aws-sdk-core 3.113.1 → 3.118.0

@@ -11,7 +11,7 @@ module Aws
11
11
  def initialize(rules, options = {})
12
12
  @rules = rules
13
13
  @xml = options[:target] || []
14
- indent = options[:indent] || ' '
14
+ indent = options[:indent] || ''
15
15
  pad = options[:pad] || ''
16
16
  @builder = DocBuilder.new(target: @xml, indent: indent, pad: pad)
17
17
  end
@@ -95,6 +95,8 @@ module Aws
95
95
  def child_frame(xml_name)
96
96
  if @member = @members[xml_name]
97
97
  Frame.new(xml_name, self, @member[:ref])
98
+ elsif @ref.shape.union
99
+ UnknownMemberFrame.new(xml_name, self, nil, @result)
98
100
  else
99
101
  NullFrame.new(xml_name, self)
100
102
  end
@@ -106,10 +108,24 @@ module Aws
106
108
  @result[@member[:name]][child.key.result] = child.value.result
107
109
  when FlatListFrame
108
110
  @result[@member[:name]] << child.result
111
+ when UnknownMemberFrame
112
+ @result[:unknown] = { 'name' => child.path.last, 'value' => child.result }
109
113
  when NullFrame
110
114
  else
111
115
  @result[@member[:name]] = child.result
112
116
  end
117
+
118
+ if @ref.shape.union
119
+ # a union may only have one member set
120
+ # convert to the union subclass
121
+ # The default Struct created will have defaults set for all values
122
+ # This also sets only one of the values leaving everything else nil
123
+ # as required for unions
124
+ set_member_name = @member ? @member[:name] : :unknown
125
+ member_subclass = @ref.shape.member_subclass(set_member_name).new # shape.member_subclass(target.member).new
126
+ member_subclass[set_member_name] = @result[set_member_name]
127
+ @result = member_subclass
128
+ end
113
129
  end
114
130
 
115
131
  private
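Review bot: The union conversion added at the end of this hunk runs after every consumed child, so nothing enforces the invariant its own comment states (`a union may only have one member set`). A second member element in a response is not rejected here; as far as the visible lines show, the block simply rebuilds `@result` from the latest member and the earlier one is dropped without any signal. This frame parses service responses off the wire, so I would check whether `@result` is already a union subclass before new line 125 rebuilds it, and raise or at least record the second member. The trailing `# shape.member_subclass(target.member).new` on that same line looks like leftover scratch code and should be removed. The method begins above the hunk, so whether the struct actually defines an `:unknown` member (written by the `UnknownMemberFrame` branch) cannot be confirmed from here.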
@@ -242,6 +258,12 @@ module Aws
242
258
  end
243
259
  end
244
260
 
261
+ class UnknownMemberFrame < Frame
262
+ def result
263
+ @text.join
264
+ end
265
+ end
266
+
245
267
  class BlobFrame < Frame
246
268
  def result
247
269
  @text.empty? ? nil : Base64.decode64(@text.join)
@@ -302,6 +324,7 @@ module Aws
302
324
  MapShape => MapFrame,
303
325
  StringShape => StringFrame,
304
326
  StructureShape => StructureFrame,
327
+ UnionShape => StructureFrame,
305
328
  TimestampShape => TimestampFrame,
306
329
  }
307
330
 
data/lib/aws-sdk-sso.rb CHANGED
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
50
50
  # @!group service
51
51
  module Aws::SSO
52
52
 
53
- GEM_VERSION = '3.113.1'
53
+ GEM_VERSION = '3.118.0'
54
54
 
55
55
  end
@@ -523,7 +523,7 @@ module Aws::SSO
523
523
  params: params,
524
524
  config: config)
525
525
  context[:gem_name] = 'aws-sdk-core'
526
- context[:gem_version] = '3.113.1'
526
+ context[:gem_version] = '3.118.0'
527
527
  Seahorse::Client::Request.new(handlers, context)
528
528
  end
529
529
 
data/lib/aws-sdk-sts.rb CHANGED
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
50
50
  # @!group service
51
51
  module Aws::STS
52
52
 
53
- GEM_VERSION = '3.113.1'
53
+ GEM_VERSION = '3.118.0'
54
54
 
55
55
  end
@@ -335,65 +335,38 @@ module Aws::STS
335
335
  # @!group API Operations
336
336
 
337
337
  # Returns a set of temporary security credentials that you can use to
338
- # access AWS resources that you might not normally have access to. These
339
- # temporary credentials consist of an access key ID, a secret access
340
- # key, and a security token. Typically, you use `AssumeRole` within your
341
- # account or for cross-account access. For a comparison of `AssumeRole`
342
- # with other API operations that produce temporary credentials, see
343
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
344
- # STS API operations][2] in the *IAM User Guide*.
345
- #
346
- # You cannot use AWS account root user credentials to call `AssumeRole`.
347
- # You must use credentials for an IAM user or an IAM role to call
348
- # `AssumeRole`.
349
- #
350
- # For cross-account access, imagine that you own multiple accounts and
351
- # need to access resources in each account. You could create long-term
352
- # credentials in each account to access those resources. However,
353
- # managing all those credentials and remembering which one can access
354
- # which account can be time consuming. Instead, you can create one set
355
- # of long-term credentials in one account. Then use temporary security
356
- # credentials to access all the other accounts by assuming roles in
357
- # those accounts. For more information about roles, see [IAM Roles][3]
358
- # in the *IAM User Guide*.
359
- #
360
- # **Session Duration**
361
- #
362
- # By default, the temporary security credentials created by `AssumeRole`
363
- # last for one hour. However, you can use the optional `DurationSeconds`
364
- # parameter to specify the duration of your session. You can provide a
365
- # value from 900 seconds (15 minutes) up to the maximum session duration
366
- # setting for the role. This setting can have a value from 1 hour to 12
367
- # hours. To learn how to view the maximum value for your role, see [View
368
- # the Maximum Session Duration Setting for a Role][4] in the *IAM User
369
- # Guide*. The maximum session duration limit applies when you use the
370
- # `AssumeRole*` API operations or the `assume-role*` CLI commands.
371
- # However the limit does not apply when you use those operations to
372
- # create a console URL. For more information, see [Using IAM Roles][5]
373
- # in the *IAM User Guide*.
338
+ # access Amazon Web Services resources that you might not normally have
339
+ # access to. These temporary credentials consist of an access key ID, a
340
+ # secret access key, and a security token. Typically, you use
341
+ # `AssumeRole` within your account or for cross-account access. For a
342
+ # comparison of `AssumeRole` with other API operations that produce
343
+ # temporary credentials, see [Requesting Temporary Security
344
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
345
+ # User Guide*.
374
346
  #
375
347
  # **Permissions**
376
348
  #
377
349
  # The temporary security credentials created by `AssumeRole` can be used
378
- # to make API calls to any AWS service with the following exception: You
379
- # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
380
- # operations.
350
+ # to make API calls to any Amazon Web Services service with the
351
+ # following exception: You cannot call the STS `GetFederationToken` or
352
+ # `GetSessionToken` API operations.
381
353
  #
382
- # (Optional) You can pass inline or managed [session policies][6] to
354
+ # (Optional) You can pass inline or managed [session policies][3] to
383
355
  # this operation. You can pass a single JSON policy document to use as
384
356
  # an inline session policy. You can also specify up to 10 managed
385
- # policies to use as managed session policies. The plain text that you
357
+ # policies to use as managed session policies. The plaintext that you
386
358
  # use for both inline and managed session policies can't exceed 2,048
387
359
  # characters. Passing policies to this operation returns new temporary
388
360
  # credentials. The resulting session's permissions are the intersection
389
361
  # of the role's identity-based policy and the session policies. You can
390
- # use the role's temporary credentials in subsequent AWS API calls to
391
- # access resources in the account that owns the role. You cannot use
392
- # session policies to grant more permissions than those allowed by the
393
- # identity-based policy of the role that is being assumed. For more
394
- # information, see [Session Policies][6] in the *IAM User Guide*.
362
+ # use the role's temporary credentials in subsequent Amazon Web
363
+ # Services API calls to access resources in the account that owns the
364
+ # role. You cannot use session policies to grant more permissions than
365
+ # those allowed by the identity-based policy of the role that is being
366
+ # assumed. For more information, see [Session Policies][3] in the *IAM
367
+ # User Guide*.
395
368
  #
396
- # To assume a role from a different account, your AWS account must be
369
+ # To assume a role from a different account, your account must be
397
370
  # trusted by the role. The trust relationship is defined in the role's
398
371
  # trust policy when the role is created. That trust policy states which
399
372
  # accounts are allowed to delegate that access to users in the account.
@@ -413,41 +386,41 @@ module Aws::STS
413
386
  # In this case, the trust policy acts as an IAM resource-based policy.
414
387
  # Users in the same account as the role do not need explicit permission
415
388
  # to assume the role. For more information about trust policies and
416
- # resource-based policies, see [IAM Policies][7] in the *IAM User
389
+ # resource-based policies, see [IAM Policies][4] in the *IAM User
417
390
  # Guide*.
418
391
  #
419
392
  # **Tags**
420
393
  #
421
394
  # (Optional) You can pass tag key-value pairs to your session. These
422
395
  # tags are called session tags. For more information about session tags,
423
- # see [Passing Session Tags in STS][8] in the *IAM User Guide*.
396
+ # see [Passing Session Tags in STS][5] in the *IAM User Guide*.
424
397
  #
425
398
  # An administrator must grant you the permissions necessary to pass
426
399
  # session tags. The administrator can also create granular permissions
427
400
  # to allow you to pass only specific session tags. For more information,
428
- # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
401
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][6] in
429
402
  # the *IAM User Guide*.
430
403
  #
431
404
  # You can set the session tags as transitive. Transitive tags persist
432
405
  # during role chaining. For more information, see [Chaining Roles with
433
- # Session Tags][10] in the *IAM User Guide*.
406
+ # Session Tags][7] in the *IAM User Guide*.
434
407
  #
435
408
  # **Using MFA with AssumeRole**
436
409
  #
437
410
  # (Optional) You can include multi-factor authentication (MFA)
438
411
  # information when you call `AssumeRole`. This is useful for
439
412
  # cross-account scenarios to ensure that the user that assumes the role
440
- # has been authenticated with an AWS MFA device. In that scenario, the
441
- # trust policy of the role being assumed includes a condition that tests
442
- # for MFA authentication. If the caller does not include valid MFA
443
- # information, the request to assume the role is denied. The condition
444
- # in a trust policy that tests for MFA authentication might look like
445
- # the following example.
413
+ # has been authenticated with an Amazon Web Services MFA device. In that
414
+ # scenario, the trust policy of the role being assumed includes a
415
+ # condition that tests for MFA authentication. If the caller does not
416
+ # include valid MFA information, the request to assume the role is
417
+ # denied. The condition in a trust policy that tests for MFA
418
+ # authentication might look like the following example.
446
419
  #
447
420
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
448
421
  #
449
- # For more information, see [Configuring MFA-Protected API Access][11]
450
- # in the *IAM User Guide* guide.
422
+ # For more information, see [Configuring MFA-Protected API Access][8] in
423
+ # the *IAM User Guide* guide.
451
424
  #
452
425
  # To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
453
426
  # and `TokenCode` parameters. The `SerialNumber` value identifies the
@@ -458,15 +431,12 @@ module Aws::STS
458
431
  #
459
432
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
460
433
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
461
- # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html
462
- # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
463
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
464
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
465
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
466
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
467
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
468
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
469
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
434
+ # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
435
+ # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
436
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
437
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
438
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
439
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
470
440
  #
471
441
  # @option params [required, String] :role_arn
472
442
  # The Amazon Resource Name (ARN) of the role to assume.
@@ -481,7 +451,7 @@ module Aws::STS
481
451
  # also used in the ARN of the assumed role principal. This means that
482
452
  # subsequent cross-account API requests that use the temporary security
483
453
  # credentials will expose the role session name to the external account
484
- # in their AWS CloudTrail logs.
454
+ # in their CloudTrail logs.
485
455
  #
486
456
  # The regex used to validate this parameter is a string of characters
487
457
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -494,28 +464,29 @@ module Aws::STS
494
464
  # the same account as the role.
495
465
  #
496
466
  # This parameter is optional. You can provide up to 10 managed policy
497
- # ARNs. However, the plain text that you use for both inline and managed
467
+ # ARNs. However, the plaintext that you use for both inline and managed
498
468
  # session policies can't exceed 2,048 characters. For more information
499
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
500
- # Namespaces][1] in the AWS General Reference.
469
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
470
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
501
471
  #
502
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
503
- # tags into a packed binary format that has a separate limit. Your
504
- # request can fail for this limit even if your plain text meets the
505
- # other requirements. The `PackedPolicySize` response element indicates
506
- # by percentage how close the policies and tags for your request are to
507
- # the upper size limit.
472
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
473
+ # policies and session tags into a packed binary format that has a
474
+ # separate limit. Your request can fail for this limit even if your
475
+ # plaintext meets the other requirements. The `PackedPolicySize`
476
+ # response element indicates by percentage how close the policies and
477
+ # tags for your request are to the upper size limit.
508
478
  #
509
479
  # </note>
510
480
  #
511
481
  # Passing policies to this operation returns new temporary credentials.
512
482
  # The resulting session's permissions are the intersection of the
513
483
  # role's identity-based policy and the session policies. You can use
514
- # the role's temporary credentials in subsequent AWS API calls to
515
- # access resources in the account that owns the role. You cannot use
516
- # session policies to grant more permissions than those allowed by the
517
- # identity-based policy of the role that is being assumed. For more
518
- # information, see [Session Policies][2] in the *IAM User Guide*.
484
+ # the role's temporary credentials in subsequent Amazon Web Services
485
+ # API calls to access resources in the account that owns the role. You
486
+ # cannot use session policies to grant more permissions than those
487
+ # allowed by the identity-based policy of the role that is being
488
+ # assumed. For more information, see [Session Policies][2] in the *IAM
489
+ # User Guide*.
519
490
  #
520
491
  #
521
492
  #
@@ -530,25 +501,25 @@ module Aws::STS
530
501
  # new temporary credentials. The resulting session's permissions are
531
502
  # the intersection of the role's identity-based policy and the session
532
503
  # policies. You can use the role's temporary credentials in subsequent
533
- # AWS API calls to access resources in the account that owns the role.
534
- # You cannot use session policies to grant more permissions than those
535
- # allowed by the identity-based policy of the role that is being
536
- # assumed. For more information, see [Session Policies][1] in the *IAM
537
- # User Guide*.
504
+ # Amazon Web Services API calls to access resources in the account that
505
+ # owns the role. You cannot use session policies to grant more
506
+ # permissions than those allowed by the identity-based policy of the
507
+ # role that is being assumed. For more information, see [Session
508
+ # Policies][1] in the *IAM User Guide*.
538
509
  #
539
- # The plain text that you use for both inline and managed session
510
+ # The plaintext that you use for both inline and managed session
540
511
  # policies can't exceed 2,048 characters. The JSON policy characters
541
512
  # can be any ASCII character from the space character to the end of the
542
513
  # valid character list (\\u0020 through \\u00FF). It can also include
543
514
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
544
515
  # characters.
545
516
  #
546
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
547
- # tags into a packed binary format that has a separate limit. Your
548
- # request can fail for this limit even if your plain text meets the
549
- # other requirements. The `PackedPolicySize` response element indicates
550
- # by percentage how close the policies and tags for your request are to
551
- # the upper size limit.
517
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
518
+ # policies and session tags into a packed binary format that has a
519
+ # separate limit. Your request can fail for this limit even if your
520
+ # plaintext meets the other requirements. The `PackedPolicySize`
521
+ # response element indicates by percentage how close the policies and
522
+ # tags for your request are to the upper size limit.
552
523
  #
553
524
  # </note>
554
525
  #
@@ -557,15 +528,16 @@ module Aws::STS
557
528
  # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
558
529
  #
559
530
  # @option params [Integer] :duration_seconds
560
- # The duration, in seconds, of the role session. The value can range
561
- # from 900 seconds (15 minutes) up to the maximum session duration
562
- # setting for the role. This setting can have a value from 1 hour to 12
563
- # hours. If you specify a value higher than this setting, the operation
564
- # fails. For example, if you specify a session duration of 12 hours, but
565
- # your administrator set the maximum session duration to 6 hours, your
566
- # operation fails. To learn how to view the maximum value for your role,
567
- # see [View the Maximum Session Duration Setting for a Role][1] in the
568
- # *IAM User Guide*.
531
+ # The duration, in seconds, of the role session. The value specified can
532
+ # can range from 900 seconds (15 minutes) up to the maximum session
533
+ # duration that is set for the role. The maximum session duration
534
+ # setting can have a value from 1 hour to 12 hours. If you specify a
535
+ # value higher than this setting or the administrator setting (whichever
536
+ # is lower), the operation fails. For example, if you specify a session
537
+ # duration of 12 hours, but your administrator set the maximum session
538
+ # duration to 6 hours, your operation fails. To learn how to view the
539
+ # maximum value for your role, see [View the Maximum Session Duration
540
+ # Setting for a Role][1] in the *IAM User Guide*.
569
541
  #
570
542
  # By default, the value is set to `3600` seconds.
571
543
  #
@@ -574,8 +546,8 @@ module Aws::STS
574
546
  # The request to the federation endpoint for a console sign-in token
575
547
  # takes a `SessionDuration` parameter that specifies the maximum length
576
548
  # of the console session. For more information, see [Creating a URL that
577
- # Enables Federated Users to Access the AWS Management Console][2] in
578
- # the *IAM User Guide*.
549
+ # Enables Federated Users to Access the Management Console][2] in the
550
+ # *IAM User Guide*.
579
551
  #
580
552
  # </note>
581
553
  #
@@ -587,20 +559,20 @@ module Aws::STS
587
559
  # @option params [Array<Types::Tag>] :tags
588
560
  # A list of session tags that you want to pass. Each session tag
589
561
  # consists of a key name and an associated value. For more information
590
- # about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
562
+ # about session tags, see [Tagging STS Sessions][1] in the *IAM User
591
563
  # Guide*.
592
564
  #
593
565
  # This parameter is optional. You can pass up to 50 session tags. The
594
- # plain text session tag keys can’t exceed 128 characters, and the
595
- # values can’t exceed 256 characters. For these and additional limits,
596
- # see [IAM and STS Character Limits][2] in the *IAM User Guide*.
566
+ # plaintext session tag keys can’t exceed 128 characters, and the values
567
+ # can’t exceed 256 characters. For these and additional limits, see [IAM
568
+ # and STS Character Limits][2] in the *IAM User Guide*.
597
569
  #
598
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
599
- # tags into a packed binary format that has a separate limit. Your
600
- # request can fail for this limit even if your plain text meets the
601
- # other requirements. The `PackedPolicySize` response element indicates
602
- # by percentage how close the policies and tags for your request are to
603
- # the upper size limit.
570
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
571
+ # policies and session tags into a packed binary format that has a
572
+ # separate limit. Your request can fail for this limit even if your
573
+ # plaintext meets the other requirements. The `PackedPolicySize`
574
+ # response element indicates by percentage how close the policies and
575
+ # tags for your request are to the upper size limit.
604
576
  #
605
577
  # </note>
606
578
  #
@@ -619,8 +591,8 @@ module Aws::STS
619
591
  # operation, the new session inherits any transitive session tags from
620
592
  # the calling session. If you pass a session tag with the same key as an
621
593
  # inherited tag, the operation fails. To view the inherited tags for a
622
- # session, see the AWS CloudTrail logs. For more information, see
623
- # [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
594
+ # session, see the CloudTrail logs. For more information, see [Viewing
595
+ # Session Tags in CloudTrail][3] in the *IAM User Guide*.
624
596
  #
625
597
  #
626
598
  #
@@ -656,7 +628,8 @@ module Aws::STS
656
628
  # trusted account. That way, only someone with the ID can assume the
657
629
  # role, rather than everyone in the account. For more information about
658
630
  # the external ID, see [How to Use an External ID When Granting Access
659
- # to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
631
+ # to Your Amazon Web Services Resources to a Third Party][1] in the *IAM
632
+ # User Guide*.
660
633
  #
661
634
  # The regex used to validate this parameter is a string of characters
662
635
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -683,7 +656,7 @@ module Aws::STS
683
656
  #
684
657
  # @option params [String] :token_code
685
658
  # The value provided by the MFA device, if the trust policy of the role
686
- # being assumed requires MFA (that is, if the policy includes a
659
+ # being assumed requires MFA. (In other words, if the policy includes a
687
660
  # condition that tests for MFA). If the role being assumed requires MFA
688
661
  # and if the `TokenCode` value is missing or expired, the `AssumeRole`
689
662
  # call returns an "access denied" error.
@@ -691,11 +664,35 @@ module Aws::STS
691
664
  # The format for this parameter, as described by its regex pattern, is a
692
665
  # sequence of six numeric digits.
693
666
  #
667
+ # @option params [String] :source_identity
668
+ # The source identity specified by the principal that is calling the
669
+ # `AssumeRole` operation.
670
+ #
671
+ # You can require users to specify a source identity when they assume a
672
+ # role. You do this by using the `sts:SourceIdentity` condition key in a
673
+ # role trust policy. You can use source identity information in
674
+ # CloudTrail logs to determine who took actions with a role. You can use
675
+ # the `aws:SourceIdentity` condition key to further control access to
676
+ # Amazon Web Services resources based on the value of source identity.
677
+ # For more information about using source identity, see [Monitor and
678
+ # control actions taken with assumed roles][1] in the *IAM User Guide*.
679
+ #
680
+ # The regex used to validate this parameter is a string of characters
681
+ # consisting of upper- and lower-case alphanumeric characters with no
682
+ # spaces. You can also include underscores or any of the following
683
+ # characters: =,.@-. You cannot use a value that begins with the text
684
+ # `aws:`. This prefix is reserved for Amazon Web Services internal use.
685
+ #
686
+ #
687
+ #
688
+ # [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
689
+ #
694
690
  # @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
695
691
  #
696
692
  # * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
697
693
  # * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
698
694
  # * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
695
+ # * {Types::AssumeRoleResponse#source_identity #source_identity} => String
699
696
  #
700
697
  #
701
698
  # @example Example: To assume a role
@@ -762,6 +759,7 @@ module Aws::STS
762
759
  # external_id: "externalIdType",
763
760
  # serial_number: "serialNumberType",
764
761
  # token_code: "tokenCodeType",
762
+ # source_identity: "sourceIdentityType",
765
763
  # })
766
764
  #
767
765
  # @example Response structure
@@ -773,6 +771,7 @@ module Aws::STS
773
771
  # resp.assumed_role_user.assumed_role_id #=> String
774
772
  # resp.assumed_role_user.arn #=> String
775
773
  # resp.packed_policy_size #=> Integer
774
+ # resp.source_identity #=> String
776
775
  #
777
776
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole AWS API Documentation
778
777
  #
@@ -786,16 +785,17 @@ module Aws::STS
786
785
  # Returns a set of temporary security credentials for users who have
787
786
  # been authenticated via a SAML authentication response. This operation
788
787
  # provides a mechanism for tying an enterprise identity store or
789
- # directory to role-based AWS access without user-specific credentials
790
- # or configuration. For a comparison of `AssumeRoleWithSAML` with the
791
- # other API operations that produce temporary credentials, see
792
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
793
- # STS API operations][2] in the *IAM User Guide*.
788
+ # directory to role-based Amazon Web Services access without
789
+ # user-specific credentials or configuration. For a comparison of
790
+ # `AssumeRoleWithSAML` with the other API operations that produce
791
+ # temporary credentials, see [Requesting Temporary Security
792
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
793
+ # User Guide*.
794
794
  #
795
795
  # The temporary security credentials returned by this operation consist
796
796
  # of an access key ID, a secret access key, and a security token.
797
797
  # Applications can use these temporary security credentials to sign
798
- # calls to AWS services.
798
+ # calls to Amazon Web Services services.
799
799
  #
800
800
  # **Session Duration**
801
801
  #
@@ -815,37 +815,49 @@ module Aws::STS
815
815
  # use those operations to create a console URL. For more information,
816
816
  # see [Using IAM Roles][4] in the *IAM User Guide*.
817
817
  #
818
+ # <note markdown="1"> [Role chaining][5] limits your CLI or Amazon Web Services API role
819
+ # session to a maximum of one hour. When you use the `AssumeRole` API
820
+ # operation to assume a role, you can specify the duration of your role
821
+ # session with the `DurationSeconds` parameter. You can specify a
822
+ # parameter value of up to 43200 seconds (12 hours), depending on the
823
+ # maximum session duration setting for your role. However, if you assume
824
+ # a role using role chaining and provide a `DurationSeconds` parameter
825
+ # value greater than one hour, the operation fails.
826
+ #
827
+ # </note>
828
+ #
818
829
  # **Permissions**
819
830
  #
820
831
  # The temporary security credentials created by `AssumeRoleWithSAML` can
821
- # be used to make API calls to any AWS service with the following
822
- # exception: you cannot call the STS `GetFederationToken` or
832
+ # be used to make API calls to any Amazon Web Services service with the
833
+ # following exception: you cannot call the STS `GetFederationToken` or
823
834
  # `GetSessionToken` API operations.
824
835
  #
825
- # (Optional) You can pass inline or managed [session policies][5] to
836
+ # (Optional) You can pass inline or managed [session policies][6] to
826
837
  # this operation. You can pass a single JSON policy document to use as
827
838
  # an inline session policy. You can also specify up to 10 managed
828
- # policies to use as managed session policies. The plain text that you
839
+ # policies to use as managed session policies. The plaintext that you
829
840
  # use for both inline and managed session policies can't exceed 2,048
830
841
  # characters. Passing policies to this operation returns new temporary
831
842
  # credentials. The resulting session's permissions are the intersection
832
843
  # of the role's identity-based policy and the session policies. You can
833
- # use the role's temporary credentials in subsequent AWS API calls to
834
- # access resources in the account that owns the role. You cannot use
835
- # session policies to grant more permissions than those allowed by the
836
- # identity-based policy of the role that is being assumed. For more
837
- # information, see [Session Policies][5] in the *IAM User Guide*.
838
- #
839
- # Calling `AssumeRoleWithSAML` does not require the use of AWS security
840
- # credentials. The identity of the caller is validated by using keys in
841
- # the metadata document that is uploaded for the SAML provider entity
842
- # for your identity provider.
843
- #
844
- # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
845
- # CloudTrail logs. The entry includes the value in the `NameID` element
846
- # of the SAML assertion. We recommend that you use a `NameIDType` that
847
- # is not associated with any personally identifiable information (PII).
848
- # For example, you could instead use the persistent identifier
844
+ # use the role's temporary credentials in subsequent Amazon Web
845
+ # Services API calls to access resources in the account that owns the
846
+ # role. You cannot use session policies to grant more permissions than
847
+ # those allowed by the identity-based policy of the role that is being
848
+ # assumed. For more information, see [Session Policies][6] in the *IAM
849
+ # User Guide*.
850
+ #
851
+ # Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
852
+ # Services security credentials. The identity of the caller is validated
853
+ # by using keys in the metadata document that is uploaded for the SAML
854
+ # provider entity for your identity provider.
855
+ #
856
+ # Calling `AssumeRoleWithSAML` can result in an entry in your CloudTrail
857
+ # logs. The entry includes the value in the `NameID` element of the SAML
858
+ # assertion. We recommend that you use a `NameIDType` that is not
859
+ # associated with any personally identifiable information (PII). For
860
+ # example, you could instead use the persistent identifier
849
861
  # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
850
862
  #
851
863
  # **Tags**
@@ -853,19 +865,19 @@ module Aws::STS
853
865
  # (Optional) You can configure your IdP to pass attributes into your
854
866
  # SAML assertion as session tags. Each session tag consists of a key
855
867
  # name and an associated value. For more information about session tags,
856
- # see [Passing Session Tags in STS][6] in the *IAM User Guide*.
868
+ # see [Passing Session Tags in STS][7] in the *IAM User Guide*.
857
869
  #
858
- # You can pass up to 50 session tags. The plain text session tag keys
870
+ # You can pass up to 50 session tags. The plaintext session tag keys
859
871
  # can’t exceed 128 characters and the values can’t exceed 256
860
872
  # characters. For these and additional limits, see [IAM and STS
861
- # Character Limits][7] in the *IAM User Guide*.
873
+ # Character Limits][8] in the *IAM User Guide*.
862
874
  #
863
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
864
- # tags into a packed binary format that has a separate limit. Your
865
- # request can fail for this limit even if your plain text meets the
866
- # other requirements. The `PackedPolicySize` response element indicates
867
- # by percentage how close the policies and tags for your request are to
868
- # the upper size limit.
875
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
876
+ # policies and session tags into a packed binary format that has a
877
+ # separate limit. Your request can fail for this limit even if your
878
+ # plaintext meets the other requirements. The `PackedPolicySize`
879
+ # response element indicates by percentage how close the policies and
880
+ # tags for your request are to the upper size limit.
869
881
  #
870
882
  # </note>
871
883
  #
@@ -876,32 +888,33 @@ module Aws::STS
876
888
  # An administrator must grant you the permissions necessary to pass
877
889
  # session tags. The administrator can also create granular permissions
878
890
  # to allow you to pass only specific session tags. For more information,
879
- # see [Tutorial: Using Tags for Attribute-Based Access Control][8] in
891
+ # see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
880
892
  # the *IAM User Guide*.
881
893
  #
882
894
  # You can set the session tags as transitive. Transitive tags persist
883
895
  # during role chaining. For more information, see [Chaining Roles with
884
- # Session Tags][9] in the *IAM User Guide*.
896
+ # Session Tags][10] in the *IAM User Guide*.
885
897
  #
886
898
  # **SAML Configuration**
887
899
  #
888
900
  # Before your application can call `AssumeRoleWithSAML`, you must
889
901
  # configure your SAML identity provider (IdP) to issue the claims
890
- # required by AWS. Additionally, you must use AWS Identity and Access
891
- # Management (IAM) to create a SAML provider entity in your AWS account
892
- # that represents your identity provider. You must also create an IAM
893
- # role that specifies this SAML provider in its trust policy.
902
+ # required by Amazon Web Services. Additionally, you must use Identity
903
+ # and Access Management (IAM) to create a SAML provider entity in your
904
+ # Amazon Web Services account that represents your identity provider.
905
+ # You must also create an IAM role that specifies this SAML provider in
906
+ # its trust policy.
894
907
  #
895
908
  # For more information, see the following resources:
896
909
  #
897
- # * [About SAML 2.0-based Federation][10] in the *IAM User Guide*.
910
+ # * [About SAML 2.0-based Federation][11] in the *IAM User Guide*.
898
911
  #
899
- # * [Creating SAML Identity Providers][11] in the *IAM User Guide*.
912
+ # * [Creating SAML Identity Providers][12] in the *IAM User Guide*.
900
913
  #
901
- # * [Configuring a Relying Party and Claims][12] in the *IAM User
914
+ # * [Configuring a Relying Party and Claims][13] in the *IAM User
902
915
  # Guide*.
903
916
  #
904
- # * [Creating a Role for SAML 2.0 Federation][13] in the *IAM User
917
+ # * [Creating a Role for SAML 2.0 Federation][14] in the *IAM User
905
918
  # Guide*.
906
919
  #
907
920
  #
@@ -910,15 +923,16 @@ module Aws::STS
910
923
  # [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
911
924
  # [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
912
925
  # [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
913
- # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
914
- # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
915
- # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
916
- # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
917
- # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
918
- # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
919
- # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
920
- # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
921
- # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
926
+ # [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
927
+ # [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
928
+ # [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
929
+ # [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
930
+ # [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
931
+ # [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
932
+ # [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
933
+ # [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
934
+ # [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
935
+ # [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
922
936
  #
923
937
  # @option params [required, String] :role_arn
924
938
  # The Amazon Resource Name (ARN) of the role that the caller is
@@ -929,7 +943,7 @@ module Aws::STS
929
943
  # describes the IdP.
930
944
  #
931
945
  # @option params [required, String] :saml_assertion
932
- # The base-64 encoded SAML authentication response provided by the IdP.
946
+ # The base64 encoded SAML authentication response provided by the IdP.
933
947
  #
934
948
  # For more information, see [Configuring a Relying Party and Adding
935
949
  # Claims][1] in the *IAM User Guide*.
@@ -944,28 +958,29 @@ module Aws::STS
944
958
  # the same account as the role.
945
959
  #
946
960
  # This parameter is optional. You can provide up to 10 managed policy
947
- # ARNs. However, the plain text that you use for both inline and managed
961
+ # ARNs. However, the plaintext that you use for both inline and managed
948
962
  # session policies can't exceed 2,048 characters. For more information
949
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
950
- # Namespaces][1] in the AWS General Reference.
963
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
964
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
951
965
  #
952
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
953
- # tags into a packed binary format that has a separate limit. Your
954
- # request can fail for this limit even if your plain text meets the
955
- # other requirements. The `PackedPolicySize` response element indicates
956
- # by percentage how close the policies and tags for your request are to
957
- # the upper size limit.
966
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
967
+ # policies and session tags into a packed binary format that has a
968
+ # separate limit. Your request can fail for this limit even if your
969
+ # plaintext meets the other requirements. The `PackedPolicySize`
970
+ # response element indicates by percentage how close the policies and
971
+ # tags for your request are to the upper size limit.
958
972
  #
959
973
  # </note>
960
974
  #
961
975
  # Passing policies to this operation returns new temporary credentials.
962
976
  # The resulting session's permissions are the intersection of the
963
977
  # role's identity-based policy and the session policies. You can use
964
- # the role's temporary credentials in subsequent AWS API calls to
965
- # access resources in the account that owns the role. You cannot use
966
- # session policies to grant more permissions than those allowed by the
967
- # identity-based policy of the role that is being assumed. For more
968
- # information, see [Session Policies][2] in the *IAM User Guide*.
978
+ # the role's temporary credentials in subsequent Amazon Web Services
979
+ # API calls to access resources in the account that owns the role. You
980
+ # cannot use session policies to grant more permissions than those
981
+ # allowed by the identity-based policy of the role that is being
982
+ # assumed. For more information, see [Session Policies][2] in the *IAM
983
+ # User Guide*.
969
984
  #
970
985
  #
971
986
  #
@@ -980,25 +995,25 @@ module Aws::STS
980
995
  # new temporary credentials. The resulting session's permissions are
981
996
  # the intersection of the role's identity-based policy and the session
982
997
  # policies. You can use the role's temporary credentials in subsequent
983
- # AWS API calls to access resources in the account that owns the role.
984
- # You cannot use session policies to grant more permissions than those
985
- # allowed by the identity-based policy of the role that is being
986
- # assumed. For more information, see [Session Policies][1] in the *IAM
987
- # User Guide*.
998
+ # Amazon Web Services API calls to access resources in the account that
999
+ # owns the role. You cannot use session policies to grant more
1000
+ # permissions than those allowed by the identity-based policy of the
1001
+ # role that is being assumed. For more information, see [Session
1002
+ # Policies][1] in the *IAM User Guide*.
988
1003
  #
989
- # The plain text that you use for both inline and managed session
1004
+ # The plaintext that you use for both inline and managed session
990
1005
  # policies can't exceed 2,048 characters. The JSON policy characters
991
1006
  # can be any ASCII character from the space character to the end of the
992
1007
  # valid character list (\\u0020 through \\u00FF). It can also include
993
1008
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
994
1009
  # characters.
995
1010
  #
996
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
997
- # tags into a packed binary format that has a separate limit. Your
998
- # request can fail for this limit even if your plain text meets the
999
- # other requirements. The `PackedPolicySize` response element indicates
1000
- # by percentage how close the policies and tags for your request are to
1001
- # the upper size limit.
1011
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1012
+ # policies and session tags into a packed binary format that has a
1013
+ # separate limit. Your request can fail for this limit even if your
1014
+ # plaintext meets the other requirements. The `PackedPolicySize`
1015
+ # response element indicates by percentage how close the policies and
1016
+ # tags for your request are to the upper size limit.
1002
1017
  #
1003
1018
  # </note>
1004
1019
  #
@@ -1027,8 +1042,8 @@ module Aws::STS
1027
1042
  # The request to the federation endpoint for a console sign-in token
1028
1043
  # takes a `SessionDuration` parameter that specifies the maximum length
1029
1044
  # of the console session. For more information, see [Creating a URL that
1030
- # Enables Federated Users to Access the AWS Management Console][2] in
1031
- # the *IAM User Guide*.
1045
+ # Enables Federated Users to Access the Management Console][2] in the
1046
+ # *IAM User Guide*.
1032
1047
  #
1033
1048
  # </note>
1034
1049
  #
@@ -1047,6 +1062,7 @@ module Aws::STS
1047
1062
  # * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
1048
1063
  # * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
1049
1064
  # * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
1065
+ # * {Types::AssumeRoleWithSAMLResponse#source_identity #source_identity} => String
1050
1066
  #
1051
1067
  #
1052
1068
  # @example Example: To assume a role using a SAML assertion
@@ -1107,6 +1123,7 @@ module Aws::STS
1107
1123
  # resp.issuer #=> String
1108
1124
  # resp.audience #=> String
1109
1125
  # resp.name_qualifier #=> String
1126
+ # resp.source_identity #=> String
1110
1127
  #
1111
1128
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML AWS API Documentation
1112
1129
  #
@@ -1123,33 +1140,36 @@ module Aws::STS
1123
1140
  # Facebook, Google, or any OpenID Connect-compatible identity provider.
1124
1141
  #
1125
1142
  # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
1126
- # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
1127
- # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
1128
- # a user. You can also supply the user with a consistent identity
1129
- # throughout the lifetime of an application.
1143
+ # can use Amazon Cognito with the [Amazon Web Services SDK for iOS
1144
+ # Developer Guide][1] and the [Amazon Web Services SDK for Android
1145
+ # Developer Guide][2] to uniquely identify a user. You can also supply
1146
+ # the user with a consistent identity throughout the lifetime of an
1147
+ # application.
1130
1148
  #
1131
1149
  # To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
1132
- # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
1133
- # Overview][4] in the *AWS SDK for iOS Developer Guide*.
1150
+ # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
1151
+ # Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
1152
+ # Guide*.
1134
1153
  #
1135
1154
  # </note>
1136
1155
  #
1137
- # Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
1138
- # security credentials. Therefore, you can distribute an application
1139
- # (for example, on mobile devices) that requests temporary security
1140
- # credentials without including long-term AWS credentials in the
1141
- # application. You also don't need to deploy server-based proxy
1142
- # services that use long-term AWS credentials. Instead, the identity of
1143
- # the caller is validated by using a token from the web identity
1144
- # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
1145
- # other API operations that produce temporary credentials, see
1146
- # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
1147
- # STS API operations][6] in the *IAM User Guide*.
1156
+ # Calling `AssumeRoleWithWebIdentity` does not require the use of Amazon
1157
+ # Web Services security credentials. Therefore, you can distribute an
1158
+ # application (for example, on mobile devices) that requests temporary
1159
+ # security credentials without including long-term Amazon Web Services
1160
+ # credentials in the application. You also don't need to deploy
1161
+ # server-based proxy services that use long-term Amazon Web Services
1162
+ # credentials. Instead, the identity of the caller is validated by using
1163
+ # a token from the web identity provider. For a comparison of
1164
+ # `AssumeRoleWithWebIdentity` with the other API operations that produce
1165
+ # temporary credentials, see [Requesting Temporary Security
1166
+ # Credentials][5] and [Comparing the STS API operations][6] in the *IAM
1167
+ # User Guide*.
1148
1168
  #
1149
1169
  # The temporary security credentials returned by this API consist of an
1150
1170
  # access key ID, a secret access key, and a security token. Applications
1151
- # can use these temporary security credentials to sign calls to AWS
1152
- # service API operations.
1171
+ # can use these temporary security credentials to sign calls to Amazon
1172
+ # Web Services service API operations.
1153
1173
  #
1154
1174
  # **Session Duration**
1155
1175
  #
@@ -1169,23 +1189,24 @@ module Aws::STS
1169
1189
  # **Permissions**
1170
1190
  #
1171
1191
  # The temporary security credentials created by
1172
- # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
1173
- # service with the following exception: you cannot call the STS
1174
- # `GetFederationToken` or `GetSessionToken` API operations.
1192
+ # `AssumeRoleWithWebIdentity` can be used to make API calls to any
1193
+ # Amazon Web Services service with the following exception: you cannot
1194
+ # call the STS `GetFederationToken` or `GetSessionToken` API operations.
1175
1195
  #
1176
1196
  # (Optional) You can pass inline or managed [session policies][9] to
1177
1197
  # this operation. You can pass a single JSON policy document to use as
1178
1198
  # an inline session policy. You can also specify up to 10 managed
1179
- # policies to use as managed session policies. The plain text that you
1199
+ # policies to use as managed session policies. The plaintext that you
1180
1200
  # use for both inline and managed session policies can't exceed 2,048
1181
1201
  # characters. Passing policies to this operation returns new temporary
1182
1202
  # credentials. The resulting session's permissions are the intersection
1183
1203
  # of the role's identity-based policy and the session policies. You can
1184
- # use the role's temporary credentials in subsequent AWS API calls to
1185
- # access resources in the account that owns the role. You cannot use
1186
- # session policies to grant more permissions than those allowed by the
1187
- # identity-based policy of the role that is being assumed. For more
1188
- # information, see [Session Policies][9] in the *IAM User Guide*.
1204
+ # use the role's temporary credentials in subsequent Amazon Web
1205
+ # Services API calls to access resources in the account that owns the
1206
+ # role. You cannot use session policies to grant more permissions than
1207
+ # those allowed by the identity-based policy of the role that is being
1208
+ # assumed. For more information, see [Session Policies][9] in the *IAM
1209
+ # User Guide*.
1189
1210
  #
1190
1211
  # **Tags**
1191
1212
  #
@@ -1194,17 +1215,17 @@ module Aws::STS
1194
1215
  # name and an associated value. For more information about session tags,
1195
1216
  # see [Passing Session Tags in STS][10] in the *IAM User Guide*.
1196
1217
  #
1197
- # You can pass up to 50 session tags. The plain text session tag keys
1218
+ # You can pass up to 50 session tags. The plaintext session tag keys
1198
1219
  # can’t exceed 128 characters and the values can’t exceed 256
1199
1220
  # characters. For these and additional limits, see [IAM and STS
1200
1221
  # Character Limits][11] in the *IAM User Guide*.
1201
1222
  #
1202
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1203
- # tags into a packed binary format that has a separate limit. Your
1204
- # request can fail for this limit even if your plain text meets the
1205
- # other requirements. The `PackedPolicySize` response element indicates
1206
- # by percentage how close the policies and tags for your request are to
1207
- # the upper size limit.
1223
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1224
+ # policies and session tags into a packed binary format that has a
1225
+ # separate limit. Your request can fail for this limit even if your
1226
+ # plaintext meets the other requirements. The `PackedPolicySize`
1227
+ # response element indicates by percentage how close the policies and
1228
+ # tags for your request are to the upper size limit.
1208
1229
  #
1209
1230
  # </note>
1210
1231
  #
@@ -1231,9 +1252,9 @@ module Aws::STS
1231
1252
  # identity token. In other words, the identity provider must be
1232
1253
  # specified in the role's trust policy.
1233
1254
  #
1234
- # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
1255
+ # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
1235
1256
  # CloudTrail logs. The entry includes the [Subject][14] of the provided
1236
- # Web Identity Token. We recommend that you avoid using any personally
1257
+ # web identity token. We recommend that you avoid using any personally
1237
1258
  # identifiable information (PII) in this field. For example, you could
1238
1259
  # instead use a GUID or a pairwise identifier, as [suggested in the OIDC
1239
1260
  # specification][15].
@@ -1247,13 +1268,13 @@ module Aws::STS
1247
1268
  # * [ Web Identity Federation Playground][18]. Walk through the process
1248
1269
  # of authenticating through Login with Amazon, Facebook, or Google,
1249
1270
  # getting temporary security credentials, and then using those
1250
- # credentials to make a request to AWS.
1271
+ # credentials to make a request to Amazon Web Services.
1251
1272
  #
1252
- # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
1253
- # Developer Guide][2]. These toolkits contain sample apps that show
1254
- # how to invoke the identity providers. The toolkits then show how to
1255
- # use the information from these providers to get and use temporary
1256
- # security credentials.
1273
+ # * [Amazon Web Services SDK for iOS Developer Guide][1] and [Amazon Web
1274
+ # Services SDK for Android Developer Guide][2]. These toolkits contain
1275
+ # sample apps that show how to invoke the identity providers. The
1276
+ # toolkits then show how to use the information from these providers
1277
+ # to get and use temporary security credentials.
1257
1278
  #
1258
1279
  # * [Web Identity Federation with Mobile Applications][19]. This article
1259
1280
  # discusses web identity federation and shows an example of how to use
@@ -1322,28 +1343,29 @@ module Aws::STS
1322
1343
  # the same account as the role.
1323
1344
  #
1324
1345
  # This parameter is optional. You can provide up to 10 managed policy
1325
- # ARNs. However, the plain text that you use for both inline and managed
1346
+ # ARNs. However, the plaintext that you use for both inline and managed
1326
1347
  # session policies can't exceed 2,048 characters. For more information
1327
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1328
- # Namespaces][1] in the AWS General Reference.
1348
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
1349
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
1329
1350
  #
1330
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1331
- # tags into a packed binary format that has a separate limit. Your
1332
- # request can fail for this limit even if your plain text meets the
1333
- # other requirements. The `PackedPolicySize` response element indicates
1334
- # by percentage how close the policies and tags for your request are to
1335
- # the upper size limit.
1351
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1352
+ # policies and session tags into a packed binary format that has a
1353
+ # separate limit. Your request can fail for this limit even if your
1354
+ # plaintext meets the other requirements. The `PackedPolicySize`
1355
+ # response element indicates by percentage how close the policies and
1356
+ # tags for your request are to the upper size limit.
1336
1357
  #
1337
1358
  # </note>
1338
1359
  #
1339
1360
  # Passing policies to this operation returns new temporary credentials.
1340
1361
  # The resulting session's permissions are the intersection of the
1341
1362
  # role's identity-based policy and the session policies. You can use
1342
- # the role's temporary credentials in subsequent AWS API calls to
1343
- # access resources in the account that owns the role. You cannot use
1344
- # session policies to grant more permissions than those allowed by the
1345
- # identity-based policy of the role that is being assumed. For more
1346
- # information, see [Session Policies][2] in the *IAM User Guide*.
1363
+ # the role's temporary credentials in subsequent Amazon Web Services
1364
+ # API calls to access resources in the account that owns the role. You
1365
+ # cannot use session policies to grant more permissions than those
1366
+ # allowed by the identity-based policy of the role that is being
1367
+ # assumed. For more information, see [Session Policies][2] in the *IAM
1368
+ # User Guide*.
1347
1369
  #
1348
1370
  #
1349
1371
  #
@@ -1358,25 +1380,25 @@ module Aws::STS
1358
1380
  # new temporary credentials. The resulting session's permissions are
1359
1381
  # the intersection of the role's identity-based policy and the session
1360
1382
  # policies. You can use the role's temporary credentials in subsequent
1361
- # AWS API calls to access resources in the account that owns the role.
1362
- # You cannot use session policies to grant more permissions than those
1363
- # allowed by the identity-based policy of the role that is being
1364
- # assumed. For more information, see [Session Policies][1] in the *IAM
1365
- # User Guide*.
1383
+ # Amazon Web Services API calls to access resources in the account that
1384
+ # owns the role. You cannot use session policies to grant more
1385
+ # permissions than those allowed by the identity-based policy of the
1386
+ # role that is being assumed. For more information, see [Session
1387
+ # Policies][1] in the *IAM User Guide*.
1366
1388
  #
1367
- # The plain text that you use for both inline and managed session
1389
+ # The plaintext that you use for both inline and managed session
1368
1390
  # policies can't exceed 2,048 characters. The JSON policy characters
1369
1391
  # can be any ASCII character from the space character to the end of the
1370
1392
  # valid character list (\\u0020 through \\u00FF). It can also include
1371
1393
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1372
1394
  # characters.
1373
1395
  #
1374
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1375
- # tags into a packed binary format that has a separate limit. Your
1376
- # request can fail for this limit even if your plain text meets the
1377
- # other requirements. The `PackedPolicySize` response element indicates
1378
- # by percentage how close the policies and tags for your request are to
1379
- # the upper size limit.
1396
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1397
+ # policies and session tags into a packed binary format that has a
1398
+ # separate limit. Your request can fail for this limit even if your
1399
+ # plaintext meets the other requirements. The `PackedPolicySize`
1400
+ # response element indicates by percentage how close the policies and
1401
+ # tags for your request are to the upper size limit.
1380
1402
  #
1381
1403
  # </note>
1382
1404
  #
@@ -1402,8 +1424,8 @@ module Aws::STS
1402
1424
  # The request to the federation endpoint for a console sign-in token
1403
1425
  # takes a `SessionDuration` parameter that specifies the maximum length
1404
1426
  # of the console session. For more information, see [Creating a URL that
1405
- # Enables Federated Users to Access the AWS Management Console][2] in
1406
- # the *IAM User Guide*.
1427
+ # Enables Federated Users to Access the Management Console][2] in the
1428
+ # *IAM User Guide*.
1407
1429
  #
1408
1430
  # </note>
1409
1431
  #
@@ -1420,6 +1442,7 @@ module Aws::STS
1420
1442
  # * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
1421
1443
  # * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
1422
1444
  # * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
1445
+ # * {Types::AssumeRoleWithWebIdentityResponse#source_identity #source_identity} => String
1423
1446
  #
1424
1447
  #
1425
1448
  # @example Example: To assume a role as an OpenID Connect-federated user
@@ -1479,6 +1502,7 @@ module Aws::STS
1479
1502
  # resp.packed_policy_size #=> Integer
1480
1503
  # resp.provider #=> String
1481
1504
  # resp.audience #=> String
1505
+ # resp.source_identity #=> String
1482
1506
  #
1483
1507
  # @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity AWS API Documentation
1484
1508
  #
@@ -1490,19 +1514,19 @@ module Aws::STS
1490
1514
  end
1491
1515
 
1492
1516
  # Decodes additional information about the authorization status of a
1493
- # request from an encoded message returned in response to an AWS
1494
- # request.
1517
+ # request from an encoded message returned in response to an Amazon Web
1518
+ # Services request.
1495
1519
  #
1496
1520
  # For example, if a user is not authorized to perform an operation that
1497
1521
  # he or she has requested, the request returns a
1498
1522
  # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
1499
- # AWS operations additionally return an encoded message that can provide
1500
- # details about this authorization failure.
1523
+ # Amazon Web Services operations additionally return an encoded message
1524
+ # that can provide details about this authorization failure.
1501
1525
  #
1502
- # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
1503
- # The documentation for an individual operation indicates whether that
1504
- # operation returns an encoded message in addition to returning an HTTP
1505
- # code.
1526
+ # <note markdown="1"> Only certain Amazon Web Services operations return an encoded
1527
+ # authorization message. The documentation for an individual operation
1528
+ # indicates whether that operation returns an encoded message in
1529
+ # addition to returning an HTTP code.
1506
1530
  #
1507
1531
  # </note>
1508
1532
  #
@@ -1578,15 +1602,16 @@ module Aws::STS
1578
1602
  # *IAM User Guide*.
1579
1603
  #
1580
1604
  # When you pass an access key ID to this operation, it returns the ID of
1581
- # the AWS account to which the keys belong. Access key IDs beginning
1582
- # with `AKIA` are long-term credentials for an IAM user or the AWS
1583
- # account root user. Access key IDs beginning with `ASIA` are temporary
1584
- # credentials that are created using STS operations. If the account in
1585
- # the response belongs to you, you can sign in as the root user and
1586
- # review your root user access keys. Then, you can pull a [credentials
1587
- # report][2] to learn which IAM user owns the keys. To learn who
1588
- # requested the temporary credentials for an `ASIA` access key, view the
1589
- # STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
1605
+ # the Amazon Web Services account to which the keys belong. Access key
1606
+ # IDs beginning with `AKIA` are long-term credentials for an IAM user or
1607
+ # the Amazon Web Services account root user. Access key IDs beginning
1608
+ # with `ASIA` are temporary credentials that are created using STS
1609
+ # operations. If the account in the response belongs to you, you can
1610
+ # sign in as the root user and review your root user access keys. Then,
1611
+ # you can pull a [credentials report][2] to learn which IAM user owns
1612
+ # the keys. To learn who requested the temporary credentials for an
1613
+ # `ASIA` access key, view the STS events in your [CloudTrail logs][3] in
1614
+ # the *IAM User Guide*.
1590
1615
  #
1591
1616
  # This operation does not indicate the state of the access key. The key
1592
1617
  # might be active, inactive, or deleted. Active keys might not have
@@ -1723,8 +1748,8 @@ module Aws::STS
1723
1748
  # can be safely stored, usually in a server-based application. For a
1724
1749
  # comparison of `GetFederationToken` with the other API operations that
1725
1750
  # produce temporary credentials, see [Requesting Temporary Security
1726
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
1727
- # *IAM User Guide*.
1751
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
1752
+ # User Guide*.
1728
1753
  #
1729
1754
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1730
1755
  # authenticate users using a web identity provider like Login with
@@ -1736,27 +1761,97 @@ module Aws::STS
1736
1761
  # </note>
1737
1762
  #
1738
1763
  # You can also call `GetFederationToken` using the security credentials
1739
- # of an AWS account root user, but we do not recommend it. Instead, we
1740
- # recommend that you create an IAM user for the purpose of the proxy
1741
- # application. Then attach a policy to the IAM user that limits
1742
- # federated users to only the actions and resources that they need to
1743
- # access. For more information, see [IAM Best Practices][5] in the *IAM
1744
- # User Guide*.
1764
+ # of an Amazon Web Services account root user, but we do not recommend
1765
+ # it. Instead, we recommend that you create an IAM user for the purpose
1766
+ # of the proxy application. Then attach a policy to the IAM user that
1767
+ # limits federated users to only the actions and resources that they
1768
+ # need to access. For more information, see [IAM Best Practices][5] in
1769
+ # the *IAM User Guide*.
1770
+ #
1771
+ # **Session duration**
1772
+ #
1773
+ # The temporary credentials are valid for the specified duration, from
1774
+ # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1775
+ # hours). The default session duration is 43,200 seconds (12 hours).
1776
+ # Temporary credentials that are obtained by using Amazon Web Services
1777
+ # account root user credentials have a maximum duration of 3,600 seconds
1778
+ # (1 hour).
1779
+ #
1780
+ # **Permissions**
1781
+ #
1782
+ # You can use the temporary credentials created by `GetFederationToken`
1783
+ # in any Amazon Web Services service except the following:
1784
+ #
1785
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1786
+ # Services API.
1787
+ #
1788
+ # * You cannot call any STS operations except `GetCallerIdentity`.
1789
+ #
1790
+ # You must pass an inline or managed [session policy][6] to this
1791
+ # operation. You can pass a single JSON policy document to use as an
1792
+ # inline session policy. You can also specify up to 10 managed policies
1793
+ # to use as managed session policies. The plaintext that you use for
1794
+ # both inline and managed session policies can't exceed 2,048
1795
+ # characters.
1796
+ #
1797
+ # Though the session policy parameters are optional, if you do not pass
1798
+ # a policy, then the resulting federated user session has no
1799
+ # permissions. When you pass session policies, the session permissions
1800
+ # are the intersection of the IAM user policies and the session policies
1801
+ # that you pass. This gives you a way to further restrict the
1802
+ # permissions for a federated user. You cannot use session policies to
1803
+ # grant more permissions than those that are defined in the permissions
1804
+ # policy of the IAM user. For more information, see [Session
1805
+ # Policies][6] in the *IAM User Guide*. For information about using
1806
+ # `GetFederationToken` to create temporary security credentials, see
1807
+ # [GetFederationToken—Federation Through a Custom Identity Broker][7].
1808
+ #
1809
+ # You can use the credentials to access a resource that has a
1810
+ # resource-based policy. If that policy specifically references the
1811
+ # federated user session in the `Principal` element of the policy, the
1812
+ # session has the permissions allowed by the policy. These permissions
1813
+ # are granted in addition to the permissions granted by the session
1814
+ # policies.
1815
+ #
1816
+ # **Tags**
1817
+ #
1818
+ # (Optional) You can pass tag key-value pairs to your session. These are
1819
+ # called session tags. For more information about session tags, see
1820
+ # [Passing Session Tags in STS][8] in the *IAM User Guide*.
1821
+ #
1822
+ # <note markdown="1"> You can create a mobile-based or browser-based app that can
1823
+ # authenticate users using a web identity provider like Login with
1824
+ # Amazon, Facebook, Google, or an OpenID Connect-compatible identity
1825
+ # provider. In this case, we recommend that you use [Amazon Cognito][3]
1826
+ # or `AssumeRoleWithWebIdentity`. For more information, see [Federation
1827
+ # Through a Web-based Identity Provider][4] in the *IAM User Guide*.
1828
+ #
1829
+ # </note>
1830
+ #
1831
+ # You can also call `GetFederationToken` using the security credentials
1832
+ # of an Amazon Web Services account root user, but we do not recommend
1833
+ # it. Instead, we recommend that you create an IAM user for the purpose
1834
+ # of the proxy application. Then attach a policy to the IAM user that
1835
+ # limits federated users to only the actions and resources that they
1836
+ # need to access. For more information, see [IAM Best Practices][5] in
1837
+ # the *IAM User Guide*.
1745
1838
  #
1746
1839
  # **Session duration**
1747
1840
  #
1748
1841
  # The temporary credentials are valid for the specified duration, from
1749
1842
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1750
1843
  # hours). The default session duration is 43,200 seconds (12 hours).
1751
- # Temporary credentials that are obtained by using AWS account root user
1752
- # credentials have a maximum duration of 3,600 seconds (1 hour).
1844
+ # Temporary credentials that are obtained by using Amazon Web Services
1845
+ # account root user credentials have a maximum duration of 3,600 seconds
1846
+ # (1 hour).
1753
1847
  #
1754
1848
  # **Permissions**
1755
1849
  #
1756
1850
  # You can use the temporary credentials created by `GetFederationToken`
1757
- # in any AWS service except the following:
1851
+ # in any Amazon Web Services service except the following:
1758
1852
  #
1759
- # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1853
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1854
+ # Services API.
1760
1855
  #
1761
1856
  # * You cannot call any STS operations except `GetCallerIdentity`.
1762
1857
  #
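Review bot: The added comment lines in this hunk duplicate documentation that is still present as unchanged context: the new block introduces `# **Session duration**`, `# **Permissions**`, `# **Tags**`, a second copy of the web-identity `<note>` and a second copy of the "You can also call `GetFederationToken` using the security credentials of an Amazon Web Services account root user" paragraph, and the context lines that follow start again at `# **Session duration**`. In the rendered API docs the root-user recommendation, the 3,600-second root session limit and the session-policy rules would each appear twice, which makes it harder to tell which statement of the limits is authoritative. I would keep only the reworded root-user paragraph and drop the added lines from the first `# **Session duration**` through the second `# the *IAM User Guide*.`. The method's comment block starts and ends outside this hunk, so the rest of the doc is not checked here. If this file is generated from a service model, the correction presumably belongs in that model rather than in this file.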
@@ -1857,19 +1952,19 @@ module Aws::STS
1857
1952
  # are granted in addition to the permissions that are granted by the
1858
1953
  # session policies.
1859
1954
  #
1860
- # The plain text that you use for both inline and managed session
1955
+ # The plaintext that you use for both inline and managed session
1861
1956
  # policies can't exceed 2,048 characters. The JSON policy characters
1862
1957
  # can be any ASCII character from the space character to the end of the
1863
1958
  # valid character list (\\u0020 through \\u00FF). It can also include
1864
1959
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1865
1960
  # characters.
1866
1961
  #
1867
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1868
- # tags into a packed binary format that has a separate limit. Your
1869
- # request can fail for this limit even if your plain text meets the
1870
- # other requirements. The `PackedPolicySize` response element indicates
1871
- # by percentage how close the policies and tags for your request are to
1872
- # the upper size limit.
1962
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1963
+ # policies and session tags into a packed binary format that has a
1964
+ # separate limit. Your request can fail for this limit even if your
1965
+ # plaintext meets the other requirements. The `PackedPolicySize`
1966
+ # response element indicates by percentage how close the policies and
1967
+ # tags for your request are to the upper size limit.
1873
1968
  #
1874
1969
  # </note>
1875
1970
  #
@@ -1885,11 +1980,12 @@ module Aws::STS
1885
1980
  # You must pass an inline or managed [session policy][1] to this
1886
1981
  # operation. You can pass a single JSON policy document to use as an
1887
1982
  # inline session policy. You can also specify up to 10 managed policies
1888
- # to use as managed session policies. The plain text that you use for
1983
+ # to use as managed session policies. The plaintext that you use for
1889
1984
  # both inline and managed session policies can't exceed 2,048
1890
1985
  # characters. You can provide up to 10 managed policy ARNs. For more
1891
- # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1892
- # Service Namespaces][2] in the AWS General Reference.
1986
+ # information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
1987
+ # Web Services Service Namespaces][2] in the Amazon Web Services General
1988
+ # Reference.
1893
1989
  #
1894
1990
  # This parameter is optional. However, if you do not pass any session
1895
1991
  # policies, then the resulting federated user session has no
@@ -1910,12 +2006,12 @@ module Aws::STS
1910
2006
  # are granted in addition to the permissions that are granted by the
1911
2007
  # session policies.
1912
2008
  #
1913
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1914
- # tags into a packed binary format that has a separate limit. Your
1915
- # request can fail for this limit even if your plain text meets the
1916
- # other requirements. The `PackedPolicySize` response element indicates
1917
- # by percentage how close the policies and tags for your request are to
1918
- # the upper size limit.
2009
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2010
+ # policies and session tags into a packed binary format that has a
2011
+ # separate limit. Your request can fail for this limit even if your
2012
+ # plaintext meets the other requirements. The `PackedPolicySize`
2013
+ # response element indicates by percentage how close the policies and
2014
+ # tags for your request are to the upper size limit.
1919
2015
  #
1920
2016
  # </note>
1921
2017
  #
@@ -1928,10 +2024,10 @@ module Aws::STS
1928
2024
  # The duration, in seconds, that the session should last. Acceptable
1929
2025
  # durations for federation sessions range from 900 seconds (15 minutes)
1930
2026
  # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
1931
- # default. Sessions obtained using AWS account root user credentials are
1932
- # restricted to a maximum of 3,600 seconds (one hour). If the specified
1933
- # duration is longer than one hour, the session obtained by using root
1934
- # user credentials defaults to one hour.
2027
+ # default. Sessions obtained using Amazon Web Services account root user
2028
+ # credentials are restricted to a maximum of 3,600 seconds (one hour).
2029
+ # If the specified duration is longer than one hour, the session
2030
+ # obtained by using root user credentials defaults to one hour.
1935
2031
  #
1936
2032
  # @option params [Array<Types::Tag>] :tags
1937
2033
  # A list of session tags. Each session tag consists of a key name and an
@@ -1939,16 +2035,16 @@ module Aws::STS
1939
2035
  # [Passing Session Tags in STS][1] in the *IAM User Guide*.
1940
2036
  #
1941
2037
  # This parameter is optional. You can pass up to 50 session tags. The
1942
- # plain text session tag keys can’t exceed 128 characters and the values
2038
+ # plaintext session tag keys can’t exceed 128 characters and the values
1943
2039
  # can’t exceed 256 characters. For these and additional limits, see [IAM
1944
2040
  # and STS Character Limits][2] in the *IAM User Guide*.
1945
2041
  #
1946
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1947
- # tags into a packed binary format that has a separate limit. Your
1948
- # request can fail for this limit even if your plain text meets the
1949
- # other requirements. The `PackedPolicySize` response element indicates
1950
- # by percentage how close the policies and tags for your request are to
1951
- # the upper size limit.
2042
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2043
+ # policies and session tags into a packed binary format that has a
2044
+ # separate limit. Your request can fail for this limit even if your
2045
+ # plaintext meets the other requirements. The `PackedPolicySize`
2046
+ # response element indicates by percentage how close the policies and
2047
+ # tags for your request are to the upper size limit.
1952
2048
  #
1953
2049
  # </note>
1954
2050
  #
@@ -2046,37 +2142,38 @@ module Aws::STS
2046
2142
  req.send_request(options)
2047
2143
  end
2048
2144
 
2049
- # Returns a set of temporary credentials for an AWS account or IAM user.
2050
- # The credentials consist of an access key ID, a secret access key, and
2051
- # a security token. Typically, you use `GetSessionToken` if you want to
2052
- # use MFA to protect programmatic calls to specific AWS API operations
2053
- # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
2054
- # call `GetSessionToken` and submit an MFA code that is associated with
2055
- # their MFA device. Using the temporary security credentials that are
2056
- # returned from the call, IAM users can then make programmatic calls to
2057
- # API operations that require MFA authentication. If you do not supply a
2145
+ # Returns a set of temporary credentials for an Amazon Web Services
2146
+ # account or IAM user. The credentials consist of an access key ID, a
2147
+ # secret access key, and a security token. Typically, you use
2148
+ # `GetSessionToken` if you want to use MFA to protect programmatic calls
2149
+ # to specific Amazon Web Services API operations like Amazon EC2
2150
+ # `StopInstances`. MFA-enabled IAM users would need to call
2151
+ # `GetSessionToken` and submit an MFA code that is associated with their
2152
+ # MFA device. Using the temporary security credentials that are returned
2153
+ # from the call, IAM users can then make programmatic calls to API
2154
+ # operations that require MFA authentication. If you do not supply a
2058
2155
  # correct MFA code, then the API returns an access denied error. For a
2059
2156
  # comparison of `GetSessionToken` with the other API operations that
2060
2157
  # produce temporary credentials, see [Requesting Temporary Security
2061
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
2062
- # *IAM User Guide*.
2158
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
2159
+ # User Guide*.
2063
2160
  #
2064
2161
  # **Session Duration**
2065
2162
  #
2066
2163
  # The `GetSessionToken` operation must be called by using the long-term
2067
- # AWS security credentials of the AWS account root user or an IAM user.
2068
- # Credentials that are created by IAM users are valid for the duration
2069
- # that you specify. This duration can range from 900 seconds (15
2070
- # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
2071
- # of 43,200 seconds (12 hours). Credentials based on account credentials
2072
- # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
2073
- # with a default of 1 hour.
2164
+ # Amazon Web Services security credentials of the Amazon Web Services
2165
+ # account root user or an IAM user. Credentials that are created by IAM
2166
+ # users are valid for the duration that you specify. This duration can
2167
+ # range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
2168
+ # (36 hours), with a default of 43,200 seconds (12 hours). Credentials
2169
+ # based on account credentials can range from 900 seconds (15 minutes)
2170
+ # up to 3,600 seconds (1 hour), with a default of 1 hour.
2074
2171
  #
2075
2172
  # **Permissions**
2076
2173
  #
2077
2174
  # The temporary security credentials created by `GetSessionToken` can be
2078
- # used to make API calls to any AWS service with the following
2079
- # exceptions:
2175
+ # used to make API calls to any Amazon Web Services service with the
2176
+ # following exceptions:
2080
2177
  #
2081
2178
  # * You cannot call any IAM API operations unless MFA authentication
2082
2179
  # information is included in the request.
@@ -2084,20 +2181,21 @@ module Aws::STS
2084
2181
  # * You cannot call any STS API *except* `AssumeRole` or
2085
2182
  # `GetCallerIdentity`.
2086
2183
  #
2087
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
2088
- # root user credentials. Instead, follow our [best practices][3] by
2089
- # creating one or more IAM users, giving them the necessary permissions,
2090
- # and using IAM users for everyday interaction with AWS.
2184
+ # <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
2185
+ # Services account root user credentials. Instead, follow our [best
2186
+ # practices][3] by creating one or more IAM users, giving them the
2187
+ # necessary permissions, and using IAM users for everyday interaction
2188
+ # with Amazon Web Services.
2091
2189
  #
2092
2190
  # </note>
2093
2191
  #
2094
2192
  # The credentials that are returned by `GetSessionToken` are based on
2095
2193
  # permissions associated with the user whose credentials were used to
2096
- # call the operation. If `GetSessionToken` is called using AWS account
2097
- # root user credentials, the temporary credentials have root user
2098
- # permissions. Similarly, if `GetSessionToken` is called using the
2099
- # credentials of an IAM user, the temporary credentials have the same
2100
- # permissions as the IAM user.
2194
+ # call the operation. If `GetSessionToken` is called using Amazon Web
2195
+ # Services account root user credentials, the temporary credentials have
2196
+ # root user permissions. Similarly, if `GetSessionToken` is called using
2197
+ # the credentials of an IAM user, the temporary credentials have the
2198
+ # same permissions as the IAM user.
2101
2199
  #
2102
2200
  # For more information about using `GetSessionToken` to create temporary
2103
2201
  # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -2114,9 +2212,10 @@ module Aws::STS
2114
2212
  # The duration, in seconds, that the credentials should remain valid.
2115
2213
  # Acceptable durations for IAM user sessions range from 900 seconds (15
2116
2214
  # minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
2117
- # as the default. Sessions for AWS account owners are restricted to a
2118
- # maximum of 3,600 seconds (one hour). If the duration is longer than
2119
- # one hour, the session for AWS account owners defaults to one hour.
2215
+ # as the default. Sessions for Amazon Web Services account owners are
2216
+ # restricted to a maximum of 3,600 seconds (one hour). If the duration
2217
+ # is longer than one hour, the session for Amazon Web Services account
2218
+ # owners defaults to one hour.
2120
2219
  #
2121
2220
  # @option params [String] :serial_number
2122
2221
  # The identification number of the MFA device that is associated with
@@ -2125,8 +2224,8 @@ module Aws::STS
2125
2224
  # The value is either the serial number for a hardware device (such as
2126
2225
  # `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
2127
2226
  # (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
2128
- # device for an IAM user by going to the AWS Management Console and
2129
- # viewing the user's security credentials.
2227
+ # device for an IAM user by going to the Management Console and viewing
2228
+ # the user's security credentials.
2130
2229
  #
2131
2230
  # The regex used to validate this parameter is a string of characters
2132
2231
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -2204,7 +2303,7 @@ module Aws::STS
2204
2303
  params: params,
2205
2304
  config: config)
2206
2305
  context[:gem_name] = 'aws-sdk-core'
2207
- context[:gem_version] = '3.113.1'
2306
+ context[:gem_version] = '3.118.0'
2208
2307
  Seahorse::Client::Request.new(handlers, context)
2209
2308
  end
2210
2309