aws-sdk-core 3.114.0 → 3.180.2
- checksums.yaml +4 -4
- data/CHANGELOG.md +617 -0
- data/VERSION +1 -1
- data/lib/aws-defaults/default_configuration.rb +153 -0
- data/lib/aws-defaults/defaults_mode_config_resolver.rb +107 -0
- data/lib/aws-defaults.rb +3 -0
- data/lib/aws-sdk-core/arn.rb +13 -0
- data/lib/aws-sdk-core/assume_role_credentials.rb +21 -7
- data/lib/aws-sdk-core/assume_role_web_identity_credentials.rb +14 -10
- data/lib/aws-sdk-core/binary/encode_handler.rb +12 -1
- data/lib/aws-sdk-core/client_stubs.rb +5 -1
- data/lib/aws-sdk-core/credential_provider.rb +3 -0
- data/lib/aws-sdk-core/credential_provider_chain.rb +10 -6
- data/lib/aws-sdk-core/ec2_metadata.rb +27 -7
- data/lib/aws-sdk-core/ecs_credentials.rb +121 -53
- data/lib/aws-sdk-core/endpoints/condition.rb +41 -0
- data/lib/aws-sdk-core/endpoints/endpoint.rb +17 -0
- data/lib/aws-sdk-core/endpoints/endpoint_rule.rb +75 -0
- data/lib/aws-sdk-core/endpoints/error_rule.rb +42 -0
- data/lib/aws-sdk-core/endpoints/function.rb +80 -0
- data/lib/aws-sdk-core/endpoints/matchers.rb +127 -0
- data/lib/aws-sdk-core/endpoints/reference.rb +31 -0
- data/lib/aws-sdk-core/endpoints/rule.rb +25 -0
- data/lib/aws-sdk-core/endpoints/rule_set.rb +52 -0
- data/lib/aws-sdk-core/endpoints/rules_provider.rb +37 -0
- data/lib/aws-sdk-core/endpoints/templater.rb +58 -0
- data/lib/aws-sdk-core/endpoints/tree_rule.rb +45 -0
- data/lib/aws-sdk-core/endpoints/url.rb +60 -0
- data/lib/aws-sdk-core/endpoints.rb +78 -0
- data/lib/aws-sdk-core/errors.rb +18 -1
- data/lib/aws-sdk-core/ini_parser.rb +7 -0
- data/lib/aws-sdk-core/instance_profile_credentials.rb +124 -18
- data/lib/aws-sdk-core/json/error_handler.rb +20 -1
- data/lib/aws-sdk-core/json/json_engine.rb +10 -8
- data/lib/aws-sdk-core/json/oj_engine.rb +33 -6
- data/lib/aws-sdk-core/json/parser.rb +8 -0
- data/lib/aws-sdk-core/json.rb +8 -26
- data/lib/aws-sdk-core/log/formatter.rb +6 -0
- data/lib/aws-sdk-core/log/param_filter.rb +9 -1
- data/lib/aws-sdk-core/pageable_response.rb +81 -26
- data/lib/aws-sdk-core/pager.rb +3 -0
- data/lib/aws-sdk-core/param_validator.rb +29 -0
- data/lib/aws-sdk-core/plugins/bearer_authorization.rb +67 -0
- data/lib/aws-sdk-core/plugins/checksum_algorithm.rb +340 -0
- data/lib/aws-sdk-core/plugins/credentials_configuration.rb +27 -1
- data/lib/aws-sdk-core/plugins/defaults_mode.rb +40 -0
- data/lib/aws-sdk-core/plugins/endpoint_discovery.rb +6 -2
- data/lib/aws-sdk-core/plugins/http_checksum.rb +8 -1
- data/lib/aws-sdk-core/plugins/jsonvalue_converter.rb +34 -6
- data/lib/aws-sdk-core/plugins/protocols/api_gateway.rb +17 -0
- data/lib/aws-sdk-core/plugins/protocols/rest_json.rb +16 -1
- data/lib/aws-sdk-core/plugins/recursion_detection.rb +38 -0
- data/lib/aws-sdk-core/plugins/regional_endpoint.rb +144 -17
- data/lib/aws-sdk-core/plugins/request_compression.rb +217 -0
- data/lib/aws-sdk-core/plugins/response_paging.rb +1 -1
- data/lib/aws-sdk-core/plugins/retries/error_inspector.rb +7 -4
- data/lib/aws-sdk-core/plugins/retry_errors.rb +21 -5
- data/lib/aws-sdk-core/plugins/sign.rb +201 -0
- data/lib/aws-sdk-core/plugins/signature_v2.rb +1 -0
- data/lib/aws-sdk-core/plugins/signature_v4.rb +28 -31
- data/lib/aws-sdk-core/plugins/stub_responses.rb +5 -1
- data/lib/aws-sdk-core/plugins/user_agent.rb +117 -14
- data/lib/aws-sdk-core/process_credentials.rb +9 -11
- data/lib/aws-sdk-core/refreshing_credentials.rb +41 -16
- data/lib/aws-sdk-core/refreshing_token.rb +71 -0
- data/lib/aws-sdk-core/rest/handler.rb +1 -1
- data/lib/aws-sdk-core/rest/request/body.rb +19 -1
- data/lib/aws-sdk-core/rest/request/headers.rb +14 -6
- data/lib/aws-sdk-core/rest/response/headers.rb +3 -1
- data/lib/aws-sdk-core/shared_config.rb +127 -13
- data/lib/aws-sdk-core/shared_credentials.rb +7 -1
- data/lib/aws-sdk-core/sso_credentials.rb +92 -52
- data/lib/aws-sdk-core/sso_token_provider.rb +135 -0
- data/lib/aws-sdk-core/static_token_provider.rb +14 -0
- data/lib/aws-sdk-core/structure.rb +16 -5
- data/lib/aws-sdk-core/stubbing/protocols/json.rb +1 -1
- data/lib/aws-sdk-core/stubbing/stub_data.rb +11 -0
- data/lib/aws-sdk-core/token.rb +31 -0
- data/lib/aws-sdk-core/token_provider.rb +15 -0
- data/lib/aws-sdk-core/token_provider_chain.rb +51 -0
- data/lib/aws-sdk-core/waiters/poller.rb +3 -1
- data/lib/aws-sdk-core/xml/builder.rb +1 -1
- data/lib/aws-sdk-core/xml/error_handler.rb +7 -0
- data/lib/aws-sdk-core/xml/parser/engines/oga.rb +2 -0
- data/lib/aws-sdk-core/xml/parser/engines/ox.rb +1 -1
- data/lib/aws-sdk-core/xml/parser/engines/rexml.rb +0 -8
- data/lib/aws-sdk-core/xml/parser/frame.rb +23 -0
- data/lib/aws-sdk-core.rb +20 -0
- data/lib/aws-sdk-sso/client.rb +97 -15
- data/lib/aws-sdk-sso/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-sso/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-sso/endpoints.rb +72 -0
- data/lib/aws-sdk-sso/plugins/endpoints.rb +76 -0
- data/lib/aws-sdk-sso/types.rb +8 -43
- data/lib/aws-sdk-sso.rb +5 -1
- data/lib/aws-sdk-ssooidc/client.rb +626 -0
- data/lib/aws-sdk-ssooidc/client_api.rb +216 -0
- data/lib/aws-sdk-ssooidc/customizations.rb +1 -0
- data/lib/aws-sdk-ssooidc/endpoint_parameters.rb +66 -0
- data/lib/aws-sdk-ssooidc/endpoint_provider.rb +51 -0
- data/lib/aws-sdk-ssooidc/endpoints.rb +58 -0
- data/lib/aws-sdk-ssooidc/errors.rb +290 -0
- data/lib/aws-sdk-ssooidc/plugins/endpoints.rb +74 -0
- data/lib/aws-sdk-ssooidc/resource.rb +26 -0
- data/lib/aws-sdk-ssooidc/types.rb +502 -0
- data/lib/aws-sdk-ssooidc.rb +59 -0
- data/lib/aws-sdk-sts/client.rb +535 -472
- data/lib/aws-sdk-sts/client_api.rb +10 -0
- data/lib/aws-sdk-sts/endpoint_parameters.rb +78 -0
- data/lib/aws-sdk-sts/endpoint_provider.rb +112 -0
- data/lib/aws-sdk-sts/endpoints.rb +136 -0
- data/lib/aws-sdk-sts/plugins/endpoints.rb +84 -0
- data/lib/aws-sdk-sts/plugins/sts_regional_endpoints.rb +5 -1
- data/lib/aws-sdk-sts/presigner.rb +13 -9
- data/lib/aws-sdk-sts/types.rb +248 -313
- data/lib/aws-sdk-sts.rb +5 -1
- data/lib/seahorse/client/async_base.rb +0 -1
- data/lib/seahorse/client/configuration.rb +5 -5
- data/lib/seahorse/client/h2/connection.rb +26 -22
- data/lib/seahorse/client/h2/handler.rb +4 -5
- data/lib/seahorse/client/net_http/connection_pool.rb +7 -0
- data/lib/seahorse/client/net_http/handler.rb +15 -7
- data/lib/seahorse/client/net_http/patches.rb +13 -84
- data/lib/seahorse/client/plugins/content_length.rb +11 -5
- data/lib/seahorse/client/plugins/net_http.rb +33 -2
- data/lib/seahorse/client/plugins/request_callback.rb +9 -9
- data/lib/seahorse/client/response.rb +6 -0
- data/lib/seahorse/model/operation.rb +6 -0
- data/lib/seahorse/model/shapes.rb +25 -0
- data/lib/seahorse/util.rb +4 -0
- metadata +64 -12
- data/lib/aws-sdk-sso/plugins/content_type.rb +0 -25
data/lib/aws-sdk-sts/types.rb
CHANGED
@@ -10,32 +10,6 @@
|
|
10
10
|
module Aws::STS
|
11
11
|
module Types
|
12
12
|
|
13
|
-
# @note When making an API call, you may pass AssumeRoleRequest
|
14
|
-
# data as a hash:
|
15
|
-
#
|
16
|
-
# {
|
17
|
-
# role_arn: "arnType", # required
|
18
|
-
# role_session_name: "roleSessionNameType", # required
|
19
|
-
# policy_arns: [
|
20
|
-
# {
|
21
|
-
# arn: "arnType",
|
22
|
-
# },
|
23
|
-
# ],
|
24
|
-
# policy: "sessionPolicyDocumentType",
|
25
|
-
# duration_seconds: 1,
|
26
|
-
# tags: [
|
27
|
-
# {
|
28
|
-
# key: "tagKeyType", # required
|
29
|
-
# value: "tagValueType", # required
|
30
|
-
# },
|
31
|
-
# ],
|
32
|
-
# transitive_tag_keys: ["tagKeyType"],
|
33
|
-
# external_id: "externalIdType",
|
34
|
-
# serial_number: "serialNumberType",
|
35
|
-
# token_code: "tokenCodeType",
|
36
|
-
# source_identity: "sourceIdentityType",
|
37
|
-
# }
|
38
|
-
#
|
39
13
|
# @!attribute [rw] role_arn
|
40
14
|
# The Amazon Resource Name (ARN) of the role to assume.
|
41
15
|
# @return [String]
|
@@ -50,7 +24,7 @@ module Aws::STS
|
|
50
24
|
# role session name is also used in the ARN of the assumed role
|
51
25
|
# principal. This means that subsequent cross-account API requests
|
52
26
|
# that use the temporary security credentials will expose the role
|
53
|
-
# session name to the external account in their
|
27
|
+
# session name to the external account in their CloudTrail logs.
|
54
28
|
#
|
55
29
|
# The regex used to validate this parameter is a string of characters
|
56
30
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -66,15 +40,17 @@ module Aws::STS
|
|
66
40
|
# This parameter is optional. You can provide up to 10 managed policy
|
67
41
|
# ARNs. However, the plaintext that you use for both inline and
|
68
42
|
# managed session policies can't exceed 2,048 characters. For more
|
69
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
70
|
-
# Service Namespaces][1] in the
|
71
|
-
#
|
72
|
-
#
|
73
|
-
#
|
74
|
-
#
|
75
|
-
#
|
76
|
-
#
|
77
|
-
#
|
43
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
44
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
45
|
+
# General Reference.
|
46
|
+
#
|
47
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
48
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
49
|
+
# binary format that has a separate limit. Your request can fail for
|
50
|
+
# this limit even if your plaintext meets the other requirements. The
|
51
|
+
# `PackedPolicySize` response element indicates by percentage how
|
52
|
+
# close the policies and tags for your request are to the upper size
|
53
|
+
# limit.
|
78
54
|
#
|
79
55
|
# </note>
|
80
56
|
#
|
@@ -82,10 +58,10 @@ module Aws::STS
|
|
82
58
|
# credentials. The resulting session's permissions are the
|
83
59
|
# intersection of the role's identity-based policy and the session
|
84
60
|
# policies. You can use the role's temporary credentials in
|
85
|
-
# subsequent
|
86
|
-
# owns the role. You cannot use session policies to grant
|
87
|
-
# permissions than those allowed by the identity-based policy of
|
88
|
-
# role that is being assumed. For more information, see [Session
|
61
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
62
|
+
# account that owns the role. You cannot use session policies to grant
|
63
|
+
# more permissions than those allowed by the identity-based policy of
|
64
|
+
# the role that is being assumed. For more information, see [Session
|
89
65
|
# Policies][2] in the *IAM User Guide*.
|
90
66
|
#
|
91
67
|
#
|
@@ -102,11 +78,11 @@ module Aws::STS
|
|
102
78
|
# returns new temporary credentials. The resulting session's
|
103
79
|
# permissions are the intersection of the role's identity-based
|
104
80
|
# policy and the session policies. You can use the role's temporary
|
105
|
-
# credentials in subsequent
|
106
|
-
# account that owns the role. You cannot use session
|
107
|
-
# more permissions than those allowed by the
|
108
|
-
# the role that is being assumed. For more
|
109
|
-
# Policies][1] in the *IAM User Guide*.
|
81
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
82
|
+
# resources in the account that owns the role. You cannot use session
|
83
|
+
# policies to grant more permissions than those allowed by the
|
84
|
+
# identity-based policy of the role that is being assumed. For more
|
85
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
110
86
|
#
|
111
87
|
# The plaintext that you use for both inline and managed session
|
112
88
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
@@ -115,12 +91,13 @@ module Aws::STS
|
|
115
91
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
116
92
|
# (\\u000D) characters.
|
117
93
|
#
|
118
|
-
# <note markdown="1"> An
|
119
|
-
#
|
120
|
-
#
|
121
|
-
# other requirements. The
|
122
|
-
# indicates by percentage how
|
123
|
-
# request are to the upper size
|
94
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
95
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
96
|
+
# binary format that has a separate limit. Your request can fail for
|
97
|
+
# this limit even if your plaintext meets the other requirements. The
|
98
|
+
# `PackedPolicySize` response element indicates by percentage how
|
99
|
+
# close the policies and tags for your request are to the upper size
|
100
|
+
# limit.
|
124
101
|
#
|
125
102
|
# </note>
|
126
103
|
#
|
@@ -131,16 +108,25 @@ module Aws::STS
|
|
131
108
|
#
|
132
109
|
# @!attribute [rw] duration_seconds
|
133
110
|
# The duration, in seconds, of the role session. The value specified
|
134
|
-
# can
|
135
|
-
#
|
136
|
-
#
|
137
|
-
#
|
138
|
-
#
|
139
|
-
#
|
140
|
-
#
|
141
|
-
#
|
142
|
-
#
|
143
|
-
#
|
111
|
+
# can range from 900 seconds (15 minutes) up to the maximum session
|
112
|
+
# duration set for the role. The maximum session duration setting can
|
113
|
+
# have a value from 1 hour to 12 hours. If you specify a value higher
|
114
|
+
# than this setting or the administrator setting (whichever is lower),
|
115
|
+
# the operation fails. For example, if you specify a session duration
|
116
|
+
# of 12 hours, but your administrator set the maximum session duration
|
117
|
+
# to 6 hours, your operation fails.
|
118
|
+
#
|
119
|
+
# Role chaining limits your Amazon Web Services CLI or Amazon Web
|
120
|
+
# Services API role session to a maximum of one hour. When you use the
|
121
|
+
# `AssumeRole` API operation to assume a role, you can specify the
|
122
|
+
# duration of your role session with the `DurationSeconds` parameter.
|
123
|
+
# You can specify a parameter value of up to 43200 seconds (12 hours),
|
124
|
+
# depending on the maximum session duration setting for your role.
|
125
|
+
# However, if you assume a role using role chaining and provide a
|
126
|
+
# `DurationSeconds` parameter value greater than one hour, the
|
127
|
+
# operation fails. To learn how to view the maximum value for your
|
128
|
+
# role, see [View the Maximum Session Duration Setting for a Role][1]
|
129
|
+
# in the *IAM User Guide*.
|
144
130
|
#
|
145
131
|
# By default, the value is set to `3600` seconds.
|
146
132
|
#
|
@@ -149,8 +135,8 @@ module Aws::STS
|
|
149
135
|
# credentials. The request to the federation endpoint for a console
|
150
136
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
151
137
|
# maximum length of the console session. For more information, see
|
152
|
-
# [Creating a URL that Enables Federated Users to Access the
|
153
|
-
# Management Console][2] in the *IAM User Guide*.
|
138
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
139
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
154
140
|
#
|
155
141
|
# </note>
|
156
142
|
#
|
@@ -163,20 +149,21 @@ module Aws::STS
|
|
163
149
|
# @!attribute [rw] tags
|
164
150
|
# A list of session tags that you want to pass. Each session tag
|
165
151
|
# consists of a key name and an associated value. For more information
|
166
|
-
# about session tags, see [Tagging
|
167
|
-
# User Guide*.
|
152
|
+
# about session tags, see [Tagging Amazon Web Services STS
|
153
|
+
# Sessions][1] in the *IAM User Guide*.
|
168
154
|
#
|
169
155
|
# This parameter is optional. You can pass up to 50 session tags. The
|
170
156
|
# plaintext session tag keys can’t exceed 128 characters, and the
|
171
157
|
# values can’t exceed 256 characters. For these and additional limits,
|
172
158
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
173
159
|
#
|
174
|
-
# <note markdown="1"> An
|
175
|
-
#
|
176
|
-
#
|
177
|
-
# other requirements. The
|
178
|
-
# indicates by percentage how
|
179
|
-
# request are to the upper size
|
160
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
161
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
162
|
+
# binary format that has a separate limit. Your request can fail for
|
163
|
+
# this limit even if your plaintext meets the other requirements. The
|
164
|
+
# `PackedPolicySize` response element indicates by percentage how
|
165
|
+
# close the policies and tags for your request are to the upper size
|
166
|
+
# limit.
|
180
167
|
#
|
181
168
|
# </note>
|
182
169
|
#
|
@@ -196,14 +183,14 @@ module Aws::STS
|
|
196
183
|
# operation, the new session inherits any transitive session tags from
|
197
184
|
# the calling session. If you pass a session tag with the same key as
|
198
185
|
# an inherited tag, the operation fails. To view the inherited tags
|
199
|
-
# for a session, see the
|
200
|
-
#
|
186
|
+
# for a session, see the CloudTrail logs. For more information, see
|
187
|
+
# [Viewing Session Tags in CloudTrail][3] in the *IAM User Guide*.
|
201
188
|
#
|
202
189
|
#
|
203
190
|
#
|
204
191
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
205
192
|
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-limits.html#reference_iam-limits-entity-length
|
206
|
-
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
193
|
+
# [3]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html#id_session-tags_ctlogs
|
207
194
|
# @return [Array<Types::Tag>]
|
208
195
|
#
|
209
196
|
# @!attribute [rw] transitive_tag_keys
|
@@ -235,8 +222,8 @@ module Aws::STS
|
|
235
222
|
# the administrator of the trusted account. That way, only someone
|
236
223
|
# with the ID can assume the role, rather than everyone in the
|
237
224
|
# account. For more information about the external ID, see [How to Use
|
238
|
-
# an External ID When Granting Access to Your
|
239
|
-
# Party][1] in the *IAM User Guide*.
|
225
|
+
# an External ID When Granting Access to Your Amazon Web Services
|
226
|
+
# Resources to a Third Party][1] in the *IAM User Guide*.
|
240
227
|
#
|
241
228
|
# The regex used to validate this parameter is a string of characters
|
242
229
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -281,24 +268,29 @@ module Aws::STS
|
|
281
268
|
# You can require users to specify a source identity when they assume
|
282
269
|
# a role. You do this by using the `sts:SourceIdentity` condition key
|
283
270
|
# in a role trust policy. You can use source identity information in
|
284
|
-
#
|
285
|
-
#
|
286
|
-
#
|
287
|
-
# more information about using source identity, see
|
288
|
-
# control actions taken with assumed roles][1] in the
|
289
|
-
# Guide*.
|
271
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
272
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
273
|
+
# to Amazon Web Services resources based on the value of source
|
274
|
+
# identity. For more information about using source identity, see
|
275
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
276
|
+
# *IAM User Guide*.
|
290
277
|
#
|
291
278
|
# The regex used to validate this parameter is a string of characters
|
292
279
|
# consisting of upper- and lower-case alphanumeric characters with no
|
293
280
|
# spaces. You can also include underscores or any of the following
|
294
281
|
# characters: =,.@-. You cannot use a value that begins with the text
|
295
|
-
# `aws:`. This prefix is reserved for
|
282
|
+
# `aws:`. This prefix is reserved for Amazon Web Services internal
|
283
|
+
# use.
|
296
284
|
#
|
297
285
|
#
|
298
286
|
#
|
299
287
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_control-access_monitor.html
|
300
288
|
# @return [String]
|
301
289
|
#
|
290
|
+
# @!attribute [rw] provided_contexts
|
291
|
+
# Reserved for future use.
|
292
|
+
# @return [Array<Types::ProvidedContext>]
|
293
|
+
#
|
302
294
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/AssumeRoleRequest AWS API Documentation
|
303
295
|
#
|
304
296
|
class AssumeRoleRequest < Struct.new(
|
@@ -312,13 +304,15 @@ module Aws::STS
|
|
312
304
|
:external_id,
|
313
305
|
:serial_number,
|
314
306
|
:token_code,
|
315
|
-
:source_identity
|
307
|
+
:source_identity,
|
308
|
+
:provided_contexts)
|
316
309
|
SENSITIVE = []
|
317
310
|
include Aws::Structure
|
318
311
|
end
|
319
312
|
|
320
313
|
# Contains the response to a successful AssumeRole request, including
|
321
|
-
# temporary
|
314
|
+
# temporary Amazon Web Services credentials that can be used to make
|
315
|
+
# Amazon Web Services requests.
|
322
316
|
#
|
323
317
|
# @!attribute [rw] credentials
|
324
318
|
# The temporary security credentials, which include an access key ID,
|
@@ -354,12 +348,12 @@ module Aws::STS
|
|
354
348
|
# You can require users to specify a source identity when they assume
|
355
349
|
# a role. You do this by using the `sts:SourceIdentity` condition key
|
356
350
|
# in a role trust policy. You can use source identity information in
|
357
|
-
#
|
358
|
-
#
|
359
|
-
#
|
360
|
-
# more information about using source identity, see
|
361
|
-
# control actions taken with assumed roles][1] in the
|
362
|
-
# Guide*.
|
351
|
+
# CloudTrail logs to determine who took actions with a role. You can
|
352
|
+
# use the `aws:SourceIdentity` condition key to further control access
|
353
|
+
# to Amazon Web Services resources based on the value of source
|
354
|
+
# identity. For more information about using source identity, see
|
355
|
+
# [Monitor and control actions taken with assumed roles][1] in the
|
356
|
+
# *IAM User Guide*.
|
363
357
|
#
|
364
358
|
# The regex used to validate this parameter is a string of characters
|
365
359
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -382,22 +376,6 @@ module Aws::STS
|
|
382
376
|
include Aws::Structure
|
383
377
|
end
|
384
378
|
|
385
|
-
# @note When making an API call, you may pass AssumeRoleWithSAMLRequest
|
386
|
-
# data as a hash:
|
387
|
-
#
|
388
|
-
# {
|
389
|
-
# role_arn: "arnType", # required
|
390
|
-
# principal_arn: "arnType", # required
|
391
|
-
# saml_assertion: "SAMLAssertionType", # required
|
392
|
-
# policy_arns: [
|
393
|
-
# {
|
394
|
-
# arn: "arnType",
|
395
|
-
# },
|
396
|
-
# ],
|
397
|
-
# policy: "sessionPolicyDocumentType",
|
398
|
-
# duration_seconds: 1,
|
399
|
-
# }
|
400
|
-
#
|
401
379
|
# @!attribute [rw] role_arn
|
402
380
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
403
381
|
# assuming.
|
@@ -427,15 +405,17 @@ module Aws::STS
|
|
427
405
|
# This parameter is optional. You can provide up to 10 managed policy
|
428
406
|
# ARNs. However, the plaintext that you use for both inline and
|
429
407
|
# managed session policies can't exceed 2,048 characters. For more
|
430
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
431
|
-
# Service Namespaces][1] in the
|
432
|
-
#
|
433
|
-
#
|
434
|
-
#
|
435
|
-
#
|
436
|
-
#
|
437
|
-
#
|
438
|
-
#
|
408
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
409
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
410
|
+
# General Reference.
|
411
|
+
#
|
412
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
413
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
414
|
+
# binary format that has a separate limit. Your request can fail for
|
415
|
+
# this limit even if your plaintext meets the other requirements. The
|
416
|
+
# `PackedPolicySize` response element indicates by percentage how
|
417
|
+
# close the policies and tags for your request are to the upper size
|
418
|
+
# limit.
|
439
419
|
#
|
440
420
|
# </note>
|
441
421
|
#
|
@@ -443,10 +423,10 @@ module Aws::STS
|
|
443
423
|
# credentials. The resulting session's permissions are the
|
444
424
|
# intersection of the role's identity-based policy and the session
|
445
425
|
# policies. You can use the role's temporary credentials in
|
446
|
-
# subsequent
|
447
|
-
# owns the role. You cannot use session policies to grant
|
448
|
-
# permissions than those allowed by the identity-based policy of
|
449
|
-
# role that is being assumed. For more information, see [Session
|
426
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
427
|
+
# account that owns the role. You cannot use session policies to grant
|
428
|
+
# more permissions than those allowed by the identity-based policy of
|
429
|
+
# the role that is being assumed. For more information, see [Session
|
450
430
|
# Policies][2] in the *IAM User Guide*.
|
451
431
|
#
|
452
432
|
#
|
@@ -463,11 +443,11 @@ module Aws::STS
|
|
463
443
|
# returns new temporary credentials. The resulting session's
|
464
444
|
# permissions are the intersection of the role's identity-based
|
465
445
|
# policy and the session policies. You can use the role's temporary
|
466
|
-
# credentials in subsequent
|
467
|
-
# account that owns the role. You cannot use session
|
468
|
-
# more permissions than those allowed by the
|
469
|
-
# the role that is being assumed. For more
|
470
|
-
# Policies][1] in the *IAM User Guide*.
|
446
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
447
|
+
# resources in the account that owns the role. You cannot use session
|
448
|
+
# policies to grant more permissions than those allowed by the
|
449
|
+
# identity-based policy of the role that is being assumed. For more
|
450
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
471
451
|
#
|
472
452
|
# The plaintext that you use for both inline and managed session
|
473
453
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
@@ -476,12 +456,13 @@ module Aws::STS
|
|
476
456
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
477
457
|
# (\\u000D) characters.
|
478
458
|
#
|
479
|
-
# <note markdown="1"> An
|
480
|
-
#
|
481
|
-
#
|
482
|
-
# other requirements. The
|
483
|
-
# indicates by percentage how
|
484
|
-
# request are to the upper size
|
459
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
460
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
461
|
+
# binary format that has a separate limit. Your request can fail for
|
462
|
+
# this limit even if your plaintext meets the other requirements. The
|
463
|
+
# `PackedPolicySize` response element indicates by percentage how
|
464
|
+
# close the policies and tags for your request are to the upper size
|
465
|
+
# limit.
|
485
466
|
#
|
486
467
|
# </note>
|
487
468
|
#
|
@@ -512,8 +493,8 @@ module Aws::STS
|
|
512
493
|
# credentials. The request to the federation endpoint for a console
|
513
494
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
514
495
|
# maximum length of the console session. For more information, see
|
515
|
-
# [Creating a URL that Enables Federated Users to Access the
|
516
|
-
# Management Console][2] in the *IAM User Guide*.
|
496
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
497
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
517
498
|
#
|
518
499
|
# </note>
|
519
500
|
#
|
@@ -532,13 +513,13 @@ module Aws::STS
|
|
532
513
|
:policy_arns,
|
533
514
|
:policy,
|
534
515
|
:duration_seconds)
|
535
|
-
SENSITIVE = []
|
516
|
+
SENSITIVE = [:saml_assertion]
|
536
517
|
include Aws::Structure
|
537
518
|
end
|
538
519
|
|
539
520
|
# Contains the response to a successful AssumeRoleWithSAML request,
|
540
|
-
# including temporary
|
541
|
-
# requests.
|
521
|
+
# including temporary Amazon Web Services credentials that can be used
|
522
|
+
# to make Amazon Web Services requests.
|
542
523
|
#
|
543
524
|
# @!attribute [rw] credentials
|
544
525
|
# The temporary security credentials, which include an access key ID,
|
@@ -594,13 +575,13 @@ module Aws::STS
|
|
594
575
|
#
|
595
576
|
# * The `Issuer` response value.
|
596
577
|
#
|
597
|
-
# * The
|
578
|
+
# * The Amazon Web Services account ID.
|
598
579
|
#
|
599
580
|
# * The friendly name (the last part of the ARN) of the SAML provider
|
600
581
|
# in IAM.
|
601
582
|
#
|
602
583
|
# The combination of `NameQualifier` and `Subject` can be used to
|
603
|
-
# uniquely identify a
|
584
|
+
# uniquely identify a user.
|
604
585
|
#
|
605
586
|
# The following pseudocode shows how the hash value is calculated:
|
606
587
|
#
|
@@ -652,23 +633,6 @@ module Aws::STS
|
|
652
633
|
include Aws::Structure
|
653
634
|
end
|
654
635
|
|
655
|
-
# @note When making an API call, you may pass AssumeRoleWithWebIdentityRequest
|
656
|
-
# data as a hash:
|
657
|
-
#
|
658
|
-
# {
|
659
|
-
# role_arn: "arnType", # required
|
660
|
-
# role_session_name: "roleSessionNameType", # required
|
661
|
-
# web_identity_token: "clientTokenType", # required
|
662
|
-
# provider_id: "urlType",
|
663
|
-
# policy_arns: [
|
664
|
-
# {
|
665
|
-
# arn: "arnType",
|
666
|
-
# },
|
667
|
-
# ],
|
668
|
-
# policy: "sessionPolicyDocumentType",
|
669
|
-
# duration_seconds: 1,
|
670
|
-
# }
|
671
|
-
#
|
672
636
|
# @!attribute [rw] role_arn
|
673
637
|
# The Amazon Resource Name (ARN) of the role that the caller is
|
674
638
|
# assuming.
|
@@ -693,17 +657,18 @@ module Aws::STS
|
|
693
657
|
# provided by the identity provider. Your application must get this
|
694
658
|
# token by authenticating the user who is using your application with
|
695
659
|
# a web identity provider before the application makes an
|
696
|
-
# `AssumeRoleWithWebIdentity` call.
|
660
|
+
# `AssumeRoleWithWebIdentity` call. Only tokens with RSA algorithms
|
661
|
+
# (RS256) are supported.
|
697
662
|
# @return [String]
|
698
663
|
#
|
699
664
|
# @!attribute [rw] provider_id
|
700
|
-
# The fully qualified host component of the domain name of the
|
701
|
-
# identity provider.
|
665
|
+
# The fully qualified host component of the domain name of the OAuth
|
666
|
+
# 2.0 identity provider. Do not specify this value for an OpenID
|
667
|
+
# Connect identity provider.
|
702
668
|
#
|
703
|
-
#
|
704
|
-
#
|
705
|
-
#
|
706
|
-
# schemes and port numbers.
|
669
|
+
# Currently `www.amazon.com` and `graph.facebook.com` are the only
|
670
|
+
# supported identity providers for OAuth 2.0 access tokens. Do not
|
671
|
+
# include URL schemes and port numbers.
|
707
672
|
#
|
708
673
|
# Do not specify this value for OpenID Connect ID tokens.
|
709
674
|
# @return [String]
|
@@ -716,15 +681,17 @@ module Aws::STS
|
|
716
681
|
# This parameter is optional. You can provide up to 10 managed policy
|
717
682
|
# ARNs. However, the plaintext that you use for both inline and
|
718
683
|
# managed session policies can't exceed 2,048 characters. For more
|
719
|
-
# information about ARNs, see [Amazon Resource Names (ARNs) and
|
720
|
-
# Service Namespaces][1] in the
|
721
|
-
#
|
722
|
-
#
|
723
|
-
#
|
724
|
-
#
|
725
|
-
#
|
726
|
-
#
|
727
|
-
#
|
684
|
+
# information about ARNs, see [Amazon Resource Names (ARNs) and Amazon
|
685
|
+
# Web Services Service Namespaces][1] in the Amazon Web Services
|
686
|
+
# General Reference.
|
687
|
+
#
|
688
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
689
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
690
|
+
# binary format that has a separate limit. Your request can fail for
|
691
|
+
# this limit even if your plaintext meets the other requirements. The
|
692
|
+
# `PackedPolicySize` response element indicates by percentage how
|
693
|
+
# close the policies and tags for your request are to the upper size
|
694
|
+
# limit.
|
728
695
|
#
|
729
696
|
# </note>
|
730
697
|
#
|
@@ -732,10 +699,10 @@ module Aws::STS
|
|
732
699
|
# credentials. The resulting session's permissions are the
|
733
700
|
# intersection of the role's identity-based policy and the session
|
734
701
|
# policies. You can use the role's temporary credentials in
|
735
|
-
# subsequent
|
736
|
-
# owns the role. You cannot use session policies to grant
|
737
|
-
# permissions than those allowed by the identity-based policy of
|
738
|
-
# role that is being assumed. For more information, see [Session
|
702
|
+
# subsequent Amazon Web Services API calls to access resources in the
|
703
|
+
# account that owns the role. You cannot use session policies to grant
|
704
|
+
# more permissions than those allowed by the identity-based policy of
|
705
|
+
# the role that is being assumed. For more information, see [Session
|
739
706
|
# Policies][2] in the *IAM User Guide*.
|
740
707
|
#
|
741
708
|
#
|
@@ -752,11 +719,11 @@ module Aws::STS
|
|
752
719
|
# returns new temporary credentials. The resulting session's
|
753
720
|
# permissions are the intersection of the role's identity-based
|
754
721
|
# policy and the session policies. You can use the role's temporary
|
755
|
-
# credentials in subsequent
|
756
|
-
# account that owns the role. You cannot use session
|
757
|
-
# more permissions than those allowed by the
|
758
|
-
# the role that is being assumed. For more
|
759
|
-
# Policies][1] in the *IAM User Guide*.
|
722
|
+
# credentials in subsequent Amazon Web Services API calls to access
|
723
|
+
# resources in the account that owns the role. You cannot use session
|
724
|
+
# policies to grant more permissions than those allowed by the
|
725
|
+
# identity-based policy of the role that is being assumed. For more
|
726
|
+
# information, see [Session Policies][1] in the *IAM User Guide*.
|
760
727
|
#
|
761
728
|
# The plaintext that you use for both inline and managed session
|
762
729
|
# policies can't exceed 2,048 characters. The JSON policy characters
|
@@ -765,12 +732,13 @@ module Aws::STS
|
|
765
732
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
766
733
|
# (\\u000D) characters.
|
767
734
|
#
|
768
|
-
# <note markdown="1"> An
|
769
|
-
#
|
770
|
-
#
|
771
|
-
# other requirements. The
|
772
|
-
# indicates by percentage how
|
773
|
-
# request are to the upper size
|
735
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
736
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
737
|
+
# binary format that has a separate limit. Your request can fail for
|
738
|
+
# this limit even if your plaintext meets the other requirements. The
|
739
|
+
# `PackedPolicySize` response element indicates by percentage how
|
740
|
+
# close the policies and tags for your request are to the upper size
|
741
|
+
# limit.
|
774
742
|
#
|
775
743
|
# </note>
|
776
744
|
#
|
@@ -797,8 +765,8 @@ module Aws::STS
|
|
797
765
|
# credentials. The request to the federation endpoint for a console
|
798
766
|
# sign-in token takes a `SessionDuration` parameter that specifies the
|
799
767
|
# maximum length of the console session. For more information, see
|
800
|
-
# [Creating a URL that Enables Federated Users to Access the
|
801
|
-
# Management Console][2] in the *IAM User Guide*.
|
768
|
+
# [Creating a URL that Enables Federated Users to Access the Amazon
|
769
|
+
# Web Services Management Console][2] in the *IAM User Guide*.
|
802
770
|
#
|
803
771
|
# </note>
|
804
772
|
#
|
@@ -818,13 +786,13 @@ module Aws::STS
|
|
818
786
|
:policy_arns,
|
819
787
|
:policy,
|
820
788
|
:duration_seconds)
|
821
|
-
SENSITIVE = []
|
789
|
+
SENSITIVE = [:web_identity_token]
|
822
790
|
include Aws::Structure
|
823
791
|
end
|
824
792
|
|
825
793
|
# Contains the response to a successful AssumeRoleWithWebIdentity
|
826
|
-
# request, including temporary
|
827
|
-
#
|
794
|
+
# request, including temporary Amazon Web Services credentials that can
|
795
|
+
# be used to make Amazon Web Services requests.
|
828
796
|
#
|
829
797
|
# @!attribute [rw] credentials
|
830
798
|
# The temporary security credentials, which include an access key ID,
|
@@ -929,7 +897,7 @@ module Aws::STS
|
|
929
897
|
# @!attribute [rw] assumed_role_id
|
930
898
|
# A unique identifier that contains the role ID and the role session
|
931
899
|
# name of the role that is being assumed. The role ID is generated by
|
932
|
-
#
|
900
|
+
# Amazon Web Services when the role is created.
|
933
901
|
# @return [String]
|
934
902
|
#
|
935
903
|
# @!attribute [rw] arn
|
@@ -952,7 +920,7 @@ module Aws::STS
|
|
952
920
|
include Aws::Structure
|
953
921
|
end
|
954
922
|
|
955
|
-
#
|
923
|
+
# Amazon Web Services credentials for API authentication.
|
956
924
|
#
|
957
925
|
# @!attribute [rw] access_key_id
|
958
926
|
# The access key ID that identifies the temporary security
|
@@ -979,17 +947,10 @@ module Aws::STS
|
|
979
947
|
:secret_access_key,
|
980
948
|
:session_token,
|
981
949
|
:expiration)
|
982
|
-
SENSITIVE = []
|
950
|
+
SENSITIVE = [:secret_access_key]
|
983
951
|
include Aws::Structure
|
984
952
|
end
|
985
953
|
|
986
|
-
# @note When making an API call, you may pass DecodeAuthorizationMessageRequest
|
987
|
-
# data as a hash:
|
988
|
-
#
|
989
|
-
# {
|
990
|
-
# encoded_message: "encodedMessageType", # required
|
991
|
-
# }
|
992
|
-
#
|
993
954
|
# @!attribute [rw] encoded_message
|
994
955
|
# The encoded message that was returned with the response.
|
995
956
|
# @return [String]
|
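Review bot: `:session_token` is left out of the new `SENSITIVE = [:secret_access_key]` list on the credentials struct, although it is a member of the same `Struct.new(...)` and belongs to the same temporary credential set. If `SENSITIVE` is the list the SDK's parameter filter consults when a structure is logged or inspected (that code is not shown on this page), the session token would still appear in clear text in request/response logs. Consider `SENSITIVE = [:secret_access_key, :session_token]`; if this file is generated from the service model, the member has to be marked sensitive there, and application log pipelines should redact the token until it is. The struct's opening line lies outside this hunk, so the member list is read only from the three context lines above the change. The `ProvidedContext` struct added in the `@@ -1580,11 +1503,30 @@` hunk also has `SENSITIVE = []`; its `context_assertion` is documented only as "Reserved for future use", so it is worth confirming whether it will carry a signed assertion that needs the same filtering.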
@@ -1004,10 +965,10 @@ module Aws::STS
|
|
1004
965
|
|
1005
966
|
# A document that contains additional information about the
|
1006
967
|
# authorization status of a request from an encoded message that is
|
1007
|
-
# returned in response to an
|
968
|
+
# returned in response to an Amazon Web Services request.
|
1008
969
|
#
|
1009
970
|
# @!attribute [rw] decoded_message
|
1010
|
-
#
|
971
|
+
# The API returns a response with the decoded message.
|
1011
972
|
# @return [String]
|
1012
973
|
#
|
1013
974
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/DecodeAuthorizationMessageResponse AWS API Documentation
|
@@ -1060,13 +1021,6 @@ module Aws::STS
|
|
1060
1021
|
include Aws::Structure
|
1061
1022
|
end
|
1062
1023
|
|
1063
|
-
# @note When making an API call, you may pass GetAccessKeyInfoRequest
|
1064
|
-
# data as a hash:
|
1065
|
-
#
|
1066
|
-
# {
|
1067
|
-
# access_key_id: "accessKeyIdType", # required
|
1068
|
-
# }
|
1069
|
-
#
|
1070
1024
|
# @!attribute [rw] access_key_id
|
1071
1025
|
# The identifier of an access key.
|
1072
1026
|
#
|
@@ -1084,7 +1038,7 @@ module Aws::STS
|
|
1084
1038
|
end
|
1085
1039
|
|
1086
1040
|
# @!attribute [rw] account
|
1087
|
-
# The number used to identify the
|
1041
|
+
# The number used to identify the Amazon Web Services account.
|
1088
1042
|
# @return [String]
|
1089
1043
|
#
|
1090
1044
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetAccessKeyInfoResponse AWS API Documentation
|
@@ -1117,12 +1071,12 @@ module Aws::STS
|
|
1117
1071
|
# @return [String]
|
1118
1072
|
#
|
1119
1073
|
# @!attribute [rw] account
|
1120
|
-
# The
|
1121
|
-
# calling entity.
|
1074
|
+
# The Amazon Web Services account ID number of the account that owns
|
1075
|
+
# or contains the calling entity.
|
1122
1076
|
# @return [String]
|
1123
1077
|
#
|
1124
1078
|
# @!attribute [rw] arn
|
1125
|
-
# The
|
1079
|
+
# The Amazon Web Services ARN associated with the calling entity.
|
1126
1080
|
# @return [String]
|
1127
1081
|
#
|
1128
1082
|
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/GetCallerIdentityResponse AWS API Documentation
|
@@ -1135,26 +1089,6 @@ module Aws::STS
|
|
1135
1089
|
include Aws::Structure
|
1136
1090
|
end
|
1137
1091
|
|
1138
|
-
# @note When making an API call, you may pass GetFederationTokenRequest
|
1139
|
-
# data as a hash:
|
1140
|
-
#
|
1141
|
-
# {
|
1142
|
-
# name: "userNameType", # required
|
1143
|
-
# policy: "sessionPolicyDocumentType",
|
1144
|
-
# policy_arns: [
|
1145
|
-
# {
|
1146
|
-
# arn: "arnType",
|
1147
|
-
# },
|
1148
|
-
# ],
|
1149
|
-
# duration_seconds: 1,
|
1150
|
-
# tags: [
|
1151
|
-
# {
|
1152
|
-
# key: "tagKeyType", # required
|
1153
|
-
# value: "tagValueType", # required
|
1154
|
-
# },
|
1155
|
-
# ],
|
1156
|
-
# }
|
1157
|
-
#
|
1158
1092
|
# @!attribute [rw] name
|
1159
1093
|
# The name of the federated user. The name is used as an identifier
|
1160
1094
|
# for the temporary security credentials (such as `Bob`). For example,
|
@@ -1173,8 +1107,8 @@ module Aws::STS
|
|
1173
1107
|
#
|
1174
1108
|
# You must pass an inline or managed [session policy][1] to this
|
1175
1109
|
# operation. You can pass a single JSON policy document to use as an
|
1176
|
-
# inline session policy. You can also specify up to 10 managed
|
1177
|
-
#
|
1110
|
+
# inline session policy. You can also specify up to 10 managed policy
|
1111
|
+
# Amazon Resource Names (ARNs) to use as managed session policies.
|
1178
1112
|
#
|
1179
1113
|
# This parameter is optional. However, if you do not pass any session
|
1180
1114
|
# policies, then the resulting federated user session has no
|
@@ -1202,12 +1136,13 @@ module Aws::STS
|
|
1202
1136
|
# include the tab (\\u0009), linefeed (\\u000A), and carriage return
|
1203
1137
|
# (\\u000D) characters.
|
1204
1138
|
#
|
1205
|
-
# <note markdown="1"> An
|
1206
|
-
#
|
1207
|
-
#
|
1208
|
-
# other requirements. The
|
1209
|
-
# indicates by percentage how
|
1210
|
-
# request are to the upper size
|
1139
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
1140
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
1141
|
+
# binary format that has a separate limit. Your request can fail for
|
1142
|
+
# this limit even if your plaintext meets the other requirements. The
|
1143
|
+
# `PackedPolicySize` response element indicates by percentage how
|
1144
|
+
# close the policies and tags for your request are to the upper size
|
1145
|
+
# limit.
|
1211
1146
|
#
|
1212
1147
|
# </note>
|
1213
1148
|
#
|
@@ -1224,12 +1159,13 @@ module Aws::STS
|
|
1224
1159
|
#
|
1225
1160
|
# You must pass an inline or managed [session policy][1] to this
|
1226
1161
|
# operation. You can pass a single JSON policy document to use as an
|
1227
|
-
# inline session policy. You can also specify up to 10 managed
|
1228
|
-
#
|
1229
|
-
# use for both inline and managed session policies
|
1230
|
-
# characters. You can provide up to 10 managed
|
1231
|
-
# information about ARNs, see [Amazon Resource
|
1232
|
-
# Service Namespaces][2] in the
|
1162
|
+
# inline session policy. You can also specify up to 10 managed policy
|
1163
|
+
# Amazon Resource Names (ARNs) to use as managed session policies. The
|
1164
|
+
# plaintext that you use for both inline and managed session policies
|
1165
|
+
# can't exceed 2,048 characters. You can provide up to 10 managed
|
1166
|
+
# policy ARNs. For more information about ARNs, see [Amazon Resource
|
1167
|
+
# Names (ARNs) and Amazon Web Services Service Namespaces][2] in the
|
1168
|
+
# Amazon Web Services General Reference.
|
1233
1169
|
#
|
1234
1170
|
# This parameter is optional. However, if you do not pass any session
|
1235
1171
|
# policies, then the resulting federated user session has no
|
@@ -1250,12 +1186,13 @@ module Aws::STS
|
|
1250
1186
|
# are granted in addition to the permissions that are granted by the
|
1251
1187
|
# session policies.
|
1252
1188
|
#
|
1253
|
-
# <note markdown="1"> An
|
1254
|
-
#
|
1255
|
-
#
|
1256
|
-
# other requirements. The
|
1257
|
-
# indicates by percentage how
|
1258
|
-
# request are to the upper size
|
1189
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
1190
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
1191
|
+
# binary format that has a separate limit. Your request can fail for
|
1192
|
+
# this limit even if your plaintext meets the other requirements. The
|
1193
|
+
# `PackedPolicySize` response element indicates by percentage how
|
1194
|
+
# close the policies and tags for your request are to the upper size
|
1195
|
+
# limit.
|
1259
1196
|
#
|
1260
1197
|
# </note>
|
1261
1198
|
#
|
@@ -1269,10 +1206,10 @@ module Aws::STS
|
|
1269
1206
|
# The duration, in seconds, that the session should last. Acceptable
|
1270
1207
|
# durations for federation sessions range from 900 seconds (15
|
1271
1208
|
# minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1272
|
-
# hours) as the default. Sessions obtained using
|
1273
|
-
#
|
1274
|
-
#
|
1275
|
-
#
|
1209
|
+
# hours) as the default. Sessions obtained using root user credentials
|
1210
|
+
# are restricted to a maximum of 3,600 seconds (one hour). If the
|
1211
|
+
# specified duration is longer than one hour, the session obtained by
|
1212
|
+
# using root user credentials defaults to one hour.
|
1276
1213
|
# @return [Integer]
|
1277
1214
|
#
|
1278
1215
|
# @!attribute [rw] tags
|
@@ -1285,12 +1222,13 @@ module Aws::STS
|
|
1285
1222
|
# values can’t exceed 256 characters. For these and additional limits,
|
1286
1223
|
# see [IAM and STS Character Limits][2] in the *IAM User Guide*.
|
1287
1224
|
#
|
1288
|
-
# <note markdown="1"> An
|
1289
|
-
#
|
1290
|
-
#
|
1291
|
-
# other requirements. The
|
1292
|
-
# indicates by percentage how
|
1293
|
-
# request are to the upper size
|
1225
|
+
# <note markdown="1"> An Amazon Web Services conversion compresses the passed inline
|
1226
|
+
# session policy, managed policy ARNs, and session tags into a packed
|
1227
|
+
# binary format that has a separate limit. Your request can fail for
|
1228
|
+
# this limit even if your plaintext meets the other requirements. The
|
1229
|
+
# `PackedPolicySize` response element indicates by percentage how
|
1230
|
+
# close the policies and tags for your request are to the upper size
|
1231
|
+
# limit.
|
1294
1232
|
#
|
1295
1233
|
# </note>
|
1296
1234
|
#
|
@@ -1325,8 +1263,8 @@ module Aws::STS
|
|
1325
1263
|
end
|
1326
1264
|
|
1327
1265
|
# Contains the response to a successful GetFederationToken request,
|
1328
|
-
# including temporary
|
1329
|
-
# requests.
|
1266
|
+
# including temporary Amazon Web Services credentials that can be used
|
1267
|
+
# to make Amazon Web Services requests.
|
1330
1268
|
#
|
1331
1269
|
# @!attribute [rw] credentials
|
1332
1270
|
# The temporary security credentials, which include an access key ID,
|
@@ -1363,23 +1301,14 @@ module Aws::STS
|
|
1363
1301
|
include Aws::Structure
|
1364
1302
|
end
|
1365
1303
|
|
1366
|
-
# @note When making an API call, you may pass GetSessionTokenRequest
|
1367
|
-
# data as a hash:
|
1368
|
-
#
|
1369
|
-
# {
|
1370
|
-
# duration_seconds: 1,
|
1371
|
-
# serial_number: "serialNumberType",
|
1372
|
-
# token_code: "tokenCodeType",
|
1373
|
-
# }
|
1374
|
-
#
|
1375
1304
|
# @!attribute [rw] duration_seconds
|
1376
1305
|
# The duration, in seconds, that the credentials should remain valid.
|
1377
1306
|
# Acceptable durations for IAM user sessions range from 900 seconds
|
1378
1307
|
# (15 minutes) to 129,600 seconds (36 hours), with 43,200 seconds (12
|
1379
|
-
# hours) as the default. Sessions for
|
1380
|
-
# restricted to a maximum of 3,600 seconds (one hour). If
|
1381
|
-
# is longer than one hour, the session for
|
1382
|
-
# to one hour.
|
1308
|
+
# hours) as the default. Sessions for Amazon Web Services account
|
1309
|
+
# owners are restricted to a maximum of 3,600 seconds (one hour). If
|
1310
|
+
# the duration is longer than one hour, the session for Amazon Web
|
1311
|
+
# Services account owners defaults to one hour.
|
1383
1312
|
# @return [Integer]
|
1384
1313
|
#
|
1385
1314
|
# @!attribute [rw] serial_number
|
@@ -1389,8 +1318,8 @@ module Aws::STS
|
|
1389
1318
|
# The value is either the serial number for a hardware device (such as
|
1390
1319
|
# `GAHT12345678`) or an Amazon Resource Name (ARN) for a virtual
|
1391
1320
|
# device (such as `arn:aws:iam::123456789012:mfa/user`). You can find
|
1392
|
-
# the device for an IAM user by going to the
|
1393
|
-
# and viewing the user's security credentials.
|
1321
|
+
# the device for an IAM user by going to the Amazon Web Services
|
1322
|
+
# Management Console and viewing the user's security credentials.
|
1394
1323
|
#
|
1395
1324
|
# The regex used to validate this parameter is a string of characters
|
1396
1325
|
# consisting of upper- and lower-case alphanumeric characters with no
|
@@ -1421,8 +1350,8 @@ module Aws::STS
|
|
1421
1350
|
end
|
1422
1351
|
|
1423
1352
|
# Contains the response to a successful GetSessionToken request,
|
1424
|
-
# including temporary
|
1425
|
-
# requests.
|
1353
|
+
# including temporary Amazon Web Services credentials that can be used
|
1354
|
+
# to make Amazon Web Services requests.
|
1426
1355
|
#
|
1427
1356
|
# @!attribute [rw] credentials
|
1428
1357
|
# The temporary security credentials, which include an access key ID,
|
@@ -1494,9 +1423,9 @@ module Aws::STS
|
|
1494
1423
|
include Aws::Structure
|
1495
1424
|
end
|
1496
1425
|
|
1497
|
-
# The web identity token that was passed could not be validated by
|
1498
|
-
# Get a new identity token from the identity
|
1499
|
-
# request.
|
1426
|
+
# The web identity token that was passed could not be validated by
|
1427
|
+
# Amazon Web Services. Get a new identity token from the identity
|
1428
|
+
# provider and then retry the request.
|
1500
1429
|
#
|
1501
1430
|
# @!attribute [rw] message
|
1502
1431
|
# @return [String]
|
@@ -1524,12 +1453,13 @@ module Aws::STS
|
|
1524
1453
|
end
|
1525
1454
|
|
1526
1455
|
# The request was rejected because the total packed size of the session
|
1527
|
-
# policies and session tags combined was too large. An
|
1528
|
-
# compresses the session policy document, session
|
1529
|
-
# session tags into a packed binary format that has a
|
1530
|
-
# The error message indicates by percentage how close
|
1531
|
-
# tags are to the upper size limit. For more
|
1532
|
-
# Session Tags in STS][1] in the *IAM User
|
1456
|
+
# policies and session tags combined was too large. An Amazon Web
|
1457
|
+
# Services conversion compresses the session policy document, session
|
1458
|
+
# policy ARNs, and session tags into a packed binary format that has a
|
1459
|
+
# separate limit. The error message indicates by percentage how close
|
1460
|
+
# the policies and tags are to the upper size limit. For more
|
1461
|
+
# information, see [Passing Session Tags in STS][1] in the *IAM User
|
1462
|
+
# Guide*.
|
1533
1463
|
#
|
1534
1464
|
# You could receive this error even though you meet other defined
|
1535
1465
|
# session policy and session tag limits. For more information, see [IAM
|
@@ -1538,7 +1468,7 @@ module Aws::STS
|
|
1538
1468
|
#
|
1539
1469
|
#
|
1540
1470
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1541
|
-
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/
|
1471
|
+
# [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_iam-quotas.html#reference_iam-limits-entity-length
|
1542
1472
|
#
|
1543
1473
|
# @!attribute [rw] message
|
1544
1474
|
# @return [String]
|
@@ -1554,18 +1484,11 @@ module Aws::STS
|
|
1554
1484
|
# A reference to the IAM managed policy that is passed as a session
|
1555
1485
|
# policy for a role session or a federated user session.
|
1556
1486
|
#
|
1557
|
-
# @note When making an API call, you may pass PolicyDescriptorType
|
1558
|
-
# data as a hash:
|
1559
|
-
#
|
1560
|
-
# {
|
1561
|
-
# arn: "arnType",
|
1562
|
-
# }
|
1563
|
-
#
|
1564
1487
|
# @!attribute [rw] arn
|
1565
1488
|
# The Amazon Resource Name (ARN) of the IAM managed policy to use as a
|
1566
1489
|
# session policy for the role. For more information about ARNs, see
|
1567
|
-
# [Amazon Resource Names (ARNs) and
|
1568
|
-
# *
|
1490
|
+
# [Amazon Resource Names (ARNs) and Amazon Web Services Service
|
1491
|
+
# Namespaces][1] in the *Amazon Web Services General Reference*.
|
1569
1492
|
#
|
1570
1493
|
#
|
1571
1494
|
#
|
@@ -1580,11 +1503,30 @@ module Aws::STS
|
|
1580
1503
|
include Aws::Structure
|
1581
1504
|
end
|
1582
1505
|
|
1506
|
+
# Reserved for future use.
|
1507
|
+
#
|
1508
|
+
# @!attribute [rw] provider_arn
|
1509
|
+
# Reserved for future use.
|
1510
|
+
# @return [String]
|
1511
|
+
#
|
1512
|
+
# @!attribute [rw] context_assertion
|
1513
|
+
# Reserved for future use.
|
1514
|
+
# @return [String]
|
1515
|
+
#
|
1516
|
+
# @see http://docs.aws.amazon.com/goto/WebAPI/sts-2011-06-15/ProvidedContext AWS API Documentation
|
1517
|
+
#
|
1518
|
+
class ProvidedContext < Struct.new(
|
1519
|
+
:provider_arn,
|
1520
|
+
:context_assertion)
|
1521
|
+
SENSITIVE = []
|
1522
|
+
include Aws::Structure
|
1523
|
+
end
|
1524
|
+
|
1583
1525
|
# STS is not activated in the requested region for the account that is
|
1584
1526
|
# being asked to generate credentials. The account administrator must
|
1585
1527
|
# use the IAM console to activate STS in that region. For more
|
1586
|
-
# information, see [Activating and Deactivating
|
1587
|
-
# Region][1] in the *IAM User Guide*.
|
1528
|
+
# information, see [Activating and Deactivating Amazon Web Services STS
|
1529
|
+
# in an Amazon Web Services Region][1] in the *IAM User Guide*.
|
1588
1530
|
#
|
1589
1531
|
#
|
1590
1532
|
#
|
@@ -1604,20 +1546,13 @@ module Aws::STS
|
|
1604
1546
|
# You can pass custom key-value pair attributes when you assume a role
|
1605
1547
|
# or federate a user. These are called session tags. You can then use
|
1606
1548
|
# the session tags to control access to resources. For more information,
|
1607
|
-
# see [Tagging
|
1549
|
+
# see [Tagging Amazon Web Services STS Sessions][1] in the *IAM User
|
1550
|
+
# Guide*.
|
1608
1551
|
#
|
1609
1552
|
#
|
1610
1553
|
#
|
1611
1554
|
# [1]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_session-tags.html
|
1612
1555
|
#
|
1613
|
-
# @note When making an API call, you may pass Tag
|
1614
|
-
# data as a hash:
|
1615
|
-
#
|
1616
|
-
# {
|
1617
|
-
# key: "tagKeyType", # required
|
1618
|
-
# value: "tagValueType", # required
|
1619
|
-
# }
|
1620
|
-
#
|
1621
1556
|
# @!attribute [rw] key
|
1622
1557
|
# The key for a session tag.
|
1623
1558
|
#
|