aws-sdk-core 3.113.1 → 3.118.0
- checksums.yaml +4 -4
- data/CHANGELOG.md +43 -0
- data/VERSION +1 -1
- data/lib/aws-sdk-core/credential_provider_chain.rb +2 -1
- data/lib/aws-sdk-core/ec2_metadata.rb +24 -5
- data/lib/aws-sdk-core/errors.rb +4 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +39 -4
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +7 -1
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +8 -0
- data/lib/aws-sdk-core/shared_config.rb +21 -1
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +1 -2
- data/lib/aws-sdk-core/structure.rb +10 -1
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-sso.rb +1 -1
- data/lib/aws-sdk-sso/client.rb +1 -1
- data/lib/aws-sdk-sts.rb +1 -1
- data/lib/aws-sdk-sts/client.rb +464 -365
- data/lib/aws-sdk-sts/client_api.rb +5 -0
- data/lib/aws-sdk-sts/types.rb +307 -178
- data/lib/seahorse/client/h2/connection.rb +11 -6
- data/lib/seahorse/model/shapes.rb +20 -0
- metadata +3 -4
@@ -74,6 +74,7 @@ module Aws::STS
|
|
74
74
|
roleSessionNameType = Shapes::StringShape.new(name: 'roleSessionNameType')
|
75
75
|
serialNumberType = Shapes::StringShape.new(name: 'serialNumberType')
|
76
76
|
sessionPolicyDocumentType = Shapes::StringShape.new(name: 'sessionPolicyDocumentType')
|
77
|
+
sourceIdentityType = Shapes::StringShape.new(name: 'sourceIdentityType')
|
77
78
|
tagKeyListType = Shapes::ListShape.new(name: 'tagKeyListType')
|
78
79
|
tagKeyType = Shapes::StringShape.new(name: 'tagKeyType')
|
79
80
|
tagListType = Shapes::ListShape.new(name: 'tagListType')
|
@@ -95,11 +96,13 @@ module Aws::STS
|
|
95
96
|
AssumeRoleRequest.add_member(:external_id, Shapes::ShapeRef.new(shape: externalIdType, location_name: "ExternalId"))
|
96
97
|
AssumeRoleRequest.add_member(:serial_number, Shapes::ShapeRef.new(shape: serialNumberType, location_name: "SerialNumber"))
|
97
98
|
AssumeRoleRequest.add_member(:token_code, Shapes::ShapeRef.new(shape: tokenCodeType, location_name: "TokenCode"))
|
99
|
+
AssumeRoleRequest.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
98
100
|
AssumeRoleRequest.struct_class = Types::AssumeRoleRequest
|
99
101
|
|
100
102
|
AssumeRoleResponse.add_member(:credentials, Shapes::ShapeRef.new(shape: Credentials, location_name: "Credentials"))
|
101
103
|
AssumeRoleResponse.add_member(:assumed_role_user, Shapes::ShapeRef.new(shape: AssumedRoleUser, location_name: "AssumedRoleUser"))
|
102
104
|
AssumeRoleResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
105
|
+
AssumeRoleResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
103
106
|
AssumeRoleResponse.struct_class = Types::AssumeRoleResponse
|
104
107
|
|
105
108
|
AssumeRoleWithSAMLRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -118,6 +121,7 @@ module Aws::STS
|
|
118
121
|
AssumeRoleWithSAMLResponse.add_member(:issuer, Shapes::ShapeRef.new(shape: Issuer, location_name: "Issuer"))
|
119
122
|
AssumeRoleWithSAMLResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
120
123
|
AssumeRoleWithSAMLResponse.add_member(:name_qualifier, Shapes::ShapeRef.new(shape: NameQualifier, location_name: "NameQualifier"))
|
124
|
+
AssumeRoleWithSAMLResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
121
125
|
AssumeRoleWithSAMLResponse.struct_class = Types::AssumeRoleWithSAMLResponse
|
122
126
|
|
123
127
|
AssumeRoleWithWebIdentityRequest.add_member(:role_arn, Shapes::ShapeRef.new(shape: arnType, required: true, location_name: "RoleArn"))
|
@@ -135,6 +139,7 @@ module Aws::STS
|
|
135
139
|
AssumeRoleWithWebIdentityResponse.add_member(:packed_policy_size, Shapes::ShapeRef.new(shape: nonNegativeIntegerType, location_name: "PackedPolicySize"))
|
136
140
|
AssumeRoleWithWebIdentityResponse.add_member(:provider, Shapes::ShapeRef.new(shape: Issuer, location_name: "Provider"))
|
137
141
|
AssumeRoleWithWebIdentityResponse.add_member(:audience, Shapes::ShapeRef.new(shape: Audience, location_name: "Audience"))
|
142
|
+
AssumeRoleWithWebIdentityResponse.add_member(:source_identity, Shapes::ShapeRef.new(shape: sourceIdentityType, location_name: "SourceIdentity"))
|
138
143
|
AssumeRoleWithWebIdentityResponse.struct_class = Types::AssumeRoleWithWebIdentityResponse
|
139
144
|
|
140
145
|
AssumedRoleUser.add_member(:assumed_role_id, Shapes::ShapeRef.new(shape: assumedRoleIdType, required: true, location_name: "AssumedRoleId"))
|
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -33,6 +33,7 @@ module Aws::STS
|
|
33
33
|
# external_id: "externalIdType",
|
34
34
|
# serial_number: "serialNumberType",
|
35
35
|
# token_code: "tokenCodeType",
|
36
|
+
# source_identity: "sourceIdentityType",
|
36
37
|
# }
|
37
38
|
#
|
38
39
|
# @!attribute [rw] role_arn
|
@@ -49,7 +50,7 @@ module Aws::STS
|
|
49
50
|
# role session name is also used in the ARN of the assumed role
|
50
51
|
# principal. This means that subsequent cross-account API requests
|
51
52
|
# that use the temporary security credentials will expose the role
|
52
|
-
# session name to the external account in their
|
53
|
+
# session name to the external account in their CloudTrail logs.
|
53
54
|
#
|
54
55
|
# The regex used to validate this parameter is a string of characters
|
55
56
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -63,17 +64,18 @@ module Aws::STS
|
|
63
64
|
# in the same account as the role.
|
64
65
|
#
|
65
66
|
# This parameter is optional. You can provide up to 10 managed policy
|
66
|
-
# ARNs. However, the
|
67
|
+
# ARNs. However, the plaintext that you use for both inline and
|
67
68
|
# managed session policies can't exceed 2,048 characters. For more
|
68
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
69
|
-
# Service Namespaces][1] in the
|
69
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
70
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
71
|
+
# General Reference.
|
70
72
|
#
|
71
|
-
# <note markdown="1"> An
|
72
|
-
# tags into a packed binary format that has a
|
73
|
-
# request can fail for this limit even if your
|
74
|
-
# other requirements. The `PackedPolicySize`
|
75
|
-
# indicates by percentage how close the policies and
|
76
|
-
# request are to the upper size limit.
|
73
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
74
|
+
# policies and session tags into a packed binary format that has a
|
75
|
+
# separate limit. Your request can fail for this limit even if your
|
76
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
77
|
+
# response element indicates by percentage how close the policies and
|
78
|
+
# tags for your request are to the upper size limit.
|
77
79
|
#
|
78
80
|
# </note>
|
79
81
|
#
|
@@ -81,10 +83,10 @@ module Aws::STS
|
|
81
83
|
# credentials. The resulting session's permissions are the
|
82
84
|
# intersection of the role's identity-based policy and the session
|
83
85
|
# policies. You can use the role's temporary credentials in
|
84
|
-
# subsequent
|
85
|
-
# owns the role. You cannot use session policies to grant
|
86
|
-
# permissions than those allowed by the identity-based policy of
|
87
|
-
# role that is being assumed. For more information, see [Session
|
86
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
87
|
+
# account that owns the role. You cannot use session policies to grant
|
88
|
+
# more permissions than those allowed by the identity-based policy of
|
89
|
+
# the role that is being assumed. For more information, see [Session
|
88
90
|
# Policies][2] in the *IAM User Guide*.
|
89
91
|
#
|
90
92
|
#
|
@@ -101,25 +103,25 @@ module Aws::STS
|
|
101
103
|
# returns new temporary credentials. The resulting session's
|
102
104
|
# permissions are the intersection of the role's identity-based
|
103
105
|
# policy and the session policies. You can use the role's temporary
|
104
|
-
# credentials in subsequent
|
105
|
-
# account that owns the role. You cannot use session
|
106
|
-
# more permissions than those allowed by the
|
107
|
-
# the role that is being assumed. For more
|
108
|
-
# Policies][1] in the *IAM User Guide*.
|
106
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
107
|
+
# resources in the account that owns the role. You cannot use session
|
108
|
+
# policies to grant more permissions than those allowed by the
|
109
|
+
# identity-based policy of the role that is being assumed. For more
|
110
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
109
111
|
#
|
110
|
-
# The
|
112
|
+
# The plaintext that you use for both inline and managed session
|
111
113
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
112
114
|
# can be any ASCII character from the space character to the end of
|
113
115
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
114
116
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
115
117
|
# (\\u000D) characters.
|
116
118
|
#
|
117
|
-
# <note markdown="1"> An
|
118
|
-
# tags into a packed binary format that has a
|
119
|
-
# request can fail for this limit even if your
|
120
|
-
# other requirements. The `PackedPolicySize`
|
121
|
-
# indicates by percentage how close the policies and
|
122
|
-
# request are to the upper size limit.
|
119
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
120
|
+
# policies and session tags into a packed binary format that has a
|
121
|
+
# separate limit. Your request can fail for this limit even if your
|
122
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
123
|
+
# response element indicates by percentage how close the policies and
|
124
|
+
# tags for your request are to the upper size limit.
|
123
125
|
#
|
124
126
|
# </note>
|
125
127
|
#
|
@@ -129,15 +131,17 @@ module Aws::STS
|
|
129
131
|
# @return [String]
|
130
132
|
#
|
131
133
|
# @!attribute [rw] duration_seconds
|
132
|
-
# The duration, in seconds, of the role session. The value
|
133
|
-
# from 900 seconds (15 minutes) up to the maximum
|
134
|
-
#
|
135
|
-
#
|
136
|
-
#
|
137
|
-
#
|
138
|
-
#
|
139
|
-
#
|
140
|
-
#
|
134
|
+
# The duration, in seconds, of the role session. The value specified
|
135
|
+
# can can range from 900 seconds (15 minutes) up to the maximum
|
136
|
+
# session duration that is set for the role. The maximum session
|
137
|
+
# duration setting can have a value from 1 hour to 12 hours. If you
|
138
|
+
# specify a value higher than this setting or the administrator
|
139
|
+
# setting (whichever is lower), the operation fails. For example, if
|
140
|
+
# you specify a session duration of 12 hours, but your administrator
|
141
|
+
# set the maximum session duration to 6 hours, your operation fails.
|
142
|
+
# To learn how to view the maximum value for your role, see [View the
|
143
|
+
# Maximum Session Duration Setting for a Role][1] in the *IAM User
|
144
|
+
# Guide*.
|
141
145
|
#
|
142
146
|
# By default, the value is set to `3600` seconds.
|
143
147
|
#
|
@@ -146,7 +150,7 @@ module Aws::STS
|
|
146
150
|
# credentials. The request to the federation endpoint for a console
|
147
151
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
148
152
|
# maximum length of the console session. For more information, see
|
149
|
-
# [Creating a URL that Enables Federated Users to Access the
|
153
|
+
# [Creating a URL that Enables Federated Users to Access the
|
150
154
|
# Management Console][2] in the *IAM User Guide*.
|
151
155
|
#
|
152
156
|
# </note>
|
@@ -160,20 +164,20 @@ module Aws::STS
|
|
160
164
|
# @!attribute [rw] tags
|
161
165
|
# A list of session tags that you want to pass. Each session tag
|
162
166
|
# consists of a key name and an associated value. For more information
|
163
|
-
# about session tags, see [Tagging
|
164
|
-
#
|
167
|
+
# about session tags, see [Tagging STS Sessions][1] in the *IAM User
|
168
|
+
# Guide*.
|
165
169
|
#
|
166
170
|
# This parameter is optional. You can pass up to 50 session tags. The
|
167
|
-
#
|
171
|
+
# plaintext session tag keys can’t exceed 128 characters, and the
|
168
172
|
# values can’t exceed 256 characters. For these and additional limits,
|
169
173
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
170
174
|
#
|
171
|
-
# <note markdown="1"> An
|
172
|
-
# tags into a packed binary format that has a
|
173
|
-
# request can fail for this limit even if your
|
174
|
-
# other requirements. The `PackedPolicySize`
|
175
|
-
# indicates by percentage how close the policies and
|
176
|
-
# request are to the upper size limit.
|
175
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
176
|
+
# policies and session tags into a packed binary format that has a
|
177
|
+
# separate limit. Your request can fail for this limit even if your
|
178
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
179
|
+
# response element indicates by percentage how close the policies and
|
180
|
+
# tags for your request are to the upper size limit.
|
177
181
|
#
|
178
182
|
# </note>
|
179
183
|
#
|
@@ -193,8 +197,8 @@ module Aws::STS
|
|
193
197
|
# operation, the new session inherits any transitive session tags from
|
194
198
|
# the calling session. If you pass a session tag with the same key as
|
195
199
|
# an inherited tag, the operation fails. To view the inherited tags
|
196
|
-
# for a session, see the
|
197
|
-
#
|
200
|
+
# for a session, see the CloudTrail logs. For more information, see
|
201
|
+
# [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
198
202
|
#
|
199
203
|
#
|
200
204
|
#
|
@@ -232,8 +236,8 @@ module Aws::STS
|
|
232
236
|
# the administrator of the trusted account. That way, only someone
|
233
237
|
# with the ID can assume the role, rather than everyone in the
|
234
238
|
# account. For more information about the external ID, see [How to Use
|
235
|
-
# an External ID When Granting Access to Your
|
236
|
-
# Party][1] in the *IAM User Guide*.
|
239
|
+
# an External ID When Granting Access to Your Amazon Web Services
|
240
|
+
# Resources to a Third Party][1] in the *IAM User Guide*.
|
237
241
|
#
|
238
242
|
# The regex used to validate this parameter is a string of characters
|
239
243
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -262,15 +266,41 @@ module Aws::STS
|
|
262
266
|
#
|
263
267
|
# @!attribute [rw] token_code
|
264
268
|
# The value provided by the MFA device, if the trust policy of the
|
265
|
-
# role being assumed requires MFA (
|
266
|
-
# condition that tests for MFA). If the role being assumed
|
267
|
-
# MFA and if the `TokenCode` value is missing or expired, the
|
269
|
+
# role being assumed requires MFA. (In other words, if the policy
|
270
|
+
# includes a condition that tests for MFA). If the role being assumed
|
271
|
+
# requires MFA and if the `TokenCode` value is missing or expired, the
|
268
272
|
# `AssumeRole` call returns an "access denied" error.
|
269
273
|
#
|
270
274
|
# The format for this parameter, as described by its regex pattern, is
|
271
275
|
# a sequence of six numeric digits.
|
272
276
|
# @return [String]
|
273
277
|
#
|
278
|
+
# @!attribute [rw] source_identity
|
279
|
+
# The source identity specified by the principal that is calling the
|
280
|
+
# `AssumeRole` operation.
|
281
|
+
#
|
282
|
+
# You can require users to specify a source identity when they assume
|
283
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
284
|
+
# in a role trust policy. You can use source identity information in
|
285
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
286
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
287
|
+
# to Amazon Web Services resources based on the value of source
|
288
|
+
# identity. For more information about using source identity, see
|
289
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
290
|
+
# *IAM User Guide*.
|
291
|
+
#
|
292
|
+
# The regex used to validate this parameter is a string of characters
|
293
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
294
|
+
# spaces. You can also include underscores or any of the following
|
295
|
+
# characters: =,.@-. You cannot use a value that begins with the text
|
296
|
+
# `aws:`. This prefix is reserved for Amazon Web Services internal
|
297
|
+
# use.
|
298
|
+
#
|
299
|
+
#
|
300
|
+
#
|
301
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
302
|
+
# @return [String]
|
303
|
+
#
|
274
304
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
|
275
305
|
#
|
276
306
|
class AssumeRoleRequest < Struct.new(
|
@@ -283,13 +313,15 @@ module Aws::STS
|
|
283
313
|
:transitive_tag_keys,
|
284
314
|
:external_id,
|
285
315
|
:serial_number,
|
286
|
-
:token_code
|
316
|
+
:token_code,
|
317
|
+
:source_identity)
|
287
318
|
SENSITIVE = []
|
288
319
|
include Aws::Structure
|
289
320
|
end
|
290
321
|
|
291
322
|
# Contains the response to a successful AssumeRole request, including
|
292
|
-
# temporary
|
323
|
+
# temporary Amazon Web Services credentials that can be used to make
|
324
|
+
# Amazon Web Services requests.
|
293
325
|
#
|
294
326
|
# @!attribute [rw] credentials
|
295
327
|
# The temporary security credentials, which include an access key ID,
|
@@ -318,12 +350,37 @@ module Aws::STS
|
|
318
350
|
# means the policies and tags exceeded the allowed space.
|
319
351
|
# @return [Integer]
|
320
352
|
#
|
353
|
+
# @!attribute [rw] source_identity
|
354
|
+
# The source identity specified by the principal that is calling the
|
355
|
+
# `AssumeRole` operation.
|
356
|
+
#
|
357
|
+
# You can require users to specify a source identity when they assume
|
358
|
+
# a role. You do this by using the `sts:SourceIdentity` condition key
|
359
|
+
# in a role trust policy. You can use source identity information in
|
360
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
361
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
362
|
+
# to Amazon Web Services resources based on the value of source
|
363
|
+
# identity. For more information about using source identity, see
|
364
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
365
|
+
# *IAM User Guide*.
|
366
|
+
#
|
367
|
+
# The regex used to validate this parameter is a string of characters
|
368
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
369
|
+
# spaces. You can also include underscores or any of the following
|
370
|
+
# characters: =,.@-
|
371
|
+
#
|
372
|
+
#
|
373
|
+
#
|
374
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
375
|
+
# @return [String]
|
376
|
+
#
|
321
377
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleResponse AWS API Documentation
|
322
378
|
#
|
323
379
|
class AssumeRoleResponse < Struct.new(
|
324
380
|
:credentials,
|
325
381
|
:assumed_role_user,
|
326
|
-
:packed_policy_size
|
382
|
+
:packed_policy_size,
|
383
|
+
:source_identity)
|
327
384
|
SENSITIVE = []
|
328
385
|
include Aws::Structure
|
329
386
|
end
|
@@ -355,8 +412,7 @@ module Aws::STS
|
|
355
412
|
# @return [String]
|
356
413
|
#
|
357
414
|
# @!attribute [rw] saml_assertion
|
358
|
-
# The
|
359
|
-
# IdP.
|
415
|
+
# The base64 encoded SAML authentication response provided by the IdP.
|
360
416
|
#
|
361
417
|
# For more information, see [Configuring a Relying Party and Adding
|
362
418
|
# Claims][1] in the *IAM User Guide*.
|
@@ -372,17 +428,18 @@ module Aws::STS
|
|
372
428
|
# in the same account as the role.
|
373
429
|
#
|
374
430
|
# This parameter is optional. You can provide up to 10 managed policy
|
375
|
-
# ARNs. However, the
|
431
|
+
# ARNs. However, the plaintext that you use for both inline and
|
376
432
|
# managed session policies can't exceed 2,048 characters. For more
|
377
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
378
|
-
# Service Namespaces][1] in the
|
433
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
434
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
435
|
+
# General Reference.
|
379
436
|
#
|
380
|
-
# <note markdown="1"> An
|
381
|
-
# tags into a packed binary format that has a
|
382
|
-
# request can fail for this limit even if your
|
383
|
-
# other requirements. The `PackedPolicySize`
|
384
|
-
# indicates by percentage how close the policies and
|
385
|
-
# request are to the upper size limit.
|
437
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
438
|
+
# policies and session tags into a packed binary format that has a
|
439
|
+
# separate limit. Your request can fail for this limit even if your
|
440
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
441
|
+
# response element indicates by percentage how close the policies and
|
442
|
+
# tags for your request are to the upper size limit.
|
386
443
|
#
|
387
444
|
# </note>
|
388
445
|
#
|
@@ -390,10 +447,10 @@ module Aws::STS
|
|
390
447
|
# credentials. The resulting session's permissions are the
|
391
448
|
# intersection of the role's identity-based policy and the session
|
392
449
|
# policies. You can use the role's temporary credentials in
|
393
|
-
# subsequent
|
394
|
-
# owns the role. You cannot use session policies to grant
|
395
|
-
# permissions than those allowed by the identity-based policy of
|
396
|
-
# role that is being assumed. For more information, see [Session
|
450
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
451
|
+
# account that owns the role. You cannot use session policies to grant
|
452
|
+
# more permissions than those allowed by the identity-based policy of
|
453
|
+
# the role that is being assumed. For more information, see [Session
|
397
454
|
# Policies][2] in the *IAM User Guide*.
|
398
455
|
#
|
399
456
|
#
|
@@ -410,25 +467,25 @@ module Aws::STS
|
|
410
467
|
# returns new temporary credentials. The resulting session's
|
411
468
|
# permissions are the intersection of the role's identity-based
|
412
469
|
# policy and the session policies. You can use the role's temporary
|
413
|
-
# credentials in subsequent
|
414
|
-
# account that owns the role. You cannot use session
|
415
|
-
# more permissions than those allowed by the
|
416
|
-
# the role that is being assumed. For more
|
417
|
-
# Policies][1] in the *IAM User Guide*.
|
470
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
471
|
+
# resources in the account that owns the role. You cannot use session
|
472
|
+
# policies to grant more permissions than those allowed by the
|
473
|
+
# identity-based policy of the role that is being assumed. For more
|
474
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
418
475
|
#
|
419
|
-
# The
|
476
|
+
# The plaintext that you use for both inline and managed session
|
420
477
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
421
478
|
# can be any ASCII character from the space character to the end of
|
422
479
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
423
480
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
424
481
|
# (\\u000D) characters.
|
425
482
|
#
|
426
|
-
# <note markdown="1"> An
|
427
|
-
# tags into a packed binary format that has a
|
428
|
-
# request can fail for this limit even if your
|
429
|
-
# other requirements. The `PackedPolicySize`
|
430
|
-
# indicates by percentage how close the policies and
|
431
|
-
# request are to the upper size limit.
|
483
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
484
|
+
# policies and session tags into a packed binary format that has a
|
485
|
+
# separate limit. Your request can fail for this limit even if your
|
486
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
487
|
+
# response element indicates by percentage how close the policies and
|
488
|
+
# tags for your request are to the upper size limit.
|
432
489
|
#
|
433
490
|
# </note>
|
434
491
|
#
|
@@ -459,7 +516,7 @@ module Aws::STS
|
|
459
516
|
# credentials. The request to the federation endpoint for a console
|
460
517
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
461
518
|
# maximum length of the console session. For more information, see
|
462
|
-
# [Creating a URL that Enables Federated Users to Access the
|
519
|
+
# [Creating a URL that Enables Federated Users to Access the
|
463
520
|
# Management Console][2] in the *IAM User Guide*.
|
464
521
|
#
|
465
522
|
# </note>
|
@@ -484,8 +541,8 @@ module Aws::STS
|
|
484
541
|
end
|
485
542
|
|
486
543
|
# Contains the response to a successful AssumeRoleWithSAML request,
|
487
|
-
# including temporary
|
488
|
-
# requests.
|
544
|
+
# including temporary Amazon Web Services credentials that can be used
|
545
|
+
# to make Amazon Web Services requests.
|
489
546
|
#
|
490
547
|
# @!attribute [rw] credentials
|
491
548
|
# The temporary security credentials, which include an access key ID,
|
@@ -537,11 +594,17 @@ module Aws::STS
|
|
537
594
|
# @return [String]
|
538
595
|
#
|
539
596
|
# @!attribute [rw] name_qualifier
|
540
|
-
# A hash value based on the concatenation of the
|
541
|
-
#
|
542
|
-
#
|
543
|
-
#
|
544
|
-
#
|
597
|
+
# A hash value based on the concatenation of the following:
|
598
|
+
#
|
599
|
+
# * The `Issuer` response value.
|
600
|
+
#
|
601
|
+
# * The Amazon Web Services account ID.
|
602
|
+
#
|
603
|
+
# * The friendly name (the last part of the ARN) of the SAML provider
|
604
|
+
# in IAM.
|
605
|
+
#
|
606
|
+
# The combination of `NameQualifier` and `Subject` can be used to
|
607
|
+
# uniquely identify a federated user.
|
545
608
|
#
|
546
609
|
# The following pseudocode shows how the hash value is calculated:
|
547
610
|
#
|
@@ -549,6 +612,34 @@ module Aws::STS
|
|
549
612
|
# "/MySAMLIdP" ) )`
|
550
613
|
# @return [String]
|
551
614
|
#
|
615
|
+
# @!attribute [rw] source_identity
|
616
|
+
# The value in the `SourceIdentity` attribute in the SAML assertion.
|
617
|
+
#
|
618
|
+
# You can require users to set a source identity value when they
|
619
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
620
|
+
# condition key in a role trust policy. That way, actions that are
|
621
|
+
# taken with the role are associated with that user. After the source
|
622
|
+
# identity is set, the value cannot be changed. It is present in the
|
623
|
+
# request for all actions that are taken by the role and persists
|
624
|
+
# across [chained role][1] sessions. You can configure your SAML
|
625
|
+
# identity provider to use an attribute associated with your users,
|
626
|
+
# like user name or email, as the source identity when calling
|
627
|
+
# `AssumeRoleWithSAML`. You do this by adding an attribute to the SAML
|
628
|
+
# assertion. For more information about using source identity, see
|
629
|
+
# [Monitor and control actions taken with assumed roles][2] in the
|
630
|
+
# *IAM User Guide*.
|
631
|
+
#
|
632
|
+
# The regex used to validate this parameter is a string of characters
|
633
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
634
|
+
# spaces. You can also include underscores or any of the following
|
635
|
+
# characters: =,.@-
|
636
|
+
#
|
637
|
+
#
|
638
|
+
#
|
639
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
640
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
641
|
+
# @return [String]
|
642
|
+
#
|
552
643
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithSAMLResponse AWS API Documentation
|
553
644
|
#
|
554
645
|
class AssumeRoleWithSAMLResponse < Struct.new(
|
@@ -559,7 +650,8 @@ module Aws::STS
|
|
559
650
|
:subject_type,
|
560
651
|
:issuer,
|
561
652
|
:audience,
|
562
|
-
:name_qualifier
|
653
|
+
:name_qualifier,
|
654
|
+
:source_identity)
|
563
655
|
SENSITIVE = []
|
564
656
|
include Aws::Structure
|
565
657
|
end
|
@@ -626,17 +718,18 @@ module Aws::STS
|
|
626
718
|
# in the same account as the role.
|
627
719
|
#
|
628
720
|
# This parameter is optional. You can provide up to 10 managed policy
|
629
|
-
# ARNs. However, the
|
721
|
+
# ARNs. However, the plaintext that you use for both inline and
|
630
722
|
# managed session policies can't exceed 2,048 characters. For more
|
631
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
632
|
-
# Service Namespaces][1] in the
|
723
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
724
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
725
|
+
# General Reference.
|
633
726
|
#
|
634
|
-
# <note markdown="1"> An
|
635
|
-
# tags into a packed binary format that has a
|
636
|
-
# request can fail for this limit even if your
|
637
|
-
# other requirements. The `PackedPolicySize`
|
638
|
-
# indicates by percentage how close the policies and
|
639
|
-
# request are to the upper size limit.
|
727
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
728
|
+
# policies and session tags into a packed binary format that has a
|
729
|
+
# separate limit. Your request can fail for this limit even if your
|
730
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
731
|
+
# response element indicates by percentage how close the policies and
|
732
|
+
# tags for your request are to the upper size limit.
|
640
733
|
#
|
641
734
|
# </note>
|
642
735
|
#
|
@@ -644,10 +737,10 @@ module Aws::STS
|
|
644
737
|
# credentials. The resulting session's permissions are the
|
645
738
|
# intersection of the role's identity-based policy and the session
|
646
739
|
# policies. You can use the role's temporary credentials in
|
647
|
-
# subsequent
|
648
|
-
# owns the role. You cannot use session policies to grant
|
649
|
-
# permissions than those allowed by the identity-based policy of
|
650
|
-
# role that is being assumed. For more information, see [Session
|
740
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
741
|
+
# account that owns the role. You cannot use session policies to grant
|
742
|
+
# more permissions than those allowed by the identity-based policy of
|
743
|
+
# the role that is being assumed. For more information, see [Session
|
651
744
|
# Policies][2] in the *IAM User Guide*.
|
652
745
|
#
|
653
746
|
#
|
@@ -664,25 +757,25 @@ module Aws::STS
|
|
664
757
|
# returns new temporary credentials. The resulting session's
|
665
758
|
# permissions are the intersection of the role's identity-based
|
666
759
|
# policy and the session policies. You can use the role's temporary
|
667
|
-
# credentials in subsequent
|
668
|
-
# account that owns the role. You cannot use session
|
669
|
-
# more permissions than those allowed by the
|
670
|
-
# the role that is being assumed. For more
|
671
|
-
# Policies][1] in the *IAM User Guide*.
|
760
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
761
|
+
# resources in the account that owns the role. You cannot use session
|
762
|
+
# policies to grant more permissions than those allowed by the
|
763
|
+
# identity-based policy of the role that is being assumed. For more
|
764
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
672
765
|
#
|
673
|
-
# The
|
766
|
+
# The plaintext that you use for both inline and managed session
|
674
767
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
675
768
|
# can be any ASCII character from the space character to the end of
|
676
769
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
677
770
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
678
771
|
# (\\u000D) characters.
|
679
772
|
#
|
680
|
-
# <note markdown="1"> An
|
681
|
-
# tags into a packed binary format that has a
|
682
|
-
# request can fail for this limit even if your
|
683
|
-
# other requirements. The `PackedPolicySize`
|
684
|
-
# indicates by percentage how close the policies and
|
685
|
-
# request are to the upper size limit.
|
773
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
774
|
+
# policies and session tags into a packed binary format that has a
|
775
|
+
# separate limit. Your request can fail for this limit even if your
|
776
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
777
|
+
# response element indicates by percentage how close the policies and
|
778
|
+
# tags for your request are to the upper size limit.
|
686
779
|
#
|
687
780
|
# </note>
|
688
781
|
#
|
@@ -709,7 +802,7 @@ module Aws::STS
|
|
709
802
|
# credentials. The request to the federation endpoint for a console
|
710
803
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
711
804
|
# maximum length of the console session. For more information, see
|
712
|
-
# [Creating a URL that Enables Federated Users to Access the
|
805
|
+
# [Creating a URL that Enables Federated Users to Access the
|
713
806
|
# Management Console][2] in the *IAM User Guide*.
|
714
807
|
#
|
715
808
|
# </note>
|
@@ -735,8 +828,8 @@ module Aws::STS
|
|
735
828
|
end
|
736
829
|
|
737
830
|
# Contains the response to a successful AssumeRoleWithWebIdentity
|
738
|
-
# request, including temporary
|
739
|
-
#
|
831
|
+
# request, including temporary Amazon Web Services credentials that can
|
832
|
+
# be used to make Amazon Web Services requests.
|
740
833
|
#
|
741
834
|
# @!attribute [rw] credentials
|
742
835
|
# The temporary security credentials, which include an access key ID,
|
@@ -789,6 +882,38 @@ module Aws::STS
|
|
789
882
|
# application that requested the web identity token.
|
790
883
|
# @return [String]
|
791
884
|
#
|
885
|
+
# @!attribute [rw] source_identity
|
886
|
+
# The value of the source identity that is returned in the JSON web
|
887
|
+
# token (JWT) from the identity provider.
|
888
|
+
#
|
889
|
+
# You can require users to set a source identity value when they
|
890
|
+
# assume a role. You do this by using the `sts:SourceIdentity`
|
891
|
+
# condition key in a role trust policy. That way, actions that are
|
892
|
+
# taken with the role are associated with that user. After the source
|
893
|
+
# identity is set, the value cannot be changed. It is present in the
|
894
|
+
# request for all actions that are taken by the role and persists
|
895
|
+
# across [chained role][1] sessions. You can configure your identity
|
896
|
+
# provider to use an attribute associated with your users, like user
|
897
|
+
# name or email, as the source identity when calling
|
898
|
+
# `AssumeRoleWithWebIdentity`. You do this by adding a claim to the
|
899
|
+
# JSON web token. To learn more about OIDC tokens and claims, see
|
900
|
+
# [Using Tokens with User Pools][2] in the *Amazon Cognito Developer
|
901
|
+
# Guide*. For more information about using source identity, see
|
902
|
+
# [Monitor and control actions taken with assumed roles][3] in the
|
903
|
+
# *IAM User Guide*.
|
904
|
+
#
|
905
|
+
# The regex used to validate this parameter is a string of characters
|
906
|
+
# consisting of upper- and lower-case alphanumeric characters with no
|
907
|
+
# spaces. You can also include underscores or any of the following
|
908
|
+
# characters: =,.@-
|
909
|
+
#
|
910
|
+
#
|
911
|
+
#
|
912
|
+
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts#iam-term-role-chaining
|
913
|
+
# [2]: https://docs.aws.amazon.com/cognito/latest/developerguide/amazon-cognito-user-pools-using-tokens-with-identity-providers.html
|
914
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
915
|
+
# @return [String]
|
916
|
+
#
|
792
917
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleWithWebIdentityResponse AWS API Documentation
|
793
918
|
#
|
794
919
|
class AssumeRoleWithWebIdentityResponse < Struct.new(
|
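Review bot: The `[1]` reference added for chained role sessions has no `.html` before its fragment, unlike `[2]` and `[3]` in the same comment, so the link probably does not resolve to the role-chaining definition. It should read `# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_terms-and-concepts.html#iam-term-role-chaining`. The comment block starts above this hunk, and the class it documents continues below it.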
@@ -797,7 +922,8 @@ module Aws::STS
|
|
797
922
|
:assumed_role_user,
|
798
923
|
:packed_policy_size,
|
799
924
|
:provider,
|
800
|
-
:audience
|
925
|
+
:audience,
|
926
|
+
:source_identity)
|
801
927
|
SENSITIVE = []
|
802
928
|
include Aws::Structure
|
803
929
|
end
|
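Review bot: `:source_identity` is added to `AssumeRoleWithWebIdentityResponse` while `SENSITIVE = []` stays empty, so the new member is not marked for redaction. The attribute documentation added earlier in this file says the value can be a user name or email supplied by the identity provider, which is personal data in many deployments. If the SDK's log filtering and struct inspection consult this constant (presumably, since `log/param_filter.rb` and `structure.rb` are in this release's file list but not shown here), consider `SENSITIVE = [:source_identity]`, or add a comment that the response struct should not be logged verbatim. The struct's member list begins above this hunk.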
@@ -808,7 +934,7 @@ module Aws::STS
|
|
808
934
|
# @!attribute [rw] assumed_role_id
|
809
935
|
# A unique identifier that contains the role ID and the role session
|
810
936
|
# name of the role that is being assumed. The role ID is generated by
|
811
|
-
#
|
937
|
+
# Amazon Web Services when the role is created.
|
812
938
|
# @return [String]
|
813
939
|
#
|
814
940
|
# @!attribute [rw] arn
|
@@ -831,7 +957,7 @@ module Aws::STS
|
|
831
957
|
include Aws::Structure
|
832
958
|
end
|
833
959
|
|
834
|
-
#
|
960
|
+
# Amazon Web Services credentials for API authentication.
|
835
961
|
#
|
836
962
|
# @!attribute [rw] access_key_id
|
837
963
|
# The access key ID that identifies the temporary security
|
@@ -883,7 +1009,7 @@ module Aws::STS
|
|
883
1009
|
|
884
1010
|
# A document that contains additional information about the
|
885
1011
|
# authorization status of a request from an encoded message that is
|
886
|
-
# returned in response to an
|
1012
|
+
# returned in response to an Amazon Web Services request.
|
887
1013
|
#
|
888
1014
|
# @!attribute [rw] decoded_message
|
889
1015
|
# An XML document that contains the decoded message.
|
@@ -963,7 +1089,7 @@ module Aws::STS
|
|
963
1089
|
end
|
964
1090
|
|
965
1091
|
# @!attribute [rw] account
|
966
|
-
# The number used to identify the
|
1092
|
+
# The number used to identify the Amazon Web Services account.
|
967
1093
|
# @return [String]
|
968
1094
|
#
|
969
1095
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
|
@@ -996,12 +1122,12 @@ module Aws::STS
|
|
996
1122
|
# @return [String]
|
997
1123
|
#
|
998
1124
|
# @!attribute [rw] account
|
999
|
-
# The
|
1000
|
-
# calling entity.
|
1125
|
+
# The Amazon Web Services account ID number of the account that owns
|
1126
|
+
# or contains the calling entity.
|
1001
1127
|
# @return [String]
|
1002
1128
|
#
|
1003
1129
|
# @!attribute [rw] arn
|
1004
|
-
# The
|
1130
|
+
# The Amazon Web Services ARN associated with the calling entity.
|
1005
1131
|
# @return [String]
|
1006
1132
|
#
|
1007
1133
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse AWS API Documentation
|
@@ -1074,19 +1200,19 @@ module Aws::STS
|
|
1074
1200
|
# are granted in addition to the permissions that are granted by the
|
1075
1201
|
# session policies.
|
1076
1202
|
#
|
1077
|
-
# The
|
1203
|
+
# The plaintext that you use for both inline and managed session
|
1078
1204
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
1079
1205
|
# can be any ASCII character from the space character to the end of
|
1080
1206
|
# the valid character list (\\u0020 through \\u00FF). It can also
|
1081
1207
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
1082
1208
|
# (\\u000D) characters.
|
1083
1209
|
#
|
1084
|
-
# <note markdown="1"> An
|
1085
|
-
# tags into a packed binary format that has a
|
1086
|
-
# request can fail for this limit even if your
|
1087
|
-
# other requirements. The `PackedPolicySize`
|
1088
|
-
# indicates by percentage how close the policies and
|
1089
|
-
# request are to the upper size limit.
|
1210
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1211
|
+
# policies and session tags into a packed binary format that has a
|
1212
|
+
# separate limit. Your request can fail for this limit even if your
|
1213
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1214
|
+
# response element indicates by percentage how close the policies and
|
1215
|
+
# tags for your request are to the upper size limit.
|
1090
1216
|
#
|
1091
1217
|
# </note>
|
1092
1218
|
#
|
@@ -1104,11 +1230,12 @@ module Aws::STS
|
|
1104
1230
|
# You must pass an inline or managed [session policy][1] to this
|
1105
1231
|
# operation. You can pass a single JSON policy document to use as an
|
1106
1232
|
# inline session policy. You can also specify up to 10 managed
|
1107
|
-
# policies to use as managed session policies. The
|
1233
|
+
# policies to use as managed session policies. The plaintext that you
|
1108
1234
|
# use for both inline and managed session policies can't exceed 2,048
|
1109
1235
|
# characters. You can provide up to 10 managed policy ARNs. For more
|
1110
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
1111
|
-
# Service Namespaces][2] in the
|
1236
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
1237
|
+
# Web Services Service Namespaces][2] in the Amazon Web Services
|
1238
|
+
# General Reference.
|
1112
1239
|
#
|
1113
1240
|
# This parameter is optional. However, if you do not pass any session
|
1114
1241
|
# policies, then the resulting federated user session has no
|
@@ -1129,12 +1256,12 @@ module Aws::STS
|
|
1129
1256
|
# are granted in addition to the permissions that are granted by the
|
1130
1257
|
# session policies.
|
1131
1258
|
#
|
1132
|
-
# <note markdown="1"> An
|
1133
|
-
# tags into a packed binary format that has a
|
1134
|
-
# request can fail for this limit even if your
|
1135
|
-
# other requirements. The `PackedPolicySize`
|
1136
|
-
# indicates by percentage how close the policies and
|
1137
|
-
# request are to the upper size limit.
|
1259
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1260
|
+
# policies and session tags into a packed binary format that has a
|
1261
|
+
# separate limit. Your request can fail for this limit even if your
|
1262
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1263
|
+
# response element indicates by percentage how close the policies and
|
1264
|
+
# tags for your request are to the upper size limit.
|
1138
1265
|
#
|
1139
1266
|
# </note>
|
1140
1267
|
#
|
@@ -1148,10 +1275,11 @@ module Aws::STS
|
|
1148
1275
|
# The duration, in seconds, that the session should last. Acceptable
|
1149
1276
|
# durations for federation sessions range from 900 seconds (15
|
1150
1277
|
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1151
|
-
# hours) as the default. Sessions obtained using
|
1152
|
-
# credentials are restricted to a maximum of 3,600
|
1153
|
-
# If the specified duration is longer than one
|
1154
|
-
# obtained by using root user credentials defaults
|
1278
|
+
# hours) as the default. Sessions obtained using Amazon Web Services
|
1279
|
+
# account root user credentials are restricted to a maximum of 3,600
|
1280
|
+
# seconds (one hour). If the specified duration is longer than one
|
1281
|
+
# hour, the session obtained by using root user credentials defaults
|
1282
|
+
# to one hour.
|
1155
1283
|
# @return [Integer]
|
1156
1284
|
#
|
1157
1285
|
# @!attribute [rw] tags
|
@@ -1160,16 +1288,16 @@ module Aws::STS
|
|
1160
1288
|
# [Passing Session Tags in STS][1] in the *IAM User Guide*.
|
1161
1289
|
#
|
1162
1290
|
# This parameter is optional. You can pass up to 50 session tags. The
|
1163
|
-
#
|
1291
|
+
# plaintext session tag keys can’t exceed 128 characters and the
|
1164
1292
|
# values can’t exceed 256 characters. For these and additional limits,
|
1165
1293
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
1166
1294
|
#
|
1167
|
-
# <note markdown="1"> An
|
1168
|
-
# tags into a packed binary format that has a
|
1169
|
-
# request can fail for this limit even if your
|
1170
|
-
# other requirements. The `PackedPolicySize`
|
1171
|
-
# indicates by percentage how close the policies and
|
1172
|
-
# request are to the upper size limit.
|
1295
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed session
|
1296
|
+
# policies and session tags into a packed binary format that has a
|
1297
|
+
# separate limit. Your request can fail for this limit even if your
|
1298
|
+
# plaintext meets the other requirements. The `PackedPolicySize`
|
1299
|
+
# response element indicates by percentage how close the policies and
|
1300
|
+
# tags for your request are to the upper size limit.
|
1173
1301
|
#
|
1174
1302
|
# </note>
|
1175
1303
|
#
|
@@ -1204,8 +1332,8 @@ module Aws::STS
|
|
1204
1332
|
end
|
1205
1333
|
|
1206
1334
|
# Contains the response to a successful GetFederationToken request,
|
1207
|
-
# including temporary
|
1208
|
-
# requests.
|
1335
|
+
# including temporary Amazon Web Services credentials that can be used
|
1336
|
+
# to make Amazon Web Services requests.
|
1209
1337
|
#
|
1210
1338
|
# @!attribute [rw] credentials
|
1211
1339
|
# The temporary security credentials, which include an access key ID,
|
@@ -1255,10 +1383,10 @@ module Aws::STS
|
|
1255
1383
|
# The duration, in seconds, that the credentials should remain valid.
|
1256
1384
|
# Acceptable durations for IAM user sessions range from 900 seconds
|
1257
1385
|
# (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1258
|
-
# hours) as the default. Sessions for
|
1259
|
-
# restricted to a maximum of 3,600 seconds (one hour). If
|
1260
|
-
# is longer than one hour, the session for
|
1261
|
-
# to one hour.
|
1386
|
+
# hours) as the default. Sessions for Amazon Web Services account
|
1387
|
+
# owners are restricted to a maximum of 3,600 seconds (one hour). If
|
1388
|
+
# the duration is longer than one hour, the session for Amazon Web
|
1389
|
+
# Services account owners defaults to one hour.
|
1262
1390
|
# @return [Integer]
|
1263
1391
|
#
|
1264
1392
|
# @!attribute [rw] serial_number
|
@@ -1268,8 +1396,8 @@ module Aws::STS
|
|
1268
1396
|
# The value is either the serial number for a hardware device (such as
|
1269
1397
|
# `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
|
1270
1398
|
# device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
|
1271
|
-
# the device for an IAM user by going to the
|
1272
|
-
#
|
1399
|
+
# the device for an IAM user by going to the Management Console and
|
1400
|
+
# viewing the user's security credentials.
|
1273
1401
|
#
|
1274
1402
|
# The regex used to validate this parameter is a string of characters
|
1275
1403
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -1300,8 +1428,8 @@ module Aws::STS
|
|
1300
1428
|
end
|
1301
1429
|
|
1302
1430
|
# Contains the response to a successful GetSessionToken request,
|
1303
|
-
# including temporary
|
1304
|
-
# requests.
|
1431
|
+
# including temporary Amazon Web Services credentials that can be used
|
1432
|
+
# to make Amazon Web Services requests.
|
1305
1433
|
#
|
1306
1434
|
# @!attribute [rw] credentials
|
1307
1435
|
# The temporary security credentials, which include an access key ID,
|
@@ -1373,9 +1501,9 @@ module Aws::STS
|
|
1373
1501
|
include Aws::Structure
|
1374
1502
|
end
|
1375
1503
|
|
1376
|
-
# The web identity token that was passed could not be validated by
|
1377
|
-
# Get a new identity token from the identity
|
1378
|
-
# request.
|
1504
|
+
# The web identity token that was passed could not be validated by
|
1505
|
+
# Amazon Web Services. Get a new identity token from the identity
|
1506
|
+
# provider and then retry the request.
|
1379
1507
|
#
|
1380
1508
|
# @!attribute [rw] message
|
1381
1509
|
# @return [String]
|
@@ -1403,12 +1531,13 @@ module Aws::STS
|
|
1403
1531
|
end
|
1404
1532
|
|
1405
1533
|
# The request was rejected because the total packed size of the session
|
1406
|
-
# policies and session tags combined was too large. An
|
1407
|
-
# compresses the session policy document, session
|
1408
|
-
# session tags into a packed binary format that has a
|
1409
|
-
# The error message indicates by percentage how close
|
1410
|
-
# tags are to the upper size limit. For more
|
1411
|
-
# Session Tags in STS][1] in the *IAM User
|
1534
|
+
# policies and session tags combined was too large. An Amazon Web
|
1535
|
+
# Services conversion compresses the session policy document, session
|
1536
|
+
# policy ARNs, and session tags into a packed binary format that has a
|
1537
|
+
# separate limit. The error message indicates by percentage how close
|
1538
|
+
# the policies and tags are to the upper size limit. For more
|
1539
|
+
# information, see [Passing Session Tags in STS][1] in the *IAM User
|
1540
|
+
# Guide*.
|
1412
1541
|
#
|
1413
1542
|
# You could receive this error even though you meet other defined
|
1414
1543
|
# session policy and session tag limits. For more information, see [IAM
|
@@ -1443,8 +1572,8 @@ module Aws::STS
|
|
1443
1572
|
# @!attribute [rw] arn
|
1444
1573
|
# The Amazon Resource Name (ARN) of the IAM managed policy to use as a
|
1445
1574
|
# session policy for the role. For more information about ARNs, see
|
1446
|
-
# [Amazon Resource Names (ARNs) and
|
1447
|
-
# *
|
1575
|
+
# [Amazon Resource Names (ARNs) and Amazon Web Services Service
|
1576
|
+
# Namespaces][1] in the *Amazon Web Services General Reference*.
|
1448
1577
|
#
|
1449
1578
|
#
|
1450
1579
|
#
|
@@ -1462,8 +1591,8 @@ module Aws::STS
|
|
1462
1591
|
# STS is not activated in the requested region for the account that is
|
1463
1592
|
# being asked to generate credentials. The account administrator must
|
1464
1593
|
# use the IAM console to activate STS in that region. For more
|
1465
|
-
# information, see [Activating and Deactivating
|
1466
|
-
# Region][1] in the *IAM User Guide*.
|
1594
|
+
# information, see [Activating and Deactivating Amazon Web Services STS
|
1595
|
+
# in an Amazon Web Services Region][1] in the *IAM User Guide*.
|
1467
1596
|
#
|
1468
1597
|
#
|
1469
1598
|
#
|
@@ -1483,7 +1612,7 @@ module Aws::STS
|
|
1483
1612
|
# You can pass custom key-value pair attributes when you assume a role
|
1484
1613
|
# or federate a user. These are called session tags. You can then use
|
1485
1614
|
# the session tags to control access to resources. For more information,
|
1486
|
-
# see [Tagging
|
1615
|
+
# see [Tagging STS Sessions][1] in the *IAM User Guide*.
|
1487
1616
|
#
|
1488
1617
|
#
|
1489
1618
|
#
|