aws-sdk-core 3.113.1 → 3.118.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +4 -4
- data/CHANGELOG.md +43 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ec2_metadata.rb +24 -5
- data/lib/aws-sdk-core/errors.rb +4 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +39 -4
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +7 -1
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +8 -0
- data/lib/aws-sdk-core/shared_config.rb +21 -1
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +1 -2
- data/lib/aws-sdk-core/structure.rb +10 -1
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +464 -365
- data/lib/aws-sdk-sts/client_api.rb +5 -0
- data/lib/aws-sdk-sts/types.rb +307 -178
- data/lib/seahorse/client/h2/connection.rb +11 -6
- data/lib/seahorse/model/shapes.rb +20 -0
- metadata +3 -4
@@ -11,7 +11,7 @@ module Aws
|
|
11
11
|
def initialize(rules, options = {})
|
12
12
|
@rules = rules
|
13
13
|
@xml = options[:target] || []
|
14
|
-
indent = options[:indent] || '
|
14
|
+
indent = options[:indent] || ''
|
15
15
|
pad = options[:pad] || ''
|
16
16
|
@builder = DocBuilder.new(target: @xml, indent: indent, pad: pad)
|
17
17
|
end
|
@@ -95,6 +95,8 @@ module Aws
|
|
95
95
|
def child_frame(xml_name)
|
96
96
|
if @member = @members[xml_name]
|
97
97
|
Frame.new(xml_name, self, @member[:ref])
|
98
|
+
elsif @ref.shape.union
|
99
|
+
UnknownMemberFrame.new(xml_name, self, nil, @result)
|
98
100
|
else
|
99
101
|
NullFrame.new(xml_name, self)
|
100
102
|
end
|
@@ -106,10 +108,24 @@ module Aws
|
|
106
108
|
@result[@member[:name]][child.key.result] = child.value.result
|
107
109
|
when FlatListFrame
|
108
110
|
@result[@member[:name]] << child.result
|
111
|
+
when UnknownMemberFrame
|
112
|
+
@result[:unknown] = { 'name' => child.path.last, 'value' => child.result }
|
109
113
|
when NullFrame
|
110
114
|
else
|
111
115
|
@result[@member[:name]] = child.result
|
112
116
|
end
|
117
|
+
|
118
|
+
if @ref.shape.union
|
119
|
+
# a union may only have one member set
|
120
|
+
# convert to the union subclass
|
121
|
+
# The default Struct created will have defaults set for all values
|
122
|
+
# This also sets only one of the values leaving everything else nil
|
123
|
+
# as required for unions
|
124
|
+
set_member_name = @member ? @member[:name] : :unknown
|
125
|
+
member_subclass = @ref.shape.member_subclass(set_member_name).new # shape.member_subclass(target.member).new
|
126
|
+
member_subclass[set_member_name] = @result[set_member_name]
|
127
|
+
@result = member_subclass
|
128
|
+
end
|
113
129
|
end
|
114
130
|
|
115
131
|
private
|
@@ -242,6 +258,12 @@ module Aws
|
|
242
258
|
end
|
243
259
|
end
|
244
260
|
|
261
|
+
class UnknownMemberFrame < Frame
|
262
|
+
def result
|
263
|
+
@text.join
|
264
|
+
end
|
265
|
+
end
|
266
|
+
|
245
267
|
class BlobFrame < Frame
|
246
268
|
def result
|
247
269
|
@text.empty? ? nil : Base64.decode64(@text.join)
|
@@ -302,6 +324,7 @@ module Aws
|
|
302
324
|
MapShape => MapFrame,
|
303
325
|
StringShape => StringFrame,
|
304
326
|
StructureShape => StructureFrame,
|
327
|
+
UnionShape => StructureFrame,
|
305
328
|
TimestampShape => TimestampFrame,
|
306
329
|
}
|
307
330
|
|
data/lib/aws-sdk-sso.rb
CHANGED
data/lib/aws-sdk-sso/client.rb
CHANGED
data/lib/aws-sdk-sts.rb
CHANGED
data/lib/aws-sdk-sts/client.rb
CHANGED
@@ -335,65 +335,38 @@ module Aws::STS
|
|
335
335
|
# @!group API Operations
|
336
336
|
|
337
337
|
# Returns a set of temporary security credentials that you can use to
|
338
|
-
# access
|
339
|
-
# temporary credentials consist of an access key ID, a
|
340
|
-
# key, and a security token. Typically, you use
|
341
|
-
# account or for cross-account access. For a
|
342
|
-
# with other API operations that produce
|
343
|
-
# [Requesting Temporary Security
|
344
|
-
# STS API operations][2] in the *IAM
|
345
|
-
#
|
346
|
-
# You cannot use AWS account root user credentials to call `AssumeRole`.
|
347
|
-
# You must use credentials for an IAM user or an IAM role to call
|
348
|
-
# `AssumeRole`.
|
349
|
-
#
|
350
|
-
# For cross-account access, imagine that you own multiple accounts and
|
351
|
-
# need to access resources in each account. You could create long-term
|
352
|
-
# credentials in each account to access those resources. However,
|
353
|
-
# managing all those credentials and remembering which one can access
|
354
|
-
# which account can be time consuming. Instead, you can create one set
|
355
|
-
# of long-term credentials in one account. Then use temporary security
|
356
|
-
# credentials to access all the other accounts by assuming roles in
|
357
|
-
# those accounts. For more information about roles, see [IAM Roles][3]
|
358
|
-
# in the *IAM User Guide*.
|
359
|
-
#
|
360
|
-
# **Session Duration**
|
361
|
-
#
|
362
|
-
# By default, the temporary security credentials created by `AssumeRole`
|
363
|
-
# last for one hour. However, you can use the optional `DurationSeconds`
|
364
|
-
# parameter to specify the duration of your session. You can provide a
|
365
|
-
# value from 900 seconds (15 minutes) up to the maximum session duration
|
366
|
-
# setting for the role. This setting can have a value from 1 hour to 12
|
367
|
-
# hours. To learn how to view the maximum value for your role, see [View
|
368
|
-
# the Maximum Session Duration Setting for a Role][4] in the *IAM User
|
369
|
-
# Guide*. The maximum session duration limit applies when you use the
|
370
|
-
# `AssumeRole*` API operations or the `assume-role*` CLI commands.
|
371
|
-
# However the limit does not apply when you use those operations to
|
372
|
-
# create a console URL. For more information, see [Using IAM Roles][5]
|
373
|
-
# in the *IAM User Guide*.
|
338
|
+
# access Amazon Web Services resources that you might not normally have
|
339
|
+
# access to. These temporary credentials consist of an access key ID, a
|
340
|
+
# secret access key, and a security token. Typically, you use
|
341
|
+
# `AssumeRole` within your account or for cross-account access. For a
|
342
|
+
# comparison of `AssumeRole` with other API operations that produce
|
343
|
+
# temporary credentials, see [Requesting Temporary Security
|
344
|
+
# Credentials][1] and [Comparing the STS API operations][2] in the *IAM
|
345
|
+
# User Guide*.
|
374
346
|
#
|
375
347
|
# **Permissions**
|
376
348
|
#
|
377
349
|
# The temporary security credentials created by `AssumeRole` can be used
|
378
|
-
# to make API calls to any
|
379
|
-
# cannot call the
|
380
|
-
# operations.
|
350
|
+
# to make API calls to any Amazon Web Services service with the
|
351
|
+
# following exception: You cannot call the STS `GetFederationToken` or
|
352
|
+
# `GetSessionToken` API operations.
|
381
353
|
#
|
382
|
-
# (Optional) You can pass inline or managed [session policies][
|
354
|
+
# (Optional) You can pass inline or managed [session policies][3] to
|
383
355
|
# this operation. You can pass a single JSON policy document to use as
|
384
356
|
# an inline session policy. You can also specify up to 10 managed
|
385
|
-
# policies to use as managed session policies. The
|
357
|
+
# policies to use as managed session policies. The plaintext that you
|
386
358
|
# use for both inline and managed session policies can't exceed 2,048
|
387
359
|
# characters. Passing policies to this operation returns new temporary
|
388
360
|
# credentials. The resulting session's permissions are the intersection
|
389
361
|
# of the role's identity-based policy and the session policies. You can
|
390
|
-
# use the role's temporary credentials in subsequent
|
391
|
-
# access resources in the account that owns the
|
392
|
-
# session policies to grant more permissions than
|
393
|
-
# identity-based policy of the role that is being
|
394
|
-
# information, see [Session Policies][
|
362
|
+
# use the role's temporary credentials in subsequent Amazon Web
|
363
|
+
# Services API calls to access resources in the account that owns the
|
364
|
+
# role. You cannot use session policies to grant more permissions than
|
365
|
+
# those allowed by the identity-based policy of the role that is being
|
366
|
+
# assumed. For more information, see [Session Policies][3] in the *IAM
|
367
|
+
# User Guide*.
|
395
368
|
#
|
396
|
-
# To assume a role from a different account, your
|
369
|
+
# To assume a role from a different account, your account must be
|
397
370
|
# trusted by the role. The trust relationship is defined in the role's
|
398
371
|
# trust policy when the role is created. That trust policy states which
|
399
372
|
# accounts are allowed to delegate that access to users in the account.
|
@@ -413,41 +386,41 @@ module Aws::STS
|
|
413
386
|
# In this case, the trust policy acts as an IAM resource-based policy.
|
414
387
|
# Users in the same account as the role do not need explicit permission
|
415
388
|
# to assume the role. For more information about trust policies and
|
416
|
-
# resource-based policies, see [IAM Policies][
|
389
|
+
# resource-based policies, see [IAM Policies][4] in the *IAM User
|
417
390
|
# Guide*.
|
418
391
|
#
|
419
392
|
# **Tags**
|
420
393
|
#
|
421
394
|
# (Optional) You can pass tag key-value pairs to your session. These
|
422
395
|
# tags are called session tags. For more information about session tags,
|
423
|
-
# see [Passing Session Tags in STS][
|
396
|
+
# see [Passing Session Tags in STS][5] in the *IAM User Guide*.
|
424
397
|
#
|
425
398
|
# An administrator must grant you the permissions necessary to pass
|
426
399
|
# session tags. The administrator can also create granular permissions
|
427
400
|
# to allow you to pass only specific session tags. For more information,
|
428
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
401
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][6] in
|
429
402
|
# the *IAM User Guide*.
|
430
403
|
#
|
431
404
|
# You can set the session tags as transitive. Transitive tags persist
|
432
405
|
# during role chaining. For more information, see [Chaining Roles with
|
433
|
-
# Session Tags][
|
406
|
+
# Session Tags][7] in the *IAM User Guide*.
|
434
407
|
#
|
435
408
|
# **Using MFA with AssumeRole**
|
436
409
|
#
|
437
410
|
# (Optional) You can include multi-factor authentication (MFA)
|
438
411
|
# information when you call `AssumeRole`. This is useful for
|
439
412
|
# cross-account scenarios to ensure that the user that assumes the role
|
440
|
-
# has been authenticated with an
|
441
|
-
# trust policy of the role being assumed includes a
|
442
|
-
# for MFA authentication. If the caller does not
|
443
|
-
# information, the request to assume the role is
|
444
|
-
# in a trust policy that tests for MFA
|
445
|
-
# the following example.
|
413
|
+
# has been authenticated with an Amazon Web Services MFA device. In that
|
414
|
+
# scenario, the trust policy of the role being assumed includes a
|
415
|
+
# condition that tests for MFA authentication. If the caller does not
|
416
|
+
# include valid MFA information, the request to assume the role is
|
417
|
+
# denied. The condition in a trust policy that tests for MFA
|
418
|
+
# authentication might look like the following example.
|
446
419
|
#
|
447
420
|
# `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
|
448
421
|
#
|
449
|
-
# For more information, see [Configuring MFA-Protected API Access][
|
450
|
-
#
|
422
|
+
# For more information, see [Configuring MFA-Protected API Access][8] in
|
423
|
+
# the *IAM User Guide* guide.
|
451
424
|
#
|
452
425
|
# To use MFA with `AssumeRole`, you pass values for the `SerialNumber`
|
453
426
|
# and `TokenCode` parameters. The `SerialNumber` value identifies the
|
@@ -458,15 +431,12 @@ module Aws::STS
|
|
458
431
|
#
|
459
432
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html
|
460
433
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
461
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
462
|
-
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
463
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
464
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
465
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
466
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
467
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
468
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
469
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
434
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
435
|
+
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html
|
436
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
437
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
438
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
439
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/MFAProtectedAPI.html
|
470
440
|
#
|
471
441
|
# @option params [required, String] :role_arn
|
472
442
|
# The Amazon Resource Name (ARN) of the role to assume.
|
@@ -481,7 +451,7 @@ module Aws::STS
|
|
481
451
|
# also used in the ARN of the assumed role principal. This means that
|
482
452
|
# subsequent cross-account API requests that use the temporary security
|
483
453
|
# credentials will expose the role session name to the external account
|
484
|
-
# in their
|
454
|
+
# in their CloudTrail logs.
|
485
455
|
#
|
486
456
|
# The regex used to validate this parameter is a string of characters
|
487
457
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -494,28 +464,29 @@ module Aws::STS
|
|
494
464
|
# the same account as the role.
|
495
465
|
#
|
496
466
|
# This parameter is optional. You can provide up to 10 managed policy
|
497
|
-
# ARNs. However, the
|
467
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
498
468
|
# session policies can't exceed 2,048 characters. For more information
|
499
|
-
# about ARNs, see [Amazon Resource Names (ARNs) and
|
500
|
-
# Namespaces][1] in the
|
469
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
470
|
+
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
501
471
|
#
|
502
|
-
# <note markdown="1"> An
|
503
|
-
# tags into a packed binary format that has a
|
504
|
-
# request can fail for this limit even if your
|
505
|
-
# other requirements. The `PackedPolicySize`
|
506
|
-
# by percentage how close the policies and
|
507
|
-
# the upper size limit.
|
472
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
473
|
+
# policies and session tags into a packed binary format that has a
|
474
|
+
# separate limit. Your request can fail for this limit even if your
|
475
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
476
|
+
# response element indicates by percentage how close the policies and
|
477
|
+
# tags for your request are to the upper size limit.
|
508
478
|
#
|
509
479
|
# </note>
|
510
480
|
#
|
511
481
|
# Passing policies to this operation returns new temporary credentials.
|
512
482
|
# The resulting session's permissions are the intersection of the
|
513
483
|
# role's identity-based policy and the session policies. You can use
|
514
|
-
# the role's temporary credentials in subsequent
|
515
|
-
# access resources in the account that owns the role. You
|
516
|
-
# session policies to grant more permissions than those
|
517
|
-
# identity-based policy of the role that is being
|
518
|
-
# information, see [Session Policies][2] in the *IAM
|
484
|
+
# the role's temporary credentials in subsequent Amazon Web Services
|
485
|
+
# API calls to access resources in the account that owns the role. You
|
486
|
+
# cannot use session policies to grant more permissions than those
|
487
|
+
# allowed by the identity-based policy of the role that is being
|
488
|
+
# assumed. For more information, see [Session Policies][2] in the *IAM
|
489
|
+
# User Guide*.
|
519
490
|
#
|
520
491
|
#
|
521
492
|
#
|
@@ -530,25 +501,25 @@ module Aws::STS
|
|
530
501
|
# new temporary credentials. The resulting session's permissions are
|
531
502
|
# the intersection of the role's identity-based policy and the session
|
532
503
|
# policies. You can use the role's temporary credentials in subsequent
|
533
|
-
#
|
534
|
-
# You cannot use session policies to grant more
|
535
|
-
# allowed by the identity-based policy of the
|
536
|
-
# assumed. For more information, see [Session
|
537
|
-
# User Guide*.
|
504
|
+
# Amazon Web Services API calls to access resources in the account that
|
505
|
+
# owns the role. You cannot use session policies to grant more
|
506
|
+
# permissions than those allowed by the identity-based policy of the
|
507
|
+
# role that is being assumed. For more information, see [Session
|
508
|
+
# Policies][1] in the *IAM User Guide*.
|
538
509
|
#
|
539
|
-
# The
|
510
|
+
# The plaintext that you use for both inline and managed session
|
540
511
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
541
512
|
# can be any ASCII character from the space character to the end of the
|
542
513
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
543
514
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
544
515
|
# characters.
|
545
516
|
#
|
546
|
-
# <note markdown="1"> An
|
547
|
-
# tags into a packed binary format that has a
|
548
|
-
# request can fail for this limit even if your
|
549
|
-
# other requirements. The `PackedPolicySize`
|
550
|
-
# by percentage how close the policies and
|
551
|
-
# the upper size limit.
|
517
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
518
|
+
# policies and session tags into a packed binary format that has a
|
519
|
+
# separate limit. Your request can fail for this limit even if your
|
520
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
521
|
+
# response element indicates by percentage how close the policies and
|
522
|
+
# tags for your request are to the upper size limit.
|
552
523
|
#
|
553
524
|
# </note>
|
554
525
|
#
|
@@ -557,15 +528,16 @@ module Aws::STS
|
|
557
528
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
558
529
|
#
|
559
530
|
# @option params [Integer] :duration_seconds
|
560
|
-
# The duration, in seconds, of the role session. The value can
|
561
|
-
# from 900 seconds (15 minutes) up to the maximum session
|
562
|
-
#
|
563
|
-
#
|
564
|
-
#
|
565
|
-
#
|
566
|
-
#
|
567
|
-
#
|
568
|
-
#
|
531
|
+
# The duration, in seconds, of the role session. The value specified can
|
532
|
+
# can range from 900 seconds (15 minutes) up to the maximum session
|
533
|
+
# duration that is set for the role. The maximum session duration
|
534
|
+
# setting can have a value from 1 hour to 12 hours. If you specify a
|
535
|
+
# value higher than this setting or the administrator setting (whichever
|
536
|
+
# is lower), the operation fails. For example, if you specify a session
|
537
|
+
# duration of 12 hours, but your administrator set the maximum session
|
538
|
+
# duration to 6 hours, your operation fails. To learn how to view the
|
539
|
+
# maximum value for your role, see [View the Maximum Session Duration
|
540
|
+
# Setting for a Role][1] in the *IAM User Guide*.
|
569
541
|
#
|
570
542
|
# By default, the value is set to `3600` seconds.
|
571
543
|
#
|
@@ -574,8 +546,8 @@ module Aws::STS
|
|
574
546
|
# The request to the federation endpoint for a console sign-in token
|
575
547
|
# takes a `SessionDuration` parameter that specifies the maximum length
|
576
548
|
# of the console session. For more information, see [Creating a URL that
|
577
|
-
# Enables Federated Users to Access the
|
578
|
-
#
|
549
|
+
# Enables Federated Users to Access the Management Console][2] in the
|
550
|
+
# *IAM User Guide*.
|
579
551
|
#
|
580
552
|
# </note>
|
581
553
|
#
|
@@ -587,20 +559,20 @@ module Aws::STS
|
|
587
559
|
# @option params [Array<Types::Tag>] :tags
|
588
560
|
# A list of session tags that you want to pass. Each session tag
|
589
561
|
# consists of a key name and an associated value. For more information
|
590
|
-
# about session tags, see [Tagging
|
562
|
+
# about session tags, see [Tagging STS Sessions][1] in the *IAM User
|
591
563
|
# Guide*.
|
592
564
|
#
|
593
565
|
# This parameter is optional. You can pass up to 50 session tags. The
|
594
|
-
#
|
595
|
-
#
|
596
|
-
#
|
566
|
+
# plaintext session tag keys can’t exceed 128 characters, and the values
|
567
|
+
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
568
|
+
# and STS Character Limits][2] in the *IAM User Guide*.
|
597
569
|
#
|
598
|
-
# <note markdown="1"> An
|
599
|
-
# tags into a packed binary format that has a
|
600
|
-
# request can fail for this limit even if your
|
601
|
-
# other requirements. The `PackedPolicySize`
|
602
|
-
# by percentage how close the policies and
|
603
|
-
# the upper size limit.
|
570
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
571
|
+
# policies and session tags into a packed binary format that has a
|
572
|
+
# separate limit. Your request can fail for this limit even if your
|
573
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
574
|
+
# response element indicates by percentage how close the policies and
|
575
|
+
# tags for your request are to the upper size limit.
|
604
576
|
#
|
605
577
|
# </note>
|
606
578
|
#
|
@@ -619,8 +591,8 @@ module Aws::STS
|
|
619
591
|
# operation, the new session inherits any transitive session tags from
|
620
592
|
# the calling session. If you pass a session tag with the same key as an
|
621
593
|
# inherited tag, the operation fails. To view the inherited tags for a
|
622
|
-
# session, see the
|
623
|
-
#
|
594
|
+
# session, see the CloudTrail logs. For more information, see [Viewing
|
595
|
+
# Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
624
596
|
#
|
625
597
|
#
|
626
598
|
#
|
@@ -656,7 +628,8 @@ module Aws::STS
|
|
656
628
|
# trusted account. That way, only someone with the ID can assume the
|
657
629
|
# role, rather than everyone in the account. For more information about
|
658
630
|
# the external ID, see [How to Use an External ID When Granting Access
|
659
|
-
# to Your
|
631
|
+
# to Your Amazon Web Services Resources to a Third Party][1] in the *IAM
|
632
|
+
# User Guide*.
|
660
633
|
#
|
661
634
|
# The regex used to validate this parameter is a string of characters
|
662
635
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -683,7 +656,7 @@ module Aws::STS
|
|
683
656
|
#
|
684
657
|
# @option params [String] :token_code
|
685
658
|
# The value provided by the MFA device, if the trust policy of the role
|
686
|
-
# being assumed requires MFA (
|
659
|
+
# being assumed requires MFA. (In other words, if the policy includes a
|
687
660
|
# condition that tests for MFA). If the role being assumed requires MFA
|
688
661
|
# and if the `TokenCode` value is missing or expired, the `AssumeRole`
|
689
662
|
# call returns an "access denied" error.
|
@@ -691,11 +664,35 @@ module Aws::STS
|
|
691
664
|
# The format for this parameter, as described by its regex pattern, is a
|
692
665
|
# sequence of six numeric digits.
|
693
666
|
#
|
667
|
+
# @option params [String] :source_identity
|
668
|
+
# The source identity specified by the principal that is calling the
|
669
|
+
# `AssumeRole` operation.
|
670
|
+
#
|
671
|
+
# You can require users to specify a source identity when they assume a
|
672
|
+
# role. You do this by using the `sts:SourceIdentity` condition key in a
|
673
|
+
# role trust policy. You can use source identity information in
|
674
|
+
# CloudTrail logs to determine who took actions with a role. You can use
|
675
|
+
# the `aws:SourceIdentity` condition key to further control access to
|
676
|
+
# Amazon Web Services resources based on the value of source identity.
|
677
|
+
# For more information about using source identity, see [Monitor and
|
678
|
+
# control actions taken with assumed roles][1] in the *IAM User Guide*.
|
679
|
+
#
|
680
|
+
# The regex used to validate this parameter is a string of characters
|
681
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
682
|
+
# spaces. You can also include underscores or any of the following
|
683
|
+
# characters: =,.@-. You cannot use a value that begins with the text
|
684
|
+
# `aws:`. This prefix is reserved for Amazon Web Services internal use.
|
685
|
+
#
|
686
|
+
#
|
687
|
+
#
|
688
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
689
|
+
#
|
694
690
|
# @return [Types::AssumeRoleResponse] Returns a {Seahorse::Client::Response response} object which responds to the following methods:
|
695
691
|
#
|
696
692
|
# * {Types::AssumeRoleResponse#credentials #credentials} => Types::Credentials
|
697
693
|
# * {Types::AssumeRoleResponse#assumed_role_user #assumed_role_user} => Types::AssumedRoleUser
|
698
694
|
# * {Types::AssumeRoleResponse#packed_policy_size #packed_policy_size} => Integer
|
695
|
+
# * {Types::AssumeRoleResponse#source_identity #source_identity} => String
|
699
696
|
#
|
700
697
|
#
|
701
698
|
# @example Example: To assume a role
|
@@ -762,6 +759,7 @@ module Aws::STS
|
|
762
759
|
# external_id: "externalIdType",
|
763
760
|
# serial_number: "serialNumberType",
|
764
761
|
# token_code: "tokenCodeType",
|
762
|
+
# source_identity: "sourceIdentityType",
|
765
763
|
# })
|
766
764
|
#
|
767
765
|
# @example Response structure
|
@@ -773,6 +771,7 @@ module Aws::STS
|
|
773
771
|
# resp.assumed_role_user.assumed_role_id #=> String
|
774
772
|
# resp.assumed_role_user.arn #=> String
|
775
773
|
# resp.packed_policy_size #=> Integer
|
774
|
+
# resp.source_identity #=> String
|
776
775
|
#
|
777
776
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRole AWS API Documentation
|
778
777
|
#
|
@@ -786,16 +785,17 @@ module Aws::STS
|
|
786
785
|
# Returns a set of temporary security credentials for users who have
|
787
786
|
# been authenticated via a SAML authentication response. This operation
|
788
787
|
# provides a mechanism for tying an enterprise identity store or
|
789
|
-
# directory to role-based
|
790
|
-
# or configuration. For a comparison of
|
791
|
-
# other API operations that produce
|
792
|
-
# [Requesting Temporary Security
|
793
|
-
# STS API operations][2] in the *IAM
|
788
|
+
# directory to role-based Amazon Web Services access without
|
789
|
+
# user-specific credentials or configuration. For a comparison of
|
790
|
+
# `AssumeRoleWithSAML` with the other API operations that produce
|
791
|
+
# temporary credentials, see [Requesting Temporary Security
|
792
|
+
# Credentials][1] and [Comparing the STS API operations][2] in the *IAM
|
793
|
+
# User Guide*.
|
794
794
|
#
|
795
795
|
# The temporary security credentials returned by this operation consist
|
796
796
|
# of an access key ID, a secret access key, and a security token.
|
797
797
|
# Applications can use these temporary security credentials to sign
|
798
|
-
# calls to
|
798
|
+
# calls to Amazon Web Services services.
|
799
799
|
#
|
800
800
|
# **Session Duration**
|
801
801
|
#
|
@@ -815,37 +815,49 @@ module Aws::STS
|
|
815
815
|
# use those operations to create a console URL. For more information,
|
816
816
|
# see [Using IAM Roles][4] in the *IAM User Guide*.
|
817
817
|
#
|
818
|
+
# <note markdown="1"> [Role chaining][5] limits your CLI or Amazon Web Services API role
|
819
|
+
# session to a maximum of one hour. When you use the `AssumeRole` API
|
820
|
+
# operation to assume a role, you can specify the duration of your role
|
821
|
+
# session with the `DurationSeconds` parameter. You can specify a
|
822
|
+
# parameter value of up to 43200 seconds (12 hours), depending on the
|
823
|
+
# maximum session duration setting for your role. However, if you assume
|
824
|
+
# a role using role chaining and provide a `DurationSeconds` parameter
|
825
|
+
# value greater than one hour, the operation fails.
|
826
|
+
#
|
827
|
+
# </note>
|
828
|
+
#
|
818
829
|
# **Permissions**
|
819
830
|
#
|
820
831
|
# The temporary security credentials created by `AssumeRoleWithSAML` can
|
821
|
-
# be used to make API calls to any
|
822
|
-
# exception: you cannot call the STS `GetFederationToken` or
|
832
|
+
# be used to make API calls to any Amazon Web Services service with the
|
833
|
+
# following exception: you cannot call the STS `GetFederationToken` or
|
823
834
|
# `GetSessionToken` API operations.
|
824
835
|
#
|
825
|
-
# (Optional) You can pass inline or managed [session policies][
|
836
|
+
# (Optional) You can pass inline or managed [session policies][6] to
|
826
837
|
# this operation. You can pass a single JSON policy document to use as
|
827
838
|
# an inline session policy. You can also specify up to 10 managed
|
828
|
-
# policies to use as managed session policies. The
|
839
|
+
# policies to use as managed session policies. The plaintext that you
|
829
840
|
# use for both inline and managed session policies can't exceed 2,048
|
830
841
|
# characters. Passing policies to this operation returns new temporary
|
831
842
|
# credentials. The resulting session's permissions are the intersection
|
832
843
|
# of the role's identity-based policy and the session policies. You can
|
833
|
-
# use the role's temporary credentials in subsequent
|
834
|
-
# access resources in the account that owns the
|
835
|
-
# session policies to grant more permissions than
|
836
|
-
# identity-based policy of the role that is being
|
837
|
-
# information, see [Session Policies][
|
838
|
-
#
|
839
|
-
#
|
840
|
-
#
|
841
|
-
#
|
842
|
-
# for
|
843
|
-
#
|
844
|
-
#
|
845
|
-
#
|
846
|
-
#
|
847
|
-
#
|
848
|
-
#
|
844
|
+
# use the role's temporary credentials in subsequent Amazon Web
|
845
|
+
# Services API calls to access resources in the account that owns the
|
846
|
+
# role. You cannot use session policies to grant more permissions than
|
847
|
+
# those allowed by the identity-based policy of the role that is being
|
848
|
+
# assumed. For more information, see [Session Policies][6] in the *IAM
|
849
|
+
# User Guide*.
|
850
|
+
#
|
851
|
+
# Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
|
852
|
+
# Services security credentials. The identity of the caller is validated
|
853
|
+
# by using keys in the metadata document that is uploaded for the SAML
|
854
|
+
# provider entity for your identity provider.
|
855
|
+
#
|
856
|
+
# Calling `AssumeRoleWithSAML` can result in an entry in your CloudTrail
|
857
|
+
# logs. The entry includes the value in the `NameID` element of the SAML
|
858
|
+
# assertion. We recommend that you use a `NameIDType` that is not
|
859
|
+
# associated with any personally identifiable information (PII). For
|
860
|
+
# example, you could instead use the persistent identifier
|
849
861
|
# (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
|
850
862
|
#
|
851
863
|
# **Tags**
|
@@ -853,19 +865,19 @@ module Aws::STS
|
|
853
865
|
# (Optional) You can configure your IdP to pass attributes into your
|
854
866
|
# SAML assertion as session tags. Each session tag consists of a key
|
855
867
|
# name and an associated value. For more information about session tags,
|
856
|
-
# see [Passing Session Tags in STS][
|
868
|
+
# see [Passing Session Tags in STS][7] in the *IAM User Guide*.
|
857
869
|
#
|
858
|
-
# You can pass up to 50 session tags. The
|
870
|
+
# You can pass up to 50 session tags. The plaintext session tag keys
|
859
871
|
# can’t exceed 128 characters and the values can’t exceed 256
|
860
872
|
# characters. For these and additional limits, see [IAM and STS
|
861
|
-
# Character Limits][
|
873
|
+
# Character Limits][8] in the *IAM User Guide*.
|
862
874
|
#
|
863
|
-
# <note markdown="1"> An
|
864
|
-
# tags into a packed binary format that has a
|
865
|
-
# request can fail for this limit even if your
|
866
|
-
# other requirements. The `PackedPolicySize`
|
867
|
-
# by percentage how close the policies and
|
868
|
-
# the upper size limit.
|
875
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
876
|
+
# policies and session tags into a packed binary format that has a
|
877
|
+
# separate limit. Your request can fail for this limit even if your
|
878
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
879
|
+
# response element indicates by percentage how close the policies and
|
880
|
+
# tags for your request are to the upper size limit.
|
869
881
|
#
|
870
882
|
# </note>
|
871
883
|
#
|
@@ -876,32 +888,33 @@ module Aws::STS
|
|
876
888
|
# An administrator must grant you the permissions necessary to pass
|
877
889
|
# session tags. The administrator can also create granular permissions
|
878
890
|
# to allow you to pass only specific session tags. For more information,
|
879
|
-
# see [Tutorial: Using Tags for Attribute-Based Access Control][
|
891
|
+
# see [Tutorial: Using Tags for Attribute-Based Access Control][9] in
|
880
892
|
# the *IAM User Guide*.
|
881
893
|
#
|
882
894
|
# You can set the session tags as transitive. Transitive tags persist
|
883
895
|
# during role chaining. For more information, see [Chaining Roles with
|
884
|
-
# Session Tags][
|
896
|
+
# Session Tags][10] in the *IAM User Guide*.
|
885
897
|
#
|
886
898
|
# **SAML Configuration**
|
887
899
|
#
|
888
900
|
# Before your application can call `AssumeRoleWithSAML`, you must
|
889
901
|
# configure your SAML identity provider (IdP) to issue the claims
|
890
|
-
# required by
|
891
|
-
# Management (IAM) to create a SAML provider entity in your
|
892
|
-
# that represents your identity provider.
|
893
|
-
# role that specifies this SAML provider in
|
902
|
+
# required by Amazon Web Services. Additionally, you must use Identity
|
903
|
+
# and Access Management (IAM) to create a SAML provider entity in your
|
904
|
+
# Amazon Web Services account that represents your identity provider.
|
905
|
+
# You must also create an IAM role that specifies this SAML provider in
|
906
|
+
# its trust policy.
|
894
907
|
#
|
895
908
|
# For more information, see the following resources:
|
896
909
|
#
|
897
|
-
# * [About SAML 2.0-based Federation][
|
910
|
+
# * [About SAML 2.0-based Federation][11] in the *IAM User Guide*.
|
898
911
|
#
|
899
|
-
# * [Creating SAML Identity Providers][
|
912
|
+
# * [Creating SAML Identity Providers][12] in the *IAM User Guide*.
|
900
913
|
#
|
901
|
-
# * [Configuring a Relying Party and Claims][
|
914
|
+
# * [Configuring a Relying Party and Claims][13] in the *IAM User
|
902
915
|
# Guide*.
|
903
916
|
#
|
904
|
-
# * [Creating a Role for SAML 2.0 Federation][
|
917
|
+
# * [Creating a Role for SAML 2.0 Federation][14] in the *IAM User
|
905
918
|
# Guide*.
|
906
919
|
#
|
907
920
|
#
|
@@ -910,15 +923,16 @@ module Aws::STS
|
|
910
923
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_request.html#stsapi_comparison
|
911
924
|
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html#id_roles_use_view-role-max-session
|
912
925
|
# [4]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
|
913
|
-
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
914
|
-
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
915
|
-
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
916
|
-
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
917
|
-
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
918
|
-
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
919
|
-
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
920
|
-
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
921
|
-
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
926
|
+
# [5]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining
|
927
|
+
# [6]: https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html#policies_session
|
928
|
+
# [7]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
929
|
+
# [8]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
930
|
+
# [9]: https://docs.aws.amazon.com/IAM/latest/UserGuide/tutorial_attribute-based-access-control.html
|
931
|
+
# [10]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_role-chaining
|
932
|
+
# [11]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_saml.html
|
933
|
+
# [12]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml.html
|
934
|
+
# [13]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_saml_relying-party.html
|
935
|
+
# [14]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create_for-idp_saml.html
|
922
936
|
#
|
923
937
|
# @option params [required, String] :role_arn
|
924
938
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
@@ -929,7 +943,7 @@ module Aws::STS
|
|
929
943
|
# describes the IdP.
|
930
944
|
#
|
931
945
|
# @option params [required, String] :saml_assertion
|
932
|
-
# The
|
946
|
+
# The base64 encoded SAML authentication response provided by the IdP.
|
933
947
|
#
|
934
948
|
# For more information, see [Configuring a Relying Party and Adding
|
935
949
|
# Claims][1] in the *IAM User Guide*.
|
@@ -944,28 +958,29 @@ module Aws::STS
|
|
944
958
|
# the same account as the role.
|
945
959
|
#
|
946
960
|
# This parameter is optional. You can provide up to 10 managed policy
|
947
|
-
# ARNs. However, the
|
961
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
948
962
|
# session policies can't exceed 2,048 characters. For more information
|
949
|
-
# about ARNs, see [Amazon Resource Names (ARNs) and
|
950
|
-
# Namespaces][1] in the
|
963
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
964
|
+
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
951
965
|
#
|
952
|
-
# <note markdown="1"> An
|
953
|
-
# tags into a packed binary format that has a
|
954
|
-
# request can fail for this limit even if your
|
955
|
-
# other requirements. The `PackedPolicySize`
|
956
|
-
# by percentage how close the policies and
|
957
|
-
# the upper size limit.
|
966
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
967
|
+
# policies and session tags into a packed binary format that has a
|
968
|
+
# separate limit. Your request can fail for this limit even if your
|
969
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
970
|
+
# response element indicates by percentage how close the policies and
|
971
|
+
# tags for your request are to the upper size limit.
|
958
972
|
#
|
959
973
|
# </note>
|
960
974
|
#
|
961
975
|
# Passing policies to this operation returns new temporary credentials.
|
962
976
|
# The resulting session's permissions are the intersection of the
|
963
977
|
# role's identity-based policy and the session policies. You can use
|
964
|
-
# the role's temporary credentials in subsequent
|
965
|
-
# access resources in the account that owns the role. You
|
966
|
-
# session policies to grant more permissions than those
|
967
|
-
# identity-based policy of the role that is being
|
968
|
-
# information, see [Session Policies][2] in the *IAM
|
978
|
+
# the role's temporary credentials in subsequent Amazon Web Services
|
979
|
+
# API calls to access resources in the account that owns the role. You
|
980
|
+
# cannot use session policies to grant more permissions than those
|
981
|
+
# allowed by the identity-based policy of the role that is being
|
982
|
+
# assumed. For more information, see [Session Policies][2] in the *IAM
|
983
|
+
# User Guide*.
|
969
984
|
#
|
970
985
|
#
|
971
986
|
#
|
@@ -980,25 +995,25 @@ module Aws::STS
|
|
980
995
|
# new temporary credentials. The resulting session's permissions are
|
981
996
|
# the intersection of the role's identity-based policy and the session
|
982
997
|
# policies. You can use the role's temporary credentials in subsequent
|
983
|
-
#
|
984
|
-
# You cannot use session policies to grant more
|
985
|
-
# allowed by the identity-based policy of the
|
986
|
-
# assumed. For more information, see [Session
|
987
|
-
# User Guide*.
|
998
|
+
# Amazon Web Services API calls to access resources in the account that
|
999
|
+
# owns the role. You cannot use session policies to grant more
|
1000
|
+
# permissions than those allowed by the identity-based policy of the
|
1001
|
+
# role that is being assumed. For more information, see [Session
|
1002
|
+
# Policies][1] in the *IAM User Guide*.
|
988
1003
|
#
|
989
|
-
# The
|
1004
|
+
# The plaintext that you use for both inline and managed session
|
990
1005
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
991
1006
|
# can be any ASCII character from the space character to the end of the
|
992
1007
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
993
1008
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
994
1009
|
# characters.
|
995
1010
|
#
|
996
|
-
# <note markdown="1"> An
|
997
|
-
# tags into a packed binary format that has a
|
998
|
-
# request can fail for this limit even if your
|
999
|
-
# other requirements. The `PackedPolicySize`
|
1000
|
-
# by percentage how close the policies and
|
1001
|
-
# the upper size limit.
|
1011
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1012
|
+
# policies and session tags into a packed binary format that has a
|
1013
|
+
# separate limit. Your request can fail for this limit even if your
|
1014
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1015
|
+
# response element indicates by percentage how close the policies and
|
1016
|
+
# tags for your request are to the upper size limit.
|
1002
1017
|
#
|
1003
1018
|
# </note>
|
1004
1019
|
#
|
@@ -1027,8 +1042,8 @@ module Aws::STS
|
|
1027
1042
|
# The request to the federation endpoint for a console sign-in token
|
1028
1043
|
# takes a `SessionDuration` parameter that specifies the maximum length
|
1029
1044
|
# of the console session. For more information, see [Creating a URL that
|
1030
|
-
# Enables Federated Users to Access the
|
1031
|
-
#
|
1045
|
+
# Enables Federated Users to Access the Management Console][2] in the
|
1046
|
+
# *IAM User Guide*.
|
1032
1047
|
#
|
1033
1048
|
# </note>
|
1034
1049
|
#
|
@@ -1047,6 +1062,7 @@ module Aws::STS
|
|
1047
1062
|
# * {Types::AssumeRoleWithSAMLResponse#issuer #issuer} => String
|
1048
1063
|
# * {Types::AssumeRoleWithSAMLResponse#audience #audience} => String
|
1049
1064
|
# * {Types::AssumeRoleWithSAMLResponse#name_qualifier #name_qualifier} => String
|
1065
|
+
# * {Types::AssumeRoleWithSAMLResponse#source_identity #source_identity} => String
|
1050
1066
|
#
|
1051
1067
|
#
|
1052
1068
|
# @example Example: To assume a role using a SAML assertion
|
@@ -1107,6 +1123,7 @@ module Aws::STS
|
|
1107
1123
|
# resp.issuer #=> String
|
1108
1124
|
# resp.audience #=> String
|
1109
1125
|
# resp.name_qualifier #=> String
|
1126
|
+
# resp.source_identity #=> String
|
1110
1127
|
#
|
1111
1128
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAML AWS API Documentation
|
1112
1129
|
#
|
@@ -1123,33 +1140,36 @@ module Aws::STS
|
|
1123
1140
|
# Facebook, Google, or any OpenID Connect-compatible identity provider.
|
1124
1141
|
#
|
1125
1142
|
# <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
|
1126
|
-
# can use Amazon Cognito with the [
|
1127
|
-
# and the [
|
1128
|
-
# a user. You can also supply
|
1129
|
-
# throughout the lifetime of an
|
1143
|
+
# can use Amazon Cognito with the [Amazon Web Services SDK for iOS
|
1144
|
+
# Developer Guide][1] and the [Amazon Web Services SDK for Android
|
1145
|
+
# Developer Guide][2] to uniquely identify a user. You can also supply
|
1146
|
+
# the user with a consistent identity throughout the lifetime of an
|
1147
|
+
# application.
|
1130
1148
|
#
|
1131
1149
|
# To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
|
1132
|
-
# in *
|
1133
|
-
# Overview][4] in the *
|
1150
|
+
# in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
|
1151
|
+
# Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
|
1152
|
+
# Guide*.
|
1134
1153
|
#
|
1135
1154
|
# </note>
|
1136
1155
|
#
|
1137
|
-
# Calling `AssumeRoleWithWebIdentity` does not require the use of
|
1138
|
-
# security credentials. Therefore, you can distribute an
|
1139
|
-
# (for example, on mobile devices) that requests temporary
|
1140
|
-
# credentials without including long-term
|
1141
|
-
# application. You also don't need to deploy
|
1142
|
-
# services that use long-term
|
1143
|
-
# the caller is validated by using
|
1144
|
-
# provider. For a comparison of
|
1145
|
-
# other API operations that produce
|
1146
|
-
# [Requesting Temporary Security
|
1147
|
-
# STS API operations][6] in the *IAM
|
1156
|
+
# Calling `AssumeRoleWithWebIdentity` does not require the use of Amazon
|
1157
|
+
# Web Services security credentials. Therefore, you can distribute an
|
1158
|
+
# application (for example, on mobile devices) that requests temporary
|
1159
|
+
# security credentials without including long-term Amazon Web Services
|
1160
|
+
# credentials in the application. You also don't need to deploy
|
1161
|
+
# server-based proxy services that use long-term Amazon Web Services
|
1162
|
+
# credentials. Instead, the identity of the caller is validated by using
|
1163
|
+
# a token from the web identity provider. For a comparison of
|
1164
|
+
# `AssumeRoleWithWebIdentity` with the other API operations that produce
|
1165
|
+
# temporary credentials, see [Requesting Temporary Security
|
1166
|
+
# Credentials][5] and [Comparing the STS API operations][6] in the *IAM
|
1167
|
+
# User Guide*.
|
1148
1168
|
#
|
1149
1169
|
# The temporary security credentials returned by this API consist of an
|
1150
1170
|
# access key ID, a secret access key, and a security token. Applications
|
1151
|
-
# can use these temporary security credentials to sign calls to
|
1152
|
-
# service API operations.
|
1171
|
+
# can use these temporary security credentials to sign calls to Amazon
|
1172
|
+
# Web Services service API operations.
|
1153
1173
|
#
|
1154
1174
|
# **Session Duration**
|
1155
1175
|
#
|
@@ -1169,23 +1189,24 @@ module Aws::STS
|
|
1169
1189
|
# **Permissions**
|
1170
1190
|
#
|
1171
1191
|
# The temporary security credentials created by
|
1172
|
-
# `AssumeRoleWithWebIdentity` can be used to make API calls to any
|
1173
|
-
# service with the following exception: you cannot
|
1174
|
-
# `GetFederationToken` or `GetSessionToken` API operations.
|
1192
|
+
# `AssumeRoleWithWebIdentity` can be used to make API calls to any
|
1193
|
+
# Amazon Web Services service with the following exception: you cannot
|
1194
|
+
# call the STS `GetFederationToken` or `GetSessionToken` API operations.
|
1175
1195
|
#
|
1176
1196
|
# (Optional) You can pass inline or managed [session policies][9] to
|
1177
1197
|
# this operation. You can pass a single JSON policy document to use as
|
1178
1198
|
# an inline session policy. You can also specify up to 10 managed
|
1179
|
-
# policies to use as managed session policies. The
|
1199
|
+
# policies to use as managed session policies. The plaintext that you
|
1180
1200
|
# use for both inline and managed session policies can't exceed 2,048
|
1181
1201
|
# characters. Passing policies to this operation returns new temporary
|
1182
1202
|
# credentials. The resulting session's permissions are the intersection
|
1183
1203
|
# of the role's identity-based policy and the session policies. You can
|
1184
|
-
# use the role's temporary credentials in subsequent
|
1185
|
-
# access resources in the account that owns the
|
1186
|
-
# session policies to grant more permissions than
|
1187
|
-
# identity-based policy of the role that is being
|
1188
|
-
# information, see [Session Policies][9] in the *IAM
|
1204
|
+
# use the role's temporary credentials in subsequent Amazon Web
|
1205
|
+
# Services API calls to access resources in the account that owns the
|
1206
|
+
# role. You cannot use session policies to grant more permissions than
|
1207
|
+
# those allowed by the identity-based policy of the role that is being
|
1208
|
+
# assumed. For more information, see [Session Policies][9] in the *IAM
|
1209
|
+
# User Guide*.
|
1189
1210
|
#
|
1190
1211
|
# **Tags**
|
1191
1212
|
#
|
@@ -1194,17 +1215,17 @@ module Aws::STS
|
|
1194
1215
|
# name and an associated value. For more information about session tags,
|
1195
1216
|
# see [Passing Session Tags in STS][10] in the *IAM User Guide*.
|
1196
1217
|
#
|
1197
|
-
# You can pass up to 50 session tags. The
|
1218
|
+
# You can pass up to 50 session tags. The plaintext session tag keys
|
1198
1219
|
# can’t exceed 128 characters and the values can’t exceed 256
|
1199
1220
|
# characters. For these and additional limits, see [IAM and STS
|
1200
1221
|
# Character Limits][11] in the *IAM User Guide*.
|
1201
1222
|
#
|
1202
|
-
# <note markdown="1"> An
|
1203
|
-
# tags into a packed binary format that has a
|
1204
|
-
# request can fail for this limit even if your
|
1205
|
-
# other requirements. The `PackedPolicySize`
|
1206
|
-
# by percentage how close the policies and
|
1207
|
-
# the upper size limit.
|
1223
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1224
|
+
# policies and session tags into a packed binary format that has a
|
1225
|
+
# separate limit. Your request can fail for this limit even if your
|
1226
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1227
|
+
# response element indicates by percentage how close the policies and
|
1228
|
+
# tags for your request are to the upper size limit.
|
1208
1229
|
#
|
1209
1230
|
# </note>
|
1210
1231
|
#
|
@@ -1231,9 +1252,9 @@ module Aws::STS
|
|
1231
1252
|
# identity token. In other words, the identity provider must be
|
1232
1253
|
# specified in the role's trust policy.
|
1233
1254
|
#
|
1234
|
-
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
1255
|
+
# Calling `AssumeRoleWithWebIdentity` can result in an entry in your
|
1235
1256
|
# CloudTrail logs. The entry includes the [Subject][14] of the provided
|
1236
|
-
#
|
1257
|
+
# web identity token. We recommend that you avoid using any personally
|
1237
1258
|
# identifiable information (PII) in this field. For example, you could
|
1238
1259
|
# instead use a GUID or a pairwise identifier, as [suggested in the OIDC
|
1239
1260
|
# specification][15].
|
@@ -1247,13 +1268,13 @@ module Aws::STS
|
|
1247
1268
|
# * [ Web Identity Federation Playground][18]. Walk through the process
|
1248
1269
|
# of authenticating through Login with Amazon, Facebook, or Google,
|
1249
1270
|
# getting temporary security credentials, and then using those
|
1250
|
-
# credentials to make a request to
|
1271
|
+
# credentials to make a request to Amazon Web Services.
|
1251
1272
|
#
|
1252
|
-
# * [
|
1253
|
-
# Developer Guide][2]. These toolkits contain
|
1254
|
-
# how to invoke the identity providers. The
|
1255
|
-
# use the information from these providers
|
1256
|
-
# security credentials.
|
1273
|
+
# * [Amazon Web Services SDK for iOS Developer Guide][1] and [Amazon Web
|
1274
|
+
# Services SDK for Android Developer Guide][2]. These toolkits contain
|
1275
|
+
# sample apps that show how to invoke the identity providers. The
|
1276
|
+
# toolkits then show how to use the information from these providers
|
1277
|
+
# to get and use temporary security credentials.
|
1257
1278
|
#
|
1258
1279
|
# * [Web Identity Federation with Mobile Applications][19]. This article
|
1259
1280
|
# discusses web identity federation and shows an example of how to use
|
@@ -1322,28 +1343,29 @@ module Aws::STS
|
|
1322
1343
|
# the same account as the role.
|
1323
1344
|
#
|
1324
1345
|
# This parameter is optional. You can provide up to 10 managed policy
|
1325
|
-
# ARNs. However, the
|
1346
|
+
# ARNs. However, the plaintext that you use for both inline and managed
|
1326
1347
|
# session policies can't exceed 2,048 characters. For more information
|
1327
|
-
# about ARNs, see [Amazon Resource Names (ARNs) and
|
1328
|
-
# Namespaces][1] in the
|
1348
|
+
# about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
|
1349
|
+
# Service Namespaces][1] in the Amazon Web Services General Reference.
|
1329
1350
|
#
|
1330
|
-
# <note markdown="1"> An
|
1331
|
-
# tags into a packed binary format that has a
|
1332
|
-
# request can fail for this limit even if your
|
1333
|
-
# other requirements. The `PackedPolicySize`
|
1334
|
-
# by percentage how close the policies and
|
1335
|
-
# the upper size limit.
|
1351
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1352
|
+
# policies and session tags into a packed binary format that has a
|
1353
|
+
# separate limit. Your request can fail for this limit even if your
|
1354
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1355
|
+
# response element indicates by percentage how close the policies and
|
1356
|
+
# tags for your request are to the upper size limit.
|
1336
1357
|
#
|
1337
1358
|
# </note>
|
1338
1359
|
#
|
1339
1360
|
# Passing policies to this operation returns new temporary credentials.
|
1340
1361
|
# The resulting session's permissions are the intersection of the
|
1341
1362
|
# role's identity-based policy and the session policies. You can use
|
1342
|
-
# the role's temporary credentials in subsequent
|
1343
|
-
# access resources in the account that owns the role. You
|
1344
|
-
# session policies to grant more permissions than those
|
1345
|
-
# identity-based policy of the role that is being
|
1346
|
-
# information, see [Session Policies][2] in the *IAM
|
1363
|
+
# the role's temporary credentials in subsequent Amazon Web Services
|
1364
|
+
# API calls to access resources in the account that owns the role. You
|
1365
|
+
# cannot use session policies to grant more permissions than those
|
1366
|
+
# allowed by the identity-based policy of the role that is being
|
1367
|
+
# assumed. For more information, see [Session Policies][2] in the *IAM
|
1368
|
+
# User Guide*.
|
1347
1369
|
#
|
1348
1370
|
#
|
1349
1371
|
#
|
@@ -1358,25 +1380,25 @@ module Aws::STS
|
|
1358
1380
|
# new temporary credentials. The resulting session's permissions are
|
1359
1381
|
# the intersection of the role's identity-based policy and the session
|
1360
1382
|
# policies. You can use the role's temporary credentials in subsequent
|
1361
|
-
#
|
1362
|
-
# You cannot use session policies to grant more
|
1363
|
-
# allowed by the identity-based policy of the
|
1364
|
-
# assumed. For more information, see [Session
|
1365
|
-
# User Guide*.
|
1383
|
+
# Amazon Web Services API calls to access resources in the account that
|
1384
|
+
# owns the role. You cannot use session policies to grant more
|
1385
|
+
# permissions than those allowed by the identity-based policy of the
|
1386
|
+
# role that is being assumed. For more information, see [Session
|
1387
|
+
# Policies][1] in the *IAM User Guide*.
|
1366
1388
|
#
|
1367
|
-
# The
|
1389
|
+
# The plaintext that you use for both inline and managed session
|
1368
1390
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1369
1391
|
# can be any ASCII character from the space character to the end of the
|
1370
1392
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
1371
1393
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1372
1394
|
# characters.
|
1373
1395
|
#
|
1374
|
-
# <note markdown="1"> An
|
1375
|
-
# tags into a packed binary format that has a
|
1376
|
-
# request can fail for this limit even if your
|
1377
|
-
# other requirements. The `PackedPolicySize`
|
1378
|
-
# by percentage how close the policies and
|
1379
|
-
# the upper size limit.
|
1396
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1397
|
+
# policies and session tags into a packed binary format that has a
|
1398
|
+
# separate limit. Your request can fail for this limit even if your
|
1399
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1400
|
+
# response element indicates by percentage how close the policies and
|
1401
|
+
# tags for your request are to the upper size limit.
|
1380
1402
|
#
|
1381
1403
|
# </note>
|
1382
1404
|
#
|
@@ -1402,8 +1424,8 @@ module Aws::STS
|
|
1402
1424
|
# The request to the federation endpoint for a console sign-in token
|
1403
1425
|
# takes a `SessionDuration` parameter that specifies the maximum length
|
1404
1426
|
# of the console session. For more information, see [Creating a URL that
|
1405
|
-
# Enables Federated Users to Access the
|
1406
|
-
#
|
1427
|
+
# Enables Federated Users to Access the Management Console][2] in the
|
1428
|
+
# *IAM User Guide*.
|
1407
1429
|
#
|
1408
1430
|
# </note>
|
1409
1431
|
#
|
@@ -1420,6 +1442,7 @@ module Aws::STS
|
|
1420
1442
|
# * {Types::AssumeRoleWithWebIdentityResponse#packed_policy_size #packed_policy_size} => Integer
|
1421
1443
|
# * {Types::AssumeRoleWithWebIdentityResponse#provider #provider} => String
|
1422
1444
|
# * {Types::AssumeRoleWithWebIdentityResponse#audience #audience} => String
|
1445
|
+
# * {Types::AssumeRoleWithWebIdentityResponse#source_identity #source_identity} => String
|
1423
1446
|
#
|
1424
1447
|
#
|
1425
1448
|
# @example Example: To assume a role as an OpenID Connect-federated user
|
@@ -1479,6 +1502,7 @@ module Aws::STS
|
|
1479
1502
|
# resp.packed_policy_size #=> Integer
|
1480
1503
|
# resp.provider #=> String
|
1481
1504
|
# resp.audience #=> String
|
1505
|
+
# resp.source_identity #=> String
|
1482
1506
|
#
|
1483
1507
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentity AWS API Documentation
|
1484
1508
|
#
|
@@ -1490,19 +1514,19 @@ module Aws::STS
|
|
1490
1514
|
end
|
1491
1515
|
|
1492
1516
|
# Decodes additional information about the authorization status of a
|
1493
|
-
# request from an encoded message returned in response to an
|
1494
|
-
# request.
|
1517
|
+
# request from an encoded message returned in response to an Amazon Web
|
1518
|
+
# Services request.
|
1495
1519
|
#
|
1496
1520
|
# For example, if a user is not authorized to perform an operation that
|
1497
1521
|
# he or she has requested, the request returns a
|
1498
1522
|
# `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
|
1499
|
-
#
|
1500
|
-
# details about this authorization failure.
|
1523
|
+
# Amazon Web Services operations additionally return an encoded message
|
1524
|
+
# that can provide details about this authorization failure.
|
1501
1525
|
#
|
1502
|
-
# <note markdown="1"> Only certain
|
1503
|
-
# The documentation for an individual operation
|
1504
|
-
# operation returns an encoded message in
|
1505
|
-
# code.
|
1526
|
+
# <note markdown="1"> Only certain Amazon Web Services operations return an encoded
|
1527
|
+
# authorization message. The documentation for an individual operation
|
1528
|
+
# indicates whether that operation returns an encoded message in
|
1529
|
+
# addition to returning an HTTP code.
|
1506
1530
|
#
|
1507
1531
|
# </note>
|
1508
1532
|
#
|
@@ -1578,15 +1602,16 @@ module Aws::STS
|
|
1578
1602
|
# *IAM User Guide*.
|
1579
1603
|
#
|
1580
1604
|
# When you pass an access key ID to this operation, it returns the ID of
|
1581
|
-
# the
|
1582
|
-
# with `AKIA` are long-term credentials for an IAM user or
|
1583
|
-
# account root user. Access key IDs beginning
|
1584
|
-
# credentials that are created using STS
|
1585
|
-
# the response belongs to you, you can
|
1586
|
-
# review your root user access keys. Then,
|
1587
|
-
# report][2] to learn which IAM user owns
|
1588
|
-
# requested the temporary credentials for an
|
1589
|
-
# STS events in your [CloudTrail logs][3] in
|
1605
|
+
# the Amazon Web Services account to which the keys belong. Access key
|
1606
|
+
# IDs beginning with `AKIA` are long-term credentials for an IAM user or
|
1607
|
+
# the Amazon Web Services account root user. Access key IDs beginning
|
1608
|
+
# with `ASIA` are temporary credentials that are created using STS
|
1609
|
+
# operations. If the account in the response belongs to you, you can
|
1610
|
+
# sign in as the root user and review your root user access keys. Then,
|
1611
|
+
# you can pull a [credentials report][2] to learn which IAM user owns
|
1612
|
+
# the keys. To learn who requested the temporary credentials for an
|
1613
|
+
# `ASIA` access key, view the STS events in your [CloudTrail logs][3] in
|
1614
|
+
# the *IAM User Guide*.
|
1590
1615
|
#
|
1591
1616
|
# This operation does not indicate the state of the access key. The key
|
1592
1617
|
# might be active, inactive, or deleted. Active keys might not have
|
@@ -1723,8 +1748,8 @@ module Aws::STS
|
|
1723
1748
|
# can be safely stored, usually in a server-based application. For a
|
1724
1749
|
# comparison of `GetFederationToken` with the other API operations that
|
1725
1750
|
# produce temporary credentials, see [Requesting Temporary Security
|
1726
|
-
# Credentials][1] and [Comparing the
|
1727
|
-
#
|
1751
|
+
# Credentials][1] and [Comparing the STS API operations][2] in the *IAM
|
1752
|
+
# User Guide*.
|
1728
1753
|
#
|
1729
1754
|
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1730
1755
|
# authenticate users using a web identity provider like Login with
|
@@ -1736,27 +1761,97 @@ module Aws::STS
|
|
1736
1761
|
# </note>
|
1737
1762
|
#
|
1738
1763
|
# You can also call `GetFederationToken` using the security credentials
|
1739
|
-
# of an
|
1740
|
-
# recommend that you create an IAM user for the purpose
|
1741
|
-
# application. Then attach a policy to the IAM user that
|
1742
|
-
# federated users to only the actions and resources that they
|
1743
|
-
# access. For more information, see [IAM Best Practices][5] in
|
1744
|
-
# User Guide*.
|
1764
|
+
# of an Amazon Web Services account root user, but we do not recommend
|
1765
|
+
# it. Instead, we recommend that you create an IAM user for the purpose
|
1766
|
+
# of the proxy application. Then attach a policy to the IAM user that
|
1767
|
+
# limits federated users to only the actions and resources that they
|
1768
|
+
# need to access. For more information, see [IAM Best Practices][5] in
|
1769
|
+
# the *IAM User Guide*.
|
1770
|
+
#
|
1771
|
+
# **Session duration**
|
1772
|
+
#
|
1773
|
+
# The temporary credentials are valid for the specified duration, from
|
1774
|
+
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1775
|
+
# hours). The default session duration is 43,200 seconds (12 hours).
|
1776
|
+
# Temporary credentials that are obtained by using Amazon Web Services
|
1777
|
+
# account root user credentials have a maximum duration of 3,600 seconds
|
1778
|
+
# (1 hour).
|
1779
|
+
#
|
1780
|
+
# **Permissions**
|
1781
|
+
#
|
1782
|
+
# You can use the temporary credentials created by `GetFederationToken`
|
1783
|
+
# in any Amazon Web Services service except the following:
|
1784
|
+
#
|
1785
|
+
# * You cannot call any IAM operations using the CLI or the Amazon Web
|
1786
|
+
# Services API.
|
1787
|
+
#
|
1788
|
+
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1789
|
+
#
|
1790
|
+
# You must pass an inline or managed [session policy][6] to this
|
1791
|
+
# operation. You can pass a single JSON policy document to use as an
|
1792
|
+
# inline session policy. You can also specify up to 10 managed policies
|
1793
|
+
# to use as managed session policies. The plaintext that you use for
|
1794
|
+
# both inline and managed session policies can't exceed 2,048
|
1795
|
+
# characters.
|
1796
|
+
#
|
1797
|
+
# Though the session policy parameters are optional, if you do not pass
|
1798
|
+
# a policy, then the resulting federated user session has no
|
1799
|
+
# permissions. When you pass session policies, the session permissions
|
1800
|
+
# are the intersection of the IAM user policies and the session policies
|
1801
|
+
# that you pass. This gives you a way to further restrict the
|
1802
|
+
# permissions for a federated user. You cannot use session policies to
|
1803
|
+
# grant more permissions than those that are defined in the permissions
|
1804
|
+
# policy of the IAM user. For more information, see [Session
|
1805
|
+
# Policies][6] in the *IAM User Guide*. For information about using
|
1806
|
+
# `GetFederationToken` to create temporary security credentials, see
|
1807
|
+
# [GetFederationToken—Federation Through a Custom Identity Broker][7].
|
1808
|
+
#
|
1809
|
+
# You can use the credentials to access a resource that has a
|
1810
|
+
# resource-based policy. If that policy specifically references the
|
1811
|
+
# federated user session in the `Principal` element of the policy, the
|
1812
|
+
# session has the permissions allowed by the policy. These permissions
|
1813
|
+
# are granted in addition to the permissions granted by the session
|
1814
|
+
# policies.
|
1815
|
+
#
|
1816
|
+
# **Tags**
|
1817
|
+
#
|
1818
|
+
# (Optional) You can pass tag key-value pairs to your session. These are
|
1819
|
+
# called session tags. For more information about session tags, see
|
1820
|
+
# [Passing Session Tags in STS][8] in the *IAM User Guide*.
|
1821
|
+
#
|
1822
|
+
# <note markdown="1"> You can create a mobile-based or browser-based app that can
|
1823
|
+
# authenticate users using a web identity provider like Login with
|
1824
|
+
# Amazon, Facebook, Google, or an OpenID Connect-compatible identity
|
1825
|
+
# provider. In this case, we recommend that you use [Amazon Cognito][3]
|
1826
|
+
# or `AssumeRoleWithWebIdentity`. For more information, see [Federation
|
1827
|
+
# Through a Web-based Identity Provider][4] in the *IAM User Guide*.
|
1828
|
+
#
|
1829
|
+
# </note>
|
1830
|
+
#
|
1831
|
+
# You can also call `GetFederationToken` using the security credentials
|
1832
|
+
# of an Amazon Web Services account root user, but we do not recommend
|
1833
|
+
# it. Instead, we recommend that you create an IAM user for the purpose
|
1834
|
+
# of the proxy application. Then attach a policy to the IAM user that
|
1835
|
+
# limits federated users to only the actions and resources that they
|
1836
|
+
# need to access. For more information, see [IAM Best Practices][5] in
|
1837
|
+
# the *IAM User Guide*.
|
1745
1838
|
#
|
1746
1839
|
# **Session duration**
|
1747
1840
|
#
|
1748
1841
|
# The temporary credentials are valid for the specified duration, from
|
1749
1842
|
# 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
|
1750
1843
|
# hours). The default session duration is 43,200 seconds (12 hours).
|
1751
|
-
# Temporary credentials that are obtained by using
|
1752
|
-
# credentials have a maximum duration of 3,600 seconds
|
1844
|
+
# Temporary credentials that are obtained by using Amazon Web Services
|
1845
|
+
# account root user credentials have a maximum duration of 3,600 seconds
|
1846
|
+
# (1 hour).
|
1753
1847
|
#
|
1754
1848
|
# **Permissions**
|
1755
1849
|
#
|
1756
1850
|
# You can use the temporary credentials created by `GetFederationToken`
|
1757
|
-
# in any
|
1851
|
+
# in any Amazon Web Services service except the following:
|
1758
1852
|
#
|
1759
|
-
# * You cannot call any IAM operations using the
|
1853
|
+
# * You cannot call any IAM operations using the CLI or the Amazon Web
|
1854
|
+
# Services API.
|
1760
1855
|
#
|
1761
1856
|
# * You cannot call any STS operations except `GetCallerIdentity`.
|
1762
1857
|
#
|
@@ -1857,19 +1952,19 @@ module Aws::STS
|
|
1857
1952
|
# are granted in addition to the permissions that are granted by the
|
1858
1953
|
# session policies.
|
1859
1954
|
#
|
1860
|
-
# The
|
1955
|
+
# The plaintext that you use for both inline and managed session
|
1861
1956
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1862
1957
|
# can be any ASCII character from the space character to the end of the
|
1863
1958
|
# valid character list (\\u0020 through \\u00FF). It can also include
|
1864
1959
|
# the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
|
1865
1960
|
# characters.
|
1866
1961
|
#
|
1867
|
-
# <note markdown="1"> An
|
1868
|
-
# tags into a packed binary format that has a
|
1869
|
-
# request can fail for this limit even if your
|
1870
|
-
# other requirements. The `PackedPolicySize`
|
1871
|
-
# by percentage how close the policies and
|
1872
|
-
# the upper size limit.
|
1962
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1963
|
+
# policies and session tags into a packed binary format that has a
|
1964
|
+
# separate limit. Your request can fail for this limit even if your
|
1965
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1966
|
+
# response element indicates by percentage how close the policies and
|
1967
|
+
# tags for your request are to the upper size limit.
|
1873
1968
|
#
|
1874
1969
|
# </note>
|
1875
1970
|
#
|
@@ -1885,11 +1980,12 @@ module Aws::STS
|
|
1885
1980
|
# You must pass an inline or managed [session policy][1] to this
|
1886
1981
|
# operation. You can pass a single JSON policy document to use as an
|
1887
1982
|
# inline session policy. You can also specify up to 10 managed policies
|
1888
|
-
# to use as managed session policies. The
|
1983
|
+
# to use as managed session policies. The plaintext that you use for
|
1889
1984
|
# both inline and managed session policies can't exceed 2,048
|
1890
1985
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1891
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
1892
|
-
# Service Namespaces][2] in the
|
1986
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
1987
|
+
# Web Services Service Namespaces][2] in the Amazon Web Services General
|
1988
|
+
# Reference.
|
1893
1989
|
#
|
1894
1990
|
# This parameter is optional. However, if you do not pass any session
|
1895
1991
|
# policies, then the resulting federated user session has no
|
@@ -1910,12 +2006,12 @@ module Aws::STS
|
|
1910
2006
|
# are granted in addition to the permissions that are granted by the
|
1911
2007
|
# session policies.
|
1912
2008
|
#
|
1913
|
-
# <note markdown="1"> An
|
1914
|
-
# tags into a packed binary format that has a
|
1915
|
-
# request can fail for this limit even if your
|
1916
|
-
# other requirements. The `PackedPolicySize`
|
1917
|
-
# by percentage how close the policies and
|
1918
|
-
# the upper size limit.
|
2009
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
2010
|
+
# policies and session tags into a packed binary format that has a
|
2011
|
+
# separate limit. Your request can fail for this limit even if your
|
2012
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
2013
|
+
# response element indicates by percentage how close the policies and
|
2014
|
+
# tags for your request are to the upper size limit.
|
1919
2015
|
#
|
1920
2016
|
# </note>
|
1921
2017
|
#
|
@@ -1928,10 +2024,10 @@ module Aws::STS
|
|
1928
2024
|
# The duration, in seconds, that the session should last. Acceptable
|
1929
2025
|
# durations for federation sessions range from 900 seconds (15 minutes)
|
1930
2026
|
# to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
|
1931
|
-
# default. Sessions obtained using
|
1932
|
-
# restricted to a maximum of 3,600 seconds (one hour).
|
1933
|
-
# duration is longer than one hour, the session
|
1934
|
-
# user credentials defaults to one hour.
|
2027
|
+
# default. Sessions obtained using Amazon Web Services account root user
|
2028
|
+
# credentials are restricted to a maximum of 3,600 seconds (one hour).
|
2029
|
+
# If the specified duration is longer than one hour, the session
|
2030
|
+
# obtained by using root user credentials defaults to one hour.
|
1935
2031
|
#
|
1936
2032
|
# @option params [Array<Types::Tag>] :tags
|
1937
2033
|
# A list of session tags. Each session tag consists of a key name and an
|
@@ -1939,16 +2035,16 @@ module Aws::STS
|
|
1939
2035
|
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1940
2036
|
#
|
1941
2037
|
# This parameter is optional. You can pass up to 50 session tags. The
|
1942
|
-
#
|
2038
|
+
# plaintext session tag keys can’t exceed 128 characters and the values
|
1943
2039
|
# can’t exceed 256 characters. For these and additional limits, see [IAM
|
1944
2040
|
# and STS Character Limits][2] in the *IAM User Guide*.
|
1945
2041
|
#
|
1946
|
-
# <note markdown="1"> An
|
1947
|
-
# tags into a packed binary format that has a
|
1948
|
-
# request can fail for this limit even if your
|
1949
|
-
# other requirements. The `PackedPolicySize`
|
1950
|
-
# by percentage how close the policies and
|
1951
|
-
# the upper size limit.
|
2042
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
2043
|
+
# policies and session tags into a packed binary format that has a
|
2044
|
+
# separate limit. Your request can fail for this limit even if your
|
2045
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
2046
|
+
# response element indicates by percentage how close the policies and
|
2047
|
+
# tags for your request are to the upper size limit.
|
1952
2048
|
#
|
1953
2049
|
# </note>
|
1954
2050
|
#
|
@@ -2046,37 +2142,38 @@ module Aws::STS
|
|
2046
2142
|
req.send_request(options)
|
2047
2143
|
end
|
2048
2144
|
|
2049
|
-
# Returns a set of temporary credentials for an
|
2050
|
-
# The credentials consist of an access key ID, a
|
2051
|
-
# a security token. Typically, you use
|
2052
|
-
# use MFA to protect programmatic calls
|
2053
|
-
#
|
2054
|
-
#
|
2055
|
-
#
|
2056
|
-
#
|
2057
|
-
#
|
2145
|
+
# Returns a set of temporary credentials for an Amazon Web Services
|
2146
|
+
# account or IAM user. The credentials consist of an access key ID, a
|
2147
|
+
# secret access key, and a security token. Typically, you use
|
2148
|
+
# `GetSessionToken` if you want to use MFA to protect programmatic calls
|
2149
|
+
# to specific Amazon Web Services API operations like Amazon EC2
|
2150
|
+
# `StopInstances`. MFA-enabled IAM users would need to call
|
2151
|
+
# `GetSessionToken` and submit an MFA code that is associated with their
|
2152
|
+
# MFA device. Using the temporary security credentials that are returned
|
2153
|
+
# from the call, IAM users can then make programmatic calls to API
|
2154
|
+
# operations that require MFA authentication. If you do not supply a
|
2058
2155
|
# correct MFA code, then the API returns an access denied error. For a
|
2059
2156
|
# comparison of `GetSessionToken` with the other API operations that
|
2060
2157
|
# produce temporary credentials, see [Requesting Temporary Security
|
2061
|
-
# Credentials][1] and [Comparing the
|
2062
|
-
#
|
2158
|
+
# Credentials][1] and [Comparing the STS API operations][2] in the *IAM
|
2159
|
+
# User Guide*.
|
2063
2160
|
#
|
2064
2161
|
# **Session Duration**
|
2065
2162
|
#
|
2066
2163
|
# The `GetSessionToken` operation must be called by using the long-term
|
2067
|
-
#
|
2068
|
-
#
|
2069
|
-
# that you specify. This duration can
|
2070
|
-
# minutes) up to a maximum of 129,600 seconds
|
2071
|
-
# of 43,200 seconds (12 hours). Credentials
|
2072
|
-
# can range from 900 seconds (15 minutes)
|
2073
|
-
# with a default of 1 hour.
|
2164
|
+
# Amazon Web Services security credentials of the Amazon Web Services
|
2165
|
+
# account root user or an IAM user. Credentials that are created by IAM
|
2166
|
+
# users are valid for the duration that you specify. This duration can
|
2167
|
+
# range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
|
2168
|
+
# (36 hours), with a default of 43,200 seconds (12 hours). Credentials
|
2169
|
+
# based on account credentials can range from 900 seconds (15 minutes)
|
2170
|
+
# up to 3,600 seconds (1 hour), with a default of 1 hour.
|
2074
2171
|
#
|
2075
2172
|
# **Permissions**
|
2076
2173
|
#
|
2077
2174
|
# The temporary security credentials created by `GetSessionToken` can be
|
2078
|
-
# used to make API calls to any
|
2079
|
-
# exceptions:
|
2175
|
+
# used to make API calls to any Amazon Web Services service with the
|
2176
|
+
# following exceptions:
|
2080
2177
|
#
|
2081
2178
|
# * You cannot call any IAM API operations unless MFA authentication
|
2082
2179
|
# information is included in the request.
|
@@ -2084,20 +2181,21 @@ module Aws::STS
|
|
2084
2181
|
# * You cannot call any STS API *except* `AssumeRole` or
|
2085
2182
|
# `GetCallerIdentity`.
|
2086
2183
|
#
|
2087
|
-
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with
|
2088
|
-
# root user credentials. Instead, follow our [best
|
2089
|
-
# creating one or more IAM users, giving them the
|
2090
|
-
# and using IAM users for everyday interaction
|
2184
|
+
# <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
|
2185
|
+
# Services account root user credentials. Instead, follow our [best
|
2186
|
+
# practices][3] by creating one or more IAM users, giving them the
|
2187
|
+
# necessary permissions, and using IAM users for everyday interaction
|
2188
|
+
# with Amazon Web Services.
|
2091
2189
|
#
|
2092
2190
|
# </note>
|
2093
2191
|
#
|
2094
2192
|
# The credentials that are returned by `GetSessionToken` are based on
|
2095
2193
|
# permissions associated with the user whose credentials were used to
|
2096
|
-
# call the operation. If `GetSessionToken` is called using
|
2097
|
-
# root user credentials, the temporary credentials have
|
2098
|
-
# permissions. Similarly, if `GetSessionToken` is called using
|
2099
|
-
# credentials of an IAM user, the temporary credentials have the
|
2100
|
-
# permissions as the IAM user.
|
2194
|
+
# call the operation. If `GetSessionToken` is called using Amazon Web
|
2195
|
+
# Services account root user credentials, the temporary credentials have
|
2196
|
+
# root user permissions. Similarly, if `GetSessionToken` is called using
|
2197
|
+
# the credentials of an IAM user, the temporary credentials have the
|
2198
|
+
# same permissions as the IAM user.
|
2101
2199
|
#
|
2102
2200
|
# For more information about using `GetSessionToken` to create temporary
|
2103
2201
|
# credentials, go to [Temporary Credentials for Users in Untrusted
|
@@ -2114,9 +2212,10 @@ module Aws::STS
|
|
2114
2212
|
# The duration, in seconds, that the credentials should remain valid.
|
2115
2213
|
# Acceptable durations for IAM user sessions range from 900 seconds (15
|
2116
2214
|
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
|
2117
|
-
# as the default. Sessions for
|
2118
|
-
# maximum of 3,600 seconds (one hour). If the duration
|
2119
|
-
# one hour, the session for
|
2215
|
+
# as the default. Sessions for Amazon Web Services account owners are
|
2216
|
+
# restricted to a maximum of 3,600 seconds (one hour). If the duration
|
2217
|
+
# is longer than one hour, the session for Amazon Web Services account
|
2218
|
+
# owners defaults to one hour.
|
2120
2219
|
#
|
2121
2220
|
# @option params [String] :serial_number
|
2122
2221
|
# The identification number of the MFA device that is associated with
|
@@ -2125,8 +2224,8 @@ module Aws::STS
|
|
2125
2224
|
# The value is either the serial number for a hardware device (such as
|
2126
2225
|
# `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
|
2127
2226
|
# (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
|
2128
|
-
# device for an IAM user by going to the
|
2129
|
-
#
|
2227
|
+
# device for an IAM user by going to the Management Console and viewing
|
2228
|
+
# the user's security credentials.
|
2130
2229
|
#
|
2131
2230
|
# The regex used to validate this parameter is a string of characters
|
2132
2231
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -2204,7 +2303,7 @@ module Aws::STS
|
|
2204
2303
|
params: params,
|
2205
2304
|
config: config)
|
2206
2305
|
context[:gem_name] = 'aws-sdk-core'
|
2207
|
-
context[:gem_version] = '3.
|
2306
|
+
context[:gem_version] = '3.118.0'
|
2208
2307
|
Seahorse::Client::Request.new(handlers, context)
|
2209
2308
|
end
|
2210
2309
|
|