aws-sdk-core 3.113.0 → 3.114.3
- checksums.yaml +4 -4
- data/CHANGELOG.md +25 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/pageable_response.rb +7 -1
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/sso_credentials.rb +1 -2
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/doc_builder.rb +6 -1
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +220 -143
- data/lib/aws-sdk-sts/client_api.rb +5 -0
- data/lib/aws-sdk-sts/types.rb +164 -43
- metadata +5 -6
@@ -74,6 +74,7 @@ module Aws::STS
|
|
74
74
|
roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
|
75
75
|
serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
|
76
76
|
sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
|
77
|
+
sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
|
77
78
|
tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
|
78
79
|
tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
|
79
80
|
tagListType = Shapes::ListShape.new(name: 'tagListType')
|
@@ -95,11 +96,13 @@ module Aws::STS
|
|
95
96
|
AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
|
96
97
|
AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
|
97
98
|
AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
|
99
|
+
AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
98
100
|
AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
|
99
101
|
|
100
102
|
AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
101
103
|
AssumeRoleResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
|
102
104
|
AssumeRoleResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
105
|
+
AssumeRoleResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
103
106
|
AssumeRoleResponse.struct_class = Types::AssumeRoleResponse
|
104
107
|
|
105
108
|
AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -118,6 +121,7 @@ module Aws::STS
|
|
118
121
|
AssumeRoleWithSAMLResponse.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, location_name: "Issuer"))
|
119
122
|
AssumeRoleWithSAMLResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
120
123
|
AssumeRoleWithSAMLResponse.add_member(:name_qualifier, Shapes::ShapeRef.new(shape: NameQualifier, location_name: "NameQualifier"))
|
124
|
+
AssumeRoleWithSAMLResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
121
125
|
AssumeRoleWithSAMLResponse.struct_class = Types::AssumeRoleWithSAMLResponse
|
122
126
|
|
123
127
|
AssumeRoleWithWebIdentityRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -135,6 +139,7 @@ module Aws::STS
|
|
135
139
|
AssumeRoleWithWebIdentityResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
136
140
|
AssumeRoleWithWebIdentityResponse.add_member(:provider, Shapes::ShapeRef.new(shape: Issuer, location_name: "Provider"))
|
137
141
|
AssumeRoleWithWebIdentityResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
142
|
+
AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
138
143
|
AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
|
139
144
|
|
140
145
|
AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
|
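--- a/data/lib/aws-sdk-sts/types.rb
+++ b/data/lib/aws-sdk-sts/types.rb
@@ -33,6 +33,7 @@ module Aws::STS
 # external_id: "externalIdType",
 # serial_number: "serialNumberType",
 # token_code: "tokenCodeType",
+# source_identity: "sourceIdentityType",
 # }
 #
 # @!attribute [rw] role_arn
@@ -63,14 +64,14 @@ module Aws::STS
 # in the same account as the role.
 #
 # This parameter is optional. You can provide up to 10 managed policy
-# ARNs. However, the
+# ARNs. However, the plaintext that you use for both inline and
 # managed session policies can't exceed 2,048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
 # Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -107,7 +108,7 @@ module Aws::STS
 # the role that is being assumed. For more information, see [Session
 # Policies][1] in the *IAM User Guide*.
 #
-# The
+# The plaintext that you use for both inline and managed session
 # policies can't exceed 2,048 characters. The JSON policy characters
 # can be any ASCII character from the space character to the end of
 # the valid character list (\\u0020 through \\u00FF). It can also
@@ -116,7 +117,7 @@ module Aws::STS
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -129,15 +130,17 @@ module Aws::STS
 # @return [String]
 #
 # @!attribute [rw] duration_seconds
-# The duration, in seconds, of the role session. The value
-# from 900 seconds (15 minutes) up to the maximum
-#
-#
-#
-#
-#
-#
-#
+# The duration, in seconds, of the role session. The value specified
+# can can range from 900 seconds (15 minutes) up to the maximum
+# session duration that is set for the role. The maximum session
+# duration setting can have a value from 1 hour to 12 hours. If you
+# specify a value higher than this setting or the administrator
+# setting (whichever is lower), the operation fails. For example, if
+# you specify a session duration of 12 hours, but your administrator
+# set the maximum session duration to 6 hours, your operation fails.
+# To learn how to view the maximum value for your role, see [View the
+# Maximum Session Duration Setting for a Role][1] in the *IAM User
+# Guide*.
 #
 # By default, the value is set to `3600` seconds.
 #
@@ -164,13 +167,13 @@ module Aws::STS
 # User Guide*.
 #
 # This parameter is optional. You can pass up to 50 session tags. The
-#
+# plaintext session tag keys can’t exceed 128 characters, and the
 # values can’t exceed 256 characters. For these and additional limits,
 # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -262,15 +265,40 @@ module Aws::STS
 #
 # @!attribute [rw] token_code
 # The value provided by the MFA device, if the trust policy of the
-# role being assumed requires MFA (
-# condition that tests for MFA). If the role being assumed
-# MFA and if the `TokenCode` value is missing or expired, the
+# role being assumed requires MFA. (In other words, if the policy
+# includes a condition that tests for MFA). If the role being assumed
+# requires MFA and if the `TokenCode` value is missing or expired, the
 # `AssumeRole` call returns an "access denied" error.
 #
 # The format for this parameter, as described by its regex pattern, is
 # a sequence of six numeric digits.
 # @return [String]
 #
+# @!attribute [rw] source_identity
+# The source identity specified by the principal that is calling the
+# `AssumeRole` operation.
+#
+# You can require users to specify a source identity when they assume
+# a role. You do this by using the `sts:SourceIdentity` condition key
+# in a role trust policy. You can use source identity information in
+# AWS CloudTrail logs to determine who took actions with a role. You
+# can use the `aws:SourceIdentity` condition key to further control
+# access to AWS resources based on the value of source identity. For
+# more information about using source identity, see [Monitor and
+# control actions taken with assumed roles][1] in the *IAM User
+# Guide*.
+#
+# The regex used to validate this parameter is a string of characters
+# consisting of upper- and lower-case alphanumeric characters with no
+# spaces. You can also include underscores or any of the following
+# characters: =,.@-. You cannot use a value that begins with the text
+# `aws:`. This prefix is reserved for AWS internal use.
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+# @return [String]
+#
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
 #
 class AssumeRoleRequest < Struct.new(
@@ -283,7 +311,8 @@ module Aws::STS
 :transitive_tag_keys,
 :external_id,
 :serial_number,
-:token_code
+:token_code,
+:source_identity)
 SENSITIVE = []
 include Aws::Structure
 end
@@ -318,12 +347,37 @@ module Aws::STS
 # means the policies and tags exceeded the allowed space.
 # @return [Integer]
 #
+# @!attribute [rw] source_identity
+# The source identity specified by the principal that is calling the
+# `AssumeRole` operation.
+#
+# You can require users to specify a source identity when they assume
+# a role. You do this by using the `sts:SourceIdentity` condition key
+# in a role trust policy. You can use source identity information in
+# AWS CloudTrail logs to determine who took actions with a role. You
+# can use the `aws:SourceIdentity` condition key to further control
+# access to AWS resources based on the value of source identity. For
+# more information about using source identity, see [Monitor and
+# control actions taken with assumed roles][1] in the *IAM User
+# Guide*.
+#
+# The regex used to validate this parameter is a string of characters
+# consisting of upper- and lower-case alphanumeric characters with no
+# spaces. You can also include underscores or any of the following
+# characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+# @return [String]
+#
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
 #
 class AssumeRoleResponse < Struct.new(
 :credentials,
 :assumed_role_user,
-:packed_policy_size
+:packed_policy_size,
+:source_identity)
 SENSITIVE = []
 include Aws::Structure
 end
@@ -355,8 +409,7 @@ module Aws::STS
 # @return [String]
 #
 # @!attribute [rw] saml_assertion
-# The
-# IdP.
+# The base64 encoded SAML authentication response provided by the IdP.
 #
 # For more information, see [Configuring a Relying Party and Adding
 # Claims][1] in the *IAM User Guide*.
@@ -372,14 +425,14 @@ module Aws::STS
 # in the same account as the role.
 #
 # This parameter is optional. You can provide up to 10 managed policy
-# ARNs. However, the
+# ARNs. However, the plaintext that you use for both inline and
 # managed session policies can't exceed 2,048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
 # Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -416,7 +469,7 @@ module Aws::STS
 # the role that is being assumed. For more information, see [Session
 # Policies][1] in the *IAM User Guide*.
 #
-# The
+# The plaintext that you use for both inline and managed session
 # policies can't exceed 2,048 characters. The JSON policy characters
 # can be any ASCII character from the space character to the end of
 # the valid character list (\\u0020 through \\u00FF). It can also
@@ -425,7 +478,7 @@ module Aws::STS
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -537,11 +590,17 @@ module Aws::STS
 # @return [String]
 #
 # @!attribute [rw] name_qualifier
-# A hash value based on the concatenation of the
-#
-#
-#
-#
+# A hash value based on the concatenation of the following:
+#
+# * The `Issuer` response value.
+#
+# * The AWS account ID.
+#
+# * The friendly name (the last part of the ARN) of the SAML provider
+# in IAM.
+#
+# The combination of `NameQualifier` and `Subject` can be used to
+# uniquely identify a federated user.
 #
 # The following pseudocode shows how the hash value is calculated:
 #
@@ -549,6 +608,34 @@ module Aws::STS
 # "/MySAMLIdP" ) )`
 # @return [String]
 #
+# @!attribute [rw] source_identity
+# The value in the `SourceIdentity` attribute in the SAML assertion.
+#
+# You can require users to set a source identity value when they
+# assume a role. You do this by using the `sts:SourceIdentity`
+# condition key in a role trust policy. That way, actions that are
+# taken with the role are associated with that user. After the source
+# identity is set, the value cannot be changed. It is present in the
+# request for all actions that are taken by the role and persists
+# across [chained role][1] sessions. You can configure your SAML
+# identity provider to use an attribute associated with your users,
+# like user name or email, as the source identity when calling
+# `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
+# assertion. For more information about using source identity, see
+# [Monitor and control actions taken with assumed roles][2] in the
+# *IAM User Guide*.
+#
+# The regex used to validate this parameter is a string of characters
+# consisting of upper- and lower-case alphanumeric characters with no
+# spaces. You can also include underscores or any of the following
+# characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+# @return [String]
+#
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
 #
 class AssumeRoleWithSAMLResponse < Struct.new(
@@ -559,7 +646,8 @@ module Aws::STS
 :subject_type,
 :issuer,
 :audience,
-:name_qualifier
+:name_qualifier,
+:source_identity)
 SENSITIVE = []
 include Aws::Structure
 end
@@ -626,14 +714,14 @@ module Aws::STS
 # in the same account as the role.
 #
 # This parameter is optional. You can provide up to 10 managed policy
-# ARNs. However, the
+# ARNs. However, the plaintext that you use for both inline and
 # managed session policies can't exceed 2,048 characters. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
 # Service Namespaces][1] in the AWS General Reference.
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -670,7 +758,7 @@ module Aws::STS
 # the role that is being assumed. For more information, see [Session
 # Policies][1] in the *IAM User Guide*.
 #
-# The
+# The plaintext that you use for both inline and managed session
 # policies can't exceed 2,048 characters. The JSON policy characters
 # can be any ASCII character from the space character to the end of
 # the valid character list (\\u0020 through \\u00FF). It can also
@@ -679,7 +767,7 @@ module Aws::STS
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -789,6 +877,38 @@ module Aws::STS
 # application that requested the web identity token.
 # @return [String]
 #
+# @!attribute [rw] source_identity
+# The value of the source identity that is returned in the JSON web
+# token (JWT) from the identity provider.
+#
+# You can require users to set a source identity value when they
+# assume a role. You do this by using the `sts:SourceIdentity`
+# condition key in a role trust policy. That way, actions that are
+# taken with the role are associated with that user. After the source
+# identity is set, the value cannot be changed. It is present in the
+# request for all actions that are taken by the role and persists
+# across [chained role][1] sessions. You can configure your identity
+# provider to use an attribute associated with your users, like user
+# name or email, as the source identity when calling
+# `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
+# JSON web token. To learn more about OIDC tokens and claims, see
+# [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
+# Guide*. For more information about using source identity, see
+# [Monitor and control actions taken with assumed roles][3] in the
+# *IAM User Guide*.
+#
+# The regex used to validate this parameter is a string of characters
+# consisting of upper- and lower-case alphanumeric characters with no
+# spaces. You can also include underscores or any of the following
+# characters: =,.@-
+#
+#
+#
+# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
+# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
+# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
+# @return [String]
+#
 # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
 #
 class AssumeRoleWithWebIdentityResponse < Struct.new(
@@ -797,7 +917,8 @@ module Aws::STS
 :assumed_role_user,
 :packed_policy_size,
 :provider,
-:audience
+:audience,
+:source_identity)
 SENSITIVE = []
 include Aws::Structure
 end
@@ -1074,7 +1195,7 @@ module Aws::STS
 # are granted in addition to the permissions that are granted by the
 # session policies.
 #
-# The
+# The plaintext that you use for both inline and managed session
 # policies can't exceed 2,048 characters. The JSON policy characters
 # can be any ASCII character from the space character to the end of
 # the valid character list (\\u0020 through \\u00FF). It can also
@@ -1083,7 +1204,7 @@ module Aws::STS
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -1104,7 +1225,7 @@ module Aws::STS
 # You must pass an inline or managed [session policy][1] to this
 # operation. You can pass a single JSON policy document to use as an
 # inline session policy. You can also specify up to 10 managed
-# policies to use as managed session policies. The
+# policies to use as managed session policies. The plaintext that you
 # use for both inline and managed session policies can't exceed 2,048
 # characters. You can provide up to 10 managed policy ARNs. For more
 # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
@@ -1131,7 +1252,7 @@ module Aws::STS
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.
@@ -1160,13 +1281,13 @@ module Aws::STS
 # [Passing Session Tags in STS][1] in the *IAM User Guide*.
 #
 # This parameter is optional. You can pass up to 50 session tags. The
-#
+# plaintext session tag keys can’t exceed 128 characters and the
 # values can’t exceed 256 characters. For these and additional limits,
 # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
 #
 # <note markdown="1"> An AWS conversion compresses the passed session policies and session
 # tags into a packed binary format that has a separate limit. Your
-# request can fail for this limit even if your
+# request can fail for this limit even if your plaintext meets the
 # other requirements. The `PackedPolicySize` response element
 # indicates by percentage how close the policies and tags for your
 # request are to the upper size limit.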
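Review bot: `SENSITIVE = []` stays empty in the four structs that gain `:source_identity` (`AssumeRoleRequest`, `AssumeRoleResponse`, `AssumeRoleWithSAMLResponse`, `AssumeRoleWithWebIdentityResponse`), although the added documentation says the value can be a user name or email. If the SDK's parameter logging and `inspect` output rely on `SENSITIVE` for redaction, which this page does not show, the identity would appear in clear text in application logs, so callers that log STS requests or responses should treat it as personal data. The file looks generated from the service model, so any such flag would belong in the model rather than in a hand edit here. Separately, the added `duration_seconds` text reads `can can range from 900 seconds` and should read `can range from 900 seconds`.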