aws-sdk-core 3.114.0 → 3.116.0

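--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: 05c92208568d6da15a22a13751f95250f41f75aee075c229041d9e5143508541
- data.tar.gz: 117caabce8194db97c873fd92597cbfcd1628f35f218233c7dd45d745e0796af
+ metadata.gz: 7a1315234c9e3c212dc0e7c1b4dda2c92280857fb0217248d353f399e7eb8687
+ data.tar.gz: fb0e2a094c882762c95c3d528f5a006a126b5001c74dd026f34058e35cbeff01
  SHA512:
- metadata.gz: c02e113926180f3a3fc82788b1017501ca7ff1e247dbaded8d3ea78cd35d3f5e4fb2c2e546e8327b1060d61824feab5750f820a04a3ae4d406c82c3ca25ad905
- data.tar.gz: e6eca7b1d0823f668bcff24331006def2d46ff43672da88612472e4ec2474f1bba1b0dc410f6e4a6897017f21cf7e4a452614a4657228d5246d3fba3895703a7
+ metadata.gz: fb9e12d6ca261891f84891af10f57218bf1cfc6d7d7d40826b60790c48b2dc8e7400413ac8ae5772dc9521dcfaa184fdf1560d34a21b9983f97771d355cc6fb1
+ data.tar.gz: 13326486b1cb0062e20a8fc766146baa548361ee0b147250ca87f0a8f6ef8beee00cf0d0d90ad8cba96df9c3cd23bff4b14f002f9279184b1c651f2f8366e669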
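--- a/data/CHANGELOG.md
+++ b/data/CHANGELOG.md
@@ -1,6 +1,32 @@
  Unreleased Changes
  ------------------
 
+ 3.116.0 (2021-07-07)
+ ------------------
+
+ * Feature - Updated Aws::STS::Client with the latest API changes.
+
+ 3.115.0 (2021-06-23)
+ ------------------
+
+ * Feature - Add support for Assume Role Chaining in profiles. (#2531)
+ * Issue - Fixed an issue with `Seahorse::Client::H2::Connection` for non-https endpoints. (#2542)
+
+ 3.114.3 (2021-06-15)
+ ------------------
+
+ * Issue - Fixed an issue with `Aws::PageableResponse` where it was modifying original params hash, causing frozen hashes to fail.
+
+ 3.114.2 (2021-06-09)
+ ------------------
+
+ * Issue - Fixed an issue with `Aws::PageableResponse` where intentionally nil tokens were not merged into the params for the next call.
+
+ 3.114.1 (2021-06-02)
+ ------------------
+
+ * Issue - Change XML Builder to not indent by default
+
  3.114.0 (2021-04-13)
  ------------------
 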
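--- a/data/VERSION
+++ b/data/VERSION
@@ -1 +1 @@
- 3.114.0
+ 3.116.0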
@@ -210,6 +210,10 @@ module Aws
210
210
  # Raised when SSO Credentials are invalid
211
211
  class InvalidSSOCredentials < RuntimeError; end
212
212
 
213
+ # Raised when there is a circular reference in chained
214
+ # source_profiles
215
+ class SourceProfileCircularReferenceError < RuntimeError; end
216
+
213
217
  # Raised when a client is constructed and region is not specified.
214
218
  class MissingRegionError < ArgumentError
215
219
  def initialize(*args)
@@ -115,7 +115,13 @@ module Aws
115
115
  # @return [Hash] Returns the hash of request parameters for the
116
116
  # next page, merging any given params.
117
117
  def next_page_params(params)
118
- context[:original_params].merge(@pager.next_tokens(self).merge(params))
118
+ # Remove all previous tokens from original params
119
+ # Sometimes a token can be nil and merge would not include it.
120
+ tokens = @pager.tokens.values.map(&:to_sym)
121
+
122
+ params_without_tokens = context[:original_params].reject { |k, _v| tokens.include?(k) }
123
+ params_without_tokens.merge!(@pager.next_tokens(self).merge(params))
124
+ params_without_tokens
119
125
  end
120
126
 
121
127
  # Raised when calling {PageableResponse#next_page} on a pager that
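Review bot: `@pager.tokens.values` is called unconditionally at new line 120, yet the reader added in the pager hunk that follows is documented as `# @return [Hash, nil]`, so if nil is really possible a pager without tokens raises NoMethodError inside `next_page_params`. Either guard the call, `tokens = (@pager.tokens || {}).values.map(&:to_sym)`, or tighten the doc to `# @return [Hash]` if the constructor always supplies a hash (the constructor is not visible here). The `reject` also assumes every token value names a top-level key of `context[:original_params]`; a one-line comment stating that assumption would help the next reader.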
@@ -18,6 +18,9 @@ module Aws
18
18
  # @return [Symbol, nil]
19
19
  attr_reader :limit_key
20
20
 
21
+ # @return [Hash, nil]
22
+ attr_reader :tokens
23
+
21
24
  # @param [Seahorse::Client::Response] response
22
25
  # @return [Hash]
23
26
  def next_tokens(response)
@@ -205,6 +205,7 @@ module Aws
205
205
  'a credential_source. For assume role credentials, must '\
206
206
  'provide only source_profile or credential_source, not both.'
207
207
  elsif opts[:source_profile]
208
+ opts[:visited_profiles] ||= Set.new
208
209
  opts[:credentials] = resolve_source_profile(opts[:source_profile], opts)
209
210
  if opts[:credentials]
210
211
  opts[:role_session_name] ||= prof_cfg['role_session_name']
@@ -214,6 +215,7 @@ module Aws
214
215
  opts[:external_id] ||= prof_cfg['external_id']
215
216
  opts[:serial_number] ||= prof_cfg['mfa_serial']
216
217
  opts[:profile] = opts.delete(:source_profile)
218
+ opts.delete(:visited_profiles)
217
219
  AssumeRoleCredentials.new(opts)
218
220
  else
219
221
  raise Errors::NoSourceProfileError,
@@ -246,8 +248,21 @@ module Aws
246
248
  end
247
249
 
248
250
  def resolve_source_profile(profile, opts = {})
251
+ if opts[:visited_profiles] && opts[:visited_profiles].include?(profile)
252
+ raise Errors::SourceProfileCircularReferenceError
253
+ end
254
+ opts[:visited_profiles].add(profile) if opts[:visited_profiles]
255
+
256
+ profile_config = @parsed_credentials[profile]
257
+ if @config_enabled
258
+ profile_config ||= @parsed_config[profile]
259
+ end
260
+
249
261
  if (creds = credentials(profile: profile))
250
262
  creds # static credentials
263
+ elsif profile_config && profile_config['source_profile']
264
+ opts.delete(:source_profile)
265
+ assume_role_credentials_from_config(opts.merge(profile: profile))
251
266
  elsif (provider = assume_role_web_identity_credentials_from_config(opts.merge(profile: profile)))
252
267
  provider.credentials if provider.credentials.set?
253
268
  elsif (provider = assume_role_process_credentials_from_config(profile))
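Review bot: The new chained branch calls `opts.delete(:source_profile)` on the hash the caller passed in, and the caller in the earlier hunk hands over its own `opts` (new line 209) and later runs `opts[:profile] = opts.delete(:source_profile)` (new line 217), so after a chained resolution `opts[:profile]` looks like it ends up nil. If the delete is only meant to keep the inner call from inheriting the key, do it on the copy: `inner = opts.merge(profile: profile)`, `inner.delete(:source_profile)`, `assume_role_credentials_from_config(inner)`. The `raise Errors::SourceProfileCircularReferenceError` also carries no message; naming the profile, e.g. `raise Errors::SourceProfileCircularReferenceError, "source_profile chain loops back to profile '#{profile}'"`, lets an operator find the offending entry in the credentials or config file. The nil guard here is `@config_enabled`, while the `credential_process` hunk further down tests `@parsed_config` for the same kind of lookup; one of the two should be used consistently. resolve_source_profile continues past the end of this hunk.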
@@ -274,7 +289,10 @@ module Aws
274
289
 
275
290
  def assume_role_process_credentials_from_config(profile)
276
291
  validate_profile_exists(profile)
277
- credential_process = @parsed_config[profile]['credential_process']
292
+ credential_process = @parsed_credentials.fetch(profile, {})['credential_process']
293
+ if @parsed_config
294
+ credential_process ||= @parsed_config.fetch(profile, {})['credential_process']
295
+ end
278
296
  ProcessCredentials.new(credential_process) if credential_process
279
297
  end
280
298
 
@@ -8,8 +8,7 @@ module Aws
8
8
  # AWS CLI with the correct profile.
9
9
  #
10
10
  # For more background on AWS SSO see the official
11
- # {what is SSO}[https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html]
12
- # page.
11
+ # {https://docs.aws.amazon.com/singlesignon/latest/userguide/what-is.html what is SSO Userguide}
13
12
  #
14
13
  # ## Refreshing Credentials from SSO
15
14
  #
@@ -29,7 +29,7 @@ module Aws
29
29
  private
30
30
 
31
31
  def content_type(api)
32
- "application/x-amz-json-#{api.metadata['jsonVerison']}"
32
+ "application/x-amz-json-#{api.metadata['jsonVersion']}"
33
33
  end
34
34
 
35
35
  def build_body(operation, data)
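Review bot: `api.metadata['jsonVersion']` still fails silently when the key is absent, which is how the misspelled key survived: a nil lookup interpolates as an empty string and `content_type` quietly returned `application/x-amz-json-` with no version. If `api.metadata` is a plain Hash and every JSON-protocol API defines the key (neither is visible in this hunk), `api.metadata.fetch('jsonVersion')` would turn the next such typo into an immediate KeyError. At minimum a spec asserting the full header value belongs with this fix.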
@@ -11,7 +11,7 @@ module Aws
11
11
  def initialize(rules, options = {})
12
12
  @rules = rules
13
13
  @xml = options[:target] || []
14
- indent = options[:indent] || ' '
14
+ indent = options[:indent] || ''
15
15
  pad = options[:pad] || ''
16
16
  @builder = DocBuilder.new(target: @xml, indent: indent, pad: pad)
17
17
  end
data/lib/aws-sdk-sso.rb CHANGED
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sso/customizations'
50
50
  # @!group service
51
51
  module Aws::SSO
52
52
 
53
- GEM_VERSION = '3.114.0'
53
+ GEM_VERSION = '3.116.0'
54
54
 
55
55
  end
@@ -523,7 +523,7 @@ module Aws::SSO
523
523
  params: params,
524
524
  config: config)
525
525
  context[:gem_name] = 'aws-sdk-core'
526
- context[:gem_version] = '3.114.0'
526
+ context[:gem_version] = '3.116.0'
527
527
  Seahorse::Client::Request.new(handlers, context)
528
528
  end
529
529
 
data/lib/aws-sdk-sts.rb CHANGED
@@ -50,6 +50,6 @@ require_relative 'aws-sdk-sts/customizations'
50
50
  # @!group service
51
51
  module Aws::STS
52
52
 
53
- GEM_VERSION = '3.114.0'
53
+ GEM_VERSION = '3.116.0'
54
54
 
55
55
  end
@@ -335,20 +335,21 @@ module Aws::STS
335
335
  # @!group API Operations
336
336
 
337
337
  # Returns a set of temporary security credentials that you can use to
338
- # access AWS resources that you might not normally have access to. These
339
- # temporary credentials consist of an access key ID, a secret access
340
- # key, and a security token. Typically, you use `AssumeRole` within your
341
- # account or for cross-account access. For a comparison of `AssumeRole`
342
- # with other API operations that produce temporary credentials, see
343
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
344
- # STS API operations][2] in the *IAM User Guide*.
338
+ # access Amazon Web Services resources that you might not normally have
339
+ # access to. These temporary credentials consist of an access key ID, a
340
+ # secret access key, and a security token. Typically, you use
341
+ # `AssumeRole` within your account or for cross-account access. For a
342
+ # comparison of `AssumeRole` with other API operations that produce
343
+ # temporary credentials, see [Requesting Temporary Security
344
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
345
+ # User Guide*.
345
346
  #
346
347
  # **Permissions**
347
348
  #
348
349
  # The temporary security credentials created by `AssumeRole` can be used
349
- # to make API calls to any AWS service with the following exception: You
350
- # cannot call the AWS STS `GetFederationToken` or `GetSessionToken` API
351
- # operations.
350
+ # to make API calls to any Amazon Web Services service with the
351
+ # following exception: You cannot call the STS `GetFederationToken` or
352
+ # `GetSessionToken` API operations.
352
353
  #
353
354
  # (Optional) You can pass inline or managed [session policies][3] to
354
355
  # this operation. You can pass a single JSON policy document to use as
@@ -358,13 +359,14 @@ module Aws::STS
358
359
  # characters. Passing policies to this operation returns new temporary
359
360
  # credentials. The resulting session's permissions are the intersection
360
361
  # of the role's identity-based policy and the session policies. You can
361
- # use the role's temporary credentials in subsequent AWS API calls to
362
- # access resources in the account that owns the role. You cannot use
363
- # session policies to grant more permissions than those allowed by the
364
- # identity-based policy of the role that is being assumed. For more
365
- # information, see [Session Policies][3] in the *IAM User Guide*.
362
+ # use the role's temporary credentials in subsequent Amazon Web
363
+ # Services API calls to access resources in the account that owns the
364
+ # role. You cannot use session policies to grant more permissions than
365
+ # those allowed by the identity-based policy of the role that is being
366
+ # assumed. For more information, see [Session Policies][3] in the *IAM
367
+ # User Guide*.
366
368
  #
367
- # To assume a role from a different account, your AWS account must be
369
+ # To assume a role from a different account, your account must be
368
370
  # trusted by the role. The trust relationship is defined in the role's
369
371
  # trust policy when the role is created. That trust policy states which
370
372
  # accounts are allowed to delegate that access to users in the account.
@@ -408,12 +410,12 @@ module Aws::STS
408
410
  # (Optional) You can include multi-factor authentication (MFA)
409
411
  # information when you call `AssumeRole`. This is useful for
410
412
  # cross-account scenarios to ensure that the user that assumes the role
411
- # has been authenticated with an AWS MFA device. In that scenario, the
412
- # trust policy of the role being assumed includes a condition that tests
413
- # for MFA authentication. If the caller does not include valid MFA
414
- # information, the request to assume the role is denied. The condition
415
- # in a trust policy that tests for MFA authentication might look like
416
- # the following example.
413
+ # has been authenticated with an Amazon Web Services MFA device. In that
414
+ # scenario, the trust policy of the role being assumed includes a
415
+ # condition that tests for MFA authentication. If the caller does not
416
+ # include valid MFA information, the request to assume the role is
417
+ # denied. The condition in a trust policy that tests for MFA
418
+ # authentication might look like the following example.
417
419
  #
418
420
  # `"Condition": \{"Bool": \{"aws:MultiFactorAuthPresent": true\}\}`
419
421
  #
@@ -449,7 +451,7 @@ module Aws::STS
449
451
  # also used in the ARN of the assumed role principal. This means that
450
452
  # subsequent cross-account API requests that use the temporary security
451
453
  # credentials will expose the role session name to the external account
452
- # in their AWS CloudTrail logs.
454
+ # in their CloudTrail logs.
453
455
  #
454
456
  # The regex used to validate this parameter is a string of characters
455
457
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -464,26 +466,27 @@ module Aws::STS
464
466
  # This parameter is optional. You can provide up to 10 managed policy
465
467
  # ARNs. However, the plaintext that you use for both inline and managed
466
468
  # session policies can't exceed 2,048 characters. For more information
467
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
468
- # Namespaces][1] in the AWS General Reference.
469
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
470
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
469
471
  #
470
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
471
- # tags into a packed binary format that has a separate limit. Your
472
- # request can fail for this limit even if your plaintext meets the other
473
- # requirements. The `PackedPolicySize` response element indicates by
474
- # percentage how close the policies and tags for your request are to the
475
- # upper size limit.
472
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
473
+ # policies and session tags into a packed binary format that has a
474
+ # separate limit. Your request can fail for this limit even if your
475
+ # plaintext meets the other requirements. The `PackedPolicySize`
476
+ # response element indicates by percentage how close the policies and
477
+ # tags for your request are to the upper size limit.
476
478
  #
477
479
  # </note>
478
480
  #
479
481
  # Passing policies to this operation returns new temporary credentials.
480
482
  # The resulting session's permissions are the intersection of the
481
483
  # role's identity-based policy and the session policies. You can use
482
- # the role's temporary credentials in subsequent AWS API calls to
483
- # access resources in the account that owns the role. You cannot use
484
- # session policies to grant more permissions than those allowed by the
485
- # identity-based policy of the role that is being assumed. For more
486
- # information, see [Session Policies][2] in the *IAM User Guide*.
484
+ # the role's temporary credentials in subsequent Amazon Web Services
485
+ # API calls to access resources in the account that owns the role. You
486
+ # cannot use session policies to grant more permissions than those
487
+ # allowed by the identity-based policy of the role that is being
488
+ # assumed. For more information, see [Session Policies][2] in the *IAM
489
+ # User Guide*.
487
490
  #
488
491
  #
489
492
  #
@@ -498,11 +501,11 @@ module Aws::STS
498
501
  # new temporary credentials. The resulting session's permissions are
499
502
  # the intersection of the role's identity-based policy and the session
500
503
  # policies. You can use the role's temporary credentials in subsequent
501
- # AWS API calls to access resources in the account that owns the role.
502
- # You cannot use session policies to grant more permissions than those
503
- # allowed by the identity-based policy of the role that is being
504
- # assumed. For more information, see [Session Policies][1] in the *IAM
505
- # User Guide*.
504
+ # Amazon Web Services API calls to access resources in the account that
505
+ # owns the role. You cannot use session policies to grant more
506
+ # permissions than those allowed by the identity-based policy of the
507
+ # role that is being assumed. For more information, see [Session
508
+ # Policies][1] in the *IAM User Guide*.
506
509
  #
507
510
  # The plaintext that you use for both inline and managed session
508
511
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -511,12 +514,12 @@ module Aws::STS
511
514
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
512
515
  # characters.
513
516
  #
514
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
515
- # tags into a packed binary format that has a separate limit. Your
516
- # request can fail for this limit even if your plaintext meets the other
517
- # requirements. The `PackedPolicySize` response element indicates by
518
- # percentage how close the policies and tags for your request are to the
519
- # upper size limit.
517
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
518
+ # policies and session tags into a packed binary format that has a
519
+ # separate limit. Your request can fail for this limit even if your
520
+ # plaintext meets the other requirements. The `PackedPolicySize`
521
+ # response element indicates by percentage how close the policies and
522
+ # tags for your request are to the upper size limit.
520
523
  #
521
524
  # </note>
522
525
  #
@@ -543,8 +546,8 @@ module Aws::STS
543
546
  # The request to the federation endpoint for a console sign-in token
544
547
  # takes a `SessionDuration` parameter that specifies the maximum length
545
548
  # of the console session. For more information, see [Creating a URL that
546
- # Enables Federated Users to Access the AWS Management Console][2] in
547
- # the *IAM User Guide*.
549
+ # Enables Federated Users to Access the Management Console][2] in the
550
+ # *IAM User Guide*.
548
551
  #
549
552
  # </note>
550
553
  #
@@ -556,7 +559,7 @@ module Aws::STS
556
559
  # @option params [Array<Types::Tag>] :tags
557
560
  # A list of session tags that you want to pass. Each session tag
558
561
  # consists of a key name and an associated value. For more information
559
- # about session tags, see [Tagging AWS STS Sessions][1] in the *IAM User
562
+ # about session tags, see [Tagging STS Sessions][1] in the *IAM User
560
563
  # Guide*.
561
564
  #
562
565
  # This parameter is optional. You can pass up to 50 session tags. The
@@ -564,12 +567,12 @@ module Aws::STS
564
567
  # can’t exceed 256 characters. For these and additional limits, see [IAM
565
568
  # and STS Character Limits][2] in the *IAM User Guide*.
566
569
  #
567
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
568
- # tags into a packed binary format that has a separate limit. Your
569
- # request can fail for this limit even if your plaintext meets the other
570
- # requirements. The `PackedPolicySize` response element indicates by
571
- # percentage how close the policies and tags for your request are to the
572
- # upper size limit.
570
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
571
+ # policies and session tags into a packed binary format that has a
572
+ # separate limit. Your request can fail for this limit even if your
573
+ # plaintext meets the other requirements. The `PackedPolicySize`
574
+ # response element indicates by percentage how close the policies and
575
+ # tags for your request are to the upper size limit.
573
576
  #
574
577
  # </note>
575
578
  #
@@ -588,8 +591,8 @@ module Aws::STS
588
591
  # operation, the new session inherits any transitive session tags from
589
592
  # the calling session. If you pass a session tag with the same key as an
590
593
  # inherited tag, the operation fails. To view the inherited tags for a
591
- # session, see the AWS CloudTrail logs. For more information, see
592
- # [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
594
+ # session, see the CloudTrail logs. For more information, see [Viewing
595
+ # Session Tags in CloudTrail][3] in the *IAM User Guide*.
593
596
  #
594
597
  #
595
598
  #
@@ -625,7 +628,8 @@ module Aws::STS
625
628
  # trusted account. That way, only someone with the ID can assume the
626
629
  # role, rather than everyone in the account. For more information about
627
630
  # the external ID, see [How to Use an External ID When Granting Access
628
- # to Your AWS Resources to a Third Party][1] in the *IAM User Guide*.
631
+ # to Your Amazon Web Services Resources to a Third Party][1] in the *IAM
632
+ # User Guide*.
629
633
  #
630
634
  # The regex used to validate this parameter is a string of characters
631
635
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -666,18 +670,18 @@ module Aws::STS
666
670
  #
667
671
  # You can require users to specify a source identity when they assume a
668
672
  # role. You do this by using the `sts:SourceIdentity` condition key in a
669
- # role trust policy. You can use source identity information in AWS
673
+ # role trust policy. You can use source identity information in
670
674
  # CloudTrail logs to determine who took actions with a role. You can use
671
675
  # the `aws:SourceIdentity` condition key to further control access to
672
- # AWS resources based on the value of source identity. For more
673
- # information about using source identity, see [Monitor and control
674
- # actions taken with assumed roles][1] in the *IAM User Guide*.
676
+ # Amazon Web Services resources based on the value of source identity.
677
+ # For more information about using source identity, see [Monitor and
678
+ # control actions taken with assumed roles][1] in the *IAM User Guide*.
675
679
  #
676
680
  # The regex used to validate this parameter is a string of characters
677
681
  # consisting of upper- and lower-case alphanumeric characters with no
678
682
  # spaces. You can also include underscores or any of the following
679
683
  # characters: =,.@-. You cannot use a value that begins with the text
680
- # `aws:`. This prefix is reserved for AWS internal use.
684
+ # `aws:`. This prefix is reserved for Amazon Web Services internal use.
681
685
  #
682
686
  #
683
687
  #
@@ -781,16 +785,17 @@ module Aws::STS
781
785
  # Returns a set of temporary security credentials for users who have
782
786
  # been authenticated via a SAML authentication response. This operation
783
787
  # provides a mechanism for tying an enterprise identity store or
784
- # directory to role-based AWS access without user-specific credentials
785
- # or configuration. For a comparison of `AssumeRoleWithSAML` with the
786
- # other API operations that produce temporary credentials, see
787
- # [Requesting Temporary Security Credentials][1] and [Comparing the AWS
788
- # STS API operations][2] in the *IAM User Guide*.
788
+ # directory to role-based Amazon Web Services access without
789
+ # user-specific credentials or configuration. For a comparison of
790
+ # `AssumeRoleWithSAML` with the other API operations that produce
791
+ # temporary credentials, see [Requesting Temporary Security
792
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
793
+ # User Guide*.
789
794
  #
790
795
  # The temporary security credentials returned by this operation consist
791
796
  # of an access key ID, a secret access key, and a security token.
792
797
  # Applications can use these temporary security credentials to sign
793
- # calls to AWS services.
798
+ # calls to Amazon Web Services services.
794
799
  #
795
800
  # **Session Duration**
796
801
  #
@@ -810,22 +815,22 @@ module Aws::STS
810
815
  # use those operations to create a console URL. For more information,
811
816
  # see [Using IAM Roles][4] in the *IAM User Guide*.
812
817
  #
813
- # <note markdown="1"> [Role chaining][5] limits your AWS CLI or AWS API role session to a
814
- # maximum of one hour. When you use the `AssumeRole` API operation to
815
- # assume a role, you can specify the duration of your role session with
816
- # the `DurationSeconds` parameter. You can specify a parameter value of
817
- # up to 43200 seconds (12 hours), depending on the maximum session
818
- # duration setting for your role. However, if you assume a role using
819
- # role chaining and provide a `DurationSeconds` parameter value greater
820
- # than one hour, the operation fails.
818
+ # <note markdown="1"> [Role chaining][5] limits your CLI or Amazon Web Services API role
819
+ # session to a maximum of one hour. When you use the `AssumeRole` API
820
+ # operation to assume a role, you can specify the duration of your role
821
+ # session with the `DurationSeconds` parameter. You can specify a
822
+ # parameter value of up to 43200 seconds (12 hours), depending on the
823
+ # maximum session duration setting for your role. However, if you assume
824
+ # a role using role chaining and provide a `DurationSeconds` parameter
825
+ # value greater than one hour, the operation fails.
821
826
  #
822
827
  # </note>
823
828
  #
824
829
  # **Permissions**
825
830
  #
826
831
  # The temporary security credentials created by `AssumeRoleWithSAML` can
827
- # be used to make API calls to any AWS service with the following
828
- # exception: you cannot call the STS `GetFederationToken` or
832
+ # be used to make API calls to any Amazon Web Services service with the
833
+ # following exception: you cannot call the STS `GetFederationToken` or
829
834
  # `GetSessionToken` API operations.
830
835
  #
831
836
  # (Optional) You can pass inline or managed [session policies][6] to
@@ -836,22 +841,23 @@ module Aws::STS
836
841
  # characters. Passing policies to this operation returns new temporary
837
842
  # credentials. The resulting session's permissions are the intersection
838
843
  # of the role's identity-based policy and the session policies. You can
839
- # use the role's temporary credentials in subsequent AWS API calls to
840
- # access resources in the account that owns the role. You cannot use
841
- # session policies to grant more permissions than those allowed by the
842
- # identity-based policy of the role that is being assumed. For more
843
- # information, see [Session Policies][6] in the *IAM User Guide*.
844
- #
845
- # Calling `AssumeRoleWithSAML` does not require the use of AWS security
846
- # credentials. The identity of the caller is validated by using keys in
847
- # the metadata document that is uploaded for the SAML provider entity
848
- # for your identity provider.
849
- #
850
- # Calling `AssumeRoleWithSAML` can result in an entry in your AWS
851
- # CloudTrail logs. The entry includes the value in the `NameID` element
852
- # of the SAML assertion. We recommend that you use a `NameIDType` that
853
- # is not associated with any personally identifiable information (PII).
854
- # For example, you could instead use the persistent identifier
844
+ # use the role's temporary credentials in subsequent Amazon Web
845
+ # Services API calls to access resources in the account that owns the
846
+ # role. You cannot use session policies to grant more permissions than
847
+ # those allowed by the identity-based policy of the role that is being
848
+ # assumed. For more information, see [Session Policies][6] in the *IAM
849
+ # User Guide*.
850
+ #
851
+ # Calling `AssumeRoleWithSAML` does not require the use of Amazon Web
852
+ # Services security credentials. The identity of the caller is validated
853
+ # by using keys in the metadata document that is uploaded for the SAML
854
+ # provider entity for your identity provider.
855
+ #
856
+ # Calling `AssumeRoleWithSAML` can result in an entry in your CloudTrail
857
+ # logs. The entry includes the value in the `NameID` element of the SAML
858
+ # assertion. We recommend that you use a `NameIDType` that is not
859
+ # associated with any personally identifiable information (PII). For
860
+ # example, you could instead use the persistent identifier
855
861
  # (`urn:oasis:names:tc:SAML:2.0:nameid-format:persistent`).
856
862
  #
857
863
  # **Tags**
@@ -866,12 +872,12 @@ module Aws::STS
866
872
  # characters. For these and additional limits, see [IAM and STS
867
873
  # Character Limits][8] in the *IAM User Guide*.
868
874
  #
869
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
870
- # tags into a packed binary format that has a separate limit. Your
871
- # request can fail for this limit even if your plaintext meets the other
872
- # requirements. The `PackedPolicySize` response element indicates by
873
- # percentage how close the policies and tags for your request are to the
874
- # upper size limit.
875
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
876
+ # policies and session tags into a packed binary format that has a
877
+ # separate limit. Your request can fail for this limit even if your
878
+ # plaintext meets the other requirements. The `PackedPolicySize`
879
+ # response element indicates by percentage how close the policies and
880
+ # tags for your request are to the upper size limit.
875
881
  #
876
882
  # </note>
877
883
  #
@@ -893,10 +899,11 @@ module Aws::STS
893
899
  #
894
900
  # Before your application can call `AssumeRoleWithSAML`, you must
895
901
  # configure your SAML identity provider (IdP) to issue the claims
896
- # required by AWS. Additionally, you must use AWS Identity and Access
897
- # Management (IAM) to create a SAML provider entity in your AWS account
898
- # that represents your identity provider. You must also create an IAM
899
- # role that specifies this SAML provider in its trust policy.
902
+ # required by Amazon Web Services. Additionally, you must use Identity
903
+ # and Access Management (IAM) to create a SAML provider entity in your
904
+ # Amazon Web Services account that represents your identity provider.
905
+ # You must also create an IAM role that specifies this SAML provider in
906
+ # its trust policy.
900
907
  #
901
908
  # For more information, see the following resources:
902
909
  #
@@ -953,26 +960,27 @@ module Aws::STS
953
960
  # This parameter is optional. You can provide up to 10 managed policy
954
961
  # ARNs. However, the plaintext that you use for both inline and managed
955
962
  # session policies can't exceed 2,048 characters. For more information
956
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
957
- # Namespaces][1] in the AWS General Reference.
963
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
964
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
958
965
  #
959
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
960
- # tags into a packed binary format that has a separate limit. Your
961
- # request can fail for this limit even if your plaintext meets the other
962
- # requirements. The `PackedPolicySize` response element indicates by
963
- # percentage how close the policies and tags for your request are to the
964
- # upper size limit.
966
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
967
+ # policies and session tags into a packed binary format that has a
968
+ # separate limit. Your request can fail for this limit even if your
969
+ # plaintext meets the other requirements. The `PackedPolicySize`
970
+ # response element indicates by percentage how close the policies and
971
+ # tags for your request are to the upper size limit.
965
972
  #
966
973
  # </note>
967
974
  #
968
975
  # Passing policies to this operation returns new temporary credentials.
969
976
  # The resulting session's permissions are the intersection of the
970
977
  # role's identity-based policy and the session policies. You can use
971
- # the role's temporary credentials in subsequent AWS API calls to
972
- # access resources in the account that owns the role. You cannot use
973
- # session policies to grant more permissions than those allowed by the
974
- # identity-based policy of the role that is being assumed. For more
975
- # information, see [Session Policies][2] in the *IAM User Guide*.
978
+ # the role's temporary credentials in subsequent Amazon Web Services
979
+ # API calls to access resources in the account that owns the role. You
980
+ # cannot use session policies to grant more permissions than those
981
+ # allowed by the identity-based policy of the role that is being
982
+ # assumed. For more information, see [Session Policies][2] in the *IAM
983
+ # User Guide*.
976
984
  #
977
985
  #
978
986
  #
@@ -987,11 +995,11 @@ module Aws::STS
987
995
  # new temporary credentials. The resulting session's permissions are
988
996
  # the intersection of the role's identity-based policy and the session
989
997
  # policies. You can use the role's temporary credentials in subsequent
990
- # AWS API calls to access resources in the account that owns the role.
991
- # You cannot use session policies to grant more permissions than those
992
- # allowed by the identity-based policy of the role that is being
993
- # assumed. For more information, see [Session Policies][1] in the *IAM
994
- # User Guide*.
998
+ # Amazon Web Services API calls to access resources in the account that
999
+ # owns the role. You cannot use session policies to grant more
1000
+ # permissions than those allowed by the identity-based policy of the
1001
+ # role that is being assumed. For more information, see [Session
1002
+ # Policies][1] in the *IAM User Guide*.
995
1003
  #
996
1004
  # The plaintext that you use for both inline and managed session
997
1005
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -1000,12 +1008,12 @@ module Aws::STS
1000
1008
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1001
1009
  # characters.
1002
1010
  #
1003
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1004
- # tags into a packed binary format that has a separate limit. Your
1005
- # request can fail for this limit even if your plaintext meets the other
1006
- # requirements. The `PackedPolicySize` response element indicates by
1007
- # percentage how close the policies and tags for your request are to the
1008
- # upper size limit.
1011
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1012
+ # policies and session tags into a packed binary format that has a
1013
+ # separate limit. Your request can fail for this limit even if your
1014
+ # plaintext meets the other requirements. The `PackedPolicySize`
1015
+ # response element indicates by percentage how close the policies and
1016
+ # tags for your request are to the upper size limit.
1009
1017
  #
1010
1018
  # </note>
1011
1019
  #
@@ -1034,8 +1042,8 @@ module Aws::STS
1034
1042
  # The request to the federation endpoint for a console sign-in token
1035
1043
  # takes a `SessionDuration` parameter that specifies the maximum length
1036
1044
  # of the console session. For more information, see [Creating a URL that
1037
- # Enables Federated Users to Access the AWS Management Console][2] in
1038
- # the *IAM User Guide*.
1045
+ # Enables Federated Users to Access the Management Console][2] in the
1046
+ # *IAM User Guide*.
1039
1047
  #
1040
1048
  # </note>
1041
1049
  #
@@ -1132,33 +1140,36 @@ module Aws::STS
1132
1140
  # Facebook, Google, or any OpenID Connect-compatible identity provider.
1133
1141
  #
1134
1142
  # <note markdown="1"> For mobile applications, we recommend that you use Amazon Cognito. You
1135
- # can use Amazon Cognito with the [AWS SDK for iOS Developer Guide][1]
1136
- # and the [AWS SDK for Android Developer Guide][2] to uniquely identify
1137
- # a user. You can also supply the user with a consistent identity
1138
- # throughout the lifetime of an application.
1143
+ # can use Amazon Cognito with the [Amazon Web Services SDK for iOS
1144
+ # Developer Guide][1] and the [Amazon Web Services SDK for Android
1145
+ # Developer Guide][2] to uniquely identify a user. You can also supply
1146
+ # the user with a consistent identity throughout the lifetime of an
1147
+ # application.
1139
1148
  #
1140
1149
  # To learn more about Amazon Cognito, see [Amazon Cognito Overview][3]
1141
- # in *AWS SDK for Android Developer Guide* and [Amazon Cognito
1142
- # Overview][4] in the *AWS SDK for iOS Developer Guide*.
1150
+ # in *Amazon Web Services SDK for Android Developer Guide* and [Amazon
1151
+ # Cognito Overview][4] in the *Amazon Web Services SDK for iOS Developer
1152
+ # Guide*.
1143
1153
  #
1144
1154
  # </note>
1145
1155
  #
1146
- # Calling `AssumeRoleWithWebIdentity` does not require the use of AWS
1147
- # security credentials. Therefore, you can distribute an application
1148
- # (for example, on mobile devices) that requests temporary security
1149
- # credentials without including long-term AWS credentials in the
1150
- # application. You also don't need to deploy server-based proxy
1151
- # services that use long-term AWS credentials. Instead, the identity of
1152
- # the caller is validated by using a token from the web identity
1153
- # provider. For a comparison of `AssumeRoleWithWebIdentity` with the
1154
- # other API operations that produce temporary credentials, see
1155
- # [Requesting Temporary Security Credentials][5] and [Comparing the AWS
1156
- # STS API operations][6] in the *IAM User Guide*.
1156
+ # Calling `AssumeRoleWithWebIdentity` does not require the use of Amazon
1157
+ # Web Services security credentials. Therefore, you can distribute an
1158
+ # application (for example, on mobile devices) that requests temporary
1159
+ # security credentials without including long-term Amazon Web Services
1160
+ # credentials in the application. You also don't need to deploy
1161
+ # server-based proxy services that use long-term Amazon Web Services
1162
+ # credentials. Instead, the identity of the caller is validated by using
1163
+ # a token from the web identity provider. For a comparison of
1164
+ # `AssumeRoleWithWebIdentity` with the other API operations that produce
1165
+ # temporary credentials, see [Requesting Temporary Security
1166
+ # Credentials][5] and [Comparing the STS API operations][6] in the *IAM
1167
+ # User Guide*.
1157
1168
  #
1158
1169
  # The temporary security credentials returned by this API consist of an
1159
1170
  # access key ID, a secret access key, and a security token. Applications
1160
- # can use these temporary security credentials to sign calls to AWS
1161
- # service API operations.
1171
+ # can use these temporary security credentials to sign calls to Amazon
1172
+ # Web Services service API operations.
1162
1173
  #
1163
1174
  # **Session Duration**
1164
1175
  #
@@ -1178,9 +1189,9 @@ module Aws::STS
1178
1189
  # **Permissions**
1179
1190
  #
1180
1191
  # The temporary security credentials created by
1181
- # `AssumeRoleWithWebIdentity` can be used to make API calls to any AWS
1182
- # service with the following exception: you cannot call the STS
1183
- # `GetFederationToken` or `GetSessionToken` API operations.
1192
+ # `AssumeRoleWithWebIdentity` can be used to make API calls to any
1193
+ # Amazon Web Services service with the following exception: you cannot
1194
+ # call the STS `GetFederationToken` or `GetSessionToken` API operations.
1184
1195
  #
1185
1196
  # (Optional) You can pass inline or managed [session policies][9] to
1186
1197
  # this operation. You can pass a single JSON policy document to use as
@@ -1190,11 +1201,12 @@ module Aws::STS
1190
1201
  # characters. Passing policies to this operation returns new temporary
1191
1202
  # credentials. The resulting session's permissions are the intersection
1192
1203
  # of the role's identity-based policy and the session policies. You can
1193
- # use the role's temporary credentials in subsequent AWS API calls to
1194
- # access resources in the account that owns the role. You cannot use
1195
- # session policies to grant more permissions than those allowed by the
1196
- # identity-based policy of the role that is being assumed. For more
1197
- # information, see [Session Policies][9] in the *IAM User Guide*.
1204
+ # use the role's temporary credentials in subsequent Amazon Web
1205
+ # Services API calls to access resources in the account that owns the
1206
+ # role. You cannot use session policies to grant more permissions than
1207
+ # those allowed by the identity-based policy of the role that is being
1208
+ # assumed. For more information, see [Session Policies][9] in the *IAM
1209
+ # User Guide*.
1198
1210
  #
1199
1211
  # **Tags**
1200
1212
  #
@@ -1208,12 +1220,12 @@ module Aws::STS
1208
1220
  # characters. For these and additional limits, see [IAM and STS
1209
1221
  # Character Limits][11] in the *IAM User Guide*.
1210
1222
  #
1211
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1212
- # tags into a packed binary format that has a separate limit. Your
1213
- # request can fail for this limit even if your plaintext meets the other
1214
- # requirements. The `PackedPolicySize` response element indicates by
1215
- # percentage how close the policies and tags for your request are to the
1216
- # upper size limit.
1223
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1224
+ # policies and session tags into a packed binary format that has a
1225
+ # separate limit. Your request can fail for this limit even if your
1226
+ # plaintext meets the other requirements. The `PackedPolicySize`
1227
+ # response element indicates by percentage how close the policies and
1228
+ # tags for your request are to the upper size limit.
1217
1229
  #
1218
1230
  # </note>
1219
1231
  #
@@ -1240,7 +1252,7 @@ module Aws::STS
1240
1252
  # identity token. In other words, the identity provider must be
1241
1253
  # specified in the role's trust policy.
1242
1254
  #
1243
- # Calling `AssumeRoleWithWebIdentity` can result in an entry in your AWS
1255
+ # Calling `AssumeRoleWithWebIdentity` can result in an entry in your
1244
1256
  # CloudTrail logs. The entry includes the [Subject][14] of the provided
1245
1257
  # web identity token. We recommend that you avoid using any personally
1246
1258
  # identifiable information (PII) in this field. For example, you could
@@ -1256,13 +1268,13 @@ module Aws::STS
1256
1268
  # * [ Web Identity Federation Playground][18]. Walk through the process
1257
1269
  # of authenticating through Login with Amazon, Facebook, or Google,
1258
1270
  # getting temporary security credentials, and then using those
1259
- # credentials to make a request to AWS.
1271
+ # credentials to make a request to Amazon Web Services.
1260
1272
  #
1261
- # * [AWS SDK for iOS Developer Guide][1] and [AWS SDK for Android
1262
- # Developer Guide][2]. These toolkits contain sample apps that show
1263
- # how to invoke the identity providers. The toolkits then show how to
1264
- # use the information from these providers to get and use temporary
1265
- # security credentials.
1273
+ # * [Amazon Web Services SDK for iOS Developer Guide][1] and [Amazon Web
1274
+ # Services SDK for Android Developer Guide][2]. These toolkits contain
1275
+ # sample apps that show how to invoke the identity providers. The
1276
+ # toolkits then show how to use the information from these providers
1277
+ # to get and use temporary security credentials.
1266
1278
  #
1267
1279
  # * [Web Identity Federation with Mobile Applications][19]. This article
1268
1280
  # discusses web identity federation and shows an example of how to use
@@ -1333,26 +1345,27 @@ module Aws::STS
1333
1345
  # This parameter is optional. You can provide up to 10 managed policy
1334
1346
  # ARNs. However, the plaintext that you use for both inline and managed
1335
1347
  # session policies can't exceed 2,048 characters. For more information
1336
- # about ARNs, see [Amazon Resource Names (ARNs) and AWS Service
1337
- # Namespaces][1] in the AWS General Reference.
1348
+ # about ARNs, see [Amazon Resource Names (ARNs) and Amazon Web Services
1349
+ # Service Namespaces][1] in the Amazon Web Services General Reference.
1338
1350
  #
1339
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1340
- # tags into a packed binary format that has a separate limit. Your
1341
- # request can fail for this limit even if your plaintext meets the other
1342
- # requirements. The `PackedPolicySize` response element indicates by
1343
- # percentage how close the policies and tags for your request are to the
1344
- # upper size limit.
1351
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1352
+ # policies and session tags into a packed binary format that has a
1353
+ # separate limit. Your request can fail for this limit even if your
1354
+ # plaintext meets the other requirements. The `PackedPolicySize`
1355
+ # response element indicates by percentage how close the policies and
1356
+ # tags for your request are to the upper size limit.
1345
1357
  #
1346
1358
  # </note>
1347
1359
  #
1348
1360
  # Passing policies to this operation returns new temporary credentials.
1349
1361
  # The resulting session's permissions are the intersection of the
1350
1362
  # role's identity-based policy and the session policies. You can use
1351
- # the role's temporary credentials in subsequent AWS API calls to
1352
- # access resources in the account that owns the role. You cannot use
1353
- # session policies to grant more permissions than those allowed by the
1354
- # identity-based policy of the role that is being assumed. For more
1355
- # information, see [Session Policies][2] in the *IAM User Guide*.
1363
+ # the role's temporary credentials in subsequent Amazon Web Services
1364
+ # API calls to access resources in the account that owns the role. You
1365
+ # cannot use session policies to grant more permissions than those
1366
+ # allowed by the identity-based policy of the role that is being
1367
+ # assumed. For more information, see [Session Policies][2] in the *IAM
1368
+ # User Guide*.
1356
1369
  #
1357
1370
  #
1358
1371
  #
@@ -1367,11 +1380,11 @@ module Aws::STS
1367
1380
  # new temporary credentials. The resulting session's permissions are
1368
1381
  # the intersection of the role's identity-based policy and the session
1369
1382
  # policies. You can use the role's temporary credentials in subsequent
1370
- # AWS API calls to access resources in the account that owns the role.
1371
- # You cannot use session policies to grant more permissions than those
1372
- # allowed by the identity-based policy of the role that is being
1373
- # assumed. For more information, see [Session Policies][1] in the *IAM
1374
- # User Guide*.
1383
+ # Amazon Web Services API calls to access resources in the account that
1384
+ # owns the role. You cannot use session policies to grant more
1385
+ # permissions than those allowed by the identity-based policy of the
1386
+ # role that is being assumed. For more information, see [Session
1387
+ # Policies][1] in the *IAM User Guide*.
1375
1388
  #
1376
1389
  # The plaintext that you use for both inline and managed session
1377
1390
  # policies can't exceed 2,048 characters. The JSON policy characters
@@ -1380,12 +1393,12 @@ module Aws::STS
1380
1393
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1381
1394
  # characters.
1382
1395
  #
1383
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1384
- # tags into a packed binary format that has a separate limit. Your
1385
- # request can fail for this limit even if your plaintext meets the other
1386
- # requirements. The `PackedPolicySize` response element indicates by
1387
- # percentage how close the policies and tags for your request are to the
1388
- # upper size limit.
1396
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1397
+ # policies and session tags into a packed binary format that has a
1398
+ # separate limit. Your request can fail for this limit even if your
1399
+ # plaintext meets the other requirements. The `PackedPolicySize`
1400
+ # response element indicates by percentage how close the policies and
1401
+ # tags for your request are to the upper size limit.
1389
1402
  #
1390
1403
  # </note>
1391
1404
  #
@@ -1411,8 +1424,8 @@ module Aws::STS
1411
1424
  # The request to the federation endpoint for a console sign-in token
1412
1425
  # takes a `SessionDuration` parameter that specifies the maximum length
1413
1426
  # of the console session. For more information, see [Creating a URL that
1414
- # Enables Federated Users to Access the AWS Management Console][2] in
1415
- # the *IAM User Guide*.
1427
+ # Enables Federated Users to Access the Management Console][2] in the
1428
+ # *IAM User Guide*.
1416
1429
  #
1417
1430
  # </note>
1418
1431
  #
@@ -1501,19 +1514,19 @@ module Aws::STS
1501
1514
  end
1502
1515
 
1503
1516
  # Decodes additional information about the authorization status of a
1504
- # request from an encoded message returned in response to an AWS
1505
- # request.
1517
+ # request from an encoded message returned in response to an Amazon Web
1518
+ # Services request.
1506
1519
  #
1507
1520
  # For example, if a user is not authorized to perform an operation that
1508
1521
  # he or she has requested, the request returns a
1509
1522
  # `Client.UnauthorizedOperation` response (an HTTP 403 response). Some
1510
- # AWS operations additionally return an encoded message that can provide
1511
- # details about this authorization failure.
1523
+ # Amazon Web Services operations additionally return an encoded message
1524
+ # that can provide details about this authorization failure.
1512
1525
  #
1513
- # <note markdown="1"> Only certain AWS operations return an encoded authorization message.
1514
- # The documentation for an individual operation indicates whether that
1515
- # operation returns an encoded message in addition to returning an HTTP
1516
- # code.
1526
+ # <note markdown="1"> Only certain Amazon Web Services operations return an encoded
1527
+ # authorization message. The documentation for an individual operation
1528
+ # indicates whether that operation returns an encoded message in
1529
+ # addition to returning an HTTP code.
1517
1530
  #
1518
1531
  # </note>
1519
1532
  #
@@ -1589,15 +1602,16 @@ module Aws::STS
1589
1602
  # *IAM User Guide*.
1590
1603
  #
1591
1604
  # When you pass an access key ID to this operation, it returns the ID of
1592
- # the AWS account to which the keys belong. Access key IDs beginning
1593
- # with `AKIA` are long-term credentials for an IAM user or the AWS
1594
- # account root user. Access key IDs beginning with `ASIA` are temporary
1595
- # credentials that are created using STS operations. If the account in
1596
- # the response belongs to you, you can sign in as the root user and
1597
- # review your root user access keys. Then, you can pull a [credentials
1598
- # report][2] to learn which IAM user owns the keys. To learn who
1599
- # requested the temporary credentials for an `ASIA` access key, view the
1600
- # STS events in your [CloudTrail logs][3] in the *IAM User Guide*.
1605
+ # the Amazon Web Services account to which the keys belong. Access key
1606
+ # IDs beginning with `AKIA` are long-term credentials for an IAM user or
1607
+ # the Amazon Web Services account root user. Access key IDs beginning
1608
+ # with `ASIA` are temporary credentials that are created using STS
1609
+ # operations. If the account in the response belongs to you, you can
1610
+ # sign in as the root user and review your root user access keys. Then,
1611
+ # you can pull a [credentials report][2] to learn which IAM user owns
1612
+ # the keys. To learn who requested the temporary credentials for an
1613
+ # `ASIA` access key, view the STS events in your [CloudTrail logs][3] in
1614
+ # the *IAM User Guide*.
1601
1615
  #
1602
1616
  # This operation does not indicate the state of the access key. The key
1603
1617
  # might be active, inactive, or deleted. Active keys might not have
@@ -1734,8 +1748,8 @@ module Aws::STS
1734
1748
  # can be safely stored, usually in a server-based application. For a
1735
1749
  # comparison of `GetFederationToken` with the other API operations that
1736
1750
  # produce temporary credentials, see [Requesting Temporary Security
1737
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
1738
- # *IAM User Guide*.
1751
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
1752
+ # User Guide*.
1739
1753
  #
1740
1754
  # <note markdown="1"> You can create a mobile-based or browser-based app that can
1741
1755
  # authenticate users using a web identity provider like Login with
@@ -1747,27 +1761,29 @@ module Aws::STS
1747
1761
  # </note>
1748
1762
  #
1749
1763
  # You can also call `GetFederationToken` using the security credentials
1750
- # of an AWS account root user, but we do not recommend it. Instead, we
1751
- # recommend that you create an IAM user for the purpose of the proxy
1752
- # application. Then attach a policy to the IAM user that limits
1753
- # federated users to only the actions and resources that they need to
1754
- # access. For more information, see [IAM Best Practices][5] in the *IAM
1755
- # User Guide*.
1764
+ # of an Amazon Web Services account root user, but we do not recommend
1765
+ # it. Instead, we recommend that you create an IAM user for the purpose
1766
+ # of the proxy application. Then attach a policy to the IAM user that
1767
+ # limits federated users to only the actions and resources that they
1768
+ # need to access. For more information, see [IAM Best Practices][5] in
1769
+ # the *IAM User Guide*.
1756
1770
  #
1757
1771
  # **Session duration**
1758
1772
  #
1759
1773
  # The temporary credentials are valid for the specified duration, from
1760
1774
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1761
1775
  # hours). The default session duration is 43,200 seconds (12 hours).
1762
- # Temporary credentials that are obtained by using AWS account root user
1763
- # credentials have a maximum duration of 3,600 seconds (1 hour).
1776
+ # Temporary credentials that are obtained by using Amazon Web Services
1777
+ # account root user credentials have a maximum duration of 3,600 seconds
1778
+ # (1 hour).
1764
1779
  #
1765
1780
  # **Permissions**
1766
1781
  #
1767
1782
  # You can use the temporary credentials created by `GetFederationToken`
1768
- # in any AWS service except the following:
1783
+ # in any Amazon Web Services service except the following:
1769
1784
  #
1770
- # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1785
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1786
+ # Services API.
1771
1787
  #
1772
1788
  # * You cannot call any STS operations except `GetCallerIdentity`.
1773
1789
  #
@@ -1813,27 +1829,29 @@ module Aws::STS
1813
1829
  # </note>
1814
1830
  #
1815
1831
  # You can also call `GetFederationToken` using the security credentials
1816
- # of an AWS account root user, but we do not recommend it. Instead, we
1817
- # recommend that you create an IAM user for the purpose of the proxy
1818
- # application. Then attach a policy to the IAM user that limits
1819
- # federated users to only the actions and resources that they need to
1820
- # access. For more information, see [IAM Best Practices][5] in the *IAM
1821
- # User Guide*.
1832
+ # of an Amazon Web Services account root user, but we do not recommend
1833
+ # it. Instead, we recommend that you create an IAM user for the purpose
1834
+ # of the proxy application. Then attach a policy to the IAM user that
1835
+ # limits federated users to only the actions and resources that they
1836
+ # need to access. For more information, see [IAM Best Practices][5] in
1837
+ # the *IAM User Guide*.
1822
1838
  #
1823
1839
  # **Session duration**
1824
1840
  #
1825
1841
  # The temporary credentials are valid for the specified duration, from
1826
1842
  # 900 seconds (15 minutes) up to a maximum of 129,600 seconds (36
1827
1843
  # hours). The default session duration is 43,200 seconds (12 hours).
1828
- # Temporary credentials that are obtained by using AWS account root user
1829
- # credentials have a maximum duration of 3,600 seconds (1 hour).
1844
+ # Temporary credentials that are obtained by using Amazon Web Services
1845
+ # account root user credentials have a maximum duration of 3,600 seconds
1846
+ # (1 hour).
1830
1847
  #
1831
1848
  # **Permissions**
1832
1849
  #
1833
1850
  # You can use the temporary credentials created by `GetFederationToken`
1834
- # in any AWS service except the following:
1851
+ # in any Amazon Web Services service except the following:
1835
1852
  #
1836
- # * You cannot call any IAM operations using the AWS CLI or the AWS API.
1853
+ # * You cannot call any IAM operations using the CLI or the Amazon Web
1854
+ # Services API.
1837
1855
  #
1838
1856
  # * You cannot call any STS operations except `GetCallerIdentity`.
1839
1857
  #
@@ -1941,12 +1959,12 @@ module Aws::STS
1941
1959
  # the tab (\\u0009), linefeed (\\u000A), and carriage return (\\u000D)
1942
1960
  # characters.
1943
1961
  #
1944
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1945
- # tags into a packed binary format that has a separate limit. Your
1946
- # request can fail for this limit even if your plaintext meets the other
1947
- # requirements. The `PackedPolicySize` response element indicates by
1948
- # percentage how close the policies and tags for your request are to the
1949
- # upper size limit.
1962
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
1963
+ # policies and session tags into a packed binary format that has a
1964
+ # separate limit. Your request can fail for this limit even if your
1965
+ # plaintext meets the other requirements. The `PackedPolicySize`
1966
+ # response element indicates by percentage how close the policies and
1967
+ # tags for your request are to the upper size limit.
1950
1968
  #
1951
1969
  # </note>
1952
1970
  #
@@ -1965,8 +1983,9 @@ module Aws::STS
1965
1983
  # to use as managed session policies. The plaintext that you use for
1966
1984
  # both inline and managed session policies can't exceed 2,048
1967
1985
  # characters. You can provide up to 10 managed policy ARNs. For more
1968
- # information about ARNs, see [Amazon Resource Names (ARNs) and AWS
1969
- # Service Namespaces][2] in the AWS General Reference.
1986
+ # information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
1987
+ # Web Services Service Namespaces][2] in the Amazon Web Services General
1988
+ # Reference.
1970
1989
  #
1971
1990
  # This parameter is optional. However, if you do not pass any session
1972
1991
  # policies, then the resulting federated user session has no
@@ -1987,12 +2006,12 @@ module Aws::STS
1987
2006
  # are granted in addition to the permissions that are granted by the
1988
2007
  # session policies.
1989
2008
  #
1990
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
1991
- # tags into a packed binary format that has a separate limit. Your
1992
- # request can fail for this limit even if your plaintext meets the other
1993
- # requirements. The `PackedPolicySize` response element indicates by
1994
- # percentage how close the policies and tags for your request are to the
1995
- # upper size limit.
2009
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2010
+ # policies and session tags into a packed binary format that has a
2011
+ # separate limit. Your request can fail for this limit even if your
2012
+ # plaintext meets the other requirements. The `PackedPolicySize`
2013
+ # response element indicates by percentage how close the policies and
2014
+ # tags for your request are to the upper size limit.
1996
2015
  #
1997
2016
  # </note>
1998
2017
  #
@@ -2005,10 +2024,10 @@ module Aws::STS
2005
2024
  # The duration, in seconds, that the session should last. Acceptable
2006
2025
  # durations for federation sessions range from 900 seconds (15 minutes)
2007
2026
  # to 129,600 seconds (36 hours), with 43,200 seconds (12 hours) as the
2008
- # default. Sessions obtained using AWS account root user credentials are
2009
- # restricted to a maximum of 3,600 seconds (one hour). If the specified
2010
- # duration is longer than one hour, the session obtained by using root
2011
- # user credentials defaults to one hour.
2027
+ # default. Sessions obtained using Amazon Web Services account root user
2028
+ # credentials are restricted to a maximum of 3,600 seconds (one hour).
2029
+ # If the specified duration is longer than one hour, the session
2030
+ # obtained by using root user credentials defaults to one hour.
2012
2031
  #
2013
2032
  # @option params [Array<Types::Tag>] :tags
2014
2033
  # A list of session tags. Each session tag consists of a key name and an
@@ -2020,12 +2039,12 @@ module Aws::STS
2020
2039
  # can’t exceed 256 characters. For these and additional limits, see [IAM
2021
2040
  # and STS Character Limits][2] in the *IAM User Guide*.
2022
2041
  #
2023
- # <note markdown="1"> An AWS conversion compresses the passed session policies and session
2024
- # tags into a packed binary format that has a separate limit. Your
2025
- # request can fail for this limit even if your plaintext meets the other
2026
- # requirements. The `PackedPolicySize` response element indicates by
2027
- # percentage how close the policies and tags for your request are to the
2028
- # upper size limit.
2042
+ # <note markdown="1"> An Amazon Web Services conversion compresses the passed session
2043
+ # policies and session tags into a packed binary format that has a
2044
+ # separate limit. Your request can fail for this limit even if your
2045
+ # plaintext meets the other requirements. The `PackedPolicySize`
2046
+ # response element indicates by percentage how close the policies and
2047
+ # tags for your request are to the upper size limit.
2029
2048
  #
2030
2049
  # </note>
2031
2050
  #
@@ -2123,37 +2142,38 @@ module Aws::STS
2123
2142
  req.send_request(options)
2124
2143
  end
2125
2144
 
2126
- # Returns a set of temporary credentials for an AWS account or IAM user.
2127
- # The credentials consist of an access key ID, a secret access key, and
2128
- # a security token. Typically, you use `GetSessionToken` if you want to
2129
- # use MFA to protect programmatic calls to specific AWS API operations
2130
- # like Amazon EC2 `StopInstances`. MFA-enabled IAM users would need to
2131
- # call `GetSessionToken` and submit an MFA code that is associated with
2132
- # their MFA device. Using the temporary security credentials that are
2133
- # returned from the call, IAM users can then make programmatic calls to
2134
- # API operations that require MFA authentication. If you do not supply a
2145
+ # Returns a set of temporary credentials for an Amazon Web Services
2146
+ # account or IAM user. The credentials consist of an access key ID, a
2147
+ # secret access key, and a security token. Typically, you use
2148
+ # `GetSessionToken` if you want to use MFA to protect programmatic calls
2149
+ # to specific Amazon Web Services API operations like Amazon EC2
2150
+ # `StopInstances`. MFA-enabled IAM users would need to call
2151
+ # `GetSessionToken` and submit an MFA code that is associated with their
2152
+ # MFA device. Using the temporary security credentials that are returned
2153
+ # from the call, IAM users can then make programmatic calls to API
2154
+ # operations that require MFA authentication. If you do not supply a
2135
2155
  # correct MFA code, then the API returns an access denied error. For a
2136
2156
  # comparison of `GetSessionToken` with the other API operations that
2137
2157
  # produce temporary credentials, see [Requesting Temporary Security
2138
- # Credentials][1] and [Comparing the AWS STS API operations][2] in the
2139
- # *IAM User Guide*.
2158
+ # Credentials][1] and [Comparing the STS API operations][2] in the *IAM
2159
+ # User Guide*.
2140
2160
  #
2141
2161
  # **Session Duration**
2142
2162
  #
2143
2163
  # The `GetSessionToken` operation must be called by using the long-term
2144
- # AWS security credentials of the AWS account root user or an IAM user.
2145
- # Credentials that are created by IAM users are valid for the duration
2146
- # that you specify. This duration can range from 900 seconds (15
2147
- # minutes) up to a maximum of 129,600 seconds (36 hours), with a default
2148
- # of 43,200 seconds (12 hours). Credentials based on account credentials
2149
- # can range from 900 seconds (15 minutes) up to 3,600 seconds (1 hour),
2150
- # with a default of 1 hour.
2164
+ # Amazon Web Services security credentials of the Amazon Web Services
2165
+ # account root user or an IAM user. Credentials that are created by IAM
2166
+ # users are valid for the duration that you specify. This duration can
2167
+ # range from 900 seconds (15 minutes) up to a maximum of 129,600 seconds
2168
+ # (36 hours), with a default of 43,200 seconds (12 hours). Credentials
2169
+ # based on account credentials can range from 900 seconds (15 minutes)
2170
+ # up to 3,600 seconds (1 hour), with a default of 1 hour.
2151
2171
  #
2152
2172
  # **Permissions**
2153
2173
  #
2154
2174
  # The temporary security credentials created by `GetSessionToken` can be
2155
- # used to make API calls to any AWS service with the following
2156
- # exceptions:
2175
+ # used to make API calls to any Amazon Web Services service with the
2176
+ # following exceptions:
2157
2177
  #
2158
2178
  # * You cannot call any IAM API operations unless MFA authentication
2159
2179
  # information is included in the request.
@@ -2161,20 +2181,21 @@ module Aws::STS
2161
2181
  # * You cannot call any STS API *except* `AssumeRole` or
2162
2182
  # `GetCallerIdentity`.
2163
2183
  #
2164
- # <note markdown="1"> We recommend that you do not call `GetSessionToken` with AWS account
2165
- # root user credentials. Instead, follow our [best practices][3] by
2166
- # creating one or more IAM users, giving them the necessary permissions,
2167
- # and using IAM users for everyday interaction with AWS.
2184
+ # <note markdown="1"> We recommend that you do not call `GetSessionToken` with Amazon Web
2185
+ # Services account root user credentials. Instead, follow our [best
2186
+ # practices][3] by creating one or more IAM users, giving them the
2187
+ # necessary permissions, and using IAM users for everyday interaction
2188
+ # with Amazon Web Services.
2168
2189
  #
2169
2190
  # </note>
2170
2191
  #
2171
2192
  # The credentials that are returned by `GetSessionToken` are based on
2172
2193
  # permissions associated with the user whose credentials were used to
2173
- # call the operation. If `GetSessionToken` is called using AWS account
2174
- # root user credentials, the temporary credentials have root user
2175
- # permissions. Similarly, if `GetSessionToken` is called using the
2176
- # credentials of an IAM user, the temporary credentials have the same
2177
- # permissions as the IAM user.
2194
+ # call the operation. If `GetSessionToken` is called using Amazon Web
2195
+ # Services account root user credentials, the temporary credentials have
2196
+ # root user permissions. Similarly, if `GetSessionToken` is called using
2197
+ # the credentials of an IAM user, the temporary credentials have the
2198
+ # same permissions as the IAM user.
2178
2199
  #
2179
2200
  # For more information about using `GetSessionToken` to create temporary
2180
2201
  # credentials, go to [Temporary Credentials for Users in Untrusted
@@ -2191,9 +2212,10 @@ module Aws::STS
2191
2212
  # The duration, in seconds, that the credentials should remain valid.
2192
2213
  # Acceptable durations for IAM user sessions range from 900 seconds (15
2193
2214
  # minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12 hours)
2194
- # as the default. Sessions for AWS account owners are restricted to a
2195
- # maximum of 3,600 seconds (one hour). If the duration is longer than
2196
- # one hour, the session for AWS account owners defaults to one hour.
2215
+ # as the default. Sessions for Amazon Web Services account owners are
2216
+ # restricted to a maximum of 3,600 seconds (one hour). If the duration
2217
+ # is longer than one hour, the session for Amazon Web Services account
2218
+ # owners defaults to one hour.
2197
2219
  #
2198
2220
  # @option params [String] :serial_number
2199
2221
  # The identification number of the MFA device that is associated with
@@ -2202,8 +2224,8 @@ module Aws::STS
2202
2224
  # The value is either the serial number for a hardware device (such as
2203
2225
  # `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual device
2204
2226
  # (such as `arn:aws:iam::123456789012:mfa/user`). You can find the
2205
- # device for an IAM user by going to the AWS Management Console and
2206
- # viewing the user's security credentials.
2227
+ # device for an IAM user by going to the Management Console and viewing
2228
+ # the user's security credentials.
2207
2229
  #
2208
2230
  # The regex used to validate this parameter is a string of characters
2209
2231
  # consisting of upper- and lower-case alphanumeric characters with no
@@ -2281,7 +2303,7 @@ module Aws::STS
2281
2303
  params: params,
2282
2304
  config: config)
2283
2305
  context[:gem_name] = 'aws-sdk-core'
2284
- context[:gem_version] = '3.114.0'
2306
+ context[:gem_version] = '3.116.0'
2285
2307
  Seahorse::Client::Request.new(handlers, context)
2286
2308
  end
2287
2309