are the intersection
@@ -1194,17 +1203,17 @@ module Aws::STS
1194
1203
  # name and an associated value. For more information about session tags,
1195
1204
  # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
1196
1205
  #
1197
- # You can pass up to 50 session tags. The plain text session tag keys
1206
+ # You can pass up to 50 session tags. The plaintext session tag keys
1198
1207
  # can’t exceed 128 characters and the values can’t exceed 256
1199
1208
  # characters. For these and additional limits, see [IAM and STS
1200
1209
  # Character Limits][11] in the *IAM User Guide*.
1201
1210
  #
1202
1211
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1203
1212
  # tags into a packed binary format that has a separate limit. Your
1204
- # request can fail for this limit even if your plain text meets the
1205
- # other requirements. The `PackedPolicySize` response element indicates
1206
- # by percentage how close the policies and tags for your request are to
1207
- # the upper size limit.
1213
+ # request can fail for this limit even if your plaintext meets the other
1214
+ # requirements. The `PackedPolicySize` response element indicates by
1215
+ # percentage how close the policies and tags for your request are to the
1216
+ # upper size limit.
1208
1217
  #
1209
1218
  # </note>
1210
1219
  #
@@ -1233,7 +1242,7 @@ module Aws::STS
1233
1242
  #
1234
1243
  # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
1235
1244
  # CloudTrail logs. The entry includes the [Subject][14] of the provided
1236
- # Web Identity Token. We recommend that you avoid using any personally
1245
+ # web identity token. We recommend that you avoid using any personally
1237
1246
  # identifiable information (PII) in this field. For example, you could
1238
1247
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1239
1248
  # specification][15].
@@ -1322,17 +1331,17 @@ module Aws::STS
1322
1331
  # the same account as the role.
1323
1332
  #
1324
1333
  # This parameter is optional. You can provide up to 10 managed policy
1325
- # ARNs. However, the plain text that you use for both inline and managed
1334
+ # ARNs. However, the plaintext that you use for both inline and managed
1326
1335
  # session policies can't exceed 2,048 characters. For more information
1327
1336
  # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1328
1337
  # Namespaces][1] in the AWS General Reference.
1329
1338
  #
1330
1339
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1331
1340
  # tags into a packed binary format that has a separate limit. Your
1332
- # request can fail for this limit even if your plain text meets the
1333
- # other requirements. The `PackedPolicySize` response element indicates
1334
- # by percentage how close the policies and tags for your request are to
1335
- # the upper size limit.
1341
+ # request can fail for this limit even if your plaintext meets the other
1342
+ # requirements. The `PackedPolicySize` response element indicates by
1343
+ # percentage how close the policies and tags for your request are to the
1344
+ # upper size limit.
1336
1345
  #
1337
1346
  # </note>
1338
1347
  #
@@ -1364,7 +1373,7 @@ module Aws::STS
1364
1373
  # assumed. For more information, see [Session Policies][1] in the *IAM
1365
1374
  # User Guide*.
1366
1375
  #
1367
- # The plain text that you use for both inline and managed session
1376
+ # The plaintext that you use for both inline and managed session
1368
1377
  # policies can't exceed 2,048 characters. The JSON policy characters
1369
1378
  # can be any ASCII character from the space character to the end of the
1370
1379
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -1373,10 +1382,10 @@ module Aws::STS
1373
1382
  #
1374
1383
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1375
1384
  # tags into a packed binary format that has a separate limit. Your
1376
- # request can fail for this limit even if your plain text meets the
1377
- # other requirements. The `PackedPolicySize` response element indicates
1378
- # by percentage how close the policies and tags for your request are to
1379
- # the upper size limit.
1385
+ # request can fail for this limit even if your plaintext meets the other
1386
+ # requirements. The `PackedPolicySize` response element indicates by
1387
+ # percentage how close the policies and tags for your request are to the
1388
+ # upper size limit.
1380
1389
  #
1381
1390
  # </note>
1382
1391
  #
@@ -1420,6 +1429,7 @@ module Aws::STS
1420
1429
  # * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
1421
1430
  # * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
1422
1431
  # * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
1432
+ # * {Types::AssumeRoleWithWebIdentityResponse#source_identity #source_identity} => String
1423
1433
  #
1424
1434
  #
1425
1435
  # @example Example: To assume a role as an OpenID Connect-federated user
@@ -1479,6 +1489,7 @@ module Aws::STS
1479
1489
  # resp.packed_policy_size #=> Integer
1480
1490
  # resp.provider #=> String
1481
1491
  # resp.audience #=> String
1492
+ # resp.source_identity #=> String
1482
1493
  #
1483
1494
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity AWS API Documentation
1484
1495
  #
@@ -1763,6 +1774,72 @@ module Aws::STS
1763
1774
  # You must pass an inline or managed [session policy][6] to this
1764
1775
  # operation. You can pass a single JSON policy document to use as an
1765
1776
  # inline session policy. You can also specify up to 10 managed policies
1777
+ # to use as managed session policies. The plaintext that you use for
1778
+ # both inline and managed session policies can't exceed 2,048
1779
+ # characters.
1780
+ #
1781
+ # Though the session policy parameters are optional, if you do not pass
1782
+ # a policy, then the resulting federated user session has no
1783
+ # permissions. When you pass session policies, the session permissions
1784
+ # are the intersection of the IAM user policies and the session policies
1785
+ # that you pass. This gives you a way to further restrict the
1786
+ # permissions for a federated user. You cannot use session policies to
1787
+ # grant more permissions than those that are defined in the permissions
1788
+ # policy of the IAM user. For more information, see [Session
1789
+ # Policies][6] in the *IAM User Guide*. For information about using
1790
+ # `GetFederationToken` to create temporary security credentials, see
1791
+ # [GetFederationToken—Federation Through a Custom Identity Broker][7].
1792
+ #
1793
+ # You can use the credentials to access a resource that has a
1794
+ # resource-based policy. If that policy specifically references the
1795
+ # federated user session in the `Principal` element of the policy, the
1796
+ # session has the permissions allowed by the policy. These permissions
1797
+ # are granted in addition to the permissions granted by the session
1798
+ # policies.
1799
+ #
1800
+ # **Tags**
1801
+ #
1802
+ # (Optional) You can pass tag key-value pairs to your session. These are
1803
+ # called session tags. For more information about session tags, see
1804
+ # [Passing Session Tags in STS][8] in the *IAM User Guide*.
1805
+ #
1806
+ # <note markdown="1"> You can create a mobile-based or browser-based app that can
1807
+ # authenticate users using a web identity provider like Login with
1808
+ # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1809
+ # provider. In this case, we recommend that you use [Amazon Cognito][3]
1810
+ # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1811
+ # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1812
+ #
1813
+ # </note>
1814
+ #
1815
+ # You can also call `GetFederationToken` using the security credentials
1816
+ # of an AWS account root user, but we do not recommend it. Instead, we
1817
+ # recommend that you create an IAM user for the purpose of the proxy
1818
+ # application. Then attach a policy to the IAM user that limits
1819
+ # federated users to only the actions and resources that they need to
1820
+ # access. For more information, see [IAM Best Practices][5] in the *IAM
1821
+ # User Guide*.
1822
+ #
1823
+ # **Session duration**
1824
+ #
1825
+ # The temporary credentials are valid for the specified duration, from
1826
+ # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1827
+ # hours). The default session duration is 43,200 seconds (12 hours).
1828
+ # Temporary credentials that are obtained by using AWS account root user
1829
+ # credentials have a maximum duration of 3,600 seconds (1 hour).
1830
+ #
1831
+ # **Permissions**
1832
+ #
1833
+ # You can use the temporary credentials created by `GetFederationToken`
1834
+ # in any AWS service except the following:
1835
+ #
1836
+ # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1837
+ #
1838
+ # * You cannot call any STS operations except `GetCallerIdentity`.
1839
+ #
1840
+ # You must pass an inline or managed [session policy][6] to this
1841
+ # operation. You can pass a single JSON policy document to use as an
1842
+ # inline session policy. You can also specify up to 10 managed policies
1766
1843
  # to use as managed session policies. The plain text that you use for
1767
1844
  # both inline and managed session policies can't exceed 2,048
1768
1845
  # characters.
@@ -1857,7 +1934,7 @@ module Aws::STS
1857
1934
  # are granted in addition to the permissions that are granted by the
1858
1935
  # session policies.
1859
1936
  #
1860
- # The plain text that you use for both inline and managed session
1937
+ # The plaintext that you use for both inline and managed session
1861
1938
  # policies can't exceed 2,048 characters. The JSON policy characters
1862
1939
  # can be any ASCII character from the space character to the end of the
1863
1940
  # valid character list (\\u0020 through \\u00FF). It can also include
@@ -1866,10 +1943,10 @@ module Aws::STS
1866
1943
  #
1867
1944
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1868
1945
  # tags into a packed binary format that has a separate limit. Your
1869
- # request can fail for this limit even if your plain text meets the
1870
- # other requirements. The `PackedPolicySize` response element indicates
1871
- # by percentage how close the policies and tags for your request are to
1872
- # the upper size limit.
1946
+ # request can fail for this limit even if your plaintext meets the other
1947
+ # requirements. The `PackedPolicySize` response element indicates by
1948
+ # percentage how close the policies and tags for your request are to the
1949
+ # upper size limit.
1873
1950
  #
1874
1951
  # </note>
1875
1952
  #
@@ -1885,7 +1962,7 @@ module Aws::STS
1885
1962
  # You must pass an inline or managed [session policy][1] to this
1886
1963
  # operation. You can pass a single JSON policy document to use as an
1887
1964
  # inline session policy. You can also specify up to 10 managed policies
1888
- # to use as managed session policies. The plain text that you use for
1965
+ # to use as managed session policies. The plaintext that you use for
1889
1966
  # both inline and managed session policies can't exceed 2,048
1890
1967
  # characters. You can provide up to 10 managed policy ARNs. For more
1891
1968
  # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
@@ -1912,10 +1989,10 @@ module Aws::STS
1912
1989
  #
1913
1990
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1914
1991
  # tags into a packed binary format that has a separate limit. Your
1915
- # request can fail for this limit even if your plain text meets the
1916
- # other requirements. The `PackedPolicySize` response element indicates
1917
- # by percentage how close the policies and tags for your request are to
1918
- # the upper size limit.
1992
+ # request can fail for this limit even if your plaintext meets the other
1993
+ # requirements. The `PackedPolicySize` response element indicates by
1994
+ # percentage how close the policies and tags for your request are to the
1995
+ # upper size limit.
1919
1996
  #
1920
1997
  # </note>
1921
1998
  #
@@ -1939,16 +2016,16 @@ module Aws::STS
1939
2016
  # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1940
2017
  #
1941
2018
  # This parameter is optional. You can pass up to 50 session tags. The
1942
- # plain text session tag keys can’t exceed 128 characters and the values
2019
+ # plaintext session tag keys can’t exceed 128 characters and the values
1943
2020
  # can’t exceed 256 characters. For these and additional limits, see [IAM
1944
2021
  # and STS Character Limits][2] in the *IAM User Guide*.
1945
2022
  #
1946
2023
  # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1947
2024
  # tags into a packed binary format that has a separate limit. Your
1948
- # request can fail for this limit even if your plain text meets the
1949
- # other requirements. The `PackedPolicySize` response element indicates
1950
- # by percentage how close the policies and tags for your request are to
1951
- # the upper size limit.
2025
+ # request can fail for this limit even if your plaintext meets the other
2026
+ # requirements. The `PackedPolicySize` response element indicates by
2027
+ # percentage how close the policies and tags for your request are to the
2028
+ # upper size limit.
1952
2029
  #
1953
2030
  # </note>
1954
2031
  #
@@ -2204,7 +2281,7 @@ module Aws::STS
2204
2281
  params: params,
2205
2282
  config: config)
2206
2283
  context[:gem_name] = 'aws-sdk-core'
2207
- context[:gem_version] = '3.113.0'
2284
+ context[:gem_version] = '3.114.3'
2208
2285
  Seahorse::Client::Request.new(handlers, context)
2209
2286
  end
2210
2287